Author: WANG Weibing [1] (Department of Cyber Security, Guangdong Police College, Guangzhou 510230, China)
Affiliation: [1] Department of Cyber Security, Guangdong Police College, Guangzhou 510230, Guangdong, China
Source: Journal of People's Public Security University of China (Science and Technology), 2022, No. 4, pp. 23-29 (7 pages)
Funding: Key-Area Research and Development Program of Guangdong Province (2020B1111430001).
Abstract: In recent years, as heap vulnerabilities have continued to be discovered, Glibc has made targeted repairs to its algorithms and code, adopting defensive mechanisms such as vulnerability mitigation and heap chunk size checks. However, exploitation of vulnerabilities remains possible. This paper first analyzes the principle of the House of Force technique. On this basis, it analyzes methods for detecting vulnerabilities exploitable with this technique, including generating crash inputs, symbolizing seed inputs, vulnerability detection based on symbolic execution, and generating test cases. By auditing the code of a vulnerable program, the program's vulnerable point is found, and a script written using the House of Force technique achieves successful exploitation of the vulnerability. Finally, defensive ideas and methods against House of Force attacks are pointed out.
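Keywords: House of Force; vulnerability analysis; vulnerability detection; vulnerability exploitation
Classification: TP309.2 [Automation and Computer Technology - Computer System Architecture]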