面向资源泄漏的浏览器沙箱测试方法

doi:10.3969/j.issn.0372-2112.2017.07.031

电子学报 ›› 2017, Vol. 45 ›› Issue (7): 1775-1783.DOI: 10.3969/j.issn.0372-2112.2017.07.031

面向资源泄漏的浏览器沙箱测试方法

赵旭^1,2, 颜学雄¹, 王清贤¹, 魏强¹, 李继中³

1. 解放军信息工程大学网络空间安全学院, 河南郑州 450001;
2. 63892 部队, 河南洛阳 471003;
3. 郑州战略投送基地, 河南郑州 450002

收稿日期:2016-01-27 修回日期:2016-06-12 出版日期:2017-07-25
- 作者简介:
- 赵旭,男,1986年1月出生,河南三门峡人.2016年在解放军信息工程大学网络空间安全学院获博士学位,研究方向为网络安全、二进制程序分析、漏洞挖掘等.E-mail:zhx0117@sina.cn;颜学雄,男,1975年12月出生,湖南耒阳人.2008年在解放军信息工程大学信息工程学院获博士学位,现为解放军信息工程大学网络空间安全学院副教授,研究方向为网络信息安全、Web应用系统漏洞分析等.E-mail:yanxuexiong@sina.com
- 基金资助:
- 国家863高技术研究发展计划 (No.2012AA012902）

A Resource-Leakage Oriented Browser Sandbox Testing Method

ZHAO Xu^1,2, YAN Xue-xiong¹, WANG Qing-xian¹, WEI Qiang¹, LI Ji-zhong³

1. College of Cyberspace Security PLA Information Engineering University, Zhengzhou, Henan 450002, China;
2. 63892 Unit, Luoyang, Henan 471003, China;
3. Strategic Delivery Base, Zhengzhou, Henan 450002, China

Received:2016-01-27 Revised:2016-06-12 Online:2017-07-25 Published:2017-07-25
- Supported by:
- National High-tech R&D Program of China (863 Program) (No.2012AA012902)

摘要/Abstract

摘要：

资源泄漏是导致浏览器沙箱逃逸的重要缺陷之一，已有浏览器沙箱测试方法不完全适用于发现资源泄漏缺陷.基于大多数导致沙箱逃逸的资源具有相同或相似属性取值的分析，本文提出了一种面向资源泄漏的浏览器沙箱测试方法.该方法首先分析并约简敏感资源的属性来生成资源筛选规则；其次，定义资源与资源筛选规则前件的最大加权语义相似度为逃逸指数，并使用逃逸指数阈值来筛选测试资源；再次，设计并实现了原型系统BSTS（Browser Sandbox Testing System），并在BSTS内分析了方法的性能.进一步，选择多个主流浏览器沙箱来测试本文方法的资源泄漏发现能力，实验结果显示本文方法具有良好的资源泄漏发现能力.

关键词: 浏览器沙箱, 资源泄漏, 粗糙集理论, 语义匹配

Abstract:

Resource leakage is one of the important defects of sandbox escape.The existing browser sandbox testing methods are insufficient to discovery leak resources.Based on most leaking resources have same or similar attribute values,this paper designed a resource-leakage oriented browser testing method.The method firstly analyzes resources attributes and create resource selecting rules,secondly,Calculates the escape index of every resource of system and use threshold to select testing resources; thirdly,Design and Implement a prototype system-Browser Sandbox Testing System(BSTS) and analysis the capability of our method,then we select and test some browser sandboxes,in the end,We found an undisclosed resource leakage vulnerability.

Key words: browser sandbox, resource leakage, rough set theory, semantic match

中图分类号:

TP311.1

赵旭, 颜学雄, 王清贤, 等. 面向资源泄漏的浏览器沙箱测试方法[J]. 电子学报, 2017, 45(7): 1775-1783.

ZHAO Xu, YAN Xue-xiong, WANG Qing-xian, et al. A Resource-Leakage Oriented Browser Sandbox Testing Method[J]. Acta Electronica Sinica, 2017, 45(7): 1775-1783.

