ISSN 1000-1239 CN 11-1777/TP

Journal of Computer Research and Development ›› 2019, Vol. 56 ›› Issue (10): 2097-2111. doi: 10.7544/issn1000-1239.2019.20190655

Special topic: 2019 Special Topic on Cryptography and Intelligent Security Research

• Survey •

A Survey on Automated Exploit Generation

Zhao Shangru1,2, Li Xuejun1, Fang Yue1,2, Yu Yuanping3,5, Huang Weihao4,5, Chen Kai4,5, Su Purui3,5, Zhang Yuqing1,2

  1. School of Cyber Engineering, Xidian University, Xi'an 710071
  2. National Computer Network Intrusion Protection Center (University of Chinese Academy of Sciences), Beijing 101408
  3. Trusted Computing and Information Assurance Laboratory, Institute of Software, Chinese Academy of Sciences, Beijing 100190
  4. State Key Laboratory of Information Security (Institute of Information Engineering, Chinese Academy of Sciences), Beijing 100195
  5. University of Chinese Academy of Sciences, Beijing 100190
  (zhaosr@nipc.org.cn)
  • Online: 2019-10-16
  • Supported by: National Natural Science Foundation of China (U1836210, U1836211)

Abstract: As the number of security vulnerabilities rises sharply, evaluating and repairing vulnerabilities efficiently has become a considerable challenge. The assessment of vulnerability exploitability currently depends mainly on manual methods, and how to exploit security vulnerabilities intelligently and automatically is a hot research issue in this field. In this paper, the literature on automated exploit generation for security vulnerabilities from 2006 to the present is investigated. We analyze current research progress, point out the development trend of exploit generation research, and summarize the general framework of automated exploit generation. We sort out the current research results from three aspects, namely information input, vulnerability types and exploitation methods, and discuss the effect of each aspect on automated exploit generation. Then the current shortcomings and challenges of automated exploit generation are analyzed, and future research trends and directions are pointed out.

Key words: vulnerability exploitation, exploit generation, automatic generation, vulnerability, automatic exploit
