Linux二进制漏洞利用——突破系统防御的关键技术

信息安全研究 ›› 2018, Vol. 4 ›› Issue (9): 806-818.

Linux二进制漏洞利用——突破系统防御的关键技术

曾永瑞

北京天融信科技有限公司

收稿日期:2018-09-17 出版日期:2018-09-15 发布日期:2018-09-17
通讯作者: 曾永瑞
作者简介:曾永瑞安全研究员, 主要研究领域为信息安全.

Linux Binary Exploit -The Key Technology of Breaking Through the System Defense

Received:2018-09-17 Online:2018-09-15 Published:2018-09-17

摘要/Abstract

摘要： 随着开源软件在世界范围内与日俱增的影响力，Linux操作系统的市场份额保持着快速的增长率.Linux广泛应用于服务器、工控系统、嵌入式设备、云计算等领域，可以说其已成为我们生活中不可或缺的一部分.因此Linux系统的安全性研究具有极其重要的意义，而针对内存中漏洞的攻击和防御则是信息安全领域的研究热点.数十年来，虽然有各种二进制漏洞缓解机制不断提出，但漏洞攻击技术也不断发展，这也带来了诸多挑战.通过整理近年来二进制攻防领域的关键技术, 并回顾针对Linux二进制漏洞利用的传统方法以及相应的缓解机制.阐述了近几年来Linux二进制漏洞的利用方法以及其具体原理.最后, 对介绍的漏洞利用方法进行总结与梳理, 针对它们的特性提出相应的减缓措施, 并预测未来攻防博弈发展可能的趋势.

关键词: 漏洞, 利用, 攻防, 二进制, 安全

Abstract: With the increasing influence of open source software in the world, the market share of the Linux operating system has maintained a rapid growth rate and is widely used in many fields, such as servers, industrial control systems, embedded devices, cloud computing, etc. Therefore, the research on the security of Linux system is extremely important. The attack and defense against in-memory vulnerabilities is a research hotspot in the field of information security. Along with various binary vulnerability mitigation mechanisms have been proposed in decades, the exploit technology has also evolved. The challenges remain severe. This paper organized and summarizes the key technologies of Linux binary attack and defense in recent years. Firstly, it reviews the traditional utilization methods of Linux binary vulnerabilities and the corresponding mitigation mechanisms, also introduces the new utilization methods and their principles. Then, it combs and summarizes the methods of exploiting the vulnerability. Finally, it explores the future development trend of Linux binary attack and defense games, as well as some risks that may exist in widely used Linux systems, and part of security vulnerabilities that have been exposed.

Key words: vulnerability, exploit, offensive and defensive, binary, security

曾永瑞. Linux二进制漏洞利用——突破系统防御的关键技术[J]. 信息安全研究, 2018, 4(9): 806-818.

参考文献

[1] AlphaOne. Smashing The Stack For Fun And Profit[EB/OL]. (1996-11-08)[2018-08-11]. http://phrack.org/issues/49/14.html [2] Matt Conover. w00w00 on Heap Overflows[EB/OL]. (2002-05-06)[2018-08-11]. http://www.w00w00.org/files/articles/heaptut.txt [3] The OWASP Foundation. Double Free[EB/OL]. (2014-06-24)[2018-08-11]. https://www.owasp.org/index.php/Double_Free [4] CTF Wiki. Integer overflow[EB/OL]. (2018-04-26)[2018-08-11]. https://ctf-wiki.github.io/ctf-wiki/pwn/integeroverflow/intof/ [5] 赵世斌，周天阳，朱俊虎，等. 竞态漏洞检测方法综述[J]. 计算机工程与应用, 2018, 54(4): 1-10 [6] Wikipedia. NX Bit[EB/OL]. (2014-08-06)[2018-08-11]. https://en.wikipedia.org/wiki/NX_bit [7] Shacham H. The geometry of innocent flesh on the bone: Return-into-libc without function calls (on the x86)[C].//Proc of the 14th ACM Conf on Computer and Communications Security. New York: ACM, 2007: 552-561 [8] Phantasmagoria P. The Malloc Maleficarum: Glibc Malloc Exploitation Techniques[EB/OL]. (2005-10-12)[2018-08-11]. https://packetstormsecurity.com/files/40638/MallocMaleficarum.txt [9] Jonathan A. Dangling Pointer:Smashing the pointer for fun and Profit[EB/OL]. 2007[2018-08-11]. http://www.blackhat.com/presentations/bh-usa-07/Afek/Whitepaper/bh-usa-07-afek-WP.pdf [10]TESO Security. telnetd exploit code [CP/OL]. (2001-06-09)[2018-08-11]. http://seclists.org/bugtraq/2001/Jul/533 [11] Wikipedia. Address Space Layout Randomization[EB/OL]. (2016-12-02)[2018-08-11]. https://en.wikipedia.org/wiki/Address_space_layout_randomization [12] Wikipedia. Position Independent Code[EB/OL]. (2015-10-30)[2018-08-11]. https://en.wikipedia.org/wiki/Position-independent_code [13]Wikipedia. Relocation[EB/OL]. (2016-02-13)[2018-08-11]. https://en.wikipedia.org/wiki/Relocation_(computing) [14]Wikipedia. Buffer Overflow Protection[EB/OL]. (2016-04-23)[2018-08-12]. https://en.wikipedia.org/wiki/Buffer_overflow_protection [15]Jelinek J. Object size checking to prevent(some) buffer overflows[EB/OL]. (2004-09-21)[2018-08-12]. http://gcc.gnu.org/ml/gcc-patches/2004-09/msg02055.html [16]Bosman E, Bos H. Framing Signals - A Return to Portable Shellcode[C]// Security and Privacy. IEEE, 2014:243-258 [17] Bittau A, Belay A, Mashtizadeh A, et al. Hacking Blind[J]. 2014:227-242 [18]Markus G. DEP&ROP: Modern Binary Exploitation[EB/OL]. (2015-10-03)[2018-08-13]. http://security.cs.rpi.edu/courses/binexp-spring2015/lectures/11/07_lecture.pdf [19]Federico A D, Cama A, Yan S, et al. How the ELF ruined Christmas[C]// Usenix Conf on Security Symposium. USENIX Association, 2015:643-658