Title: A Systematic Exploit Strengthening Method Integrating with Penetration Testing Framework
Authors: Chen, Hung-Wen (陈泓文); Huang, Shih-Kun (黄世昆)
Institute of Computer Science and Engineering
Keywords: Exploit Strengthening; ROP (Return-Oriented Programming); Automatic Exploit Generation; Software Security; Software Vulnerability; Post Exploitation Framework
Date issued: 2015
Abstract: In recent years, uneven software quality has led to a steady stream of disclosed software vulnerabilities and hacking incidents, so software security has gradually received more attention. In today's highly information-dependent society, these vulnerabilities even endanger public infrastructure and may in turn affect personal safety. Although current operating systems support several protection mechanisms, such as data execution prevention (W⊕X or DEP) and address space layout randomization (ASLR), attack methods that bypass these protections still exist, for example return-oriented programming (ROP).
In this thesis we propose an improved, ROP-based Exploit Strengthening Method that effectively bypasses these protection mechanisms, and we combine it with automatic exploit generation (CRAX) to produce exploits that bypass the protections. The Exploit Strengthening Method mainly applies return-oriented programming: it collects machine-instruction fragments (called gadgets) from the program under test, filters the gadgets, and assembles the target attack program, for example executing "/bin/sh" or spawning a reverse/bind TCP shell backdoor. Automatic exploit generation (CRAX) automatically converts a software vulnerability into a usable exploit. After a successful exploit, the exploit is imported as a module into the Metasploit post-exploitation framework; a tester then only needs to use Metasploit to generate an exploit executable or code suited to their own environment in order to test the related systems immediately and identify high-risk vulnerabilities that can be exploited.
In our evaluation, our method outperforms ROPgadget, the most widely used publicly available system: of ten dynamically linked programs larger than 100 KB, ROPgadget succeeded on only three, while our method generated exploits for all ten. Ours is also the only exploit toolchain that integrates with a post-exploitation framework.
Due to software quality issues, recent attacks on various systems are becoming more serious, and software security has therefore become an important research topic. Attacks on software vulnerabilities not only endanger the information infrastructure but also affect human safety. To improve the overall robustness of a system, we need a penetration testing system to audit related systems. We propose the concept of an exploit toolchain that automates the whole process of fuzzing, exploitation, and post-exploitation, integrated with the Metasploit framework.
For the exploitation process, we must be able to bypass the recent protections and mitigations of the operating system, for example ASLR (address space layout randomization) and DEP (data execution prevention). We have enhanced the ROP (return-oriented programming) technique to bypass ASLR and DEP by searching for gadgets of larger sizes.
We evaluate our system by generating ROP payloads for ten target programs larger than 100 KB. Compared with ROPgadget, another popular ROP tool, which succeeded on only three of the targets, our system succeeds on all of them. We can also integrate the generated exploits into the Metasploit framework.
URI: http://140.113.39.130/cdrfb3/record/nctu/#GT070256032
http://hdl.handle.net/11536/125960
Appears in Collections: Thesis