面向缓解机制评估的自动化信息泄露方法
作者:
作者简介:

杨松涛(1996-),男,博士生,主要研究领域为系统软件安全,二进制攻防;王准(1999-),男,工程师,主要研究领域为软件安全,二进制攻防;陈凯翔(1995-),男,博士生,主要研究领域为安全攻防技术;张超(1986-),男,博士,长聘副教授,博士生导师,CCF高级会员,主要研究领域为软件与系统安全

通讯作者:

张超,E-mail:chaoz@tsinghua.edu.cn

中图分类号:

TP311

基金项目:

国家重点研发计划(2021YFB2701000);国家自然科学基金(61972224,U1736209)


Exploit-oriented Automated Information Leakage
Author:
  • 摘要
  • | |
  • 访问统计
  • |
  • 参考文献 [43]
  • |
  • 相似文献 [20]
  • | | |
  • 文章评论
    摘要:

    自动生成漏洞利用样本(AEG)已成为评估漏洞的最重要的方式之一,但现有方案在目标系统部署有漏洞缓解机制时受到很大阻碍.当前主流的操作系统默认部署多种漏洞缓解机制,包括数据执行保护(DEP)和地址空间布局随机化(ASLR)等,而现有AEG方案仍无法面对所有漏洞缓解情形.提出了一种自动化方案EoLeak,可以利用堆漏洞实现自动化的信息泄露,进而同时绕过数据执行保护和地址空间布局随机化防御.EoLeak通过动态分析漏洞触发样本(POC)的程序执行迹,对执行迹中的内存布局进行画像并定位敏感数据(如代码指针),进而基于内存画像自动构建泄漏敏感数据的原语,并在条件具备时生成完整的漏洞利用样本.实现了EoLeak原型系统,并在一组夺旗赛(CTF)题目和多个实际应用程序上进行了实验验证.实验结果表明,该系统具有自动化泄露敏感信息和绕过DEP及ASLR缓解机制的能力.

    Abstract:

    Automated exploit generation (AEG) has become one of the most important ways to demonstrate the exploitability of vulnerabilities. However, state-of-the-art AEG solutions in general assume that the target system has no mitigations deployed, which is not true in modern operating systems since they often deploy mitigations like data execution prevention (DEP) and address space layout randomization (ASLR). This paper presents an automated solution EoLeak, able to exploit heap vulnerabilities to leak sensitive data and bypass ASLR and DEP at the same time. At a high level, EoLeak analyzes the program execution trace of the POC input that triggers the heap vulnerability, characterizes the memory profile from the trace and locates important data (e.g., code pointers), constructs leak primitives that discloses sensitive data, and generates exploits for the entire process when possible. A prototype of EoLeakis implemented and it is evaluated on a set of CTF binary programs and several real-world applications. Evaluation results show that EoLeak is effective in terms of leaking data and generating exploits.

