PDF文件漏洞检测

发布时间：2018-01-18 16:09

本文关键词：PDF文件漏洞检测　出处：《清华大学学报(自然科学版)》2017年01期 　论文类型：期刊论文

【摘要】：近年来,针对商业组织和政府机构的网络攻击事件层出不穷,高级持续性威胁(APT)攻击时有发生。恶意PDF文件是APT攻击的重要载体,它通过执行嵌入在文件内部的恶意代码完成攻击过程。查找PDF文件自身存在的安全漏洞,检测利用PDF漏洞的关键代码如面向返回的编程(ROP)链等,将在根源上对PDF恶意代码的传播路径进行阻断,从而更好地应对PDF恶意代码的多样性和多变性。该文首先对PDF文件格式漏洞的原理和分析方法进行介绍,然后结合PDF漏洞分析实例,对漏洞检测规则库进行构建,提出一种基于规则匹配的PDF已知漏洞检测方法,接下来描述ROP技术的原理,对ROP链的检测方法进行分析,最后比较所实现的漏洞检测系统与现有的安全检测工具赛门铁克和BitDefender的已知漏洞检测能力,由检测结果可知该系统对已知漏洞的检测能力明显高于同类产品。
[Abstract]:In recent years, network attacks against commercial organizations and government agencies have occurred one after another, and advanced persistent threats (APT) attacks have occurred from time to time. Malicious PDF files are important carriers of APT attacks. It completes the attack by executing malicious code embedded in the file and finds a security vulnerability in the PDF file itself. Detection of the key code utilizing the PDF vulnerability, such as return-oriented programming chain, will block the propagation path of PDF malicious code at the root. In order to better deal with the diversity and variability of PDF malicious code, this paper first introduces the principle and analysis method of PDF file format vulnerability, and then combines the PDF vulnerability analysis example. Build the rule base of vulnerability detection, propose a method of PDF vulnerability detection based on rule matching, then describe the principle of ROP technology, and analyze the detection method of ROP chain. Finally, the vulnerability detection system is compared with the known vulnerability detection capability of Symantec and BitDefender. The detection results show that the detection ability of the system for known vulnerabilities is obviously higher than that of similar products.
【作者单位】：北京大学软件与微电子学院;信息网络安全公安部重点实验室;
【基金】：信息网络安全公安部重点实验室项目(C14604)
【分类号】：TP309
【正文快照】： 从2009年开始,针对商业组织和政府机构的网络攻击事件数量急剧攀升。据卡巴斯基实验室统计,2013年约有91%的组织机构遭受网络攻击[1]。这些攻击通常会采用窃取敏感信息、网络钓鱼、监控组织以及扰乱组织运行等方式实施破坏。电子邮件是一种在发送者和接收者之间传递数字信息的

【相似文献】