DEPA: Determining Exploit Primitives Automatically for Interactive Programs

Abstract

Automated Exploit Generation (AEG) is a well-known difficult task, especially for heap vulnerabilities. The premise of this task is the determination of exploit primitives, and prior research efforts for exploit primitive determination are usually based on vulnerability identification. However, it is not always easy to discovery bugs using fuzzing or symbolic technologies for some programs. In this paper, we present a solution DEPA to determine exploit primitives based on primitive-crucial-behavior model for heap vulnerabilities. The core of DEPA contains two novel techniques, 1) primitive-crucial-behavior identification through pointer dependence analysis, and 2) exploit primitive determination method which includes triggering both vulnerabilities and exploit primitives. We evaluate DEPA on real-world CTF (capture the flag) programs with heap vulnerabilities and DEPA can discovery arbitrary write and arbitrary jump exploit primitives for some programs except for program multi-heap. Results showed that primitive-crucial-behavior identification and determining exploit primitives are accurate and effective by using our approach. In addition, DEPA is superior to the state-of-the-art tools in determining exploit primitives for the heap internal overflow vulnerability.