摘要
自动生成漏洞利用样本(AEG)已成为评估漏洞的最重要的方式之一,但现有方案在目标系统部署有漏洞缓解机制时受到很大阻碍.当前主流的操作系统默认部署多种漏洞缓解机制,包括数据执行保护(DEP)和地址空间布局随机化(ASLR)等,而现有AEG方案仍无法面对所有漏洞缓解情形.提出了一种自动化方案EoLeak,可以利用堆漏洞实现自动化的信息泄露,进而同时绕过数据执行保护和地址空间布局随机化防御.EoLeak通过动态分析漏洞触发样本(POC)的程序执行迹,对执行迹中的内存布局进行画像并定位敏感数据(如代码指针),进而基于内存画像自动构建泄漏敏感数据的原语,并在条件具备时生成完整的漏洞利用样本.实现了EoLeak原型系统,并在一组夺旗赛(CTF)题目和多个实际应用程序上进行了实验验证.实验结果表明,该系统具有自动化泄露敏感信息和绕过DEP及ASLR缓解机制的能力.
Automated exploit generation(AEG) has become one of the most important ways to demonstrate the exploitability of vulnerabilities. However, state-of-the-art AEG solutions in general assume that the target system has no mitigations deployed, which is not true in modern operating systems since they often deploy mitigations like data execution prevention(DEP) and address space layout randomization(ASLR). This paper presents an automated solution EoLeak, able to exploit heap vulnerabilities to leak sensitive data and bypass ASLR and DEP at the same time. At a high level, EoLeak analyzes the program execution trace of the POC input that triggers the heap vulnerability, characterizes the memory profile from the trace and locates important data(e.g., code pointers), constructs leak primitives that discloses sensitive data, and generates exploits for the entire process when possible. A prototype of EoLeakis implemented and it is evaluated on a set of CTF binary programs and several real-world applications. Evaluation results show that EoLeak is effective in terms of leaking data and generating exploits.
作者
杨松涛
陈凯翔
王准
张超
YANG Song-Tao;CHEN Kai-Xiang;WANG Zhun;ZHANG Chao(Department of Computer Science and Technology,Tsinghua University,Beijing 100084,China;Institute for Network Science and Cyberspace,Tsinghua University,Beijing 100084,China)
出处
《软件学报》
EI
CSCD
北大核心
2022年第6期2082-2096,共15页
Journal of Software
基金
国家重点研发计划(2021YFB2701000)
国家自然科学基金(61972224,U1736209)。
关键词
信息泄漏
自动生成漏洞利用样本
动态分析
污点分析
内存画像
information leakage
automated exploit generation
dynamic analysis
taint analysis
memory profiling