firmianay 2018-06-17 17:46:53 +08:00
parent a18cdcf1bf
commit 4aa53ac3bf
48 changed files with 182 additions and 5 deletions


@ -223,7 +223,7 @@ GitHub 地址https://github.com/firmianay/CTF-All-In-One
* [8.25 (State of) The Art of War: Offensive Techniques in Binary Analysis](doc/8.25_angr.md)
* [8.26 Driller: Augmenting Fuzzing Through Selective Symbolic Execution](doc/8.26_driller.md)
* [8.27 Firmalice - Automatic Detection of Authentication Bypass Vulnerabilities in Binary Firmware](doc/8.27_firmalice.md)
* [8.28 Cross-Architecture Bug Search in Binary Executables](doc/8.28_cross_arch_bug_search.md)
* [8.28 Cross-Architecture Bug Search in Binary Executables](doc/8.28_cross_arch_bug.md)
* [8.29 Dynamic Hooks: Hiding Control Flow Changes within Non-Control Data](doc/8.29_dynamic_hooks.md)
* [8.30 Preventing brute force attacks against stack canary protection on networking servers](doc/8.30_prevent_brute_force_canary.md)
* [8.31 WYSINWYX What You See Is Not What You eXecute](doc/8.31_wysinwyx.md)
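Review bot: the 8.28 link target changes from `8.28_cross_arch_bug_search.md` to `8.28_cross_arch_bug.md`, which drops the "search" part of the paper title even though the other entries keep a recognisable title fragment in the filename (compare `8.30_prevent_brute_force_canary.md`, `8.44_multiverse.md`); if the shorter name is deliberate, fine, otherwise create the new file under the original name and avoid the rename altogether. The companion hunks in this commit do update `doc/8_academic.md` and delete the old file, so the two indexes stay consistent.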
@ -239,6 +239,7 @@ GitHub 地址https://github.com/firmianay/CTF-All-In-One
* [8.41 IntPatch: Automatically Fix Integer-Overflow-to-Buffer-Overflow Vulnerability at Compile-Time](doc/8.41_intpatch.md)
* [8.42 Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software](doc/8.42_taintcheck.md)
* [8.43 DTA++: Dynamic Taint Analysis with Targeted Control-Flow Propagation](doc/8.43_dta++.md)
* [8.44 Superset Disassembly: Statically Rewriting x86 Binaries Without Heuristics](doc/8.44_multiverse.md)
* [九、附录](doc/9_appendix.md)
* [9.1 更多 Linux 工具](doc/9.1_Linuxtools.md)
* [9.2 更多 Windows 工具](doc/9.2_wintools.md)


@ -8,7 +8,7 @@
- [求解器引擎](#求解器引擎)
- [程序状态](#程序状态)
- [模拟管理器](#模拟管理器)
- [VEX IR 翻译器](#vex-ir-翻译)
- [VEX IR 翻译器](#vex-ir-翻译)
- [扩展工具](#扩展工具)
- [CTF 实例](#ctf-实例)
- [参考资料](#参考资料)
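Review bot: the before and after lines for the VEX IR entry render identically here (`- [VEX IR 翻译器](#vex-ir-翻译)`), so whatever changed is invisible, most likely trailing whitespace; more importantly, the anchor `#vex-ir-翻译` only resolves if the section heading in the body is literally `VEX IR 翻译`, while the link text says `VEX IR 翻译器`. Check the actual heading and make the anchor match it (GitHub-style anchors are the lower-cased heading text with spaces replaced by hyphens), otherwise this table-of-contents link is dead.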
@ -783,7 +783,7 @@ t1
'Ijk_Ret'
```
到这里 angr 的核心概念就介绍得差不多了,更多更详细的内容还是推荐查看官方教程和 API 文档。
到这里 angr 的核心概念就介绍得差不多了,更多更详细的内容还是推荐查看官方教程和 API 文档。另外在我的博客里有 angr 源码分析的笔记。
## 扩展工具
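Review bot: the added sentence `另外在我的博客里有 angr 源码分析的笔记。` points the reader to the author's blog without giving a URL, so the reference is not actionable; add a Markdown link to the specific post, or drop the sentence.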


@ -1,6 +1,8 @@
# 8.10 AEG: Automatic Exploit Generation
论文http://security.ece.cmu.edu/aeg/aeg-current.pdf
## 简介
- 这篇论文向我们展示了如何将控制流劫持攻击的漏洞利用生成模型化为一个形式化验证问题。
- 提出了预处理符号执行,这是一种新的符号执行技术。
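Review bot: the paper reference is written as `论文http://security.ece.cmu.edu/aeg/aeg-current.pdf` with nothing between the label and the URL, and the same pattern appears in every file this commit touches. As rendered here the URL will not be auto-linked, because GitHub's autolink literals only trigger when the address follows whitespace, a line start or one of `*`, `_`, `~`, `(`; write `论文：<URL>` or an explicit `[link](URL)`. If the source already has a separator that was lost in rendering, ignore this.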


@ -1 +1,6 @@
# 8.11 Address Space Layout Permutation (ASLP): Towards Fine-Grained Randomization of Commodity Software
论文https://www.acsac.org/2006/papers/44.pdf
## 简介
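Review bot: the new `## 简介` heading has no body, so the page now shows an empty section directly under the paper link; the same applies to every other file in this commit that gains only a heading (8.12, 8.14, 8.21 to 8.24, 8.29 to 8.43, 8.5, 8.6 to 8.8). Either add at least a one-line summary per paper, as 8.25 to 8.27 already have, or leave the heading out until there is content, since an empty section reads as broken rather than pending.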


@ -1 +1,6 @@
# 8.12 ASLR on the Line: Practical Cache Attacks on the MMU
论文https://www.cs.vu.nl/~giuffrida/papers/anc-ndss-2017.pdf
## 简介


@ -1,6 +1,8 @@
# 8.13 New Frontiers of Reverse Engineering
论文http://reversingproject.info/project_repository/reversing_references/pdf/new_frontiers_of_reverse_engineering.pdf
## What is your take-away message from this paper?
This paper briefly presents an overview of the field of reverse engineering, reviews main achievements and areas of application, and highlights key open research issues for the future.
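Review bot: this file, and 8.15 through 8.20, keep the English heading `## What is your take-away message from this paper?` while every other entry in this commit uses `## 简介`; if the intent of the commit is to normalise the chapter on `## 简介`, convert these headings too so the index reads consistently, and translate or keep the English summaries underneath as a deliberate choice rather than a leftover.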


@ -1 +1,6 @@
# 8.14 Who Allocated My Memory? Detecting Custom Memory Allocators in C Binaries
论文https://www.cs.vu.nl/~herbertb/papers/membrush_wcre13.pdf
## 简介


@ -1,6 +1,8 @@
# 8.15 EMULATOR vs REAL PHONE: Android Malware Detection Using Machine Learning
论文https://pure.qub.ac.uk/portal/files/127232616/IWSPA_codaspy_2017.pdf
## What is your take-away message from this paper?
The authors present an investigation of machine learning based malware detection using dynamic analysis on real devices.


@ -1,6 +1,8 @@
# 8.16 DynaLog: An automated dynamic analysis framework for characterizing Android applications
论文https://pure.qub.ac.uk/portal/files/93998809/DynaLog_2016.pdf
## What is your take-away message from this paper?
The authors presented DynaLog, a framework that enable automated mass dynamic analysis of applications in order to characterize them for analysis and potential detection of malicious behaviour.
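Review bot: the unchanged summary line has a grammar slip, `a framework that enable automated mass dynamic analysis` should read `a framework that enables automated mass dynamic analysis`; since this file is being touched anyway, fix it in the same commit.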


@ -1,6 +1,8 @@
# 8.17 A Static Android Malware Detection Based on Actual Used Permissions Combination and API Calls
论文http://waset.org/publications/10005499
## What is your take-away message from this paper?
The paper put forward a machine learning detection method that based on the actually used Permissions Combination and API calls.
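Review bot: the summary line reads `The paper put forward a machine learning detection method that based on the actually used Permissions Combination and API calls`; it should be `The paper puts forward a machine learning detection method that is based on the actually used permission combinations and API calls`. Worth fixing while the file is open.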


@ -1,6 +1,8 @@
# 8.18 MaMaDroid: Detecting Android malware by building Markov chains of behavioral models
论文http://discovery.ucl.ac.uk/1532047/1/Stringhini_mamadroid.pdf
## What is your take-away message from this paper?
This paper presented an Android malware detection system based on modeling the sequences of API calls as Markov chains.


@ -1,6 +1,8 @@
# 8.19 DroidNative: Semantic-Based Detection of Android Native Code Malware
论文http://pages.cs.wisc.edu/~vrastogi/static/papers/aqrcr17.pdf
## What is your take-away message from this paper?
The paper proposed DroidNative for detection of both bytecode and native code Android malware variants.


@ -1,6 +1,8 @@
# 8.1 The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86)
论文https://hovav.net/ucsd/dist/geometry.pdf
## 简介
论文提出了一种 return-into-libc 的攻击方法以对抗针对传统代码注入攻击的防御技术W⊕X。它不会调用到完整的函数而是通过将一些被称作 gadgets 的指令片段组合在一起形成指令序列以达到任意代码执行的效果。这一技术为返回导向编程Return-Oriented Programming奠定了基础。


@ -1,6 +1,8 @@
# 8.20 DroidAnalytics: A Signature Based Analytic System to Collect, Extract, Analyze and Associate Android Malware
论文https://www.cse.cuhk.edu.hk/~cslui/PUBLICATION/TRUST13DROIDANALYTICS.pdf
## What is your take-away message from this paper?
The authors present DroidAnalytics, an Android malware analytic system for malware collection, signature generation, information retrieval, and malware association based on similarity score. Furthermore, DroidAnalytics can efficiently detect zero-day repackaged malware.


@ -1 +1,6 @@
# 8.21 Micro-Virtualization Memory Tracing to Detect and Prevent Spraying Attacks
论文https://www.usenix.org/system/files/conference/usenixsecurity16/sec16_paper_cristalli.pdf
## 简介


@ -1 +1,6 @@
# 8.22 Practical Memory Checking With Dr. Memory
论文http://groups.csail.mit.edu/commit/papers/2011/bruening-cgo11-drmemory.pdf
## 简介


@ -1 +1,6 @@
# 8.23 Evaluating the Effectiveness of Current Anti-ROP Defenses
论文https://www.syssec.rub.de/media/emma/veroeffentlichungen/2014/05/09/TR-HGI-2014-001_1_1.pdf
## 简介


@ -1 +1,6 @@
# 8.24 How to Make ASLR Win the Clone Wars: Runtime Re-Randomization
论文https://www.cs.umd.edu/class/fall2017/cmsc818O/papers/aslr-clone-wars.pdf
## 简介


@ -1,5 +1,8 @@
# 8.25 (State of) The Art of War: Offensive Techniques in Binary Analysis
论文https://www.cs.ucsb.edu/~vigna/publications/2016_SP_angrSoK.pdf
## 简介
这篇文章提出了一个二进制分析框架,并实现了许多现有的分析技术。通过将这些技术系统化地实现,可以让其他研究人员直接利用并开发新的技术。此外,在统一框架中实现这些技术可以更直接地进行比较,并确定各自的优缺点。


@ -1,6 +1,8 @@
# 8.26 Driller: Augmenting Fuzzing Through Selective Symbolic Execution
论文http://cs.ucsb.edu/~chris/research/doc/ndss16_driller.pdf
## 简介
这篇文章提出了 Driller这是一种混合漏洞挖掘工具它以互补的方式将模糊测试和选择性混合执行结合起来以发现隐藏更深的漏洞。模糊测试用于探索程序空间的不同区间并使用混合执行来生成满足不同区间的输入。


@ -1,6 +1,8 @@
# 8.27 Firmalice - Automatic Detection of Authentication Bypass Vulnerabilities in Binary Firmware
论文https://seclab.cs.ucsb.edu/media/uploads/papers/firmalice.pdf
## 简介
这篇文章提出了 Firmalice一种二进制分析框架以支持对嵌入式设备上所运行的固件进行分析。Firmalice 构建在符号执行引擎之上并且提供了程序切片之类的技术来提高其可扩展性。此外Firmalice 构建了一种新型的认证旁路漏洞模型,基于攻击者的能力来确定执行特权操作所需要的输入。


@ -0,0 +1,10 @@
# 8.28 Cross-Architecture Bug Search in Binary Executables
论文https://christian-rossow.de/publications/crossarch-ieee2015.pdf
## 简介
## 方法
## 实现
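Review bot: the new file introduces three empty headings (`## 简介`, `## 方法`, `## 实现`), and the hunk header `@ -0,0 +1,10` indicates the remaining five added lines are blank; the `方法`/`实现` split also appears in no other entry of chapter 8. Add the content, or keep only `## 简介` like the sibling files until a method and implementation write-up exists.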


@ -1 +0,0 @@
# 8.28 Cross-Architecture Bug Search in Binary Executables


@ -1 +1,6 @@
# 8.29 Dynamic Hooks: Hiding Control Flow Changes within Non-Control Data
论文https://www.usenix.org/system/files/conference/usenixsecurity14/sec14-paper-vogl.pdf
## 简介


@ -1,6 +1,8 @@
# 8.2 Return-Oriented Programming without Returns
论文https://www2.cs.uic.edu/~s/papers/noret_ccs2010/noret_ccs2010.pdf
## 简介
论文提出了一种不依赖于使用 return 指令的 ROP 技术。这种攻击方法是在 libc 中找到一些特定的指令序列,来替代 return 指令,完成和 return 同样的工作。这些指令具备图灵完备性,已经在 (x86)Linux 和 (ARM)Android 中被证实。


@ -1 +1,6 @@
# 8.30 Preventing brute force attacks against stack canary protection on networking servers
论文http://hmarco.org/data/Preventing_brute_force_attacks_against_stack_canary_protection_on_networking_servers.pdf
## 简介


@ -1 +1,6 @@
# 8.31 WYSINWYX What You See Is Not What You eXecute
论文http://research.cs.wisc.edu/wpis/papers/wysinwyx.final.pdf
## 简介


@ -1 +1,6 @@
# 8.32 Unleashing MAYHEM on Binary Code
论文http://www.cse.psu.edu/~trj1/cse597-s13/docs/binary_mayhem_oakland_12.pdf
## 简介


@ -1 +1,6 @@
# 8.33 Under-Constrained Symbolic Execution: Correctness Checking for Real Code
论文https://cseweb.ucsd.edu/~dstefan/cse291-winter18/papers/ucklee.pdf
## 简介


@ -1 +1,6 @@
# 8.34 Enhancing Symbolic Execution with Veritesting
论文https://users.ece.cmu.edu/~aavgerin/papers/veritesting-icse-2014.pdf
## 简介


@ -1 +1,6 @@
# 8.35 Q: Exploit Hardening Made Easy
论文http://static.usenix.org/legacy/events/sec11/tech/full_papers/Schwartz.pdf
## 简介


@ -1 +1,6 @@
# 8.36 A Survey of Symbolic Execution Techniques
论文http://season-lab.github.io/papers/survey-symbolic-execution-preprint-CSUR18.pdf
## 简介


@ -1 +1,6 @@
# 8.37 CUTE: A Concolic Unit Testing Engine for C
论文http://mir.cs.illinois.edu/marinov/publications/SenETAL05CUTE.pdf
## 简介


@ -1 +1,6 @@
# 8.38 TaintEraser: Protecting Sensitive Data Leaks Using Application-Level Taint Tracking
论文http://people.eecs.berkeley.edu/~dawnsong/papers/2011%20tainteraser%20p142-zhu.pdf
## 简介


@ -1 +1,6 @@
# 8.39 DART: Directed Automated Random Testing
论文https://web.eecs.umich.edu/~weimerw/2011-6610/reading/p213-godefroid.pdf
## 简介


@ -1,6 +1,8 @@
# 8.3 Return-Oriented Rootkits: Bypassing Kernel Code Integrity Protection Mechanisms
论文https://www.usenix.org/legacy/event/sec09/tech/full_papers/hund.pdf
## 简介
本论文设计并实现了一个能够自动化构建 ROP 指令序列的攻击系统。由于系统使用的指令序列来自内核已有的代码,而不需要进行代码注入,所以能够绕过内核代码完整性保护机制。


@ -1 +1,6 @@
# 8.40 EXE: Automatically Generating Inputs of Death
论文https://web.stanford.edu/~engler/exe-ccs-06.pdf
## 简介


@ -1 +1,6 @@
# 8.41 IntPatch: Automatically Fix Integer-Overflow-to-Buffer-Overflow Vulnerability at Compile-Time
论文https://llvm.org/pubs/2010-09-ESORICS-FixOverflows.pdf
## 简介


@ -1 +1,6 @@
# 8.42 Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software
论文http://valgrind.org/docs/newsome2005.pdf
## 简介


@ -1 +1,6 @@
# 8.43 DTA++: Dynamic Taint Analysis with Targeted Control-Flow Propagation
论文http://bitblaze.cs.berkeley.edu/papers/dta%2B%2B-ndss11.pdf
## 简介

doc/8.44_multiverse.md Normal file

@ -0,0 +1,6 @@
# 8.44 Superset Disassembly: Statically Rewriting x86 Binaries Without Heuristics
http://wp.internetsociety.org/ndss/wp-content/uploads/sites/25/2018/02/ndss2018_05A-4_Bauman_paper.pdf
## 简介
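Review bot: the URL line in this new file lacks the `论文` label that every other entry in the chapter uses, so `8.44_multiverse.md` is inconsistent with its siblings; prefix it the same way (with a separator so the link renders). The hunk header `@ -0,0 +1,6` also indicates three of the six added lines are blank, and the `## 简介` section is empty like the other stubs in this commit.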


@ -1,6 +1,8 @@
# 8.4 ROPdefender: A Detection Tool to Defend Against Return-Oriented Programming Attacks
论文https://www.ei.ruhr-uni-bochum.de/media/trust/veroeffentlichungen/2010/12/14/HGI-TR-2010-001.pdf
## 简介
论文设计并实现了工具 ROPdefender可以动态地检测传统的 ROP 攻击基于return指令。ROPdefender 可以由用户来执行,而不依赖于源码、调试信息等在现实中很难获得的信息。


@ -1,4 +1,6 @@
# 8.5 Data-Oriented Programming: On the Expressiveness of Non-Control Data Attacks
论文https://www.comp.nus.edu.sg/~shweta24/publications/dop_oakland16.pdf
## 简介


@ -1 +1,6 @@
# 8.6 Hacking Blind
论文http://www.scs.stanford.edu/~sorbo/brop/bittau-brop.pdf
## 简介


@ -1 +1,6 @@
# 8.7 What Cannot Be Read, Cannot Be Leveraged? Revisiting Assumptions of JIT-ROP Defenses
论文https://www.usenix.org/system/files/conference/usenixsecurity16/sec16_paper_maisuradze.pdf
## 简介


@ -1 +1,6 @@
# 8.8 All You Ever Wanted to Know About Dynamic Taint Analysis and Forward Symbolic Execution (but might have been afraid to ask)
论文https://users.ece.cmu.edu/~aavgerin/papers/Oakland10.pdf
## 简介


@ -1,6 +1,8 @@
# 8.9 Symbolic Execution for Software Testing: Three Decades Later
论文https://people.eecs.berkeley.edu/~ksen/papers/cacm13.pdf
## 简介
近几年符号执行因其在生成高覆盖率的测试用例和发现复杂软件漏洞的有效性再次受人关注。这篇文章对现代符号执行技术进行了概述,讨论了这些技术在路径探索,约束求解和内存建模方面面临的主要挑战,并讨论了几个主要从作者自己的工作中获得的解决方案。


@ -30,7 +30,7 @@
* [8.25 (State of) The Art of War: Offensive Techniques in Binary Analysis](8.25_angr.md)
* [8.26 Driller: Augmenting Fuzzing Through Selective Symbolic Execution](8.26_driller.md)
* [8.27 Firmalice - Automatic Detection of Authentication Bypass Vulnerabilities in Binary Firmware](8.27_firmalice.md)
* [8.28 Cross-Architecture Bug Search in Binary Executables](8.28_cross_arch_bug_search.md)
* [8.28 Cross-Architecture Bug Search in Binary Executables](8.28_cross_arch_bug.md)
* [8.29 Dynamic Hooks: Hiding Control Flow Changes within Non-Control Data](8.29_dynamic_hooks.md)
* [8.30 Preventing brute force attacks against stack canary protection on networking servers](8.30_prevent_brute_force_canary.md)
* [8.31 WYSINWYX What You See Is Not What You eXecute](8.31_wysinwyx.md)
@ -46,3 +46,4 @@
* [8.41 IntPatch: Automatically Fix Integer-Overflow-to-Buffer-Overflow Vulnerability at Compile-Time](8.41_intpatch.md)
* [8.42 Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software](8.42_taintcheck.md)
* [8.43 DTA++: Dynamic Taint Analysis with Targeted Control-Flow Propagation](8.43_dta++.md)
* [8.44 Superset Disassembly: Statically Rewriting x86 Binaries Without Heuristics](8.44_multiverse.md)