Abstract
In this paper we present BAEG, a system that automatically searches for exploits for vulnerabilities in binary programs. BAEG produces a control-flow hijacking exploit for every vulnerability it finds, thereby guaranteeing that each reported vulnerability is security-relevant and exploitable. BAEG analyses the case where an input causes the program to crash, and faces two main challenges: 1) how to reproduce the crash path and obtain the crash state; 2) how to automatically generate a control-flow hijacking exploit. For the first, this paper proposes a path-guided algorithm that treats the crash input as symbolic values and replays the crash path. For the second, we summarize the principles of several kinds of control-flow hijacking and build the corresponding exploit generation models. In addition, for invalid symbolic read and write operations, BAEG can let the program continue executing past the crash point, explore deeper code, and check whether further exploitation points exist deeper along the crash path.
In this paper we present BAEG, a system that automatically looks for exploitable bugs in binary programs. Every bug reported by BAEG is accompanied by a control-flow hijacking exploit; the working exploit guarantees that each bug report is security-critical and exploitable. Given a vulnerable program and a crashing input, BAEG faces two challenges: 1) how to replay the crash and obtain the crash state; 2) how to automatically generate an exploit. For the first challenge, we present a path-guided algorithm that takes the crash input as symbolic data and replays the crash path. For the second challenge, we summarize the principles of several kinds of control-flow hijacking and establish the corresponding exploit generation model. Besides, BAEG can explore deeper code, especially after an invalid symbolic read or symbolic write, which helps decide whether exploits still exist in deeper code.
Authors
万云鹏
邓艺
石东辉
程亮
张阳
WAN Yun-Peng, DENG Yi, SHI Dong-Hui, CHENG Liang, ZHANG Yang (University of Chinese Academy of Sciences, Beijing 100049, China; Institute of Software, Chinese Academy of Sciences, Beijing 100190, China; Shenzhen Audencia Business School, Shenzhen University, Shenzhen 518060, China)
Source
Computer Systems & Applications (《计算机系统应用》)
2017, Issue 10, pp. 44-52 (9 pages)
Funding
National Natural Science Foundation of China (61471344)
National 242 Information Security Program (2016A086)
Keywords
automatic exploit generation
symbolic execution
path tracing
symbolic memory