一种针对网络设备的已知漏洞定位方法

王琛; 邹燕燕; 刘龙权; 彭跃; 张禹; 卢昊良; 王鹏举; 郭涛; 霍玮

引用本文：

王琛,邹燕燕,刘龙权,彭跃,张禹,卢昊良,王鹏举,郭涛,霍玮.一种针对网络设备的已知漏洞定位方法[J].信息安全学报,2023,8(6):48-63 [点击复制]
WANG Chen,ZOU Yanyan,LIU Longquan,PENG Yue,ZHANG Yu,LU Haoliang,WANG Pengju,GUO Tao,HUO Wei.Locating 1-Day Vulnerabilities in Network Equipment[J].Journal of Cyber Security,2023,8(6):48-63 [点击复制]

本文已被：浏览 3976次下载 2850次	码上扫一扫！
一种针对网络设备的已知漏洞定位方法
王琛^1,2,3,4, 邹燕燕^1,2,3,4, 刘龙权^1,2,3,4, 彭跃^1,2,3,4, 张禹^1,2,3,4, 卢昊良^1,2,3,4, 王鹏举^1,2,3,4, 郭涛¹, 霍玮^1,2,3,4
0 字体:加大+\|默认\|缩小-
(1.中国科学院信息工程研究所北京中国 100093;2.中国科学院网络测评技术重点实验室北京中国 100195;3.网络安全防护技术北京市重点实验室北京中国 100195;4.中国科学院大学网络空间安全学院北京中国 100049)

摘要:

骨干级网络设备作为关键基础设施, 一直是网络攻防中的焦点, 与此同时, 其作为一个封闭、复杂的信息系统, 漏洞的公开研究资料相对较少、漏洞细节缺失较多。补丁对比是一种有效的漏洞分析手段, 而骨干级网络设备固件解包后通常具有单体式可执行文件, 这类文件具有函数数量多、文件规模大、调试符号信息缺失等特点, 直接进行补丁比对会产生大量待确认的误报差异, 同时启发式算法可能将两个不相关的函数错误匹配, 导致正确的安全修补缺失及漏报。传统的补丁比对方法无法有效地解决这类文件的补丁分析问题, 漏洞细节的分析遇到挑战。本文提出了一种针对单体式可执行文件中已知漏洞的定位方法MDiff, 通过漏洞公告描述中的子系统概念与目标二进制文件的内部模块结构对目标进行了拆分, 在基于局部性的二进制比对技术之上, 利用语义相似度衡量方法对比对结果进行筛选排序。具体来讲, MDiff首先利用入口函数及局部性原理识别存在漏洞的网络协议服务代码, 即粗粒度定位阶段。其次针对已识别出的、存在漏洞的网络协议服务代码模块中存在差异的函数进行动静态结合的语义信息分析, 包括基于扩展局部轨迹的安全修补识别, 基于代码度量的安全修补排序等步骤, 即细粒度定位阶段。基于该两阶段漏洞定位方法, 我们实现了一个原型系统, 对4个厂商设备中已经披露的15个漏洞进行实验。实验结果表明, 本文提出的漏洞定位方法可以提高网络设备的补丁分析效率, 支持研究人员发现已知漏洞细节。

关键词: 网络设备模块划分补丁比对

DOI：10.19363/J.cnki.cn10-1380/tn.2023.11.05

投稿时间：2020-04-07修订日期：2020-05-13

基金项目:本课题得到自然科学基金项目(No. U1836209, No. 61802394)、中科院先导项目(No. XDC02040100)、国家重点研发计划(No.2016QY071405)资助。

Locating 1-Day Vulnerabilities in Network Equipment

WANG Chen^1,2,3,4, ZOU Yanyan^1,2,3,4, LIU Longquan^1,2,3,4, PENG Yue^1,2,3,4, ZHANG Yu^1,2,3,4, LU Haoliang^1,2,3,4, WANG Pengju^1,2,3,4, GUO Tao¹, HUO Wei^1,2,3,4

(1.Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China;2.Key Laboratory of Network Assessment Technology, Chinese Academy of Sciences, Beijing 100195, China;3.Beijing Key Laboratory of Network Security and Protection Technology, Beijing 100195, China;4.University of Chinese Academy of Sciences, Beijing 100049, China)

Abstract:

Backbone network equipment, a key infrastructure, has always been the focus of network attack and defense. At the same time, as a closed and complex information system, there are relatively few public research materials on vulnerabilities and many details of vulnerabilities are missing. Patch comparison is an effective method for vulnerability analysis, but the firmware of backbone network equipment is usually unpacked into monolithic executable files, which have characteristics such as a large number of functions, a large file size, and missing debugging symbol information. Direct patch comparison will produce a large number of unconfirmed false positive differences, and heuristic algorithms may mistakenly match two unrelated functions, resulting in the lack of correct security patches and false negatives. Traditional patch comparison methods cannot effectively solve the patch analysis problem of these files, and the analysis of vulnerability details faces challenges. This paper proposes a method called MDiff for locating known vulnerabilities in monolithic executable files. MDiff decomposes the target binary file into internal modules based on the subsystem concept in the description of the vulnerability bulletin and the internal module structure of the target binary file, and uses semantic similarity measurement to filter and sort the comparison results based on binary comparison technology based on locality. Specifically, MDiff first uses entry functions and the principle of locality to identify vulnerable network protocol service codes, that is, the coarse-grained location phase. For the identified network protocol service code modules with vulnerabilities, MDiff performs semantic information analysis combining static and dynamic analysis, including the identification of security patches based on extended local traces and the ranking of security patches based on code metrics, that is, the fine-grained location phase. Based on this two-phase vulnerability location method, we have implemented a prototype system and experimented with 15 vulnerabilities disclosed in devices from four vendors. The experimental results show that the proposed vulnerability location method can improve the efficiency of patch analysis for network devices and support researchers in discovering known vulnerability details.

Key words: network equipment module decomposition patch comparison