摘要
软件漏洞自动验证是分析漏洞可利用性、评估其危害性的重要手段。然而在目标系统开启地址空间布局随机化(address space layout randomization,ASLR)漏洞缓解机制条件下,由于缺乏地址泄露事件的构造能力和有效的漏洞利用载荷运行时重定位方法,当前技术无法生成能有效验证漏洞可利用性的输入样本。为解决上述问题,提出了一种地址泄露敏感的二进制软件漏洞自动验证方法。该方法包含完全地址泄露漏洞状态自动构造和运行时环境无关的漏洞利用会话自动生成2个阶段。首先,综合执行状态动态监控、地址泄露样本自动构造、地址泄露导引的模糊测试等技术,自动生成能够蕴含执行目标载荷所需的全部地址泄露事件,并于其后触发漏洞的程序状态。然后,基于该漏洞触发状态,综合漏洞可利用状态构造、漏洞利用模板自动提取、基于载荷运行时动态重定位的漏洞可利用性自动验证等技术,自动构造出能够动态适配于目标系统运行环境的漏洞利用会话,并基于该会话自动完成目标漏洞可利用性分析。基于上述技术实现了LeakableExp原型系统,并以该原型系统对2个测试程序、14个CTF、RHG竞赛赛题程序和4个实际漏洞程序进行了实验分析。实验结果表明,LeakableExp具备在ASLR开启条件下,自动泄露目标系统敏感地址、分析漏洞可利用性的能力。
Automatic exploit generation is a critical method in evaluating the exploitability and assessing the severity of software vulnerabilities.However,due to lack of ability in construction of address leakage events and effective runtime relocation on exploit payloads,current methods generally fail in generating exploits adaptable to environments where the address space layout randomization(ASLR)vulnerability mitigation option is turned on.To solve the above problem,an automatic address leakage sensitive exploit generation method was proposed for vulnerabilities in binary programs.This method is composed of 2 stages,one for automatic construction of vulnerable program state under complete address leakage,the other automatic runtime environment irrelevant exploitation session generation.In the first stage,techniques including dynamic execution monitoring,automatic address leakage sample construction and address leakage guided fuzzing were employed to generate vulnerable program state that can not only trigger all the address leakage events necessary to execute the target payload,but also invoke some vulnerability afterwards.In the second stage,those were performed including exploitable state construction,automatic exploitation template extraction and exploit payload runtime relocation based automatic vulnerability exploitability verification on the vulnerable program state generated by stage 1,exploitation session that can dynamically fit on the runtime environment of the target system automatically constructed.The generated session is then used to automatically evaluate the exploitability of the target vulnerabilities.LeakableExp was implemeted based on the aforementioned techniques and was evaluated on 2 test programs,14 CTF&RHG challenges and 4 real world programs.The results of the experiments demonstrate that LeakableExp is effective in address leakage test case generation and exploitability evaluation for vulnerabilities under ASLR environments.
作者
黄晖
陆余良
朱凯龙
赵军
HUANG Hui;LU Yuliang;ZHU Kailong;ZHAO Jun(College of Electronic Engineering,National University of Defense Technology,Hefei 230037,China;Anhui Province Key Laboratory of Cyberspace Security Situation Awareness and Evaluation,Hefei 230037,China)
出处
《信息对抗技术》
2024年第2期82-94,共13页
Information Countermeasures Technology
基金
国家自然科学基金资助项目(62202484)
国防科技大学青年自主创新基金资助项目(ZK23-48)。
关键词
地址泄露
载荷重定位
漏洞自动验证
address leakage
payload relocation
automatic exploit generation
