Automatic exploitation generation method of write-what-where vulnerability

Huafeng HUANG; Purui SU; Yi YANG; Xiangkun JIA

doi:10.11959/j.issn.1000-436x.2022003

您当前的位置：

首页 >

文章列表页 >

Automatic exploitation generation method of write-what-where vulnerability

Papers | 更新时间：2024-06-05

- Automatic exploitation generation method of write-what-where vulnerability
- Journal on Communications Vol. 43, Issue 1, Pages: 83-95(2022)
- 作者机构：
  
  1. 中国科学院软件研究所可信计算与信息保障实验室，北京 100190
  2. 中国科学院大学计算机科学与技术学院，北京 100190
- 作者简介：
- 基金信息：
  
  The National Natural Science Foundation of China(U1736209);The National Natural Science Foundation of China(61572483);The National Natural Science Foundation of China(U1836117);The National Natural Science Foundation of China(U1836113);The National Natural Science Foundation of China(62102406);The Strategic Priority Research Program of the Chinese Academy of Sciences(XDC02020300)
- DOI：10.11959/j.issn.1000-436x.2022003
  CLC： TP311
- Online First：2022-01，
  
  Published：25 January 2022
- 稿件说明：
移动端阅览
Huafeng HUANG, Purui SU, Yi YANG, et al. Automatic exploitation generation method of write-what-where vulnerability[J]. Journal on Communications, 2022, 43(1): 83-95.
DOI：

Huafeng HUANG, Purui SU, Yi YANG, et al. Automatic exploitation generation method of write-what-where vulnerability[J]. Journal on Communications, 2022, 43(1): 83-95. DOI： 10.11959/j.issn.1000-436x.2022003.

摘要

针对现有漏洞自动利用生成方法无法实现从“可控内存写”到“控制流劫持”的自动构造问题，提出一种可控内存写漏洞的自动利用生成方法。首先，基于内存地址控制力度的动态污点分析方法检测可控内存写漏洞；然后，基于漏洞利用模式进行利用要素搜索，通过约束求解自动构造可控内存写漏洞的利用。实验结果表明，所提方法可以有效检测可控内存写漏洞，搜索漏洞利用要素，自动生成从可控内存写到控制流劫持的利用。

Abstract

To solve the problem that the current vulnerability automatic exploitation generation methods cannot automatically generate control-flow-hijacking exploitation from write-what-where

a method of automatic exploitation generation for write-what-where was proposed.First

the write-what-where vulnerability was detected based on the memory address control strength dynamic taint analysis method.Then

the vulnerability exploitation elements were searched based on the vulnerability exploitation modes

and the exploitation of write-what-where vulnerability was generated automatically by constraint solving.The experimental results show that the proposed method can effectively detect write-what-where vulnerability

search exploitation elements

and automatically generate the control-flow-hijacking exploitation from write-what-where.

关键词

Keywords

references

孙鸿宇 , 何远 , 王基策 , 等 . 人工智能技术在安全漏洞领域的应用 [J ] . 通信学报 , 2018 , 39 ( 8 ): 1 - 17 .

UN H Y , HE Y , WANG J C , et al . Application of artificial intelligence technology in the field of security vulnerability [J ] . Journal on Communications , 2018 , 39 ( 8 ): 1 - 17 .

SONG J , ALVES-FOSS J , . The DARPA cyber grand challenge:a competitor’s perspective [J ] . IEEE Security ＆ Privacy , 2015 , 13 ( 6 ): 72 - 76 .

BRUMLEY D , POOSANKAM P , SONG D , et al . Automatic patch-based exploit generation is possible:techniques and implications [C ] // Proceedings of 2008 IEEE Symposium on Security and Privacy . Piscataway:IEEE Press , 2008 : 143 - 157 .

AVGERINOS T , CHA S K , HAO B L T , et al . AEG:automatic exploit generation [C ] // Network and Distributed System Security Symposium . San Diego:DBLP , 2011 : 1 - 18 .

