AEG Automatic Exploit Generation Thanassis Avgerinos Sang Kil Cha Brent Lim Tze Hao and - PDF document

codelevel,inpracticethisbugwouldlikelynotbeex-ploitable.Moderncompilerswouldpage-alignthede-claredbuffers,resultinginbothdatastructuresgetting16bytes.Sincethedestinationbufferwouldbe16bytes,the12-bytecopywouldnotbeproblematicandthebugnotexploitable.Whilesourcecodeanalysisisinsufcient,binary-levelanalysisisunscalable.Sourcecodehasabstrac-tions,suchasvariables,buffers,functions,anduser-constructedtypesthatmakeautomatedreasoningeas-ierandmorescalable.Nosuchabstractionsexistatthebinary-level;thereonlystackframes,registers,gotosandagloballyaddressedmemoryregion.Inourapproach,wecombinesource-codelevelanal-ysistoimprovescalabilityinndingbugsandbinaryandruntimeinformationtoexploitprograms.Tothebestofourknowledge,wearethersttocombineanalysisfromthesetwoverydifferentcodeabstractionlevels.B.Findingtheexploitablepathsamonganinnitenumberofpossiblepaths.OurtechniquesforAEGemploysymbolicexecution,aformalvericationtech-niquethatexploresprogrampathsandchecksifeachpathisexploitable.Programshaveloops,whichinturnmeansthattheyhaveapotentiallyinnitenumberofpaths.However,notallpathsareequallylikelytobeexploitable.Whichpathsshouldwecheckrst?Ourmainfocusistodetectexploitablebugs.Ourresultsshow(x8)thatexistingstate-of-the-artsolutionsprovedinsufcienttodetectsuchsecurity-criticalbugsinreal-worldprograms.Toaddressthepathselectionchallenge,wedevel-opedtwonovelcontributionsinAEG.First,wehavedevelopedpreconditionedsymbolicexecution,anoveltechniquewhichtargetspathsthataremorelikelytobeexploitable.Forexample,onechoiceistoexploreonlypathswiththemaximuminputlength,orpathsrelatedtoHTTPGETrequests.Whilepreconditionedsymbolicexecutioneliminatessomepaths,westillneedtoprior-itizewhichpathsweshouldexplorerst.Toaddressthischallenge,wehavedevelopedapriorityqueuepathprioritizationtechniquethatusesheuristicstochooselikelymoreexploitablepathsrst.Forexample,wehavefoundthatifaprogrammermakesamistake—notneces-sarilyexploitable—alongapath,thenitmakessensetoprioritizefurtherexplorationofthepathsinceitismorelikelytoeventuallyleadtoanexploitablecondition.C.Anend-to-endsystem.Weprovidetherstprac-ticalend-to-endsystemforAEGonrealprograms.Anend-to-endsystemrequiresnotonlyaddressingatremendousnumberofscienticquestions,e.g.,binaryprogramanalysisandefcientformalverication,butalsoatremendousnumberofengineeringissues.OurAEGimplementationisasinglecommandlinethatan-alyzessourcecodeprograms,generatessymbolicexe-cutionformulas,solvesthem,performsbinaryanalysis,generatesbinary-levelruntimeconstraints,andformatstheoutputasanactualexploitstringthatcanbefeddi-rectlyintothevulnerableprogram.Avideodemonstrat-ingtheend-to-endsystemisavailableonline[1].Scope.While,inthispaper,wemakeexploitsrobustagainstlocalenvironmentchanges,ourgoalisnottomakeexploitsrobustagainstcommonsecuritydefenses,suchasaddressspacerandomization[25]andwxmemorypages(e.g.,WindowsDEP).Inthiswork,wealwaysrequiresourcecode.AEGonbinary-onlyisleftasfuturework.WealsodonotclaimAEGisa“solved”problem;thereisalwaysopportunitytoimproveperfor-mance,scalability,toworkonalargervarietyofexploitclasses,andtoworkinnewapplicationsettings.2OverviewofAEGThissectionexplainshowAEGworksbysteppingthroughtheentireprocessofbug-ndingandexploitgenerationonarealworldexample.Thetargetappli-cationisthesetuidrootiwconfigutilityfromtheWirelessToolspackage(version26),aprogramconsistingofabout3400linesofCsourcecode.BeforeAEGstartstheanalysis,therearetwoneces-sarypreprocessingsteps:1)WebuildtheprojectwiththeGNUCCompiler(GCC)tocreatethebinarywewanttoexploit,and2)withtheLLVM[17]compiler—toproducebytecodethatourbug-ndinginfrastructureusesforanalysis.Afterthebuild,werunourtool,AEG,andgetacontrolowhijackingexploitinlessthan1second.Providingtheexploitstringtotheiwconfigbinary,asthe1stargument,resultsinarootshell.Wehavepostedademonstrationvideoonline[1].Figure1showsthecodesnippetthatisrelevanttothegeneratedexploit.iwconfighasaclassicstrcpybufferoverowvulnerabilityintheget infofunction(line15),whichAEGspotsandexploitsautomaticallyinlessthan1second.Todoso,oursystemgoesthroughthefollowinganalysissteps:1.AEGsearchesforbugsatthesourcecodelevelbyexploringexecutionpaths.Specically,AEGexecutesiwconfigusingsymbolicarguments(argv)astheinputsources.AEGconsidersavari-etyofinputsources,suchasles,arguments,etc.,bydefault.2.Afterfollowingthepathmain!print info!get info,AEGreachesline15,whereitde-tectsanout-of-boundsmemoryerroronvariable2 fact,inthisspecicexamplethereisnoneedforasolverquery,sincevalidityorinvaliditycanbedeterminedbyasimpleiterationthroughourassumptionsetP^L).Thus,byapplyingthelengthpreconditionweonlyneedasingleinterpretertoexploretheentireloop.Intherestofthesection,weshowhowwecangeneratedifferenttypesofpreconditionstoreducethesearchspace.5.2.1PreconditionsInAEG,wehavedevelopedandimplemented4differentpreconditionsforefcientexploitgeneration:NoneThereisnopreconditionandthestatespaceisexploredasnormal.KnownLengthThepreconditionisthatinputsareofknownmaximumlength,asinthepreviousexam-ple.Weusestaticanalysistoautomaticallydeter-minethisprecondition.KnownPrexThepreconditionisthatthesymbolicin-putshaveaknownprex.ConcolicExecutionConcolicexecution[24]canbeviewedasaspecicformofpreconditionedsym-bolicexecutionwherethepreconditionisspeciedbyasingleprogrampathasrealizedbyanexam-pleinput.Forexample,wemayalreadyhaveaninputthatcrashestheprogram,andweuseitasapreconditiontodetermineiftheexecutedpathisexploitable.Theabovepreconditionsassumevaryingamountsofstaticanalysisoruserinput.Inthefollowing,wefurtherdiscussthesepreconditions,andalsodescribethereduc-tioninthestatespacethatpreconditionedsymbolicex-ecutionoffers.Asummaryofthepreconditions'effectonbranchingisshowninFigure7.None.Preconditionedsymbolicexecutionisequiva-lenttostandardsymbolicexecution.Theinputprecon-ditionistrue(theentirestatespace).InputSpace:ForSsymbolicinputbytes,thesizeoftheinputspaceis256S.TheexampleinFigure7containsN+Msym-bolicbranchesandasymbolicloopwithSmaximumiterations,thusintheworstcase(withoutpruning),weneed2N
S
