AAHEG: Automatic Advanced Heap Exploit Generation Based on Abstract Syntax Tree
Author:
Wang Yu 1, Zhang Yipeng 2, Li Zhoujun 1
Affiliation:
1. State Key Lab of Software Development Environment, Beihang University, Beijing 100191, China
2. School of Information Science and Technology, North China University of Technology, Beijing 100144, China
Abstract
Automatic Exploit Generation (AEG) automatically discovers program paths that trigger vulnerabilities and uses them to generate exploits. Although there is considerable research on detecting heap-related vulnerabilities such as heap overflow and use-after-free (UAF), among contemporary automated heap exploitation techniques only some can hijack program control flow to shellcode, and an important limitation of that approach is that it cannot effectively bypass Linux’s protection mechanisms. To address this, we introduce Automatic Advanced Heap Exploit Generation (AAHEG). It first applies symbolic execution to analyze heap-related primitives in a binary and then detects potential heap-related vulnerabilities without source code. After identifying these vulnerabilities, AAHEG builds an exploit abstract syntax tree (AST) that captures one or more successful exploit strategies, such as fast bin attack and Safe-unlink, selects an exploitable method from that AST, and performs final testing to produce the exploit. AAHEG generates advanced heap-related exploits because they can bypass Linux protections. In summary, AAHEG can automatically detect heap-related vulnerabilities in binaries without source code, build an exploit AST, choose among a variety of advanced heap exploit methods, bypass all Linux protection mechanisms, and generate a final exploit file based on pwntools that passes both local and remote testing. Experimental results show that AAHEG successfully completed vulnerability detection and exploit generation for 20 Capture The Flag (CTF) binaries, 11 of which have all protection mechanisms enabled.
Funder
National Natural Science Foundation of China
2022 Tencent Big Travel Rhino-Bird Special Research Program
Fund of the State Key Laboratory of Software Development Environment
Subject
Physics and Astronomy (miscellaneous), General Mathematics, Chemistry (miscellaneous), Computer Science (miscellaneous)