Affiliations:
1. School of Computer Science and Engineering, Changshu Institute of Technology, Changshu 215500, Jiangsu, China
2. School of Computer Science and Technology, Soochow University, Suzhou 215006, Jiangsu, China
3. Zhongke Menglan (中科梦兰) Electronic Technology Co., Ltd., Changshu 215500, Jiangsu, China
4. Public Information Network Security Supervision Detachment, Quanzhou Public Security Bureau, Quanzhou 362000, Fujian, China
Authors:
LE De-guang (b. 1975), male, from Sanming, Fujian; Ph.D.; associate professor at Changshu Institute of Technology. Research interests: information security and next-generation Internet technology.
GONG Sheng-rong (b. 1966), male, from Tianmen, Hubei; Ph.D.; professor and doctoral supervisor at Changshu Institute of Technology. Research interests: image processing and information security.
WU Shao-gang (b. 1973), male, from Susong, Anhui; Ph.D.; researcher at Zhongke Menglan Electronic Technology Co., Ltd. Research interests: computer architecture, parallel and distributed computing.
XU Feng (b. 1981), male, from Changshu, Jiangsu; senior engineer at Zhongke Menglan Electronic Technology Co., Ltd. Research interests: computer architecture and self-reliant (自主) security.
LIU Wen-sheng (b. 1969), male, from Quanzhou, Fujian; senior engineer at Quanzhou Public Security Bureau. Research interest: network security.
Online publication date: 2017-05
Print publication date: 2017-05-25
How to cite:
乐德广, 龚声蓉, 吴少刚, 等. RTF数组溢出漏洞挖掘技术研究[J]. 通信学报, 2017, 38(5): 96-107. DOI: 10.11959/j.issn.1000-436x.2017104.
LE De-guang, GONG Sheng-rong, WU Shao-gang, et al. Research on RTF array overflow vulnerability detection[J]. Journal on Communications, 2017, 38(5): 96-107. DOI: 10.11959/j.issn.1000-436x.2017104.
Abstract:
During virtual function execution, incorrect handling of a C++ object's virtual function table (vtable) can give rise to an array overflow vulnerability. By attacking the virtual call, an adversary can crash the process or even take direct control of program execution, which seriously threatens user security. To find and fix such vulnerabilities as early as possible, this paper studies techniques for discovering them. Based on an analysis of the relationship between MS Word's parsing of RTF files and its virtual function calls, it finds that MS Word contains an array overflow vulnerability when parsing malformed RTF files, and proposes a fuzzing method based on file-structure parsing to discover RTF array overflow vulnerabilities. On this basis, an RTF array overflow vulnerability detection tool, RAVD (RTF array vulnerability detector), is designed. Testing RTF files with RAVD correctly discovers the array overflow vulnerability, and practical fuzzing shows that RAVD has higher discovery efficiency than traditional file fuzzing tools.
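The abstract describes "file-structure-parsing based fuzzing" only at a high level. The following Python example is added here to show the idea in working code; it is not the paper's RAVD tool and does not reproduce the MS Word vulnerability the paper reports. It tokenises an RTF document into groups, control words and text runs, then mutates numeric parameters (preferring control words whose parameter indexes a table, such as \f and \cf) to boundary values, and wraps groups in deep nesting, while keeping the brace structure well-formed so the target parser reaches the code that consumes the mutated values rather than rejecting the file up front. The INDEX_CW set, the BOUNDARY list, the mutation mix and SAMPLE_RTF are this example's own choices and constructions, not the paper's.

```python
import random
import re
from dataclasses import dataclass

# RTF lexical units: control word \name[N] (its one delimiter space is consumed),
# control symbol \x, group braces, and runs of plain text.
TOKEN_RE = re.compile(r"\\([a-zA-Z]+)(-?\d+)? ?|\\(.)|([{}])|([^\\{}]+)", re.S)
# Boundary values that tend to expose unchecked index or length arithmetic (example's choice).
BOUNDARY = [0, -1, 1, 127, 128, 255, 256, 32767, 32768, 65535, 65536, 2**31 - 1, -2**31]
# Control words whose parameter indexes a table declared earlier in the file
# (font, colour, style and list tables); this selection is the example's own.
INDEX_CW = {"f", "deff", "cf", "cb", "highlight", "s", "ls", "ilvl"}


@dataclass
class Token:
    kind: str                     # "cw", "cs", "open", "close" or "text"
    name: str = ""                # control word / control symbol name
    param: "int | None" = None    # numeric parameter of a control word
    text: str = ""                # content of a text run


def tokenize(rtf):
    """Split RTF source into tokens, keeping the group structure explicit."""
    tokens = []
    for cw, num, cs, brace, text in TOKEN_RE.findall(rtf):
        if cw:
            tokens.append(Token("cw", cw, None if num == "" else int(num)))
        elif cs:
            tokens.append(Token("cs", cs))
        elif brace:
            tokens.append(Token("open" if brace == "{" else "close"))
        else:
            tokens.append(Token("text", text=text))
    return tokens


def serialize(tokens):
    """Emit tokens as RTF, re-inserting the delimiter space a following text run needs."""
    out = []
    for i, t in enumerate(tokens):
        if t.kind == "cw":
            out.append("\\%s%s" % (t.name, "" if t.param is None else t.param))
            if i + 1 < len(tokens) and tokens[i + 1].kind == "text":
                out.append(" ")
        elif t.kind == "cs":
            out.append("\\" + t.name)
        else:
            out.append({"open": "{", "close": "}"}.get(t.kind, t.text))
    return "".join(out)


def is_balanced(tokens):
    """True if every group that is opened is closed and no group closes early."""
    depth = 0
    for t in tokens:
        depth += {"open": 1, "close": -1}.get(t.kind, 0)
        if depth < 0:
            return False
    return depth == 0


def mutate_param(tokens, rng=None):
    """Replace one numeric parameter, preferring table indices, with a boundary or random value."""
    rng = rng if rng is not None else random.Random(0)
    out = [Token(t.kind, t.name, t.param, t.text) for t in tokens]
    candidates = [i for i, t in enumerate(out) if t.kind == "cw" and t.param is not None]
    if not candidates:
        return out
    preferred = [i for i in candidates if out[i].name in INDEX_CW]
    i = rng.choice(preferred if preferred and rng.random() < 0.75 else candidates)
    value = out[i].param
    while value == out[i].param:  # always produce a real change
        value = rng.choice(BOUNDARY) if rng.random() < 0.8 else rng.randint(-2**31, 2**31 - 1)
    out[i].param = value
    return out


def mutate_nesting(tokens, rng=None, depth=64):
    """Wrap one existing group in `depth` extra braces to stress recursive group handling."""
    rng = rng if rng is not None else random.Random(0)
    opens = [i for i, t in enumerate(tokens) if t.kind == "open"]
    if not opens:
        return list(tokens)
    start, level = rng.choice(opens), 0
    for end in range(start, len(tokens)):  # find the brace that closes the chosen group
        level += {"open": 1, "close": -1}.get(tokens[end].kind, 0)
        if level == 0:
            break
    return (tokens[:start] + [Token("open")] * depth + tokens[start:end + 1]
            + [Token("close")] * depth + tokens[end + 1:])


def generate_cases(rtf, count, seed=0, nest_depth=64):
    """Produce `count` mutated RTF documents, each still a well-formed group tree."""
    rng = random.Random(seed)
    base = tokenize(rtf)
    cases = []
    for _ in range(count):
        mutated = mutate_param(base, rng) if rng.random() < 0.75 else mutate_nesting(base, rng, nest_depth)
        assert is_balanced(mutated), "mutation must not break the group structure"
        cases.append(serialize(mutated))
    return cases


# Constructed seed document: font and colour tables followed by one paragraph.
SAMPLE_RTF = (r"{\rtf1\ansi\deff0{\fonttbl{\f0\fswiss Arial;}{\f1\froman Times New Roman;}}"
              r"{\colortbl;\red255\green0\blue0;}\pard\f1\fs24\cf1 Hello, world.\par}")
```

To use it, call generate_cases(SAMPLE_RTF, 1000, seed=1), write each string to its own .rtf file, open the files in the target application under a debugger, and keep any case that crashes or raises an access violation. Because every case keeps the brace tree balanced, a crash points at the consumer of the mutated value (for instance a table lookup by index) rather than at the group parser's error path.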