Computer Science (计算机科学), 2023, Vol. 50, Issue (4): 343-350. doi: 10.11896/jsjkx.220100113
何杰, 蔡瑞杰, 尹小康, 陆炫廷, 刘胜利
HE Jie, CAI Ruijie, YIN Xiaokang, LU Xuanting, LIU Shengli
Abstract: Cisco's newer operating system, Cisco IOS-XE, is widely deployed on platforms such as Cisco routers and switches, but its Web management service contains security vulnerabilities that allow privilege escalation through command injection, posing a serious threat to network security. In recent years, fuzzing has often been used to detect security vulnerabilities in embedded devices; however, there is currently no fuzzing framework targeting the Web management service of Cisco IOS-XE, and because of IOS-XE's distinctive system architecture and command model, existing IoT fuzzing methods perform poorly on IOS-XE. To address this, this paper proposes CRFuzzer, a fuzzing framework for the Cisco IOS-XE Web management service that detects command injection vulnerabilities. CRFuzzer combines analysis of Web front-end requests with analysis of back-end programs to optimize seed generation, and uses the characteristics of command injection vulnerabilities to locate vulnerable code, thereby narrowing the scope of testing. To evaluate CRFuzzer's vulnerability detection capability, 124 firmware images across 31 different versions were tested on physical ISR 4000 series routers and on the CSR 1000v cloud router; 11 command injection vulnerabilities were detected in total, 2 of which were previously undisclosed.