TY - GEN
T1 - CRAX
T2 - 2012 IEEE 6th International Conference on Software Security and Reliability, SERE 2012
AU - Huang, Shih-Kun
AU - Huang, Min Hsiang
AU - Huang, Po Yen
AU - Lai, Chung Wei
AU - Lu, Han Lin
AU - Leong, Wai Meng
PY - 2012/10/1
Y1 - 2012/10/1
N2 - We present a simple framework capable of automatically generating attacks that exploit control flow hijacking vulnerabilities. We analyze given software crashes and perform symbolic execution in concolic mode, using a whole system environment model. The framework uses an end-to-end approach to generate exploits for various applications, including 16 medium-scale benchmark programs and several large-scale applications, such as Mplayer (a media player), Unrar (an archiver) and Foxit (a PDF reader), with stack/heap overflow, off-by-one overflow, use of uninitialized variable, and format string vulnerabilities. Notably, these applications have typically been regarded as fuzzing prey, but still require a manual process with security knowledge to produce mitigation-hardened exploits. Using our system to produce exploits is a fully automated and straightforward process for crashed software without source. We produce the exploits within six minutes for medium-scale programs, and in as long as 80 minutes for Mplayer (about 500,000 LOC), after constraint reductions. Our results demonstrate that the link between software bugs and security vulnerabilities can be automatically bridged.
AB - We present a simple framework capable of automatically generating attacks that exploit control flow hijacking vulnerabilities. We analyze given software crashes and perform symbolic execution in concolic mode, using a whole system environment model. The framework uses an end-to-end approach to generate exploits for various applications, including 16 medium-scale benchmark programs and several large-scale applications, such as Mplayer (a media player), Unrar (an archiver) and Foxit (a PDF reader), with stack/heap overflow, off-by-one overflow, use of uninitialized variable, and format string vulnerabilities. Notably, these applications have typically been regarded as fuzzing prey, but still require a manual process with security knowledge to produce mitigation-hardened exploits. Using our system to produce exploits is a fully automated and straightforward process for crashed software without source. We produce the exploits within six minutes for medium-scale programs, and in as long as 80 minutes for Mplayer (about 500,000 LOC), after constraint reductions. Our results demonstrate that the link between software bugs and security vulnerabilities can be automatically bridged.
KW - Automatic exploit generation
KW - Bug forensics
KW - Software crash analysis
KW - Symbolic execution
KW - Taint analysis
UR - http://www.scopus.com/inward/record.url?scp=84866709206&partnerID=8YFLogxK
U2 - 10.1109/SERE.2012.20
DO - 10.1109/SERE.2012.20
M3 - Conference contribution
AN - SCOPUS:84866709206
SN - 9780769547428
T3 - Proceedings of the 2012 IEEE 6th International Conference on Software Security and Reliability, SERE 2012
SP - 78
EP - 87
BT - Proceedings of the 2012 IEEE 6th International Conference on Software Security and Reliability, SERE 2012
Y2 - 20 June 2012 through 22 June 2012
ER -