標題: Software Crash Analysis for Automatic Exploit Generation on Binary Programs
作者: Huang, Shih-Kun
Huang, Min-Hsiang
Huang, Po-Yen
Lu, Han-Lin
Lai, Chung-Wei
資訊工程學系
資訊技術服務中心
Department of Computer Science
Information Technology Services Center
關鍵字: Automatic exploit generation;bug forensics;software crash analysis;symbolic execution;taint analysis
公開日期: 1-Mar-2014
摘要: This paper presents a new method, capable of automatically generating attacks on binary programs from software crashes. We analyze software crashes with a symbolic failure model by performing concolic executions following the failure directed paths, using a whole system environment model and concrete address mapped symbolic memory in (SE)-E-2 We propose a new selective symbolic input method and lazy evaluation on pseudo symbolic variables to handle symbolic pointers and speed up the process. This is an end-to-end approach able to create exploits from crash inputs or existing exploits for various applications, including most of the existing benchmark programs, and several large scale applications, such as a word processor (Microsoft office word), a media player (mpalyer), an archiver (unrar), or a pdf reader (foxit). We can deal with vulnerability types including stack and heap overflows, format string, and the use of uninitialized variables. Notably, these applications have become software fuzz testing targets, but still require a manual process with security knowledge to produce mitigation-hardened exploits. Using this method to generate exploits is an automated process for software failures without source code. The proposed method is simpler, more general, faster, and can be scaled to larger programs than existing systems. We produce the exploits within one minute for most of the benchmark programs, including mplayer. We also transform existing exploits of Microsoft office word into new exploits within four minutes. The best speedup is 7,211 times faster than the initial attempt. For heap overflow vulnerability, we can automatically exploit the unlink() macro of glibc, which formerly requires sophisticated hacking efforts.
URI: http://dx.doi.org/10.1109/TR.2014.2299198
http://hdl.handle.net/11536/24012
ISSN: 0018-9529
DOI: 10.1109/TR.2014.2299198
期刊: IEEE TRANSACTIONS ON RELIABILITY
Volume: 63
Issue: 1
起始頁: 270
結束頁: 289
Appears in Collections:Articles


Files in This Item:

  1. 000332520700022.pdf