基于电网系统的远程代码执行漏洞自动化分析与重现技术  被引量：2

作　　者：伍红文 王晓明 周柯 邹建明 巫聪云 温文剑 Wu Hongwen;Wang Xiaoming;Zhou Ke;Zou Jianming;Wu Congyun;Wen Wenjian(Wuzhou Power Supply Bureau of Guangxi Power Grid Co.,Ltd.,Wuzhou,Guangxi 543002;Electric Power Research Institute of Guangxi Power Grid Co.,Ltd.,Nanning 530023;Power Dispatching Center,Guangxi Power Grid Co.,Ltd.,Nanning 530023)

机构地区：[1]广西电网有限责任公司梧州供电局,广西梧州543002 [2]广西电网有限责任公司电力科学研究院,南宁530023 [3]广西电网有限责任公司电力调度控制中心,南宁530023

出　　处：《信息安全研究》2022年第9期939-946,共8页Journal of Information Security Research

基　　金：南方电网科技项目(GXKJXM20200242)。

摘　　要：远程代码执行漏洞是工业界的网络安全攻防中危害最大的漏洞种类之一,能够直接控制目标电网系统.在遭受攻击后,对内存破坏类型的漏洞进行分析十分困难,由于在此类漏洞利用过程中,攻击者可能会随机化地绕过地址空间.针对二进制远程代码执行类漏洞中对地址空间随机化的绕过手段,设计并实现了基于流量的自动化分析与利用工具,能够分析并且重现执行漏洞.提出影子服务技术,在完全可控的环境下建立与目标服务环境相同的影子服务;在此基础上提出同步处理技术,处理已记录攻击流量.实验结果表明,防御者可以使用该工具快速针对原生服务的远程代码执行漏洞调查,从而防止利用同类漏洞再次攻击.Remote code execution vulnerability is one of the most harmful vulnerabilities in industrial network security attacks and defense,which can directly control the target power grid system.After an attack,it is difficult to analyze the memory corruption type vulnerability,because the attacker may use address space randomization bypass during such vulnerability exploitation.Aiming at the circumvention of address space randomization in binary remote code execution vulnerability,this paper designs and implements an automatic analysis and utilization tool based on traffic,which can analyze and reproduce execution vulnerability.The shadow service technology is proposed to establish the same shadow service as the target service environment in a completely controllable environment.On this basis,a synchronous processing technique is proposed to deal with the recorded attack traffic.The results show that defenders can use this tool to quickly perform vulnerability investigations against remote code targeting native services,thus preventing similar exploits from being used again.

关 键 词：内存破坏 远程代码执行 网络流量分析 自动化漏洞利用重现 地址空间随机化绕过 

分 类 号：TP309.1[自动化与计算机技术—计算机系统结构]