Dandan Xu,Kai Chen,Miaoqian Lin,Chaoyang Lin,XiaoFeng Wang

DOI: https://doi.org/10.1109/tifs.2023.3322319

IF: 7.231

2023-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Capture-the-flag (CTF) competitions have become highly successful in security education, and heap corruption is considered one of the most difficult and rewarding challenges due to its complexity and real-world impact. However, developing a heap exploit is a challenging task that often requires significant human involvement to manipulate memory layouts and bypass security checks. To facilitate the exploitation of heap corruption, existing solutions develop automated systems that rely on manually crafted patterns to generate exploits. Such manual patterns tend to be specific, which limits their flexibility to cope with the evolving exploit techniques. To address this limitation, we explore the problem of the automatic summarization of exploit patterns. We leverage an observation that public attack artifacts provide key insights into heap exploits. Based upon this observation, we develop AutoPwn, the first artifact-assisted AEG system that automatically summarizes exploit patterns from artifacts of known heap exploits and uses them to guide the exploitation of new programs. Considering the diversity of programs and exploits, we propose to use a novel Exploitation State Machine (ESM), with generic states and transitions to model the exploit patterns, and then efficiently construct it through combining the dynamic monitoring of exploits and the semantic analysis of their text descriptions. We implement a prototype of AutoPwn and evaluate it on 96 testing CTF binaries. The results show that AutoPwn produces 22 successful exploits and 13 partial exploits, preliminarily demonstrating its efficacy.

Zheyue Jiang,Yuan Zhang,Jun Xu,Xinqian Sun,Zhuang Liu,Min Yang

DOI: https://doi.org/10.1109/sp46215.2023.10179286

2023-01-01

Abstract:This paper studies the problem of cross-version exploitability assessment for Linux kernels. Specifically, given an exploit demonstrating the exploitability of a vulnerability on a specific kernel version, we aim to understand the exploitability of the same vulnerability on other kernel versions. To tackle crossversion exploitability assessment, automated exploit generation (AEG), a recently popular topic, is the only existing, applicable solution. However, AEG is not well-suited due to its templatedriven nature and ignorance of the capabilities offered by the available exploit. In this work, we introduce a new method, automated exploit migration (AEM), to facilitate cross-version exploitability assessment for Linux kernels. The key insight of AEM is the observation that the strategy adopted by the exploit is often applicable to other exploitable kernel versions. Technically, we consider the kernel version where the exploit works as a reference and adjust the exploit to force the other kernel versions to align with the reference. This way, we can reproduce the exploiting behaviors on the other versions. To reduce the cost and increase the feasibility, we strategically identify execution points that truly affect the exploitation and only enforce alignment at those points. We have designed and implemented a prototype of AEM. In our evaluation of 67 cases where exploit migration is needed, our prototype successfully migrates the exploit for 56 cases, producing a success rate of 83.5%.

Yu Wang,You Zhai,Zhoujun Li,Yipeng Zhang

DOI: https://doi.org/10.2139/ssrn.4632938

2023-01-01

Abstract:Automatic exploit generation (AEG) refers to the process of automatically finding the path in the program that can trigger vulnerabilities and generate exploits. The existing AEG usually sets the preset environment ideally, which does not enable all protection mechanisms. In response to this situation, we propose an exploit generation system Protection Bypass Automatic Exploit Generator (PBAEG) which automatically detects stack overflow vulnerabilities and format string vulnerabilities. Then PBAEG combines the above two vulnerabilities to generate exploits. PBAEG uses symbolic execution and dynamic binary analysis to find the above two vulnerabilities, adopts different exploit generation strategies for different protection mechanisms, and defeats Non-Executable (NX), Position-Independent Executable (PIE), Canary, and Address Space Layout Randomization (ASLR) protection mechanisms. At the same time, for some difficult-to-exploit situations, advanced stack overflow exploitation methods are applied to generate exploits. Finally, we also use docker to simulate the remote environment to test the ability of PBAEG to attack the remote environment. Experiments show that PBAEG can complete the vulnerability detection and exploitation generation of 124 binary files, 22 capture-the-flag (CTF) binary files, and 10 public softwares, which takes a shorter time than the existing AEG and covers more types of vulnerabilities.

