Automatic Techniques to Systematically Discover New Heap Exploitation Primitives

Heap exploitation techniques to abuse the metadata of allocators have been widely studied since they are application independent and can be used in restricted environments that corrupt only metadata. Although prior work has found several interesting exploitation techniques, they are ad-hoc and manual, which cannot effectively handle changes or a variety of allocators. In this paper, we present a new naming scheme for heap exploitation techniques that systematically organizes them to discover the unexplored space in finding the techniques and ArcHeap, the tool that finds heap exploitation techniques automatically and systematically regardless of their underlying implementations. For that, ArcHeap generates a set of heap actions (e.g. allocation or deallocation) by leveraging fuzzing, which exploits common designs of modern heap allocators. Then, ArcHeap checks whether the actions result in impact of exploitations such as arbitrary write or overlapped chunks that efficiently determine if the actions can be converted into the exploitation technique. Finally, from these actions, ArcHeap generates Proof-of-Concept code automatically for an exploitation technique. We evaluated ArcHeap with real-world allocators --- ptmalloc, jemalloc, and tcmalloc --- and custom allocators from the DARPA Cyber Grand Challenge. ArcHeap successfully found 14 out of 16 known exploitation techniques and found five new exploitation techniques in ptmalloc. Moreover, ArcHeap found several exploitation techniques for jemalloc, tcmalloc, and even for the custom allocators. Further, ArcHeap can automatically show changes in exploitation techniques along with version change in ptmalloc using differential testing.

[1]  Hanqing Zhao,et al.  Breaking Turtles All the Way Down: An Exploitation Chain to Break out of VMware ESXi , 2019, WOOT @ USENIX Security Symposium.

[2]  Chupoo Alafonté,et al.  Yesterday , 2023, Calabash. A journal of Caribbean arts and letters.

[3]  Wenke Lee,et al.  Preventing Use-after-free with Dangling Pointers Nullification , 2015, NDSS.

[4]  Yang Liu,et al.  Skyfire: Data-Driven Seed Generation for Fuzzing , 2017, 2017 IEEE Symposium on Security and Privacy (SP).

[5]  Andreas Zeller,et al.  Yesterday, my program worked. Today, it does not. Why? , 1999, ESEC/FSE-7.

[6]  David Brumley,et al.  Enhancing symbolic execution with veritesting , 2014, ICSE.

[7]  Poul-Henning Kamp malloc(3) Revisited , 1998, USENIX Annual Technical Conference.

[8]  Hui Liu,et al.  New Exploit Methods against Ptmalloc of GLIBC , 2016, 2016 IEEE Trustcom/BigDataSE/ISPA.

[9]  Herbert Bos,et al.  VUzzer: Application-aware Evolutionary Fuzzing , 2017, NDSS.

[10]  Zhiqiang Lin,et al.  FreeGuard: A Faster Secure Heap Allocator , 2017, CCS.

[11]  Sang Kil Cha,et al.  IMF: Inferred Model-based Fuzzer , 2017, CCS.

[12]  Lorenzo Cavallaro,et al.  Modular Synthesis of Heap Exploits , 2017, PLAS@CCS.

[13]  Daniel Kroening,et al.  Gollum: Modular and Greybox Exploit Generation for Heap Overflows in Interpreters , 2019, CCS.

[14]  Daniel Kroening,et al.  Automatic Heap Layout Manipulation for Exploitation , 2018, USENIX Security Symposium.

[15]  Andrew McGregor,et al.  Mesh: compacting memory management for C/C++ applications , 2019, PLDI.

[16]  Salvatore J. Stolfo,et al.  NEZHA: Efficient Domain-Independent Differential Testing , 2017, 2017 IEEE Symposium on Security and Privacy (SP).

[17]  Zhiqiang Lin,et al.  Guarder: A Tunable Secure Allocator , 2018, USENIX Security Symposium.

[18]  David Brumley,et al.  AEG: Automatic Exploit Generation , 2011, NDSS.

[19]  Zhendong Su,et al.  Coverage-directed differential testing of JVM implementations , 2016, PLDI.

[20]  Xuejun Yang,et al.  Finding and understanding bugs in C compilers , 2011, PLDI '11.

[21]  Andrew Ruef,et al.  Evaluating Fuzz Testing , 2018, CCS.

[22]  David Brumley,et al.  Automatic Patch-Based Exploit Generation is Possible: Techniques and Implications , 2008, 2008 IEEE Symposium on Security and Privacy (sp 2008).

[23]  Mathias Payer,et al.  T-Fuzz: Fuzzing by Program Transformation , 2018, 2018 IEEE Symposium on Security and Privacy (SP).

[24]  Hao Chen,et al.  Angora: Efficient Fuzzing by Principled Search , 2018, 2018 IEEE Symposium on Security and Privacy (SP).

[25]  Junfeng Yang,et al.  DeepXplore: Automated Whitebox Testing of Deep Learning Systems , 2017, SOSP.

[26]  Zhiqiang Lin,et al.  IoTFuzzer: Discovering Memory Corruptions in IoT Through App-based Fuzzing , 2018, NDSS.

[27]  David Brumley,et al.  Q: Exploit Hardening Made Easy , 2011, USENIX Security Symposium.

[28]  Wen Xu,et al.  CAB-Fuzz: Practical Concolic Testing Techniques for COTS Operating Systems , 2017, USENIX Annual Technical Conference.

[29]  Peiyuan Zong,et al.  SemFuzz: Semantics-based Automatic Generation of Proof-of-Concept Exploits , 2017, CCS.

[30]  Emery D. Berger,et al.  DieHarder: securing the heap , 2010, CCS '10.

[31]  Christopher Krügel,et al.  HeapHopper: Bringing Bounded Model Checking to Heap Implementation Security , 2018, USENIX Security Symposium.

[32]  Yang Liu,et al.  Steelix: program-state based binary fuzzing , 2017, ESEC/SIGSOFT FSE.

[33]  Dinghao Wu,et al.  In-memory fuzzing for binary code similarity analysis , 2017, 2017 32nd IEEE/ACM International Conference on Automated Software Engineering (ASE).

[34]  David Brumley,et al.  Unleashing Mayhem on Binary Code , 2012, 2012 IEEE Symposium on Security and Privacy.

[35]  Vitaly Shmatikov,et al.  Using Frankencerts for Automated Adversarial Testing of Certificate Validation in SSL/TLS Implementations , 2014, 2014 IEEE Symposium on Security and Privacy.

[36]  Christopher Krügel,et al.  SOK: (State of) The Art of War: Offensive Techniques in Binary Analysis , 2016, 2016 IEEE Symposium on Security and Privacy (SP).

[37]  Angelos D. Keromytis,et al.  SlowFuzz: Automated Domain-Independent Detection of Algorithmic Complexity Vulnerabilities , 2017, CCS.

[38]  Wenke Lee,et al.  Unleashing Use-Before-Initialization Vulnerabilities in the Linux Kernel Using Targeted Stack Spraying , 2017, NDSS.

[39]  Andreas Zeller,et al.  Fuzzing with Code Fragments , 2012, USENIX Security Symposium.

[40]  Chao Zhang,et al.  Revery: From Proof-of-Concept to Exploitable , 2018, CCS.