Please use this Handle URI to cite this document:
http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/88539
Title: | IOCTLance: Enhanced Vulnerability Hunting in WDM Drivers Using Symbolic Execution and Taint Analysis |
Author: | Che-Yu Lin (林哲宇) |
Advisor: | Chin-Laung Lei (雷欽隆) |
Keywords: | Windows Kernel, Symbolic Execution, Taint Analysis, Vulnerability |
Publication year: | 2023 |
Degree: | Master's |
Abstract: | Discovering security vulnerabilities in WDM drivers is difficult because most of them are not open source, and some drivers even require a specific environment before they can be loaded into the system kernel. Symbolic execution and taint analysis are techniques commonly used in software security to identify vulnerabilities in programs. However, symbolic execution can suffer from the "path explosion" problem: as program complexity increases, the number of possible program paths grows exponentially. Taint analysis can likewise suffer from the "taint explosion" problem: as program complexity increases, the number of inputs that may be tainted grows exponentially.
This study proposes a solution named IOCTLance, which uses symbolic execution and taint analysis to detect vulnerabilities in WDM drivers. By marking the target input buffer from the user-mode process as "tainted", IOCTLance can detect various vulnerability types, such as "map physical memory", "controllable process handle", "buffer overflow", "null pointer dereference", "read/write controllable address", "arbitrary shellcode execution", "arbitrary wrmsr", "arbitrary out", and "dangerous file operation". Several adjustable options were also developed to address the "path explosion" problem in symbolic execution. Applying IOCTLance to 104 known vulnerable drivers found 117 previously unknown vulnerabilities in 22 of those drivers; these have been reported and assigned 41 CVEs, including 25 denial of service, 5 insufficient access control, and 11 elevation of privilege vulnerabilities.
Discovering the security vulnerabilities of WDM drivers is challenging because most of them are not open-source and some drivers even need a specific environment to load them into the kernel. Symbolic execution and taint analysis are common techniques used in software security to identify vulnerabilities in software. However, symbolic execution can suffer from the "path explosion" problem, where the number of possible paths through a program grows exponentially as the program complexity increases. Taint analysis can also suffer from the "taint explosion" problem, where the number of potentially tainted inputs grows exponentially as the program complexity increases. This research paper presents a solution called IOCTLance that aims to detect vulnerabilities in WDM drivers using symbolic execution and taint analysis. By marking the target input buffer from the user mode process as tainted, IOCTLance is able to detect various vulnerability types, such as "map physical memory", "controllable process handle", "buffer overflow", "null pointer dereference", "read/write controllable address", "arbitrary shellcode execution", "arbitrary wrmsr", "arbitrary out", and "dangerous file operation". Several customizable options have also been developed to improve performance during symbolic execution. IOCTLance is evaluated on 104 known vulnerable WDM drivers and 318 unknown WDM drivers and discovered 117 previously unknown vulnerabilities in 26 unique drivers, resulting in 41 CVEs, including 25 denial of service, 5 insufficient access control, and 11 elevation of privilege vulnerabilities. |
URI: | http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/88539 |
DOI: | 10.6342/NTU202302404 |
Full-text license: | Licensed (open access worldwide) |
Appears in department/institute: | Department of Electrical Engineering |
Files in this item:
File | Size | Format
---|---|---
ntu-111-2.pdf | 866.31 kB | Adobe PDF
Items in the repository are protected by copyright, with all rights reserved, unless otherwise indicated by their stated copyright terms.