Attacker Control and Bug Prioritization
Guilhem Lacombe, Sébastien Bardin

TL;DR
This paper introduces a novel method for bug prioritization based on attacker control over vulnerability parameters, utilizing symbolic execution to improve differentiation of vulnerabilities and automate evaluation processes.
Contribution
We propose a new approach focusing on feasible value sets called domains of control, with an efficient algorithm to extract and analyze them for better exploitability assessment.
Findings
Our method distinguishes vulnerabilities that previous methods could not.
It automates the extraction of control metrics from path constraints.
Experiments demonstrate high efficiency and precision of the approach.
Abstract
As bug-finding methods improve, they outpace bug-fixing capabilities, resulting in an accumulation of potential vulnerabilities. There is thus a need for efficient and precise bug prioritization based on exploitability. In this work, we explore the notion of control of an attacker over a vulnerability's parameters, which is an often overlooked factor of exploitability. We show that taint, as well as straightforward qualitative and quantitative notions of control, is not enough to effectively differentiate vulnerabilities. Instead, we propose to focus analysis on feasible value sets, which we call domains of control, in order to better take into account threat models and expert insight. Our new Shrink and Split algorithm efficiently extracts domains of control from path constraints obtained with symbolic execution and renders them in an easily processed, human-readable form. This in turn…
Taxonomy
Topics: Advanced Malware Detection Techniques · Information and Cyber Security · Network Security and Intrusion Detection
