[1] 刘剑,苏璞睿,杨珉,等.软件与网络安全研究综述[J].软件学报,2018,29(1):42-68.LIU J,SU P R,YANG M,et al.Software and cyber security:a survey[J].Journal of Software,2018,29(1):42-68.(in Chinese) [2] 张婧,周安民,刘亮,等.Crash可利用性分析方法研究综述[J].计算机科学,2018,45(5):8-14,23.ZHANG J,ZHOU A M,LIU L,et al.Review of Crash exploitability analysis methods[J].Computer Science,2018,45(5):8-14,23.(in Chinese) [3] 苏璞睿,黄桦烽,余媛萍,等.软件漏洞自动利用研究综述[J].广州大学学报(自然科学版),2019,18(3):52-58.SU P R,HUANG H F,YU Y P,et al.Summary of research on software vulnerability auto exploit[J].Journal of Guangzhou University (Natural Science Edition),2019,18(3):52-58.(in Chinese) [4] DELORIE D.Malloc per-thread cache:benchmarks[EB/OL].[2022-05-06].https://sourceware.org/ml/libc-alpha/2017-01/msg00452.html. [5] 裴中煜,张超,段海新.GLibc堆利用的若干方法[J].信息安全学报,2018,3(1):1-15.PEI Z Y,ZHANG C,DUAN H X.Several methods of exploiting GLibc heap[J].Journal of Cyber Security,2018,3(1):1-15.(in Chinese) [6] CHIPOUNOV V,KUZNETSOV V,CANDEA G.S2E:a platform for in-vivo multi-path analysis of software systems[J].ACM SIGPLAN Notices,2011,46(3):265-278. [7] CHIPOUNOV V,KUZNETSOV V,CANDEA G.The S2E platform:design,implementation,and applications[J].ACM Transactions on Computer Systems,2012,30(1):1-49. [8] 王学,李学新,周智鹏,等.S2E测试平台及并行性能分析[J].信息网络安全,2012(7):16-19.WANG X,LI X X,ZHOU Z P,et al.Analysis of the software testing platform:S2E[J].Netinfo Security,2012(7):16-19.(in Chinese) [9] BRUMLEY D,POOSANKAM P,SONG D,et al.Automatic patch-based exploit generation is possible:techniques and implications[C]//Proceedings of IEEE Symposium on Security and Privacy.Washington D.C.,USA:IEEE Press,2008:143-157. [10] AVGERINOS T,CHA S K,LIM B,et al.AEG:automatic exploit generation[C]//Proceedings of IEEE Conference on Network & Distributed System Security.Washington D.C.,USA:IEEE Press,2011:213-226. [11] AVGERINOS T,CHA S K,REBERT A,et al.Automatic exploit generation[J].Communications of the ACM,2014,57(2):74-84. [12] CHA S K,AVGERINOS T,REBERT A,et al.Unleashing mayhem on binary code[C]//Proceedings of IEEE Symposium on Security and Privacy.Washington D.C.,USA:IEEE Press,2012:380-394. [13] WANG M H,SU P R,LI Q,et al.Automatic polymorphic exploit generation for software vulnerabilities[C]//Proceedings of International Conference on Security and Privacy in Communication Systems.Berlin,Germany:Springer,2013:216-233. [14] HE L,CAI Y,HU H,et al.Automatically assessing crashes from heap overflows[C]//Proceedings of the 32nd IEEE/ACM International Conference on Automated Software Engineering.Washington D.C.,USA:IEEE Press,2017:274-279. [15] WANG Y,ZHANG C,XIANG X B,et al.Revery:from proof-of-concept to exploitable[C]//Proceedings of 2018 ACM SIGSAC Conference on Computer and Communications Security.New York,USA:ACM Press,2018:365-379. [16] HEELAN S,MELHAM T,KROENING D.Automatic heap layout manipulation for exploitation[C]//Proceedings of the 27th USENIX Conference on Security Symposium.New York,USA:ACM Press,2018:763-779. [17] 黄宁,黄曙光,梁智超.基于符号执行的Unlink攻击检测方法[J].华南理工大学学报(自然科学版),2018,46(8):81-87.HUANG N,HUANG S G,LIANG Z C.Detection of unlink attack based on symbolic execution[J].Journal of South China University of Technology (Natural Science Edition),2018,46(8):81-87.(in Chinese) [18] 张超,潘祖烈,樊靖.基于符号执行的堆溢出fastbin攻击检测方法[J].计算机工程,2020,46(10):151-158.ZHANG C,PAN Z L,FAN J.Detection method for heap overflow fastbin attack based on symbolic execution[J].Computer Engineering,2020,46(10):151-158.(in Chinese) [19] 张超,潘祖烈,樊靖.面向堆内存漏洞的double free攻击方法检测[J].计算机应用研究,2020,37(S1):275-278.ZHANG C,PAN Z L,FAN J.Detection of double free attack method for heap memory vulnerabilities[J].Computer Application Research,2020,37(S1):275-278.(in Chinese) [20] MYERS J.Sourceware.org.Fix assertion in malloc.c:tcache_get[EB/OL].[2022-05-03].https://sourceware.org/git/?p=glibc.git;a=commit;h=77dc0d8643aa99c92bf671352b0a8adde705896f. [21] The one-gadget in glibc[EB/OL].[2022-05-03].https://david942j.blogspot.com/2017/02/project-one-gadget-in-glibc.html. [22] BELLARD F.QEMU,a fast and portable dynamic translator[C]//Proceedings of Annual Conference on USENIX Annual Technical Conference.New York,USA:ACM Press,2005:41. [23] CADAR C,DUNBAR D,ENGLER D.KLEE:unassisted and automatic generation of high-coverage tests for complex systems programs[EB/OL].[2022-05-03].https://blog.csdn.net/cutedog2012/article/details/79537942. [24] DE MOURA L,BJØRNER N.Z3:an efficient SMT solver[C]//Proceedings of International Conference on Tools and Algorithms for the Construction and Analysis of Systems.Berlin,Germany:Springer,2008:337-340. [25] HUANG S K,HUANG M H,HUANG P Y,et al.CRAX:software crash analysis for automatic exploit generation by modeling attacks as symbolic continuations[C]//Proceedings of the 6th IEEE International Conference on Software Security and Reliability.Washington D.C.,USA:IEEE Press,2012:78-87. [26] ZENGK L.Shellphish's automated exploitation engine[EB/OL].[2022-05-03].https://github.com/angr/rex. [27] ZANARDI V.Shellphish pursues the joy of hacking[EB/OL].[2022-05-03].https://shellphish.net/index.html. [28] YAN S.A powerful and user-friendly binary analysis platform![EB/OL].[2022-05-03].https://github.com/angr/angr. [29] ZENG K L.Shellphish.tcache_poisoning.c[EB/OL].[2022- 05-06].https://github.com/shellphish/how2heap/blob/master/glibc_2.31/Tcache_poisoning.c. [30] DELORIE D J.Sourceware.org.malloc:tcache double free check[EB/OL].[2022-05-03].https://sourceware.org/git/?p=glibc.git;a=commit;h=bcdaad21d4635931d1bd3b54a7894276925. [31] ZENG K L.Tcache_stashing_unlink_attack.c[EB/OL].[2022-05-03].https://github.com/shellphish/how2heap/blob/master/glibc_2.31/Tcache_stashing_unlink_attack.c. |