2Minterpreterstoexplorethestatespace.KnownLength.Thepreconditionisthatallinputsshouldbeofmaximumlength.Forexample,ifthein-putdataisoftypestring,weaddthepreconditionthateachbyteofinputuptothemaximuminputlengthisnotNULL,i.e.,(strlen(input)=len)orequiva-lentlyinlogic(input[0]6=0)^(input[1]6=0)^:::^(input[len�1]6=0)^(input[len]=0).Inputspace:Theinputspaceofastringoflengthlenwillbe255len.Notethatforlen=S,thismeansa0.4%decreaseofthein-putspaceforeachbyte.Savings:Thelengthprecondi-tiondoesnotaffecttheN+MsymbolicbranchesoftheexampleinFigure7.However,thesymbolicstrcpywillbeconvertedintoastraight-lineconcretecopy—sinceweknowthelengthandpruningisenabled,weneednotconsidercopyingstringsofallpossiblelengths.Thus,weneed2N+Minterpreterstoexploretheentirestatespace.Overall,thelengthpreconditiondecreasestheinputspaceslightly,butcanconcretizestrcpy-likeloops—acommonpatternfordetectingbufferover-ows.KnownPrex.Thepreconditionconstrainsaprexoninputbytes,e.g.,anHTTPGETrequestalwaysstartswith“GET”,orthataspecicheadereldneedstobewithinacertainrangeofvalues,e.g.,theprotocoleldintheIPheader.Weuseaprexpreconditiontotar-getoursearchtowardsinputsthatstartwiththatspecicprex.Forexample,supposethatwewishtoexploreonlyPNGimagesonanimage-processingutility.ThePNGstandardspeciesthatallimagesmuststartwithastandard8-byteheaderPNG H,thussimplybyspec-ifyingaprexprecondition(input[0]=PNG H[0])^:::^(input[7]=PNG H[7]),wecanfocusoursearchtoPNGimagesalone.Notethatprexpreconditionsneednotonlyconsistofexactequalities;theycanalsospec-ifyarangeoranenumerationofvaluesforthesymbolicbytes.Inputspace:ForSsymbolicbytesandanexactprexoflengthP(PNS),thesizeoftheinputspacewillbe256S�P.Savings:FortheexampleshowninFigure7,theprexpreconditioneffectivelyconcretizestherstPbranchesaswellastherstPiterationsofthesymbolicstrcpy,thusreducingthenumberofrequiredinter-preterstoS
2N+M�P.Aprexpreconditioncanhavearadicaleffectonthestatespace,butisnopanacea.Forexample,byconsideringonlyvalidprexeswearepo-tentiallymissingexploitscausedbymalformedheaders.ConcolicExecution.Thedualofspecifyingnopre-conditionisspecifyingthepreconditionthatallin-putbyteshaveaspecicvalue.Specifyingallin-putbyteshaveaspecicvalueisequivalenttocon-colicexecution[24].Mathematically,wespecify8i:V(input[i]=concrete input[i]):InputSpace:Thereisasingleconcreteinput.Savings:Asingleinterpreterisneededtoexploretheprogram,andbecauseofstatepruning,weareconcretelyexecut-ingtheexecutionpathforthegiveninput.Thus,es-peciallyforconcolicexecution,itismuchmoreusefultodisablestatepruninganddropthepreconditioncon-straintswheneverweforkanewinterpreter.Notethat,inthiscase,AEGbehavesasaconcolicfuzzer,where8 1charptr=malloc(100);2charbuf[100];3strcpy(buf,input);//overflow4strcpy(ptr,buf);//ptrdereference5return;Figure8:Whenstackcontentsaregarbledbystackoverow,aprogramcanfailbeforethereturnin-struction.ablefunctionreturns,simplyoverwritingthestackwillnotalwaysproduceavalidexploit.SupposeanattackertriestoexploittheprogramshowninFigure8usingthestrcpybufferoverowvulnerability.Inthiscase,ptrislocatedbetweenthereturnaddressandthebufbuffer.Notethatptrisdereferencedafterthestackoverowattack.Sinceptrisalsoonthestack,thecontentsofptraregarbledbythestackoverow,andmightcausetheprogramtocrashbeforethereturninstruction.Thus,asophisticatedattackmustconsidertheabovecasebyoverwritingavalidmemorypointertothestack.AEGproperlyhandlesthissituationbyexaminingtheentirestackspaceduringDBA,andpassingtheinformation(m)toEXPLOIT-GEN.6.2Exploit­GenEXPLOIT-GENtakesintwoinputstoproduceanex-ploit:theunsafeprogramstatecontainingthepathcon-straints(Pbug)andlow-levelruntimeinformationR,i.e.,thevulnerablebuffer'saddress(bufaddr),theaddressofthevulnerablefunction'sreturnaddress(&retaddr),andtheruntimestackmemorycontents(m).Usingthatinformation,EXPLOIT-GENgeneratesexploitfor-mulas(Pbug^Pexploit)forfourtypesofexploits:1)stack-overowreturn-to-stack,2)stack-overowreturn-to-libc,3)format-stringreturn-to-stack,4)format-stringreturn-to-libc.Inthispaper,wepresentthefullalgo-rithmonlyfor1.Thefullalgorithmsfortherestofourexploitationtechniquescanbefoundonourwebsite[2].Inordertogenerateexploits,AEGperformstwoma-jorsteps.First,AEGdeterminestheclassofattacktoperformandformulatesPexploitforcontrolhijack.Forexample,inastack-overowreturn-to-stackattack,Pexploitmusthavetheconstraintthattheaddressofthereturnaddress(&retaddr)shouldbeoverwrittentocon-taintheaddressoftheshellcode—asprovidedbyDBA.Further,theexploitpredicatePexploitmustalsocontainconstraintsthatshellcodemustbewrittenonthetargetbuffer.ThegeneratedpredicateisusedinconjunctionwithPbugtoproducethenalconstraints(theexploitformulaPbug^Pexploit)thatcanbesolvedtoproduce Algorithm2:Stack-OverowReturn-to-StackEx-ploitPredicateGenerationAlgorithm input:(bufaddr,&retaddr,m)=Routput:Pexploit1fori=1tolen(m)do 2exp str[i] m[i];//stackrestoration3offset &retaddr-bufaddr;4jmp target offset+8;//oldebp+retaddr=85exp str[offset] jmp target;//eiphijack6fori=1tolen(shellcode)do 7exp str[offset+i] shellcode[i];8return(Mem[bufaddr]==exp str[1])^:::^(Mem[bufaddr+len(m)�1]==exp str[len(m)]);//Pexploit anexploit.Algorithm2showshowtheexploitpredicate(Pexploit)isgeneratedforstack-overowreturn-to-stackattacks.6.2.1ExploitsAEGproducestwotypesofexploits:return-to-stack[21]andreturn-to-libc[10],bothofwhicharethemostpop-ularclassiccontrolhijackattacktechniques.AEGcur-rentlycannothandlestate-of-the-artprotectionschemes,butwediscusspossibledirectionsinx9.Additionally,ourreturn-to-libcattackisdifferentfromtheclassiconeinthatwedonotneedtoknowtheaddressofa“/bin/sh”stringinthebinary.Thistechniqueallowsbypassingstackrandomization(butnotlibcrandomization).Return-to-stackExploit.Thereturn-to-stackexploitoverwritesthereturnaddressofafunctionsothattheprogramcounterpointsbacktotheinjectedinput,e.g.,user-providedshellcode.Togeneratetheexploit,AEGndstheaddressofthevulnerablebuffer(bufaddr)intowhichaninputstringcanbecopied,andtheaddresswherethereturnaddressofavulnerablefunctionislo-catedat.Usingthetwoaddresses,AEGcalculatesthejumptargetaddresswheretheshellcodeislocated.Al-gorithm2describeshowtogenerateanexploitpredicateforastackoverowvulnerabilityinthecaseofareturn-to-stackexploitwheretheshellcodeisplacedafterthereturnaddress.Return-to-libcExploit.Intheclassicreturn-to-libcattack,anattackerusuallychangesthereturnaddresstopointtotheexecvefunctioninlibc.However,tospawnashell,theattackermustknowtheaddressofa“/bin/sh”stringinthebinary,whichisnotcommoninmostprograms.Inourreturn-to-libcattack,wecreateasymboliclinkto/bin/shandforthelinknameweuseanarbitrarystringwhichresidesinlibc.Forexam-11 