LAEG: Leak-based AEG using Dynamic Binary Analysis to Defeat ASLR

Wei-Loon Mow, Shih-Kun Huang, H. Hsiao
{"title":"LAEG: Leak-based AEG using Dynamic Binary Analysis to Defeat ASLR","authors":"Wei-Loon Mow, Shih-Kun Huang, H. Hsiao","doi":"10.1109/DSC54232.2022.9888796","DOIUrl":null,"url":null,"abstract":"Address space layout randomization (ASLR) is a binary protection technique that randomizes a binary's loaded base addresses in every execution. It hardens binaries against exploitation by preventing attackers from reusing identified resources (e.g., code gadgets or stack buffers found at specific memory locations) in subsequent executions. As most modern compilers and operating systems enable ASLR by default, an effective automated exploit generation (AEG) system should be resilient to ASLR when constructing exploits. However, previ-ously proposed AEG systems either assume the absence of ASLR or only bypass it under limited circumstances, and thus cannot reliably exploit binaries running on modern operating systems. With the aim of improving AEG's practicality by developing an ASLR-resilient AEG system, we designed and implemented leak-based AEG (LAEG), a system that can recover randomized base addresses by leaking additional information at runtime. Specifically, given a proof-of-crash input, LAEG uses dynamic taint analysis to analyze the black-box binary, and identifies the input and output states relevant to the base address information. By doing so, LAEG can efficiently recover base addresses from uninitialized buffers and use them to construct an exploit that is resilient to ASLR. Moreover, our tests established that LAEG could successfully construct exploits that bypass state-of-the-art types of binary protection, including not only ASLR but PIE, NX, and stack canary. Besides that, LAEG exhibited better performance than an open-source AEG solution, Zeratool; and was between 6.46x and 45.15x faster at exploit generation than human experts were.","PeriodicalId":368903,"journal":{"name":"2022 IEEE Conference on Dependable and Secure Computing (DSC)","volume":"86 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2022-06-22","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2022 IEEE Conference on Dependable and Secure Computing (DSC)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/DSC54232.2022.9888796","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 0

Abstract

Address space layout randomization (ASLR) is a binary protection technique that randomizes a binary's loaded base addresses in every execution. It hardens binaries against exploitation by preventing attackers from reusing identified resources (e.g., code gadgets or stack buffers found at specific memory locations) in subsequent executions. As most modern compilers and operating systems enable ASLR by default, an effective automated exploit generation (AEG) system should be resilient to ASLR when constructing exploits. However, previ-ously proposed AEG systems either assume the absence of ASLR or only bypass it under limited circumstances, and thus cannot reliably exploit binaries running on modern operating systems. With the aim of improving AEG's practicality by developing an ASLR-resilient AEG system, we designed and implemented leak-based AEG (LAEG), a system that can recover randomized base addresses by leaking additional information at runtime. Specifically, given a proof-of-crash input, LAEG uses dynamic taint analysis to analyze the black-box binary, and identifies the input and output states relevant to the base address information. By doing so, LAEG can efficiently recover base addresses from uninitialized buffers and use them to construct an exploit that is resilient to ASLR. Moreover, our tests established that LAEG could successfully construct exploits that bypass state-of-the-art types of binary protection, including not only ASLR but PIE, NX, and stack canary. Besides that, LAEG exhibited better performance than an open-source AEG solution, Zeratool; and was between 6.46x and 45.15x faster at exploit generation than human experts were.
LAEG:基于泄漏的AEG,使用动态二进制分析来击败ASLR
地址空间布局随机化(ASLR)是一种二进制保护技术,它在每次执行中随机化二进制的加载基址。它通过防止攻击者在随后的执行中重用已识别的资源(例如,在特定内存位置找到的代码小工具或堆栈缓冲区)来防止二进制文件被利用。由于大多数现代编译器和操作系统默认支持ASLR,因此在构建漏洞时,一个有效的自动漏洞生成(AEG)系统应该能够适应ASLR。然而,以前提出的AEG系统要么假设没有ASLR,要么只在有限的情况下绕过它,因此不能可靠地利用在现代操作系统上运行的二进制文件。为了提高AEG的实用性,我们设计并实现了一种基于泄漏的AEG (LAEG)系统,该系统可以通过在运行时泄漏附加信息来恢复随机基址。具体来说,给定一个崩溃证明输入,LAEG使用动态污点分析来分析黑盒二进制文件,并识别与基址信息相关的输入和输出状态。通过这样做,LAEG可以有效地从未初始化的缓冲区中恢复基址,并使用它们构建对ASLR具有弹性的攻击。此外,我们的测试表明,LAEG可以成功构建绕过最先进的二进制保护类型的漏洞,不仅包括ASLR,还包括PIE、NX和堆栈金丝鸟。此外,LAEG表现出比开源AEG解决方案Zeratool更好的性能;在生成漏洞方面比人类专家快6.46到45.15倍。
本文章由计算机程序翻译,如有差异,请以英文原文为准。
求助全文
约1分钟内获得全文 求助全文
来源期刊
自引率
0.00%
发文量
0
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
确定
请完成安全验证×
copy
已复制链接
快去分享给好友吧!
我知道了
右上角分享
点击右上角分享
0
联系我们:info@booksci.cn Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。 Copyright © 2023 布克学术 All rights reserved.
京ICP备2023020795号-1
ghs 京公网安备 11010802042870号
Book学术文献互助
Book学术文献互助群
群 号:481959085
Book学术官方微信