Authors: Li Chao; Hu Jianwei; Cui Yanpeng (School of Cyber Engineering, Xidian University, Xi'an 710071, Shaanxi, China)
Affiliation: [1] School of Cyber Engineering, Xidian University
Source: Computer Applications and Software (《计算机应用与软件》), 2019, No. 9, pp. 327-333 (7 pages)
Abstract: The rapid growth in the scale and quantity of software has brought severe challenges to software security research, and manual vulnerability analysis can no longer keep up with assessing the severity of vulnerabilities. This paper analyzes how buffer overflow vulnerabilities arise and proposes a method for automatically exploiting them. The method uses symbolic execution to detect vulnerabilities. To alleviate state explosion in symbolic execution, it reduces the number of states by slicing on unsafe function calls. For each detected vulnerability, an exploit is generated automatically by constructing constraint expressions and solving them. When the process contains no controllable memory block with enough space, the shellcode is stored in segments to exploit the vulnerability. The experimental results show that the method effectively alleviates the path explosion problem of symbolic execution, detects vulnerabilities automatically, and generates exploits with good applicability.
Classification: TP311 [Automation and Computer Technology: Computer Software and Theory]