
Security Detection on Software Kernel Drivers Based on Static Taint Analysis
Abstract: Because software kernel drivers run in kernel mode, detecting their security flaws requires a method different from the one used for traditional user-mode software. By analysing real kernel driver vulnerabilities, we summarise their vulnerability patterns and propose a targeted detection method. Using static taint tracking, we compute convergence state constraints on kernel functions to obtain their state fixed points, track the propagation of tainted parameters supplied from user mode inside the kernel Dispatch routine, and decide whether a kernel driver vulnerability exists. Real-world testing on the kernel drivers of several well-known antivirus products found four undisclosed kernel driver vulnerabilities, which verifies the effectiveness of the detection method.
Author: 倪涛 (Ni Tao)
Source: Computer Applications and Software (《计算机应用与软件》), CSCD, 2015, No. 5, pp. 262-266 (5 pages)
Funding: National High Technology Research and Development Program of China, theme project (2012AA012902)
Keywords: Kernel drivers; Security detection; Taint analysis; State fixed point