Journal of Tsinghua University (Science and Technology)  2017, Vol. 57 Issue (1): 33-38,43    DOI: 10.16511/j.cnki.qhdxxb.2017.21.007
Section: Computer Science and Technology
PDF file vulnerability detection
WEN Weiping1, WANG Yongjian2, MENG Zheng1
1. School of Software & Microelectronics, Peking University, Beijing 102600, China;
2. Key Laboratory of Information Network Security of Ministry of Public Security, Shanghai 201204, China
Abstract (Chinese version): In recent years, network attacks against commercial organizations and government agencies have emerged one after another, and advanced persistent threat (APT) attacks occur from time to time. Malicious PDF files are an important carrier of APT attacks; they complete the attack process by executing malicious code embedded inside the file. Finding the security vulnerabilities present in PDF files themselves, and detecting the key code that exploits PDF vulnerabilities, such as return-oriented programming (ROP) chains, blocks the propagation path of PDF malicious code at its root and thus copes better with the diversity and variability of PDF malicious code. This paper first introduces the principles and analysis methods of PDF file format vulnerabilities; then, drawing on PDF vulnerability analysis examples, it builds a vulnerability detection rule library and proposes a rule-matching-based method for detecting known PDF vulnerabilities; next it describes the principles of the ROP technique and analyzes methods for detecting ROP chains; finally it compares the known-vulnerability detection capability of the implemented vulnerability detection system with that of the existing security detection tools Symantec and BitDefender. The detection results show that the system's ability to detect known vulnerabilities is clearly higher than that of comparable products.
Abstract: Recent years have seen more network attacks on business organizations and government agencies. Advanced persistent threat (APT) attacks are one key example. Malicious PDF files are an important carrier for APT attacks, which complete the attack process by executing malicious code embedded in the file. The security vulnerabilities in PDF files and the key code in PDF vulnerabilities (such as the ROP chain) are detected to block the propagation path of the PDF malicious code at the root to better deal with the diverse malicious PDF codes. This paper introduces the principle and analysis method for identifying PDF file format vulnerabilities. The vulnerability detection rules are defined with a PDF vulnerability detection method combined with a PDF vulnerability analysis based on rule matching. Next this paper describes the principles of the ROP method and analyzes the ROP chain detection method. Finally, this paper compares this vulnerability detection system with Symantec and BitDefender. The results show that this system more effectively detects vulnerabilities than similar products.
Key words: PDF file; vulnerability detection; rule matching; return-oriented programming (ROP) chain detection
Received: 2016-01-19      Published: 2017-01-15
CLC number: TP309.1
Corresponding author: WANG Yongjian, associate research fellow, E-mail: wangyongjian@stars.org.cn
Cite this article:
WEN Weiping, WANG Yongjian, MENG Zheng. PDF file vulnerability detection. Journal of Tsinghua University(Science and Technology), 2017, 57(1): 33-38,43.
Link to this article:
http://jst.tsinghuajournals.com/CN/10.16511/j.cnki.qhdxxb.2017.21.007  or  http://jst.tsinghuajournals.com/CN/Y2017/V57/I1/33
Fig. 1 Execution flow of a heap spray attack
Fig. 2 Shellcode composed of an ROP chain
Fig. 3 Overall architecture of the PDF vulnerability detection subsystem
Fig. 4 Vulnerability analysis process
Table 1 Vulnerability detection rule library
Fig. 5 Flow of the rule-matching-based static detection method
Fig. 6 Flow of the ROP chain detection module
Fig. 7 PDF file parsing results
Fig. 8 PDF known-vulnerability detection results
Fig. 9 Detection results for key PDF exploit code
Table 2 Comparison of PDF vulnerability detection results