Yan Wang,Wei Wu,Chao Zhang,Xinyu Xing,Xiaorui Gong,Wei Zou

DOI: https://doi.org/10.1186/s42400-019-0028-9

2019-01-01

Abstract:Exploitability assessment of vulnerabilities is important for both defenders and attackers. The ultimate way to assess the exploitability is crafting a working exploit. However, it usually takes tremendous hours and significant manual efforts. To address this issue, automated techniques can be adopted. Existing solutions usually explore in depth the crashing paths, i.e., paths taken by proof-of-concept (PoC) inputs triggering vulnerabilities, and assess exploitability by finding exploitable states along the paths. However, exploitable states do not always exist in crashing paths. Moreover, existing solutions heavily rely on symbolic execution and are not scalable in path exploration and exploit generation. In this paper, we propose a novel solution to generate exploit for userspace programs or facilitate the process of crafting a kernel UAF exploit. Technically, we utilize oriented fuzzing to explore diverging paths from vulnerability point. For userspace programs, we adopt a control-flow stitching solution to stitch crashing paths and diverging paths together to generate exploit. For kernel UAF, we leverage a lightweight symbolic execution to identify, analyze and evaluate the system calls valuable and useful for exploiting vulnerabilities. We have developed a prototype system and evaluated it on a set of 19 CTF (capture the flag) programs and 15 realworld Linux kernel UAF vulnerabilities. Experiment results showed it could generate exploit for most of the userspace test set, and it could also facilitate security mitigation bypassing and exploitability evaluation for kernel test set.

Yan Wang,Chao Zhang,Xiaobo Xiang,Zixuan Zhao,Bingchang Liu,Wenjie Li,Xiaorui Gong,Kaixiang Chen,Wei Zou

DOI: https://doi.org/10.1145/3243734.3243847

2018-01-01

Abstract:Automatic exploit generation is an open challenge. Existing solutions usually explore in depth the crashing paths, i.e., paths taken by proof-of-concept (PoC) inputs triggering vulnerabilities, and generate exploits when exploitable states are found along the paths. However, exploitable states do not always exist in crashing paths. Moreover, existing solutions heavily rely on symbolic execution and are not scalable in path exploration and exploit generation. In addition, few solutions could exploit heap-based vulnerabilities.In this paper, we propose a new solution Revery to search for exploitable states in paths diverging from crashing paths, and generate control-flow hijacking exploits for heap-based vulnerabilities. It adopts three novel techniques: (1) a layout-contributor digraph to characterize a vulnerability's memory layout and its contributor instructions; (2) a layout-oriented fuzzing solution to explore diverging paths, which have similar memory layouts as the crashing paths, in order to search more exploitable states and generate corresponding diverging inputs; (3) a control-flow stitching solution to stitch crashing paths and diverging paths together, and synthesize EXP inputs able to trigger both vulnerabilities and exploitable states.We have developed a prototype of Revery based on the binary analysis engine angr, and evaluated it on a set of 19 CTF (capture the flag) programs. Experiment results showed that it could generate exploits for 9 (47%) of them, and generate EXP inputs able to trigger exploitable states for another 5 (26%) of them.

Mingxi Ye,Xingwei Lin,Yuhong Nan,Jiajing Wu,Zibin Zheng

DOI: https://doi.org/10.1145/3650212.3680321

2024-01-01

Abstract:In the context of boosting smart contract applications, prioritizing their security becomes paramount. Smart contract exploits often result in notable financial losses. Ensuring their security is by no means trivial. Rather than resulting in program crashes, most attacks in on-chain smart contracts aim to induce financial loss, referred to as profitable exploits. By constructing seemingly innocuous inputs, profitable exploits try to extract extra profit or compromise the interests of others. However, due to the complexity of call chains in on-chain smart contracts and the need for effective oracles for profitable exploits, smart contract fuzzing suffers from low efficiency and low effectiveness in finding profitable exploits. In this paper, we present Midas, a novel feedback-driven fuzzing framework to mine profitable exploits in on-chain smart contracts effectively. Midas consists of two modules: diverse validity fuzzing and profitable transaction identification. The diverse validity fuzzing module applies two waypoints to efficiently generate valid transactions, addressing the complexity of on-chain smart contract call chains. The profitable transaction identification module applies differential analysis to effectively identify profitable exploits, addressing the limitation of ad-hoc oracles. Evaluation of Midas over on-chain smart contracts showed it effectively identified 40 real-world exploits with a precision of 80%, outperforming state-of-the-art tools (i.e., ItyFuzz and Slither) in both efficiency and effectiveness. Particularly, Midas effectively mines five unknown exploits in valuable smart contracts, and two of them have already been confirmed by their DApp developers.

Yan Wang,Chao Zhang,Xiaobo Xiang,Zixuan Zhao,Wen-Jie Li,Xiaojing Gong,Bingchang Liu,Kaixiang Chen,Wei Zou

DOI: https://doi.org/10.1145/3243734.3243847

2018-01-01

Abstract:Automatic exploit generation is an open challenge. Existing solutions usually explore in depth the crashing paths, i.e., paths taken by proof-of-concept (POC) inputs triggering vulnerabilities, and generate exploits when exploitable states are found along the paths. However, exploitable states do not always exist in crashing paths. Moreover, existing solutions heavily rely on symbolic execution and are not scalable in path exploration and exploit generation. In addition, few solutions could exploit heap-based vulnerabilities. In this paper, we propose a new solution revery to search for exploitable states in paths diverging from crashing paths, and generate control-flow hijacking exploits for heap-based vulnerabilities. It adopts three novel techniques:(1) a digraph to characterize a vulnerability's memory layout and its contributor instructions;(2) a fuzz solution to explore diverging paths, which have similar memory layouts as the crashing paths, in order to search more exploitable states and generate corresponding diverging inputs;(3) a stitch solution to stitch crashing paths and diverging paths together, and synthesize EXP inputs able to trigger both vulnerabilities and exploitable states. We have developed a prototype of revery based on the binary analysis engine angr, and evaluated it on a set of 19 real world CTF (capture the flag) challenges. Experiment results showed that it could generate exploits for 9 (47%) of them, and generate EXP inputs able to trigger exploitable states for another 5 (26%) of them.

Dandan Xu,Kai Chen,Miaoqian Lin,Chaoyang Lin,XiaoFeng Wang

DOI: https://doi.org/10.1109/tifs.2023.3322319

IF: 7.231

2023-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Capture-the-flag (CTF) competitions have become highly successful in security education, and heap corruption is considered one of the most difficult and rewarding challenges due to its complexity and real-world impact. However, developing a heap exploit is a challenging task that often requires significant human involvement to manipulate memory layouts and bypass security checks. To facilitate the exploitation of heap corruption, existing solutions develop automated systems that rely on manually crafted patterns to generate exploits. Such manual patterns tend to be specific, which limits their flexibility to cope with the evolving exploit techniques. To address this limitation, we explore the problem of the automatic summarization of exploit patterns. We leverage an observation that public attack artifacts provide key insights into heap exploits. Based upon this observation, we develop AutoPwn, the first artifact-assisted AEG system that automatically summarizes exploit patterns from artifacts of known heap exploits and uses them to guide the exploitation of new programs. Considering the diversity of programs and exploits, we propose to use a novel Exploitation State Machine (ESM), with generic states and transitions to model the exploit patterns, and then efficiently construct it through combining the dynamic monitoring of exploits and the semantic analysis of their text descriptions. We implement a prototype of AutoPwn and evaluate it on 96 testing CTF binaries. The results show that AutoPwn produces 22 successful exploits and 13 partial exploits, preliminarily demonstrating its efficacy.

Zhongyu Pei,Xingman Chen,Songtao Yang,Haixin Duan,Chao Zhang

DOI: https://doi.org/10.1109/tdsc.2022.3191693

2023-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Acquiring and analyzing exploits, which take advantage of vulnerabilities to conduct malicious actions, are crucial for victims (and defenders) when responding to system compromising incidents. However, exploits are sensitive and valuable assets that are not available to victims. The most common resource available for victims to investigate is network traffic, which covers the exploitation period. Thus reconstructing exploits from network traffic is demanded. In practice, the reconstruction process is performed manually, thus inefficient and non-scalable. In this article, we present an automated solution TAICHI to reconstruct exploits from network traffic, able to generate replica exploits and facilitate timely incident analysis. By nature, a working exploit has to satisfy (1) path constraints which ensure the program path same as the original exploit's is explored and the same vulnerability is triggered, and (2) exploit constraints which ensure the same exploitation strategy is applied, e.g., to bypass deployed defenses or to stitch multiple gadgets together. We propose a hybrid solution to this problem by integrating techniques including multi-version execution (MVE), dynamic taint analysis (DTA), and concolic execution. We have implemented a prototype of TAICHI on x86 and x86-64 Linux and tested it on the Cyber Grand Challenge (CGC) dataset, several Capture the Flag (CTF) challenges, and Metasploit exploit modules targeting real world applications. The evaluation results showed that TAICHI could reconstruct exploits efficiently with a high success rate. Moreover, it could be applied to production environments without disrupting running services, and could reconstruct exploits even if only one round of exploitation traffic is available.

