NETINFO SECURITY (信息网络安全)
2013, Issue 12, pp. 16-19 (4 pages)
Keywords: vulnerability detection; dynamic taint analysis; ActiveX controls
Because they are cross-platform and easy to use, ActiveX controls are widely embedded in other applications, such as large statistical software packages and online banking security controls, so their security problems deserve increasing attention. Fuzzing is currently the primary method of vulnerability detection for ActiveX controls, but its limitations can cause false negatives. CMPTracer, an ActiveX vulnerability detection tool based on Dynamic Taint Analysis (DTA), analyzes how controllable data is processed inside an ActiveX control and feeds back the instructions that perform validity checks within the program; this feedback then guides modification of the test data so that the deep processing logic of the control can be tested. Comparative experiments show that CMPTracer can reduce the false negative rate in the vulnerability detection process and is able to detect vulnerabilities that ordinary fuzzing tools miss.