AVGERINOS T , CHA S K , REBERT A , et al . Automatic exploit generation [J ] . Communications of the ACM , 2014 , 57 ( 2 ): 74 - 84 .

CHA S K , AVGERINOS T , REBERT A , et al . Unleashing mayhem on binary code [C ] // 2012 IEEE Symposium on Security and Privacy . Piscataway:IEEE Press , 2012 : 380 - 394 .

WANG M H , SU P R , LI Q , et al . Automatic polymorphic exploit generation for software vulnerabilities [C ] // Security and Privacy in Communication Networks . Cham:Springer , 2013 : 216 - 233 .

HUANG S K , HUANG M H , HUANG P Y , et al . CRAX:software crash analysis for automatic exploit generation by modeling attacks as symbolic continuations [C ] // Proceedings of 2012 IEEE Sixth International Conference on Software Security and Reliability . Piscataway:IEEE Press , 2012 : 78 - 87 .

HE L , CAI Y , HU H , et al . Automatically assessing crashes from heap overflows [C ] // Proceedings of 2017 32nd IEEE/ACM International Conference on Automated Software Engineering (ASE) . Piscataway:IEEE Press , 2017 : 274 - 279 .

WANG Y , ZHANG C , XIANG X B , et al . Revery:from proof-of-concept to exploitable [C ] // Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security . New York:ACM Press , 2018 : 1914 - 1927 .

WU W , CHEN Y , XU J , et al . FUZE:towards facilitating exploit generation for kernel use-after-free vulnerabilities [C ] // Proceedings of the 27th USENIX Security Symposium . Berkeley:USENIX Association , 2018 : 781 - 797 .

方皓 , 吴礼发 , 吴志勇 . 基于符号执行的 Return-to-dl-resolve 利用代码自动生成方法 [J ] . 计算机科学 , 2019 , 46 ( 2 ): 127 - 132 .

FANG H , WU L F , WU Z Y . Automatic return-to-dl-resolve exploit generation method based on symbolic execution [J ] . Computer Science , 2019 , 46 ( 2 ): 127 - 132 .

HU H , CHUA Z L , ADRIAN S , et al . Automatic generation of data-oriented exploits [C ] // Proceedings of the 24th USENIX Security Symposium . Berkeley:USENIX Association , 2015 : 177 - 192 .

HU H , SHINDE S , ADRIAN S , et al . Data-oriented programming:on the expressiveness of non-control data attacks [C ] // Proceedings of 2016 IEEE Symposium on Security and Privacy . Piscataway:IEEE Press , 2016 : 969 - 986 .

ISPOGLOU K K , ALBASSAM B , JAEGER T , et al . Block oriented programming:automating data-only attacks [C ] // Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security . New York:ACM Press , 2018 : 1868 - 1882 .

SCHWARTZ E J , AVGERINOS T , BRUMLEY D , et al . Q:exploit hardening made easy [C ] // Proceedings of the 20th USENIX Security Symposium . Berkeley:USENIX Association , 2011 :25.

黄桦烽 , 王嘉捷 , 杨轶 , 等 . 有限资源条件下的软件漏洞自动挖掘与利用 [J ] . 计算机研究与发展 , 2019 , 56 ( 11 ): 2299 - 2314 .

HUANG H F , WANG J J , YANG Y , et al . Automatic software vulnerability discovery and exploit under the limited resource conditions [J ] . Journal of Computer Research and Development , 2019 , 56 ( 11 ): 2299 - 2314 .

Views

1679

下载量

CSCD

Alert me when the article has been cited

提交

Tools

Publicity Resources

Protocol format extraction at semantic level

Attack signature generation by traceable dynamic taint analysis

Related Author

Zheng HONG

Zhen-ji ZHOU

Li-fa WU

Fan PAN

Yu LIU

Mei-ning NIE

Pu-rui SU

Deng-guo FENG

Related Institution

College of Command Information System,PLA University of Science and Technology

State Key Laboratory of Information Security,Institution of Software,Chinese Academy of Sciences

AI问答

⁰