Minghua Wang,Purui Su,Qi Li,Lingyun Ying,Yi Yang,Dengguo Feng

DOI: https://doi.org/10.1007/978-3-319-04283-1_14

2013-01-01

Abstract:Generating exploits from the perspective of attackers is an effective approach towards severity analysis of known vulnerabilities. However, it remains an open problem to generate even one exploit using a program binary and a known abnormal input that crashes the program, not to mention multiple exploits. To address this issue, in this paper, we propose PolyAEG, a system that automatically generates multiple exploits for a vulnerable program using one corresponding abnormal input. To generate polymorphic exploits, we fully leverage different trampoline instructions to hijack control flow and redirect it to malicious code in the execution context. We demonstrate that, given a vulnerable program and one of its abnormal inputs, our system can generate polymorphic exploits for the program. We have successfully generated control flow hijacking exploits for 8 programs in our experiment. Particularly, we have generated 4,724 exploits using only one abnormal input for Irfan View, a widely used picture viewer.

Siyuan Li,Yuekang Li,Zuxin Chen,Chaopeng Dong,Yongpan Wang,Hong Li,Yongle Chen,Hongsong Zhu

2024-11-27

Abstract:Code reuse in software development frequently facilitates the spread of vulnerabilities, making the scope of affected software in CVE reports imprecise. Traditional methods primarily focus on identifying reused vulnerability code within target software, yet they cannot verify if these vulnerabilities can be triggered in new software contexts. This limitation often results in false positives. In this paper, we introduce TransferFuzz, a novel vulnerability verification framework, to verify whether vulnerabilities propagated through code reuse can be triggered in new software. Innovatively, we collected runtime information during the execution or fuzzing of the basic binary (the vulnerable binary detailed in CVE reports). This process allowed us to extract historical traces, which proved instrumental in guiding the fuzzing process for the target binary (the new binary that reused the vulnerable function). TransferFuzz introduces a unique Key Bytes Guided Mutation strategy and a Nested Simulated Annealing algorithm, which transfers these historical traces to implement trace-guided fuzzing on the target binary, facilitating the accurate and efficient verification of the propagated vulnerability. Our evaluation, conducted on widely recognized datasets, shows that TransferFuzz can quickly validate vulnerabilities previously unverifiable with existing techniques. Its verification speed is 2.5 to 26.2 times faster than existing methods. Moreover, TransferFuzz has proven its effectiveness by expanding the impacted software scope for 15 vulnerabilities listed in CVE reports, increasing the number of affected binaries from 15 to 53. The datasets and source code used in this article are available at <a class="link-external link-https" href="https://github.com/Siyuan-Li201/TransferFuzz" rel="external noopener nofollow">this https URL</a>.

Software Engineering

Chao Zhang,Zhongyuan Qin,Liquan Chen,Xin Sun,Wen Wang

DOI: https://doi.org/10.1109/icsip57908.2023.10271009

2023-01-01

Abstract:The rapid growth of program complexity and the development of security mitigation for program have brought serious challenges to program security research. It is more difficult to evaluate program security efficiently by analyzing vulnerabilities manually. Therefore, an automatic method of detecting vulnerabilities and generating exploit is in critical demand. This paper proposes AutoExploit, which is an automatic scheme to detect various vulnerabilities and generate exploit in binary programs after bypassing the security mitigation. The method detects potential vulnerabilities including format string vulnerability and buffer overflow vulnerability using symbolic execution and dynamic analysis at the dangerous functions. For the potential buffer overflow vulnerability, this method generates exploit automatically by constructing constraints expressions and solving constraints after bypassing the security mitigation through code reuse. The effectiveness of our method is demonstrated using the datasets from CTF competition.