aconcreteworkingexploit,i.e.,anexploitthatspawnsashell,or?,ifAEGfailstogeneratetheexploit.VER-IFYrstsolvestheexploitconstraintstogetaconcreteexploit.Iftheexploitisalocalattack,itrunstheexe-cutablewiththeexploitastheinputandchecksifashellhasbeenspawned.Iftheexploitisaremoteattack,AEGspawnsthreeprocesses.Therstprocessrunstheexe-cutable.Thesecondprocessrunsnctosendtheexploittotheexecutable.Thethirdprocesschecksthataremoteshellhasbeenspawnedatport31337.Notethat,inFigure5,wehaveshownastraight-lineowfromPRE-PROCESStoVERIFYforsimplic-ity.However,intheactualsystem,VERIFYprovidesfeedbacktoEXPLOIT-GENiftheconstraintscannotbesolved.ThisisacueforEXPLOIT-GENtoselectadif-ferentshellcode.7ImplementationAEGiswritteninamixtureofC++andPythonandconsistsof4majorcomponents:symbolicexecu-tor(BUG-FIND),dynamicbinaryevaluator(DBA),ex-ploitgenerator(EXPLOIT-GEN),andconstraintsolver(VERIFY).WechoseKLEE[5]asourbackendsym-bolicexecutor,andaddedabout5000linesofcodetoimplementourtechniquesandheuristicsaswellastoaddinsupportforotherinputsources(suchassocketsandsymbolicenvironmentvariables).Ourdynamicbi-naryevaluatorwaswritteninPython,usingawrapperfortheGNUdebugger[22].WeusedSTPforconstraintsolving[12].8EvaluationThefollowingsectionspresentourexperimentalworkontheAEGchallenge.Werstdescribetheenvironmentinwhichweconductedourexperiments.Then,weshowtheeffectivenessofAEGbypresent-ing16exploitsgeneratedbyAEGfor14real-worldap-plications.Next,wehighlighttheimportanceofoursearchheuristics—includingpreconditionedsymbolicexecution—inidentifyingexploitablebugs.Inaddition,wepresentseveralexamplesillustratingtheexploitationtechniquesalreadyimplementedinAEG.Last,weeval-uatethereliabilityofthegeneratedexploits.Foracom-pleteexplanationofeachgeneratedexploitandmoreex-perimentalresults,wereferthereadertoourwebsite[2].8.1ExperimentalSetupWeevaluatedouralgorithmsandAEGonamachinewitha2.4GHzIntel(R)Core2DuoCPUand4GBofRAMwith4MBL2Cache.Allexperimentswereper-formedunderDebianLinux2.6.26-2.WeusedLLVM-GCC2.7tocompileprogramstoruninoursource-basedAEGandGCC4.2.4tobuildbinaryexecutables.Allprogramspresentedinthepaperareunmodiedopen-sourceapplicationsthatpeopleuseandcanbedown-loadedfromtheInternet.Timemeasurementsareper-formedwiththeUnixtimecommand.Thebuggy-path-rstandloopexhaustionsearchheuristicselaboratedinx5.3wereturnedonbydefaultforalltheexperiments.8.2ExploitsbyAEGTable1showsthelistofvulnerabilitiesthatAEGsuc-cessfullyexploits.Wefoundthese14programsfromavarietyofpopularadvisories:CommonVulnerabili-tiesandExposures(CVE),OpenSourceVulnerabilityDatabase(OSVDB),andExploit-DB(EDB)anddown-loadedthemtotestonAEG.NotonlydidAEGreproducetheexploitsprovidedintheCVEs,itfoundandgener-atedworkingexploitsfor2additionalvulnerabilities—1forexpect-5.43and1forhtget-0.93.Weorderthetablebythekindofpathexplorationtechniqueusedtondthebug,orderedfromtheleasttomostamountofinformationgiventothealgorithmit-self.4exploitsrequirednopreconditionatallandpathswereexploredusingonlyourpathprioritizationtech-niques(x5.3).WenotethatalthoughwebuildontopofKLEE[5],inourexperimentsKLEEonlydetectedtheiwconfigexploitablebug.6oftheexploitsweregeneratedonlyafterinferringthepossiblemaximumlengthsofsymbolicinputsusingourstaticanalysis(theLengthrows).Withoutthemax-imuminputlengthAEGfailedmostoftenbecausesym-bolicexecutionwouldendupconsideringallpossibleinputlengthsuptosomemaximumbuffersize,whichwasusuallyverylarge(e.g.,512bytes).Sincelengthisautomaticallyinferred,these6combinedwiththepre-vious4meanthat10totalexploitswereproducedauto-maticallywithnoadditionaluserinformation.5exploitsrequiredthattheuserspecifyaprexontheinputspacetoexplore.Forexample,xmail'svulner-ableprogrampathisonlytriggeredwithvalidaemailaddress.Therefore,weneededtospecifytoAEGthattheinputincludedan“@”signtotriggerthevulnerablepath.Corehttpistheonlyvulnerabilitythatrequiredcon-colicexecution.Theinputweprovidedwas"A"x(repeats880times)+nrnnnrnn.WithoutspecifyingthecompleteGETrequest,symbolicexecu-tiongotstuckonexploringwheretoplacewhite-spacesandEOL(end-of-line)characters.GenerationTime.Column5inTable1showstheto-taltimetogenerateworkingexploits.Thequickestwegeneratedanexploitwas0.5sforiwcong(withalength13 Figure9:Comparisonofpreconditionedsymbolicexecutiontechniques.andthustheeffectivenessofAEG.Forexample,bypro-vidingalengthpreconditionwealmosttripledthenum-berofexploitablebugsthatAEGcoulddetectwithinthetimelimit.However,theamountofinformationsupplieddidnottremendouslychangehowquicklyanexploitisgenerated,whenitsucceedsatall.8.3.2Buggy-Path-First:ConsecutiveBugDetectionRecallfromx5.3thepathprioritizationheuristictocheckbuggypathsrst.tipxdandhtgetareexam-pleapplicationswherethisprioritizationheuristicpaysoff.Inbothcasesthereisanon-exploitablebugfol-lowedbyanexploitablebuginthesamepath.Fig-ure10showsasnippetfromtipxd,wherethereisaninitialnon-exploitablebugonline1(itshouldbe“malloc(strlen(optarg)+1)”fortheNULLbyte).AEGrecognizesthatthebugisnon-exploitableandprioritizesthatpathhigherforcontinuedexplo-ration.Lateronthepath,AEGdetectsaformatstringvul-nerabilityonline10.Sincetheconfig filenameissetfromthecommandlineargumentoptarginline5,wecanpassanarbitraryformatstringtothesyslogfunctioninline10viathevariablelog entry.AEGrecognizestheformatstringvulnerabilityandgeneratesaformatstringattackbycraftingasuitablecommandlineargument.8.4MixedBinaryandSourceAnalysisInx1,wearguethatsourcecodeanalysisaloneisinsufcientforexploitgenerationbecauselow-levelruntimedetailslikestacklayoutmatter.Theaspell,htget,corehttp,xserverareex-1intProcessURL(charTheURL,charHostname,charFilename,charActualFilename,unsignedPort)f2charBufferURL[MAXLEN];3charNormalURL[MAXLEN];4strcpy(BufferURL,TheURL);5...6strncpy(Hostname,NormalURL,I);Figure11:Codesnippetofhtgetamplesofthisaxiom.Forexample,Figure11showsacodesnippetfromhtget.Thestackframewheninvokingthisfunc-tionhasthefunctionargumentsatthetopofthestack,thenthereturnaddressandsavedebp,followedbythelocalbuffersBufferURLandNormalURL.Thestrcpyonline4isexploitablewhereTheURLcanbemuchlongerthanBufferURL.However,wemustbecarefulintheexploittoonlyoverwriteuptothere-turnaddress,e.g.,ifweoverwritethereturnaddressandHostname,theprogramwillsimplycrashwhenHostnameisdereferenced(beforereturning)online6.Sinceourtechniqueperformsdynamicanalysis,wecanreasonaboutruntimedetailssuchastheexactstacklayout,exactlyhowmanybytesthecompilerallocatedtoabuffer,etc,veryprecisely.Fortheaboveprogramsthisprecisionisessential,e.g.,inhtgetthepredicateassertsthatweoverwriteuptothereturnaddressbutnofurther.Ifthereisnotenoughspacetoplacethepayloadbeforethereturnaddress,AEGcanstillgenerateanex-15 1if(!