可控内存写漏洞自动利用生成方法

doi:10.11959/j.issn.1000-436x.2022003

通信学报 ›› 2022, Vol. 43 ›› Issue (1): 83-95.doi: 10.11959/j.issn.1000-436x.2022003

可控内存写漏洞自动利用生成方法

黄桦烽¹^,², 苏璞睿¹^,², 杨轶¹^,², 贾相堃¹^,²

¹ 中国科学院软件研究所可信计算与信息保障实验室，北京 100190
² 中国科学院大学计算机科学与技术学院，北京 100190

修回日期:2021-12-17 出版日期:2022-01-25 发布日期:2022-01-01
作者简介:黄桦烽（1988- ），男，福建永春人，中国科学院软件研究所工程师，主要研究方向为计算机系统安全、漏洞自动挖掘与利用
苏璞睿（1976- ），男，湖北宜昌人，博士，中国科学院软件研究所研究员，主要研究方向为系统安全、恶意代码分析、漏洞挖掘
杨轶（1982- ），男，河南鹤壁人，博士，中国科学院软件研究所副研究员，主要研究方向为计算机系统安全、漏洞挖掘与分析
贾相堃（1990- ），男，河北邯郸人，博士，中国科学院软件研究所副研究员，主要研究方向为系统安全、漏洞挖掘与分析
基金资助:
国家自然科学基金资助项目(U1736209);国家自然科学基金资助项目(61572483);国家自然科学基金资助项目(U1836117);国家自然科学基金资助项目(U1836113);国家自然科学基金资助项目(62102406);中国科学院战略性先导科技专项基金资助项目(XDC02020300)

Automatic exploitation generation method of write-what-where vulnerability

Huafeng HUANG¹^,², Purui SU¹^,², Yi YANG¹^,², Xiangkun JIA¹^,²

¹ Trusted Computing and Information Assurance Laboratory, Institute of Software Chinese Academy of Sciences, Beijing 100190, China
² School of Computer Science and Technology, University of Chinese Academy of Sciences, Beijing 100190, China

Revised:2021-12-17 Online:2022-01-25 Published:2022-01-01
Supported by:
The National Natural Science Foundation of China(U1736209);The National Natural Science Foundation of China(61572483);The National Natural Science Foundation of China(U1836117);The National Natural Science Foundation of China(U1836113);The National Natural Science Foundation of China(62102406);The Strategic Priority Research Program of the Chinese Academy of Sciences(XDC02020300)

摘要/Abstract

摘要：

针对现有漏洞自动利用生成方法无法实现从“可控内存写”到“控制流劫持”的自动构造问题，提出一种可控内存写漏洞的自动利用生成方法。首先，基于内存地址控制力度的动态污点分析方法检测可控内存写漏洞；然后，基于漏洞利用模式进行利用要素搜索，通过约束求解自动构造可控内存写漏洞的利用。实验结果表明，所提方法可以有效检测可控内存写漏洞，搜索漏洞利用要素，自动生成从可控内存写到控制流劫持的利用。

关键词: 可控内存写, 控制流劫持, 动态污点分析, 漏洞利用要素, 自动利用生成

Abstract:

To solve the problem that the current vulnerability automatic exploitation generation methods cannot automatically generate control-flow-hijacking exploitation from write-what-where, a method of automatic exploitation generation for write-what-where was proposed.First, the write-what-where vulnerability was detected based on the memory address control strength dynamic taint analysis method.Then, the vulnerability exploitation elements were searched based on the vulnerability exploitation modes, and the exploitation of write-what-where vulnerability was generated automatically by constraint solving.The experimental results show that the proposed method can effectively detect write-what-where vulnerability, search exploitation elements, and automatically generate the control-flow-hijacking exploitation from write-what-where.

Key words: write-what-where, control flow hijacking, dynamic taint analysis, vulnerability exploitation element, auto-matic exploitation generation

中图分类号:

TP311

黄桦烽, 苏璞睿, 杨轶, 贾相堃. 可控内存写漏洞自动利用生成方法[J]. 通信学报, 2022, 43(1): 83-95.

Huafeng HUANG, Purui SU, Yi YANG, Xiangkun JIA. Automatic exploitation generation method of write-what-where vulnerability[J]. Journal on Communications, 2022, 43(1): 83-95.

