Title

結合滲透測試框架之攻擊脅迫強化系統

Translated Titles

A Systematic Exploit Strengthening Method Integrating with Penetration Testing Framework

DOI

10.6842/NCTU.2015.00212

Authors

陳泓文

Key Words

Exploit Strengthening ; Return-Oriented Programming ; Automatic Exploit Generation ; Software Security ; Software Vulnerability ; Post-Exploitation Framework ; Exploit Strengthening ; ROP ; Automatic Exploit Generation ; Software Security ; Software Vulnerability ; Post Exploitation Framework

PublicationName

Degree thesis, Institute of Computer Science and Engineering, National Chiao Tung University

Volume or Term/Year and Month of Publication

2015

Academic Degree Category

Master's

Advisor

黃世昆

Content Language

Traditional Chinese

Chinese Abstract

In recent years, because software quality varies widely, software vulnerabilities keep being disclosed and hacker attacks occur one after another, so software security has gradually received more attention. In today's highly information-dependent society, these vulnerabilities even endanger public infrastructure and may in turn affect personal safety. Although current operating systems already support several protection mechanisms, such as data execution prevention (W⊕X or DEP) and address space layout randomization (ASLR), attack methods that bypass these protections still exist, such as return-oriented programming (ROP). In this thesis, we propose an Exploit Strengthening Method that improves ROP to effectively bypass these protection mechanisms, and we combine it with automatic exploit generation (CRAX) to produce exploits that bypass the protections. Our Exploit Strengthening Method mainly applies the ROP technique: it collects machine-instruction fragments (called gadgets) from the program under test, filters the gadgets, and assembles them into the attack's target program, for example executing "/bin/sh" or spawning a reverse/bind TCP shell backdoor. Automatic exploit generation (CRAX) then automatically converts a software vulnerability into a usable exploit. Once exploitation succeeds, the exploit is imported as a module into the Metasploit post-exploitation framework; a tester only needs to use Metasploit to generate an exploit executable or code suited to their own environment and can immediately examine the relevant systems to identify and locate high-risk vulnerabilities that can be exploited. Our evaluation shows that the method outperforms the currently public and most widely used system, ROPgadget: of 10 dynamically linked programs larger than 100 KB, ROPgadget succeeded on only three, whereas ours generated exploits for all of them. Ours is also the only exploit toolchain that integrates with a post-exploitation framework.

English Abstract

Due to software quality issues, recent attacks on various systems are getting more serious, and software security has therefore become an important research topic. Attacks on software vulnerabilities not only endanger the information infrastructure but also affect human safety. To improve the overall robustness of a system, we need a penetration test system to audit related systems. We have proposed the concept of an exploit toolchain to automate the whole process of fuzzing, exploitation, and post-exploitation integration with the Metasploit framework. For the exploitation step, we must be able to bypass the recent protections and mitigations of the operating system, for example ASLR (address space layout randomization) and DEP (data execution prevention). We have enhanced the ROP (return-oriented programming) technique to bypass ASLR and DEP by searching for gadgets of larger sizes. We evaluate our system by generating ROP payloads for ten target programs larger than 100K bytes. Another popular ROP tool, ROPgadget, succeeded on only three of these targets. We can also integrate the generated exploits into the Metasploit framework.

Topic Category

Basic and Applied Sciences > Information Science
College of Computer Science > Institute of Computer Science and Engineering

