Automatic Analysis Technology of Kernel Vulnerability Attack Based on Finite State Machine (基于有限状态机的内核漏洞攻击自动化分析技术)  Cited by: 4

Authors: 刘培文 (LIU Pei-wen), 舒辉 (SHU Hui) [2], 吕小少 (LYU Xiao-shao), 赵耘田 (ZHAO Yun-tian)

Affiliations: [1] School of Cyber Science and Engineering, Zhengzhou University, Zhengzhou 450001, China; [2] State Key Laboratory of Mathematical Engineering and Advanced Computing, Information Engineering University, Zhengzhou 450001, China

Source: Computer Science (《计算机科学》), 2022, No. 11, pp. 326-334 (9 pages)

Funding: National Key Research and Development Program of China (2019QY1305).

Abstract: Kernel vulnerability attacks are a common means of attacking operating systems, and analyzing each attack stage is the key to defending against them. Because kernel vulnerability types, trigger paths, and exploit modes are complex and varied, the attack process of a kernel vulnerability is difficult to analyze. Moreover, existing analysis work relies mainly on forward program analysis methods such as taint analysis, whose efficiency is low. To improve analysis efficiency, this paper implements an automatic analysis technology for kernel vulnerability attacks based on a finite state machine. First, a state transition diagram of kernel vulnerability attacks is constructed as the key basis for analysis. Second, the idea of reverse analysis is introduced, and a reverse analysis model of the kernel vulnerability attack process based on a finite state machine is established, which reduces unnecessary analysis cost. Finally, based on the model, a reverse analysis method for kernel vulnerability attacks is implemented, which can automatically and quickly analyze the kernel vulnerability attack process. Tests on 10 attack samples show that the reverse analysis method accurately obtains the key code execution information and that, compared with the traditional forward analysis method, analysis efficiency is greatly improved.

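Keywords: kernel vulnerability; vulnerability exploitation; privilege escalation attack; reverse analysis; vulnerability trigger point location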

Classification code: TP393 [Automation and Computer Technology - Computer Application Technology]

 