    参考文献
    [1] Liu J, Su PR, Yang M, He L, Zhang Y, Zhu XY, Lin HM. Software and cyber security-A survey. Ruan Jian Xue Bao/Journal of Software, 2018, 29(1):42-68(in Chinese with English abstract). http://www.jos.org.cn/1000-9825/5320.htm[doi:10.13328/j.cnki. jos.005320]
    [2] Zhao SR, Li XJ, Fang Y, Yu YP, Huang WH, Chen K, Su PR, Zhang YQ. A survey on automated exploit generation. Computer Research and Development, 2019, 56(10):2097-2111(in Chinese with English abstract).[doi:10.7544/issn1000-1239.2019. 20190655]
    [3] Heelan S. Automatic generation of control flow hijacking exploits for software vulnerabilities[MS. Thesis]. Oxford:University of Oxford, 2009.
    [4] Avgerinos T, Cha SK, Rebert A, Schwartz EJ, Woo M, Brumley D. Automatic exploit generation. Communications of the ACM, 2014, 57(2):74-84.[doi:10.1145/2560217.2560219]
    [5] Cha SK, Avgerinos T, Rebert A, Brumley D. Unleashing mayhem on binary code. In:Proc. of the 2012 IEEE Symp. on Security and Privacy. San Francisco:IEEE, 2012. 380-394.[doi:10.1109/SP.2012.31]
    [6] Schwartz EJ, Avgerinos T, Brumley D. Q:Exploit hardening made easy. In:Proc. of the 20th USENIX Security Symp. San Francisco:USENIX Association, 2011.
    [7] Huang SK, Huang MH, Huang PY, Lai CW, Lu HL, Leong WM. CRAX:Software crash analysis for automatic exploit generation by modeling attacks as symbolic continuations. In:Proc. of the 6th IEEE Int'l Conf. on Software Security and Reliability. Gaithersburg:IEEE, 2012. 78-87.[doi:10.1109/SERE.2012.20]
    [8] Caselden D, Bazhanyuk A, Payer M, Szekeres L, McCamant S, Song D. Transformation-aware exploit generation using a HI-CFG. University Berkeley, Department of Electrical Engineering and Computer Science, 2013.[doi:10.21236/ADA587051]
    [9] Heelan S, Melham T, Kroening D. Automatic heap layout manipulation for exploitation. In:Proc. of the 27th USENIX Security Symp. Baltimore:USENIX Association, 2018. 763-779.
    [10] Heelan S, Melham T, Kroening D. Gollum:Modular and greybox exploit generation for heap overflows in interpreters. In:Proc. of the 2019 ACM SIGSAC Conf. on Computer and Communications Security. London:ACM, 2019. 1689-1706.[doi:10.1145/3319535.3354224]
    [11] Wang Y, Zhang C, Zhao Z, Zhang B, Gong X, Zou W. MAZE:Towards automated heap feng shui. In:Proc. of the 30th USENIX Security Symp. Virtual:USENIX Association, 2021. 1647-1664.
    [12] Wang Y, Zhang C, Xiang X, Zhao Z, Li W, Gong X, Liu B, Chen K, Zou W. Revery:From proof-of-concept to exploitable. In:Proc. of the 2018 ACM SIGSAC Conf. on Computer and Communications Security. Toronto:ACM, 2018. 1914-1927.[doi:10. 1145/3243734.3243847]
    [13] Chen W, Zou X, Li G, Qian Z. KOOBE:Towards facilitating exploit generation of kernel out-of-bounds write vulnerabilities. In:Proc. of the 29th USENIX Security Symp. Virtual:USENIX Association, 2020. 1093-1110.
    [14] Wu W, Chen Y, Xu J, Xing X, Gong X, Zou W. FUZE:Towards facilitating exploit generation for kernel use-after-free vulnerabilities. In:Proc. of the 27th USENIX Security Symp. Baltimore:USENIX Association, 2018. 781-797.
