Computer Science, 2022, Vol. 49, Issue (11): 326-334. doi: 10.11896/jsjkx.211200039

• Information Security

Automatic Analysis Technology of Kernel Vulnerability Attack Based on Finite State Machine

LIU Pei-wen 1, SHU Hui 2, LYU Xiao-shao 2, ZHAO Yun-tian 2

  1. School of Cyber Science and Engineering, Zhengzhou University, Zhengzhou 450001, China
  2. State Key Laboratory of Mathematical Engineering and Advanced Computing, Information Engineering University, Zhengzhou 450001, China
  • Received: 2021-12-03 Revised: 2022-04-22 Online: 2022-11-15 Published: 2022-11-03
  • About author: LIU Pei-wen, born in 1997, postgraduate. His main research interests include cyber security and reverse engineering.
    SHU Hui, born in 1974, Ph.D, professor, Ph.D supervisor. His main research interests include cyber security and reverse engineering.
  • Supported by: National Key R & D Program of China (2019QY1305).

Abstract: Kernel vulnerability attacks are a common way of attacking operating systems, and analysis of each attack stage is the key to defending against them. Because kernel vulnerability types, trigger paths and exploitation modes are complex and varied, the attack process of a kernel vulnerability is difficult to analyze. Moreover, existing analysis work focuses mainly on forward program analysis methods such as taint analysis, whose efficiency is low. To improve analysis efficiency, this paper implements an automatic analysis technique for kernel vulnerability attacks based on a finite state machine. First, a state transition diagram of the kernel vulnerability attack is constructed as the key basis for analysis. Second, the idea of reverse analysis is introduced, and a reverse analysis model of the kernel vulnerability attack process based on a finite state machine is established, which reduces unnecessary analysis cost. Finally, based on this model, a reverse analysis method for kernel vulnerability attacks is implemented, which can automatically and quickly analyze the kernel vulnerability attack process. Tests on 10 attack samples show that the reverse analysis method accurately obtains the key code execution information and, compared with the traditional forward analysis method, greatly improves analysis efficiency.

Key words: Kernel vulnerability, Vulnerability exploit, Privilege escalation attack, Reverse analysis, Vulnerability trigger point positioning

CLC Number: TP393