Authors: CHEN Xiao (陈霄); XIAO Fu (肖甫)[1,2]; SHA Le-Tian (沙乐天)[1,2]; WANG Zhong (王众); DI Wei-He (底伟鹤)
Affiliations: [1] School of Computer Science, Nanjing University of Posts and Telecommunications, Nanjing 210023, Jiangsu, China; [2] Jiangsu High Technology Research Key Laboratory for Wireless Sensor Networks, Nanjing 210023, Jiangsu, China; [3] Wuheng Lab, ByteDance, Hangzhou 311100, Zhejiang, China
Source: Journal of Software (《软件学报》), 2023, No. 12, pp. 5552-5577, 26 pages
Funding: National Key Research and Development Program of China (2018YFB0803400); National Science Fund for Distinguished Young Scholars (62125203); General Program of the National Natural Science Foundation of China (62072253).
Abstract: The emergence of the dynamic link library (DLL) provides great convenience for developers, which improves the interaction between the operating system (OS) and applications. However, the potential security problems of DLL cannot be ignored. Determining how to mine DLL-hijacking vulnerabilities during the running of Windows installers is important to ensure the security of Windows OS. In this paper, the attribute features of numerous installers are collected and extracted, and the double-layer bi-directional long short-term memory (BiLSTM) neural network is applied for machine learning from the perspectives of installers, the invocation modes of DLL from installers, and the DLL file itself. The multi-dimensional features of the vulnerability data set are extracted, and unknown DLL-hijacking vulnerabilities are mined. In experiments, DLL-hijacking vulnerabilities can be effectively detected from Windows installers, and 10 unknown vulnerabilities are discovered and assigned CNVD authorizations. In addition, the effectiveness and integrity of this method are further verified by comparison with other vulnerability analyzers.
Classification code: TP311 [Automation and Computer Technology - Computer Software and Theory]