Please use this Handle URI to cite this item: http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/88539

Full metadata record

DC field: value [language]
dc.contributor.advisor: 雷欽隆 [zh_TW]
dc.contributor.advisor: Chin-Laung Lei [en]
dc.contributor.author: 林哲宇 [zh_TW]
dc.contributor.author: Che-Yu Lin [en]
dc.date.accessioned: 2023-08-15T16:45:02Z
dc.date.available: 2023-11-09
dc.date.copyright: 2023-08-15
dc.date.issued: 2023
dc.date.submitted: 2023-08-07
dc.identifier.uri: http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/88539
dc.description.abstract [zh_TW, translated]: Discovering security vulnerabilities in WDM drivers is difficult because most of them are not open source, and some drivers even require a specific environment before they can be loaded into the system kernel. Symbolic execution and taint analysis are techniques commonly used in software security to identify vulnerabilities in programs. However, symbolic execution can suffer from the "path explosion" problem: as program complexity increases, the number of possible program paths grows exponentially. Taint analysis can likewise suffer from the "taint explosion" problem: as program complexity increases, the number of inputs that may be tainted grows exponentially.

This research proposes a solution named IOCTLance, which uses symbolic execution and taint analysis to detect vulnerabilities in WDM drivers. By marking the target input buffer from the user-mode process as "tainted", IOCTLance can detect a variety of vulnerability types, such as "map physical memory", "controllable process handle", "buffer overflow", "null pointer dereference", "read/write controllable address", "arbitrary shellcode execution", "arbitrary wrmsr", "arbitrary out", and "dangerous file operation". In addition, several adjustable options were developed to address the "path explosion" problem in symbolic execution. Applying IOCTLance to 104 drivers known to be vulnerable found 117 previously unknown vulnerabilities in 22 of those drivers; these have been reported and 41 CVEs have been obtained, including 25 denial of service, 5 insufficient access control, and 11 elevation of privilege vulnerabilities.

dc.description.abstract [en]: Discovering the security vulnerabilities of WDM drivers is challenging because most of them are not open source and some drivers even need a specific environment to be loaded into the kernel. Symbolic execution and taint analysis are common techniques used in software security to identify vulnerabilities in software. However, symbolic execution can suffer from the "path explosion" problem, where the number of possible paths through a program grows exponentially as the program complexity increases. Taint analysis can also suffer from the "taint explosion" problem, where the number of potentially tainted inputs grows exponentially as the program complexity increases.

This research paper presents a solution called IOCTLance that aims to detect vulnerabilities in WDM drivers using symbolic execution and taint analysis. By marking the target input buffer from the user-mode process as tainted, IOCTLance is able to detect various vulnerability types, such as "map physical memory", "controllable process handle", "buffer overflow", "null pointer dereference", "read/write controllable address", "arbitrary shellcode execution", "arbitrary wrmsr", "arbitrary out", and "dangerous file operation". Several customizable options have also been developed to improve performance during symbolic execution. IOCTLance is evaluated on 104 known vulnerable WDM drivers and 318 unknown WDM drivers, and it discovered 117 previously unknown vulnerabilities in 26 unique drivers, resulting in 41 CVEs, including 25 denial of service, 5 insufficient access control, and 11 elevation of privilege vulnerabilities.