Mingxi Ye,Xingwei Lin,Yuhong Nan,Jiajing Wu,Zibin Zheng

DOI: https://doi.org/10.1145/3650212.3680321

2024-01-01

Abstract:In the context of boosting smart contract applications, prioritizing their security becomes paramount. Smart contract exploits often result in notable financial losses. Ensuring their security is by no means trivial. Rather than resulting in program crashes, most attacks in on-chain smart contracts aim to induce financial loss, referred to as profitable exploits. By constructing seemingly innocuous inputs, profitable exploits try to extract extra profit or compromise the interests of others. However, due to the complexity of call chains in on-chain smart contracts and the need for effective oracles for profitable exploits, smart contract fuzzing suffers from low efficiency and low effectiveness in finding profitable exploits. In this paper, we present Midas, a novel feedback-driven fuzzing framework to mine profitable exploits in on-chain smart contracts effectively. Midas consists of two modules: diverse validity fuzzing and profitable transaction identification. The diverse validity fuzzing module applies two waypoints to efficiently generate valid transactions, addressing the complexity of on-chain smart contract call chains. The profitable transaction identification module applies differential analysis to effectively identify profitable exploits, addressing the limitation of ad-hoc oracles. Evaluation of Midas over on-chain smart contracts showed it effectively identified 40 real-world exploits with a precision of 80%, outperforming state-of-the-art tools (i.e., ItyFuzz and Slither) in both efficiency and effectiveness. Particularly, Midas effectively mines five unknown exploits in valuable smart contracts, and two of them have already been confirmed by their DApp developers.

Chao Zhang,Zhongyuan Qin,Liquan Chen,Xin Sun,Wen Wang

DOI: https://doi.org/10.1109/icsip57908.2023.10271009

2023-01-01

Abstract:The rapid growth of program complexity and the development of security mitigation for program have brought serious challenges to program security research. It is more difficult to evaluate program security efficiently by analyzing vulnerabilities manually. Therefore, an automatic method of detecting vulnerabilities and generating exploit is in critical demand. This paper proposes AutoExploit, which is an automatic scheme to detect various vulnerabilities and generate exploit in binary programs after bypassing the security mitigation. The method detects potential vulnerabilities including format string vulnerability and buffer overflow vulnerability using symbolic execution and dynamic analysis at the dangerous functions. For the potential buffer overflow vulnerability, this method generates exploit automatically by constructing constraints expressions and solving constraints after bypassing the security mitigation through code reuse. The effectiveness of our method is demonstrated using the datasets from CTF competition.

Peng Xu,Liangze Yin,Jiantong Ma,Dong Yang,Wei Dong

DOI: https://doi.org/10.1145/3609437.3609461

2023-01-01

Abstract:Buffer overflow vulnerabilities are prevalent in software applications, and their automatic detection and exploitation are of great significance. Modern operating systems implement security mitigation to prevent the exploitation of these vulnerabilities, which in turn become obstacles for automatic exploit generation (AEG). Many current AEG solutions do not fully consider security mitigation bypassing and the exploitation of vulnerabilities in special cases, resulting in an inability to accurately assess the exploitability of vulnerabilities in such scenarios. In this paper, we propose a feature-driven buffer overflow vulnerability automatic exploit generation method - FAEG, which uses optimized symbolic execution to search target software for potential buffer overflow vulnerabilities, constructs complete vulnerability models, and then adaptively selects appropriate exploitation techniques based on vulnerability type and features, bypassing system protection and generating effective exploit program. In this paper, we use FAEG to test 15 open-source Capture The Flag (CTF) challenges, successfully identifying vulnerabilities in all 15 applications and automatically generating exploitation schemes for 14 of these vulnerabilities. The results demonstrate that FAEG performs well in automatically detecting and exploiting vulnerabilities, achieving better bypassing of system security mitigation compared to existing AEG solutions, and offers higher success rates and flexibility.

