Abstract
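In recent years, software vulnerabilities have become a core element of system security and of attack-defense confrontation. As software grows in quantity and in scale and complexity, the number of vulnerabilities rises year by year, and vulnerability analysis and exploit generation that depend on manual work can no longer meet practical needs; automatic vulnerability analysis and exploit generation is a hard problem in urgent need of a solution. Existing research has already produced relevant results. This article reviews current research progress in automatic software vulnerability exploitation from four aspects: automatic exploitation of control-flow hijacking vulnerabilities, automatic analysis and exploitation of heap vulnerabilities, automated methods for countering security mechanisms, and comprehensive frameworks for automatic vulnerability exploitation. It then analyzes future trends in automatic software vulnerability exploitation.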
With the complexity of software increasing year by year, software security vulnerabilities have become one of the root factors of cyber-security threats. However, manual effort alone can hardly meet the needs of vulnerability analysis and exploitation. To analyze and exploit vulnerabilities automatically and in time, researchers have proposed several techniques, some of which achieve good results. This paper summarizes recent advances in four aspects: automatic exploitation of control flow hijacking vulnerabilities, automatic analysis and exploitation of heap-oriented vulnerabilities, automatic countermeasures against security mechanisms, and comprehensive frameworks for automatic vulnerability exploitation. Finally, we summarize the trends in automatic software vulnerability exploitation to shed light on potential future directions.
Authors
苏璞睿
黄桦烽
余媛萍
张涛
SU Pu-rui; HUANG Hua-feng; YU Yuan-ping; ZHANG Tao (Trusted Computing and Information Assurance Laboratory, Institute of Software, Chinese Academy of Sciences, Beijing 100190, China; School of Computer Science and Technology, University of Chinese Academy of Sciences, Beijing 100190, China; China Information Technology Security Evaluation Center, Beijing 100085, China)
Source
《广州大学学报(自然科学版)》
CAS
2019, No. 3, pp. 52-58 (7 pages)
Journal of Guangzhou University:Natural Science Edition
Funding
Supported by the National Natural Science Foundation of China (U1736209, 61572483, U1836117, U1836113)
Keywords
vulnerability
control flow hijacking
security mechanism
automatic exploitation