Summary of vulnerability mining and analysis techniques

There are many kinds of vulnerability mining and analysis techniques, and it is rarely possible to complete an analysis with only one of them. In practice several techniques are combined and tuned against each other to balance efficiency against the quality of the results.

2.1. Manual analysis

Manual analysis is a gray-box technique. The analyst constructs special inputs for the target program by hand and observes how its output and internal state change. Inputs include both valid and invalid cases; outputs include both normal and abnormal responses. An abnormal output is either a bug in the target program or a precondition for one, and an abnormal change in the target's state is likewise a sign of a possible vulnerability and marks the direction for deeper digging. Manual analysis depends heavily on the experience and skill of the analyst. It is mostly applied to programs with a human-computer interaction interface and is very common in Web vulnerability mining.

2.2. Fuzzing technology

Fuzzing is an automated software testing technique based on defect (fault) injection. Using a black-box approach, it feeds large volumes of semi-valid data to the application and detects possible security vulnerabilities by recording whether the program behaves abnormally. Semi-valid data means that the parts the target must recognize (such as a file header or a protocol identifier) and most of the remaining data are valid, while a deliberately constructed portion is invalid. The application may mishandle this data, crashing or triggering the corresponding security vulnerability.

By the characteristics of the analysis target, fuzzing can be divided into three categories:

1. Dynamic Web page fuzzing, for Web programs written in ASP, PHP, Java, Perl and similar languages, including applications built with these technologies in a browser/server (B/S) architecture; a typical tool is an HTTP fuzzer;

2. File format fuzzing, for document and other file formats; a typical tool is a PDF fuzzer;

3. Protocol fuzzing, for network protocols; a typical example is fuzzing Microsoft RPC (Remote Procedure Call).

The way a fuzzer constructs inputs resembles the way black-box test cases are built: boundary values, long or malformed strings, modified file headers and data appended to the end of a file all serve as basic construction conditions. Fuzzers can detect many classes of security vulnerabilities, including buffer overflows, integer overflows, format string and special-character handling bugs, race conditions and deadlocks, SQL injection, cross-site scripting, RPC vulnerabilities, file system attacks, information leakage, and so on.
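The following is an added example, not code from the original article or from any of the fuzzers it names. It shows the semi-valid construction just described against a toy file format invented for this example: the magic bytes stay valid so the parser accepts the record, one field at a time is pushed to a boundary value or the file is truncated, and any exception other than the parser's own graceful rejection is recorded as a finding. The parser's defect (an unvalidated stride of 0) is deliberate and stands in for a crash in a native parser.

```python
import random
import struct

# Constructed toy file format (an assumption for this example, not a real format):
#   magic(4) = b"FUZZ" | stride(1) | length(2, little-endian) | payload(length)
MAGIC = b"FUZZ"
MAX_PAYLOAD = 64


class ParseError(Exception):
    """Expected, graceful rejection of malformed input; not a finding."""


def parse_record(data: bytes) -> int:
    """Toy parser returning a checksum over every `stride`-th payload byte.
    Deliberate defect: `stride` is never validated, so a value of 0 reaches
    the slice below and raises an unexpected ValueError, which plays the
    role of a crash in a native parser."""
    if len(data) < 7 or data[:4] != MAGIC:
        raise ParseError("bad magic or short header")
    stride = data[4]
    (length,) = struct.unpack_from("<H", data, 5)
    payload = data[7:7 + length]
    if len(payload) != length:
        raise ParseError("truncated payload")
    if length > MAX_PAYLOAD:
        raise ParseError("payload too large")
    return sum(payload[::stride]) & 0xFFFF


def build_record(stride: int, payload: bytes) -> bytes:
    """Build a fully valid record to use as the fuzzing seed."""
    return MAGIC + bytes([stride]) + struct.pack("<H", len(payload)) + payload


BOUNDARY_BYTES = (0, 1, 0x7F, 0x80, 0xFF)
BOUNDARY_U16 = (0, 1, 0x7FFF, 0x8000, 0xFFFF)


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Produce semi-valid data: keep the magic intact so the parser accepts
    the record, and corrupt exactly one field with a boundary value, or
    truncate the file."""
    buf = bytearray(seed)
    choice = rng.choice(("stride", "length", "payload_byte", "truncate"))
    if choice == "stride":
        buf[4] = rng.choice(BOUNDARY_BYTES)
    elif choice == "length":
        struct.pack_into("<H", buf, 5, rng.choice(BOUNDARY_U16))
    elif choice == "payload_byte" and len(buf) > 7:
        buf[rng.randrange(7, len(buf))] = rng.choice(BOUNDARY_BYTES)
    else:
        del buf[rng.randrange(1, len(buf)):]
    return bytes(buf)


def fuzz(seed: bytes, iterations: int, rng_seed: int = 1) -> dict:
    """Run the parser on mutated inputs. A graceful ParseError is ignored;
    any other exception is a finding, keyed by exception type, with one
    reproducing input kept per key."""
    rng = random.Random(rng_seed)
    findings = {}
    for _ in range(iterations):
        case = mutate(seed, rng)
        try:
            parse_record(case)
        except ParseError:
            continue
        except Exception as exc:  # anything unexpected is a crash candidate
            findings.setdefault(type(exc).__name__, case)
    return findings


if __name__ == "__main__":
    seed = build_record(2, b"hello, fuzzer")
    for name, case in fuzz(seed, 2000).items():
        print(f"{name}: reproducer with stride={case[4]} input={case!r}")
```

The harness keeps one reproducer per exception type, which is the minimum a practitioner needs: a finding without a reproducing input cannot be triaged. Distinguishing the parser's own error type from everything else is what keeps the false positive rate low, since a deliberate rejection of bad input is not a defect.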

Compared with other techniques, fuzzing has the advantages of a simple idea that is easy to understand, vulnerabilities that are easy to find and reproduce, and practically no false positives, since an observed crash or other abnormality is real (although it still has to be triaged for exploitability). At the same time it inherits all the disadvantages of black-box analysis: test cases are specific to one target rather than general, and constructing them takes a long time.

Commonly used fuzzers include SPIKE Proxy, the Peach Fuzzer Framework, the HTTP Fuzzer in Acunetix Web Vulnerability Scanner, OWASP JBroFuzz, WebScarab, and others.

2.3. Patch comparison technology

Patch comparison is mainly used by attackers or competitors to find vulnerabilities that a software vendor has already fixed but not disclosed. Attackers often use it before writing an exploit for a patched vulnerability.

Security bulletins and patch release notes generally do not state the exact location and cause of a vulnerability, so it is hard to exploit it from the bulletin alone. An attacker can instead compare the binaries before and after the patch to locate the changed code, combine that with other vulnerability mining techniques to understand the details of the flaw, and finally produce code that exploits it.

Simple comparison methods include byte-level and string-level comparison of the binaries, and reverse engineering of the target program. The first is suited to patches that make only small changes and is commonly used for vulnerabilities fixed by changing a string or a boundary value. The second applies when the program can be disassembled or decompiled; a vulnerability fixed by changing a function's parameters can be found by decompilation. Neither method copes well with files that are modified extensively or frequently.

More sophisticated methods include the graph-based comparison using instruction similarity proposed by Todd Sabin and the structural binary comparison proposed by Halvar Flake. These can find changes that do not alter the structure of the file, such as a changed buffer size, and display them graphically.

Common patch comparison tools include Beyond Compare, IDACompare, the eEye Binary Diffing Suite (EBDS), BinDiff and NIPC Binary Differ (NBD). Several advanced text and hex editors, such as UltraEdit and HexEdit, offer similar features. These tools are based on string comparison or binary comparison techniques.

2.4. Static analysis techniques

Static analysis is the typical white-box technique: the source code of the target is analyzed without running it in order to find security vulnerabilities or latent risks. Its main methods are static string search and context search. The static analysis process mainly looks for incorrect function calls and incorrectly handled return states, in particular calls whose bounds are not checked or are checked incorrectly, functions that may cause buffer overflows, calls to external programs, shared-memory functions, and function pointers.

For open-source programs, security defects can be found by checking file structure, naming rules, functions and stack pointers against security rules. When no source code is available, the target is reverse-engineered to obtain code close to the original, which is then searched in the same way; this static method is called disassembly scanning. Because it works at the level of the underlying assembly language, in theory it can find any vulnerability the computer can execute, and for closed-source programs it is often the most effective way to find security vulnerabilities.

However, the method has significant limitations. The ever-growing feature database or dictionary produces a large result set and a high false positive rate. The method also concentrates on the "features" of the code rather than on what the program does; there is no analysis or checking of the program's functionality and structure.
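The following added example (not code from the original article) makes the difference between static string search and context search concrete. A bare dictionary search flags every call to a risky function in the constructed C fragment below and reports all six lines; the context pass looks at the arguments of each hit and ranks a copy from a string literal or a length tied to the destination's sizeof as low, which is the kind of pruning that keeps the result set and false positive rate manageable. The scanner is deliberately simple (one call per line, no string literals containing commas) and is not a substitute for a real static analyzer.

```python
import re

# Feature dictionary: the sinks the scanner searches for and why they are risky.
RISKY = {
    "gets": "reads without any bound",
    "strcpy": "copies without a bound",
    "strcat": "appends without a bound",
    "sprintf": "formats without a bound",
    "memcpy": "length supplied by the caller",
}
CALL = re.compile(r"\b(" + "|".join(RISKY) + r")\s*\((.*)\)\s*;")
COMMENT = re.compile(r"/\*.*?\*/")


def split_args(text: str) -> list:
    """Split a C argument list on top-level commas; nested calls such as
    sizeof(buf) stay intact (string literals with commas are not handled)."""
    args, depth, current = [], 0, ""
    for ch in text:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        if ch == "," and depth == 0:
            args.append(current.strip())
            current = ""
        else:
            current += ch
    if current.strip():
        args.append(current.strip())
    return args


def classify(func: str, args: list):
    """Context search: rank a dictionary hit by what its arguments look like."""
    if func == "gets":
        return "high", RISKY[func]
    if func in ("strcpy", "strcat"):
        src = args[1] if len(args) > 1 else ""
        if src.startswith('"'):
            return "low", "source is a string literal of fixed length"
        return "high", f"{RISKY[func]}; source {src!r} is not a constant"
    if func == "sprintf":
        fmt = args[1] if len(args) > 1 else ""
        if "%s" in fmt and any(not a.startswith('"') for a in args[2:]):
            return "high", "%s expands a non-literal argument into a fixed buffer"
        return "low", "no %s with non-literal data"
    if func == "memcpy":
        dst = args[0] if args else ""
        length = args[2] if len(args) > 2 else ""
        if length == f"sizeof({dst})":
            return "low", "length is bounded by the destination size"
        return "high", f"length {length!r} is not tied to the destination"
    return "medium", RISKY[func]


def scan(source: str, contextual: bool = True) -> list:
    """Return (line, function, severity, reason) for every risky call.
    contextual=False is the bare dictionary search; True adds the context pass."""
    findings = []
    for number, line in enumerate(source.splitlines(), 1):
        match = CALL.search(COMMENT.sub("", line))
        if not match:
            continue
        func, args = match.group(1), split_args(match.group(2))
        severity, reason = classify(func, args) if contextual else ("review", RISKY[func])
        findings.append((number, func, severity, reason))
    return findings


# Constructed C fragment used as the scanner's input.
SAMPLE_C = """\
#include <stdio.h>
#include <string.h>
#define MAX 32
void handle(const char *input) {
    char buf[MAX];
    char msg[64];
    strcpy(buf, "ready");               /* literal source, fixed length */
    strcpy(buf, input);                 /* attacker data, no bound      */
    sprintf(msg, "user=%s", input);     /* unbounded %s                 */
    memcpy(buf, input, sizeof(buf));    /* bounded by destination       */
    memcpy(buf, input, strlen(input));  /* bounded by source: overflow  */
    gets(buf);                          /* never safe                   */
}
"""

if __name__ == "__main__":
    print("dictionary search:", len(scan(SAMPLE_C, contextual=False)), "hits")
    for number, func, severity, reason in scan(SAMPLE_C):
        print(f"line {number:2d} {func:8s} {severity:6s} {reason}")
```

Note that even the context pass does not know whether `input` is attacker-controlled or how large `buf` really is; that is exactly the "no analysis of the program's functionality" limitation the text describes, and it is why the result set still has to be reviewed by hand.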

2.5. Dynamic analysis technology

Dynamic analysis grew out of software debugging and uses a debugger as its analysis tool. Unlike ordinary debugging, however, it usually deals with a program that has no source code, or whose source has been recovered by reverse engineering.

Dynamic analysis runs the target program in a debugger and finds vulnerabilities by observing its running state, memory usage and register values during execution. The general process divides into code-flow analysis and data-flow analysis. Code-flow analysis sets breakpoints to track the program's code path dynamically and catch calls to defective functions together with the parameters passed to them. Data-flow analysis triggers latent errors by feeding the program specially constructed data.

In particular, dynamic code replacement can be used during dynamic analysis to interfere with the running program, replacing function entry points and function parameters. This is equivalent to constructing semi-valid data and helps expose hidden defects in the system.
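The following is an added example, not code from the original article, that shows the three ideas above in miniature. A constructed target program copies an attacker-supplied name into a fixed buffer through a defective sink (a stand-in for an unchecked strcpy, which raises a simulated overflow instead of corrupting memory). `trace_calls` is the code-flow side: a breakpoint on entry to the watched function that records its parameters, implemented with the interpreter's trace hook where a real analysis would use a debugger. Feeding the benign and the oversized packet is the data-flow side. `run_with_replacement` is dynamic code replacement: the sink is swapped for a hook that inflates its parameter, so even a benign packet reaches the sink with semi-valid data.

```python
import sys

BUF_SIZE = 16  # size of the constructed program's fixed buffer


class SimulatedOverflow(RuntimeError):
    """Stands in for the memory corruption a real unchecked copy would cause."""


def copy_into_buffer(dst_size: int, src: bytes) -> bytes:
    """Constructed defective sink, the analogue of an unchecked strcpy."""
    if len(src) > dst_size:
        raise SimulatedOverflow(f"{len(src)} bytes into a {dst_size}-byte buffer")
    return src.ljust(dst_size, b"\x00")


_real_copy = copy_into_buffer  # kept so a hook can forward to the original


def parse_name(pkt: bytes) -> bytes:
    """Packet layout (constructed): 1-byte name length followed by the name."""
    return pkt[1:1 + pkt[0]]


def handle_packet(pkt: bytes) -> bytes:
    """The target program: trusts the attacker-controlled length byte."""
    return copy_into_buffer(BUF_SIZE, parse_name(pkt))


def trace_calls(target, watched, *args):
    """Code-flow analysis: a breakpoint on entry to every function named in
    `watched`, recording the arguments it was called with. Returns the list
    of (function, arguments) hits and the name of the exception raised, if any."""
    hits = []

    def tracer(frame, event, arg):
        if event == "call" and frame.f_code.co_name in watched:
            hits.append((frame.f_code.co_name, dict(frame.f_locals)))
        return None  # no line-by-line tracing needed

    outcome = None
    previous = sys.gettrace()
    sys.settrace(tracer)
    try:
        target(*args)
    except Exception as exc:
        outcome = type(exc).__name__
    finally:
        sys.settrace(previous)
    return hits, outcome


def run_with_replacement(name, replacement, target, *args):
    """Dynamic code replacement: swap the module-level function `name` for
    `replacement` while `target` runs, then restore it.
    Returns (result, exception name)."""
    original = globals()[name]
    globals()[name] = replacement
    try:
        return target(*args), None
    except Exception as exc:
        return None, type(exc).__name__
    finally:
        globals()[name] = original


def oversize_hook(dst_size: int, src: bytes) -> bytes:
    """Replacement for copy_into_buffer that inflates the source parameter,
    which has the same effect as feeding the program semi-valid data."""
    return _real_copy(dst_size, src * 8)


if __name__ == "__main__":
    # Data-flow analysis: a benign packet, then one with an inflated length byte.
    for pkt in (b"\x05alice", b"\x28" + b"A" * 40):
        hits, outcome = trace_calls(handle_packet, {"copy_into_buffer"}, pkt)
        for func, params in hits:
            print(f"{func}(dst_size={params['dst_size']}, "
                  f"len(src)={len(params['src'])}) -> {outcome}")
    # Code replacement: the benign packet now reaches the sink with 40 bytes.
    print(run_with_replacement("copy_into_buffer", oversize_hook,
                               handle_packet, b"\x05alice"))
```

The value of the breakpoint is visible in the second run: the recorded parameters (a 16-byte destination, a 40-byte source) are known before the fault occurs, which is what the analyst needs to turn a crash into an understanding of the defect.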

Common dynamic analysis tools include SoftICE, OllyDbg, WinDbg and others.

3. Typical applications of the techniques


3.1. The HTTP Fuzzer tool of Acunetix Web Vulnerability Scanner

Vulnerabilities can be searched for with the Acunetix Web Vulnerability Scanner, which provides a library of predefined fuzz parameters for beginners and analysts to use. The process is as follows:

1. Define the HTTP Request, that is, the URL of the web page to be accessed;

2. Define the operation parameters (Add Generator), that is, the string expressions that may reveal vulnerabilities, for example password, passwd or $token;

3. Insert into Request, that is, bind the defined operation parameters into positions in the request to form a search policy;

4. Define Fuzzer Filters, the rules applied to the responses to decide which results are reported as matches;

5. Start the scan;

6. Wait for the software to return the matching items, which are potential vulnerabilities.

After these steps, possible vulnerabilities in the web page have been identified.

3.2. Example of using patch comparison to find a vulnerability

On October 23, 2008, Microsoft released the patch for MS08-067, rated critical. The security update addressed a privately reported vulnerability in the Server service that could allow remote code execution if an affected system received a specially crafted RPC request.

The application of patch comparison in the vulnerability mining process is illustrated below.

Keep a copy of the original file, install the new patch, extract the patched file of the same name, and compare the two with comparison software.

After comparison, three modified functions were found.

The comparison tool lists the three function names together with their similarity before and after the patch: 0.25, 0.67 and 0.94. From these results, parameters can be constructed specifically for the changed functions and their behaviour before and after the patch observed. In the end, two of the three functions reported turned out to be directly related to the vulnerability.
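The following is an added example, not code from the original article or from any of the tools it names, and it serves both the discussion of simple versus structural comparison in 2.3 and the per-function similarity scores above. It works on a constructed pseudo-disassembly of a pre-patch and post-patch binary (illustrative only, not the real MS08-067 functions). Immediates and addresses are normalized away before comparing, so a function whose only difference is a relocated call target after relinking scores 1.0, while a byte-for-byte comparison of the same function would report it as changed; the function that gained a length check scores well below 1.0 and is reported first, which is the ranking an analyst uses to decide where to look.

```python
import difflib
import re

# Immediates and addresses are replaced with a placeholder so that a function
# that merely moved (new call targets or stack offsets after relinking) is not
# reported as changed. Byte-level comparison cannot make this distinction.
IMMEDIATE = re.compile(r"0x[0-9a-fA-F]+|\b\d+\b")


def normalize(instruction: str) -> str:
    mnemonic, _, operands = instruction.strip().partition(" ")
    return f"{mnemonic} {IMMEDIATE.sub('IMM', operands)}".strip()


def similarity(old_body: list, new_body: list) -> float:
    """Instruction-level similarity (0.0 .. 1.0) of two function bodies."""
    a = [normalize(i) for i in old_body]
    b = [normalize(i) for i in new_body]
    return round(difflib.SequenceMatcher(None, a, b, autojunk=False).ratio(), 2)


def raw_changed(old_body: list, new_body: list) -> bool:
    """What a byte-for-byte comparison would report."""
    return old_body != new_body


def diff_binaries(old_bin: dict, new_bin: dict, threshold: float = 0.99) -> list:
    """Return (function, similarity, status) for every function that was added,
    removed, or whose normalized body changed, least similar first."""
    report = []
    for name in sorted(set(old_bin) | set(new_bin)):
        if name not in old_bin or name not in new_bin:
            report.append((name, 0.0, "added" if name in new_bin else "removed"))
            continue
        score = similarity(old_bin[name], new_bin[name])
        if score < threshold:
            report.append((name, score, "changed"))
    return sorted(report, key=lambda r: r[1])


# Constructed pseudo-disassembly (function name -> instructions), pre-patch.
OLD_BIN = {
    "copy_path": [
        "push ebp", "mov ebp, esp", "sub esp, 0x104",
        "mov eax, [ebp+0x8]", "push eax", "lea ecx, [ebp-0x104]", "push ecx",
        "call 0x401200", "add esp, 0x8", "leave", "ret",
    ],
    "log_msg": [
        "push ebp", "mov ebp, esp", "push dword [ebp+0x8]",
        "call 0x401200", "add esp, 0x4", "pop ebp", "ret",
    ],
    "init": ["push ebp", "mov ebp, esp", "xor eax, eax", "pop ebp", "ret"],
}

# Post-patch: copy_path measures its input and bails out before the copy;
# log_msg only has a relocated call target; init is untouched.
NEW_BIN = {
    "copy_path": [
        "push ebp", "mov ebp, esp", "sub esp, 0x104",
        "mov eax, [ebp+0x8]", "push eax", "call 0x401300", "add esp, 0x4",
        "cmp eax, 0x103", "ja 0x4010a0",
        "mov eax, [ebp+0x8]", "push eax", "lea ecx, [ebp-0x104]", "push ecx",
        "call 0x401200", "add esp, 0x8", "leave", "ret",
    ],
    "log_msg": [
        "push ebp", "mov ebp, esp", "push dword [ebp+0x8]",
        "call 0x401210", "add esp, 0x4", "pop ebp", "ret",
    ],
    "init": ["push ebp", "mov ebp, esp", "xor eax, eax", "pop ebp", "ret"],
}

if __name__ == "__main__":
    for name, score, status in diff_binaries(OLD_BIN, NEW_BIN):
        print(f"{name:10s} {score:.2f} {status}")
    print("log_msg raw bytes differ:", raw_changed(OLD_BIN["log_msg"], NEW_BIN["log_msg"]),
          "normalized similarity:", similarity(OLD_BIN["log_msg"], NEW_BIN["log_msg"]))
```

Real tools such as BinDiff go further than a sequence ratio: they match functions across the two binaries by control-flow graph structure rather than by name, which matters because a stripped binary offers no names to pair on. The example keeps the pairing by name so that the scoring step stays visible.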

4. Conclusion

Vulnerability mining grew out of software testing theory and software development and debugging techniques, and it can greatly improve the security of software. Third-party organizations and enthusiasts in the network security field also use these techniques to find vulnerabilities in all kinds of software and disclose them promptly, contributing to the overall level of information security. Vulnerability mining is nonetheless a double-edged sword and has become a mainstream technique for attackers breaking software. Its prospects are broad: as information security receives more attention and software development technology advances, new analysis methods will continue to appear.