CRAX: Software crash analysis for automatic exploit generation by modeling attacks as symbolic continuations

Shih-Kun Huang*, Min Hsiang Huang, Po Yen Huang, Chung Wei Lai, Han Lin Lu, Wai Meng Leong

*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceedingConference contribution

32 Scopus citations

Abstract

We present a simple framework capable of automatically generating attacks that exploit control flow hijacking vulnerabilities. We analyze given software crashes and perform symbolic execution in concolic mode, using a whole system environment model. The framework uses an end-to-end approach to generate exploits for various applications, including 16 medium scale benchmark programs, and several large scale applications, such as Mplayer (a media player), Unrar (an archiver) and Foxit(a pdf reader), with stack/heap overflow, off-by-one overflow, use of uninitialized variable, format string vulnerabilities. Notably, these applications have been typically regarded as fuzzing preys, but still require a manual process with security knowledge to produce mitigation-hardened exploits. Using our system to produce exploits is a fully automated and straightforward process for crashed software without source. We produce the exploits within six minutes for medium scale of programs, and as long as 80 minutes for mplayer (about 500,000 LOC), after constraint reductions. Our results demonstrate that the link between software bugs and security vulnerabilities can be automatically bridged.

Original languageEnglish
Title of host publicationProceedings of the 2012 IEEE 6th International Conference on Software Security and Reliability, SERE 2012
Pages78-87
Number of pages10
DOIs
StatePublished - 1 Oct 2012
Event2012 IEEE 6th International Conference on Software Security and Reliability, SERE 2012 - Gaithersburg, MD, United States
Duration: 20 Jun 201222 Jun 2012

Publication series

NameProceedings of the 2012 IEEE 6th International Conference on Software Security and Reliability, SERE 2012

Conference

Conference2012 IEEE 6th International Conference on Software Security and Reliability, SERE 2012
CountryUnited States
CityGaithersburg, MD
Period20/06/1222/06/12

Keywords

  • Automatic exploit generation
  • Bug forensics
  • Software crash analysis
  • Symbolic execution
  • Taint analysis

Fingerprint Dive into the research topics of 'CRAX: Software crash analysis for automatic exploit generation by modeling attacks as symbolic continuations'. Together they form a unique fingerprint.

Cite this