Automatic generation of data-oriented exploits

Hong Hu, Zheng Leong Chua, Sendroiu Adrian, Prateek Saxena, Zhenkai Liang

    Research output: Chapter in Book/Report/Conference proceedingConference contribution

    83 Scopus citations

    Abstract

    As defense solutions against control-flow hijacking attacks gain wide deployment, control-oriented exploits from memory errors become difficult. As an alternative, attacks targeting non-control data do not require diverting the application’s control flow during an attack. Although it is known that such data-oriented attacks can mount significant damage, no systematic methods to automatically construct them from memory errors have been developed. In this work, we develop a new technique called data-flow stitching, which systematically finds ways to join data flows in the program to generate data-oriented exploits. We build a prototype embodying our technique in a tool called FLOWSTITCH that works directly on Windows and Linux binaries. In our experiments, we find that FLOWSTITCH automatically constructs 16 previously unknown and three known data-oriented attacks from eight real-world vulnerable programs. All the automatically-crafted exploits respect fine-grained CFI and DEP constraints, and 10 out of the 19 exploits work with standard ASLR defenses enabled. The constructed exploits can cause significant damage, such as disclosure of sensitive information (e.g., passwords and encryption keys) and escalation of privilege.

    Original languageEnglish (US)
    Title of host publicationProceedings of the 24th USENIX Security Symposium
    PublisherUSENIX Association
    Pages177-192
    Number of pages16
    ISBN (Electronic)9781931971232
    StatePublished - 2015
    Event24th USENIX Security Symposium - Washington, United States
    Duration: Aug 12 2015Aug 14 2015

    Publication series

    NameProceedings of the 24th USENIX Security Symposium

    Conference

    Conference24th USENIX Security Symposium
    CountryUnited States
    CityWashington
    Period8/12/158/14/15

    All Science Journal Classification (ASJC) codes

    • Computer Networks and Communications
    • Information Systems
    • Safety, Risk, Reliability and Quality

    Fingerprint Dive into the research topics of 'Automatic generation of data-oriented exploits'. Together they form a unique fingerprint.

    Cite this