高级搜索

留言板

尊敬的读者、作者、审稿人, 关于本刊的投稿、审稿、编辑和出版的任何问题, 您可以本页添加留言。我们将尽快给您答复。谢谢您的支持!

姓名
邮箱
手机号码
标题
留言内容
验证码

基于函数注入的沙箱拦截识别方法

赵旭 颜学雄 王清贤 魏强

赵旭, 颜学雄, 王清贤, 魏强. 基于函数注入的沙箱拦截识别方法[J]. 电子与信息学报, 2016, 38(7): 1823-1830. doi: 10.11999/JEIT151074
引用本文: 赵旭, 颜学雄, 王清贤, 魏强. 基于函数注入的沙箱拦截识别方法[J]. 电子与信息学报, 2016, 38(7): 1823-1830. doi: 10.11999/JEIT151074
ZHAO Xu, YAN Xuexiong, WANG Qingxian, WEI Qiang. Sandbox-interception Recognition Method Based on Function Injection[J]. Journal of Electronics & Information Technology, 2016, 38(7): 1823-1830. doi: 10.11999/JEIT151074
Citation: ZHAO Xu, YAN Xuexiong, WANG Qingxian, WEI Qiang. Sandbox-interception Recognition Method Based on Function Injection[J]. Journal of Electronics & Information Technology, 2016, 38(7): 1823-1830. doi: 10.11999/JEIT151074

基于函数注入的沙箱拦截识别方法

doi: 10.11999/JEIT151074
基金项目: 

国家863计划项目(2012AA012902)

Sandbox-interception Recognition Method Based on Function Injection

Funds: 

The National 863 Program of China (2012AA012902)

