检索规则说明:AND代表“并且”;OR代表“或者”;NOT代表“不包含”;(注意必须大写,运算符两边需空一格)
检 索 范 例 :范例一: (K=图书馆学 OR K=情报学) AND A=范并思 范例二:J=计算机应用与软件 AND (U=C++ OR U=Basic) NOT M=Visual
名 称:
注 释:
机构地区:[1]中国科学院研究生院国家计算机网络入侵防范中心,北京100049
出 处:《计算机研究与发展》2012年第7期1525-1532,共8页Journal of Computer Research and Development
基 金:国家自然科学基金项目(60773135;90718007;60970140)
摘 要:ActiveX控件漏洞存在广泛且往往具有较高的威胁等级,有必要对此类漏洞的挖掘技术展开研究,发现并修复漏洞,从而杜绝安全隐患.在对ActiveX控件特性进行分析的基础上,设计并实现了ActiveX控件漏洞挖掘工具——ActiveX-Fuzzer.它基于黑盒Fuzzing测试技术,能够自动地构造半有效数据对控件接口展开测试,尝试发现潜在的缓冲区溢出、整数溢出及格式化字符串错误等安全问题.通过使用该工具对常用ActiveX控件进行广泛的测试,发现多个未公布的高危漏洞,受影响的软件包括腾讯QQ、WinZip、微软Office等国内外重要软件,以及部分知名银行的网上服务中使用的控件.该测试结果表明了ActiveX-Fuzzer的有效性和先进性.Vulnerabilities in ActiveX controls are large in number and tend to exhibit high level of severity. They are frequently exploited in Web based attacks to compromise client computers, thus motivating the research into techniques for discovering such flaws automatically. In this work, the authors propose and implement an ActiveX vulnerability detection tool named ActiveX-Fuzzer. It is a blackbox fuzzing tool that automatically feeds the interface exposed by an ActiveX control with crafted semi-valid data, attempting to identify potential vulnerabilities including buffer overflow, integer overflow and format string flaws. The tool is tested against a broad range of commonly used ActiveX controls and detects a number of highly severe vulnerabilities that are previously undiscovered, affecting Tencent QQ, WinZip, Microsoft Office and other software products, as well as online services from several major banks. The test result well proves the effectiveness of such an approach.
关 键 词:软件脆弱性 漏洞挖掘 安全性测试 FUZZING技术 ACTIVEX控件
分 类 号:TP393.08[自动化与计算机技术—计算机应用技术]
正在载入数据...
正在载入数据...
正在载入数据...
正在载入数据...
正在载入数据...
正在载入数据...
正在载入数据...
正在链接到云南高校图书馆文献保障联盟下载...
云南高校图书馆联盟文献共享服务平台 版权所有©
您的IP:216.73.216.88