
Identifying Alias Relationship between Built-in Objects of Script Engine Based on the Discovery of Data Structure Signatures

Cited by: 2
Abstract: More and more software products provide an embedded script engine so that users can programmatically invoke program functions from a scripting language. Besides supporting the standard language specification, an embedded script engine also exposes a set of extended application programming interfaces (APIs) and built-in objects. While enriching the software's functionality, the script engine also introduces additional attack surface, and most of the embedded script engine vulnerabilities disclosed in recent years relate to these extended APIs and built-in objects. Existing detection techniques for script engine vulnerabilities can only find bugs in the shallow parsing layers of the engine; they fail to effectively detect deep vulnerabilities that involve alias relationships between built-in objects, such as use-after-free (UAF) vulnerabilities. Detecting UAF vulnerabilities caused by object aliasing requires solving two technical challenges: first, how to efficiently identify alias relationships between built-in objects; second, how to use the identified alias relationships to detect UAF vulnerabilities in the script engine. To this end, this paper designs a method that identifies alias relationships between built-in objects based on the discovery of data structure signatures, and proposes a detection scheme that uses those alias relationships to constructively trigger UAF vulnerabilities. Data structure signatures of built-in objects are used to raise the efficiency of alias identification, and memory regions shared between built-in objects are introduced to help trigger UAFs. To validate the scheme, experiments were conducted on the embedded JavaScript engine of Adobe Reader. The method identified 284 pairs of aliased built-in objects and detected four previously unknown UAF vulnerabilities, which the vendor confirmed and fixed. The results show that the method effectively identifies alias relationships between built-in objects and can be successfully applied to UAF detection in embedded script engines.
Authors: ZHANG Yiwei (张羿伟), YOU Wei (游伟), LIANG Bing (梁彬), WAN Xinyu (万欣宇), GUO Suyue (郭苏越) (School of Information, Renmin University of China, Beijing 100872, China)
Source: Journal of Cyber Security (信息安全学报), CSCD, 2022, No. 4, pp. 71-89 (19 pages)
Funding: National Natural Science Foundation of China (No. 62002361, No. U1836209)
Keywords: script engine; alias relationship; data structure signatures; vulnerability detection
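The two steps the abstract describes, identifying aliased built-in objects from data structure signatures and then constructively triggering a UAF through the native region the aliases share, modeled as an added C example. This is not the paper's implementation and not Adobe Reader's engine: the object layouts, the "BUFF" tag, and the names doc.stream, doc.streamView and doc.meta are assumptions constructed for this illustration, and the release step poisons the backing structure instead of freeing it so that the dangling access through the second alias stays well-defined and can be reported rather than crash.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define BUF_MAGIC 0x42554646u  /* "BUFF": fixed tag every live buffer carries at offset 0 (assumed) */

/* Native state a script engine keeps behind a built-in object (hypothetical layout). */
typedef struct {
    uint32_t magic;   /* constant tag: part of the structure's signature */
    size_t   len;
    char    *data;
    int      freed;   /* model-only flag; a real engine would poison or quarantine instead */
} NativeBuffer;

/* A built-in object as exposed to script: a header plus a pointer into native state. */
typedef struct {
    const char   *name;     /* script-visible name, constructed for this example */
    uint32_t      kind;
    NativeBuffer *backing;  /* the field whose value betrays aliasing between objects */
} BuiltinObject;

/* Data structure signature: layout-stable facts read from a live object. */
typedef struct { uint32_t kind, backing_magic; uintptr_t backing_addr; } Signature;

Signature extract_signature(const BuiltinObject *o) {
    Signature s = { o->kind, 0, 0 };
    if (o->backing != NULL) {
        s.backing_magic = o->backing->magic;
        s.backing_addr  = (uintptr_t)o->backing;
    }
    return s;
}

/* Two built-ins alias when their signatures resolve to the same correctly tagged region. */
int is_alias(const BuiltinObject *a, const BuiltinObject *b) {
    Signature sa = extract_signature(a), sb = extract_signature(b);
    return sa.backing_magic == BUF_MAGIC && sb.backing_magic == BUF_MAGIC
        && sa.backing_addr != 0 && sa.backing_addr == sb.backing_addr;
}

/* Check every unordered pair; record the aliasing ones and return how many there are. */
int find_alias_pairs(const BuiltinObject *objs, int n, int pairs[][2], int max_pairs) {
    int found = 0;
    for (int i = 0; i < n; i++)
        for (int j = i + 1; j < n; j++)
            if (is_alias(&objs[i], &objs[j])) {
                if (found < max_pairs) { pairs[found][0] = i; pairs[found][1] = j; }
                found++;
            }
    return found;
}

/* Script-level release through one handle tears the native buffer down. The struct itself
 * is kept and flagged so that a later access through another alias stays well-defined. */
void release_builtin(BuiltinObject *o) {
    if (o->backing == NULL || o->backing->freed) return;
    free(o->backing->data);
    o->backing->data  = NULL;
    o->backing->magic = 0xDEADDEADu;  /* poison the tag, as a hardened engine would */
    o->backing->freed = 1;
}

/* Script-level access through a handle. Returns 1 if the access would be a use-after-free. */
int access_builtin(const BuiltinObject *o) {
    if (o->backing == NULL) return 0;
    if (o->backing->freed || o->backing->magic != BUF_MAGIC) return 1;  /* dangling alias */
    volatile char first = o->backing->data[0];  /* ordinary read on a live buffer */
    (void)first;
    return 0;
}

/* Constructed scene: doc.stream and doc.streamView wrap the same native buffer,
 * doc.meta owns a private one. Names and layouts are assumptions of this example. */
static NativeBuffer shared_buf, private_buf;
static BuiltinObject scene[3];

static void init_buf(NativeBuffer *b, const char *text) {
    if (b->data != NULL) free(b->data);   /* allow the scene to be rebuilt */
    b->magic = BUF_MAGIC;
    b->len   = strlen(text);
    b->data  = malloc(b->len + 1);
    memcpy(b->data, text, b->len + 1);
    b->freed = 0;
}

static void build_scene(void) {
    init_buf(&shared_buf, "payload");
    init_buf(&private_buf, "meta");
    scene[0] = (BuiltinObject){ "doc.stream",     1, &shared_buf };
    scene[1] = (BuiltinObject){ "doc.streamView", 2, &shared_buf };
    scene[2] = (BuiltinObject){ "doc.meta",       1, &private_buf };
}

/* Step 1: alias identification over the scene. Expected: exactly one pair, (0, 1). */
int demo_find_aliases(void) {
    int pairs[4][2];
    build_scene();
    return find_alias_pairs(scene, 3, pairs, 4);
}

/* Step 2: constructive trigger. Release through one member of the identified pair, then
 * touch the other. Returns 1 when the dangling access is detected. */
int demo_trigger_uaf(void) {
    int pairs[4][2];
    build_scene();
    if (find_alias_pairs(scene, 3, pairs, 4) == 0) return 0;
    release_builtin(&scene[pairs[0][0]]);
    return access_builtin(&scene[pairs[0][1]]);
}

/* Control: the same release must not affect an object with its own backing store. */
int demo_unaliased_access(void) {
    build_scene();
    release_builtin(&scene[0]);
    return access_builtin(&scene[2]);
}
```

The signature here is deliberately minimal (a tag at a fixed offset plus the pointer found at a fixed field); the point of signature-based matching is that two objects can be compared without tracing engine-internal reference graphs, and any field whose value is stable across instances of the same layout can serve. In a real engine the release path would genuinely free the region, so the detection would rely on a quarantining allocator or a poison check rather than the flag used in this model.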