Abstract：Recent years have seen more network attacks on business organizations and government agencies. Advanced persistent threat (APT) attacks are one key example. Malicious PDF files are an important carrier for APT attacks, which complete the attack process by executing malicious code embedded in the file. The security vulnerabilities in PDF files and the key codes in PDF vulnerabilities (such as the ROP chain) are detected to block the propagation path of the PDF malicious code at the root to better deal with the diverse malicious PDF codes. This paper introduces the principle and analysis method for identifying PDF file format vulnerabilities. The vulnerability detection rules are defined with a PDF vulnerability detection method combined with a PDF vulnerability analysis based on rule matching. Next this paper describes the principles of the ROP method and analyzes the ROP chain detection method. Finally, this paper compares this vulnerability detection system with Symantec and BitDefender. The results show that this system more effectively detects vulnerabilities than similar products.
Nick Sato. 91% of organisations hit by cyberattacks in 2013[Z/OL].[2013-12-10]. http://www.humanipo.com/news/37983/91-of-organisations-hit-by-cyberattacks-in-2013/.
Andy O'Donnell. Tools and Utilities Commonly Used to Hack Computer Systems[Z/OL].[2013-12-11]. http://netsecurity. about.com/cs/hackertools/a/aa030504.htm.
周培和.PDF文件格式漏洞挖掘系统的研究及实现[D]. 成都:电子科技大学, 2012. ZHOU Peihe. Research and Implementation of PDF File Format Vulnerability Mining System[D]. Chengdu:University of Electronic Science and Technology of China, 2012. (in Chinese)
Palo Alto Networks. What is an intrusion detection system ids[Z/OL].[2013-12-11]. https://www.paloaltonetworks.com/resources/learning-center/what-is-an-intrusion-detection-system-ids.html.
刘磊, 王轶骏, 薛质. 漏洞利用技术Heap Spray检测方法研究[J]. 信息安全与通信保密, 2012(6):70-72. LIU Lei, WANG Yijun, XUE Zhi. Research on the detection method of Spray Heap based on vulnerability[J]. Information Security and Communications Privacy, 2012(6):70-72. (in Chinese)
王清.0day:软件漏洞分析技术[M]. 北京:电子工业出版社, 2008. WANG Qing. 0day:Software Vulnerability Analysis Technology[M]. Beijing:Publishing House of Electronics Industry, 2008. (in Chinese)
Infosecurity. 91% of APT attacks start with a spear-phishing email[Z/OL].[2013-12-11]. http://www.Infosecurity-magazine.com/view/29562/91-ofapt-attacks-start-with-a-spearphishing-email/, 2012-11-28.
Vatamanu C, Gavrilut, D, Benchea R. A practical approach on clustering malicious PDF documents[J]. Journal in Computer Virology, 2012,8(4):151-163.
Nissima N, Cohena A, Glezerb C, et al. Detection of malicious PDF files and directions for enhancements:A state-of-the art survey[J]. Computers & Security, 2015(48):246-266.