Netinfo Security (信息网络安全)
2014, No. 7, pp. 20-29 (10 pages)
Authors: 李孟哲 (Li Mengzhe), 武学礼 (Wu Xueli), 张涛 (Zhang Tao), 伟平 (Weiping)
Keywords: Windows subsystem; CSRSS; Windows kernel; vulnerability analysis
Abstract: As the Windows operating system has matured, the combination of several memory-protection technologies has made traditional buffer-overflow attacks increasingly difficult. In this situation, kernel vulnerabilities often serve as the entry point for breaching the security perimeter: once such a flaw is exploited by a virus or Trojan, every defence of the installed security software collapses, which is a heavy blow to system security. Since the development of Windows NT, the operating system has been designed to support multiple subsystems, including POSIX, OS/2 and the Windows subsystem (also known as the Client/Server Runtime Subsystem, CSRSS). This paper opens a series of studies on CSRSS and describes its internal mechanisms. Although a few articles have touched on the topic, no in-depth case study has been available until now. The paper details CSRSS and its communication mechanism, as well as the recent changes to CSRSS found in modern versions of the operating system. In addition, from a security standpoint, it classifies Windows kernel vulnerabilities and proposes a workflow for vulnerability research. Following this workflow, it examines a privilege-escalation vulnerability and a denial-of-service vulnerability in the CSRSS process. Through analysis of CVE-2011-1281, the paper shows that use-after-free vulnerabilities are not confined to browsers but can equally occur in system software.
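As an added illustration (not code from the paper, and not the CVE-2011-1281 case itself), the following C program shows the stale-handle pattern behind many server-side use-after-free bugs of the kind the abstract refers to: a subsystem server keeps per-client objects in a table addressed by handles; the vulnerable lookup trusts the handle as a bare index, so a handle the client has already closed resolves to whatever object later reuses the slot, while the hardened lookup carries a generation counter that invalidates every outstanding copy of the handle on close. The table size, handle layout and object names are assumptions made for this demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed illustration: a server-side object table indexed by client
 * handles, in the style of a subsystem server handling client requests.
 * Not the paper's code and not the CVE-2011-1281 bug itself. */

#define TABLE_SIZE 4

typedef struct {
    char name[16];
    int  type;   /* 1 = window, 2 = console (arbitrary tags for the demo) */
} object_t;

typedef struct {
    object_t *obj;          /* NULL when the slot is free */
    uint16_t  generation;   /* 0 = never used; bumped on every close */
} slot_t;

static slot_t table[TABLE_SIZE];

/* Handle layout (assumed): slot index in the high 16 bits, generation low. */
static uint32_t make_handle(uint16_t idx, uint16_t gen) {
    return ((uint32_t)idx << 16) | gen;
}

/* Allocate an object in the first free slot; returns 0 when the table is full.
 * Generations start at 1 so that the value 0 is never a valid handle. */
uint32_t obj_open(const char *name, int type) {
    for (uint16_t i = 0; i < TABLE_SIZE; i++) {
        if (table[i].obj == NULL) {
            object_t *o = calloc(1, sizeof *o);
            if (!o) return 0;
            strncpy(o->name, name, sizeof o->name - 1);
            o->type = type;
            if (table[i].generation == 0) table[i].generation = 1;
            table[i].obj = o;
            return make_handle(i, table[i].generation);
        }
    }
    return 0;
}

/* Vulnerable pattern: the handle is trusted as a bare index. After the client
 * closes the object and the slot is reused, a stale handle resolves to
 * whatever object now lives there (use-after-close / object confusion). */
object_t *lookup_vulnerable(uint32_t h) {
    uint16_t idx = (uint16_t)(h >> 16);
    if (idx >= TABLE_SIZE) return NULL;
    return table[idx].obj;
}

/* Hardened pattern: the generation embedded in the handle must match the
 * slot's current generation, so any handle issued before a close is rejected. */
object_t *lookup_safe(uint32_t h) {
    uint16_t idx = (uint16_t)(h >> 16);
    uint16_t gen = (uint16_t)(h & 0xFFFF);
    if (idx >= TABLE_SIZE) return NULL;
    if (table[idx].obj == NULL || table[idx].generation != gen) return NULL;
    return table[idx].obj;
}

/* Close via the safe lookup; clears the pointer and bumps the generation. */
int obj_close(uint32_t h) {
    object_t *o = lookup_safe(h);
    if (!o) return -1;
    uint16_t idx = (uint16_t)(h >> 16);
    free(o);
    table[idx].obj = NULL;      /* never leave a dangling pointer in the table */
    table[idx].generation++;    /* invalidates every outstanding copy of h */
    return 0;
}

/* Scenario: returns 1 when the vulnerable lookup resolves a closed handle to
 * a different, newer object while the safe lookup correctly rejects it. */
int demo_stale_handle(void) {
    uint32_t h_old = obj_open("win-A", 1);   /* constructed sample object */
    obj_close(h_old);                        /* client frees its window... */
    uint32_t h_new = obj_open("con-B", 2);   /* ...slot is reused by a console */
    object_t *wrong    = lookup_vulnerable(h_old);
    object_t *rejected = lookup_safe(h_old);
    int confused = (wrong != NULL && wrong == lookup_safe(h_new) && wrong->type == 2);
    obj_close(h_new);
    return confused && rejected == NULL;
}

int main(void) {
    printf("stale handle confused the vulnerable lookup: %s\n",
           demo_stale_handle() ? "yes" : "no");
    return 0;
}
```

The demo deliberately avoids dereferencing freed memory: the slot is reused by a live object, so the wrong answer is deterministic and observable rather than undefined behaviour. In a real subsystem server the same root cause (a client-controlled handle outliving the object it named) is what turns a harmless close into a use-after-free or type confusion, and the generation check is the cheap mitigation.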