可控内存写漏洞自动利用生成方法

doi:10.11959/j.issn.1000-436x.2022003

Abstract

Abstract:

To solve the problem that the current vulnerability automatic exploitation generation methods cannot automatically generate control-flow-hijacking exploitation from write-what-where, a method of automatic exploitation generation for write-what-where was proposed.First, the write-what-where vulnerability was detected based on the memory address control strength dynamic taint analysis method.Then, the vulnerability exploitation elements were searched based on the vulnerability exploitation modes, and the exploitation of write-what-where vulnerability was generated automatically by constraint solving.The experimental results show that the proposed method can effectively detect write-what-where vulnerability, search exploitation elements, and automatically generate the control-flow-hijacking exploitation from write-what-where.

Key words: write-what-where, control flow hijacking, dynamic taint analysis, vulnerability exploitation element, auto-matic exploitation generation

CLC Number:

TP311

Huafeng HUANG, Purui SU, Yi YANG, Xiangkun JIA. Automatic exploitation generation method of write-what-where vulnerability[J]. Journal on Communications, 2022, 43(1): 83-95.

Figures/Tables 17

References 17

[1]	孙鸿宇, 何远, 王基策 ,等. 人工智能技术在安全漏洞领域的应用[J]. 通信学报, 2018,39(8): 1-17.
	UN H Y , HE Y , WANG J C ,et al. Application of artificial intelligence technology in the field of security vulnerability[J]. Journal on Communications, 2018,39(8): 1-17.
[2]	SONG J , ALVES-FOSS J , . The DARPA cyber grand challenge:a competitor’s perspective[J]. IEEE Security ＆ Privacy, 2015,13(6): 72-76.
[3]	BRUMLEY D , POOSANKAM P , SONG D ,et al. Automatic patch-based exploit generation is possible:techniques and implications[C]// Proceedings of 2008 IEEE Symposium on Security and Privacy. Piscataway:IEEE Press, 2008: 143-157.
[4]	AVGERINOS T , CHA S K , HAO B L T ,et al. AEG:automatic exploit generation[C]// Network and Distributed System Security Symposium. San Diego:DBLP, 2011: 1-18.
[5]	AVGERINOS T , CHA S K , REBERT A ,et al. Automatic exploit generation[J]. Communications of the ACM, 2014,57(2): 74-84.
[6]	CHA S K , AVGERINOS T , REBERT A ,et al. Unleashing mayhem on binary code[C]// 2012 IEEE Symposium on Security and Privacy. Piscataway:IEEE Press, 2012: 380-394.
[7]	WANG M H , SU P R , LI Q ,et al. Automatic polymorphic exploit generation for software vulnerabilities[C]// Security and Privacy in Communication Networks. Cham:Springer, 2013: 216-233.
[8]	HUANG S K , HUANG M H , HUANG P Y ,et al. CRAX:software crash analysis for automatic exploit generation by modeling attacks as symbolic continuations[C]// Proceedings of 2012 IEEE Sixth International Conference on Software Security and Reliability. Piscataway:IEEE Press, 2012: 78-87.
[9]	HE L , CAI Y , HU H ,et al. Automatically assessing crashes from heap overflows[C]// Proceedings of 2017 32nd IEEE/ACM International Conference on Automated Software Engineering (ASE). Piscataway:IEEE Press, 2017: 274-279.
[10]	WANG Y , ZHANG C , XIANG X B ,et al. Revery:from proof-of-concept to exploitable[C]// Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security. New York:ACM Press, 2018: 1914-1927.
[11]	WU W , CHEN Y , XU J ,et al. FUZE:towards facilitating exploit generation for kernel use-after-free vulnerabilities[C]// Proceedings of the 27th USENIX Security Symposium. Berkeley:USENIX Association, 2018: 781-797.
[12]	方皓, 吴礼发, 吴志勇 . 基于符号执行的 Return-to-dl-resolve 利用代码自动生成方法[J]. 计算机科学, 2019,46(2): 127-132.
	FANG H , WU L F , WU Z Y . Automatic return-to-dl-resolve exploit generation method based on symbolic execution[J]. Computer Science, 2019,46(2): 127-132.
[13]	HU H , CHUA Z L , ADRIAN S ,et al. Automatic generation of data-oriented exploits[C]// Proceedings of the 24th USENIX Security Symposium. Berkeley:USENIX Association, 2015: 177-192.
[14]	HU H , SHINDE S , ADRIAN S ,et al. Data-oriented programming:on the expressiveness of non-control data attacks[C]// Proceedings of 2016 IEEE Symposium on Security and Privacy. Piscataway:IEEE Press, 2016: 969-986.
[15]	ISPOGLOU K K , ALBASSAM B , JAEGER T ,et al. Block oriented programming:automating data-only attacks[C]// Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security. New York:ACM Press, 2018: 1868-1882.
[16]	SCHWARTZ E J , AVGERINOS T , BRUMLEY D ,et al. Q:exploit hardening made easy[C]// Proceedings of the 20th USENIX Security Symposium. Berkeley:USENIX Association, 2011:25.
[17]	黄桦烽, 王嘉捷, 杨轶 ,等. 有限资源条件下的软件漏洞自动挖掘与利用[J]. 计算机研究与发展, 2019,56(11): 2299-2314.
	HUANG H F , WANG J J , YANG Y ,et al. Automatic software vulnerability discovery and exploit under the limited resource conditions[J]. Journal of Computer Research and Development, 2019,56(11): 2299-2314.