    [15] Ning G, Zhang T, Wen W, Mei R. Study of non-heapspray IE's vulnerability exploitation technique. Netinfo Security, 2014(6):39-42(in Chinese with English abstract).[doi:10.3969/j.issn.1671-1122.2014.06.007]
    [16] van de Ven A. New Security Enhancements in Red Hat Enterprise Linux v.3, update 3. Raleigh:Red Hat, 2004.
    [17] Cowan C, Pu C, Maier D, Walpole J, Bakke P. StackGuard:Automatic adaptive detection and prevention of buffer-overflow attacks. In:Proc. of the 7th USENIX Security Symp. San Antonio:USENIX Association, 1998. 63-78.
    [18] PaX T. PaX address space layout randomization (ASLR). 2003. http://pax.grsecurity.net/docs/aslr.txt
    [19] Abadi M, Budiu M, Erlingsson U, Ligatti J. Control-flow integrity principles, implementations, and applications. ACM Trans. on Information and System Security, 2009, 13(1):1-40.[doi:10.1145/1609956.1609960]
    [20] Burow N, Carr SA, Nash J, Larsen P, Franz M, Brunthaler S, Payer M. Control-flow integrity:Precision, security, and performance. ACM Computing Serveys, 2017, 50(1):1-33.[doi:10.1145/3054924]
    [21] Tice C, Roeder T, Collingbourne P, Checkoway S, Erlingsson U, Lozano L, Pike G. Enforcing forward-edge control-flow integrity in GCC& LLVM. In:Proc. of the 23rd USENIX Security Symp. San Diego:USENIX Association, 2014. 941-955.
    [22] Brumley D, Poosankam P, Song D, Zheng J. Automatic patch-based exploit generation is possible:Techniques and implications. In:Proc. of the 2008 IEEE Symp. on Security and Privacy. Oakland:IEEE, 2008. 143-157.[doi:10.1109/SP.2008.17]
    [23] Wang M, Su P, Li Q, Ying L, Yang Y, Feng D. Automatic polymorphic exploit generation for software vulnerabilities. In:Zia T, ed. Proc. of the Security and Privacy in Communication Networks. Cham:Springer Int'l Publishing, 2013. 216-233.
    [24] Bao T, Wang R, Shoshitaishvili Y, Brumley D. Your exploit is mine:Automatic shellcode transplant for remote exploits. In:Proc. of the 2017 IEEE Symp. on Security and Privacy. San Jose:IEEE, 2017. 824-839.[doi:10.1109/SP.2017.67]
    [25] Wu W, Chen Y, Xing X, Zou W. KEPLER:Facilitating control-flow hijacking primitive evaluation for Linux kernel vulnerabilities. In:Proc. of the 28th USENIX Security Symp. Santa Clara:USENIX Association, 2019. 1187-1204.
    [26] Fang H, Wu L, Wu Z. Automatic return-to-dl-resolve exploit generation method based on symbolic execution. Computer Science, 2019, 46(2):127-132(in Chinese with English abstract).[doi:10.11896/j.issn.1002-137X.2019.02.020]
    [27] Dolan-Gavitt B, Hodosh J, Hulin P, Leek T, Whelan R. Repeatable reverse engineering with PANDA. In:Proc. of the 5th Program Protection and Reverse Engineering Workshop. Los Angeles:ACM, 2015.[doi:10.1145/2843859.2843867]
    [28] Chen K, Zhang C, Yin T, Chen X, Zhao L. VScape:Assessing and escaping virtual call protections. In:Proc. of the 30th USENIX Security Symp. Virtual:USENIX Association, 2021. 1719-1736.
    [29] Brumley D, Jager I, Avgerinos T, Schwartz EJ. BAP:A binary analysis platform. In:Gopalakrishnan G, ed. Proc. of the Computer Aided Verification. Berlin:Springer, 2011. 463-469.[doi:10.1007/978-3-642-22110-1_37]
    [30] Hu H, Chua ZL, Adrian S, Saxena P, Liang Z. Automatic generation of data-oriented exploits. In:Proc. of the 24th USENIX Security Symp. Washington:USENIX Association, 2015. 177-192.
