Analysis and Exploitation of CSRSS Process Vulnerabilities in Windows

(Published English title: Analysis and Exploit of CSRSS Vulnerabilities based on Windows)


Authors: Li Mengzhe (李孟哲) [1], Wu Xueli (武学礼) [2], Zhang Tao (张涛) [1], Wen Weiping (文伟平) [1]

Affiliations: [1] School of Software and Microelectronics, Peking University, Beijing 102600, China; [2] CNPC Dongfang Geophysical Exploration Co., Ltd., Changqing, Shaanxi 710021, China

Source: Netinfo Security (信息网络安全), 2014, No. 7, pp. 20-29 (10 pages)

Funding: National Natural Science Foundation of China [61170282]

Abstract: As Windows has matured, the combination of several memory-protection mechanisms has made traditional buffer-overflow attacks increasingly difficult. Kernel-level vulnerabilities therefore often serve as the entry point for breaking through a system's defences; once such a vulnerability is exploited by a virus or trojan, every defence the installed security software provides is undermined, which is a severe blow to system security. Since Windows NT, the operating system has been designed to support multiple environment subsystems, including POSIX, OS/2 and the Windows subsystem (also known as the Client/Server Runtime Subsystem, CSRSS). This paper opens a series of studies on CSRSS and describes its internal mechanisms. Although some earlier research has touched on CSRSS, no in-depth case study has been published so far. The paper covers CSRSS and its communication mechanism in detail, together with the changes to CSRSS introduced in recent versions of the operating system. From a security standpoint, it classifies Windows kernel vulnerabilities and proposes a workflow for vulnerability research; following that workflow, it studies a local privilege-escalation vulnerability and a denial-of-service vulnerability in the CSRSS process. The analysis of CVE-2011-1281 shows that use-after-free vulnerabilities are not confined to browsers but also occur in system software.

Keywords: Windows subsystem; CSRSS; Windows kernel; vulnerability analysis

Classification: TP309 [Automation and Computer Technology / Computer System Architecture]
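Added example (not from the paper): the abstract's point that use-after-free bugs arise in system software as well as in browsers is easiest to see in a minimal request-dispatching server of the kind a subsystem process implements, where a CLOSE request frees an object but leaves the client's handle table pointing at it, so a later QUERY with the stale handle reaches freed memory. The handle table, request codes, pool allocator and function names here are hypothetical; object lifetime is simulated with a fixed pool carrying a "live" flag so the stale access is detected deterministically instead of triggering undefined behaviour. The code does not reproduce the actual CVE-2011-1281 bug, whose details the abstract does not give.

```c
/*
 * Hypothetical subsystem-server request dispatcher (added illustration, not
 * the paper's code). Shows a use-after-free through a handle table and the
 * one-line fix. Heap lifetime is simulated with a pool + "live" flag so the
 * stale access is observable without undefined behaviour.
 */
#include <stdint.h>
#include <string.h>

#define POOL_SIZE 4
#define HANDLE_TABLE_SIZE 4

typedef struct {
    int live;            /* 1 while allocated, 0 after obj_free() */
    uint32_t owner_pid;  /* payload: client that created the object */
} server_object_t;

static server_object_t pool[POOL_SIZE];   /* simulated heap */

static server_object_t *obj_alloc(uint32_t owner_pid) {
    for (int i = 0; i < POOL_SIZE; i++) {
        if (!pool[i].live) {
            pool[i].live = 1;
            pool[i].owner_pid = owner_pid;
            return &pool[i];
        }
    }
    return NULL;
}

static void obj_free(server_object_t *o) {
    o->live = 0;
    o->owner_pid = 0;
}

/* Per-client handle table: handle value = index, entry = object pointer. */
typedef struct { server_object_t *slots[HANDLE_TABLE_SIZE]; } handle_table_t;

enum { REQ_CREATE = 1, REQ_CLOSE = 2, REQ_QUERY = 3 };
enum { RES_OK = 0, RES_BAD_HANDLE = -1, RES_STALE_ACCESS = -2, RES_NO_MEMORY = -3 };

typedef struct {
    int code;         /* REQ_* */
    uint32_t handle;  /* used by CLOSE and QUERY */
    uint32_t pid;     /* used by CREATE */
} request_t;

static int do_create(handle_table_t *t, uint32_t pid) {
    for (uint32_t h = 0; h < HANDLE_TABLE_SIZE; h++) {
        if (t->slots[h] == NULL) {
            server_object_t *o = obj_alloc(pid);
            if (o == NULL) return RES_NO_MEMORY;
            t->slots[h] = o;
            return (int)h;           /* handle returned to the client */
        }
    }
    return RES_NO_MEMORY;
}

/* clear_slot == 0 is the buggy behaviour: object freed, table entry kept. */
static int do_close(handle_table_t *t, uint32_t h, int clear_slot) {
    if (h >= HANDLE_TABLE_SIZE || t->slots[h] == NULL) return RES_BAD_HANDLE;
    obj_free(t->slots[h]);
    if (clear_slot) t->slots[h] = NULL;   /* the fix: no dangling pointer */
    return RES_OK;
}

static int do_query(handle_table_t *t, uint32_t h, uint32_t *out_pid) {
    if (h >= HANDLE_TABLE_SIZE || t->slots[h] == NULL) return RES_BAD_HANDLE;
    if (!t->slots[h]->live) return RES_STALE_ACCESS;   /* dangling pointer hit */
    *out_pid = t->slots[h]->owner_pid;
    return RES_OK;
}

static int dispatch(handle_table_t *t, const request_t *r, uint32_t *out_pid, int fixed) {
    switch (r->code) {
    case REQ_CREATE: return do_create(t, r->pid);
    case REQ_CLOSE:  return do_close(t, r->handle, fixed);
    case REQ_QUERY:  return do_query(t, r->handle, out_pid);
    default:         return RES_BAD_HANDLE;
    }
}

int dispatch_vulnerable(handle_table_t *t, const request_t *r, uint32_t *out) { return dispatch(t, r, out, 0); }
int dispatch_fixed(handle_table_t *t, const request_t *r, uint32_t *out)      { return dispatch(t, r, out, 1); }

/* Client sequence CREATE -> CLOSE -> QUERY(stale handle); returns the QUERY result. */
int run_scenario(int (*disp)(handle_table_t *, const request_t *, uint32_t *)) {
    handle_table_t t;
    uint32_t pid = 0;
    memset(&t, 0, sizeof t);
    memset(pool, 0, sizeof pool);
    request_t create = { REQ_CREATE, 0, 1234 };   /* constructed sample request */
    int h = disp(&t, &create, &pid);
    if (h < 0) return h;
    request_t close = { REQ_CLOSE, (uint32_t)h, 0 };
    disp(&t, &close, &pid);
    request_t query = { REQ_QUERY, (uint32_t)h, 0 };
    return disp(&t, &query, &pid);   /* vulnerable: RES_STALE_ACCESS; fixed: RES_BAD_HANDLE */
}
```

In a real server the freed object's memory would be reallocated for attacker-controlled data, and the QUERY path would act on that data with the server's privileges; the pool flag stands in for that reallocation so the sequence stays reproducible.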
