How to pinpoint vulnerabilities? [Paper reading] Pinpointing vulnerabilities

Copyright notice: when reposting or citing, please credit the source. https://blog.csdn.net/weixin_39278265/article/details/87864152

Preface

This post is a reading of the 2017 AsiaCCS paper "Pinpointing vulnerabilities".

1 Basic information

Chen Y, Khandaker M, Wang Z. Pinpointing vulnerabilities[C]//Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security. ACM, 2017: 334-345.

This paper is in the same line of work as [USENIX Security 17] Adaptive Android Kernel Live Patching (https://blog.csdn.net/weixin_39278265/article/details/87859201) and is by the same authors.

2 Paper content

First, the paper introduces memory-based vulnerabilities:

Memory-based vulnerabilities are a major source of attack vectors. They allow attackers to gain unauthorized access to computers and their data. Previous research has made significant progress in detecting attacks.

The current challenge:

However, developers still need to locate and fix these vulnerabilities, a mostly manual and time-consuming process. They face a number of challenges. Particularly, the manifestation of an attack does not always coincide with the exploited vulnerabilities, and many attacks are hard to reproduce in the lab environment, leaving developers with limited information to locate them.

The authors' tool:

In this paper, we propose Ravel, an architectural approach to pinpoint vulnerabilities from attacks. Ravel consists of an online attack detector and an offline vulnerability locator linked by a record & replay mechanism.

The approach in more detail:

Specifically, Ravel records the execution of a production system and simultaneously monitors it for attacks. If an attack is detected, the execution is replayed to reveal the targeted vulnerabilities by analyzing the program’s memory access patterns under attack.

Evaluation:

We have built a prototype of Ravel based on the open-source FreeBSD operating system. The evaluation results in security and performance demonstrate that Ravel can effectively pinpoint various types of memory vulnerabilities and has low performance overhead.

Roughly, this says:

Memory-based vulnerabilities are a major source of attacks; they let attackers gain unauthorized access to computers and their data. Prior research has made significant progress in detecting attacks.

But developers still need to locate and fix these vulnerabilities, which is usually a manual and time-consuming process. They face a series of difficulties: in particular, the manifestation of an attack does not always coincide with the exploited vulnerability, and many attacks are hard to reproduce in a lab environment, so developers have very little information to go on when locating a vulnerability.

The paper proposes Ravel, an architectural approach that locates vulnerabilities starting from attacks. Ravel has two parts: 1) an online attack detector; 2) an offline vulnerability locator (the two are linked by a record & replay mechanism).

Concretely, Ravel records the execution of a production system and at the same time monitors that execution for attacks. If an attack is detected, the execution is replayed to reveal the targeted vulnerability (by analyzing the program's memory access patterns under attack).

The authors built a Ravel prototype on the open-source FreeBSD operating system. The evaluation shows that Ravel can effectively pinpoint various types of memory vulnerabilities with only a low performance overhead.

3 A few Q&As

3.1 QA1

Q: What techniques exist for detecting (locating) vulnerabilities? (related work)

Many systems have been proposed to detect attacks. However, they often focus on detecting symptoms of attacks. A detected attack thus does not necessarily coincide with the targeted vulnerabilities. For example, system call (syscall) interposition tries to detect anomalies in the syscalls made by a protected program [27, 28, 30]

Similarly, the detection of control-flow hijacking may not concur with the vulnerabilities as well. For example, taint-based attack detection systems [12, 48]

Attack detection and exploit mitigation: the first category of the related work is a long stream of research in the attack detection and exploit mitigation [1, 3, 4, 6, 11, 21, 22, 29, 33, 51, 10, 63, 64, 66, 67] (a recent survey paper provides a comprehensive overview of these systems [59])

I did not expect there to be a survey on this; impressive:
[59] L. Szekeres, M. Payer, T. Wei, and D. Song. Sok: Eternal War in Memory. In Proceedings of the 34th IEEE Symposium on Security and Privacy, pages 48–62. IEEE, 2013.

W ⊕ X [22] and ASLR [60]: Nevertheless, W ⊕ X and ASLR have significantly raised the bar for reliable exploits. These defenses can be integrated with Ravel to enable the defense in depth. They will also improve Ravel's attack detection since they make exploits crash more often.

Vulnerability/bug discovery: There are also many efforts to discover vulnerabilities through dynamic and static analysis [5, 25, 55, 58].

3.2 QA2

Q: How does Ravel work?

Benefits of Ravel:

A system that can not only detect attacks but also pinpoint the exploited vulnerabilities could greatly help us in the arms-race against attackers. First, it can significantly reduce the window of vulnerability. Developers often spend lots of time to reproduce and analyze reported attacks. This is usually a manual, time-consuming, and error-prone process as many attacks are hard to reproduce in the development environments. Second, it can automatically locate zero-day vulnerabilities, as long as the attacks can be detected. Many existing systems can detect zero-day attacks (i.e., they do not rely on the details of known attacks), including the previously mentioned syscall interposition and taint-/CFI-based systems. Lastly, locating vulnerabilities is an important first step towards automatic software repair and self-healing.

It feels like self-healing comes up quite a lot in security.
Is APR a branch of it?

Introducing Ravel:

In this paper, we propose Ravel, a system that can pinpoint the targeted vulnerabilities from detected attacks. Ravel stands for "Root cause Analysis of Vulnerabilities from Exploitation Log." It consists of three components: an online attack detector, a record & replay (R&R) mechanism, and an offline vulnerability locator.

Roughly, this says:
Ravel's full name is Root cause Analysis of Vulnerabilities from Exploitation Log. It consists of three parts: online attack detection, a record & replay mechanism, and offline vulnerability location. The record & replay mechanism plays a decoupling role, separating parts 1 and 3, a bit like the B/S (browser/server) model: each part is adapted to its own setting so that it can run as efficiently as possible. As the paper puts it:

R&R decouples the other two components so that the online attack detector can operate as efficiently as possible to minimize the performance overhead, and the offline vulnerability locator can employ multiple, time-consuming algorithms to improve its precision and coverage.


What I care about most is how the vulnerability is actually located:

Vulnerability locator aims at pinpointing the targeted vulnerabilities from a recorded execution that is known to contain attacks. It is based on the key observation that memory exploits often change the data flow. As such, it first uses a data-flow analysis to locate the rough locations of the vulnerability and further refines them with specific analyses targeting common types of memory vulnerabilities. Ravel is designed as an extensible framework so that analyses for less common types of vulnerabilities can be added later.

Roughly, this says:
The vulnerability locator works from a recorded execution (already known to contain an attack) and extracts information from it to pinpoint the targeted vulnerability. The idea rests on the authors' observation that memory exploits often change the data flow. So it first uses a data-flow analysis to find the rough location of the vulnerability, and then applies specific (targeted) analyses for the common types of memory vulnerabilities. The authors also note that Ravel is designed as an extensible framework, so analyses for less common vulnerability types can be added later.
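To make the "exploits change the data flow" idea concrete, here is an added toy model of the locator's two stages (my own illustration, not the paper's code or the Ravel prototype). It assumes a constructed byte-level memory-access trace and a constructed stack layout: def-use edges (which instruction last wrote each byte an instruction reads) are compared between a benign replay and the attacked replay, and any writer behind a new edge is refined by checking whether its write crossed an object boundary.

```python
from collections import namedtuple

# Constructed trace format (assumption): one Event per memory access, byte granularity.
Event = namedtuple("Event", "pc op addr size")   # op is "W" (write) or "R" (read)

# Constructed stack layout: a 16-byte buffer followed by the saved return address.
LAYOUT = {"buf": (0x1000, 0x1010), "ret_addr": (0x1010, 0x1018)}

# Benign recorded run: the callee copies 8 bytes into buf; ret reads the address the call stored.
BENIGN = [Event(0x400100, "W", 0x1010, 8), Event(0x400200, "W", 0x1000, 8),
          Event(0x400300, "R", 0x1000, 8), Event(0x400400, "R", 0x1010, 8)]
# Attacked run: the same copy instruction writes 24 bytes, spilling over the return address.
ATTACKED = [Event(0x400100, "W", 0x1010, 8), Event(0x400200, "W", 0x1000, 24),
            Event(0x400300, "R", 0x1000, 8), Event(0x400400, "R", 0x1010, 8)]

def def_use_edges(trace):
    """Data-flow edges (writer_pc, reader_pc): each read byte is linked to its last writer."""
    last_writer, edges = {}, set()
    for ev in trace:
        for a in range(ev.addr, ev.addr + ev.size):
            if ev.op == "W":
                last_writer[a] = ev.pc
            elif a in last_writer:
                edges.add((last_writer[a], ev.pc))
    return edges

def objects_touched(addr, size, layout):
    """Names of layout objects overlapped by the byte range [addr, addr + size)."""
    return [n for n, (lo, hi) in layout.items() if addr < hi and addr + size > lo]

def locate(benign, attacked, layout):
    """Rough stage: writers behind edges that exist only under attack.
    Refinement stage: a single write crossing an object boundary is reported as out-of-bounds."""
    findings = []
    for writer, reader in sorted(def_use_edges(attacked) - def_use_edges(benign)):
        kind = "unexpected data flow"
        for ev in attacked:
            if ev.pc == writer and ev.op == "W":
                touched = objects_touched(ev.addr, ev.size, layout)
                if len(touched) > 1:
                    kind = "out-of-bounds write " + "->".join(touched)
                    break
        findings.append((writer, reader, kind))
    return findings

if __name__ == "__main__":
    for writer, reader, kind in locate(BENIGN, ATTACKED, LAYOUT):
        print(f"candidate vulnerable write at {writer:#x} reaches {reader:#x}: {kind}")
```

The only data-flow edge that appears under attack is the copy at 0x400200 feeding the return-address read at 0x400400, which is exactly the overflowing write; the real system works on recorded executions of unmodified binaries rather than a hand-written trace.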

3.3 QA3

Q: What is hard about locating vulnerabilities? What are the challenges?

At present it can only locate memory vulnerabilities. Is there other work covering the rest?

Summary

Shortcomings:
The related work section feels insufficient; it is hard to see what the significant improvement over other work is.
Is this a combination of existing pieces, or original work? That is worth looking into.
The authors' tone does not feel all that confident.

For future work, see the notes.