Zhehui Liu,Zhongru Wang,Yuntao Zhang,Tong Liu,Binxing Fang,Zhengyuan Pang

DOI: https://doi.org/10.1109/dsc55868.2022.00017

2022-01-01

Abstract:Recently, more and more software vulnerabilities are disclosed and researchers tend to study on automatically discover and exploit the vulnerabilities. However, the main challenges of automated exploit generation are: 1) it is hard to analyze the program failure and extract useful information, 2) the scenario of the vulnerability too complex to successfully exploit. Therefore, This paper proposes a vulnerability exploit generation framework AEG-E. AEG-E can extract the control flow graph from the target program and employ the crash reproduce algorithm in symbolic execution to reduce the problem of path explosion. To adapt to complex vulnerability scenarios, we design the extendable and user-configurable exploit model to generate different exploit. Finally, we used the binaries from Robo Hacking Games and real world program to demonstrate the validity and efficiency of AEG-E. The experiment results shows that AEG-E is 2.913 times more efficient than previous exploit generation tool, REX.

Shenglin Xu,Yongjun Wang

DOI: https://doi.org/10.1155/2022/1251987

IF: 1.968

2022-01-01

Security and Communication Networks

Abstract:Stack buffer overflow vulnerability is a common software vulnerability that can overwrite function return addresses and hijack program control flow, causing serious system problems. Existing automated exploit generation (AEG) solutions cannot bypass position-independent executable (PIE) exploit mitigation and cannot cope with the situation where the standard output function is not introduced into the program. In this paper, we propose a solution to alleviate the above difficulties: BofAEG, which is based on symbolic execution and dynamic analysis to automatically detect stack buffer overflow vulnerability and generate exploit. We used to capture the flag (CTF) and common vulnerabilities and exposures (CVE) programs for experiments. Results show that BofAEG can not only detect and generate exploits effectively but also implement more exploit techniques and is faster than existing AEG solutions.

Minghua Wang,Purui Su,Qi Li,Lingyun Ying,Yi Yang,Dengguo Feng

DOI: https://doi.org/10.1007/978-3-319-04283-1_14

2013-01-01

Abstract:Generating exploits from the perspective of attackers is an effective approach towards severity analysis of known vulnerabilities. However, it remains an open problem to generate even one exploit using a program binary and a known abnormal input that crashes the program, not to mention multiple exploits. To address this issue, in this paper, we propose PolyAEG, a system that automatically generates multiple exploits for a vulnerable program using one corresponding abnormal input. To generate polymorphic exploits, we fully leverage different trampoline instructions to hijack control flow and redirect it to malicious code in the execution context. We demonstrate that, given a vulnerable program and one of its abnormal inputs, our system can generate polymorphic exploits for the program. We have successfully generated control flow hijacking exploits for 8 programs in our experiment. Particularly, we have generated 4,724 exploits using only one abnormal input for Irfan View, a widely used picture viewer.

Muhui Jiang,Xiaoye Zheng,Rui Chang,Yajin Zhou,Xiapu Luo

DOI: https://doi.org/10.1109/tse.2024.3406900

IF: 7.4

2024-01-01

IEEE Transactions on Software Engineering

Abstract:Emulators are commonly employed to construct dynamic analysis frameworks due to their ability to perform fine-grained tracing, monitor full system functionality, and run on diverse operating systems and architectures. Nonetheless, the consistency of emulators with the real devices, remains uncertain. To address this issue, our objective is to automatically identify inconsistent instructions that exhibit different behavior between emulators and real devices across distinct privileges, including user-level and system-level privilege.We target the Arm architecture, which provides machine-readable specifications. Based on the specification, we propose a sufficient test case generator by designing and implementing the first symbolic execution engine for the Arm architecture specification language (ASL). We generated 2,774,649 representative instruction streams and developed a differential testing engine, EXAMINER PRO. With this engine, we compared the behavior of real Arm devices across different instruction sets (A32, A64, T16, and T32) with the popular QEMU emulator, both at the user-level and system-level. To demonstrate the generalizability of EXAMINER PRO, we also tested two other emulators, namely Unicorn and Angr. We find that undefined implementation in Arm manual and bugs of emulators are the major causes of inconsistencies. Furthermore, we discover 17 bugs, which influence commonly used instructions (e.g., BLX). With the inconsistent instructions, we build three security applications and demonstrate the capability of these instructions on detecting emulators, anti-emulation, and anti-fuzzing.

