Research on Software Security Vulnerabilities on the Windows Platform
Abstract
With the wide adoption of Windows across every industry, software running on the Windows platform has grown enormously in scope and maturity. While this software gives people a fast and convenient way to work and live, it has also brought an overwhelming number of software security vulnerabilities, from flaws in the Windows system itself to flaws in the application software running on it, too numerous to list. The steadily growing number of vulnerabilities not only disrupts the normal work and daily life of ordinary users and enterprises, but also threatens the information security of society as a whole.
     Because of their special nature, software security vulnerabilities bear on the information security of individuals, enterprises and even the state, and are therefore sensitive. At present, public literature and technical methods are scarce; vulnerability information published online usually only summarizes the vulnerability as a whole and lacks the technical support needed to analyze it.
     Research into vulnerability-related techniques involves detailed analysis of vulnerabilities and generally touches on low-level technical details of the system. On that basis, we can find new methods of secure programming, curb the network Trojans and viruses that spread through vulnerabilities, and generalize the patterns behind how vulnerabilities arise to guide the discovery and analysis of unknown ones. At a higher level, this benefits the training of information security talent and the accumulation of technical expertise in our country, helps regulate the computer industry, combats computer crime and safeguards national information security.
     This dissertation focuses on closed-source software on the Windows platform. It first introduces the foundations of vulnerability analysis, including the structure of the PE file format and the basic concepts of disassembly, then gives three definitions of vulnerability and discusses vulnerability classification. Next, it describes static analysis techniques in detail; static analysis essentially means understanding the logical structure of the generated disassembly and how constructs of a high-level language appear in disassembled code. This is followed by dynamic analysis techniques: after establishing the basic concepts of breakpoints and single-stepping, the mechanisms behind stack overflow, heap overflow and format string vulnerabilities are dissected in depth through hands-on debugging and trace analysis.
     The dissertation then selects two representative vulnerabilities, the IE 0-day "Aurora" vulnerability of January 2010 and the MS08-067 vulnerability of 2008; the former is an application software vulnerability and the latter a system software vulnerability. Both are debugged in detail, and the technical details that give rise to them are analyzed and explained with actual code fragments and debugger feedback.
     Finally, the research on software security vulnerabilities is summarized and directions for future work are outlined.
