Web-based virtual machines are one of the primary targets of attackers due to number of design flaws they contain and the connectivity provided by the Web. The design and implementation of Inscription, the first fully automated Adobe Flash binary code transformation system that can guard major Flash vulnerability categories without modifying vulnerable Flash VMs, is presented and evaluated. Inscription affords a means of mitigating the significant class of web attacks that target unpatched, legacy Flash VMs and their apps.

This new enforcement capability is most effective when supplied with security policies that accurately characterize VM security vulnerabilities and their mitigations. Researchers and security engineers commonly depend on well-known, public vulnerability databases that document such vulnerabilities and provide details about each; but vulnerability information that is inconsistent, inaccurate, or vague hinders diagnosis of vulnerabilities residing in the implementations of web-based VMs, which is one of the crucial prerequisites of building generic, comprehensive security solutions for mitigating them. For example, a large percentage of disclosed vulnerabilities of the ActionScript VM (AVM), which executes Flash binaries, are vaguely classified as “Memory Corruption” or “Unspecified”. Deeper analysis of these vulnerabilities reveals that most can be more precisely classified as (1) use-after-free, (2) double-free, (3) integer overflow, (4) buffer overflow, or (5) heap overflow vulnerability sub-classes. To improve web vulnerability analysis and mitigation, a more thorough, comprehensive and accurate reclassification of web-based vulnerabilities is presented, in which “Memory Corruption” and “Unspecified” vulnerabilities are reclassified into one of these fine-grained vulnerability sub-classes.

由于基于Web的虚拟机包含的设计缺陷数量众多，并且网络提供了连接，因此基于Web的虚拟机是攻击者的主要目标之一。介绍并评估了Inscription的设计和实现，Inscription是第一个全自动的Adobe Flash二进制代码转换系统，该系统可以保护主要的Flash漏洞类别，而无需修改易受攻击的Flash VM。铭文提供了一种缓解针对未打补丁的旧版Flash VM及其应用程序的重要Web攻击的方法。

当提供可准确表征VM安全漏洞及其缓解措施的安全策略时，此新的强制执行功能最有效。研究人员和安全工程师通常依赖于众所周知的公共漏洞数据库，这些数据库记录了此类漏洞并提供了每个漏洞的详细信息；但是，不一致，不准确或模糊不清的漏洞信息会阻碍对基于Web的VM实施中存在的漏洞的诊断，这是构建通用，全面的安全解决方案以缓解这些漏洞的关键前提之一。例如，执行Flash二进制文件的ActionScript VM（AVM）的大部分已公开漏洞被模糊地分类为“内存损坏”或“未指定”。对这些漏洞的更深入分析显示，大多数漏洞可以更精确地分类为（1）释放后使用，（2）双重释放，（3）整数溢出，（4）缓冲区溢出或（5）堆溢出漏洞子类。为了改进Web漏洞分析和缓解，提出了对基于Web的漏洞的更彻底，全面和准确的重新分类，其中“内存损坏”和“未指定”漏洞被重新分类为这些细粒度的漏洞子类之一。