Lei Zhao,Run Wang,Lina Wang,Yueqiang Cheng

DOI: https://doi.org/10.1109/compsac.2015.32

2015-01-01

Abstract:Exploits diagnosis requires great manual effort and desires to be automated as much as possible. In this paper, we investigate how the syntactic format of program inputs, as well as reverse engineering of data structures, could be used to identify overwritten data structures, and propose a binary-level exploit diagnosis approach, deExploit, that is generic to attack types and effective in identifying key attack steps. In details, we design to use a fine-grained dynamic tainting technique to model how the exploit is dynamically processed during program execution, dynamically reverse corresponding data structures of program input and then identify overwritten data structures by detecting the deviation between dynamic processing of exploit and that of benign input. We implement deExploit and perform it to diagnose multiple exploits in the wild. The results show that deExploit works well to diagnose memory corruption exploits.

Yanzhen Ren,Changjun Li,Ziwei Liu,Lina Wang

DOI: https://doi.org/10.13245/j.hust.160308

2016-01-01

Abstract:In order to detect memory corruption exploit effectively with only binary program,based on field independence of data structure,an exploit-detecting method was proposed which was on account of field integrity.It recorded program execution tracks by means of fine-grained tainting technique, then fetched the data structure within the program which was relevant to the input data.Based on field independence of data structure and comparing input fields and resultant data structure,data structures was obtained which were destroyed by memory corruption exploit.Finally the memory cor-ruption exploit was detected by locating corrupted data structures.Experiment results show that this method is able to detect memory corruption exploit rapidly and precisely.

Runhao Li,Bin Zhang,Chaojing Tang

DOI: https://doi.org/10.1049/ell2.13136

2024-02-27

Electronics Letters

Abstract:The study proposes a novel method for identifying potential exploitable memory objects. It focuses on corrupted data propagation processes and designs a corrupted data‐oriented fuzzing method. Exploiting an out‐of‐bounds write vulnerability in general‐purpose applications has become a current research focus. Given the large scale of code in programs, selecting appropriate memory objects for exploitation is challenging. This letter proposes a corrupted data propagation‐guided fuzzing method. By tracking the propagation process of corrupted data among memory objects, a multi‐level fuzzing schedule is proposed to search the execution paths. Experimental results show that this proposed method, EMOFuzz, can effectively identify exploitable objects under various overflow lengths, significantly enhancing the efficiency of exploitability analysis.

engineering, electrical & electronic

Dandan Xu,Kai Chen,Miaoqian Lin,Chaoyang Lin,XiaoFeng Wang

DOI: https://doi.org/10.1109/tifs.2023.3322319

IF: 7.231

2023-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Capture-the-flag (CTF) competitions have become highly successful in security education, and heap corruption is considered one of the most difficult and rewarding challenges due to its complexity and real-world impact. However, developing a heap exploit is a challenging task that often requires significant human involvement to manipulate memory layouts and bypass security checks. To facilitate the exploitation of heap corruption, existing solutions develop automated systems that rely on manually crafted patterns to generate exploits. Such manual patterns tend to be specific, which limits their flexibility to cope with the evolving exploit techniques. To address this limitation, we explore the problem of the automatic summarization of exploit patterns. We leverage an observation that public attack artifacts provide key insights into heap exploits. Based upon this observation, we develop AutoPwn, the first artifact-assisted AEG system that automatically summarizes exploit patterns from artifacts of known heap exploits and uses them to guide the exploitation of new programs. Considering the diversity of programs and exploits, we propose to use a novel Exploitation State Machine (ESM), with generic states and transitions to model the exploit patterns, and then efficiently construct it through combining the dynamic monitoring of exploits and the semantic analysis of their text descriptions. We implement a prototype of AutoPwn and evaluate it on 96 testing CTF binaries. The results show that AutoPwn produces 22 successful exploits and 13 partial exploits, preliminarily demonstrating its efficacy.

Lei Zhao,Keyang Jiang,Yuncong Zhu,Lina Wang,Jiang Ming

DOI: https://doi.org/10.1109/tdsc.2022.3145022

2023-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Memory corruption diagnosis, especially at the binary level where all high-level program abstractions are missing, is a tedious and time-consuming task. Given a crash, memory corruption diagnosis is expected to not only locate the root cause of the vulnerability, but also deliver rich semantics to understand the vulnerability. However, existing techniques can barely satisfy the above requirements. In this article, we present ${{\sf MemRay}}$ , a dynamic memory corruption diagnosis technique. The insight behind our approach is that most memory corruption is caused by malformed inputs, which further leads the vulnerable program to manipulate inputs by referencing invalid data structures. We design the “data structure reference sequence” to characterize how a program references various data structures to manipulate program inputs. Then, we identify memory corruptions by detecting violations in the input manipulations via data structures. We demonstrate the effectiveness of ${{\sf MemRay}}$ on a wide range of memory-corruption vulnerabilities. The result shows that ${{\sf MemRay}}$ precisely locates the root cause of vulnerabilities. Moreover, the “data structure reference” enables ${{\sf MemRay}}$ to deliver rich semantics and context information to assist vulnerability diagnosis on binary code.