(sysinfo.config filename=malloc(strlen(optarg))))f2fprintf(stderr,”Could not allocate memory for filename storagenn”);3exit(1);4g5strcpy((char)sysinfo.config filename,optarg);6tipxd log(LOG INFO,”Config file is %snn”,sysinfo.config filename);7...8voidtipxd log(intpriority,charformat,...)f9vsnprintf(log entry,LOG ENTRY SIZE�1,format,ap);10syslog(priority,log entry);Figure10:Codesnippetoftipxd.ploitbyapplyingstackrestoration(presentedinx6.1),wherethelocalvariablesandfunctionargumentsareoverwritten,butweimposeconstraintsthattheirvaluesshouldremainunchanged.Todoso,AEGagainreliesonourdynamicanalysiscomponenttoretrievetheruntimevaluesofthelocalvariablesandarguments.8.5ExploitVariantsWheneveranexploitablebugisfound,AEGgener-atesanexploitformula(Pbug^Pexploit)andproducesanexploitbyndingasatisfyinganswer.However,thisdoesnotmeanthatthereisasinglesatisfyinganswer(exploit).Infact,weexpectedthatthereishugenumberofinputsthatsatisfytheformula.Toverifyourexpecta-tions,weperformedanadditionalexperimentwhereweconguredAEGtogenerateexploitvariants—differentexploitsproducedbythesameexploitformula.Table2showsthenumberofexploitvariantsgeneratedbyAEGwithinanhourfor5sampleprograms.8.6AdditionalSuccessAEGalsohadananecdotalsuccess.OurresearchgroupenteredsmpCTF2010[27],atime-limitedinter-nationalcompetitionwhereteamscompeteagainsteachotherbysolvingsecuritychallenges.Oneofthechal-lengeswastoexploitagivenbinary.OurteamrantheHex-raysdecompilertoproducesource,whichwasthenfedintoAEG(withafewtweakstoxsomeincorrectdecompilationfromtheHex-raystool).AEGreturnedanexploitinunder60seconds.9DiscussionandFutureWorkAdvancedExploits.Inourexperimentswefocusedonstackbufferoverowsandformatstringvulnerabili-ties.InordertoextendAEGtohandleheap-basedover-owswewouldlikelyneedtoextendthecontrolowreasoningtoalsoconsiderheapmanagementstructures.Integeroverowsaremorecomplicatedhowever,astyp- Program#ofexploits iwconfig3265ncompress576aeon612htget939glftpd2201 Table2:NumberofexploitvariantsgeneratedbyAEGwithinanhour.icallyanintegeroverowisnotproblematicbyitself.Security-criticalproblemsusuallyappearwhentheover-owedintegerisusedtoindexorallocatememory.Weleaveaddingsupportforthesetypesofvulnerabilitiesasfuturework.OtherExploitClasses.Whileourdenitionin-cludesthemostpopularbugsexploitedtoday,e.g.,inputvalidationbugs,suchasinformationdisclosure,bufferoverows,heapoverows,andsoon,itdoesnotcaptureallsecurity-criticalvulnerabilities.Forexample,ourformulationleavesout-of-scopetimingattacksagainstcrypto,whicharenotreadilycharacterizedassafetyproblems.WeleaveextendingAEGtothesetypesofvulnerabilitiesasfuturework.SymbolicInputSize.Ourcurrentapproachper-formssimplestaticanalysisanddeterminesthatsym-bolicinputvariablesshouldbe10%largerinsizethanthelargeststaticallyallocatedbuffer.WhilethisisanimprovementoverKLEE(KLEErequiredauserspec-ifythesize),andwassufcientforourexamples,itissomewhatsimplistic.Moresophisticatedanalysiswouldprovidegreaterprecisionforexactlywhatmaybeex-ploitable,e.g.,byconsideringstacklayout,andmaybenecessaryformoreadvancedexploits,e.g.,heapover-owswherebuffersaredynamicallyallocated.16 DependableandSecureComputing,5(4):224–241,Oct.2008.[4]D.Brumley,P.Poosankam,D.Song,andJ.Zheng.Automaticpatch-basedexploitgenerationispossible:Techniquesandimplications.InProceedingsoftheIEEESymposiumonSecurityandPrivacy,May2008.[5]C.Cadar,D.Dunbar,andD.Engler.Klee:Unas-sistedandautomaticgenerationofhigh-coveragetestsforcomplexsystemsprograms.InProceedingsoftheUSENIXSymposiumonOperatingSystemDesignandImplementation,2008.