Yan Wang,Wei Wu,Chao Zhang,Xinyu Xing,Xiaorui Gong,Wei Zou

DOI: https://doi.org/10.1186/s42400-019-0028-9

2019-01-01

Abstract:Exploitability assessment of vulnerabilities is important for both defenders and attackers. The ultimate way to assess the exploitability is crafting a working exploit. However, it usually takes tremendous hours and significant manual efforts. To address this issue, automated techniques can be adopted. Existing solutions usually explore in depth the crashing paths, i.e., paths taken by proof-of-concept (PoC) inputs triggering vulnerabilities, and assess exploitability by finding exploitable states along the paths. However, exploitable states do not always exist in crashing paths. Moreover, existing solutions heavily rely on symbolic execution and are not scalable in path exploration and exploit generation. In this paper, we propose a novel solution to generate exploit for userspace programs or facilitate the process of crafting a kernel UAF exploit. Technically, we utilize oriented fuzzing to explore diverging paths from vulnerability point. For userspace programs, we adopt a control-flow stitching solution to stitch crashing paths and diverging paths together to generate exploit. For kernel UAF, we leverage a lightweight symbolic execution to identify, analyze and evaluate the system calls valuable and useful for exploiting vulnerabilities. We have developed a prototype system and evaluated it on a set of 19 CTF (capture the flag) programs and 15 realworld Linux kernel UAF vulnerabilities. Experiment results showed it could generate exploit for most of the userspace test set, and it could also facilitate security mitigation bypassing and exploitability evaluation for kernel test set.

Jie Liu,Hang An,Jin Li,Hongliang Liang

DOI: https://doi.org/10.1145/3573428.3573550

2023-01-01

Abstract:Automated Exploit Generation (AEG) is a well-known difficult task, especially for heap vulnerabilities. The premise of this task is the determination of exploit primitives, and prior research efforts for exploit primitive determination are usually based on vulnerability identification. However, it is not always easy to discovery bugs using fuzzing or symbolic technologies for some programs. In this paper, we present a solution DEPA to determine exploit primitives based on primitive-crucial-behavior model for heap vulnerabilities. The core of DEPA contains two novel techniques, 1) primitive-crucial-behavior identification through pointer dependence analysis, and 2) exploit primitive determination method which includes triggering both vulnerabilities and exploit primitives. We evaluate DEPA on real-world CTF (capture the flag) programs with heap vulnerabilities and DEPA can discovery arbitrary write and arbitrary jump exploit primitives for some programs except for program multi-heap. Results showed that primitive-crucial-behavior identification and determining exploit primitives are accurate and effective by using our approach. In addition, DEPA is superior to the state-of-the-art tools in determining exploit primitives for the heap internal overflow vulnerability.

YANG Song-Tao,CHEN Kai-Xiang,WANG Zhun,ZHANG Chao

DOI: https://doi.org/10.21655/ijsi.1673-7288.00290

2022-01-01

International Journal of Software and Informatics

Abstract:PDF HTML XML Export Cite reminder Exploit-oriented Automated Information Leakage DOI: 10.21655/ijsi.1673-7288.00290 Author: Affiliation: Clc Number: Fund Project: Article | Figures | Metrics | Reference | Related | Cited by | Materials | Comments Abstract:Automatic Exploit Generation (AEG) has become one of the most important ways to demonstrate the exploitability of vulnerabilities. However, state-of-the-art AEG solutions in general assume the target system has no mitigations deployed, which is not true in modern operating systems since they often deploy mitigations like Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR). This paper presents the automatic solution EoLeak that can exploit heap vulnerabilities to leak sensitive data and bypass ASLR and DEP at the same time. At a high level, EoLeak analyzes the program execution trace of the Proof-Of-Concept (POC) input that triggers the heap vulnerabilities, characterizes the memory profile from the trace, locates sensitive data (e.g., code pointers), constructs leakage primitives that disclose sensitive data, and generates exploits for the entire process when possible. We have implemented a prototype of EoLeak and evaluated it on a set of Capture The Flag (CTF) binary programs and several real-world applications. Evaluation results reveal that EoLeak is effective at leaking data and generating exploits. Reference Related Cited by

Yun-Peng WAN,Yi DENG,Dong-Hui SHI,Liang CHENG,Yang ZHANG

DOI: https://doi.org/10.15888/j.cnki.csa.005991

2017-01-01

Abstract:In this paper we present BAEG,a system to automatically look for exploitable bugs in the binary program.Every bug reported by BAEG is accompanied by the control flow hijacking exploit.The working exploits ensure robustness that each bug report is security-critical and exploitable.Giving BAEG a vulnerable program and an input crash,the challenges are:1) how to replay crash and get the state of crash;2) how to automatically generate exploit.For the first challenge,we present a path-guided algorithm,take crash input as symbolic data,and replay crash path.For the second challenge,we summarize the principles of multiple control-flow hijack and establish the corresponding exploit generation model.Besides,BAEG can explore deep code especially for invalid symbolic read and symbolic write,which can help us decide whether there still are exploits at deeper code.