Zhi Liu,Xiaosong Zhang,Yue Wu,Ting Chen

DOI: https://doi.org/10.1108/03321641311296873

2013-01-01

Abstract:PurposeThe purpose of this paper is to propose an approach to detect Indirect Memory‐Corruption Exploit (IMCE) at runtime on binary code, which is often caused by integer conversion error. Real‐world attacks were evaluated for experimentation.Design/methodology/approachCurrent dynamic analysis detects attacks by enforcing low level policy which can only detect control‐flow hijacking attack. The proposed approach detects IMCE with high level policy enforcement using dynamic taint analysis. Unlike low‐level policy enforced on instruction level, the authors' policy is imposed on memory operation routine. The authors implemented a fine‐grained taint analysis system with accurate taint propagation for detection.FindingsConversion errors are common and most of them are legitimate. Taint analysis with high‐level policy can accurately block IMCE but have false positives. Proper design of data structures to maintain taint tag can greatly improve overhead.Originality/valueThis paper proposes an approach to block IMCE with high‐level policy enforcement using taint analysis. It has very low false negatives, though still causes certain false positives. The authors made several implementation contributions to strengthen accuracy and performance.

Meining Nie,Purui Su,Qi Li,Zhi Wang,Lingyun Ying,Jinlong Hu,Dengguo Feng

DOI: https://doi.org/10.1007/978-3-319-26362-5_10

2015-01-01

Abstract:Code reuse and code injection attacks have become the popular techniques for advanced persistent threat (APT) to bypass exploit-mitigation mechanisms deployed in modern operating systems. Meanwhile, complex, benign programs such as Microsoft Office employ many advanced techniques to improve the performance. Code execution patterns generated by these techniques are surprisingly similar to exploits. This makes the practical exploit detection very challenging, especially on the Windows platform. In this paper, we propose a practical exploit early detection system called Xede to comprehensively detect code reuse and code injection attacks. Xede can effectively reduce false positives and false negatives in the exploit detection. We demonstrate the effectiveness of Xede by experimenting with exploit samples and deploying Xede on the Internet. Xede can accurately detect all types of exploits. In particular, it can capture many exploits that cannot be captured by mainstream anti-virus software and detect exploits that fail to compromise the systems due to variations in the system configurations.

Yan Wang,Chao Zhang,Xiaobo Xiang,Zixuan Zhao,Wen-Jie Li,Xiaojing Gong,Bingchang Liu,Kaixiang Chen,Wei Zou

DOI: https://doi.org/10.1145/3243734.3243847

2018-01-01

Abstract:Automatic exploit generation is an open challenge. Existing solutions usually explore in depth the crashing paths, i.e., paths taken by proof-of-concept (POC) inputs triggering vulnerabilities, and generate exploits when exploitable states are found along the paths. However, exploitable states do not always exist in crashing paths. Moreover, existing solutions heavily rely on symbolic execution and are not scalable in path exploration and exploit generation. In addition, few solutions could exploit heap-based vulnerabilities. In this paper, we propose a new solution revery to search for exploitable states in paths diverging from crashing paths, and generate control-flow hijacking exploits for heap-based vulnerabilities. It adopts three novel techniques:(1) a digraph to characterize a vulnerability's memory layout and its contributor instructions;(2) a fuzz solution to explore diverging paths, which have similar memory layouts as the crashing paths, in order to search more exploitable states and generate corresponding diverging inputs;(3) a stitch solution to stitch crashing paths and diverging paths together, and synthesize EXP inputs able to trigger both vulnerabilities and exploitable states. We have developed a prototype of revery based on the binary analysis engine angr, and evaluated it on a set of 19 real world CTF (capture the flag) challenges. Experiment results showed that it could generate exploits for 9 (47%) of them, and generate EXP inputs able to trigger exploitable states for another 5 (26%) of them.