dc.description.provenance [en]: Submitted by admin ntu (admin@lib.ntu.edu.tw) on 2023-08-15T16:45:02Z. No. of bitstreams: 0
dc.description.provenance [en]: Made available in DSpace on 2023-08-15T16:45:02Z (GMT). No. of bitstreams: 0
dc.description.tableofcontents:
Verification Letter from the Oral Examination Committee i
Acknowledgements iii
Abstract (Chinese) v
Abstract vii
Contents ix
List of Figures xiii
List of Tables xv
Denotation xvii
Chapter 1 Introduction 1
Chapter 2 Background 5
2.1 WDM Driver 5
2.1.1 Driver Object 5
2.1.2 Device Object 6
2.1.3 IRP 7
2.1.4 IOCTL Handler 8
2.2 Symbolic Execution 9
2.3 Taint Analysis 9
2.4 Related Work 10
Chapter 3 Design 13
3.1 Information Gathering 13
3.2 Preprocess 14
3.2.1 Hook Opcodes 14
3.2.2 Hook Functions 15
3.2.3 Set Breakpoints 15
3.2.4 Use Techniques 16
3.2.5 Initialize Structures 16
3.3 First Phase - Find IOCTL Handler 17
3.4 Second Phase - Hunt Vulnerabilities 17
3.5 Report 18
Chapter 4 Target Vulnerability Types 19
4.1 Map Physical Memory 19
4.1.1 MmMapIoSpace and MmMapIoSpaceEx 19
4.1.2 ZwMapViewOfSection 21
4.2 Controllable Process Handle 22
4.2.1 ZwOpenProcess 22
4.2.2 ObOpenObjectByPointer 24
4.3 Buffer Overflow 24
4.4 Null Pointer Dereference 25
4.4.1 Tainted Buffer 25
4.4.2 Allocated Memory 26
4.5 Read/Write Controllable Address 26
4.5.1 Tainted Buffer 27
4.5.2 memcpy 27
4.6 Arbitrary Shellcode Execution 28
4.7 Arbitrary Wrmsr 28
4.8 Arbitrary Out 29
4.9 Dangerous File Operation 30
Chapter 5 Implementation 33
5.1 Hook Opcodes 33
5.1.1 wrmsr 33
5.1.2 out 34
5.1.3 rep 35
5.1.4 indirect jump 35
5.2 Hook Functions 36
5.2.1 memset and memcpy 36
5.2.2 Imported Kernel APIs 37
5.2.2.1 Restricted Address 38
5.2.2.2 Unicode String 38
5.2.2.3 ObjectAttributes 39
5.2.2.4 Map Physical Memory 40
5.2.2.5 Allocated Memory 41
5.2.2.6 Process Operation 41
5.2.2.7 File Operation 42
5.2.2.8 Other 43
5.3 Set Breakpoints 44
5.3.1 mem_read and mem_write 45
5.3.2 Call 46
5.4 Use Techniques 47
5.5 Initialize Structures 48
Chapter 6 Evaluation 51
6.1 Known Drivers 52
6.2 Unknown Drivers 54
6.3 Comparison with POPKORN 55
6.4 False Positive 57
6.5 False Negative 58
Chapter 7 Discussion 59
7.1 Customization 59
7.2 Bugs Not Vulnerabilities 61
7.3 Limitations 62
Chapter 8 Conclusion 63
References 65
Appendix A — IOCTLance CVEs 71
dc.language.iso: en
dc.subject: 汙點分析 (Taint Analysis) [zh_TW]
dc.subject: Windows 核心 (Windows Kernel) [zh_TW]
dc.subject: 符號執行 (Symbolic Execution) [zh_TW]
dc.subject: 漏洞 (Vulnerability) [zh_TW]
dc.subject: Symbolic Execution [en]
dc.subject: Taint Analysis [en]
dc.subject: Windows Kernel [en]
dc.subject: Vulnerability [en]
dc.title: 使用符號執行和污點分析增強搜索 WDM 驅動程式漏洞 (Enhanced Search for WDM Driver Vulnerabilities Using Symbolic Execution and Taint Analysis) [zh_TW]
dc.title: IOCTLance: Enhanced Vulnerability Hunting in WDM Drivers Using Symbolic Execution and Taint Analysis [en]
dc.type: Thesis
dc.date.schoolyear: 111-2
dc.description.degree: 碩士 (Master's)
dc.contributor.oralexamcommittee: 郭斯彥;王銘宏 [zh_TW]
dc.contributor.oralexamcommittee: Sy-Yen Kuo;Ming-Hung Wang [en]
dc.subject.keyword: Windows 核心,符號執行,汙點分析,漏洞 (Windows Kernel, Symbolic Execution, Taint Analysis, Vulnerability) [zh_TW]
dc.subject.keyword: Windows Kernel,Symbolic Execution,Taint Analysis,Vulnerability [en]
dc.relation.page: 73
dc.identifier.doi: 10.6342/NTU202302404
dc.rights.note: 同意授權(全球公開) (Authorized for release, open access worldwide)
dc.date.accepted: 2023-08-07
dc.contributor.author-college: 電機資訊學院 (College of Electrical Engineering and Computer Science)
dc.contributor.author-dept: 電機工程學系 (Department of Electrical Engineering)
Appears in Collections: 電機工程學系 (Department of Electrical Engineering)

Files in this item:
File: ntu-111-2.pdf, Size: 866.31 kB, Format: Adobe PDF