Computer Science (计算机科学), 2023, Vol. 50, Issue 4: 277-287. doi: 10.11896/jsjkx.220500092

• Information Security •

Research on PoC Refactoring of Third-party Library in Heterogeneous Environment

SONG Wenkai (宋文凯), YOU Wei (游伟), LIANG Bin (梁彬), HUANG Jianjun (黄建军), SHI Wenchang (石文昌)

  1. School of Information, Renmin University of China, Beijing 100872, China
  • Received: 2022-05-11  Revised: 2022-10-23  Online: 2023-04-15  Published: 2023-04-06
  • Corresponding author: YOU Wei (youwei@ruc.edu.cn)
  • About the authors: SONG Wenkai (songwenkai@ruc.edu.cn), born in 1995, postgraduate. His main research interests include software security analysis.
    YOU Wei, born in 1988, Ph.D., associate professor. His main research interests include vulnerability mining, malicious program analysis and mobile security.
  • Supported by: National Natural Science Foundation of China (62002361, U1836209).

Abstract: Vulnerabilities in third-party libraries propagate widely into host applications (software that uses those libraries), and host-application developers usually fail to fix them in a timely manner, which easily leads to security problems. To study the impact of third-party library vulnerabilities on host applications in depth, it is particularly important to verify effectively whether a vulnerability propagated into a host application can still be triggered there. The latest research applies taint analysis and symbolic execution to refactor the third-party library's PoC (its vulnerability-triggering input) so that it applies to the host application and verifies triggerability. However, the library's test environment and the host application's real environment usually differ (they are heterogeneous environments), so a PoC refactored by the above method is often still not applicable to the host application. To solve this problem, a method for PoC refactoring in heterogeneous environments is proposed. It consists of four steps. First, the execution traces produced by the original PoC are extracted in the third-party library's test environment and in the host application's environment respectively. Second, the two traces are compared to identify the path difference points. Third, the code at each difference point is analyzed and tested to identify the key variables that cause the difference. Finally, the key input fields of the PoC that can affect the state of those key variables are located; by mutating those fields, the method tries to change the state of the key variables and align the divergent paths, guiding the host application's execution flow to the vulnerable code and thus verifying that the vulnerability can be triggered. Experiments on 11 real-world PoCs show that the proposed method can successfully verify, in heterogeneous environments, the triggerability of propagated vulnerabilities in host applications.

Key words: PoC (vulnerability-triggering code), Third-party library, Heterogeneous environments, Refactoring

CLC number: TP311
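The four-step procedure in the abstract, re-enacted as an added Python example. This is illustrative code written for this page, not the paper's tool or any real library: the packet format, the "library core" function, the two environment configurations and the lookup tables are all constructed. The two tables (branch block to key variable, key variable to PoC byte offsets) stand in for the paper's analysis of the code at each difference point and its location of key input fields, which this toy does not automate; the trace is collected by explicit block labels rather than from a real instruction trace.

```python
"""Toy re-enactment of trace-diff guided PoC refactoring (illustration only).

Everything here is constructed: the packet format, the "library core", the
two environment configurations and the lookup tables. None of it is the
paper's tool or a real protocol.
"""
import struct

# Constructed toy packet: 2-byte magic, 1-byte version, 1-byte flags,
# 2-byte big-endian payload length, then the payload.
HDR = struct.Struct(">2sBBH")
BUF_SIZE = 16  # the core copies the payload into a 16-byte "buffer"

# Environment configurations (stand-ins for build options / runtime state).
LIB_TEST_ENV = {"strict_version": None, "required_flags": 0x00}
HOST_ENV = {"strict_version": 2, "required_flags": 0x80}


def core_process(pkt, cfg, trace):
    """Shared library code. Appends the basic blocks it executes to `trace`
    (standing in for a recorded execution trace of the library code)."""
    magic, version, flags, length = HDR.unpack_from(pkt, 0)
    trace.append("B_entry")
    if magic != b"LW":
        trace.append("B_bad_magic")
        return "drop"
    trace.append("B_version_check")
    if cfg["strict_version"] is not None and version != cfg["strict_version"]:
        trace.append("B_bad_version")
        return "drop"
    trace.append("B_flag_check")
    if (flags & cfg["required_flags"]) != cfg["required_flags"]:
        trace.append("B_missing_flag")
        return "drop"
    trace.append("B_copy")
    payload = pkt[HDR.size:HDR.size + length]
    if len(payload) > BUF_SIZE:  # the bug: `length` is never bounded by BUF_SIZE
        trace.append("B_VULN")   # a real memcpy would overflow here; we just mark it
        return "overflow"
    trace.append("B_ok")
    return "ok"


def run(pkt, env):
    """Step 1: execute the PoC in one environment and collect its trace."""
    trace = []
    return core_process(pkt, env, trace), trace


def first_divergence(t_lib, t_host):
    """Step 2: index of the first block where the traces differ, or None
    when the host trace matches the library trace exactly."""
    for i, (a, b) in enumerate(zip(t_lib, t_host)):
        if a != b:
            return i
    return None if len(t_lib) == len(t_host) else min(len(t_lib), len(t_host))


# Step 3 stand-in: the variable tested by the branch in each block (the paper
# derives this by analysing the code at the difference point).
BRANCH_KEY_VAR = {"B_version_check": "version", "B_flag_check": "flags"}
# Step 4 stand-in: which PoC bytes feed each key variable, as (offset, size).
FIELD_OFFSETS = {"version": (2, 1), "flags": (3, 1), "length": (4, 2)}


def refactor_poc(poc, lib_env, host_env, max_rounds=8):
    """Mutate the key field at each divergence until the host trace reaches
    the same vulnerable block as the library trace.
    Returns (refactored_poc, rounds_needed, final_host_trace)."""
    _, t_lib = run(poc, lib_env)
    if "B_VULN" not in t_lib:
        raise ValueError("original PoC does not trigger in the library environment")
    cur = bytearray(poc)
    for rounds in range(max_rounds):
        _, t_host = run(bytes(cur), host_env)
        d = first_divergence(t_lib, t_host)
        if d is None:
            return bytes(cur), rounds, t_host
        branch = t_lib[d - 1] if d > 0 else None  # last block both executed
        key_var = BRANCH_KEY_VAR.get(branch)
        if key_var not in FIELD_OFFSETS:
            raise RuntimeError(f"no key variable / input field known for {branch}")
        off, size = FIELD_OFFSETS[key_var]
        for val in range(256 ** size):  # enumerate the key field's values
            cand = bytearray(cur)
            cand[off:off + size] = val.to_bytes(size, "big")
            d2 = first_divergence(t_lib, run(bytes(cand), host_env)[1])
            if d2 is None or d2 > d:  # host now follows the library path further
                cur = cand
                break
        else:
            raise RuntimeError(f"could not align the path at {branch} via {key_var}")
    raise RuntimeError("exceeded max_rounds without aligning the traces")


def build_poc(version=1, flags=0, payload=b"A" * 32):
    """Constructed original PoC: a 32-byte payload overflows the 16-byte buffer."""
    return HDR.pack(b"LW", version, flags, len(payload)) + payload


ORIGINAL_POC = build_poc()

if __name__ == "__main__":
    print("library :", run(ORIGINAL_POC, LIB_TEST_ENV))
    print("host    :", run(ORIGINAL_POC, HOST_ENV))
    new_poc, rounds, t = refactor_poc(ORIGINAL_POC, LIB_TEST_ENV, HOST_ENV)
    print(f"refactored after {rounds} rounds:", new_poc[:HDR.size].hex(), t[-1])
```

Run as a script: the original PoC triggers the overflow in the library test environment but is dropped by the host's version check; the first round rewrites the version byte, the second sets the required flag bit, and the host trace then reaches B_VULN with the payload untouched. The acceptance rule for a mutation (the host trace must follow the library trace strictly further than before) is what keeps the search from accepting values that merely move the divergence elsewhere.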