Binfa Gui,Wei Song,Hailong Xiong,Jeff Huang

DOI: https://doi.org/10.1109/tse.2021.3121994

IF: 7.4

2022-01-01

IEEE Transactions on Software Engineering

Abstract:C/C++ programs frequently encounter memory errors, such as Use-After-Free (UAF), buffer overflow, and integer overflow. Among these memory errors, UAF vulnerabilities are increasingly being exploited by attackers to disrupt critical software systems, leading to serious consequences, such as remote code execution and data breaches. Researchers have proposed dozens of approaches to detect UAFs in testing environments and to mitigate UAF exploit in production environments. However, to the best of our knowledge, no comprehensive studies have evaluated and compared these approaches. In this paper, we shed light on the current UAF detection and exploit mitigation approaches and provide a systematic overview, comprehensive comparison, and evaluation. Specifically, we evaluate the effectiveness and efficiency of publicly available UAF detection and exploit mitigation tools. The experimental results show that static UAF detectors are suitable for detecting intra-procedural UAFs but are not sufficient to detect inter-procedural UAFs in real-world programs. Dynamic UAF detectors are still the first choice for detecting inter-procedural UAFs. Our evaluation also demonstrates that the runtime overhead of existing UAF exploit mitigation tools is relatively stable whereas the memory overhead may vary dramatically with respect to different programs. Finally, we envision potential valuable future research directions.

Yu Ding,Tao Wei,Hui Xue,Yulong Zhang,Chao Zhang,Xinhui Han

DOI: https://doi.org/10.1007/s11432-016-5521-0

2016-01-01

Science China Information Sciences

Abstract:Software exploits, especially zero-day exploits, are major security threats. Every day, security experts discover and collect numerous exploits from honeypots, malware forensics, and underground channels.However, no easy methods exist to classify these exploits into meaningful categories and to accelerate diagnosis as well as detailed analysis. To address this need, we present Seismo Meter, which recognizes both control-flowhijacking, and data-only attacks by combining approximate control-flow integrity, fast dynamic taint analysis and API sandboxing schemes. Once it detects an exploit incident, Seismo Meter generates a succinct data representation, called an exploit skeleton, to characterize the captured exploit. Seismo Meter then classifies the captured exploits into different exploit families by performing distance computing on the extracted skeletons.To evaluate the efficiency of Seismo Meter, we conduct a field test using exploit samples from public exploit databases, such as Metasploit, as well as wild-captured exploits. Our experiments demonstrate that Seismo Meter is a practical system that successfully detects and correctly classifies all these exploit attacks.

YANG Song-Tao,CHEN Kai-Xiang,WANG Zhun,ZHANG Chao

DOI: https://doi.org/10.21655/ijsi.1673-7288.00290

2022-01-01

International Journal of Software and Informatics

Abstract:PDF HTML XML Export Cite reminder Exploit-oriented Automated Information Leakage DOI: 10.21655/ijsi.1673-7288.00290 Author: Affiliation: Clc Number: Fund Project: Article | Figures | Metrics | Reference | Related | Cited by | Materials | Comments Abstract:Automatic Exploit Generation (AEG) has become one of the most important ways to demonstrate the exploitability of vulnerabilities. However, state-of-the-art AEG solutions in general assume the target system has no mitigations deployed, which is not true in modern operating systems since they often deploy mitigations like Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR). This paper presents the automatic solution EoLeak that can exploit heap vulnerabilities to leak sensitive data and bypass ASLR and DEP at the same time. At a high level, EoLeak analyzes the program execution trace of the Proof-Of-Concept (POC) input that triggers the heap vulnerabilities, characterizes the memory profile from the trace, locates sensitive data (e.g., code pointers), constructs leakage primitives that disclose sensitive data, and generates exploits for the entire process when possible. We have implemented a prototype of EoLeak and evaluated it on a set of Capture The Flag (CTF) binary programs and several real-world applications. Evaluation results reveal that EoLeak is effective at leaking data and generating exploits. Reference Related Cited by

Yan Wang,Chao Zhang,Xiaobo Xiang,Zixuan Zhao,Bingchang Liu,Wenjie Li,Xiaorui Gong,Kaixiang Chen,Wei Zou

