  • Li Wenchao, Li Feng, Bo Defang, Zhou Jianhua, Huo Wei. HiveAttacker: A Two-stage Security Detecting Approach for Apache Hive[J]. Journal of Cyber Security, Accepted
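Funding: National Natural Science Foundation of China (General Program, Key Program, Major Program); Strategic Priority Research Program of the Chinese Academy of Sciences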
HiveAttacker: A Two-stage Security Detecting Approach for Apache Hive
Li Wenchao1, Li Feng2, Bo Defang1, Zhou Jianhua2, Huo Wei2
(1.University of Chinese Academy of Sciences;2.Institute of Information Engineering, Chinese Academy of Sciences)
Big data has immense value, which makes it one of the major targets of cyber-attacks. However, data warehouses and big data processing engines, of which Hive is representative, have long relied heavily on the underlying distributed processing platform. This design generally focuses on service availability and extensibility but ignores security, which exposes the storage and processing of big data to security risks. From the perspective of the Hive data warehouse and query engine on the Hadoop platform, we identify the two main attack surfaces that Hive faces: (1) the query compilation process and (2) the interaction process with the Hadoop platform or other third-party components. We then design a two-stage security detection approach. In the first stage, we customize and extend traditional fuzzing technology to detect vulnerabilities in the Hive source code that may lead to privilege escalation, authorization bypass, etc. In the second stage, we focus on detecting and alerting on vulnerabilities that may be triggered by Hive's interactions with other components. We implement a prototype tool, HiveAttacker, based on this method. To verify the effectiveness of the method, we applied it to Hive and found a total of 8 authorization vulnerabilities in the two historical and latest versions of Hive, including 2 unfixed bugs in the latest version, as well as 7 security threats resulting from component interactions.
Key words: Apache Hive; fuzzing test; vulnerability detecting