Computer Science ›› 2022, Vol. 49 ›› Issue (11): 49-54. doi: 10.11896/jsjkx.210900230

• Computer Software •

Semantic Restoration and Automatic Transplant for ROP Exploit Script

施瑞恒, 朱云聪, 赵易如, 赵磊   

  1. Key Laboratory of Aerospace Information Security and Trusted Computing, Ministry of Education (School of Cyber Science and Engineering, Wuhan University), Wuhan 430072
  • Received: 2021-09-27 Revised: 2022-03-26 Online: 2022-11-15 Published: 2022-11-03
  • Corresponding author: ZHAO Lei (leizhao@whu.edu.cn)
  • About the author: (ruihengshi@whu.edu.cn)
  • Supported by:
    National Natural Science Foundation of China (62172305, U1836112); Key Research and Development Program of Hubei Province (2020BAA003)

Semantic Restoration and Automatic Transplant for ROP Exploit Script

SHI Rui-heng, ZHU Yun-cong, ZHAO Yi-ru, ZHAO Lei   

  1. Key Laboratory of Aerospace Information Security and Trusted Computing, Ministry of Education, School of Cyber Science and Engineering, Wuhan University, Wuhan 430072, China
  • Received: 2021-09-27 Revised: 2022-03-26 Online: 2022-11-15 Published: 2022-11-03
  • About author: SHI Rui-heng, born in 1997, postgraduate. His main research interests include automatic exploit generation and fuzzing.
    ZHAO Lei, born in 1985, Ph.D, professor. His main research interests include software and system security, especially in security analysis of binary programs and automatic software vulnerability detection.
  • Supported by:
    National Natural Science Foundation of China (62172305, U1836112) and Key-Area Research and Development Program of Hubei Province (2020BAA003).

Abstract: Exploit scripts play an extremely important role in security research; security researchers need to study how an exploit script triggers and exploits a vulnerability in order to protect the vulnerable program effectively. However, a large number of exploit scripts obtained from the Internet have poor generality and adaptability: they are tied to a specific operating system and environment and fail when the runtime environment changes. This problem is especially common in ROP-based exploit scripts, which makes the transplanting and exploit analysis of ROP scripts very difficult and dependent on extensive manual assistance and expert experience. To address the problem of transplanting ROP exploit scripts, this paper proposes the ROPTrans system. Through semantic identification of the ROP exploit script, it locates the key semantics and variables that depend on the runtime environment, then automatically adapts to the environment and generates an ROP exploit script for the target environment, thereby achieving automated transplant of ROP scripts. Experimental results show that the success rate of ROPTrans can reach 80%, which verifies the effectiveness of the method.

Keywords: Exploit, Control flow hijacking, ROP, Transplanting

Abstract: Exploit scripts play an important role in security research. Security researchers need to study how an exploit script triggers and exploits a vulnerability so as to protect the vulnerable program effectively. However, many exploit scripts obtained from the network have poor generality and adaptability. They are limited to a specific operating system and execution environment, and a change of environment leads to execution failure. This problem is particularly common in exploit scripts based on return-oriented programming (ROP), which makes the transplanting and exploit analysis of ROP scripts difficult and reliant on manual assistance and expert knowledge. To solve this problem, we propose the ROPTrans system, which locates the key semantics and their variables related to the running environment by analysing the semantics of the ROP script, and then automatically generates an ROP script adapted to the target environment, so as to transplant ROP scripts automatically. Experimental results show that the success rate of ROPTrans can reach up to 80%, which verifies the effectiveness of our method.

Key words: Exploit script, Control flow hijack, Return-oriented Programming, Transplanting

CLC number: TP399