LAEG: Leak-based AEG using Dynamic Binary Analysis to Defeat ASLR

Wei Loon Mow, Shih Kun Huang, Hsu Chun Hsiao

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

6 Scopus citations

Abstract

Address space layout randomization (ASLR) is a binary protection technique that randomizes a binary's loaded base addresses on every execution. It hardens binaries against exploitation by preventing attackers from reusing identified resources (e.g., code gadgets or stack buffers found at specific memory locations) in subsequent executions. As most modern compilers and operating systems enable ASLR by default, an effective automated exploit generation (AEG) system should be resilient to ASLR when constructing exploits. However, previously proposed AEG systems either assume the absence of ASLR or bypass it only under limited circumstances, and thus cannot reliably exploit binaries running on modern operating systems. With the aim of improving AEG's practicality by developing an ASLR-resilient AEG system, we designed and implemented leak-based AEG (LAEG), a system that can recover randomized base addresses by leaking additional information at runtime. Specifically, given a proof-of-crash input, LAEG uses dynamic taint analysis to analyze the black-box binary and identifies the input and output states relevant to the base address information. By doing so, LAEG can efficiently recover base addresses from uninitialized buffers and use them to construct an exploit that is resilient to ASLR. Moreover, our tests established that LAEG could successfully construct exploits that bypass state-of-the-art binary protections, including not only ASLR but also PIE, NX, and stack canaries. In addition, LAEG outperformed an open-source AEG solution, Zeratool, and was between 6.46x and 45.15x faster at exploit generation than human experts.
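The following is an added example, not code from the LAEG paper or its authors, that models the core step the abstract describes: a target echoes an uninitialized stack buffer, the bytes of the output that were not derived from the input contain a leftover code pointer, and the randomized base is recovered by subtracting that pointer's static offset (learned from an unrandomized run) before rebasing a gadget list. Everything numeric here is hypothetical, the "uninitialized" stack residue is a constructed byte array so the run is deterministic, and the input/output correlation uses a known marker comparison where LAEG uses dynamic taint analysis.

```c
/* Added example (not from the LAEG paper): leak-based recovery of a
 * randomized base address. Scenario, offsets and stack residue are all
 * constructed for illustration. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define BUF_SZ 64
#define PTR_OFF_IN_MODULE 0x1289ULL  /* hypothetical: static offset of the leaked pointer */
#define RESIDUE_PTR_AT    40         /* hypothetical: where it sits in the stale buffer */

/* Simulated target: copies input into an uninitialized 64-byte stack
 * buffer without NUL-terminating it, then echoes it with strlen(). Bytes
 * past the input are whatever an earlier call left on the stack. Here that
 * residue is passed in as a constructed snapshot so the run is repeatable. */
static size_t run_target(const uint8_t *in, size_t inlen,
                         const uint8_t *stack_residue,
                         uint8_t *out, size_t outcap)
{
    uint8_t buf[BUF_SZ + 1];
    memcpy(buf, stack_residue, BUF_SZ);   /* stand-in for uninitialized data */
    buf[BUF_SZ] = 0;                      /* bound strlen for the simulation */
    if (inlen > BUF_SZ) inlen = BUF_SZ;
    memcpy(buf, in, inlen);               /* no terminator written */
    size_t n = strlen((char *)buf);       /* runs on into the residue */
    if (n > outcap) n = outcap;
    memcpy(out, buf, n);
    return n;
}

/* First output offset whose bytes were not derived from the input. LAEG
 * finds this with taint tracking; with a known marker input it is simply
 * where the output stops matching the input. */
static size_t untainted_offset(const uint8_t *in, size_t inlen,
                               const uint8_t *out, size_t outlen)
{
    size_t i = 0;
    while (i < inlen && i < outlen && in[i] == out[i]) i++;
    return i;
}

/* Reassemble a little-endian x86-64 user pointer from 6 leaked bytes: the
 * top two bytes of a canonical user address are zero, which is exactly why
 * a strlen-based leak stops there. Returns 0 if the leak is too short. */
static uint64_t read_leaked_ptr(const uint8_t *out, size_t outlen, size_t off)
{
    if (off + 6 > outlen) return 0;
    uint64_t v = 0;
    for (int i = 5; i >= 0; i--) v = (v << 8) | out[off + i];
    return v;
}

/* Base = leaked pointer - its static offset. A module base is page aligned,
 * so a misaligned result means the wrong output bytes were taken. */
static uint64_t recover_base(uint64_t leaked, uint64_t static_off)
{
    uint64_t base = leaked - static_off;
    return (base & 0xfff) == 0 ? base : 0;
}

/* Rebase gadget offsets found in an unrandomized run onto the live base. */
static void rebase_gadgets(uint64_t base, const uint64_t *offs,
                           uint64_t *addrs, size_t n)
{
    for (size_t i = 0; i < n; i++) addrs[i] = base + offs[i];
}

/* End-to-end run: module loaded at true_base, a leftover pointer into it
 * lying RESIDUE_PTR_AT bytes into the stale buffer, attacker input of inlen
 * marker bytes. Returns the recovered base, or 0 when nothing usable leaked
 * (e.g. the input overwrote the pointer, or no stale bytes were echoed). */
static uint64_t demo_recover(uint64_t true_base, size_t inlen)
{
    uint8_t residue[BUF_SZ] = {0};
    uint64_t leftover = true_base + PTR_OFF_IN_MODULE;
    for (int i = 0; i < 8; i++)           /* store little-endian explicitly */
        residue[RESIDUE_PTR_AT + i] = (uint8_t)(leftover >> (8 * i));

    uint8_t in[BUF_SZ], out[BUF_SZ];
    memset(in, 'A', sizeof in);
    size_t outlen = run_target(in, inlen, residue, out, sizeof out);

    size_t off = untainted_offset(in, inlen, out, outlen);
    uint64_t leaked = read_leaked_ptr(out, outlen, off);
    return leaked ? recover_base(leaked, PTR_OFF_IN_MODULE) : 0;
}

int main(void)
{
    uint64_t base = demo_recover(0x55e2f1c3a000ULL, 40);
    uint64_t offs[2] = {0x1016, 0x2fd0}; /* hypothetical gadget offsets */
    uint64_t addrs[2];
    rebase_gadgets(base, offs, addrs, 2);
    printf("recovered base 0x%llx, gadgets 0x%llx 0x%llx\n",
           (unsigned long long)base, (unsigned long long)addrs[0],
           (unsigned long long)addrs[1]);
    return 0;
}
```

The two failure paths matter in practice: an input long enough to overwrite the stale pointer (or to fill the whole buffer) yields no leak, and a leak taken from the wrong offset fails the page-alignment check instead of silently producing a bogus chain.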

Original language: English
Title of host publication: 5th IEEE Conference on Dependable and Secure Computing, DSC 2022 and SECSOC 2022 Workshop, PASS4IoT 2022 Workshop SICSA International Paper/Poster Competition in Cybersecurity
Publisher: Institute of Electrical and Electronics Engineers Inc.
ISBN (Electronic): 9781665421416
DOIs
State: Published - 2022
Event: 5th IEEE Conference on Dependable and Secure Computing, DSC 2022 - Edinburgh, United Kingdom
Duration: 22 Jun 2022 to 24 Jun 2022

Publication series

Name: 5th IEEE Conference on Dependable and Secure Computing, DSC 2022 and SECSOC 2022 Workshop, PASS4IoT 2022 Workshop SICSA International Paper/Poster Competition in Cybersecurity

Conference

Conference: 5th IEEE Conference on Dependable and Secure Computing, DSC 2022
Country/Territory: United Kingdom
City: Edinburgh
Period: 22/06/22 to 24/06/22

Keywords

  • Address Space Layout Randomization
  • Automated Exploit Generation
  • Dynamic Taint Analysis