Tielei Wang,Tao Wei,Guofei Gu,Wei Zou

DOI: https://doi.org/10.1109/sp.2010.37

2010-01-01

Abstract:Fuzz testing has proven successful in finding security vulnerabilities in large programs. However, traditional fuzz testing tools have a well-known common drawback: they are ineffective if most generated malformed inputs are rejected in the early stage of program running, especially when target programs employ checksum mechanisms to verify the integrity of inputs. In this paper, we present TaintScope, an automatic fuzzing system using dynamic taint analysis and symbolic execution techniques, to tackle the above problem. TaintScope has several novel contributions: 1) TaintScope is the first checksum-aware fuzzing tool to the best of our knowledge. It can identify checksum fields in input instances, accurately locate checksum-based integrity checks by using branch profiling techniques, and bypass such checks via control flow alteration. 2) TaintScope is a directed fuzzing tool working at X86 binary level (on both Linux and Window). Based on fine-grained dynamic taint tracing, TaintScope identifies which bytes in a well-formed input are used in security-sensitive operations (e.g., invoking system/library calls) and then focuses on modifying such bytes. Thus, generated inputs are more likely to trigger potential vulnerabilities. 3) TaintScope is fully automatic, from detecting checksum, directed fuzzing, to repairing crashed samples. It can fix checksum values in generated inputs using combined concrete and symbolic execution techniques. We evaluate TaintScope on a number of large real-world applications. Experimental results show that TaintScope can accurately locate the checksum checks in programs and dramatically improve the effectiveness of fuzz testing. TaintScope has already found 27 previously unknown vulnerabilities in several widely used applications, including Adobe Acrobat, Google Picasa, Microsoft Paint, and ImageMagick. Most of these severe vulnerabilities have been confirmed by Secunia and oCERT, and assigned CVE identifiers (such as CVE-2009-1882, CVE-2009-2688). Corresponding patches from vendors are released or in progress based on our reports.

Yu Ding,Tao Wei,Hui Xue,Yulong Zhang,Chao Zhang,Xinhui Han

DOI: https://doi.org/10.1007/s11432-016-5521-0

2016-01-01

Science China Information Sciences

Abstract:Software exploits, especially zero-day exploits, are major security threats. Every day, security experts discover and collect numerous exploits from honeypots, malware forensics, and underground channels.However, no easy methods exist to classify these exploits into meaningful categories and to accelerate diagnosis as well as detailed analysis. To address this need, we present Seismo Meter, which recognizes both control-flowhijacking, and data-only attacks by combining approximate control-flow integrity, fast dynamic taint analysis and API sandboxing schemes. Once it detects an exploit incident, Seismo Meter generates a succinct data representation, called an exploit skeleton, to characterize the captured exploit. Seismo Meter then classifies the captured exploits into different exploit families by performing distance computing on the extracted skeletons.To evaluate the efficiency of Seismo Meter, we conduct a field test using exploit samples from public exploit databases, such as Metasploit, as well as wild-captured exploits. Our experiments demonstrate that Seismo Meter is a practical system that successfully detects and correctly classifies all these exploit attacks.

Tielei Wang,Tao Wei,Guofei Gu,Wei Zou

DOI: https://doi.org/10.1145/2019599.2019600

2011-01-01

ACM Transactions on Information and System Security

Abstract:Fuzz testing has proven successful in finding security vulnerabilities in large programs. However, traditional fuzz testing tools have a well-known common drawback: they are ineffective if most generated inputs are rejected at the early stage of program running, especially when target programs employ checksum mechanisms to verify the integrity of inputs. This article presents TaintScope, an automatic fuzzing system using dynamic taint analysis and symbolic execution techniques, to tackle the above problem. TaintScope has several novel features: (1) TaintScope is a checksum-aware fuzzing tool. It can identify checksum fields in inputs, accurately locate checksum-based integrity checks by using branch profiling techniques, and bypass such checks via control flow alteration. Furthermore, it can fix checksum values in generated inputs using combined concrete and symbolic execution techniques. (2) TaintScope is a taint-based fuzzing tool working at the x86 binary level. Based on fine-grained dynamic taint tracing, TaintScope identifies the “hot bytes” in a well-formed input that are used in security-sensitive operations (e.g., invoking system/library calls), and then focuses on modifying such bytes with random or boundary values. (3) TaintScope is also a symbolic-execution-based fuzzing tool. It can symbolically evaluate a trace, reason about all possible values that can execute the trace, and then detect potential vulnerabilities on the trace. We evaluate TaintScope on a number of large real-world applications. Experimental results show that TaintScope can accurately locate the checksum checks in programs and dramatically improve the effectiveness of fuzz testing. TaintScope has already found 30 previously unknown vulnerabilities in several widely used applications, including Adobe Acrobat, Flash Player, Google Picasa, and Microsoft Paint. Most of these severe vulnerabilities have been confirmed by Secunia and oCERT, and assigned CVE identifiers (such as CVE-2009-1882, CVE-2009-2688). Vendor patches have been released or are in preparation based on our reports.

