HAEPG: An Automatic Multi-hop Exploitation Generation Framework

Automatic exploit generation for heap vulnerabilities is an open challenge. Current studies require a sensitive pointer on the heap to hijack the control flow and pay little attention to vulnerabilities with limited capabilities. In this paper, we propose HAEPG, an automatic exploit framework that can utilize known exploitation techniques to guide exploit generation. We implemented a prototype of HAEPG based on the symbolic execution engine S2E [15] and provided four exploitation techniques for it as prior knowledge. HAEPG takes crashing inputs, programs, and prior knowledge as input, and generates exploits for vulnerabilities with limited capabilities by abusing the heap allocator's internal functionalities. We evaluated HAEPG with 24 CTF programs, and the results show that HAEPG is able to accurately reason about the type of vulnerability for 21 (87.5%) of them, and to generate exploits that spawn a shell for 16 (66.7%) of them. All the exploits could bypass the NX [25] and Full RELRO [28] security mechanisms.

[1] David Brumley, et al. AEG: Automatic Exploit Generation, 2011, NDSS.

[2] Christopher Krügel, et al. HeapHopper: Bringing Bounded Model Checking to Heap Implementation Security, 2018, USENIX Security Symposium.

[3] Daniel Kroening, et al. Automatic Generation of Control Flow Hijacking Exploits for Software Vulnerabilities, 2009, MSc Computer Science Dissertation.

[4] Daniel Kroening, et al. Automatic Heap Layout Manipulation for Exploitation, 2018, USENIX Security Symposium.

[5] Yueqi Chen, et al. SLAKE: Facilitating Slab Manipulation for Exploiting Vulnerabilities in the Linux Kernel, 2019, CCS.

[6] Daniel Kroening, et al. Gollum: Modular and Greybox Exploit Generation for Heap Overflows in Interpreters, 2019, CCS.

[7] Taesoo Kim, et al. Automatic Techniques to Systematically Discover New Heap Exploitation Primitives, 2020, USENIX Security Symposium.

[8] Wei Wu, et al. FUZE: Towards Facilitating Exploit Generation for Kernel Use-After-Free Vulnerabilities, 2018, USENIX Security Symposium.

[9] George Candea, et al. S2E: A Platform for In-Vivo Multi-Path Analysis of Software Systems, 2011, ASPLOS XVI.

[10] Giovanni Vigna, et al. Mechanical Phish: Resilient Autonomous Hacking, 2018, IEEE Security & Privacy.

[11] Christopher Krügel, et al. SOK: (State of) The Art of War: Offensive Techniques in Binary Analysis, 2016, IEEE Symposium on Security and Privacy (SP).

[12] Christopher Krügel, et al. Driller: Augmenting Fuzzing Through Selective Symbolic Execution, 2016, NDSS.

[13] Shih-Kun Huang, et al. CRAX: Software Crash Analysis for Automatic Exploit Generation by Modeling Attacks as Symbolic Continuations, 2012, IEEE Sixth International Conference on Software Security and Reliability.

[14] David Brumley, et al. Unleashing Mayhem on Binary Code, 2012, IEEE Symposium on Security and Privacy.

[15] Chao Zhang, et al. Revery: From Proof-of-Concept to Exploitable, 2018, CCS.