二进制程序整型溢出漏洞的自动验证方法

doi:10.3969/j.issn.1671-1122.2017.05.003

信息网络安全 ›› 2017, Vol. 17 ›› Issue (5): 14-21.doi: 10.3969/j.issn.1671-1122.2017.05.003

二进制程序整型溢出漏洞的自动验证方法

彭建山^1,²(), 奚琪^1,², 王清贤^1,²

1.解放军信息工程大学,河南郑州 450002
2.数学工程与先进计算国家重点实验室,河南郑州 450002

收稿日期:2017-04-15 出版日期:2017-05-20 发布日期:2020-05-12
作者简介:
作者简介：彭建山（1979—）,男,江西,副教授,博士研究生,主要研究方向为网络空间安全;奚琪（1978—）,男,河南,副教授,博士,主要研究方向为网络空间安全;王清贤（1960—） ,男,河南,教授,硕士,主要研究方向为网络空间安全。
基金资助:
河南省自然科学基金[162300410187]

Automatic Exploitation of Integer Overflow Vulnerabilities in Binary Programs

Jianshan PENG^1,²(), Qi XI^1,², Qingxian WANG^1,²

1. PLA Information Engineering University, Zhengzhou Henan 450002, China
2. State Key Laboratory of Mathematics Engineering and Advanced Computing, Zhengzhou Henan 450002, China

Received:2017-04-15 Online:2017-05-20 Published:2020-05-12

摘要/Abstract

摘要：

整型溢出漏洞已成为威胁软件安全的第二大类漏洞,现有的整型溢出漏洞挖掘工具不支持自动验证漏洞,且现有的漏洞自动验证工具不支持整型溢出漏洞模式。因此,文章提出了一种二进制程序整型溢出漏洞的自动验证方法以填补这一空白。针对整型溢出漏洞中有价值的IO2BO漏洞,为避免程序在缓冲区溢出过程中发生Crash导致无法劫持控制流,通过污点分析建立可疑污点集合以缩小待分析污点范围,利用污点回溯技术追踪污点来源,通过符号执行收集内存读写操作的循环条件,控制循环次数以覆盖堆栈关键数据,最后通过约束求解生成新样本,将IO2BO漏洞的自动验证问题转化为传统缓冲区溢出漏洞的自动验证。实验证明该方法能够自动验证典型的IO2BO漏洞,生成能够劫持控制流并执行任意代码的新样本。

关键词: 漏洞验证, 符号执行, 污点分析, 整型溢出, 缓冲区溢出

Abstract:

Integer overflow vulnerabilities have become the second largest threat to software security. The existing tools for mining integer overflow vulnerability do not support automatic exploitation. Neither do the automatic exploitation tools support integer overflow vulnerability. To fill the gaps we proposes an automatic exploitation method of integer overflow vulnerabilities in binary programs. Aiming at the valuable IO2BO vulnerability of integer overflow, firstly trying to avoid crashing in the process of buffer overflow, which would make hijacking control-flow fail. Secondly building suspicious taint set to reduce the scope of taints. Thirdly collecting the loops condition of reading and writing memory by taint analysis and symbolic execution. Lastly overwriting the critical data in the stack and heap by controlling the number of loops and generating new samples for testing by solving constraint. The proposed method can transform the automatic exploitation of IO2BO vulnerability into that of traditional buffer overflow vulnerability. The test results show that this method work well for the typical IO2BO vulnerabilities and could generate new samples for hijacking the control-flow of testing programs.

Key words: vulnerability exploitation, symbolic execution, taint analysis, integer overflow, buffer overflow

中图分类号:

TP311

彭建山, 奚琪, 王清贤. 二进制程序整型溢出漏洞的自动验证方法[J]. 信息网络安全, 2017, 17(5): 14-21.

Jianshan PENG, Qi XI, Qingxian WANG. Automatic Exploitation of Integer Overflow Vulnerabilities in Binary Programs[J]. Netinfo Security, 2017, 17(5): 14-21.