    [31] Hu H, Shinde S, Adrian S, Chua ZL, Saxena P, Liang Z. Data-oriented programming:On the expressiveness of non-control data attacks. In:Proc. of the 2016 IEEE Symp. on Security and Privacy. San Jose:IEEE, 2016. 969-986.[doi:10.1109/SP.2016.62]
    [32] Ispoglou KK, AlBassam B, Jaeger T, Payer M. Block oriented programming:Automating data-only attacks. In:Proc. of the 2018 ACM SIGSAC Conf. on Computer and Communications Security. Toronto:ACM, 2018. 1868-1882.
    [33] Clause J, Li W, Orso A. Dytan:A generic dynamic taint analysis framework. In:Proc. of the 2007 Int'l Symp. on Software Testing and Analysis. London:ACM, 2007. 196-206.[doi:10.1145/1273463.1273490]
    [34] Kemerlis VP, Portokalidis G, Jee K, Keromytis AD. libdft:Practical dynamic data flow tracking for commodity systems. In:Proc. of the 8th ACM SIGPLAN/SIGOPS Conf. on Virtual Execution Environments. New York:ACM, 2012. 121-132.
    [35] Schwartz EJ, Avgerinos T, Brumley D. All you ever wanted to know about dynamic taint analysis and forward symbolic execution (bug might have been afraid to ask). In:Proc. of the 2010 IEEE Symp. on Security and Privacy. Oakland:IEEE, 2010. 317-331.[doi:10.1109/SP.2010.26]
    [36] Chua ZL, Wang Y, Baluta T, Saxena P, Liang Z, Su P. One engine to serve'em all:Inferring taint rules without architectural semantics. In:Proc. of the Network and Distributed System Security Symp. San Diego:Internet Society, 2019.[doi:10.14722/ndss. 2019.23339]
    [37] Song D, Brumley D, Yin H, Caballero J, Jager I, Kang MG, Liang Z, Newsome J, Poosankam P, Saxena P. BitBlaze:A new approach to computer security via binary analysis. In:Sekar R, ed. Proc. of the Information Systems Security. Berlin:Springer, 2008. 1-25.[doi:10.1007/978-3-540-89862-7_1]
    [38] Saudel F, Salwan J. Triton:Concolic execution framework. In:Proc. of the Rennes:Symp. sur la Sécurité des Technologies de l'Information et des Communications, 2015.
    [39] She D, Chen Y, Shah A, Ray B, Jana S. Neutaint:Efficient dynamic taint analysis with neural networks. In:Proc. of the 2020 IEEE Symp. on Security and Privacy. San Francisco:IEEE, 2020. 1527-1543.[doi:10.1109/SP40000.2020.00022]
    附中文参考文献:
    [1] 刘剑,苏璞睿,杨珉,和亮,张源,朱雪阳,林惠民.软件与网络安全研究综述.软件学报, 2018, 29(1):42-68. http://www.jos. org.cn/1000-9825/5320.htm[doi:10.13328/j.cnki.jos.005320]
    [2] 赵尚儒,李学俊,方越,余媛萍,黄伟豪,陈恺,苏璞睿,张玉清.安全漏洞自动利用综述.计算机研究与发展, 2019, 56(10):2097-2111.[doi:10.7544/issn1000-1239.2019.20190655]
    [15] 宁戈,张涛,文伟平,梅瑞.一种非堆喷射的IE浏览器漏洞利用技术研究.信息网络安全, 2014(6):39-42.[doi:10.3969/j.issn. 1671-1122.2014.06.007]
    [26] 方皓,吴礼发,吴志勇.基于符号执行的Return-to-dl-resolve利用代码自动生成方法.计算机科学, 2019, 46(2):127-132.[doi:10.11896/j.issn.1002-137X.2019.02.020]
    引证文献
    网友评论
    网友评论
    分享到微博
    发 布
引用本文

杨松涛,陈凯翔,王准,张超.面向缓解机制评估的自动化信息泄露方法.软件学报,2022,33(6):2082-2096

复制
分享
文章指标
  • 点击次数:1428
  • 下载次数: 4154
  • HTML阅读次数: 2686
  • 引用次数: 0
历史
  • 收稿日期:2021-09-05
  • 最后修改日期:2021-10-15
  • 在线发布日期: 2022-01-28
  • 出版日期: 2022-06-06
文章二维码
您是第19705231位访问者
版权所有:中国科学院软件研究所 京ICP备05046678号-3
地址:北京市海淀区中关村南四街4号,邮政编码:100190
电话:010-62562563 传真:010-62562533 Email:jos@iscas.ac.cn
技术支持:北京勤云科技发展有限公司

京公网安备 11040202500063号