Netinfo Security ›› 2017, Vol. 17 ›› Issue (5): 14-21. doi: 10.3969/j.issn.1671-1122.2017.05.003

An Automatic Verification Method for Integer Overflow Vulnerabilities in Binary Programs

Jianshan PENG1,2, Qi XI1,2, Qingxian WANG1,2

  1. PLA Information Engineering University, Zhengzhou, Henan 450002
  2. State Key Laboratory of Mathematics Engineering and Advanced Computing, Zhengzhou, Henan 450002
  • Received: 2017-04-15 Online: 2017-05-20 Published: 2020-05-12
  • About the authors: Jianshan Peng (born 1979), male, from Jiangxi, associate professor and doctoral candidate; main research area: cyberspace security. Qi Xi (born 1978), male, from Henan, associate professor, Ph.D.; main research area: cyberspace security. Qingxian Wang (born 1960), male, from Henan, professor, master's degree; main research area: cyberspace security.

  • Funding:
    Natural Science Foundation of Henan Province [162300410187]

Automatic Exploitation of Integer Overflow Vulnerabilities in Binary Programs

Jianshan PENG1,2, Qi XI1,2, Qingxian WANG1,2

  1. PLA Information Engineering University, Zhengzhou, Henan 450002, China
  2. State Key Laboratory of Mathematics Engineering and Advanced Computing, Zhengzhou, Henan 450002, China
  • Received: 2017-04-15 Online: 2017-05-20 Published: 2020-05-12

Abstract (translated from the Chinese):

Integer overflow vulnerabilities have become the second largest category of vulnerabilities threatening software security. Existing integer overflow vulnerability discovery tools do not support automatic verification of the vulnerabilities they find, and existing automatic vulnerability verification tools do not support integer overflow vulnerability patterns. This paper therefore proposes an automatic verification method for integer overflow vulnerabilities in binary programs to fill this gap. It targets IO2BO vulnerabilities, the valuable class of integer overflow vulnerabilities. To prevent the program from crashing during the buffer overflow, which would make control-flow hijacking impossible, the method builds a suspicious taint set through taint analysis to narrow the range of taints to be analysed, uses taint backtracking to trace the source of each taint, collects the loop conditions of memory read and write operations through symbolic execution, controls the number of loop iterations so as to overwrite critical data on the stack and heap, and finally generates new samples by constraint solving. In this way the automatic verification of IO2BO vulnerabilities is transformed into the automatic verification of traditional buffer overflow vulnerabilities. Experiments show that the method can automatically verify typical IO2BO vulnerabilities and generate new samples that hijack control flow and execute arbitrary code.

Keywords: vulnerability verification, symbolic execution, taint analysis, integer overflow, buffer overflow

Abstract:

Integer overflow vulnerabilities have become the second largest threat to software security. Existing tools for discovering integer overflow vulnerabilities do not support automatic exploitation, and existing automatic exploitation tools do not support integer overflow vulnerabilities. To fill this gap, we propose an automatic exploitation method for integer overflow vulnerabilities in binary programs. Aiming at IO2BO, the valuable class of integer overflow vulnerability, the method first tries to avoid a crash during the buffer overflow, since a crash would make control-flow hijacking fail. Second, it builds a suspicious taint set to reduce the scope of taints. Third, it collects the loop conditions of memory reads and writes by taint analysis and symbolic execution. Lastly, it overwrites the critical data in the stack and heap by controlling the number of loop iterations and generates new test samples by constraint solving. The proposed method thus transforms the automatic exploitation of IO2BO vulnerabilities into that of traditional buffer overflow vulnerabilities. The test results show that the method works well for typical IO2BO vulnerabilities and can generate new samples that hijack the control flow of the tested programs.

Key words: vulnerability exploitation, symbolic execution, taint analysis, integer overflow, buffer overflow
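The IO2BO pattern the abstract targets, shown as an added C example that is not code from the paper: a 32-bit size computation wraps, so a parser would allocate far less than its element loop later writes, while a checked size computation rejects the same header before any allocation. The record header layout, the sample headers and the size cap are constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed record header as read from an untrusted input file:
 * both fields are attacker-controlled (hypothetical format). */
struct rec_hdr {
    uint32_t count;
    uint32_t elem_size;
};

#define MAX_TOTAL_BYTES (1u << 20) /* hypothetical sane upper bound */

/* Constructed sample headers: one benign, one whose product wraps. */
static const struct rec_hdr SAMPLE_OK  = { 16u, 4u };
static const struct rec_hdr SAMPLE_BAD = { 0x40000001u, 4u };

/* IO2BO-prone size computation: the 32-bit product wraps silently,
 * so a huge count yields a tiny allocation size (4 bytes for SAMPLE_BAD). */
static uint32_t total_size_unchecked(const struct rec_hdr *h)
{
    return h->count * h->elem_size;
}

/* Bytes that a per-element copy loop driven by h->count would write past
 * an allocation of the wrapped size; 0 means the loop stays in bounds. */
static uint64_t overrun_bytes(const struct rec_hdr *h)
{
    uint64_t needed = (uint64_t)h->count * h->elem_size;
    uint64_t allocated = total_size_unchecked(h);
    return needed > allocated ? needed - allocated : 0;
}

/* Hardened size computation: reject a product that cannot be represented
 * in 32 bits, then cap it at a sane maximum, before allocating anything. */
static bool total_size_checked(const struct rec_hdr *h, uint32_t *out)
{
    if (h->elem_size == 0 || h->count == 0)
        return false;
    if (h->count > UINT32_MAX / h->elem_size)
        return false; /* count * elem_size would wrap */
    uint32_t total = h->count * h->elem_size;
    if (total > MAX_TOTAL_BYTES)
        return false;
    *out = total;
    return true;
}

/* Convenience wrapper: the checked size, or 0 when the header is rejected. */
static uint32_t total_size_or_zero(const struct rec_hdr *h)
{
    uint32_t n;
    return total_size_checked(h, &n) ? n : 0;
}
```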
