Software crash analysis for automatic exploit generation on binary programs

Shih-Kun Huang, Min Hsiang Huang, Po Yen Huang, Han Lin Lu, Chung Wei Lai

Research output: Contribution to journalArticlepeer-review

30 Scopus citations


This paper presents a new method, capable of automatically generating attacks on binary programs from software crashes. We analyze software crashes with a symbolic failure model by performing concolic executions following the failure directed paths, using a whole system environment model and concrete address mapped symbolic memory in S2E. We propose a new selective symbolic input method and lazy evaluation on pseudo symbolic variables to handle symbolic pointers and speed up the process. This is an end-to-end approach able to create exploits from crash inputs or existing exploits for various applications, including most of the existing benchmark programs, and several large scale applications, such as a word processor (Microsoft office word), a media player (mpalyer), an archiver (unrar), or a pdf reader (foxit). We can deal with vulnerability types including stack and heap overflows, format string, and the use of uninitialized variables. Notably, these applications have become software fuzz testing targets, but still require a manual process with security knowledge to produce mitigation-hardened exploits. Using this method to generate exploits is an automated process for software failures without source code. The proposed method is simpler, more general, faster, and can be scaled to larger programs than existing systems. We produce the exploits within one minute for most of the benchmark programs, including mplayer. We also transform existing exploits of Microsoft office word into new exploits within four minutes. The best speedup is 7,211 times faster than the initial attempt. For heap overflow vulnerability, we can automatically exploit the unlink() macro of glibc, which formerly requires sophisticated hacking efforts.

Original languageEnglish
Article number6717039
Pages (from-to)270-289
Number of pages20
JournalIEEE Transactions on Reliability
Issue number1
StatePublished - 1 Jan 2014


  • Automatic exploit generation
  • bug forensics
  • software crash analysis
  • symbolic execution
  • taint analysis


Dive into the research topics of 'Software crash analysis for automatic exploit generation on binary programs'. Together they form a unique fingerprint.

Cite this