基于補(bǔ)丁特性的漏洞掃描研究
信息技術(shù)與網(wǎng)絡(luò)安全
劉思琦,王一鳴
(北京交通大學(xué) 計算機(jī)與信息技術(shù)學(xué)院,北京100044)
摘要: 為抵御漏洞引發(fā)的黑客攻擊和漏洞自身產(chǎn)生的威脅,1day漏洞應(yīng)用修復(fù)的通用辦法是使用代碼匹配檢測。但目前源代碼匹配誤報率高,二進(jìn)制代碼匹配不精確且不通用?;诖耍岢隽艘环N由源代碼到二進(jìn)制的基于補(bǔ)丁特性的漏洞掃描模型——BinScan。它先形成已知漏洞數(shù)據(jù)庫并對源代碼進(jìn)行已知漏洞掃描得出漏洞檢測結(jié)果;然后利用源代碼檢測信息對打補(bǔ)丁前后源代碼編譯生成二進(jìn)制文件,形成二進(jìn)制漏洞庫;最后比較目標(biāo)二進(jìn)制文件相似性,利用源代碼結(jié)果進(jìn)行檢驗(yàn)。最終生成Linux Kernel的2 700條漏洞數(shù)據(jù),15 496個patch文件,實(shí)現(xiàn)了利用源代碼檢測限制二進(jìn)制文件的漏洞檢測范圍,然后基于CFG和二進(jìn)制代碼相似性檢測補(bǔ)丁存在以檢測漏洞。檢測結(jié)果表明,此方法與其他二進(jìn)制漏洞檢測工具相比,可以將源代碼級的漏洞掃描能力應(yīng)用于二進(jìn)制,是有效的。
中圖分類號: TP309
文獻(xiàn)標(biāo)識碼: A
DOI: 10.19358/j.issn.2096-5133.2021.07.009
引用格式: 劉思琦,王一鳴. 基于補(bǔ)丁特性的漏洞掃描研究[J].信息技術(shù)與網(wǎng)絡(luò)安全,2021,40(7):52-58.
文獻(xiàn)標(biāo)識碼: A
DOI: 10.19358/j.issn.2096-5133.2021.07.009
引用格式: 劉思琦,王一鳴. 基于補(bǔ)丁特性的漏洞掃描研究[J].信息技術(shù)與網(wǎng)絡(luò)安全,2021,40(7):52-58.
Research on vulnerability scanning based on patch characteristics
Liu Siqi,Wang Yiming
(School of Computer and Information Technology,Beijing Jiaotong University,Beijing 100044,China)
Abstract: In order to resist the hacker attack caused by the vulnerability and the threat generated by the vulnerability itself, the general method of 1day vulnerability application repair is to use code matching to detect. But at present, the false alarm rate of source code matching is high, and the binary code similarity matching is not accurate and universal. Based on this, this paper proposes a vulnerability scanning model from source code to binary code, BinScan, which is based on patch features. Firstly, it forms a known vulnerability database and scans the source code for known vulnerabilities to obtain the vulnerability detection results; then it uses the source code detection information to compile the source code before and after the patch to generate a binary file and to form a binary vulnerability library; finally it compares the target binary files for similarity performance, using the source code results for verification. In the end, this paper generates 2 700 vulnerability data and 15 496 patch files of Linux Kernel. It has been realized to use source code detection to limit the vulnerability detection range of binary files, and to detect the existence of patches based on the similarity of CFG and binary code to detect vulnerabilities. The detection results show that compared with other binary vulnerability detection tools, this method can apply source code level vulnerability scanning capabilities to binary and is effective.
Key words : patch characteristics;vulnerability scanning;binary;source code;security
0 引言
在時間維度上,漏洞都會經(jīng)歷產(chǎn)生、發(fā)現(xiàn)、公開和消亡等過程,不同的時間段,漏洞有不同的名稱和表現(xiàn)形式。1day漏洞是指在廠商發(fā)布安全補(bǔ)丁之后,大部分用戶還未打補(bǔ)丁的漏洞,此類漏洞依然具有可利用性。在各類型軟件中,許多漏洞的壽命超過12個月,針對此類漏洞的通用應(yīng)用修復(fù)辦法是使用代碼匹配[1],但是往往通過補(bǔ)丁做出的修補(bǔ)都是一些細(xì)微的變化,這會導(dǎo)致許多代碼匹配的方法不精確且不通用,造成結(jié)果高誤報。
本文詳細(xì)內(nèi)容請下載:http://theprogrammingfactory.com/resource/share/2000003678
作者信息:
劉思琦,王一鳴
(北京交通大學(xué) 計算機(jī)與信息技術(shù)學(xué)院,北京100044)
此內(nèi)容為AET網(wǎng)站原創(chuàng),未經(jīng)授權(quán)禁止轉(zhuǎn)載。