ISSN 1000-1239 CN 11-1777/TP

Journal of Computer Research and Development ›› 2019, Vol. 56 ›› Issue (11): 2299-2314. doi: 10.7544/issn1000-1239.2019.20190341

Special topic: 2019 Special Topic on Cryptography and Intelligent Security Research

• Information Security •

Automatic Software Vulnerability Discovery and Exploitation Under Limited Resource Conditions

黄桦烽1,2,王嘉捷3,杨轶1,2,苏璞睿1,2,聂楚江1,2,辛伟3   

  1(Trusted Computing and Information Assurance Laboratory, Institute of Software, Chinese Academy of Sciences, Beijing 100190); 2(School of Computer Science and Technology, University of Chinese Academy of Sciences, Beijing 100190); 3(China Information Technology Security Evaluation Center, Beijing 100085) (huafeng@iscas.ac.cn)
  • Publication date: 2019-11-12
  • Funding:
    National Natural Science Foundation of China (U1736209, U1636115, U1836117, U1836113, 61572483)

Automatic Software Vulnerability Discovery and Exploit Under the Limited Resource Conditions

Huang Huafeng1,2, Wang Jiajie3, Yang Yi1,2, Su Purui1,2, Nie Chujiang1,2, Xin Wei3   

  1(Trusted Computing and Information Assurance Laboratory, Institute of Software, Chinese Academy of Sciences, Beijing 100190); 2(School of Computer Science and Technology, University of Chinese Academy of Sciences, Beijing 100190); 3(China Information Technology Security Evaluation Center, Beijing 100085)
  • Online: 2019-11-12

Abstract: Vulnerabilities are the core element of system security and of attack-defense confrontation. Automatic vulnerability discovery, analysis and exploitation have long been a hot and difficult research topic, and existing work concentrates mainly on fuzzing, taint analysis and symbolic execution. On the one hand, current research proposes a series of solutions for separate stages of vulnerability discovery, analysis and exploitation and lacks systematic study and implementation; on the other hand, these methods do not account for the limited resource conditions of real environments: fuzzing is mainly carried out on large-scale server clusters, while taint analysis and symbolic execution have high time and space complexity and are prone to state explosion. To address automatic vulnerability discovery and exploitation under limited resource conditions, this paper establishes the Weak-Tainted program-runtime vulnerability model and proposes a complete solution for automatic vulnerability discovery, analysis and exploitation; it proposes analysis schemes for limited resource conditions, including an optimized taint propagation analysis method and an input solving method based on output feature feedback, which improve the capability of vulnerability discovery, analysis and exploit generation; and it implements a prototype system for automatic vulnerability discovery and exploitation in which a single server can run 25 vulnerability discovery and analysis tasks concurrently. Comparative experiments on samples from the 2018 BCTF competition show that the input solving method outperforms ANGR in solving atoi, hex and base64 encodings, that efficiency is 45.7% higher than AFL at the same vulnerability discovery capability, and that exploit code can be generated automatically for 24 of the 50 tested samples, verifying the advantages of the Weak-Tainted vulnerability description model for automatic vulnerability discovery and exploit generation.

Keywords: vulnerability, fuzzing, taint propagation, symbolic execution, input solving, automatic vulnerability exploitation

Abstract: Vulnerabilities are the core elements of system security and attack-defense confrontation. The automatic discovery, analysis and exploitation of vulnerabilities has been a hot and difficult issue for a long time. Related research mainly focuses on fuzzing, taint propagation analysis and symbolic execution. On one hand, current solutions address different stages of vulnerability discovery, analysis and exploitation in isolation, and lack systematic research and implementation. On the other hand, current solutions ignore the limited resources available in realistic environments: fuzzing is mainly implemented on large-scale server clusters, and taint propagation analysis and symbolic execution have high time and space complexity and are prone to state explosion. To address the problem of automatic vulnerability discovery and exploitation under limited resources, a program dynamic runtime Weak-Tainted model is established, and a complete solution for automatic vulnerability discovery, analysis and exploitation is presented. The paper optimizes and enhances the ability of taint propagation analysis, proposes a method for input solving based on output feature feedback, and presents other analysis solutions for limited resources that improve the ability and efficiency of vulnerability discovery, analysis and exploitation. The paper designs and implements an automatic vulnerability discovery and exploitation prototype system, which can run 25 concurrent tasks for fuzzing, taint propagation analysis and input solving on one server. Experiments on samples from the 2018 BCTF competition show that the input solving method in this paper is superior to ANGR for solving atoi, hex and base64 encodings. The efficiency of vulnerability discovery is 45.7% higher than AFL, and 24 of the 50 samples can generate exploits automatically. The advantages of the Weak-Tainted vulnerability description model for vulnerability discovery and exploitation are verified.

Key words: vulnerability, fuzzing, taint propagation, symbolic execution, input solving, automatic exploit