  • 摘要: 沙箱验证机制的测试需要首先识别沙箱拦截,即识别沙箱截获的系统函数集。已有的Hook识别方法大多仅关注钩子的存在性,识别沙箱拦截的能力不足。该文设计了一种基于函数注入的沙箱拦截识别方法,该方法分析系统函数的指令执行记录(Trace)来识别沙箱截获的系统函数。首先,向不可信进程注入并执行系统函数来获取函数的执行记录;其次,根据沙箱截获系统函数执行记录的特点,设计了地址空间有限状态自动机,并在自动机内分析获取的执行记录来判别沙箱截获的系统函数;最后,遍历测试函数集来识别目标沙箱截获的系统函数集。该文设计实现了原型系统SIAnalyzer,并对Chromium和Adobe Reader进行了沙箱拦截识别测试,测试结果验证了方法的有效性和实用性。
  • YEE B, SEHR D, DARDYK G, et al. Native client: A sandbox for portable, untrusted x86 native code[C]. 2009 IEEE Symposium on Security and Privacy, Oakland, USA, 2009: 79-93.
    MAASS M, SALES A, CHUNG B, et al. A systematic analysis of the science of sandboxing[J]. PeerJ Computer Science, 2016, 2: e43. doi: 10.7717/peerj-cs.43.
    CVE-2014-0512[OL]. https://web.nvd.nist.gov/view/vuln /detail?vulnId=CVE-2014-0512, 2014.
    CVE-2014-0546[OL]. https://web.nvd.nist.gov/view/vuln/ detail?vulnId=CVE-2014-0546, 2014.
    CVE-2015-2429[OL]. https://web.nvd.nist.gov/view/vuln/ detail?vulnId=CVE-2015-2429, 2015.
    CVE-2011-1353[OL], https://web.nvd.nist.gov/view/vuln/ detail?vulnId=CVE-2011-1353, 2011.
    CVE-2013-0641[OL]. https://web.nvd.nist.gov/view/vuln/ detail?vulnId=CVE-2013-0641, 2013.
    CVE-2013-3186[OL]. https://web.nvd.nist.gov/view/vuln/ detail?vulnId=CVE-2013-3186, 2013.
    崔宝江, 梁晓兵, 王禹, 等. 基于回溯和引导的关键代码区域覆盖的二进制程序测试技术研究[J].电子与信息学报, 2012, 34(1): 108-114. doi: 10.3724/SP.J.1146.2011.00532.
    CUI B J, LIANG X B, WANG Y, et al. The study of binary program test techniques based on backtracking and leading for covering key code area[J]. Journal of Electronics Information Technology, 2012, 34(1): 108-114. doi: 10.3724/SP.J.1146.2011.00532.
    欧阳永基, 魏强, 王清贤, 等. 基于异常分布导向的智能Fuzzing方法[J].电子与信息学报, 2015, 37(1): 143-149. doi: 10.11999/JEIT140262.
    OUYANG Y J, WEI Q, WANG Q X, et al. Intelligent fuzzing based on exception distribution steering[J]. Journal of Electronics Information Technology, 2015, 37(1): 143-149. doi: 10.11999/JEIT140262.
    SABABAL P and MARK V Y. Playing in the reader X sandbox[C]. Black Hat USA 2011, Las Vegas, USA 2011. https://media.blackhat.com/bh-us-11/Sabanal/BH_US_11_SabanalYason_Readerx_WP.pdf.
    MARK V Y. Understanding the attack surface and attack resilience of project spartans new edgeHtml rendering engine[C]. Black Hat USA 2015, Las Vegas, USA, 2015. https: //www. blackhat. com/ docs/ us-15/materials/us-15-Yason- Understanding-The-Attack-Surface-And-Attack-Resilience-Of-Project-Spartans-New-EdgeHTML-Rendering-Engine-wp.pdf.
    JAMES F. Digging for sandbox escapes-finding sandbox breakouts in Internet explorer[C]. Black Hat USA 2014, Las Vegas, USA, 2014. https://www.blackhat.com/docs/ us-14/ materials/us-14-Forshaw-Digging-For_IE11-Sandbox-Escapes. pdf.
    LI X N and LI H F. Smart COM fuzzing-auditing IE sandbox bypass in COM objects[C]. CanSecWest Vancouver 2015, Vancouver, Canada, 2015. https://cansecwest.com/ slides/ 2015/Smart_COM_Fuzzing_Auditing_IE_Sandbox_Bypass_in_COM_Objects-Xiaoning_li.pdf.
    BRIAN G and JASIEL S. Thinking outside the sandbox: Violating trust boundaries in uncommon ways[C]. Black Hat USA 2014, Las Vegas, USA, 2014. https: //www. blackhat. com/docs/us-14/materials/us-14-Gorenc-Thinking-Outside-The-Sandbox-Violating-Trust-Boundaries-In-Uncommon- Ways-WP.pdf.
    LIU Z H and GUILAUME L. Breeding Sandworms: How to fuzz your way out of Adobe Readers Sandbox[C]. Black Hat EUROPE 2012, Amsterdam, Netherlands, 2012. https:// media.blackhat.com/bh-eu-12/Liu_Lovet/bh-eu-12-Liu_Lovet-Sandworms-Slides.pdf.
    Wang Z, JIANG X, CUI W, et al. Countering persistent kernel rootkits through systematic hook discovery[C]. Recent Advances in Intrusion Detection 2008, Cambridge, England, 2008: 21-38.
    YIN H, POOSANKAM P, HANNA S, et al. HookScout: proactive binary-centric hook detection[C]. 7th Detection of Intrusions and Malware, and Vulnerability Assessment, Bonn, Germany, 2010: 1-20.
    BELLARD F. QEMU, a fast and portable dynamic translator[C]. Proc. USENIX Annual Technical Conference, Marroitt Anaheim, USA, 2005: 41-46.
  • 加载中
计量
  • 文章访问数:  1330
  • HTML全文浏览量:  78
  • PDF下载量:  407
  • 被引次数: 0
出版历程
  • 收稿日期:  2015-09-21
  • 修回日期:  2016-03-03
  • 刊出日期:  2016-07-19

目录

    /

    返回文章
    返回