| SSL,as a standard encrypted communication protocol of transport layer,has greaty influenced on the world.As one suit of code implementation of SSL protocol,OpenSSL has been widely used in the world and the world.Once the 0day vulnerabilities of OpenSSL flow into international black market,the world will be greatly affected.As a code library,there must exist vulnerabilities in OpenSSL.Its vulnerabilities have already been the potential safety hazard to our country's society along with the widely use of information techniques.This means it's necessary to launch the vulnerabilities analysis of OpenSSL to find its weakness in advance before the attackers.This passage talks about the vulnerabilities analysis of OpenSSL based on the techniques of vulnerabilities exploitation.Since a 0day vulnerability of OpenSSL was found,it's important study the system of the current formalized vulnerabilities exploitation techniques.Besides,it needs to improve the security attributes definition method based on the underlying behavior and the degree of automation of theorem proving machine.A tool was made to support the relevant improvement and used to launch vulnerabilities analysis to Xen(virtual machine)to test the practicability of the improving scheme.Concrete works as follow:1.Analyze vulnerabilities completely and find out a 0day vulnerability by code audit,with resulted in the number CVE-2016-2179.2.Summary of the complete process vulnerabilities analysis of OpenSSL and study the system of the current formalized vulnerabilities exploitation techniques.A quantitative analysis of historical vulnerabilities is combined with the author's experiences of vulnerabilities exploitation with try to enhance the automation of the code audit tools using existing methods.The improving advice to theorem proving of code audit is proposed by modifying current open sources to support the improving scheme.3.The improved code audit tool was used to launch code audit to xen4.7 and a bug has been reported to Xen team. |
PDF Full Text Request