Detecting Exploit Primitives Automatically for Heap Vulnerabilities on Binary Programs

TL;DR

This paper introduces DEPA, a novel method for automatically detecting exploit primitives in heap vulnerabilities of binary programs, improving over prior fuzzing and symbolic execution techniques.

Contribution

DEPA employs a primitive-crucial-behavior model with pointer dependence analysis and exploit primitive determination, advancing automatic exploit primitive detection for heap vulnerabilities.

Findings

Successfully detects exploit primitives in 10 out of 11 real-world programs.

Outperforms state-of-the-art tools in identifying heap object internal overflow primitives.

Accurately identifies arbitrary write and jump exploit primitives.

Abstract

Automated Exploit Generation (AEG) is a well-known difficult task, especially for heap vulnerabilities. Previous works first detected heap vulnerabilities and then searched for exploitable states by using symbolic execution and fuzzing techniques on binary programs. However, it is not always easy to discovery bugs using fuzzing or symbolic technologies and solvable for internal overflow of heap objects. In this paper, we present a solution DEPA to detect exploit primitives based on primitive-crucial-behavior model for heap vulnerabilities. The core of DEPA contains two novel techniques, 1) primitive-crucial-behavior identification through pointer dependence analysis, and 2) exploit primitive determination method which includes triggering both vulnerabilities and exploit primitives. We evaluate DEPA on eleven real-world CTF(capture the flag) programs with heap vulnerabilities and DEPA can discovery arbitrary write and arbitrary jump exploit primitives for ten programs except for program multi-heap. Results showed that primitive-crucial-behavior identification and determining exploit primitives are accurate and effective by using our approach. In addition, DEPA is superior to the state-of-the-art tools in determining exploit primitives for the heap object internal overflow