参考文献

[1] VREUGDENHIL P.Adobe Sandbox When The Broker is Broken[OL].https://cansecwest.com/csw13archive.html,2016-01-27.
[2] NIST.CVE-2011-1353[OL].https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1353,2016-01-03.
[3] YASON M V.Diving into IE 10's Enhanced Protected Mode Sandbox[OL].https://www.blackhat.com/html/bh-media-archives/bh-archives-2013.html,2016-01-07.
[4] NIST.CVE-2013-3186[OL].https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3186,2015-01-22.
[5] NIST.CVE-2013-4015[OL].https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4015,2016-01-03.
[6] KEETCH T.Escaping from Protected Mode Internet Explorer[OL].http://archive.hack.lu/2010/Keetch-Escaping-from-Protected-Mode-Internet-Explorer-slides.ppt,2015-12-13.
[7] YASON M V.Understanding the Attack Surface and Attack Resilience of Project Spartans New EdgeHtml Rendering Engine[OL].https://www.blackhat.com/html/bh-media-archives/bh-archives-2015.html,2015-03-05.
[8] FORSHAW J.Digging for Sandbox Escapes Finding sandbox breakouts in Internet Explorer[OL].https://www.blackhat.com/html/bh-media-archives/bh-archives-2014.html,2015-12-15.
[9] FORSHAW J.The Windows Sandbox Paradox[OL].http://nullcon.net/website/archives/ppt/goa-15/the-windows-sandbox-paradox.pdf,2015-12-11.
[10] LI Xiao-ning,LI Hai-fei.Smart COM Fuzzing-Auditing IE Sandbox Bypass in COM Objects[OL].https://cansecwest.com/slides/2015/Smart_COM_Fuzzing_Auditing_IE_Sandbox_Bypass_in_COM_Objects-Xiaoning_li.pdf,2015-11-13.
[11] LIU Zhen-hua,LOVET G.Breeding Sandworms:How to fuzz your way out of Adobe Reader's Sandbox[OL].http://media.blackhat.com/bh-eu-12/Liu_Lovet/bh-eu-12-Liu_Lovet-Sandworms-WP.pdf,2016-01-05.
[12] CUI Bao-jiang,JI Yu-peng,WANG Jian-xin.An instruction-level symbolic checksum system for Windows X86 program[J].Chinese Journal of Electronics,2012,21(1):22-26.
[13] CUI Bao-jiang,LIANG Xiao-bing,ZHAO Bing,et al.Detecting integer overflow vulnerabilities in binary executables based on target filtering and dynamic taint tracing[J].Chinese Journal of Electronics,2014,23(2):348-352.
[14] 王颖,谷利泽,杨义先,等.EWFT:基于程序执行过程的白盒测试工具[J].电子学报,2014,42(10):2016-2023.DOI:10.3969/j.issn.0372-2112.2014.10.023. WANG Ying,GU Li-ze,YANG Yi-xian,et al.EWFT:execution-based whitebox fuzzing for executables[J].Acta Electronica Sinia,2014,42(10):2016-2023.DOI:10.3969/j.issn.0372-2112.2014.10.023.(in Chinese)
[15] 欧阳永基,魏强,王清贤,等.基于异常分布导向的智能Fuzzing方法[J].电子与信息学报,2015,37(1):143-149.DOI:10.11999/JEIT140262. OUYANG Y J,WEI Q,WANG Q X,et al.Intelligent fuzzing based on exception distribution steering[J].Journal of Electronics& Information Technology,2015,37(1):143-149.DOI:10.11999/JEIT140262.(in Chinese)
[16] MA Yong-bin.Ontology of Operating System[OL].http://medianet.kent.edu/techreports/TR2006-09-01-OSontology/index.html,2015-04-08.
[17] ONKI.Operating system Ontology[OL].https://onki.fi/en/browser/overview/operating-system,2015-03-09.
[18] 张文修,吴伟志,梁吉业,等.粗糙集理论与方法[M].北京:科学出版社,2001:19-32.

面向资源泄漏的浏览器沙箱测试方法

A Resource-Leakage Oriented Browser Sandbox Testing Method

PDF

可视化

摘要/Abstract

引用本文

使用本文

参考文献

相关文章 4

编辑推荐

Metrics

[1]	邱田;胡晓惠;李鹏飞;马恒太. 基于OWL-S的服务发现语义匹配机制[J]. 电子学报, 2010, 38(1): 42-47.
[2]	邱田;李鹏飞;林品;. 一个基于概念语义近似度的Web服务匹配算法[J]. 电子学报, 2009, 37(2): 429-432.
[3]	程玉胜;张佑生;胡学钢;章晓良. 基于任意分割的串行进位链规则获取的计算流程[J]. 电子学报, 2009, 37(12): 2797-2802.
[4]	张新峰, 沈兰荪. 多特征融合技术应用于中医舌象分析的初步研究[J]. 电子学报, 2006, 34(4): 717-721.