Metrics

Recommended 0

No Suggested Reading articles found!

研究工作	①	②	③	④	⑤	⑥	⑦	⑧
APEG	√
AEG					√
Mayhem					√
PolyAEG					√
CRAX					√
HCSIFTER								√
Revery		√	√
FUZE					√
R2dlAEG						√
FlowStitch						√	√
DOP						√	√
BOP						√	√

指令	规则说明
add	单字节独立计算污点状态，不考虑低字节对高字节的进位污染，考虑了进位只能影响1 bit，不能控制大范围地址
sub	单字节独立计算污点状态，不考虑低字节对高字节的借位污染，考虑了借位只能影响1 bit，不能控制大范围地址
lea	单字节独立计算污点状态，不考虑低字节对高字节的进位污染，考虑了进位只能影响1 bit，不能控制大范围地址
and	与运算的非污点字节如果比特数超过6 bit为0对该字节漂白，通常用于内存页对齐，失去了可控计算的能力
or	或运算的非污点字节如果比特数超过6 bit为1对该字节漂白
shl	左移位数超过6 bit的低字节漂白，通常用于内存页地址对其，失去了可控计算的能力

pwn样本集编号	判定情况	统计数/个
01,02,04,05,07,10,13,18,22,24,25, 26,27,30,31,34, 37,38,45,48,49,50	控制流劫持	22
09,14,15,17,19,20,21,23, 28,35,36,39,40,41,42,46,	可控内存写	16
32	命令注入	1
03,06,08,11,12,16,29,33, 43,44,47	未能判定	11

样本	格式化函数	能否检测	利用方式
Pwn06	sprintf	能	溢出ret
Pwn11	snprintf	能	可控内存写
Pwn16	printf、sprintf	能	溢出ret
Pwn29	printf	能	信息泄露覆盖ret
Pwn33	printf	能	可控内存写
Pwn43	printf	能	可控内存写
Pwn47	snprintf	能	可控内存写

实例程序	版本	“可控内存写”告警数量
实例程序	版本	告警数/个	误报数/个	漏报数/个
PLC WinNT	V2.4.7.52	2	1	0
Media Player Classic	1.3.1249.0	1	0	0
DirectShow Player GUI	V1.0	1	0	0
WinWord	14.0.4760.1000	0	0	0
VUPlayer	2.49	0	0	0
Float Ftp	1.0	0	0	0

Automatic exploitation generation method of write-what-where vulnerability

RichHTML

PDF

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 17

References 17

Related Articles 3

Metrics

Recommended 0

实例程序	版本	函数表利用要素统计
实例程序	版本	UW/个	AW/个	UAW/个
PLC WinNT	V2.4.7.52	1 067	81	54
Media Player Classic	1.3.1249.0	2 507	925	17
DirectShow Player GUI	V1.0	707	954	26
WinWord	14.0.4760.1000	3 969	1 012	1
VUPlayer	2.49	162	11	10
Float Ftp	1.0	637	334	27

测试用例	利用点	构造情况
Pwn09	0x407ffedc	失败
Pwn11	0x080ec4f0	失败
Pwn14	0x080ec4f0	call劫持
Pwn15	0x080f14f0	失败
Pwn17	0x080ed4f0	失败
Pwn19	0x080ec4f0	call劫持
Pwn20	0x080ec4f0	call劫持
Pwn21	0x080ec4f0	call劫持
Pwn23	0x407ffdcc	失败
Pwn28	0x080ec4f0	call劫持
Pwn33	0x080ecb60	失败
Pwn35	0x080ec4f0	call劫持
Pwn36	0x407ffedc	ret劫持
Pwn39	0x80f1b80	call劫持
Pwn40	0x080ec810	call劫持
Pwn41	0x080ec4f0	call劫持
Pwn42	0x080eb4d8	失败
Pwn43	0x080ed650	失败
Pwn46	0x080ede60	call劫持
Pwn47	0x080ec4f0	call劫持

[1]	Zheng HONG,Zhen-ji ZHOU,Li-fa WU,Fan PAN. Protocol format extraction at semantic level [J]. Journal on Communications, 2013, 34(10): 162-173.
[2]	. Protocol format extraction at semantic level [J]. Journal on Communications, 2013, 34(10): 19-173.
[3]	Yu LIU,Mei-ning NIE,Pu-rui SU,Deng-guo FENG. Attack signature generation by traceable dynamic taint analysis [J]. Journal on Communications, 2012, 33(5): 21-28.