Computer Science ›› 2019, Vol. 46 ›› Issue (2): 127-132.doi: 10.11896/j.issn.1002-137X.2019.02.020

• Information Security •

Automatic Return-to-dl-resolve Exploit Generation Method Based on Symbolic Execution

FANG Hao, WU Li-fa, WU Zhi-yong   

1. Institute of Command and Control Engineering, Army Engineering University of PLA, Nanjing 210000, China
Received: 2018-01-24; Online: 2019-02-25; Published: 2019-02-25

Abstract: Return-to-dl-resolve is a general exploitation technique for bypassing complex protection mechanisms, but constructing its shellcode by hand is very inefficient. This paper studies the core concepts of ASLR, NX and Return-to-dl-resolve, and then builds a Return-to-dl-resolve model. The proposed model provides a symbolic execution environment for ELF binary programs and generates exploits by constraint solving. It also implements a control-flow hijacking exploit generation system named R2dlAEG. Experimental results show that R2dlAEG generates exploits in acceptable time, and the generated exploits bypass both NX and ASLR.

Key words: Exploit, Exploit code, Security mechanism, Symbolic execution

CLC Number: TP309