CN117879866A - Attack accessory extraction and sequencing method and system for vulnerability detection sample - Google Patents
- Publication number: CN117879866A
- Application number: CN202311650417.8A
- Authority: CN (China)
- Prior art keywords: address, test, vulnerability detection, attack, detection sample
- Legal status: Pending (as listed by Google Patents; the status is an assumption, not a legal conclusion)
Classifications
- H04L63/00: Network architectures or network communication protocols for network security
- H04L63/14: Network security for detecting or protecting against malicious traffic
- H04L63/1433: Vulnerability analysis
- H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols
- H04L9/40: Network security protocols
Abstract
The invention discloses a method and system for extracting and ordering the attack gadgets (the ROP/JOP gadgets that the title's machine translation calls "attack accessories") used by a vulnerability detection sample. The method comprises: configuring a detection environment; obtaining a vulnerability detection sample in that environment; preprocessing the sample to generate a test address dictionary; if the dictionary is not empty, running detection over it to obtain a target address dictionary and a record file; and deriving the gadget detection result, consisting of an extraction result and an ordering result, from the target address dictionary and the record file. The invention extracts and orders the attack gadgets, improving both the efficiency with which gadget information is extracted and the efficiency with which the order in which the gadgets are organized is identified. The method and system can be applied broadly in the field of vulnerability detection.
Description
Technical Field
The invention relates to the field of vulnerability detection, and in particular to a method and system for extracting and ordering the attack gadgets of a vulnerability detection sample.
Background
The current cyberspace threat situation is serious: ransomware attacks, data theft and APT attacks are on the rise, and network attack and defence are increasingly intense. However, existing vulnerability detection samples generalize poorly. Taking the Linux kernel as an example, many kernel vulnerabilities affect several kernel versions, yet the detection samples (exploits) written for them are usually valid only for one specific version. Existing detection methods ignore the ROP/JOP gadget information that is already present in the sample; the gadget addresses depend on the memory layout of the target, and the order in which they appear in the sample does not match the order in which they execute. As a result, gadget information is extracted inefficiently, the organization order of the gadgets is hard to recognize, and detection fails often.
Disclosure of Invention
The following is a summary of the subject matter described in detail herein. This summary is not intended to limit the scope of the claims.
Embodiments of the invention provide a method and system for extracting and ordering the attack gadgets of a vulnerability detection sample, which effectively improve the efficiency of gadget information extraction and of organization-order identification.
In one aspect, an embodiment of the invention provides a method for extracting and ordering the attack gadgets of a vulnerability detection sample, comprising the following steps:
configuring a detection environment;
obtaining a vulnerability detection sample in the detection environment;
preprocessing the vulnerability detection sample to generate a test address dictionary;
if the test address dictionary is not empty, running detection over the test address dictionary to obtain a target address dictionary and a record file;
and obtaining the gadget detection result from the target address dictionary and the record file, the detection result comprising an extraction result and an ordering result.
In some embodiments, preprocessing the vulnerability detection sample to generate the test address dictionary comprises:
deleting the comments from the source code files of the vulnerability detection sample;
extracting, from the sample with comments removed, the set of addresses that lie in the kernel-mode executable region, each of which is either a test address or a kernel symbol address;
deleting every kernel symbol address from that set;
and generating the test address dictionary from the remaining addresses, with each test address as a key and 0 as its initial value.
In some embodiments, running detection over the test address dictionary to obtain the target address dictionary and the record file comprises:
taking a test address from the test address dictionary;
initializing the code-reuse attack chain length;
setting the anti-reentry flag variable to false;
starting the emulated Linux kernel;
setting a breakpoint at the test address through the debugging interface of the emulated Linux kernel;
invoking a test sub-thread, which tests the vulnerability detection sample by executing debugging commands and produces a sub-thread return value;
if a debugger asynchronous event occurs while the debugging command executes, handling the asynchronous event according to the breakpoint and the value of the anti-reentry flag, updating the code-reuse attack chain length and generating the record file;
if the sub-thread return value is 1, deleting the breakpoint and stopping the emulated Linux kernel;
and storing the updated code-reuse attack chain length as the value for the test address, which yields the target address dictionary.
In some embodiments, testing the vulnerability detection sample to obtain the sub-thread return value comprises:
initializing an initial return value;
creating a named pipe for communicating with the expect script;
computing a test threshold from the probability that one execution of the test succeeds;
if the number of test executions is below the test threshold, running the expect script, which drives the vulnerability detection sample;
receiving the test message sent by the expect script over the named pipe and sending a receipt acknowledgement back to the expect script;
if the test message reports successful privilege escalation, setting the initial return value to 1; otherwise setting it to 0 and incrementing the number of test executions by 1;
closing the named pipe;
and delivering the sub-thread return value, derived from the initial return value, through a SIGINT signal and shared memory.
In some embodiments, driving the vulnerability detection sample with the expect script comprises:
setting an initial marker;
executing an expect command on the vulnerability detection sample to obtain the privilege escalation result;
if privilege escalation succeeded, updating the initial marker to the root shell prompt; otherwise updating it to an exit marker;
and sending the updated marker to the named pipe, then waiting until the receipt acknowledgement is received.
In some embodiments, handling the asynchronous event according to the breakpoint and the value of the anti-reentry flag, updating the code-reuse attack chain length and generating the record file comprises:
if the anti-reentry flag is false, setting it to true;
initializing the control-flow-transfer flag to true and initializing an output buffer;
extracting the assembly code at the program counter address according to the debugging command and the breakpoint;
if the control-flow-transfer flag is true, setting it to false, incrementing the code-reuse attack chain length by 1, and writing a first record to the output buffer, the first record marking a new node of the code-reuse call chain;
if the control-flow-transfer flag is false, determining whether the program counter address is the address of a function symbol;
if the program counter address is the address of a function symbol, processing the program counter address; otherwise writing a second record, which holds the assembly code, to the output buffer;
if, after the instruction at the program counter has executed, control has returned to user mode, determining whether that instruction is a jump instruction;
if the instruction is a jump instruction, setting the control-flow-transfer flag to true;
directing the debugger to execute the debugging command;
forming a file name from a name prefix, a name suffix and the test address;
and writing the contents of the output buffer to the file with that name, which produces the record file;
wherein processing the program counter address comprises:
writing a third record, which holds the function address, to the output buffer;
setting the control-flow-transfer flag to true;
reading the data pointed to by the address held in a register as the expected return address;
setting a new breakpoint at the expected return address;
and directing the debugger to execute the debugging command.
In some embodiments, obtaining the gadget detection result from the target address dictionary and the record file comprises:
sorting the values in the target address dictionary in descending order to obtain the gadget ordering result;
selecting the key at index 0 of the sorted target address dictionary as the output address;
and obtaining the gadget extraction result from the record file that corresponds to the output address.
In some embodiments, configuring the detection environment comprises:
writing the binary of the vulnerability detection sample and a statically linked program binary into a file system, and configuring the file system so that the communication interface of the emulated Linux kernel has a fixed IP address;
enabling IP forwarding on the host;
configuring a host bridge, based on the fixed IP address and IP forwarding, through which the host and the emulated Linux kernel communicate;
disabling the KASLR defence of the emulated Linux kernel;
and starting the host and connecting it to the emulated Linux kernel to obtain the detection environment.
In another aspect, an embodiment of the invention provides a system for extracting and ordering the attack gadgets of a vulnerability detection sample, comprising:
a first module for configuring a detection environment;
a second module for obtaining a vulnerability detection sample in the detection environment;
a third module for preprocessing the vulnerability detection sample to generate a test address dictionary;
a fourth module for running detection over the test address dictionary, if it is not empty, to obtain a target address dictionary and a record file;
and a fifth module for obtaining the gadget detection result, comprising an extraction result and an ordering result, from the target address dictionary and the record file.
In another aspect, an embodiment of the invention provides a system for extracting and ordering the attack gadgets of a vulnerability detection sample, comprising:
at least one memory for storing a program;
and at least one processor for loading the program to execute the above method for extracting and ordering the attack gadgets of a vulnerability detection sample.
The invention has the following beneficial effects:
The method first configures a detection environment and obtains a vulnerability detection sample; it then preprocesses the sample to generate a test address dictionary; if the dictionary is not empty it runs detection over it to obtain a target address dictionary and a record file; and finally it derives the gadget detection result from the target address dictionary and the record file. The attack gadgets are thereby extracted and ordered, which improves the efficiency of gadget information extraction and of organization-order identification.
Additional features and advantages of the invention are set out in the description that follows; some will be apparent from the description, or may be learned by practising the invention. The objectives and other advantages of the invention are realized and attained by the structure particularly pointed out in the written description, the claims and the appended drawings.
Drawings
To illustrate the technical solutions of the embodiments more clearly, the drawings needed for the description of the embodiments are briefly introduced below. The drawings described below show only some embodiments of the application; other drawings can be derived from them by a person skilled in the art without inventive effort.
FIG. 1 is a flowchart of the method for extracting and ordering the attack gadgets of a vulnerability detection sample according to an embodiment of the invention;
FIG. 2 is a flowchart of the environment configuration according to an embodiment of the invention;
FIG. 3 is a flowchart of the main function according to an embodiment of the invention;
FIG. 4 is a flowchart of the test function according to an embodiment of the invention;
FIG. 5 is a flowchart of the test sub-thread according to an embodiment of the invention;
FIG. 6 is a flowchart of the expect script according to an embodiment of the invention;
FIG. 7 is a flowchart of the stop-event asynchronous event handler according to an embodiment of the invention.
Detailed Description
Embodiments of the present invention are described in detail below, examples of which are illustrated in the accompanying drawings, wherein like or similar reference numerals refer to like or similar elements or elements having like or similar functions throughout. The embodiments described below by referring to the drawings are illustrative only and are not to be construed as limiting the invention.
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention will be described in further detail with reference to the accompanying drawings and specific embodiments. The step numbers in the following embodiments are set for convenience of illustration only, and the order between the steps is not limited in any way, and the execution order of the steps in the embodiments may be adaptively adjusted according to the understanding of those skilled in the art.
In the description of the invention, "a number of" means one or more and "a plurality of" means two or more; "greater than", "less than", "exceeding" and the like are understood to exclude the stated number, while "above", "below" and the like are understood to include it. The terms "first" and "second" serve only to distinguish technical features and should not be read as indicating relative importance, the number of features indicated, or their precedence.
Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. The terminology used in the embodiments of the invention is for the purpose of describing embodiments of the invention only and is not intended to be limiting of the invention.
As shown in FIG. 1, an embodiment of the invention provides a method for extracting and ordering the attack gadgets of a vulnerability detection sample. The method can run on the back-end processor, server or cloud equipment that hosts the gadget extraction and ordering software. In application, the method includes, but is not limited to, the following steps:
Step S11, configuring a detection environment;
Step S12, obtaining a vulnerability detection sample in the detection environment.
In this embodiment, as shown in FIG. 2, the detection environment is configured first and the vulnerability detection sample is then obtained in it. Configuring the detection environment may consist of writing the binary of the vulnerability detection sample and a statically linked program binary into a file system, configuring the file system so that the communication interface of the emulated Linux kernel has a fixed IP address, enabling IP forwarding on the host, configuring a host bridge (based on the fixed IP address and IP forwarding) through which the host and the emulated kernel communicate, disabling the KASLR defence of the emulated kernel, and finally starting the host and connecting it to the emulated Linux kernel, which yields the detection environment.
In this embodiment, the detection environment is configured as follows:
1.1) Write the exploit program (the vulnerability detection sample) binary and a statically linked gdbserver binary into the file system;
1.2) Configure the file system so that the communication interface of the emulated Linux kernel has a fixed IP address;
1.3) Enable IP forwarding on the test platform (host);
1.4) Configure a network bridge on the test platform (host) so that the host and the emulated Linux kernel can reach each other;
1.5) Disable the KASLR defence of the emulated Linux kernel, so that the literal kernel addresses written in the exploit source coincide with the addresses the emulated kernel actually uses.
Step S13, preprocessing the vulnerability detection sample to generate a test address dictionary.
In this embodiment, preprocessing the sample to generate the test address dictionary may consist of: first deleting the comments from the source code files of the sample; then extracting, from the sample with comments removed, the set of addresses that lie in the kernel-mode executable region, each of which is either a test address or a kernel symbol address; then deleting every kernel symbol address from that set; and finally generating the test address dictionary from the remaining addresses, with each test address as a key and 0 as its value.
In this embodiment, as shown in FIG. 3, by extracting from the exploit source code the addresses that lie in the kernel-mode executable region, one can detect whether the exploit uses a code-reuse attack and which gadgets it uses to carry it out. The sample is preprocessed as follows:
2.1) Delete the comments from the source code files of the exploit program (vulnerability detection sample);
2.2) Scan the exploit source code files and extract the addresses that lie in the kernel-mode executable region;
2.3) From the address set obtained in step 2.2), delete the addresses that correspond to kernel symbols;
2.4) Using each remaining test address as a key, with an initial value of 0, generate the test address dictionary.
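As an added example (editor's code, not the patent's own implementation), the preprocessing of steps 2.1) to 2.4) in Python: strip C comments, pull out the 64-bit hexadecimal literals that fall in the kernel text range, drop those that are kernel symbol entries, and build the dictionary with value 0. The exploit fragment, the /proc/kallsyms excerpt and the kernel text range 0xffffffff81000000 to 0xffffffff82000000 are all constructed assumptions; the page does not say how the real tool recognizes the executable region or where it takes its symbol list from. The comment in the fragment that names an address for another kernel version shows why comments are removed before addresses are collected.

```python
import re
from typing import Dict, Set

# Constructed exploit fragment (not from the patent). All addresses are invented.
SAMPLE_EXPLOIT_SRC = r'''
#define COMMIT_CREDS    0xffffffff810a9b50UL  // commit_creds
#define PREPARE_CRED    0xffffffff810a9f10UL  /* prepare_kernel_cred */
/* on an older kernel the gadget lives at 0xffffffff81ffff00 */
unsigned long rop[] = {
    0xffffffff81001234,   // pop rdi; ret
    0xffffffff8100abcd,   /* mov rdi, rax; ret */
    PREPARE_CRED,
    0xffffffff81001234,   // pop rdi; ret, reused later in the chain
};
unsigned long user_buf = 0x00007ffff7dd1000;  // user space, must be ignored
'''

# Constructed excerpt in /proc/kallsyms format (address, type, name); assumption.
SAMPLE_KALLSYMS = '''\
ffffffff81000000 T _stext
ffffffff810a9b50 T commit_creds
ffffffff810a9f10 T prepare_kernel_cred
'''

# Assumed text range of the emulated kernel with KASLR disabled.
KTEXT_LO, KTEXT_HI = 0xffffffff81000000, 0xffffffff82000000

_COMMENT_RE = re.compile(r'//[^\n]*|/\*.*?\*/', re.DOTALL)
_HEX64_RE = re.compile(r'0x([0-9a-fA-F]{16})')


def strip_c_comments(src: str) -> str:
    """Step 2.1): drop // and /* */ comments so stale addresses in them are not collected."""
    return _COMMENT_RE.sub('', src)


def parse_kallsyms(text: str) -> Dict[int, str]:
    """Map address -> symbol name for text symbols (type t/T)."""
    syms: Dict[int, str] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[1] in ('t', 'T'):
            syms[int(parts[0], 16)] = parts[2]
    return syms


def extract_kernel_text_addresses(src: str) -> Set[int]:
    """Step 2.2): every 64-bit literal that lies inside the kernel text range."""
    found: Set[int] = set()
    for m in _HEX64_RE.finditer(src):
        addr = int(m.group(1), 16)
        if KTEXT_LO <= addr < KTEXT_HI:
            found.add(addr)
    return found


def build_test_address_dict(src: str, kallsyms: str) -> Dict[int, int]:
    """Steps 2.1) to 2.4): comments out, symbol entries out, value 0 per test address."""
    candidates = extract_kernel_text_addresses(strip_c_comments(src))
    symbols = parse_kallsyms(kallsyms)
    return {addr: 0 for addr in sorted(candidates) if addr not in symbols}


if __name__ == '__main__':
    for addr, value in build_test_address_dict(SAMPLE_EXPLOIT_SRC, SAMPLE_KALLSYMS).items():
        print(f'{addr:#018x} -> {value}')
```

On the fragment above the two `#define`d function addresses are removed as kernel symbols and the commented-out address for the older kernel never enters the set, leaving only the two gadget addresses as test addresses.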
Step S14, if the test address dictionary is not empty, running detection over it to obtain a target address dictionary and a record file.
In this embodiment, step 2.5) checks whether the test address dictionary is empty: if not, proceed to step 2.6); if it is, jump to step 2.10). Running detection over the test address dictionary to obtain the target address dictionary and the record file includes, but is not limited to, steps S201 to S209:
Step S201, taking a test address from the test address dictionary;
Step S202, initializing the code-reuse attack chain length;
Step S203, setting the anti-reentry flag variable to false;
Step S204, starting the emulated Linux kernel;
Step S205, setting a breakpoint at the test address through the debugging interface of the emulated Linux kernel.
In this embodiment, as shown in FIG. 4, this may comprise the following steps:
3.1) Check whether every entry of the test address dictionary has been visited: if not, proceed to step 3.2); if so, jump to step 3.17);
3.2) Take a test address from the test address dictionary;
3.3) Initialize a temporary value to 0, i.e. initialize the recorded code-reuse attack chain length to 0;
3.4) Reset the anti-reentry flag of the stop-event asynchronous event handler: self.triggered_hardwarebp = False;
3.5) Start the emulated Linux kernel and synchronize with it;
3.6) Attach to the debugging interface of the emulated Linux kernel;
3.7) Set a hardware breakpoint at the test address.
Step S206, invoking a test sub-thread, which tests the vulnerability detection sample by executing debugging commands and produces a sub-thread return value.
In this embodiment, step 3.8) invokes the test sub-thread of 4). Its main purpose is to run the exploit program (vulnerability detection sample) tests automatically. Testing the sample to obtain the sub-thread return value comprises:
initializing an initial return value;
creating a named pipe for communicating with the expect script;
computing a test threshold from the probability that one execution of the test succeeds;
if the number of test executions is below the test threshold, running the expect script, which drives the vulnerability detection sample;
receiving the test message sent by the expect script over the named pipe and sending a receipt acknowledgement back to the expect script;
if the test message reports successful privilege escalation, setting the initial return value to 1; otherwise setting it to 0 and incrementing the number of test executions by 1;
closing the named pipe;
and delivering the sub-thread return value, derived from the initial return value, through a SIGINT signal and shared memory.
In this embodiment, "expected script" denotes an expect script. As shown in FIG. 5, the steps of invoking the test sub-thread of 4) and testing the vulnerability detection sample are as follows:
4.1) After the sub-thread has blocked waiting for the main thread's continue debugging command to run, initialize the initial return value;
4.2) Create a named pipe for communicating with the expect script sub-process;
4.3) Check whether the number of times the exploit program (vulnerability detection sample) has been run exceeds the test threshold: if not, proceed to step 4.4); if so, jump to step 4.13). The threshold is chosen as follows: let p be the probability that one execution of the exploit program (vulnerability detection sample) succeeds; then the test threshold
4.4) Open a sub-process and invoke the expect script of 5) to run the exploit program; the expect script drives the exploit program;
4.5) Obtain the message sent by the expect script sub-process over the named pipe;
4.6) Send a receipt acknowledgement to the expect script sub-process over the named pipe;
4.7) Examine the message sent by the expect script sub-process: if it reports that privilege escalation by the exploit program (vulnerability detection sample) failed, proceed to step 4.8); if it reports that privilege escalation succeeded, jump to step 4.9);
4.8) Set the thread's initial return value to 0, increment the number of test executions by 1, and jump back to step 4.3);
4.9) Set the thread's initial return value to 1 and proceed to step 4.10);
4.10) Close the named pipe;
4.11) Send a SIGINT signal to the main thread. The purpose of this step is to wake the main thread, which blocked after issuing the continue command;
4.12) Return the updated initial return value through shared memory;
4.13) The sub-thread ends.
In this embodiment, driving the vulnerability detection sample with the expect script may consist of: setting an initial marker; executing an expect command on the sample to obtain the privilege escalation result; if privilege escalation succeeded, updating the initial marker to the root shell prompt, otherwise updating it to the exit marker; and finally sending the updated marker to the named pipe and waiting until the receipt acknowledgement arrives. Here "expected command" denotes an expect command.
In this embodiment, as shown in FIG. 6, the steps of invoking the expect script of 5) to drive the vulnerability detection sample are as follows:
5.1) Set the exploit program's initial marker to a feature string. If privilege escalation by the exploit program (vulnerability detection sample) succeeds, the root shell prompt appears in the output before the exit marker; otherwise the order is reversed;
5.2) Use the expect command to have the Linux operating system run the exploit program; once the program terminates, update the initial marker to the exit marker and print it;
5.3) Monitor the content of the standard output stream;
5.4) Examine each piece of output in turn: if it contains the exit marker, jump to step 5.5); if it contains the root shell prompt, jump to step 5.6);
5.5) Send a message reporting that privilege escalation by the exploit program failed to the main process over the named pipe, then jump to step 5.7);
5.6) Send a message reporting that privilege escalation by the exploit program succeeded to the main process over the named pipe, then jump to step 5.7);
5.7) Block waiting for the receipt acknowledgement from the main process;
5.8) The expect script ends.
Step S207, if a debugger asynchronous event occurs in the process of executing the debugging command, asynchronous event processing is performed according to the values of the breakpoint and the anti-reentry flag variable, and the reuse code attack chain length is updated and a record file is generated;
in the present embodiment, after 3.9) the control debugger executes the continuous debug command, 3.10) determines whether a GDB debugger stop event asynchronous event occurs: if yes, jump to step 3.11), if no, jump to step 3.12), then 3.11) call 6) stop event asynchronous event handling function and jump to step 3.12). In this embodiment, asynchronous event processing is performed according to the values of the breakpoint and the anti-reentry flag variable, and updating the reuse code attack chain length and generating the record file includes:
if the value of the anti-reentry flag variable is false, updating the value of the anti-reentry flag variable to be true;
initializing the value of the control flow transfer flag to be a true and output buffer;
extracting assembly codes of addresses of the program counter according to the debugging command and the breakpoint;
if the value of the control flow transfer mark is true, updating the value of the control flow transfer mark to be false, updating the reuse code attack chain length to be self-increased by 1, and outputting first record information to an output buffer zone, wherein the first record information is used for recording a new node of the reuse code call chain;
if the value of the control flow transfer mark is false, judging whether the address of the program counter is the address corresponding to the function symbol;
if the program counter address is the address corresponding to the function symbol, processing the program counter address; otherwise, outputting second record information to an output buffer area, wherein the second record information is used for recording assembly codes;
if the assembler instruction pointed to by the program counter returns to user mode after execution, judging whether the assembler instruction is a jump instruction;
if the assembly instruction is a jump instruction, updating the value of the control flow transfer mark to be true;
controlling the debugger to execute the debugging command;
generating a file name according to the named prefix, the named suffix and the test address;
outputting the content in the output buffer area to a file corresponding to the file name to generate a record file;
wherein processing the program counter address includes:
outputting third record information to the output buffer area, wherein the third record information is used for recording the function address;
updating the value of the control flow transfer flag to true;
extracting the data pointed to by the address stored in the register as the expected return address;
setting a new breakpoint at the expected return address;
controlling the debugger to execute the debugging command.
In this embodiment, as shown in fig. 7, the steps of calling 6) the stop event asynchronous event processing function to perform asynchronous event processing are as follows:
6.1 Detecting whether the stop event asynchronous event occurs due to the reception of the SIGINT signal: if not, jumping to the step 6.2); if yes, jumping to the step 6.24);
6.2 Judging whether the anti-reentry flag variable self.triggered_hardwarebp is True: if not, jumping to step 6.3); if yes, jumping to step 6.24);
6.3 Setting the anti-reentry flag variable self.triggered_hardwarebp = True;
6.4 Initializing a control flow transfer flag cf_transfer=true and an output buffer;
6.5 After executing the debug command, extracting the assembly code of the address pointed by the program counter at the breakpoint position;
6.6 Judging whether the control flow transfer flag cf_transfer is True: if yes, jumping to the step 6.7); if not, jumping to the step 6.10);
6.7 Updating the control flow transfer flag cf_transfer to False;
6.8 Outputting the first record information to the output buffer: the address is a new node of the reuse code call chain;
6.9 Incrementing the reuse code attack chain length record by 1, that is, increasing the temporary key value of step 3.3) by 1, and jumping to step 6.10);
6.10 Judging whether the program counter address is a function symbol corresponding address: if yes, jumping to step 6.11); if not, jumping to the step 6.16);
6.11 Outputting the third record information to the output buffer: the address is a function address;
6.12 Updating the control flow transfer flag cf_transfer to True;
6.13 Fetching the data pointed to by the memory address held in the $rsp register as the "expected return address";
6.14 Setting a breakpoint at the "expected return address";
6.15 Controlling the debugger to execute the continue debugging command, and jumping to step 6.5);
6.16 Outputting the second record information to the output buffer: assembly code corresponding to the program counter address;
6.17 Judging whether the assembler instruction pointed to by the program counter returns to user mode after execution: if not, jumping to step 6.18); if yes, jumping to step 6.21); as observed, executing the assembly code may return control flow to user mode when one of the following conditions is met: (1) the program counter address is the address at an offset of 22 bytes from the common_interrupt_return symbol; (2) the assembly code at the program counter address is iretq or sysretq; (3) the assembly code at the program counter is ret or jmp and the destination address of the jump is a non-canonical address;
6.18 Judging whether the assembler instruction corresponding to the program counter is a jump instruction or not: if yes, jumping to the step 6.19); if not, jumping to the step 6.20);
6.19 Updating the control flow transfer flag cf_transfer to True, and jumping to step 6.20);
6.20 Controlling the debugger to execute the ni debugging command, and jumping to the step 6.5);
6.21 Deleting the break point set in the stop event asynchronous processing function;
6.22 Combining the given prefix and suffix with the test address in the step 3.2) to generate a file name;
6.23 Outputting the content of the output buffer area to a file corresponding to the file name to generate a record file;
6.24 Stop event asynchronous event processing function end return.
Step S208, if the return value of the sub-thread is 1, deleting the breakpoint and stopping the Linux simulation kernel;
step S209, the updated reuse code attack chain length is used as a key value corresponding to the test address, and a target address dictionary is obtained.
In this embodiment, the return value of the sub-thread may be determined first, and then the key value corresponding to the test address may be updated to obtain the target address dictionary. The method comprises the following steps:
3.12 Waiting for the sub-thread to end and obtaining the sub-thread return value returned by the 4) test sub-thread;
3.13 Judging the return value of the sub-thread: if the return value of the sub-thread is 1, indicating that the privilege escalation of the exploit program succeeded, jumping to step 3.14); if the return value of the sub-thread is 0, indicating that the exploit program failed to escalate privileges within the test count threshold, jumping to step 3.16);
3.14 Deleting the set hardware breakpoint, stopping simulating the Linux kernel, and jumping to the step 3.15);
3.15 Updating and assigning the temporary key value to the index key value corresponding to the test address dictionary to obtain the target address dictionary. Wherein, the corresponding index is: the test address fetched in this cycle;
3.16 Deleting the set hardware breakpoint, stopping simulating the Linux kernel, and jumping to the step 3.1);
3.17 The test function ends and returns the target address dictionary.
Step S15, obtaining a detection result of the attack accessory according to the target address dictionary and the record file, wherein the detection result comprises an extraction result and a sequencing result.
In this embodiment, according to the target address dictionary and the record file, the detection result of the attack accessory may be obtained by first performing descending order sorting on a plurality of key values in the target address dictionary to obtain the sorting result of the attack accessory, then selecting a key with a serial number of 0 in the target address dictionary after descending order sorting as the output address, and finally obtaining the extraction result of the attack accessory from the record file corresponding to the output address.
In this embodiment, the steps of obtaining the detection result of the attack accessory are as follows:
2.7 Sorting the target address dictionary in descending order of key value to obtain the ordering result of the ROP/JOP attack accessory;
2.8 Selecting the key with serial number 0 in the sorted target address dictionary as the output address, wherein the output address represents the starting point of the reuse code call;
2.9 Selecting the record file corresponding to the output address to obtain the extraction result of the ROP/JOP attack accessory, wherein the record file represents the reuse code call sequence chain result, and jumping to step 2.11);
2.10 Outputting information: no use of a reuse code attack by the exploit program was detected, and jumping to step 2.11);
2.11 The program run ends.
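As an added illustration, not the patent's own code, the following Python simulates the stop event asynchronous processing function of steps 6.1 to 6.24 and the ranking of steps 2.7 to 2.10 over a constructed instruction trace: the TraceDebugger class stands in for the GDB stub, and the addresses, symbol names, gadget sequence, `rop_`/`.log` file-name prefix and suffix, and the set of mnemonics treated as "jump instructions" are all assumptions.

```python
from collections import namedtuple
from dataclasses import dataclass
# addr, asm text as GDB prints it, resolved ret/jmp destination, value at [$rsp] when stopped here
Insn = namedtuple("Insn", "addr asm target rsp0", defaults=(None, None))
class TraceDebugger:
    """Stand-in for the GDB stub: replays a recorded program-counter sequence."""
    def __init__(self, trace, sigint=False):
        self.trace, self.pos, self.bp, self.sigint = trace, 0, None, sigint
    def current(self): return self.trace[self.pos]            # instruction at $pc
    def ni(self): self.pos += 1                               # step 6.20: GDB "ni"
    def read_qword_at_rsp(self): return self.current().rsp0   # step 6.13
    def set_breakpoint(self, addr): self.bp = addr            # step 6.14
    def delete_breakpoints(self): self.bp = None              # step 6.21
    def cont(self):                                           # step 6.15: run to the breakpoint
        self.pos += 1
        while self.trace[self.pos].addr != self.bp:
            self.pos += 1

@dataclass
class TestState:
    triggered_hardwarebp: bool = False  # anti-reentry flag (steps 6.2, 6.3)
    chain_len: int = 0                  # reuse code attack chain length (step 6.9)

def is_canonical(addr):                 # x86-64: bits 63..47 all 0 or all 1
    return (addr >> 47) in (0, 0x1FFFF)

def returns_to_user_mode(insn, common_interrupt_return):   # the three conditions of step 6.17
    mnem = insn.asm.split()[0]
    if insn.addr == common_interrupt_return + 22 or mnem in ("iretq", "sysretq"):
        return True
    return mnem in ("ret", "jmp") and insn.target is not None and not is_canonical(insn.target)

def handle_stop_event(dbg, state, test_addr, kallsyms, cir_addr, prefix="rop_", suffix=".log"):
    """Steps 6.1-6.24; returns (record file name, record contents) or None."""
    if dbg.sigint or state.triggered_hardwarebp:     # 6.1, 6.2 -> 6.24
        return None
    state.triggered_hardwarebp = True                 # 6.3
    cf_transfer, buf = True, []                       # 6.4
    while True:
        insn = dbg.current()                          # 6.5
        if cf_transfer:                               # 6.6
            cf_transfer = False                       # 6.7
            buf.append(f"{insn.addr:#x} new node of reuse code call chain")  # 6.8
            state.chain_len += 1                      # 6.9 (temporary key value)
        if insn.addr in kallsyms:                     # 6.10
            buf.append(f"{insn.addr:#x} function address {kallsyms[insn.addr]}")  # 6.11
            cf_transfer = True                        # 6.12
            dbg.set_breakpoint(dbg.read_qword_at_rsp())  # 6.13, 6.14
            dbg.cont()                                # 6.15 -> back to 6.5
            continue
        buf.append(f"{insn.addr:#x} {insn.asm}")       # 6.16
        if returns_to_user_mode(insn, cir_addr):      # 6.17
            dbg.delete_breakpoints()                  # 6.21
            return f"{prefix}{test_addr:#x}{suffix}", "\n".join(buf)  # 6.22, 6.23
        if insn.asm.split()[0] in ("ret", "call") or insn.asm.startswith("j"):  # 6.18 (assumed set)
            cf_transfer = True                        # 6.19
        dbg.ni()                                      # 6.20 -> back to 6.5

def rank_targets(target_dict, prefix="rop_", suffix=".log"):
    """Steps 2.7-2.10: sort by chain length descending; key 0 is the output address."""
    if not target_dict:
        return None                                   # 2.10: no reuse code attack detected
    ordered = sorted(target_dict.items(), key=lambda kv: kv[1], reverse=True)
    out_addr = ordered[0][0]                          # 2.8: reuse code call starting point
    return ordered, out_addr, f"{prefix}{out_addr:#x}{suffix}"  # 2.9: its record file

# Constructed trace: two ret gadgets, each landing on a kernel function, then iretq.
KALLSYMS = {0xffffffff81002000: "prepare_kernel_cred", 0xffffffff81003000: "commit_creds"}
TRACE = [
    Insn(0xffffffff81001000, "pop rdi"),
    Insn(0xffffffff81001001, "ret", target=0xffffffff81002000),
    Insn(0xffffffff81002000, "push rbp", rsp0=0xffffffff81001100),
    Insn(0xffffffff81002001, "mov rbp, rsp"),          # function body, skipped via cont()
    Insn(0xffffffff81001100, "mov rdi, rax"),
    Insn(0xffffffff81001103, "ret", target=0xffffffff81003000),
    Insn(0xffffffff81003000, "push rbp", rsp0=0xffffffff81001200),
    Insn(0xffffffff81001200, "swapgs"),
    Insn(0xffffffff81001203, "iretq"),
]

def run_demo(cir_addr=0xffffffff81800000):  # handler run from test address TRACE[0]
    state = TestState()
    name, record = handle_stop_event(TraceDebugger(TRACE), state, TRACE[0].addr, KALLSYMS, cir_addr)
    return state.chain_len, name, record
```

Each function entry reached by a gadget is counted once and then skipped to its expected return address, so the chain length counts gadgets and called functions rather than every executed instruction.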
The embodiment of the invention has the following beneficial effects: the embodiment of the invention first configures a detection environment and acquires a vulnerability detection sample, then preprocesses the vulnerability detection sample to generate a test address dictionary, performs detection processing on the test address dictionary to obtain a target address dictionary and a record file if the test address dictionary is not empty, and finally obtains the detection result of the attack accessory according to the target address dictionary and the record file, thereby realizing the extraction and sequencing of the attack accessory and improving the information extraction efficiency and the organization sequence identification efficiency of the attack accessory.
The embodiment of the invention also provides an attack accessory extracting and sorting system of the vulnerability detection sample, which comprises:
the first module is used for configuring a detection environment;
the second module is used for acquiring a vulnerability detection sample in a detection environment;
the third module is used for preprocessing the vulnerability detection sample and generating a test address dictionary;
a fourth module, configured to detect the test address dictionary if the test address dictionary is not empty, to obtain a target address dictionary and a record file;
and a fifth module, configured to obtain a detection result of the attack accessory according to the target address dictionary and the record file, where the detection result includes an extraction result and a sequencing result.
The content in the method embodiment is applicable to the system embodiment, the functions specifically realized by the system embodiment are the same as those of the method embodiment, and the achieved beneficial effects are the same as those of the method embodiment.
The embodiment of the invention also provides an attack accessory extracting and sorting system of the vulnerability detection sample, which comprises:
at least one memory for storing a program;
at least one processor configured to load a program to perform the attack accessory extraction and ordering method of a vulnerability detection sample of FIG. 1.
The content in the method embodiment is applicable to the system embodiment, the functions specifically realized by the system embodiment are the same as those of the method embodiment, and the achieved beneficial effects are the same as those of the method embodiment.
While the preferred embodiment of the present invention has been described in detail, the present invention is not limited to the above embodiment, and various equivalent modifications and substitutions can be made by those skilled in the art without departing from the spirit of the present invention, and these equivalent modifications and substitutions are intended to be included in the scope of the present invention as defined in the appended claims.
Claims (10)
1. The attack accessory extraction and sequencing method for the vulnerability detection sample is characterized by comprising the following steps of:
configuring a detection environment;
in the detection environment, obtaining a vulnerability detection sample;
preprocessing the vulnerability detection sample to generate a test address dictionary;
if the test address dictionary is not empty, detecting the test address dictionary to obtain a target address dictionary and a record file;
and obtaining a detection result of the attack accessory according to the target address dictionary and the record file, wherein the detection result comprises an extraction result and a sequencing result.
2. The method for extracting and sorting attack accessories of a vulnerability detection sample according to claim 1, wherein the preprocessing the vulnerability detection sample to generate a test address dictionary comprises:
deleting comments of the source code file in the vulnerability detection sample;
extracting a kernel-mode executable area address set in the vulnerability detection sample after deleting the annotation, wherein the kernel-mode executable area address set comprises a plurality of test addresses or kernel symbol addresses;
deleting all kernel symbol addresses in the kernel mode executable area address set;
and generating the test address dictionary by taking the test address as a key and taking 0 as a key value in the kernel executable area address set after deleting all the kernel symbol addresses.
3. The method for extracting and sorting attack accessories of a vulnerability detection sample according to claim 2, wherein the detecting the test address dictionary to obtain a target address dictionary and a record file comprises:
acquiring the test address in the test address dictionary;
initializing the length of a reuse code attack chain;
setting the value of the anti-reentry flag variable to false;
starting a Linux simulation kernel;
setting a breakpoint at the test address according to the debugging interface of the Linux simulation kernel;
invoking a test sub-thread, wherein the test sub-thread is used for performing test processing on the vulnerability detection sample by executing a debugging command to obtain a sub-thread return value;
if a debugger asynchronous event occurs in the process of executing the debugging command, asynchronous event processing is carried out according to the breakpoint and the value of the anti-reentry flag variable, the reuse code attack chain length is updated, and the record file is generated;
if the return value of the sub-thread is 1, deleting the breakpoint and stopping the Linux simulation kernel;
and taking the updated reuse code attack chain length as a key value corresponding to the test address to obtain the target address dictionary.
4. The method for extracting and sorting attack accessories of a vulnerability detection sample according to claim 3, wherein the performing test processing on the vulnerability detection sample to obtain a sub-thread return value comprises:
initializing an initial return value;
creating a named pipe for communicating with the expect script;
calculating a test threshold according to the probability of success of test execution;
if the test execution count is smaller than the test threshold, executing the expect script, wherein the expect script is used for carrying out expect processing on the vulnerability detection sample;
receiving test information sent by the expect script through the named pipe, and sending receipt confirmation feedback information to the expect script;
if the test information indicates that the privilege escalation succeeded, updating the initial return value to 1; otherwise, updating the initial return value to 0 and increasing the test execution count by 1;
closing the named pipe;
and obtaining the return value of the sub-thread through the SIGINT signal and the shared memory according to the initial return value.
5. The method for extracting and ordering attack accessories of a vulnerability detection sample according to claim 4, wherein the performing expect processing on the vulnerability detection sample comprises:
setting an initial mark stamp;
executing an expect command on the vulnerability detection sample to obtain a privilege escalation result;
if the privilege escalation result is that the privilege escalation succeeded, updating the initial mark stamp to the super user command prompt; otherwise, updating the initial mark stamp to the exit mark stamp;
and sending the updated initial mark stamp to the named pipe, and waiting until the receipt confirmation feedback information is received.
6. The method for extracting and sorting attack accessories of a vulnerability detection sample according to claim 3, wherein the asynchronous event processing is performed according to the values of the breakpoint and the anti-reentry flag variable, and updating the reuse code attack chain length and generating the record file comprises:
if the value of the anti-reentry flag variable is false, updating the value of the anti-reentry flag variable to true;
initializing the value of the control flow transfer flag to true and initializing an output buffer;
extracting assembly codes of program counter addresses according to the debugging commands and the breakpoints;
if the value of the control flow transfer mark is true, updating the value of the control flow transfer mark to false, updating the reuse code attack chain length self-increment 1 and outputting first record information to the output buffer zone, wherein the first record information is used for recording a new node of a reuse code call chain;
if the value of the control flow transfer mark is false, judging whether the program counter address is a function symbol corresponding address;
if the program counter address is the address corresponding to the function symbol, processing the program counter address; otherwise, outputting second record information to the output buffer area, wherein the second record information is used for recording the assembly code;
if the assembler instruction pointed to by the program counter returns to user mode after execution, judging whether the assembler instruction is a jump instruction;
if the assembly instruction is a jump instruction, updating the value of the control flow transfer mark to be true;
controlling the debugger to execute the debugging command;
generating a file name according to the named prefix, the named suffix and the test address;
outputting the content in the output buffer area to a file corresponding to the file name to generate the record file;
wherein said processing said program counter address comprises:
outputting third record information to the output buffer area, wherein the third record information is used for recording function addresses;
updating the value of the control flow transfer flag to true;
extracting the data pointed to by the address stored in the register as an expected return address;
setting a new breakpoint at the expected return address;
controlling the debugger to execute the debugging command.
7. The method for extracting and sorting the attack accessory from the vulnerability detection sample according to claim 1, wherein the obtaining the detection result of the attack accessory according to the target address dictionary and the record file includes:
performing descending order sorting on a plurality of key values in the target address dictionary to obtain the sorting result of the attack accessory;
selecting a key with the serial number of 0 in the target address dictionary after descending order sequencing as an output address;
and obtaining the extraction result of the attack accessory from the record file corresponding to the output address.
8. The method for extracting and ordering attack accessories of a vulnerability detection sample according to claim 1, wherein the configuring the detection environment comprises:
writing the vulnerability detection sample binary file and the program static binary file into a file system so that the file system sets a fixed IP address corresponding to a communication interface of a Linux simulation kernel;
starting a routing forwarding function of a host;
according to the fixed IP address and the route forwarding function, configuring a host bridge, wherein the host bridge is used for communication between the host and the Linux simulation kernel;
closing a KASLR defense mechanism of the Linux simulation kernel;
and starting the host machine and connecting the host machine with the Linux simulation kernel to obtain the detection environment.
9. An attack accessory extraction and sequencing system for vulnerability detection samples, comprising:
the first module is used for configuring a detection environment;
the second module is used for acquiring a vulnerability detection sample in the detection environment;
the third module is used for preprocessing the vulnerability detection sample and generating a test address dictionary;
a fourth module, configured to detect the test address dictionary if the test address dictionary is not empty, to obtain a target address dictionary and a record file;
and a fifth module, configured to obtain a detection result of the attack accessory according to the target address dictionary and the record file, where the detection result includes an extraction result and a sequencing result.
10. An attack accessory extraction and sequencing system for vulnerability detection samples, comprising:
at least one memory for storing a program;
at least one processor configured to load the program to perform an attack accessory extraction and ordering method of a vulnerability detection sample according to any one of claims 1-8.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202311650417.8A CN117879866A (en) | 2023-12-04 | 2023-12-04 | Attack accessory extraction and sequencing method and system for vulnerability detection sample |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN117879866A true CN117879866A (en) | 2024-04-12 |
Family
ID=90585433
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |