A Comparative Study of Log4Shell Test Tools
D. Everson, Ashish Bastola, Rajat Mittal, Siddheshwar Munde, Long Cheng
2022 IEEE Secure Development Conference (SecDev), published 2022-10-01
DOI: 10.1109/SecDev53368.2022.00016 (https://doi.org/10.1109/SecDev53368.2022.00016)

Log4Shell was a critical Remote Code Execution vulnerability publicly disclosed on December 10th, 2021. Given its potential to be found in any Java application, organizations around the globe were scrambling to determine their exposure as well as identify methods to eliminate their exposure where possible and mitigate the risk elsewhere. This led to security teams needing tools to check for the vulnerability, assess fixes and mitigations, and demonstrate the vulnerability's impact in their environment. Both open-source and vendor communities were quick to deliver a wide variety of tools. In this paper we present a taxonomy and an analysis of 18 Log4Shell test tools spanning dynamic analysis, static analysis, honeypot, etc. As expected, dynamic tools could demonstrate exploitability while static tools provided more certainty. Most importantly, our analysis showed that understanding how each tool interprets the attack surface of the test item has a profound effect on the results and how they should be interpreted.