自動產生攔截控制流程之攻擊程式碼

Abstract

由於資訊領域的快速發展與應用，各類安全威脅日趨嚴重，而這些威脅都根源於軟體的缺陷，軟體安全性的探討因此成為重要的議題。這些議題中，最大的威脅來自於軟體缺陷經常性地被揭露、使得駭客的攻擊事件層出不窮，其中零日攻擊(zero-day attacks)更造成系統及經濟上的重大危害。我們以軟體發展過程的角度分析，瞭解到安全漏洞的修補過程，是一場與零日攻擊的時間競賽，若能儘早修補漏洞，將可大幅降低其威脅性。為了快速掌握漏洞，我們運用在軟體測試領域中，已被廣泛研究運用、自動尋找程式錯誤的方法。然而如何分析眾多的程式錯誤，優先尋找出安全性威脅的漏洞，仍是一個很困難的研究領域。在此論文中，我們將轉換角色，以攻擊者的角度來試圖產生攻擊程式碼、並將過程自動化，以此證明程式中存在安全性漏洞。我們提出基於符號執行的軟體測試方法，實作攻擊程式產生器，可任意攔截控制流程。此概念已實驗在多個真實的程式，證明此方法之可行性。

Due to the rapid deployment of information technology, the threats on information assets are getting more serious. These threats are originated from software vulnerabilities. The vulnerabilities bring about attacks. If attacks launched before the public exposure of the targeted vulnerability, they are called zero-day attacks. These attacks usually damage system and economy seriously. We have analyzed the process of zero-day attacks in the perspective of software process and recognize that it is a race competition between attacks and software patch development and deployment. If developers can fix the vulnerabilities as soon as possible, the threats will be significantly reduced. In order to faster the vulnerability finding process, we use the software testing techniques, focusing on finding bugs automatically. However, it is still hard to locate security vulnerabilities from a large number of bugs. In our paper, we switch to the roles of attackers and aim at generating attacks automatically to prove that a bug is a security vulnerability. Based on symbolic execution, we are able to automatically generate exploit for control-flow hijacking attacks and perform several experiments with real-world programs to prove our method is feasible.