%0 Journal Article
%T PDF file vulnerability detection
%A 文伟平
%A 王永剑
%A 孟正
%J 清华大学学报(自然科学版)
%D 2017
%R 10.16511/j.cnki.qhdxxb.2017.21.007
%X In recent years, network attacks against business organizations and government agencies have occurred one after another, and advanced persistent threat (APT) attacks happen from time to time. Malicious PDF files are an important carrier of APT attacks: they complete the attack by executing malicious code embedded inside the file. Finding the security vulnerabilities present in the PDF file format itself, and detecting the key code that exploits those vulnerabilities, such as return-oriented programming (ROP) chains, blocks the propagation path of malicious PDF code at its root and so copes better with the diversity and variability of malicious PDF code. This paper first introduces the principles of PDF file format vulnerabilities and the methods for analyzing them. It then draws on worked PDF vulnerability analyses to build a vulnerability detection rule base and proposes a rule-matching method for detecting known PDF vulnerabilities. Next it describes the principles of the ROP technique and analyzes methods for detecting ROP chains. Finally it compares the known-vulnerability detection capability of the implemented detection system with that of the existing security tools Symantec and BitDefender; the detection results show that the system detects known vulnerabilities markedly better than comparable products.
%K PDF file
%K vulnerability detection
%K rule matching
%K return-oriented programming (ROP) chain detection
%U http://jst.tsinghuajournals.com/CN/Y2017/V57/I1/33