Yaohui Chen,Peng Li,Jun Xu,Shengjian Guo,Rundong Zhou,Yulong Zhang,Taowei,Long Lu

DOI: https://doi.org/10.48550/arXiv.1906.07327

2019-06-18

Abstract:Hybrid testing combines fuzz testing and concolic execution. It leverages fuzz testing to test easy-to-reach code regions and uses concolic execution to explore code blocks guarded by complex branch conditions. However, its code coverage-centric design is inefficient in vulnerability detection. First, it blindly selects seeds for concolic execution and aims to explore new code continuously. However, as statistics show, a large portion of the explored code is often bug-free. Therefore, giving equal attention to every part of the code during hybrid testing is a non-optimal strategy. It slows down the detection of real vulnerabilities by over 43%. Second, classic hybrid testing quickly moves on after reaching a chunk of code, rather than examining the hidden defects inside. It may frequently miss subtle vulnerabilities despite that it has already explored the vulnerable code paths. We propose SAVIOR, a new hybrid testing framework pioneering a bug-driven principle. Unlike the existing hybrid testing tools, SAVIOR prioritizes the concolic execution of the seeds that are likely to uncover more vulnerabilities. Moreover, SAVIOR verifies all vulnerable program locations along the executing program path. By modeling faulty situations using SMT constraints, SAVIOR reasons the feasibility of vulnerabilities and generates concrete test cases as proofs. Our evaluation shows that the bug-driven approach outperforms mainstream automated testing techniques, including state-of-the-art hybrid testing systems driven by code coverage. On average, SAVIOR detects vulnerabilities 43.4% faster than DRILLER and 44.3% faster than QSYM, leading to the discovery of 88 and 76 more uniquebugs,respectively.Accordingtotheevaluationon11 well fuzzed benchmark programs, within the first 24 hours, SAVIOR triggers 481 UBSAN violations, among which 243 are real bugs.

Software Engineering

Shunfan Zhou,Zhemin Yang,Dan Qiao,Peng Liu,Min Yang,Zhe Wang,Chenggang Wu

2022-01-01

Abstract:Symbolic execution and fuzz testing are effective approaches for program analysis, thanks to their evolving path exploration approaches. The state-of-the-art symbolic execution and fuzzing techniques are able to generate valid program inputs to satisfy the conditional statements. However, they have very limited ability to explore the finite-state-machine models implemented by real-world programs. This is because such state machines contain program-state-dependent branches (state-dependent branches in this paper) which depend on earlier program execution instead of the current program inputs. This paper is the first attempt to thoroughly explore the state-dependent branches in real-world programs. We introduce program-state-aware symbolic execution, a novel technique that guides symbolic execution engines to efficiently explore the state-dependent branches. As we show in this paper, state-dependent branches are prevalent in many important programs because they implement state machines to fulfill their application logic. Symbolically executing arbitrary programs with state-dependent branches is difficult, since there is a lack of unified specifications for their state machine implementation. Faced with this challenging problem, this paper recognizes widely-existing data dependency between current program states and previous inputs in a class of important programs. Our insights into these programs help us take a successful first step on this task. We design and implement a tool Ferry, which efficiently guides symbolic execution engine by automatically recognizing program states and exploring state-dependent branches. By applying Ferry to 13 different real-world programs and the comprehensive dataset Google FuzzBench, Ferry achieves higher block and branch coverage than two state-of-the-art symbolic execution engines and manages to locate three 0-day vulnerabilities in jhead. Our further investigation shows that Ferry is able to cover more hard-to-reach code compared with existing symbolic executors and fuzzers. Further, we show that Ferry is able to reach more program-state-dependent vulnerabilities than existing symbolic executors and fuzzing approaches with 15 collected state-dependent vulnerabilities and a test suite of six prominent programs. Finally, we test Ferry on LAVA-M dataset to understand its strengths and limitations.