DOI: https://doi.org/10.1145/3243734.3243847

2018-01-01

Abstract:Automatic exploit generation is an open challenge. Existing solutions usually explore in depth the crashing paths, i.e., paths taken by proof-of-concept (PoC) inputs triggering vulnerabilities, and generate exploits when exploitable states are found along the paths. However, exploitable states do not always exist in crashing paths. Moreover, existing solutions heavily rely on symbolic execution and are not scalable in path exploration and exploit generation. In addition, few solutions could exploit heap-based vulnerabilities.In this paper, we propose a new solution Revery to search for exploitable states in paths diverging from crashing paths, and generate control-flow hijacking exploits for heap-based vulnerabilities. It adopts three novel techniques: (1) a layout-contributor digraph to characterize a vulnerability's memory layout and its contributor instructions; (2) a layout-oriented fuzzing solution to explore diverging paths, which have similar memory layouts as the crashing paths, in order to search more exploitable states and generate corresponding diverging inputs; (3) a control-flow stitching solution to stitch crashing paths and diverging paths together, and synthesize EXP inputs able to trigger both vulnerabilities and exploitable states.We have developed a prototype of Revery based on the binary analysis engine angr, and evaluated it on a set of 19 CTF (capture the flag) programs. Experiment results showed that it could generate exploits for 9 (47%) of them, and generate EXP inputs able to trigger exploitable states for another 5 (26%) of them.

Oscar Llorente-Vazquez,Igor Santos-Grueiro,Iker Pastor-Lopez,Pablo Garcia Bringas

DOI: https://doi.org/10.1093/jigpal/jzae008

2024-03-16

Abstract:Abstract Software vulnerabilities are the root cause for a multitude of security problems in computer systems. Owing to their efficiency and tight control over low-level system resources, the C and C++ programming languages are extensively used for a myriad of purposes, from implementing operating system kernels to user-space applications. However, insufficient or improper memory management frequently leads to invalid memory accesses, eventually resulting in memory corruption vulnerabilities. These vulnerabilities are used as a foothold for elaborated attacks that bypass existing defense methods. In this paper, we summarise the main memory safety violation types (i.e. memory errors), and analyse how they are exploited by attackers and the main mitigation methods proposed in the research community. We further systematise the most relevant techniques with regards to memory corruption identification in current programs.

mathematics, applied,logic

Jie Liu,Hang An,Jin Li,Hongliang Liang

DOI: https://doi.org/10.48550/arxiv.2212.13990

2022-01-01

Abstract: Automated Exploit Generation (AEG) is a well-known difficult task, especially for heap vulnerabilities. Previous works first detected heap vulnerabilities and then searched for exploitable states by using symbolic execution and fuzzing techniques on binary programs. However, it is not always easy to discovery bugs using fuzzing or symbolic technologies and solvable for internal overflow of heap objects. In this paper, we present a solution DEPA to detect exploit primitives based on primitive-crucial-behavior model for heap vulnerabilities. The core of DEPA contains two novel techniques, 1) primitive-crucial-behavior identification through pointer dependence analysis, and 2) exploit primitive determination method which includes triggering both vulnerabilities and exploit primitives. We evaluate DEPA on eleven real-world CTF(capture the flag) programs with heap vulnerabilities and DEPA can discovery arbitrary write and arbitrary jump exploit primitives for ten programs except for program multi-heap. Results showed that primitive-crucial-behavior identification and determining exploit primitives are accurate and effective by using our approach. In addition, DEPA is superior to the state-of-the-art tools in determining exploit primitives for the heap object internal overflow

Chao Zhang,Zhongyuan Qin,Liquan Chen,Xin Sun,Wen Wang

DOI: https://doi.org/10.1109/icsip57908.2023.10271009

2023-01-01

Abstract:The rapid growth of program complexity and the development of security mitigation for program have brought serious challenges to program security research. It is more difficult to evaluate program security efficiently by analyzing vulnerabilities manually. Therefore, an automatic method of detecting vulnerabilities and generating exploit is in critical demand. This paper proposes AutoExploit, which is an automatic scheme to detect various vulnerabilities and generate exploit in binary programs after bypassing the security mitigation. The method detects potential vulnerabilities including format string vulnerability and buffer overflow vulnerability using symbolic execution and dynamic analysis at the dangerous functions. For the potential buffer overflow vulnerability, this method generates exploit automatically by constructing constraints expressions and solving constraints after bypassing the security mitigation through code reuse. The effectiveness of our method is demonstrated using the datasets from CTF competition.

Lei Zhao,Debin Gao,Lina Wang

DOI: https://doi.org/10.1007/978-3-642-33383-5_10

2012-01-01

Abstract:Inputs to many application and server programs contain rich and consistent structural information. The propagation of such input in program execution could serve as accurate and reliable signatures for detecting memory corruptions. In this paper, we propose a novel approach to detect memory corruptions at the binary level. The basic insight is that different parts of an input are usually processed in different ways, e.g., by different instructions. Identifying individual parts in an input and learning the pattern in which they are processed is an attractive approach to detect memory corruptions. We propose a fine-grained dynamic taint analysis system to detect different fields in an input and monitor the propagation of these fields, and show that deviations from the execution pattern learned signal a memory corruption. We implement a prototype of our system and demonstrate its success in detecting a number of memory corruption attacks in the wild. In addition, we evaluate the overhead of our system and discuss its advantages over existing approaches and limitations.