Yu Wang,Yipeng Zhang,Zhoujun Li

DOI: https://doi.org/10.3390/sym15122197

2023-01-01

Symmetry

Abstract:Automatic Exploit Generation (AEG) involves automatically discovering paths in a program that trigger vulnerabilities, thereby generating exploits. While there is considerable research on heap-related vulnerability detection, such as detecting Heap Overflow and Use After Free (UAF) vulnerabilities, among contemporary heap-automated exploit techniques, only certain automated exploit techniques can hijack program control flow to the shellcode. An important limitation of this approach is that it cannot effectively bypass Linux’s protection mechanisms. To solve this problem, we introduced Automatic Advanced Heap Exploit Generation (AAHEG). It first applies symbolic execution to analyze heap-related primitives in files and then detects potential heap-related vulnerabilities without a source code. After identifying these vulnerabilities, AAHEG builds an exploit abstract syntax tree (AST) to identify one or more successful exploit strategies, such as fast bin attack and Safe-unlink. AAHEG then selects exploitable methods via an abstract syntax tree (AST) and performs final testing to produce the final exploit. AAHEG chose to generate advanced heap-related exploits because the exploits can bypass Linux protections. Basically, AAHEG can automatically detect heap-related vulnerabilities in binaries without source code, build an exploit AST, choose from a variety of advanced heap exploit methods, bypass all Linux protection mechanisms, and generate final file-form exploit based on pwntools which can pass local and remote testing. Experimental results show that AAHEG successfully completed vulnerability detection and exploit generation for 20 Capture The Flag (CTF) binary files, 11 of which have all protection mechanisms enabled.

Yan Wang,Chao Zhang,Xiaobo Xiang,Zixuan Zhao,Bingchang Liu,Wenjie Li,Xiaorui Gong,Kaixiang Chen,Wei Zou

DOI: https://doi.org/10.1145/3243734.3243847

2018-01-01

Abstract:Automatic exploit generation is an open challenge. Existing solutions usually explore in depth the crashing paths, i.e., paths taken by proof-of-concept (PoC) inputs triggering vulnerabilities, and generate exploits when exploitable states are found along the paths. However, exploitable states do not always exist in crashing paths. Moreover, existing solutions heavily rely on symbolic execution and are not scalable in path exploration and exploit generation. In addition, few solutions could exploit heap-based vulnerabilities.In this paper, we propose a new solution Revery to search for exploitable states in paths diverging from crashing paths, and generate control-flow hijacking exploits for heap-based vulnerabilities. It adopts three novel techniques: (1) a layout-contributor digraph to characterize a vulnerability's memory layout and its contributor instructions; (2) a layout-oriented fuzzing solution to explore diverging paths, which have similar memory layouts as the crashing paths, in order to search more exploitable states and generate corresponding diverging inputs; (3) a control-flow stitching solution to stitch crashing paths and diverging paths together, and synthesize EXP inputs able to trigger both vulnerabilities and exploitable states.We have developed a prototype of Revery based on the binary analysis engine angr, and evaluated it on a set of 19 CTF (capture the flag) programs. Experiment results showed that it could generate exploits for 9 (47%) of them, and generate EXP inputs able to trigger exploitable states for another 5 (26%) of them.

Xueshuai Ge,Tieming Liu,Yaobin Xie,YuanYuan Zhang

DOI: https://doi.org/10.1117/12.2682314

2023-01-01

Abstract:With increasing number of software vulnerabilities, the quantity of attacks utilizing malicious samples is also on rise, leading to intensified adversarial competition. In particular, the application of automatic vulnerability mining techniques has resulted in a significant increase in the number of vulnerabilities, but security researchers often do not have enough time to deal with them. This paper proposes a symbol-execution-based automated vulnerability exploitation method, which can achieve automation of vulnerability detection, classification and exploitation. Finally, this paper designs and implements a prototype system for symbol-execution-based automated vulnerability exploitation and verifies its effectiveness through experiments. This research provides security analysts with an in-depth understanding of the types of vulnerabilities and determines methods for vulnerability exploitability, further improving the efficiency of analyzing and fixing vulnerabilities.

