PVDF: An automatic Patch-based Vulnerability Description and Fuzzing method

机译：PVDF：一种基于修补程序的自动漏洞描述和模糊处理方法

获取原文

获取原文并翻译 | 示例

页面导航

摘要
著录项
相似文献
相关主题

摘要

Patch-based vulnerability analysis is a hot topic for security researchers and attackers, some important semantic can be used to discover new bugs or errors via information revealed from patch differences. However, automatic description for patched differences is always viewed as such a difficult task that similar work is usually achieve in manual method. In this paper, we present an automatic patch-based description for a type of privilege elevation vulnerability, and perform fuzzing test to excavate unknown bugs in further step. Focusing on feature in this type of vulnerability, we recognize vulnerability-related positions from patched differences, and divide them into multi-level attributes via normalized definitions. Furthermore, we present analysis procedure as relationship measurement among several attributes: binary difference, data structure of object, operation semantic and constraint formula. The root cause and exploitation method for vulnerability can be described on the leverage of gradual attribute deductions. At last, a CF-oriented fuzzing method is introduced based on verification of semantic and constraint formula. The effectiveness and performance of our prototype have been tested in evaluation, it proves that patch-related bugs all can be described in PVD (Patch-based Vulnerability Description) automatically, and some new bugs can be discovered in PVF (Patch-based Vulnerability Fuzzing). In addition, average time consumption of global running is less than systems or projects of related work.

机译：基于补丁的漏洞分析是安全研究人员和攻击者的热门话题，可以使用一些重要的语义通过补丁差异所揭示的信息来发现新的错误或错误。但是，自动描述已修补的差异始终被视为一项艰巨的任务，通常可以通过手动方法完成类似的工作。在本文中，我们为一种特权提升漏洞提供了一种基于补丁的自动描述，并进行了模糊测试以挖掘未知错误，这是下一步的工作。着眼于此类漏洞的功能，我们从已修补的差异中识别与漏洞相关的位置，并通过归一化定义将其划分为多级属性。此外，我们提出了分析程序作为关系度量的几个属性：二进制差异，对象的数据结构，操作语义和约束公式。漏洞的根本原因和利用方法可以通过逐步属性推论来描述。最后，基于语义和约束公式的验证，提出了一种基于CF的模糊测试方法。我们的原型的有效性和性能已经过评估测试，证明与补丁相关的错误都可以自动在PVD（基于补丁的漏洞描述）中描述，并且可以在PVF（基于补丁的漏洞Fuzzing）中发现一些新错误。）。另外，全球运行的平均时间消耗少于相关工作的系统或项目。

著录项

来源
《2014 Communications security conference》|2014年|1-8|共8页
会议地点 Beijing(CN)
作者
Letian Sha; Fu Jianming; Chen Jing; Peng Guojun;
展开▼
作者单位

School of Computer, Wuhan University, 430072, China;

展开▼
会议组织
原文格式 PDF
正文语种 eng
中图分类
关键词
Patch-based; exploitation; fuzzing test; root cause; vulnerability description;

机译：基于补丁的漏洞利用;模糊测试;根本原因;漏洞描述;;

相似文献

外文文献
中文文献
专利

1. An automatic method for CVSS score prediction using vulnerabilities description [J] . Khazaei Atefeh, Ghasemzadeh Mohammad, Derhami Vali Journal of intelligent & fuzzy systems: Applications in Engineering and Technology . 2016,第1期

机译：一种使用漏洞描述的CVSS分数预测的自动方法
2. Modeling the Search for Vulnerabilities via the Fuzzing Method Using an Automation Representation of Network Protocols [J] . A. I. Pechenkin, D. S. Lavrova Automatic Control and Computer Sciences . 2015,第8期

机译：使用网络协议的自动化表示，通过模糊方法对漏洞搜索进行建模
3. Algebraic description and automatic generation of multigrid methods inrnSPIRAL [J] . Matthias Bolten, Franz Franchetti, Paul H. J. Kelly, Concurrency and Computation . 2017,第17期

机译：SPIRAL中多网格方法的代数描述和自动生成
4. Network Protocol Automatic Vulnerability Mining Technology Based on Fuzzing [C] . Jintao Zhang, Duyu Liu, Wei Xiang International Conference on Intelligent Systems and Knowledge Engineering . 2019

机译：基于模糊的网络协议自动漏洞挖掘技术
5. Detect Iago Vulnerabilities in Legacy Code with Reverse Syscall Fuzzing [D] . Cui, Rongzhen. 2021

机译：用反向Syscall模糊检测遗留代码中的IAGO漏洞
6. Vulnerability Mining Method for the Modbus TCP Using an Anti-Sample Fuzzer [O] . Yingxu Lai, Huijuan Gao, Jing Liu 2020

机译：使用反采样模糊器的Modbus TCP漏洞挖掘方法
7. TaintScope: A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability Detection [O] . Tielei Wang, Tao Wei, Guofei Gu, 2010

机译：Taintscope：用于自动软件漏洞检测的Checksum-aware定向模糊测试工具

PVDF: An automatic Patch-based Vulnerability Description and Fuzzing method

摘要

著录项

相似文献

相关主题

期刊订阅