Computer Science (计算机科学), 2022, Vol. 49, Issue 11: 326-334. doi: 10.11896/jsjkx.211200039

• Information Security •

Automatic Analysis Technology of Kernel Vulnerability Attack Based on Finite State Machine

LIU Pei-wen1, SHU Hui2, LYU Xiao-shao2, ZHAO Yun-tian2

  1 School of Cyber Science and Engineering, Zhengzhou University, Zhengzhou 450001, China
  2 State Key Laboratory of Mathematical Engineering and Advanced Computing, Information Engineering University, Zhengzhou 450001, China
  • Received: 2021-12-03  Revised: 2022-04-22  Online: 2022-11-15  Published: 2022-11-03
  • Corresponding author: SHU Hui (shuhui123@126.com)
  • About the authors: LIU Pei-wen (2386107892@qq.com), born in 1997, postgraduate. His main research interests include cyber security and reverse engineering.
    SHU Hui, born in 1974, Ph.D., professor, Ph.D. supervisor. His main research interests include cyber security and reverse engineering.
  • Supported by: National Key R&D Program of China (2019QY1305).

Abstract: Kernel vulnerability attacks are a common way of attacking operating systems, and analyzing each stage of such an attack is key to defending against it. Because kernel vulnerability types, trigger paths and exploitation patterns are complex and varied, the attack process of a kernel vulnerability is hard to analyze; moreover, existing analysis work relies mainly on forward program analysis methods such as taint analysis, whose efficiency is low. To improve analysis efficiency, this paper implements an automatic analysis technology for kernel vulnerability attacks based on a finite state machine. First, a state transition diagram of the kernel vulnerability attack is constructed as the key basis for the analysis. Second, the idea of reverse analysis is introduced, and a finite-state-machine-based reverse analysis model of the kernel vulnerability attack process is established, which reduces unnecessary analysis cost. Finally, a reverse analysis method for kernel vulnerability attacks is implemented on top of the model, which automatically and quickly resolves the attack flow of a kernel vulnerability. Tests on 10 attack samples show that the reverse analysis method accurately obtains the key code execution information and that, compared with the traditional forward analysis method, analysis efficiency is greatly improved.

Key words: Kernel vulnerability, Vulnerability exploit, Privilege escalation attack, Reverse analysis, Vulnerability trigger point positioning
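A toy illustration of the reverse-analysis idea in the abstract, added here as an example (it is not code from the paper): an assumed attack-stage FSM is walked backward over a constructed kernel execution trace from the privilege-escalated end state to the vulnerability trigger point, and the number of trace events examined is compared with a forward walk. The stage names, event kinds and the trace itself are all constructed assumptions, not the paper's state transition diagram.

```python
from dataclasses import dataclass
# Assumed attack-stage FSM (constructed for this example, not the paper's graph):
# stage -> (predecessor stage, trace event kinds that mark entry into this stage)
TRANSITIONS = {
    "priv_escalated":   ("payload_executed", {"cred_write"}),
    "payload_executed": ("control_hijacked", {"ret_to_user"}),
    "control_hijacked": ("vuln_triggered",   {"indirect_call_bad"}),
    "vuln_triggered":   ("initial",          {"oob_write", "uaf_access"}),
}
FINAL_STATE = "priv_escalated"
@dataclass(frozen=True)
class Event:
    idx: int   # position in the recorded trace
    kind: str  # event class emitted by the tracer (constructed names)
def reverse_analyze(trace):
    """Walk backward from the escalated end state; each stage's marker event moves the
    FSM to its predecessor, and the walk stops at the trigger, skipping the benign prefix."""
    state, path, examined = FINAL_STATE, [], 0
    for ev in reversed(trace):
        examined += 1
        pred, markers = TRANSITIONS[state]
        if ev.kind in markers:
            path.append((state, ev))
            state = pred
            if state == "initial":
                break
    if state != "initial":
        return None  # no complete attack in this trace
    path.reverse()
    return {"trigger": path[0][1], "path": path, "examined": examined}
def forward_analyze(trace):
    """Forward counterpart: scans from the first event until the end state is
    reached, so it also pays for everything recorded before the trigger."""
    fwd = {pred: (st, marks) for st, (pred, marks) in TRANSITIONS.items()}
    state, trigger, examined = "initial", None, 0
    for ev in trace:
        examined += 1
        nxt, markers = fwd.get(state, (None, set()))
        if ev.kind in markers:
            trigger = trigger or ev
            state = nxt
            if state == FINAL_STATE:
                break
    return {"trigger": trigger, "examined": examined}
def make_trace(benign_prefix=5000):
    """Constructed trace: a long benign prefix followed by the four attack stages."""
    attack = ["oob_write", "syscall", "indirect_call_bad", "ret_to_user",
              "syscall", "cred_write", "syscall", "syscall"]
    benign = [Event(i, "syscall") for i in range(benign_prefix)]
    return benign + [Event(benign_prefix + i, k) for i, k in enumerate(attack)]
```

Both walks locate the same trigger event, but the reverse walk examines only the events between the trigger and the end of the trace, which is the saving the abstract attributes to reverse analysis.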

CLC number: TP393