Computer Science (计算机科学), 2019, Vol. 46, Issue 7: 133-138. doi: 10.11896/j.issn.1002-137X.2019.07.021

• Software and Database Technology •

Automatic Vulnerability Detection and Test Case Generation Based on SEH

黄钊,黄曙光,邓兆琨,黄晖   

  1. (National University of Defense Technology, Hefei 230037, China)
  • Received: 2018-06-13 Online: 2019-07-15 Published: 2019-07-15
  • About the authors: HUANG Zhao (黄钊), born 1994, female, master's student; main research interest: software vulnerability analysis. HUANG Shu-guang (黄曙光), born 1960, male, professor and doctoral supervisor; main research interest: information security; E-mail: hz0_mu@163.com (corresponding author). DENG Zhao-kun (邓兆琨), born 1993, male, master's student; main research interests: network situational awareness and vulnerability analysis. HUANG Hui (黄晖), born 1987, male, Ph.D.; main research interest: vulnerability analysis; E-mail: hhui_123@163.com.
  • Funding:
    Supported by the National Key R&D Program of China, Key Special Project on Cyberspace Security (2017YFB0802905).

Automatic Vulnerability Detection and Test Cases Generation Method for Vulnerabilities Caused by SEH

HUANG Zhao,HUANG Shu-guang,DENG Zhao-kun,HUANG Hui   

  1. (National University of Defense Technology,Hefei 230037,China)
  • Received:2018-06-13 Online:2019-07-15 Published:2019-07-15

Abstract (translated from the Chinese): Structured Exception Handling (SEH) is the mechanism the Windows operating system provides to programmers for handling program errors and exceptions. However, because SEH processes exceptions through a chain of handlers, a program may contain corresponding vulnerabilities. To address this problem and improve program security, an SEH-based method for automatically generating vulnerability test cases is proposed. The method first judges whether the program is at risk from an SEH-based attack; if so, it constructs and adjusts test case constraints and solves them automatically to generate the corresponding test cases. On the one hand, the method extends the current automatic test case generation pattern; on the other hand, it can still generate effective test cases when GS protection is enabled. Finally, experiments verify the effectiveness of the method.

Keywords: Symbolic execution, Structured exception handling, Automatic test case generation

Abstract: Structured Exception Handling (SEH), offered by the Windows operating system, is a way to handle program errors or exceptions. However, because SEH processes exceptions through a chain of handlers, corresponding vulnerabilities may exist. To solve this problem and improve program security, a method was proposed to generate test cases based on SEH. First, the method judges whether the program is at risk of being attacked via SEH. If there is such a risk, the test case constraints are constructed and adjusted. Then, by solving these constraints, the corresponding test cases are generated automatically. On the one hand, this method extends the current automatic test case generation pattern; on the other hand, it can generate effective test cases even when GS protection is turned on. Finally, the effectiveness of the method is verified by experiments.

Key words: Automatic test cases generation, Structured exception handling, Symbolic execution

CLC number:

  • TP311