
Design and Implement of Automatic Exploit Generation Process

Advisor: Shih-Kun Huang (黃世昆)

Abstract


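With the development of information technology and the widespread use of the Internet, a large number of applications and services connect and communicate over the network. These applications and services may contain software vulnerabilities that malicious parties can exploit over the network, creating threats. Information security research can be divided into two directions: defense and attack. Defensive research mainly avoids or reduces harm through software testing and vulnerability patching, while offensive research focuses on how to exploit software vulnerabilities effectively. Automatic exploit generation belongs to offensive research. We previously developed an automatic exploit generation platform called CRAX. CRAX uses whole-system symbolic execution and can exploit vulnerabilities in the low-level kernel and in large software, but because it emulates the whole system it must record the complete kernel state, which makes the operating procedure cumbersome and lowers usability. To improve the usability of CRAX, we implemented a Python API that automates the CRAX workflow. With this automated exploit generation API, users can automatically generate large amounts of exploit test data.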

Parallel Abstract


With the development of information technology and the popularity of the Internet, client applications and services communicate with each other over the network. However, these applications may contain software vulnerabilities that can be exploited, resulting in security threats. The security research field has two directions: defense and attack. Defense research mainly focuses on avoiding and reducing security risks through software testing and vulnerability repair. Attack research focuses on how to exploit software vulnerabilities effectively. Automatic exploit generation is one of the main areas of attack research. We previously developed an automatic exploit generation platform called CRAX. CRAX inherits some good features from its underlying platform, but it also inherits some bad ones, especially the cumbersome operation process. To improve the usability of CRAX, this study implements a set of Python APIs to automate the operation process of CRAX. With this automatic exploit generation API, users can easily exploit a large number of programs at once.