图/表 17

图1

表1

表2

图2

图3

图4

图5

图6

图7

图8

图9

表3

表4

表5

图10

表6

表7

参考文献 17

[1]	孙鸿宇, 何远, 王基策 ,等. 人工智能技术在安全漏洞领域的应用[J]. 通信学报, 2018,39(8): 1-17.
	UN H Y , HE Y , WANG J C ,et al. Application of artificial intelligence technology in the field of security vulnerability[J]. Journal on Communications, 2018,39(8): 1-17.
[2]	SONG J , ALVES-FOSS J , . The DARPA cyber grand challenge:a competitor’s perspective[J]. IEEE Security ＆ Privacy, 2015,13(6): 72-76.
[3]	BRUMLEY D , POOSANKAM P , SONG D ,et al. Automatic patch-based exploit generation is possible:techniques and implications[C]// Proceedings of 2008 IEEE Symposium on Security and Privacy. Piscataway:IEEE Press, 2008: 143-157.
[4]	AVGERINOS T , CHA S K , HAO B L T ,et al. AEG:automatic exploit generation[C]// Network and Distributed System Security Symposium. San Diego:DBLP, 2011: 1-18.
[5]	AVGERINOS T , CHA S K , REBERT A ,et al. Automatic exploit generation[J]. Communications of the ACM, 2014,57(2): 74-84.
[6]	CHA S K , AVGERINOS T , REBERT A ,et al. Unleashing mayhem on binary code[C]// 2012 IEEE Symposium on Security and Privacy. Piscataway:IEEE Press, 2012: 380-394.
[7]	WANG M H , SU P R , LI Q ,et al. Automatic polymorphic exploit generation for software vulnerabilities[C]// Security and Privacy in Communication Networks. Cham:Springer, 2013: 216-233.
[8]	HUANG S K , HUANG M H , HUANG P Y ,et al. CRAX:software crash analysis for automatic exploit generation by modeling attacks as symbolic continuations[C]// Proceedings of 2012 IEEE Sixth International Conference on Software Security and Reliability. Piscataway:IEEE Press, 2012: 78-87.
[9]	HE L , CAI Y , HU H ,et al. Automatically assessing crashes from heap overflows[C]// Proceedings of 2017 32nd IEEE/ACM International Conference on Automated Software Engineering (ASE). Piscataway:IEEE Press, 2017: 274-279.
[10]	WANG Y , ZHANG C , XIANG X B ,et al. Revery:from proof-of-concept to exploitable[C]// Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security. New York:ACM Press, 2018: 1914-1927.
[11]	WU W , CHEN Y , XU J ,et al. FUZE:towards facilitating exploit generation for kernel use-after-free vulnerabilities[C]// Proceedings of the 27th USENIX Security Symposium. Berkeley:USENIX Association, 2018: 781-797.
[12]	方皓, 吴礼发, 吴志勇 . 基于符号执行的 Return-to-dl-resolve 利用代码自动生成方法[J]. 计算机科学, 2019,46(2): 127-132.
	FANG H , WU L F , WU Z Y . Automatic return-to-dl-resolve exploit generation method based on symbolic execution[J]. Computer Science, 2019,46(2): 127-132.
[13]	HU H , CHUA Z L , ADRIAN S ,et al. Automatic generation of data-oriented exploits[C]// Proceedings of the 24th USENIX Security Symposium. Berkeley:USENIX Association, 2015: 177-192.
[14]	HU H , SHINDE S , ADRIAN S ,et al. Data-oriented programming:on the expressiveness of non-control data attacks[C]// Proceedings of 2016 IEEE Symposium on Security and Privacy. Piscataway:IEEE Press, 2016: 969-986.
[15]	ISPOGLOU K K , ALBASSAM B , JAEGER T ,et al. Block oriented programming:automating data-only attacks[C]// Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security. New York:ACM Press, 2018: 1868-1882.
[16]	SCHWARTZ E J , AVGERINOS T , BRUMLEY D ,et al. Q:exploit hardening made easy[C]// Proceedings of the 20th USENIX Security Symposium. Berkeley:USENIX Association, 2011:25.
[17]	黄桦烽, 王嘉捷, 杨轶 ,等. 有限资源条件下的软件漏洞自动挖掘与利用[J]. 计算机研究与发展, 2019,56(11): 2299-2314.
	HUANG H F , WANG J J , YANG Y ,et al. Automatic software vulnerability discovery and exploit under the limited resource conditions[J]. Journal of Computer Research and Development, 2019,56(11): 2299-2314.