Reference
  1. [2] PaX Team. PaX address space layout randomization. Available from: http://pax.grsecurity.net/docs/aslr.txt.
  2. [3] Payer, M. Too much PIE is bad for performance. 2012.
  3. [4] Huang, S.K., et al. CRAX: Software Crash Analysis for Automatic Exploit Generation by Modeling Attacks as Symbolic Continuations. In: Software Security and Reliability (SERE), 2012 IEEE Sixth International Conference on. 2012. IEEE.
  4. [5] 黃世昆, et al. Development status and threat analysis of automatic exploit generators (自動脅迫產生器發展現況與威脅分析). 資訊安全通訊 (Communications of the CCISA), 2012. 18(3): p. 88-100.
  5. [6] Chipounov, V., V. Kuznetsov, and G. Candea. The S2E platform: Design, implementation, and applications. ACM Transactions on Computer Systems (TOCS), 2012. 30(1): p. 2.
  6. [7] Bellard, F. QEMU, a Fast and Portable Dynamic Translator. In: USENIX Annual Technical Conference, FREENIX Track. 2005.
  7. [11] King, J.C. Symbolic execution and program testing. Communications of the ACM, 1976. 19(7): p. 385-394.
  8. [12] Păsăreanu, C.S. and W. Visser. A survey of new trends in symbolic execution for software testing and analysis. International Journal on Software Tools for Technology Transfer, 2009. 11(4): p. 339-353.
  9. [16] Avgerinos, T., et al. AEG: Automatic Exploit Generation. In: NDSS. 2011.
  10. [17] Brumley, D., et al. Automatic patch-based exploit generation is possible: Techniques and implications. In: Security and Privacy, 2008. SP 2008. IEEE Symposium on. 2008. IEEE.
  11. [18] Chen, P., et al. DROP: Detecting return-oriented programming malicious code. In: Information Systems Security. 2009, Springer. p. 163-177.
  12. [25] Campbell, C. PowerSploit + Metasploit = Shells. Available from: http://obscuresecurity.blogspot.tw/2013/03/powersploit-metasploit-shells.html.
  13. [26] Nguyen Anh Quynh. Capstone: Next-Gen Disassembly Framework. 2014: Black Hat USA.
  14. [1] Shacham, H. The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86). CCS '07: Proceedings of the 14th ACM Conference on Computer and Communications Security, 2007: p. 552-561.
  15. [8] Maynor, D. Metasploit toolkit for penetration testing, exploit development, and vulnerability research. 2011: Elsevier.
  16. [9] c0ntex. Bypassing non-executable-stack during exploitation using return-to-libc. Available from: http://css.csail.mit.edu/6.858/2014/readings/return-to-libc.pdf.
  17. [10] Du, W. Return-to-libc Attack Lab. 2007; Available from: http://www.cis.syr.edu/~wedu/seed/Labs/Vulnerability/Return_to_libc/Return_to_libc.pdf.
  18. [13] Sen, K. Concolic testing. In: Proceedings of the twenty-second IEEE/ACM International Conference on Automated Software Engineering. 2007. ACM.
  19. [14] Salwan, J. ROPgadget. Available from: https://github.com/JonathanSalwan/ROPgadget.
  20. [15] Schwartz, E.J., T. Avgerinos, and D. Brumley. Q: Exploit Hardening Made Easy. In: USENIX Security Symposium. 2011.
  21. [19] Cao, J., et al. LGadget: ROP Exploit based on Long Instruction Sequences. 2013.
  22. [20] Dullien, T., T. Kornau, and R.-P. Weinmann. A Framework for Automated Architecture-Independent Gadget Search. In: WOOT. 2010.
  23. [21] Kornau, T. Return oriented programming for the ARM architecture. Master's thesis, Ruhr-Universität Bochum, 2010.
  24. [22] Roemer, R.G. Finding the bad in good code: Automated return-oriented programming exploit discovery. 2009.
  25. [23] Offensive Security. Metasploit Meterpreter. Available from: http://www.offensive-security.com/metasploit-unleashed/About_Meterpreter.
  26. [24] Graeber, M. PowerSploit - A PowerShell Post-Exploitation Framework. Available from: https://github.com/mattifestation/PowerSploit.
  27. [27] Burt, G.L. Linux System Call Table. 2004; Available from: http://docs.cs.up.ac.za/programming/asm/derick_tut/syscalls.html.
Times Cited

  1. 歐俠宏 (2009). A study of UMTS authentication and key agreement and its applications. Degree thesis, Department of Computer Science and Engineering, National Chung Hsing University. 2009. 1-93.
  2. 楊竣吉 (2007). Applying the Session Initiation Protocol to VoIP. Master's thesis, Department of Computer and Communication, Asia University. 2007. 1-64.