雲端軟體弱點探索分析資料庫

Abstract

觀察過去Stuxnet、APT與最近Google、Facebook和微軟遭攻擊事件，網路世界的戰爭已不容輕視，其中所使用的武器便是針對各種軟體弱點的攻擊程式。本研究擬基於雲端系統建置一個軟體弱點探索分析資料庫，儲存可執行的軟體弱點環境，同時也改善實驗室開發的自動脅迫產生器(Automatic Exploit Generator, CRAX)，與此資料庫整合，利用雲端系統自動化軟體弱點的探索過程，除能針對軟體弱點自動產生脅迫(Exploit)外，還可將建置的實驗環境轉換為wargame，提供人員安全意識訓練的教材。

Recent attacks like Stuxnet, APT, and on large corporations including Google, Facebook and Microsoft have caused much damage on valuable information asset. The Internet warfare can no longer be ignored. In this thesis we developed a cloud-based benchmark database for software vulnerability analysis and discovery. This system is capable of maintaining executable environment of various software vulnerabilities. We integrate the automated exploit generation system (called CRAX) formerly developed by our laboratory into the system, taking advantage of cloud system to automate the software exploit writing process. The system not only provides the automatic exploit of software vulnerability but can also construct a wargame for training security expertise from emulated environment.