[6]C.Cadar,V.Ganesh,P.Pawlowski,D.Dill,andD.En-gler.EXE:Asystemforautomaticallygeneratinginputsofdeathusingsymbolicexecution.InProceedingsoftheACMConferenceonComputerandCommunicationsSe-curity,Oct.2006.[7]S.K.Cha,B.Pak,D.Brumley,andR.J.Lipton.Platform-independentprograms.InProceedingsoftheACMConferenceonComputerandCommunicationsSe-curity,2010.[8]M.Costa,M.Castro,L.Zhou,L.Zhang,andM.Peinado.Bouncer:Securingsoftwarebyblockingbadinput.InProceedingsoftheACMSymposiumonOperatingSystemPrinciples,Oct.2007.[9]M.Costa,J.Crowcroft,M.Castro,A.Rowstron,L.Zhou,L.Zhang,andP.Barham.Vigilante:End-to-endcontainmentofinternetworms.InProceedingsoftheACMSymposiumonOperatingSystemPrinciples,2005.[10]S.Designer.“return-to-libc”attack.Bugtraq,Aug.1997.[11]D.EnglerandD.Dunbar.Under-constrainedexecution:makingautomaticcodedestructioneasyandscalable.InInternationalSymposiumonSoftwareTestingandAnal-ysis,pages1–4,2007.[12]V.GaneshandD.L.Dill.Adecisionprocedureforbit-vectorsandarrays.InProceedingsontheConferenceonComputerAidedVerication,volume4590ofLectureNotesinComputerScience,pages524–536,July2007.[13]S.Heelan.AutomaticGenerationofControlFlowHi-jackingExploitsforSoftwareVulnerabilities.TechnicalReportMScThesis,OxfordUniversity,2002.[14]I.JagerandD.Brumley.Efcientdirectionlessweakestpreconditions.TechnicalReportCMU-CyLab-10-002,CarnegieMellonUniversity,CyLab,Feb.2010.[15]R.JohnsonandD.Wagner.Findinguser/kernelpointerbugswithtypeinference.InProceedingsoftheUSENIXSecuritySymposium,2004.[16]J.King.Symbolicexecutionandprogramtesting.Com-municationsoftheACM,19:386–394,1976.[17]C.Lattner.LLVM:Acompilationframeworkforlife-longprogramanalysisandtransformation.InProceed-ingsoftheSymposiumonCodeGenerationandOpti-mization,2004.[18]V.B.LivshitsandM.S.Lam.Findingsecurityvulnera-bilitiesinjavaapplicationswithstaticanalysis.InPro-ceedingsoftheUSENIXSecuritySymposium,2005.[19]B.Miller,L.Fredriksen,andB.So.AnempiricalstudyofthereliabilityofUNIXutilities.CommunicationsoftheAssociationforComputingMachinery,33(12):32–44,1990.[20]J.NewsomeandD.Song.Dynamictaintanalysisforau-tomaticdetection,analysis,andsignaturegenerationofexploitsoncommoditysoftware.InProceedingsoftheNetworkandDistributedSystemSecuritySymposium,Feb.2005.[21]A.One.Smashingthestackforfunandprot.Phrack,7(49),1996.File14/16.[22]PyGDB.Pythonwrapperforgdb.http://code.google.com/p/pygdb/.[23]E.J.Schwartz,T.Avgerinos,andD.Brumley.Allyoueverwantedtoknowaboutdynamictaintanalysisandforwardsymbolicexecution(butmighthavebeenafraidtoask).InProceedingsoftheIEEESymposiumonSe-curityandPrivacy,pages317–331,May2010.[24]K.Sen,D.Marinov,andG.Agha.CUTE:AconcolicunittestingengineforC.InProceedingsoftheACMSymposiumontheFoundationsofSoftwareEngineering,2005.[25]H.Shacham,M.Page,B.Pfaff,E.-J.Goh,N.Modadugu,andD.Boneh.Ontheeffective-nessofaddress-spacerandomization.InProceedingsoftheACMConferenceonComputerandCommunicationsSecurity,pages298–307,2004.[26]U.Shankar,K.Talwar,J.Foster,andD.Wagner.Detect-ingformat-stringvulnerabilitieswithtypequaliers.InProceedingsoftheUSENIXSecuritySymposium,2001.[27]smpCTF.smpctf2010.http://ctf2010.smpctf.com/.[28]G.E.Suh,J.Lee,andS.Devadas.Secureprogramexe-cutionviadynamicinformationowtracking.InPro-ceedingsoftheInternationalConferenceonArchitec-turalSupportforProgrammingLanguagesandOperat-ingSystems,2004.18