研究工作	①	②	③	④	⑤	⑥	⑦	⑧
APEG	√
AEG					√
Mayhem					√
PolyAEG					√
CRAX					√
HCSIFTER								√
Revery		√	√
FUZE					√
R2dlAEG						√
FlowStitch						√	√
DOP						√	√
BOP						√	√

指令	规则说明
add	单字节独立计算污点状态，不考虑低字节对高字节的进位污染，考虑了进位只能影响1 bit，不能控制大范围地址
sub	单字节独立计算污点状态，不考虑低字节对高字节的借位污染，考虑了借位只能影响1 bit，不能控制大范围地址
lea	单字节独立计算污点状态，不考虑低字节对高字节的进位污染，考虑了进位只能影响1 bit，不能控制大范围地址
and	与运算的非污点字节如果比特数超过6 bit为0对该字节漂白，通常用于内存页对齐，失去了可控计算的能力
or	或运算的非污点字节如果比特数超过6 bit为1对该字节漂白
shl	左移位数超过6 bit的低字节漂白，通常用于内存页地址对其，失去了可控计算的能力

pwn样本集编号	判定情况	统计数/个
01,02,04,05,07,10,13,18,22,24,25, 26,27,30,31,34, 37,38,45,48,49,50	控制流劫持	22
09,14,15,17,19,20,21,23, 28,35,36,39,40,41,42,46,	可控内存写	16
32	命令注入	1
03,06,08,11,12,16,29,33, 43,44,47	未能判定	11

样本	格式化函数	能否检测	利用方式
Pwn06	sprintf	能	溢出ret
Pwn11	snprintf	能	可控内存写
Pwn16	printf、sprintf	能	溢出ret
Pwn29	printf	能	信息泄露覆盖ret
Pwn33	printf	能	可控内存写
Pwn43	printf	能	可控内存写
Pwn47	snprintf	能	可控内存写

实例程序	版本	“可控内存写”告警数量
实例程序	版本	告警数/个	误报数/个	漏报数/个
PLC WinNT	V2.4.7.52	2	1	0
Media Player Classic	1.3.1249.0	1	0	0
DirectShow Player GUI	V1.0	1	0	0
WinWord	14.0.4760.1000	0	0	0
VUPlayer	2.49	0	0	0
Float Ftp	1.0	0	0	0

可控内存写漏洞自动利用生成方法

Automatic exploitation generation method of write-what-where vulnerability

在线阅读

PDF下载

可视化

摘要/Abstract

引用本文

使用本文

图/表 17

参考文献 17

相关文章 4

Metrics

推荐阅读 0

实例程序	版本	函数表利用要素统计
实例程序	版本	UW/个	AW/个	UAW/个
PLC WinNT	V2.4.7.52	1 067	81	54
Media Player Classic	1.3.1249.0	2 507	925	17
DirectShow Player GUI	V1.0	707	954	26
WinWord	14.0.4760.1000	3 969	1 012	1
VUPlayer	2.49	162	11	10
Float Ftp	1.0	637	334	27

测试用例	利用点	构造情况
Pwn09	0x407ffedc	失败
Pwn11	0x080ec4f0	失败
Pwn14	0x080ec4f0	call劫持
Pwn15	0x080f14f0	失败
Pwn17	0x080ed4f0	失败
Pwn19	0x080ec4f0	call劫持
Pwn20	0x080ec4f0	call劫持
Pwn21	0x080ec4f0	call劫持
Pwn23	0x407ffdcc	失败
Pwn28	0x080ec4f0	call劫持
Pwn33	0x080ecb60	失败
Pwn35	0x080ec4f0	call劫持
Pwn36	0x407ffedc	ret劫持
Pwn39	0x80f1b80	call劫持
Pwn40	0x080ec810	call劫持
Pwn41	0x080ec4f0	call劫持
Pwn42	0x080eb4d8	失败
Pwn43	0x080ed650	失败
Pwn46	0x080ede60	call劫持
Pwn47	0x080ec4f0	call劫持

[1]	潘传幸, 张铮, 马博林, 姚远, 季新生. 面向进程控制流劫持攻击的拟态防御方法[J]. 通信学报, 2021, 42(1): 37-47.
[2]	潘璠，洪征，周振吉，吴礼发. 语义层次的协议格式提取方法[J]. 通信学报, 2013, 34(10): 19-173.
[3]	潘璠,洪征,周振吉,吴礼发. 语义层次的协议格式提取方法[J]. 通信学报, 2013, 34(10): 162-173.
[4]	刘豫,聂眉宁,苏璞睿,冯登国. 基于可回溯动态污点分析的攻击特征生成方法[J]. 通信学报, 2012, 33(5): 21-28.