Research on PoC Refactoring of Third-party Library in Heterogeneous Environment
Abstract: Vulnerabilities in third-party libraries are widely propagated to host applications (software that uses third-party libraries), and developers of host applications usually fail to fix these vulnerabilities in a timely manner, which easily leads to security problems. To explore in depth the impact of third-party library vulnerabilities on host applications, it is particularly important to verify effectively whether a vulnerability propagated to a host application can still be triggered. The latest research applies taint analysis and symbolic execution to refactor the PoC (vulnerability-triggering code) of a third-party library so that it applies to the host application, and then verifies that the vulnerability can be triggered. However, the test environment of the third-party library and the real environment of the host application usually differ (they are heterogeneous environments), so a PoC transformed by the above methods is still hard to apply to the host application. To solve this problem, a method for PoC refactoring in heterogeneous environments is proposed, which consists of four steps. First, the execution traces produced by the original PoC are extracted in the third-party library test environment and in the host application environment respectively. Second, the two traces are compared and analysed to identify the points where the paths differ. Third, the code at each difference point is analysed and tested to identify the key variables that cause the difference. Finally, the key input fields of the PoC that can affect the state of the key variables are located; by mutating these fields, the method tries to modify the state of the key variables and align the differing paths, guiding the execution flow of the host application to the vulnerable code and thereby verifying that the vulnerability can be triggered. Experiments on 11 real-world PoCs show that the proposed method can successfully verify, in a heterogeneous environment, that the propagated vulnerability is triggerable in the host application.
Authors: SONG Wenkai (宋文凯); YOU Wei (游伟); LIANG Bin (梁彬); HUANG Jianjun (黄建军); SHI Wenchang (石文昌) (School of Information, Renmin University of China, Beijing 100872, China)
Source: Computer Science (《计算机科学》), CSCD, Peking University core journal, 2023, No. 4, pp. 277-287 (11 pages)
Funding: National Natural Science Foundation of China (62002361, U1836209).
Keywords: PoC (vulnerability-triggering code); third-party library; heterogeneous environments; refactoring
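The four-step procedure described in the abstract, as an added illustration that is not code from the paper: a toy library whose "overflow" block stands in for its vulnerable code, a host application that truncates legacy records before calling the library (so the library's original PoC no longer reaches that block), and the trace diffing, key-variable and key-field identification, and field mutation that realign the host's path. The environments, block names, the PoC and the candidate mutation values are all constructed assumptions.

```python
from itertools import product

BUF, VULN = 8, "lib:overflow"   # constructed toy: buffer size and the block standing in for the vulnerable code
POC = {"version": 1, "payload": "A" * 12}                             # constructed original library PoC
CANDIDATES = {"version": [1, 2, 3], "payload": ["A" * 12, "A" * 16]}  # constructed mutation values per field

def lib_parse(version, payload):
    # Modelled third-party library; each trace entry is (basic block, variable state at that block).
    state = {"version": version, "length": len(payload)}
    return [("lib:entry", state), (VULN if len(payload) > BUF else "lib:ok", {})]

def library_env(poc):  # library test harness: the PoC reaches the library unchanged
    return lib_parse(poc["version"], poc["payload"])

def host_env(poc):  # host application: legacy (version 1) records are truncated before the call
    payload = poc["payload"][:BUF] if poc["version"] == 1 else poc["payload"]
    return lib_parse(poc["version"], payload)

def divergence_point(t_a, t_b):
    # Step 2: index of the first block where the two paths differ (None if they are identical).
    diff = [i for i, (a, b) in enumerate(zip(t_a, t_b)) if a[0] != b[0]]
    return diff[0] if diff else (None if len(t_a) == len(t_b) else min(len(t_a), len(t_b)))

def key_variables(t_a, t_b, i):
    # Step 3: variables whose state already differs at the last common block before the divergence.
    if i == 0:  # no common prefix, so there is no shared state to compare
        return set()
    va, vb = t_a[i - 1][1], t_b[i - 1][1]
    return {v for v in va if va[v] != vb.get(v)}

def key_fields(env, poc, t_host, i, key_vars, candidates):
    # Step 4a: PoC fields whose mutation changes the state of a key variable in the host environment.
    return sorted(f for f, vals in candidates.items()
                  if any(env({**poc, f: v})[i - 1][1].get(k) != t_host[i - 1][1].get(k)
                         for v in vals for k in key_vars))

def align(env, poc, fields, candidates, target):
    # Step 4b: mutate the key fields until the host's path reaches the target (vulnerable) block.
    for combo in product(*(candidates[f] for f in fields)):
        cand = {**poc, **dict(zip(fields, combo))}
        if any(block == target for block, _ in env(cand)):
            return cand
    return None

def refactor_poc(poc, candidates, target=VULN):
    t_lib, t_host = library_env(poc), host_env(poc)   # step 1: execution traces in both environments
    i = divergence_point(t_lib, t_host)
    if i is None:                                     # paths already aligned: the PoC works in the host as-is
        return poc
    kv = key_variables(t_lib, t_host, i)
    return align(host_env, poc, key_fields(host_env, poc, t_host, i, kv, candidates), candidates, target)
```

With the constructed inputs, `refactor_poc(POC, CANDIDATES)` finds that only the `version` field influences the diverging `length` variable and returns the PoC with `version` set to 2, which reaches the modelled vulnerable block in the host.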