图/表 7

参考文献 22

[1]	高川,严寒冰,贾子骁. 基于特征的网络漏洞态势感知方法研究[J]. 信息网络安全,2016(12):28-33.
[2]	CHRISTEY S, MARTIN R A. Vulnerability Type Distributions in CVE[EB/OL]. .
[3]	WANG T L, WEI T, LIN Z Q, et al. IntScope: Automatically Detecting Integer Overflow Vulnerability in X86 Binary Using Symbolic Execution[EB/OL].2009-2-11/2017-4-5.
[4]	MOLNAR D, LI X C, WAGNER D A.Dynamic Test Generation to Find Integer Bugs in x86 Binary Linux Programs[C]// USENIX SSYM’09 Proceedings of the 18th Conference on USENIX Security Symposium, August 10-14, 2009, Montreal, Canada. Berkeley:USENIX ,2009:67-82.
[5]	CHEN P, HAN H, WANG Y, et al.IntFinder: Automatically Detecting Integer Bugs in x86 Binary Program[C]// Springer. ICICS’09 Proceedings of the 11th International Conference on Information and Communications Security, December 14-17, 2009, Beijing, China. Berlin, Heidelberg:Springer, 2009:336-345.
[6]	STELIOS S D, ERIC L, NATHAN R, et al.Targeted Automatic Integer Overflow Discovery Using Goal-Directed Conditional Branch Enforcement[J]. ACM Sigplan Notices, 2015, 50(4):473-486.
[7]	JAMES N, DAWN S.Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software[C]// Network and Distributed System Security Symposium, February 3-4, 2005, San Diego, California, USA. DBLP, 2005.Beijing:Chinese Journal of Engineering Mathematics , 2012 :720-724.
[8]	GODEFROID P, LEVIN M Y, MOLNAR D A. Automated Whitebox Fuzz Testing[EB/OL]. , 2017-4-5.
[9]	BRUMLEY D, POOSANKAM P, SONG D, et al.Automatic Patch-Based Exploit Generation is Possible: Techniques and Implications[C]// IEEE. Security and Privacy, May 18-21, 2008, Oakland, California, USA. New York:IEEE, 2008:143-157.
[10]	HEELAN S, KROENING D. Automatic Generation of Control Flow Hijacking Exploits for Software Vulnerabilities[EB/OL]. https://www.mendeley.com/research-papers/automatic-generation-control-flow-hijacking-exploits-software-vulnerabilities,2017-4-5.
[11]	SANG K C, AVGERINOS T, REBERT A, et al.Unleashing Mayhem on Binary Code[C]// IEEE. Security and Privacy, May 20-23, 2012, San Francisco, California, USA. New York:IEEE, 2012:380-394.
[12]	HUANG S K, HUANG M H, HUANG P Y, et al.CRAX: Software Crash Analysis for Automatic Exploit Generation by Modeling Attacks as Symbolic Continuations[C]// IEEE. Sixth International Conference on Software Security and Reliability, June 20-22, 2012, Washington, D.C., USA. New York:IEEE, 2012:78-87.
[13]	AHMAD D.The Rising Threat of Vulnerabilities Due to Integer Errors[C]// IEEE. Security and Privacy, May 11-14, 2003, Oakland, California, USA. New York:IEEE, 2003:77-82.
[14]	LEE J, AVGERINOS T, BRUMLEY D. TIE: Principled Reverse Engineering of Types in Binary Programs[EB/OL]. , 2017-4-5.
[15]	LIN Z, ZHANG X, XU D. Automatic Reverse Engineering of Data Structures from Binary Execution[EB/OL]. 2017-4-5.
[16]	DEBRARY S, MUTH R, WEIPPERT M.Alias Analysis of Executable Code[C]// ACM. POPL ‘98 Proceedings of the 25th ACM SIGPLAN-SIGACT symposium on Principles of programming languages, January 19 - 21, 1998, San Diego, California, USA. New York:ACM, 1998:12-24.
[17]	ZHANG C, WANG T, WEI T, et al.IntPatch: Automatically Fix Integer-Overflow-to-Buffer-Overflow Vulnerability at Compile-Time[C]// Springer.European Symposium on Research in Computer Security, September 20-22, 2010, Athens, Greece. Berlin, Heidelberg:Springer, 2010:71-86.
[18]	BRUMLEY D, JAGER I, AVGERINOS T, et al.BAP: A Binary Analysis Platform[C]// Springer.International Conference on Computer Aided Verification, July 14-20, 2011, Snowbird, Utah, USA. Berlin, Heidelberg:Springer, 2011:463-469.
[19]	KAMINSKY D, FERGUSON J, LARSEN J, et al.Reverse Engineering Code with IDA Pro[J]. Journal of the Royal Society for the Promotion of Health, 2008, 123(4):210-215.
[20]	SONG D, BRUMLEY D, YIN H, et al.BitBlaze: A New Approach to Computer Security via Binary Analysis[C]// Springer .Information Systems Security, December 16-20, 2008, Hyderabad, India. Berlin, Heidelberg:Springer, 2008:1-25.
[21]	Pin - A Dynamic Binary Instrumentation Tool[EB/OL]., 2015-1-30/2017-4-5.
[22]	陈颖聪,陈广清,陈智明,等. 面向智能电网SDN的二进制代码分析漏洞扫描方法研究[J]. 信息网络安全,2016(7):35-39.

二进制程序整型溢出漏洞的自动验证方法

Automatic Exploitation of Integer Overflow Vulnerabilities in Binary Programs

RichHTML

PDF (PC)

可视化

摘要/Abstract

引用本文

使用本文

图/表 7

参考文献 22

相关文章 10

编辑推荐

Metrics

本文评价

[1]	陈虎, 周瑶, 赵军锁. 针对特定文件结构和关键指令的符号执行优化方法[J]. 信息网络安全, 2018, 18(9): 86-94.
[2]	达小文, 毛俐旻, 吴明杰, 郭敏. 一种基于补丁比对和静态污点分析的漏洞定位技术研究[J]. 信息网络安全, 2017, 17(9): 5-5.
[3]	王夏菁, 胡昌振, 马锐, 高欣竺. 二进制程序漏洞挖掘关键技术研究综述[J]. 信息网络安全, 2017, 17(8): 1-13.
[4]	许子先, 罗建, 孟楠, 赵相楠. 工业控制系统组态软件安全研究[J]. 信息网络安全, 2017, 17(7): 73-79.
[5]	宋铮, 王永剑, 金波, 林九川. 二进制程序动态污点分析技术研究综述[J]. 信息网络安全, 2016, 16(3): 77-83.
[6]	崔化良;兰芸;崔宝江. 动态污点分析技术在ActiveX控件漏洞挖掘上的应用[J]. , 2013, 13(12): 0-0.
[7]	高传平;赵利军;谈利群. 缓冲区溢出的软件安全性测试技术研究[J]. , 2012, 12(8): 0-0.
[8]	时志伟;李小军. 基于信息流分析的源代码漏洞挖掘技术研究[J]. , 2011, 11(11): 0-0.
[9]	李振汕. 缓冲区溢出类黑客攻击与防御措施研究[J]. , 2010, (4): 0-0.
[10]	周虎生;文伟平. 基于Windows平台的RPC缓冲区溢出漏洞研究[J]. , 2009, 9(5): 0-0.