
A Cloud-based Benchmark Database for Software Vulnerability Analysis and Discovery

Advisor: 黃世昆

Abstract


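Looking back at Stuxnet, APT campaigns, and the recent attacks on Google, Facebook and Microsoft, warfare in the networked world can no longer be taken lightly, and the weapons it uses are exploit programs that target software vulnerabilities. This research proposes to build, on a cloud system, a database for software vulnerability discovery and analysis that stores executable software vulnerability environments. It also improves the automatic exploit generator developed by our laboratory (Automatic Exploit Generator, CRAX) and integrates it with this database, using the cloud system to automate the vulnerability discovery process. Besides automatically generating exploits for software vulnerabilities, the constructed experimental environments can be converted into wargames that serve as teaching material for security-awareness training.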

Parallel Abstract


Recent attacks such as Stuxnet and APT campaigns, and attacks on large corporations including Google, Facebook and Microsoft, have caused much damage to valuable information assets. Internet warfare can no longer be ignored. In this thesis we developed a cloud-based benchmark database for software vulnerability analysis and discovery. The system is capable of maintaining executable environments for various software vulnerabilities. We integrate the automated exploit generation system (called CRAX) formerly developed by our laboratory into the system, taking advantage of the cloud system to automate the software exploit writing process. The system not only generates exploits for software vulnerabilities automatically but can also construct a wargame from the emulated environment for training security expertise.

Parallel Keywords

Security Programming Exploit Cloud Wargame 0day