魏强,韦韬,王嘉捷

DOI: https://doi.org/10.16511/j.cnki.qhdxxb.2011.10.015

2011-01-01

Abstract:Vulnerability exploitation and its mitigation technologies have always been important in vulnerability offense and defense research.Major operating systems and compilers provide support for exploit mitigation.This paper summarizes research on heap protection,address randomization,sandbox protection and other related technologies which have been developed.Among them,the three rounds of combat for GS and SafeSEH for stack protection focus on both offensive and defensive strategies.ROP,DeActive,Spray breakthroughs and counterattacking are analyzed to illustrate the evolution of data execution prevention.The truncation attack vector is used to monitor data integration destruction,undermine reliable exploitation,prevent control flow redirection,and isolate failure risk.Current exploit mitigation methods use data integrity testing protection,memory features removal based protection,execution control based protection,and fault isolation protection.The lack of bypass protection and other protection measure make existing mitigation methods less effective for protecting data flow hijacking and compound attack vectors.

Dorel Yaffe,Danny Hendler

DOI: https://doi.org/10.1007/978-3-030-78086-9_29

2021-03-30

Abstract:In recent years malware has become increasingly sophisticated and difficult to detect prior to exploitation. While there are plenty of approaches to malware detection, they all have shortcomings when it comes to identifying malware correctly prior to exploitation. The trade-off is usually between false positives, causing overhead, preventing normal usage and the risk of letting the malware execute and cause damage to the target. We present a novel end-to-end solution for in-memory malicious activity detection done prior to exploitation by leveraging machine learning capabilities based on data from unique run-time logs, which are carefully curated in order to detect malicious activity in the memory of protected processes. This solution achieves reduced overhead and false positives as well as deployment simplicity. We implemented our solution for Windows-based systems, employing multi disciplinary knowledge from malware research, machine learning, and operating system internals. Our experimental evaluation yielded promising results. As we expect future sophisticated malware may try to bypass it, we also discuss how our solution can be extended to thwart such bypassing attempts.

Cryptography and Security,Machine Learning

Jie Liu,Hang An,Jin Li,Hongliang Liang

DOI: https://doi.org/10.1145/3573428.3573550

2023-01-01

Abstract:Automated Exploit Generation (AEG) is a well-known difficult task, especially for heap vulnerabilities. The premise of this task is the determination of exploit primitives, and prior research efforts for exploit primitive determination are usually based on vulnerability identification. However, it is not always easy to discovery bugs using fuzzing or symbolic technologies for some programs. In this paper, we present a solution DEPA to determine exploit primitives based on primitive-crucial-behavior model for heap vulnerabilities. The core of DEPA contains two novel techniques, 1) primitive-crucial-behavior identification through pointer dependence analysis, and 2) exploit primitive determination method which includes triggering both vulnerabilities and exploit primitives. We evaluate DEPA on real-world CTF (capture the flag) programs with heap vulnerabilities and DEPA can discovery arbitrary write and arbitrary jump exploit primitives for some programs except for program multi-heap. Results showed that primitive-crucial-behavior identification and determining exploit primitives are accurate and effective by using our approach. In addition, DEPA is superior to the state-of-the-art tools in determining exploit primitives for the heap internal overflow vulnerability.

Xiaoqiang Wang,Xuguo Wang,Fangfang Zhu,Qingguo Zhou,Rui Zhou

DOI: https://doi.org/10.1109/ISSSR.2016.028

2016-01-01

Abstract:Lots of studies have shown that memory hardware error rates are orders of magnitude higher than previously reported. In order to fight with these memory hardware errors, many memory testing tools have been developed, especially software level online memory testers, which means these memory testers implemented in software can work with the OS (operating system) at the same time. However, validation of these online memory testers is a hard work. Since the real broken memory chips is hard to find and using a virtual machine to do this work is really complex. So we have developed a memory error injection tool - MEI (Memory Error Injection), which is implemented in software on Linux platform and easy to use. The core function of MEI is implemented in the form of a Linux kernel module. MEI also provides some user space tools for memory errors injection and manipulation. The testers to be validated need to use the read interfaces provided by MEI. We have used two exists memory testers, the modified RAMpage and COMeT+ model, to validate the effectiveness of MEI. The results of experiments have shown that these two testers could detect the emulated memory hardware errors injected by MEI effectively.