Zirui Chen,Xing Hu,Xin Xia,Yi Gao,Tongtong Xu,David Lo,Xiaohu Yang

2023-12-15

Abstract:In software development, developers extensively utilize third-party libraries to avoid implementing existing functionalities. When a new third-party library vulnerability is disclosed, project maintainers need to determine whether their projects are affected by the vulnerability, which requires developers to invest substantial effort in assessment. However, existing tools face a series of issues: static analysis tools produce false alarms, dynamic analysis tools require existing tests and test generation tools have low success rates when facing complex vulnerabilities. Vulnerability exploits, as code snippets provided for reproducing vulnerabilities after disclosure, contain a wealth of vulnerability-related information. This study proposes a new method based on vulnerability exploits, called VESTA (Vulnerability Exploit-based Software Testing Auto-Generator), which provides vulnerability exploit tests as the basis for developers to decide whether to update dependencies. VESTA extends the search-based test generation methods by adding a migration step, ensuring the similarity between the generated test and the vulnerability exploit, which increases the likelihood of detecting potential library vulnerabilities in a project. We perform experiments on 30 vulnerabilities disclosed in the past five years, involving 60 vulnerability-project pairs, and compare the experimental results with the baseline method, TRANSFER. The success rate of VESTA is 71.7\% which is a 53.4\% improvement over TRANSFER in the effectiveness of verifying exploitable vulnerabilities.

Software Engineering

Wei Zheng,Peiran Deng,Kui Gui,Xiaoxue Wu

DOI: https://doi.org/10.1016/j.infsof.2023.107194

IF: 3.9

2023-06-01

Information and Software Technology

Abstract:Context: Zero-day vulnerabilities are highly destructive and sudden. However, traditional static and dynamic testing methods cannot efficiently detect them. Objective: In this paper, a static fuzzy mutation method for program code is studied. This method can improve the efficiency of mutation sample generation according to the vulnerability evolution law, thus promoting the development of zero-day vulnerability detection methods based on deep learning techniques. Method: A static fuzzy mutation method based on the Abstract Syntax Tree (AST) is proposed. Under the guidance of software vulnerability evolution law, potential evolution paths that threaten program security are detected, and mutation samples containing vulnerabilities are generated at the syntax tree level based on the paths. To verify the effectiveness of static fuzzy mutation based on ASTs, this paper starts with Concurrent Use After Free (CUAF) homologous vulnerability. It uses multi-threaded programs to perform vulnerability feature statement insertion processing to infer the optimal mutation operator execution sequence corresponding to CUAF vulnerabilities triggered by data competition. The Linux kernel code is used to verify whether it can effectively reduce the number of invalid mutation samples. Results: In this paper, we filter the code fragments in the Linux kernel public code containing CUAF vulnerability fix commits and perform static fuzzy mutation on the fix versions of the vulnerabilities to reproduce the vulnerabilities of this type triggered by these code fragments on the timeline. We compare the process with the execution of the random mutation operator in traditional detection methods horizontally and improve the efficiency by 42.4% on average. Conclusion: The static fuzzy mutation based on the AST is effective in stages. When this method is explored in more vulnerability-type evolution laws, it is expected to promote the development of the zero-day vulnerability active detection technology framework.

computer science, information systems, software engineering

Jiarun Dai,Yuan Zhang,Hailong Xu,Haiming Lyu,Zicheng Wu,Xinyu Xing,Min Yang

DOI: https://doi.org/10.1145/3460120.3484594

2021-01-01

Abstract:Recent research shows that, even for vulnerability reports archived by MITRE/NIST, they usually contain incomplete information about the software's vulnerable versions, making users of under-reported vulnerable versions at risk. In this work, we address this problem by introducing a fuzzing-based method. Technically, this approach first collects the crashing trace on the reference version of the software. Then, it utilizes the trace to guide the mutation of the PoC input so that the target version could follow the trace similar to the one observed on the reference version. Under the mutated input, we argue that the target version's execution could have a higher chance of triggering the bug and demonstrating the vulnerability's existence. We implement this idea as an automated tool, named VulScope. Using 30 real-world CVEs on 470 versions of software, VulScope is demonstrated to introduce no false positives and only 7.9% false negatives while migrating PoC from one version to another. Besides, we also compare our method with two representative fuzzing tools AFL and AFLGO. We find VulScope outperforms both of these existing techniques while taking the task of PoC migration. Finally, by using VulScope, we identify 330 versions of software that MITRE/NIST fails to report as vulnerable.

