

    Please use this permanent URL to cite or link to this item: https://ir.lib.ncu.edu.tw/handle/987654321/98245


    Title: Systemic Harm Created by the Visual Studio Code Extension Ecosystem due to Behavior Abuse
    Author: Chiu, Ying-Ching (邱瀅靜)
    Contributor: Department of Computer Science and Information Engineering
    Keywords: Extension security; Fileless attack; Microsoft security; Software tools; Cross-platform security; Supply chain risk; Visual Studio Code; Extension
    Date: 2025-07-15
    Upload time: 2025-10-17 12:32:09 (UTC+8)
    Publisher: National Central University
    Abstract: Visual Studio Code (VS Code) is a free, cross-platform, and lightweight code editor that, with its comprehensive extension support, has become widely used as an integrated development environment (IDE) in practice. Its growing extension ecosystem significantly improves developer productivity. However, the open architecture and lack of extension isolation introduce security concerns. This study examines how VS Code extensions can serve as a vector for fileless attacks, describing methods by which attackers might download and execute malicious scripts, leading to unauthorized data access, system control, and lateral movement without user awareness. The Remote-SSH feature of VS Code may further let such attacks affect remote systems, broadening their impact. This study designs and implements a prototype of a malicious extension, with two distinct attack techniques tailored for Windows and Linux environments respectively. Each technique adopts a suitable fileless execution strategy based on platform characteristics and usage scenarios, and all four methods are successfully validated to achieve fileless attacks. The study further evaluates the detection effectiveness of several mainstream security solutions, including Windows Defender, Sysmon, Falco, and Trend Micro Maximum Security (PC-cillin Enterprise Edition), revealing their limitations in the context of developer toolchains. Finally, the study proposes a multi-layered defense strategy covering developers, extension marketplaces, and enterprise endpoints, addressing the current security gaps and potential risks in the software development ecosystem, while providing insights for future research and mechanism design.
    Appears in collections: [Graduate Institute of Computer Science and Information Engineering] Doctoral and Master's Theses

    Files in this item:

    File        Description  Size  Format  Views
    index.html               0Kb   HTML    10


    All items in NCUIR are protected by their original copyright.
