Research on Methods for Discovering and Exploiting Buffer Overflow Vulnerabilities
Abstract
With the rapid development of computer and network technology, computer network crimes emerge one after another, and combating them grows more important by the day. In addition, information warfare will inevitably become a new mode of warfare in the future. Therefore, research on vulnerability discovery and exploitation techniques has important theoretical significance and practical value, both for combating computer network crime and for information confrontation.
This thesis analyzes the two currently mainstream vulnerability discovery methods, explains the technical approach each takes to discovering vulnerabilities, summarizes their respective advantages and disadvantages, and on that basis sets out the basic steps of vulnerability analysis. Following the development of exploitation techniques, it analyzes the basic principles and exploitation techniques of stack overflows and heap overflows. Building on a summary of the shortcomings of traditional vulnerability discovery methods, it proposes, as an exploratory approach, a vulnerability discovery method based on reverse engineering and Fuzzing testing, and explains the guiding idea and technical approach of that method. Using the proposed method, it describes in detail the process by which a 0day security vulnerability in Super Star Reader was discovered, and gives the cause of that vulnerability.
For the discovered Super Star Reader vulnerability, the thesis examines the feasibility of exploiting it, sets out the design principles and design ideas of an exploit program, and designs the corresponding exploit program. Among the key techniques involved in implementing the exploit program, it focuses on the essentials of writing Shellcode, including locating the return address, dynamically locating the call addresses of API (Application Programming Interface) functions, and measures for protecting the Shellcode.
Actual run results show that the vulnerability discovery method based on reverse engineering and Fuzzing testing balances automation with purposiveness and can effectively discover certain unknown vulnerabilities. The exploit program for the SSR (Super Star Reader) vulnerability, besides being highly general and stable, also runs on multiple operating systems and successfully evades monitoring and detection by mainstream antivirus software, and so has some practical value.
With the rapid development of computer and network technology, cyber-crimes are emerging in an endless stream; hence it has become increasingly important to crack down on cyber-crime. Besides, information warfare will inevitably become a new form of warfare in the future. Therefore, research on vulnerability detecting and exploiting technologies is very significant both for combating cyber-crime and for information confrontation.
Based on an analysis of two existing mainstream vulnerability detecting methods, the technical characteristics of the methods are described, their advantages and disadvantages are summarized, and the basic process of vulnerability analysis is illustrated as well. Then, with reference to the development of exploiting technology, the basic principles and exploiting skills of stack overflow and heap overflow, which are the mainstream exploiting technologies, are discussed. After analyzing the weak points of traditional vulnerability detecting methods, an exploratory approach to vulnerability detecting based on reverse engineering and Fuzzing testing is proposed in this paper, and the guiding ideology and technical ideas of this approach are also discussed. Moreover, based on the proposed approach, the detecting process is described and the cause of the 0day vulnerability in Super Star Reader is presented.
For the 0day vulnerability detected above, the feasibility of exploiting it is discussed, the design principles and ideas of the vulnerability exploiting program are given, and the corresponding program is designed. Concerning the key technologies involved in realizing the exploiting program, the key points of how to write Shellcode are discussed, including locating the return address, dynamically positioning the call addresses of Application Programming Interface functions, and security measures for the Shellcode.
The experimental results show that the detecting method based on reverse engineering and Fuzzing testing attends to both automation and purposiveness, and that it can detect some unknown vulnerabilities effectively. Besides its generality and stability, the exploiting program for the 0day vulnerability can run on several operating systems and successfully avoids monitoring and killing by antivirus software.
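As an added illustration of the reverse-engineering-plus-fuzzing idea the abstract describes (example code written for this page, not code from the thesis; the "TDOC" format, the 32-byte title buffer and the parse_doc target are constructed stand-ins, not the real Super Star Reader format): blind byte mutation mostly trips the parser's early magic check, while mutations aimed at the length field identified by reverse engineering reach the buffer copy on every run.

```python
import random
import struct

# Constructed toy document format for this example (not the real SSR file format):
#   "TDOC" | u16 title_len | title bytes | u32 body_len | body bytes
TITLE_MAX = 32  # size of the fixed buffer the toy parser copies the title into

def build_doc(title: bytes, body: bytes) -> bytes:
    return b"TDOC" + struct.pack("<H", len(title)) + title + struct.pack("<I", len(body)) + body

def parse_doc(data: bytes) -> dict:
    """Toy target with a deliberate defect: it trusts title_len when filling a 32-byte buffer."""
    if data[:4] != b"TDOC":
        raise ValueError("bad magic")  # shallow check that most blind mutations trip over
    title_len = struct.unpack_from("<H", data, 4)[0]
    title = data[6:6 + title_len]
    if len(title) > TITLE_MAX:  # stands in for ASan or a debugger catching the real overflow
        raise MemoryError("title_len exceeds fixed buffer")
    off = 6 + len(title)
    body_len = struct.unpack_from("<I", data, off)[0]
    return {"title": title, "body": data[off + 4:off + 4 + body_len]}

def blind_mutants(seed: bytes, n: int, rng_seed: int = 0):
    """Blind fuzzing: overwrite one random byte anywhere, magic and length fields included."""
    rng = random.Random(rng_seed)
    for _ in range(n):
        m = bytearray(seed)
        m[rng.randrange(len(m))] = rng.randrange(256)
        yield bytes(m)

def structured_mutants(seed: bytes):
    """Format-aware fuzzing: keep the magic valid, drive title_len through boundary values."""
    title_len = struct.unpack_from("<H", seed, 4)[0]
    for v in (0, title_len + 1, TITLE_MAX, TITLE_MAX + 1, 0x7FFF, 0xFFFF):
        m = bytearray(seed)
        struct.pack_into("<H", m, 4, v)
        yield bytes(m)

def fuzz(inputs) -> tuple:
    """Run each input through the target and classify it: ok, rejected early, or crash."""
    stats, crashes = {"ok": 0, "rejected": 0, "crash": 0}, []
    for x in inputs:
        try:
            parse_doc(x)
            stats["ok"] += 1
        except MemoryError:  # in a real campaign: the debugger reports an access violation
            stats["crash"] += 1
            crashes.append(x)
        except (ValueError, struct.error):
            stats["rejected"] += 1
    return stats, crashes
```

With a constructed seed such as `build_doc(b"hello", b"A" * 200)`, `fuzz(structured_mutants(seed))` reports three crashes out of six inputs, each a title_len larger than the 32-byte buffer; compare that against `fuzz(blind_mutants(seed, 300))`.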