Sandbox-interception Recognition Method Based on Function Injection
doi: 10.11999/JEIT151074
Funding:
The National 863 Program of China (2012AA012902)
Sandbox-interception Recognition Method Based on Function Injection
Funds:
The National 863 Program of China (2012AA012902)
Abstract (translated): Testing a sandbox verification mechanism first requires identifying sandbox interception, i.e. identifying the set of system functions the sandbox intercepts. Most existing hook identification methods only consider whether a hook exists and are not capable of identifying sandbox interception. This paper designs a sandbox-interception identification method based on function injection, which analyzes the instruction execution records (traces) of system functions to identify the system functions intercepted by the sandbox. First, system functions are injected into the untrusted process and executed to obtain their execution traces; second, based on the characteristics of the execution traces of system functions intercepted by the sandbox, an address-space finite state automaton is designed, and the obtained traces are analyzed within the automaton to determine which system functions the sandbox intercepts; finally, the set of test functions is traversed to identify the set of system functions intercepted by the target sandbox. A prototype system, SIAnalyzer, was designed and implemented, and sandbox-interception identification tests were run against Chromium and Adobe Reader; the results verify the effectiveness and practicality of the method.
Keywords:
- Sandbox interception /
- System function set /
- Hook /
- Function injection /
- Automaton
Abstract: Testing a sandbox authentication mechanism requires recognizing the sandbox interception first, i.e. recognizing the set of system functions intercepted by the sandbox. Existing hook recognition methods and tools mainly focus on the existence of the hook and lack the ability to recognize sandbox interception. This study proposes a sandbox interception recognition method based on function injection. The method recognizes which testing functions the sandbox intercepts by analyzing the trace of system functions. First, the method injects and executes the system functions in the untrusted process to record the function trace. Then, according to the features of the intercepted system function trace, the paper designs the address space finite state automata and identifies intercepted system functions by analyzing the trace. Next, the function sets are traversed to identify the set of system functions intercepted by the target sandbox. Finally, a prototype, SIAnalyzer, is implemented and tested with the Chromium Sandbox and the Adobe Reader Sandbox. Results show the proposed method is effective and practical.
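The abstract describes the method only at a high level, so the following is an added, simplified illustration (not the paper's SIAnalyzer code) of an address-space finite state automaton classifying the traces of injected system functions: a function counts as intercepted when, after entering the system module, execution runs in some other address space before returning to the caller. The module ranges, the syscall stub address, the module name `sandbox.dll` and the sample traces are all constructed assumptions.

```python
from typing import Dict, List

# Constructed module layout of the sandboxed (untrusted) process.
# These ranges and the addresses below are sample values, not real ones.
MODULES = {
    "target.exe":  (0x00400000, 0x00410000),  # process into which functions are injected
    "ntdll.dll":   (0x7FF00000, 0x7FF20000),  # system module whose functions are tested
    "sandbox.dll": (0x10000000, 0x10010000),  # assumed sandbox interception module
}
SYSCALL_STUB = 0x7FF01000  # assumed address of the kernel-transition stub in ntdll

def module_of(addr: int) -> str:
    for name, (lo, hi) in MODULES.items():
        if lo <= addr < hi:
            return name
    return "unknown"  # e.g. a thunk in dynamically allocated memory

def classify_trace(trace: List[int], system="ntdll.dll", caller="target.exe") -> dict:
    """Address-space automaton: START -> SYSTEM <-> FOREIGN -> RETURNED.
    A function is intercepted if, after entering the system module, execution
    runs in any other address space before control returns to the caller."""
    state, foreign, reached_kernel = "START", [], False
    for addr in trace:
        mod = module_of(addr)
        if state == "START":
            if mod == system:
                state = "SYSTEM"         # injected call entered the system function
            continue
        if mod == caller:
            state = "RETURNED"           # function finished, control back in the caller
            break
        if addr == SYSCALL_STUB:
            reached_kernel = True        # the original kernel transition was executed
        if mod == system:
            state = "SYSTEM"
        else:
            if state != "FOREIGN" or foreign[-1] != mod:
                foreign.append(mod)      # record each excursion out of the system module
            state = "FOREIGN"
    return {"intercepted": bool(foreign), "hooks": foreign,
            "reached_kernel": reached_kernel, "final_state": state}

def intercepted_functions(traces: Dict[str, List[int]]) -> List[str]:
    """Traverse the test function set and return the names the sandbox intercepts."""
    return sorted(n for n, t in traces.items() if classify_trace(t)["intercepted"])

# Constructed instruction-address traces for three injected functions.
SAMPLE_TRACES = {
    "NtQueryInformationProcess": [0x00401000, 0x7FF00100, 0x7FF00104, 0x7FF01000, 0x7FF01004, 0x00401005],
    "NtCreateFile": [0x00401000, 0x7FF00100, 0x10000200, 0x10000210, 0x7FF00108, 0x7FF01000, 0x00401005],
    "NtOpenKey":    [0x00401000, 0x7FF00100, 0x10000200, 0x10000300, 0x00401005],  # denied: never reaches kernel
}
```

The `reached_kernel` flag distinguishes a hook that forwards to the original code from one that handles or denies the call entirely, which is the difference a sandbox tester wants to see per function.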
Key words:
- Sandbox interception /
- System function set /
- Hook /
- Function injection /
- Automata
計(jì)量
- 文章訪(fǎng)問(wèn)數(shù): 1347
- HTML全文瀏覽量: 82
- PDF下載量: 407
- 被引次數(shù): 0