Key Words

Automatic Exploit Generator ; Symbolic Execution ; Concolic Execution ; Zero-day Exploit ; Automatic Exploit Generation



Volume or Term/Year and Month of Publication

Vol. 18, No. 3 (2012 / 07 / 01)

Page #

88 - 100

Content Language


Chinese Abstract

Exploit generation has long been regarded as a process that cannot be automated and that requires the intervention of highly skilled security experts. With the rapid development of symbolic execution in recent years, however, fully automated exploit generation (Automatic Exploit Generation, hereafter AEG) has become feasible. We first introduce the research results of the only three groups currently working on this (the University of Cambridge in the UK, Carnegie Mellon University in the US, and National Chiao Tung University) and analyse the current state of the art in terms of performance and qualitatively. Finally, with a view to the future development of AEG, we propose a change in thinking about software system and program security. Because AEG can automatically turn a program's reliability bugs (Software Reliability) into security vulnerabilities (Software Vulnerability), the boundary between software security and software quality will become blurred; we therefore propose the viewpoints of Bug as Vulnerability (BaV) and Bug as Backdoor (BaB).

Topic Category Basic and Applied Sciences > Information Science
Times Cited
  1. 陳泓文 (2015). An Attack Exploit Hardening System Integrated with a Penetration Testing Framework. Thesis, Institute of Computer Science and Engineering, National Chiao Tung University, 2015, pp. 1-44.
  2. 鍾翔 (2014). A Target-Aware Symbolic Execution Fuzzing Framework. Thesis, Institute of Computer Science and Engineering, National Chiao Tung University, 2014, pp. 1-45.