CanaryExp: A Canary-Sensitive Automatic Exploitability Evaluation Solution for Vulnerabilities in Binary Programs-Reference-Cited by-同舟云学术

CanaryExp: A Canary-Sensitive Automatic Exploitability Evaluation Solution for Vulnerabilities in Binary Programs

Published:2023-11-21 Issue:23 Volume:13 Page:12556
ISSN:2076-3417
Container-title:Applied Sciences
language:en
Short-container-title:Applied Sciences

Author:

Huang Hui¹²^ORCID,Lu Yuliang¹²,Zhu Kailong¹²^ORCID,Zhao Jun¹²

Affiliation:

1. College of Electronic Engineering, National University of Defense Technology, Hefei 230037, China

2. Anhui Province Key Laboratory of Cyberspace Security Situation Awareness and Evaluation, Hefei 230037, China

Abstract

We propose CanaryExp, an exploitability evaluation solution for vulnerabilities among binary programs protected by StackGuard. CanaryExp devises three novel techniques, namely canary leakage proof of concept generation, canary leaking analysis time exploitation, and dynamic canary-relocation-based exploitability evaluation. The canary leakage proof of concept input generation mechanism first traces the target program’s execution, transforming the execution state into some canary leaking state, from which some canary leaking input is derived. This input can be deemed as proof that some vulnerability that can lead to canary leakage exists. The canary leaking analysis time exploit generation then performs incremental analysis based on the canary leaking input, crafting analysis time exploit that can complete vulnerability exploitation in the analysis time environment. Based on the analysis time exploit, the dynamic canary-relocation-based exploitability evaluation component collects the necessary metadata, on which an exploitation session is automatically constructed that can not only leak the runtime canary and relocate it in the input stream but also evaluate the exploitability of the desired vulnerability. Using a benchmark containing six test programs, eight challenges from some network challenging events and four real-world applications, we demonstrate that CanaryExp can generate canary leaking samples more effectively than existing test case generation methods and automatically evaluate the exploitability for vulnerabilities among programs where the StackGuard protection mechanism is deployed.

Publisher

MDPI AG

Subject

Fluid Flow and Transfer Processes,Computer Science Applications,Process Chemistry and Technology,General Engineering,Instrumentation,General Materials Science

Link

https://www.mdpi.com/2076-3417/13/23/12556/pdf

Reference46 articles.

1. Avgerinos, T., Cha, S.K., Hao, B.L.T., and Brumley, D. (2011, January 6–9). AEG: Automatic Exploit Generation. Proceedings of the Network and Distributed System Security Symposium, NDSS’11, San Diego, CA, USA.

2. Huang, S.K., Huang, M.H., Huang, P.Y., Lai, C.W., Lu, H.L., and Leong, W.M. (2012, January 20–22). CRAX: Software Crash Analysis for Automatic Exploit Generation by Modeling Attacks as Symbolic Continuations. Proceedings of the 2012 IEEE Sixth International Conference on Software Security and Reliability, Gaithersburg, MD, USA.

3. Shellphish (2023, September 20). Rex. Available online: https://github.com/angr/rex.

4. Cha, S.K., Avgerinos, T., Rebert, A., and Brumley, D. (2012, January 20–23). Unleashing Mayhem on Binary Code. Proceedings of the 2012 IEEE Symposium on Security and Privacy, SP’12, San Francisco, CA, USA.

5. Satisfiability Modulo Theories;Barrett;Handb. Satisf.,2009