基于动态分析的漏洞自动化验证技术研究

发布时间：2018-11-21 13:08

【摘要】：近年来互联网恶意攻击事件频发,各大安全平台捕获的攻击样本数量不断增多,样本分析成为了互联网安全研究领域的重点。样本分析中的一个核心环节就是漏洞验证。漏洞验证即验证样本是否利用了软件漏洞进行攻击,具体的验证内容包括漏洞类型和攻击手段。传统的漏洞验证通常采用人工分析的方式,然而人工分析存在效率低下和成本较高的问题,因此研究一种漏洞自动化验证的新方法来缓解这些问题就显得很有意义。针对此需求,本文从动态分析技术出发,提出了对大量样本进行漏洞自动化验证的新方法,并设计和实现了验证系统原型。漏洞自动化验证方法分为环境搭建和验证规则设计两个方面,对此,本文进行了如下研究:1.本文研究了环境搭建所面临两个主要问题。一是单一样本进行漏洞验证,所需的环境有什么特征;二是在样本类型复杂的情况下,如何构建方案来满足所需环境复杂的需求。本文归纳出单一样本所需环境的特征,并对其做出形式化描述。在此基础上,提出了漏洞自动化验证的环境搭建方案。该方案采取将样本分发至环境集群的方法,提高环境匹配的成功率。进一步,针对环境集群搭建成本高的问题,本文提出了软件环境集合划分算法,在不降低漏洞验证的准确率前提下,减少了环境搭建的成本。2.本文研究了缓冲区溢出漏洞和ROP攻击的自动化验证规则。通过分析缓冲区溢出漏洞触发时函数返回地址特征,提出了基于函数返回地址匹配的规则来验证样本是否触发了缓冲区溢出漏洞。通过构造大量的ROP攻击链,分析链中Gadget的长度特征,以及Gadget中Ret指令之前两条指令的行为特征,构建出了基于统计规则和行为规则的ROP攻击混合检测方案。3.针对不同平台下动态分析技术的优劣,选择基于调试器和动态插桩的技术,搭建环境集群,实现了漏洞自动化验证原型系统。采用实际的攻击样本对系统进行了功能和性能测试,测试结果表明,本验证系统误报率更低性能更好。
[Abstract]:In recent years, malicious attacks on the Internet occur frequently, and the number of attack samples captured by major security platforms is increasing. Sample analysis has become the focus of Internet security research. A key link in sample analysis is vulnerability verification. Vulnerability verification is to verify whether the sample exploits the software vulnerability to attack. The specific verification content includes vulnerability type and attack means. Traditional vulnerability verification usually adopts manual analysis, but manual analysis has the problems of low efficiency and high cost, so it is very meaningful to study a new method of vulnerability automatic verification to alleviate these problems. In order to meet this requirement, this paper presents a new method for automated verification of large numbers of samples based on dynamic analysis technology, and designs and implements the prototype of the verification system. Vulnerability automatic verification method can be divided into two aspects: environment building and verification rule design. In this paper, the following research is carried out: 1. In this paper, two main problems of environmental construction are studied. One is to verify the vulnerability of a single sample, the other is how to construct a scheme to meet the complex requirements of the required environment when the sample type is complex. In this paper, the characteristics of a single environment are summarized and formalized. On this basis, the environment construction scheme of vulnerability automatic verification is put forward. The scheme adopts the method of distributing samples to the environment cluster to improve the success rate of environment matching. Furthermore, in order to solve the problem of high cost of environment cluster building, this paper proposes a software environment set partition algorithm, which reduces the cost of environment building without reducing the accuracy of vulnerability verification. This paper studies the automatic verification rules for buffer overflow vulnerabilities and ROP attacks. By analyzing the feature of function return address when buffer overflow vulnerability is triggered, a rule based on function return address matching is proposed to verify whether the sample triggered the buffer overflow vulnerability. By constructing a large number of ROP attack chains and analyzing the length characteristics of Gadget in the chain and the behavior characteristics of the two instructions before the Ret instruction in Gadget, a hybrid detection scheme for ROP attacks based on statistical rules and behavioral rules is proposed. 3. According to the merits and demerits of dynamic analysis technology under different platforms, the technology based on debugger and dynamic pile insertion is selected to set up the environment cluster and realize the prototype system of automatic verification of vulnerability. The actual attack samples are used to test the system's function and performance. The test results show that the system has lower false alarm rate and better performance.
【学位授予单位】：电子科技大学
【学位级别】：硕士
【学位授予年份】：2017
【分类号】：TP393.08

【相似文献】