Hui Huang,Yuliang Lu,Zulie Pan,Kailong Zhu,Lu Yu,Liqun Zhang

DOI: https://doi.org/10.3390/app12136593

2022-01-01

Applied Sciences

Abstract:Current automatic exploit generation solutions generally adopt an 1-step exploit generation philosophy and neglect the potential difference between analysis-time environment and runtime environment. Therefore, they usually fail in evaluating exploitability for vulnerable programs running in an ASLR environment. We propose ExpGen, a 2-step vulnerability-exploitability evaluation solution for binary programs running in an ASLR environment, with three novel techniques introduced, separately partial-exploit sensitive-POC generation, exploitation context sensitive analysis-time exploit generation, and runtime exploit relocation. ExpGen firstly generates an analysis-time exploit that can carry out all the desired exploitation steps through applying the first two techniques in an iterative manner, then dynamically gaps the address-space layout differences between the analysis-time environment and runtime environment by adopting the runtime exploit-relocation technique, making the analysis-time exploit dynamically adaptable to the runtime exploitation session. Using a benchmark containing six test programs, 10 CTF&RHG programs and four real-world applications with known vulnerabilities, we demonstrate that ExpGen can effectively generate partial exploit input that carries out some address-leakage event and provide a complete automated exploitability evaluation workflow on vulnerable programs running in the ASLR environment.

Yan Wang,Chao Zhang,Xiaobo Xiang,Zixuan Zhao,Wen-Jie Li,Xiaojing Gong,Bingchang Liu,Kaixiang Chen,Wei Zou

DOI: https://doi.org/10.1145/3243734.3243847

2018-01-01

Abstract:Automatic exploit generation is an open challenge. Existing solutions usually explore in depth the crashing paths, i.e., paths taken by proof-of-concept (POC) inputs triggering vulnerabilities, and generate exploits when exploitable states are found along the paths. However, exploitable states do not always exist in crashing paths. Moreover, existing solutions heavily rely on symbolic execution and are not scalable in path exploration and exploit generation. In addition, few solutions could exploit heap-based vulnerabilities. In this paper, we propose a new solution revery to search for exploitable states in paths diverging from crashing paths, and generate control-flow hijacking exploits for heap-based vulnerabilities. It adopts three novel techniques:(1) a digraph to characterize a vulnerability's memory layout and its contributor instructions;(2) a fuzz solution to explore diverging paths, which have similar memory layouts as the crashing paths, in order to search more exploitable states and generate corresponding diverging inputs;(3) a stitch solution to stitch crashing paths and diverging paths together, and synthesize EXP inputs able to trigger both vulnerabilities and exploitable states. We have developed a prototype of revery based on the binary analysis engine angr, and evaluated it on a set of 19 real world CTF (capture the flag) challenges. Experiment results showed that it could generate exploits for 9 (47%) of them, and generate EXP inputs able to trigger exploitable states for another 5 (26%) of them.

Luhang Xu,Weixi Jia,Wei Dong,Yongjun Li

DOI: https://doi.org/10.1109/qrs-c.2018.00085

2018-01-01

Abstract:Buffer overflow vulnerabilities are widely found in software. Finding these vulnerabilities and identifying whether these vulnerabilities can be exploit is very important. However, it is not easy to find all of the buffer overflow vulnerabilities in software programs, and it is more difficult to find and exploit these vulnerabilities in binary programs. This paper proposes a method and a corresponding tool that automatically finds buffer overflow vulnerabilities in binary programs, and then automatically generate exploit for the vulnerability. The tool uses symbolic execution to search the target software and find potential buffer overflow vulnerabilities, then try to bypass system protection by choosing different exploiting method according to the different level of protections. Finally, the exploit of software vulnerability is generated using constraint solver. The method and tool can automatically find vulnerabilities and generate exploits for three kinds of protection: without system protection, with address space layout randomization protection, and with stack non-executable protection.