Yudi Zhao,Yuan Zhang,Min Yang

2023-01-01

Abstract:Template engines are widely used in web applications to ease the development of user interfaces. The powerful capabilities provided by the template engines can be abused by attackers through server-side template injection (SSTI), enabling severe attacks on the server side, including remote code execution (RCE). Hence, modern template engines have provided a sandbox mode to prevent SSTI attacks from RCE. In this paper, we study an overlooked sandbox bypass vulnerability in template engines, called template escape, that could elevate SSTI attacks to RCE. By escaping the template rendering process, template escape bugs can be used to inject executable code on the server side. Template escape bugs are subtle to detect and exploit, due to their dependencies on the template syntax and the template rendering logic. Consequently, little knowledge is known about their prevalence and severity in the real world. To this end, we conduct the first in-depth study on template escape bugs and present TEFUZZ, an automatic tool to detect and exploit such bugs. By incorporating several new techniques, TEFUZZ does not need to learn the template syntax and can generate PoCs and exploits for the discovered bugs. We apply TEFUZZ to seven popular PHP template engines. In all, TEFUZZ discovers 135 new template escape bugs and synthesizes RCE exploits for 55 bugs. Our study shows that template escape bugs are prevalent and pose severe threats.

Ruipeng Wang,Zulie Pan,Fan Shi,Min Zhang

DOI: https://doi.org/10.3390/app11209727

2021-01-01

Applied Sciences

Abstract:Modern operating systems set exploit mitigations to thwart the exploit, which has also become a barrier to automated exploit generation (AEG). Many current AEG solutions do not fully account for exploit mitigations, and as a result, they are unable to accurately assess the exploitability of vulnerabilities in such settings.This paper proposes AEMB, an automated solution for bypassing exploit mitigations and generating useable exploits (EXPs). Initially, AEMB identifies exploit mitigations in the system based on characteristics of the program execution environment. Then, AEMB implements exploit mitigations bypassing the payload generation by modeling expert experience and constructs the corresponding constraints. Next, during the program’s execution, AEMB uses symbol execution to collect symbol information and create exploit constraints. Finally, AEMB utilizes a solver to solve the constraints, including payload constraints and exploit constraints, to generate the EXP. In this paper, we evaluated a prototype of AEMB on six test programs and seven real-world applications. Furthermore, we conducted 54 sets of experiments on six different combinations of exploit mitigations. Experiment results indicate that AEMB can automatically overcome exploit mitigations and produce successful exploits for 11 out of 13 applications.

Jiacheng Xu,Xuhong Zhang,Shouling Ji,Yuan Tian,Binbin Zhao,Qinying Wang,Peng Cheng,Jiming Chen

DOI: https://doi.org/10.14722/ndss.2024.23131

2024-01-01

Abstract:Kernels are at the heart of modern operating systems, whereas their development comes with vulnerabilities.Coverage-guided fuzzing has proven to be a promising software testing technique.When applying fuzzing to kernels, the salient aspect of it is that the input is a sequence of system calls (syscalls).As kernels are complex and stateful, specific sequences of syscalls are required to build up necessary states to trigger code deep in the kernels.However, the syscall sequences generated by existing fuzzers fall short in maintaining states to sufficiently cover deep code in the kernels where vulnerabilities favor residing.In this paper, we present a practical and effective kernel fuzzing framework, called MOCK, which is capable of learning the contextual dependencies in syscall sequences and then generating context-aware syscall sequences.To conform to the statefulness when fuzzing kernel, MOCK adaptively mutates syscall sequences in line with the calling context.MOCK integrates the context-aware dependency with (1) a customized language model-guided dependency learning algorithm, (2) a context-aware syscall sequence mutation algorithm, and (3) an adaptive task scheduling strategy to balance exploration and exploitation.Our evaluation shows that MOCK performs effectively in achieving branch coverage (up to 32% coverage growth), producing highquality input (50% more interrelated sequences), and discovering bugs (15% more unique crashes) than the state-of-the-art kernel fuzzers.Various setups including initial seeds and a pre-trained model further boost MOCK's performance.Additionally, MOCK also discovers 15 unique bugs in the most recent Linux kernels, including two CVEs.