rebert, dbrumley (cmu.edu)

Abstract. In this paper we present MAYHEM, a new system for automatically finding exploitable bugs in binary (i.e., executable) programs. Every bug reported by MAYHEM is accompanied by a working shell-spawning exploit. The working [...]
2012 IEEE Symposium on Security and Privacy. 1081-6011/12 $26.00 © 2012 IEEE. DOI 10.1109/SP.2012.31

[...] works on raw binary code without debugging information. To make exploit generation possible at the binary level, MAYHEM addresses two major technical challenges: actively managing execution paths without exhausting memory, and reasoning about symbolic memory indices, where a load or a store address depends on user input. To this end, we propose two novel techniques: 1) hybrid symbolic execution for combining online and offline (concolic) execution to maximize the benefits of both techniques, and 2) index-based memory modeling, a technique that allows MAYHEM to efficiently reason about symbolic memory at the binary level. We used M [...]

[...] executable) programs. MAYHEM produces a working control-hijack exploit for each bug it reports, thus guaranteeing each bug report is actionable and security-critical. By working with binary code MAYHEM enables even those without source code access to check the (in)security of their software.

MAYHEM detects and generates exploits based on the basic principles introduced in our previous work on AEG [2]. At a high level, MAYHEM finds exploitable paths by augmenting symbolic execution [16] with additional constraints at potentially vulnerable program points. The constraints [...]

[...] addresses is essential to exploit real-world bugs. Principle #1 is necessary for running complex applications, since most non-trivial programs will contain a potentially infinite number of paths to explore.

Current approaches to symbolic execution, e.g., CUTE [26], BitBlaze [5], KLEE [9], SAGE [13], McVeto [27], AEG [2], S2E [28], and others [3], [21], do not satisfy all the above design points. Conceptually, current executors can be [...]

[...] run of the system needs to restart execution of the program from the very beginning. Conceptually, the same instructions need to be executed repeatedly for every execution trace. Our experimental results show that this re-execution can be very expensive (see § VIII).
Online symbolic execution [9], [28] forks at each branch point. Previous instructions are never re-executed, but the continued forking puts a strain on memory, slowing down the execution engine as the number of branches increases. The result is no forward progress and thus principles #1 and #3 are not met. Some online executors such as KLEE stop forking to avoid being slowed down by their memory use. Such executors satisfy principle #1 but not principle #3 (interesting paths are potentially eliminated).

MAYHEM combines the best of both worlds by introducing hybrid symbolic execution, where execution alternates between online and offline symbolic execution runs. Hybrid execution acts like a memory manager in an OS, except that it is designed to efficiently swap out symbolic execution engines. When memory is under pressure, the hybrid engine picks a running executor and saves its current execution state and path formula. The thread is restored by restoring the formula, concretely running the program up to the previous execution state, and then continuing. Caching the path formulas prevents the symbolic re-execution of instructions, which is the bottleneck in offline execution, while managing memory more efficiently than online execution.

MAYHEM also proposes techniques for efficiently reasoning about symbolic memory. A symbolic memory access occurs when a load or store address depends on input. Symbolic pointers are very common at the binary level, and being able to reason about them is necessary to generate control-hijack exploits. In fact, our experiments show that 40% of the generated exploits would have been impossible due to concretization constraints (§ VIII). To overcome this problem, MAYHEM employs an index-based memory model (§ V) to avoid constraining the index whenever possible.

Results are encouraging. While there is ample room for new research, MAYHEM currently generates exploits for several security vulnerabilities: buffer overflows, function pointer overwrites, and format string vulnerabilities for 29 different programs. MAYHEM also demonstrates a 2-10× speedup over offline symbolic execution without having the memory constraints of online symbolic execution.

Overall, MAYHEM makes the following contributions:

1) Hybrid execution.
We introduce a new scheme for symbolic execution which we call hybrid symbolic execution that allows us to find a better balance between speed and memory requirements. Hybrid execution enables MAYHEM to explore multiple paths faster than existing approaches (see § IV).

2) Index-based memory modeling. We propose the index-based memory model as a practical approach to dealing with symbolic indices at the binary level (see § V).

3) Binary-only exploit generation. We present the first end-to-end binary-only exploitable bug finding system that demonstrates exploitability by outputting working control hijack exploits.

II. OVERVIEW OF MAYHEM

In this section we describe the overall architecture, usage scenario, and challenges for finding exploitable bugs. We use an HTTP server, orzHttpd [1], shown in Figure 1a as an example to highlight the main challenges and present how MAYHEM works. Note that we show source for clarity and simplicity; MAYHEM runs on binary code.

```c
 1 #define BUFSIZE 4096
 2
 3 typedef struct {
 4     char buf[BUFSIZE];
 5     int used;
 6 } STATIC_BUFFER_t;
 7
 8 typedef struct conn {
 9     STATIC_BUFFER_t read_buf;
10     ... // omitted
11 } CONN_t;
12
13 static void serverlog(LOG_TYPE_t type,
14                       const char *format, ...)
15 {
16     ... // omitted
17     if (format != NULL) {
18         va_start(ap, format);
19         vsprintf(buf, format, ap);
20         va_end(ap);
21     }
22     fprintf(log, buf); // vulnerable point
23     fflush(log);
24 }
25
26 HTTP_STATE_t http_read_request(CONN_t *conn)
27 {
28     ... // omitted
29     while (conn->read_buf.used < BUFSIZE) {
30         sz = static_buffer_read(conn, &conn->read_buf);
31         if (sz < 0) {
32             ...
33         conn->read_buf.used += sz;
34         if (memcmp(&conn->read_buf.buf[conn->read_buf.used] - 4, "\r\n\r\n", 4) == 0)
35         {
36             break;
37         }
38     }
39     if (conn->read_buf.used >= BUFSIZE) {
40         conn->status.st = HTTP_STATUS_400;
41         return HTTP_STATE_ERROR;
42     }
43     ...
44     serverlog(ERROR_LOG,
45               "%s\n",
46               conn->read_buf.buf);
47     ...
48 }
```

(a) Code snippet.
(b) Stack diagram of the vulnerable program (diagram not reproduced; it shows, from high to low addresses, the fprintf frame, the serverlog frame with its old ebp, and the exploit generated by MAYHEM: format-string writes followed by shellcode).

Figure 1: orzHttpd vulnerability.

In orzHttpd, each HTTP connection is passed to http_read_request. This routine in turn calls static_buffer_read as part of the loop on line 29 to get the user request string. The user input is placed into the 4096-byte buffer conn->read_buf.buf on line 30. Each read increments the variable conn->read_buf.used by the number of bytes read so far in order to prevent a buffer overflow. The read loop continues until \r\n\r\n is found, checked on line 34. If the user passes in more than 4096 bytes without an HTTP end-of-line character, the read loop aborts and the server returns a 400 error status message on line 41. Each non-error request gets logged via the serverlog function.

The vulnerability itself is in serverlog, which calls fprintf with a user-specified format string (an HTTP request). Variadic functions such as fprintf use a format string specifier to determine how to walk the stack looking for arguments. An exploit for this vulnerability works by supplying format strings that cause fprintf to walk the stack to user-controlled data. The exploit then uses additional format specifiers to write to the desired location [22]. Figure 1b shows the stack layout of orzHttpd when the format string vulnerability is detected. There is a call to fprintf and the formatting argument is a string of user-controlled bytes.

We highlight several key points for finding exploitable bugs:

Low-level details matter: Determining exploitability requires that we reason about low-level details like return addresses and stack pointers. This is our motivation for focusing on binary-level techniques.

There are an enormous number of paths: In the example, there is a new path on every encounter of an if statement, which can lead to an exponential path explosion. Additionally, the number of paths in many portions of the code is related to the size of the input. For example, memcmp unfolds a loop, creating a new path for symbolic execution on each iteration.
Longer inputs mean more conditions, more forks, and harder scalability challenges. Unfortunately most exploits are not short strings, e.g., in a buffer overflow typical exploits are hundreds or thousands of bytes long.

The more checked paths, the better: To reach the exploitable fprintf bug in the example, MAYHEM needs to reason through the loop, read input, fork a new interpreter for every possible path and check for errors. Without careful resource management, an engine can get bogged down with too many symbolic execution threads because of the huge number of possible execution paths.

Execute as much natively as possible: Symbolic execution is slow compared to concrete execution since the semantics of an instruction are simulated in software. In orzHttpd, millions of instructions set up the basic server before an attacker can even connect to a socket. We want to execute these instructions concretely and then switch to symbolic execution.

Figure 2: MAYHEM architecture (diagram not reproduced). Inputs: Input Spec., Binary; outputs: Test Cases, Buggy Inputs, Exploits. On the target machine, the Concrete Execution Client (CEC) with its Taint Tracker, Dynamic Binary Instrumentator (DBI) and Virtualization Layer above the Operating System and Hardware; the Symbolic Execution Server (SES) with its Symbolic Evaluator, Path Selector, Checkpoint Manager, Check Points and Exploit Generator.

The MAYHEM architecture for finding exploitable bugs is shown in Figure 2. The user starts MAYHEM by running:

mayhem --sym-net 80 400 ./orzhttpd

The command line tells MAYHEM to symbolically execute orzHttpd, and open sockets on port 80 to receive symbolic 400-byte long packets. All remaining steps to create an exploit are performed automatically.

MAYHEM consists of two concurrently running processes: a Concrete Executor Client (CEC), which executes code natively on a CPU, and a Symbolic Executor Server (SES).
Both are shown in Figure 2. At a high level, the CEC runs on a target system, and the SES runs on any platform, waiting for connections from the CEC. The CEC takes in a binary program along with the potential symbolic sources (input specification) as an input, and begins communication with the SES. The SES then symbolically executes blocks that the CEC sends, and outputs several types of test cases including normal test cases, crashes, and exploits. The steps followed by MAYHEM to find the vulnerable code and generate an exploit are:

1) The --sym-net 80 400 argument tells MAYHEM to perform symbolic execution on data read in from a socket on port 80. Effectively this is specifying which input sources are potentially under attacker control. MAYHEM can handle attacker input from environment variables, files, and the network.

2) The CEC loads the vulnerable program and connects to the SES to initialize all symbolic input sources. After the initialization, MAYHEM executes the binary concretely on the CPU in the CEC. During execution, the CEC instruments the code and performs dynamic taint analysis [23]. Our taint tracking engine checks if a block contains tainted instructions, where a block is a sequence of instructions that ends with a conditional jump or a call instruction.

3) When the CEC encounters a tainted branch condition or jump target, it suspends concrete execution. A tainted jump means that the target may be dependent on attacker input. The CEC sends the instructions to the SES and the SES determines which branches are feasible. The CEC will later receive the next branch target to explore from the SES.
4) The SES, running in parallel with the CEC, receives a stream of tainted instructions from the CEC. The SES jits the instructions to an intermediate language (§ III), and symbolically executes the corresponding IL. The CEC provides any concrete values whenever needed, e.g., when an instruction operates on a symbolic operand and a concrete operand. The SES maintains two types of formulas:

Path Formula: The path formula reflects the constraints to reach a particular line of code. Each conditional jump adds a new constraint on the input. For example, lines 32-33 create two new paths: one which is constrained so that the read input ends in an \r\n\r\n and line 35 is executed, and one where the input does not end in \r\n\r\n and line 28 will be executed.

Exploitability Formula: The exploitability formula determines whether i) the attacker can gain control of the instruction pointer, and ii) execute a payload.

5) When MAYHEM hits a tainted branch point, the SES decides whether we need to fork execution by querying the SMT solver. If we need to fork execution, all the new forks are sent to the path selector to be prioritized. Upon picking a path, the SES notifies the CEC about the change and the corresponding execution state is restored. If the system resource cap is reached, then the checkpoint manager starts generating checkpoints instead of forking new executors (§ IV). At the end of the process, test cases are generated for the terminated executors and the SES informs the CEC about which checkpoint should continue execution next.

6) During the execution, the SES switches context between executors and the CEC checkpoints/restores the provided execution state and continues execution. To do so, the CEC maintains a virtualization layer to handle the program interaction with the underlying system and checkpoint/restore between multiple program execution states (§ IV-C).

7) When MAYHEM detects a tainted jump instruction, it builds an exploitability formula, and queries an SMT solver to see if it is satisfiable. A satisfying input will be, by construction, an exploit. If no exploit is found on the tainted branch instruction, the SES keeps exploring execution paths.
8) The above steps are performed at each branch until an exploitable bug is found, MAYHEM hits a user-specified maximum runtime, or all paths are exhausted.

III. BACKGROUND

Binary Representation in our language. Basic symbolic execution is performed on assembly instructions as they execute. In the overall system the stream comes from the CEC as explained earlier; here we assume they are simply given to us. We leverage BAP [15], an open-source binary analysis framework, to convert x86 assembly to an intermediate language suitable for symbolic execution. For each instruction executed, the symbolic executor jits the instruction to the BAP IL. The SES performs symbolic execution directly on the IL, introduces additional constraints related to specific attack payloads, and sends the formula to an SMT solver to check satisfiability. For example, the IL for a ret instruction consists of two statements: one that loads an address from memory, and one that jumps to that address.

Symbolic Execution on the IL. In concrete execution, the program is given a concrete value as input, it executes statements to produce new values, and terminates with final values. In symbolic execution we do not restrict execution to a single value, but instead provide a symbolic input variable that represents the set of all possible input values. The symbolic execution engine evaluates expressions for each statement in terms of the original symbolic inputs. When symbolic execution hits a branch, it considers two possible worlds: one where the true branch target is followed and one where the false branch target is followed. It does so by forking off an interpreter for each branch and asserting in the generated formula that the branch guard must be satisfied. The final formula encapsulates all branch conditions that must be met to execute the given path, and is thus called the path formula or path predicate.
In MAYHEM, each IL statement type has a corresponding symbolic execution rule. Assertions in the IL are immediately appended to the formula. Conditional jump statements create two formulas: one where the branch guard is asserted true and the true branch is followed, and one which asserts the negation of the guard and the false branch is followed. For example, if we already have formula $f$ and execute $\mathrm{cjmp}\ e_1, e_2, e_3$ where $e_1$ is the branch guard and $e_2$ and $e_3$ are jump targets, then we create the two formulas:

$$f \wedge e_1 \wedge \mathrm{FSE}(\mathrm{path}\ e_2) \qquad\qquad f \wedge \neg e_1 \wedge \mathrm{FSE}(\mathrm{path}\ e_3)$$

where FSE stands for forward symbolic execution of the jump target. Due to space, we give the exact semantics in a companion paper [15], [24].

IV. HYBRID SYMBOLIC EXECUTION

MAYHEM is a hybrid symbolic execution system. Instead of running in pure online or offline execution mode, MAYHEM can alternate between modes. In this section we present the motivation and mechanics of hybrid execution.

A. Previous Symbolic Execution Systems

Offline symbolic execution as found in systems such as SAGE [13] requires two inputs: the target program and an initial seed input. In the first step, offline systems concretely execute the program on the seed input and record a trace. In the second step, they symbolically execute the instructions in the recorded trace. This approach is called concolic execution, a juxtaposition of concrete and symbolic execution. Offline execution is attractive because of its simplicity and low resource requirements; we only need to handle a single execution path at a time.

Figure 3: Hybrid execution tries to combine the speed of online execution and the memory use of offline execution to efficiently explore the input space. (Diagram not reproduced; panels: Offline, Online, Hybrid, each showing paths 1-4 against millions of instructions.)

Figure 4: Online execution throughput versus memory use. (Plot not reproduced; x-axis: Memory Use (KBytes), y-axis: Testcase gen. throughput (num/sec.).)
The top-left diagram of Figure 3 highlights an immediate drawback of this approach. For every explored execution path, we need to first re-execute a (potentially) very large number of instructions until we reach the symbolic condition where execution forked, and then begin to explore new instructions.

Online symbolic execution avoids this re-execution cost by forking two interpreters at branch points, each one having a copy of the current execution state. Thus, to explore a different path, online execution simply needs to perform a context switch to the execution state of a suspended interpreter. S2E [28], KLEE [9] and AEG [2] follow this approach by performing online symbolic execution on LLVM bytecode. However, forking off a new executor at each branch can quickly strain the memory, causing the entire system to grind to a halt. State-of-the-art online executors try to address this problem with aggressive copy-on-write optimizations. For example, KLEE has an immutable state representation and S2E shares common state between snapshots of physical memory and disks. Nonetheless, since all execution states are kept in memory simultaneously, eventually all online executors will reach the memory cap. The problem can be mitigated by using DFS (Depth-First-Search); however, this is not a very useful strategy in practice. To demonstrate the problem, we downloaded S2E [28] and ran it on a coreutils application (echo) with 2 symbolic arguments, each one 10 bytes long. Figure 4 shows how the symbolic execution throughput (number of test cases generated per second) slows down as the memory use increases.
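As an added illustration (not MAYHEM's code, and not the authors' IL), the following toy executor shows the two ideas this section contrasts: the cjmp rule of Section III, which forks a path formula f into f ∧ e1 and f ∧ ¬e1, and the hybrid scheme that Section IV-B describes next, where forking is online while fewer than a cap of executors are live and every further fork becomes a checkpoint (path predicate plus program counter) that is later restored by concretely replaying one satisfying input. The eight-statement program, the single symbolic input byte, and the brute-force search over 0..255 that stands in for the SMT solver are all constructed assumptions.

```python
# Toy hybrid symbolic executor (added illustration; not MAYHEM's code).
# Guards are Python callables on the single symbolic input byte x.

def solve(pred):
    """Return one input byte satisfying every guard of the path predicate, or None.
    Brute force over 0..255 stands in for the SMT solver (constructed assumption)."""
    for x in range(256):
        if all(g(x) for g in pred):
            return x
    return None

# Toy IL: ('cjmp', guard, target_if_true, target_if_false)
#         ('assert', guard)   -- appended to the formula immediately
#         ('halt', label)     -- the path terminates; emit a test case
PROGRAM = [
    ('cjmp', lambda x: x >= 0x30, 1, 6),    # 0: x >= '0' ?
    ('cjmp', lambda x: x <= 0x39, 2, 4),    # 1: x <= '9' ?
    ('assert', lambda x: x != 0x35),        # 2: the program rejects '5'
    ('halt', 'digit'),                      # 3
    ('cjmp', lambda x: x < 0x30, 7, 5),     # 4: true branch is infeasible on this path
    ('halt', 'high'),                       # 5
    ('halt', 'low'),                        # 6
    ('halt', 'unreachable'),                # 7
]

def replay(program, x, stop_pc):
    """Phase 4: concrete re-execution on input x until stop_pc; returns instructions run.
    No solver is consulted, the concrete input decides every branch."""
    pc, steps = 0, 0
    while pc != stop_pc:
        stmt = program[pc]
        steps += 1
        if stmt[0] == 'cjmp':
            pc = stmt[2] if stmt[1](x) else stmt[3]
        elif stmt[0] == 'assert':
            pc += 1
        else:
            raise RuntimeError('halted before reaching the checkpoint')
    return steps

def explore(program, cap):
    """Hybrid exploration with at most `cap` live executors; returns tests and costs."""
    stats = {'queries': 0, 'symbolic_steps': 0, 'concrete_steps': 0,
             'checkpoints': 0, 'max_live': 0}

    def feasible(pred):
        stats['queries'] += 1                       # each feasibility check is one query
        return solve(pred) is not None

    tests, checkpoints, live = [], [], [(0, [])]    # executor = (pc, path predicate)
    while live or checkpoints:
        if not live:                                # phase 4: checkpoint restoration
            pc, pred = checkpoints.pop(0)
            seed = solve(pred)                      # one satisfying assignment
            stats['concrete_steps'] += replay(program, seed, pc)
            live.append((pc, pred))
        stats['max_live'] = max(stats['max_live'], len(live))
        pc, pred = live.pop()                       # phase 2: online exploration
        stmt = program[pc]
        stats['symbolic_steps'] += 1
        if stmt[0] == 'halt':
            tests.append((stmt[1], solve(pred)))    # test case for the finished path
        elif stmt[0] == 'assert':
            pred = pred + [stmt[1]]
            if feasible(pred):
                live.append((pc + 1, pred))
        else:                                       # cjmp e1, e2, e3
            g, t_pc, f_pc = stmt[1], stmt[2], stmt[3]
            forks = [(t_pc, pred + [g]),                            # f ∧ e1
                     (f_pc, pred + [lambda x, g=g: not g(x)])]     # f ∧ ¬e1
            for target in [s for s in forks if feasible(s[1])]:
                if len(live) < cap:                 # online: fork a new executor
                    live.append(target)
                else:                               # phase 3: checkpoint instead of forking
                    checkpoints.append(target)
                    stats['checkpoints'] += 1
    return {'tests': tests, 'stats': stats}

if __name__ == '__main__':
    for cap in (1, 8):
        result = explore(PROGRAM, cap)
        print(f"cap={cap}: tests={result['tests']} stats={result['stats']}")
```

With cap=8 the run is purely online (no checkpoints, no concrete re-execution); with cap=1 the same three paths are found, but two of them are reached through checkpoints that cost a few concrete steps each, which is the trade the hybrid engine makes to keep the number of live executors bounded.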
B. Hybrid Symbolic Execution

MAYHEM introduces hybrid symbolic execution to actively manage memory without constantly re-executing the same instructions. Hybrid symbolic execution alternates between online and offline modes to maximize the effectiveness of each mode. MAYHEM starts analysis in online mode. When the system reaches a memory cap, it switches to offline mode and does not fork any more executors. Instead, it produces checkpoints to start new online executions later on. The crux of the system is to distribute the online execution tasks into subtasks without losing potentially interesting paths. The hybrid execution algorithm employed by MAYHEM is split into four main phases:

1. Initialization: The first time MAYHEM is invoked for a program, it initializes the checkpoint manager, the checkpoint database, and test case directories. It then starts online execution of the program and moves to the next phase.

2. Online Exploration: During the online phase, MAYHEM symbolically executes the program in an online fashion, context-switching between current active execution states, and generating test cases.

3. Checkpointing: The checkpoint manager monitors online execution. Whenever the memory utilization reaches a cap, or the number of running executors exceeds a threshold, it will select and generate a checkpoint for an active executor. A checkpoint contains the symbolic execution state of the suspended executor (path predicate, statistics, etc.) and replay information¹. The concrete execution state is discarded. When the online execution eventually finishes all active execution paths, MAYHEM moves to the next phase.
4. Checkpoint Restoration: The checkpoint manager selects a checkpoint based on a ranking heuristic (§ IV-D) and restores it in memory. Since the symbolic execution state was saved in the checkpoint, MAYHEM only needs to re-construct the concrete execution state. To do so, MAYHEM concretely executes the program using one satisfiable assignment of the path predicate as input, until the program reaches the instruction when the execution state was suspended. At that point, the concrete state is restored and the online exploration (phase 2) restarts. Note that phase 4 avoids symbolically re-executing instructions during the checkpoint restoration phase [...]

¹ Note that the term checkpoint differs from an offline execution seed, which is just a concrete input.

[...] simplifies symbolic expressions and formulas by applying algebraic simplifications, e.g. $x \oplus x = 0$, $x \,\&\, 0 = 0$, and so on.

Recall from § IV-C, MAYHEM uses taint analysis [11], [23] to selectively execute instruction blocks that deal with symbolic data. This optimization gives an 8× speedup on average over executing all instruction blocks (see § VIII-G).

V. INDEX-BASED MEMORY MODELING

MAYHEM introduces an index-based memory model as a practical approach to handling symbolic memory loads. The index-based model allows MAYHEM to adapt its treatment of symbolic memory based on the value of the index. In this section we present the entire memory model of MAYHEM.

MAYHEM models memory as a map $\mu : I \to E$ from 32-bit indices ($i$) to expressions ($e$). In a $\mathrm{load}(\mu, i)$ expression, we say that index $i$ indexes memory $\mu$, and the loaded value $e$ represents the contents of the $i$th memory cell. A load with a concrete index $i$ is directly translated by MAYHEM into an appropriate lookup in $\mu$ (i.e., $\mu[i]$). A $\mathrm{store}(\mu, i, e)$ instruction results in a new memory $\mu[i \leftarrow e]$ where $i$ is mapped to $e$.

A. Previous Work & Symbolic Index Modeling

A symbolic index occurs when the index used in a memory lookup is not a number, but an expression, a pattern that appears very frequently in binary code. For example, a C switch(c) statement is compiled down to a jump-table lookup where the input character c is used as the index.
Standard string conversion functions (such as ASCII to Unicode and vice versa, to_lower, to_upper, etc.) are all in this category.

Handling arbitrary symbolic indices is notoriously hard, since a symbolic index may (in the worst case) reference any cell in memory. Previous research and state-of-the-art tools indicate that there are two main approaches for handling a symbolic index: a) concretizing the index and b) allowing memory to be fully symbolic.

First, concretizing means instead of reasoning about all possible values that could be indexed in memory, we concretize the index to a single specific address. This concretization can reduce the complexity of the produced formulas and improve solving/exploration times. However, constraining the index to a single value may cause us to miss paths, for instance, if they depend on the value of the index. Concretization is the natural choice for offline executors, such as SAGE [13] or BitBlaze [5], since only a single memory address is accessed during concrete execution.

Reasoning about all possible indices is also possible by treating memory as fully symbolic. For example, tools such as McVeto [27], BAP [15] and BitBlaze [5] offer capabilities to handle symbolic memory. The main tradeoff when compared with the concretization approach is performance. Formulas involving symbolic memory are more expressive, thus solving/exploration times are usually higher.

B. Memory Modeling in MAYHEM

The first implementation of MAYHEM followed the simple concretization approach and concretized all memory indices. This decision proved to be severely limiting in that selecting a single address for the index usually did not allow us to satisfy the exploit payload constraints. Our experiments show that 40% of the examples require us to handle symbolic memory; simple concretization was insufficient (see § VIII).

The alternative approach was symbolic memory. To avoid the scalability problems associated with fully symbolic memory, MAYHEM models memory partially, where writes are always concretized, but symbolic reads are allowed to be modeled symbolically. In the rest of this section we describe the index-based memory model of MAYHEM in detail, as well as some of the key optimizations.

Memory Objects.
To model symbolic reads, MAYHEM introduces memory objects. Similar to the global memory $\mu$, a memory object $\mathcal{M}$ is also a map from 32-bit indices to expressions. Unlike the global memory however, a memory object is immutable. Whenever a symbolic index is used to read memory, MAYHEM generates a fresh memory object $\mathcal{M}$ that contains all values that could be accessed by the index; $\mathcal{M}$ is a partial snapshot of the global memory.

Using the memory object, MAYHEM can reduce the evaluation of a $\mathrm{load}(\mu, i)$ expression to $\mathcal{M}[i]$. Note that this is semantically equivalent to returning $\mu[i]$. The key difference is in the size of the symbolic array we introduce in the formula. In most cases, the memory object $\mathcal{M}$ will be orders of magnitude smaller than the entire memory $\mu$.

Memory Object Bounds Resolution. Instantiating the memory object requires MAYHEM to find all possible values of a symbolic index $i$. In the worst case, this may require up to $2^{32}$ queries to the solver (for 32-bit memory addresses). To tackle this problem MAYHEM exchanges some accuracy for scalability by resolving the bounds $[L, U]$ of the memory region where $L$ is the lower and $U$ is the upper bound of the index. The bounds need to be conservative, i.e., all possible values of the index should be within the $[L, U]$ interval. Note that the memory region does not need to be continuous, for example $i$ might have only two realizable values ($L$ and $U$).

To obtain these bounds MAYHEM uses the solver to perform binary search on the value of the index in the context of the current path predicate. For example, initially for the lowest bound of a 32-bit $i$: $L \in [0, 2^{32}-1]$. If $i < \frac{2^{32}-1}{2}$ is satisfiable then $L \in [0, \frac{2^{32}-1}{2} - 1]$, while unsatisfiability indicates that $L \in [\frac{2^{32}-1}{2}, 2^{32}-1]$. We repeat the process until we recover both bounds. Using the bounds we can now instantiate the memory object (using a fresh symbolic array $\mathcal{M}$) as follows:

$$\forall i \in [L, U] : \mathcal{M}[i] = \mu[i].$$
The bounds resolution algorithm described above is sufficient to generate a conservative representation of memory objects and allow MAYHEM to reason about symbolic memory reads. In the rest of the section we detail the main optimization techniques MAYHEM includes to tackle some of the caveats of the original algorithm:

- Querying the solver on every symbolic memory dereference is expensive. Even with binary search, identifying both bounds of a 32-bit index required 54 queries on average (§ VIII) (§ V-B1, § V-B2, § V-B3).
- The memory region may not be continuous. Even though many values between the bounds may be infeasible, they are still included in the memory object, and consequently, in the formula (§ V-B2).
- The values within the memory object might have structure. By modeling the object as a single byte array we are missing opportunities to optimize our formulas based on the structure (§ V-B4, § V-B5).
- In the worst case, a symbolic index may access any possible location in memory (§ V-C).

Figure 5: Figure (a) shows the to_lower conversion table, (b) shows the generated IST, and (c) the IST after linearization. (Diagram not reproduced; panels (a) to_lower conversion table, (b) Index search tree, (c) Linearization, all plotting value against memory index with split points at indices 64 and 91; the linearized tree has leaves of the form ite(n ...) with L = ite(n ...) and R = ite(n ...).)

1) Value Set Analysis (VSA): MAYHEM employs an online version of VSA [4] to reduce the solver load when resolving the bounds of a symbolic index ($i$). VSA returns a strided interval for the given symbolic index. A strided interval represents a set of values in the form $S[L, U]$, where $S$ is the stride and $L, U$ are the bounds. For example, the interval $2[1, 5]$ represents the set $\{1, 3, 5\}$. The strided interval output by VSA will be an over-approximation of all possible values the index might have. For instance, $i = (1 + \mathit{byte}) \ll 1$ where $\mathit{byte}$ is a symbolic byte with an interval $1[0, 255]$ results in an interval: $\mathrm{VSA}(i) = 2[2, 512]$.
The strided interval produced by VSA is then refined by the solver (using the same binary-search strategy) to get the tight lower and upper bounds of the memory object. For instance, if the path predicate asserts that $\mathit{byte} < 32$, then the interval for the index $(1 + \mathit{byte}) \ll 1$ can be refined to $2[2, 64]$. Using VSA as a preprocessing step has a cascading effect on our memory modeling: a) we perform 70% less queries to resolve the exact bounds of the memory object (§ VIII), b) the strided interval can be used to eliminate impossible values in the $[L, U]$ region, thus making formulas simpler, and c) the elimination can trigger other optimizations (see § V-B5).

2) Refinement Cache: Every VSA interval is refined using solver queries. The refinement process can still be expensive (for instance, the over-approximation returned by VSA might be too coarse). To avoid repeating the process for the same intervals, MAYHEM keeps a cache mapping intervals to potential refinements. Whenever we get a cache hit, we query the solver to check whether the cached refinement is accurate for the current symbolic index, before resorting to binary search for refinement. The refinement cache can reduce the number of bounds-resolution queries by 82% (§ VIII).

3) Lemma Cache: Checking an entry of the refinement cache still requires solver queries. MAYHEM uses another level of caching to avoid repeatedly querying α-equivalent formulas, i.e., formulas that are structurally equivalent up to variable renaming. To do so, MAYHEM converts queried formulas to a canonical representation (F) and caches the query results (Q) in the form of a lemma: $F \to Q$. The answer for any formula mapping to the same canonical representation is retrieved immediately from the cache. The lemma cache can reduce the number of bounds-resolution queries by up to 96% (§ VIII). The effectiveness of this cache depends on the independent formulas optimization (§ IV-E). The path predicate has to be represented as a set of independent formulas, otherwise any new formula addition to the current path predicate would invalidate all previous entries of the lemma cache.
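The bounds resolution of Section V-B and the VSA pre-processing of V-B1, as an added example that is not MAYHEM's code: a strided interval S[L, U], an abstract evaluation of the index i = (1 + byte) << 1 that yields 2[2, 512], and binary-search refinement of both bounds through a solver that counts its queries, run once from the VSA interval and once from the whole 32-bit range so the saving in queries is visible. The single symbolic byte, the path predicate byte < 32, the contents of the global memory and the brute-force solver over 0..255 are constructed assumptions.

```python
# Strided intervals, VSA and bounds resolution (added illustration; not MAYHEM's code).
from dataclasses import dataclass

@dataclass(frozen=True)
class SI:
    """Strided interval S[L, U] = {L, L+S, ..., U}."""
    stride: int
    lo: int
    hi: int
    def values(self):
        return range(self.lo, self.hi + 1, self.stride)
    def add(self, c):
        return SI(self.stride, self.lo + c, self.hi + c)
    def shl(self, k):
        return SI(self.stride << k, self.lo << k, self.hi << k)

# The index expression i = (1 + byte) << 1 as a tiny AST shared by both evaluators.
INDEX = ('shl', ('add', ('sym', 'byte'), 1), 1)

def vsa(expr, env):
    """Abstract evaluation: strided interval of expr, given intervals for the symbols."""
    op = expr[0]
    if op == 'sym':
        return env[expr[1]]
    if op == 'add':
        return vsa(expr[1], env).add(expr[2])
    if op == 'shl':
        return vsa(expr[1], env).shl(expr[2])
    raise ValueError(op)

def concrete(expr, env):
    """Concrete evaluation of the same AST for one assignment of the symbols."""
    op = expr[0]
    if op == 'sym':
        return env[expr[1]]
    if op == 'add':
        return concrete(expr[1], env) + expr[2]
    if op == 'shl':
        return concrete(expr[1], env) << expr[2]
    raise ValueError(op)

class Solver:
    """Brute-force stand-in for the SMT solver over one symbolic byte (constructed)."""
    def __init__(self):
        self.queries = 0
    def sat(self, cond):
        self.queries += 1
        return any(cond(b) for b in range(256))

def resolve_bounds(index, pred, lo, hi, solver):
    """Binary-search the tight [L, U] of index(byte) under pred, starting from [lo, hi]."""
    a, b = lo, hi                                    # invariant: L in [a, b]
    while a < b:
        mid = (a + b) // 2
        if solver.sat(lambda x: pred(x) and index(x) <= mid):
            b = mid
        else:
            a = mid + 1
    L = a
    a, b = L, hi                                     # invariant: U in [a, b]
    while a < b:
        mid = (a + b + 1) // 2
        if solver.sat(lambda x: pred(x) and index(x) >= mid):
            a = mid
        else:
            b = mid - 1
    return L, a

def mu(addr):
    """Constructed contents of the global memory (any deterministic function will do)."""
    return (addr * 7) & 0xff

def memory_object(index, pred, use_vsa):
    """Instantiate M, the cells of mu the index can reach under pred.
    Returns (refined strided interval, number of entries in M, solver queries spent)."""
    def idx(byte):
        return concrete(index, {'byte': byte})
    solver = Solver()
    if use_vsa:
        si = vsa(index, {'byte': SI(1, 0, 255)})   # over-approximation, here 2[2, 512]
    else:
        si = SI(1, 0, 2**32 - 1)                   # no hint: search the whole 32-bit space
    L, U = resolve_bounds(idx, pred, si.lo, si.hi, solver)
    refined = SI(si.stride, L, U)                  # the stride skips impossible cells
    M = {i: mu(i) for i in refined.values()}       # forall i in [L, U]: M[i] = mu[i]
    return refined, len(M), solver.queries

if __name__ == '__main__':
    below_32 = lambda byte: byte < 32              # constructed path predicate
    for flag in (True, False):
        print('vsa' if flag else 'plain', memory_object(INDEX, below_32, flag))
```

The VSA run refines 2[2, 512] to 2[2, 64] and instantiates a 32-entry memory object; the run without VSA reaches the same [2, 64] but needs roughly three times as many queries and, lacking the stride, also keeps the odd addresses that the index can never produce.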
4) Index Search Trees (ISTs): Any value loaded from a memory object $\mathcal{M}$ is symbolic. To resolve constraints involving a loaded value ($\mathcal{M}[i]$), the solver needs to both find an entry in the object that satisfies the constraints and ensure that the index to the object entry is realizable. To lighten the burden on the solver, MAYHEM replaces memory object lookup expressions with index search trees (ISTs). An IST is a binary search tree where the symbolic index is the key and the leaf nodes contain the entries of the object. The entire tree is encoded in the formula representation of the load expression.

More concretely, given a (sorted by address) list of entries $E$ within a memory object $\mathcal{M}$, a balanced IST for a symbolic index $i$ is defined as:

$$\mathrm{IST}(E) = \mathrm{ite}(i < \mathrm{addr}(E_{\mathrm{right}}),\ \mathrm{IST}(E_{\mathrm{left}}),\ \mathrm{IST}(E_{\mathrm{right}})),$$

where $\mathrm{ite}$ represents an if-then-else expression, $E_{\mathrm{left}}$ ($E_{\mathrm{right}}$) represents the left (right) half of the initial entries $E$, and $\mathrm{addr}(\cdot)$ returns the lowest address of the given entries. For a single entry the IST returns the entry without constructing any ite expressions.

Note that the above definition constructs a balanced IST. We could instead construct the IST with nested ite expressions making the formula depth $O(n)$ in the number of object entries instead of $O(\log n)$. However, our experimental results show that a balanced IST is 4× faster than a nested IST (§ VIII). Figure 5 shows how MAYHEM constructs the I ST when given the entries of a memory object (the to_lower conversion table) with a single symbolic character as the index.

5) Bucketization with Linear Functions: The IST generation algorithm creates a leaf node for each entry in the memory object. To reduce the number of entries, MAYHEM performs an extra preprocessing step before passing the object to the IST. The idea is that we can use the memory object structure to combine multiple entries into a single bucket. A bucket is an index-parameterized expression that returns the value of the memory object for every index within a range.
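The balanced and nested IST constructions of V-B4, together with the bucketization step that V-B5 goes on to describe (joining consecutive index/value points into lines so that the IST takes buckets rather than single entries as leaves), as one added example that is not MAYHEM's code. The 256-entry to_lower table with ASCII semantics is constructed here; the tuple encoding of the formula, the restriction to integer slopes, and the evaluation of the formula on a concrete index are choices made for this illustration.

```python
# Index search trees and linearization (added illustration; not MAYHEM's code).
# A tree is ('ite', split, left, right), mirroring ite(i < addr(E_right), IST(E_left),
# IST(E_right)), or a leaf ('bucket', lo, hi, a, b) whose value at index i is a*i + b.

TO_LOWER = {i: i + 32 if 0x41 <= i <= 0x5a else i for i in range(256)}   # constructed

def linearize(entries):
    """Sweep sorted (index, value) points and join consecutive points that lie on one
    line y = a*x + b into a bucket; an isolated point becomes a bucket with a == 0.
    Slopes are restricted to integers, which covers jump and conversion tables."""
    pts = sorted(entries.items())
    buckets, k = [], 0
    while k < len(pts):
        x0, y0 = pts[k]
        j = k + 1
        a, b = 0, y0
        if j < len(pts) and (pts[j][1] - y0) % (pts[j][0] - x0) == 0:
            a = (pts[j][1] - y0) // (pts[j][0] - x0)   # line through the first two points
            b = y0 - a * x0
            while j < len(pts) and pts[j][1] == a * pts[j][0] + b:
                j += 1                                   # v_i == a*i_i + b: same line
        buckets.append(('bucket', x0, pts[j - 1][0], a, b))
        k = j
    return buckets

def singletons(entries):
    """One bucket per entry: the object as the IST sees it without linearization."""
    return [('bucket', i, i, 0, v) for i, v in sorted(entries.items())]

def ist(buckets):
    """Balanced IST over address-sorted buckets; formula depth O(log n)."""
    if len(buckets) == 1:
        return buckets[0]
    mid = len(buckets) // 2
    split = buckets[mid][1]                              # addr(E_right): its lowest address
    return ('ite', split, ist(buckets[:mid]), ist(buckets[mid:]))

def ist_nested(buckets):
    """Chain of nested ite expressions; formula depth O(n)."""
    if len(buckets) == 1:
        return buckets[0]
    return ('ite', buckets[1][1], buckets[0], ist_nested(buckets[1:]))

def lookup(tree, i):
    """Evaluate the load expression M[i] the tree encodes, for a concrete index i."""
    while tree[0] == 'ite':
        tree = tree[2] if i < tree[1] else tree[3]
    _, lo, hi, a, b = tree
    if not lo <= i <= hi:
        raise IndexError(f'index {i} is not realizable in bucket [{lo}, {hi}]')
    return a * i + b

def depth(tree):
    """Number of ite levels on the longest path through the formula."""
    return 0 if tree[0] == 'bucket' else 1 + max(depth(tree[2]), depth(tree[3]))

if __name__ == '__main__':
    flat, lines = singletons(TO_LOWER), linearize(TO_LOWER)
    print('buckets after linearization:', lines)
    print('depth balanced/nested/linearized:',
          depth(ist(flat)), depth(ist_nested(flat)), depth(ist(lines)))
    print('to_lower(A) via IST =', chr(lookup(ist(lines), ord('A'))))
```

On this table linearization yields the three buckets of Figure 5c (indices 0-64 and 91-255 map to themselves, 65-90 to themselves plus 32), so the balanced tree has depth 2 instead of 8, while the nested tree over the unlinearized entries has depth 255.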
MAYHEM uses linear functions to generate buckets. Specifically, MAYHEM sweeps all entries within a memory object and joins consecutive points ($\langle \mathit{index}, \mathit{value} \rangle$ tuples) into lines, a process we call linearization. Any two points can form a line $y = \alpha x + \beta$. Follow-up points $\langle i_i, v_i \rangle$ will be included in the same line if $v_i = \alpha i_i + \beta$. At the end of linearization, the memory object is split into a list of buckets, where each bucket is either a line or an isolated point. The list of buckets can now be passed to the IST algorithm. Figure 5 shows the to_lower IST after applying linearization. Linearization effectively reduces the number of leaf nodes from 256 to 3.

The idea of using linear functions to simplify memory lookups comes from a simple observation: linear-like patterns appear frequently for several operations at the binary level. For example, jump tables generated by switch statements, conversion and translation tables (e.g., ASCII to Unicode and vice versa) all contain values that scale linearly with the index.

C. Prioritized Concretization.

Modeling a symbolic load using a memory object is beneficial when the size of the memory object is significantly smaller than the entire memory ($|\mathcal{M}| \ll |\mu|$). Thus, the above optimizations are only activated when the size of the memory object, approximated by the range, is below a threshold ($|\mathcal{M}| < 1024$ in our experiments).

Whenever the memory object size exceeds the threshold, MAYHEM will concretize the index used to access it. However, instead of picking a satisfying value at random, MAYHEM attempts to prioritize the possible concretization values. Specifically, for every symbolic pointer, MAYHEM performs three checks:

```c
 1 typedef struct {
 2     int value;
 3     char *bar;
 4 } foo;
 5 int vulnerable(char *input)
 6 {
 7     foo *ptr = init;
 8     char buffer[100];
 9     strcpy(buffer, input);
10     buffer[0] = ptr->bar[0];
11     return 0;
12 }
```

Figure 6: MAYHEM reconstructing symbolic data structures. (Memory diagram not reproduced; it shows buffer as symbolic region 1, the foo object reached through ptr (value, bar) as symbolic region 2, and the bytes bar points to as symbolic region 3.)

1) Check if it is possible to redirect the pointer to unmapped memory under the context of the current path predicate. If true, MAYHEM will generate a crash test case for the satisfying value.
2) Check if it is possible to redirect the symbolic pointer to symbolic data. If it is, MAYHEM will redirect (and concretize) the pointer to the least constrained region of the symbolic data. By redirecting the pointer towards the least constrained region, MAYHEM tries to avoid loading overconstrained values, thus eliminating potentially interesting paths that depend on these values. To identify the least constrained region, MAYHEM splits memory into symbolic regions, and sorts them based on the complexity of constraints associated with each region.

3) If all of the above checks fail, MAYHEM concretizes the index to a valid memory address and continues execution.

The above steps infer whether a symbolic expression is a pointer, and if so, whether it is valid or not (e.g., NULL). For example, Figure 6 contains a buffer overflow at line 9. However, an attacker is not guaranteed to hijack control even if strcpy overwrites the return address. The program needs to reach the return instruction to actually transfer control. However, at line 10 the program performs two dereferences, both of which need to succeed (i.e., avoid crashing the program) to reach line 11 (note that pointer ptr is already overwritten with user data). MAYHEM augmented with prioritized concretization will generate 3 distinct test cases: 1) a crash test case for an invalid dereference of pointer ptr, 2) a crash test case where dereferencing pointer bar fails after successfully redirecting ptr to symbolic data, and 3) an exploit test case, where both dereferences succeed and user input hijacks control of the program. Figure 6 shows the memory layout for the third test case.

VI. EXPLOIT GENERATION

MAYHEM checks for two exploitable properties: a symbolic (tainted) instruction pointer, and a symbolic format string. Each property corresponds to a buffer overflow and format string attack respectively. Whenever any of the two exploitable policies are violated, MAYHEM generates an exploitability formula and tries to find a satisfying answer, i.e., an exploit.

Table I: List of programs that MAYHEM demonstrated as exploitable. (The Symb. Mem. column, a checkmark per program that needed symbolic memory modeling, is not recoverable in this copy.)

Program | Exploit Type | Input Source | Symbolic Input Size | Precondition | Advisory ID | Exploit Gen. Time (s)

Linux
A2ps | Stack Overflow | Env. Vars | 550 | crashing | EDB-ID-816 | 189
Aeon | Stack Overflow | Env. Vars | 1000 | length | CVE-2005-1019 | 10
Aspell | Stack Overflow | Stdin | 750 | crashing | CVE-2004-0548 | 82
Atphttpd | Stack Overflow | Network | 800 | crashing | CVE-2000-1816 | 209
FreeRadius | Stack Overflow | Env. | 9000 | length | Zero-Day | 133
GhostScript | Stack Overflow | Arg. | 2000 | prefix | CVE-2010-2055 | 18
Glftpd | Stack Overflow | Arg. | 300 | length | OSVDB-ID-16373 | 4
Gnugol | Stack Overflow | Env. | 3200 | length | Zero-Day | 22
Htget | Stack Overflow | Env. vars | 350 | length | N/A | 7
Htpasswd | Stack Overflow | Arg. | 400 | prefix | OSVDB-ID-10068 | 4
Iwconfig | Stack Overflow | Arg. | 400 | length | CVE-2003-0947 | 2
Mbse-bbs | Stack Overflow | Env. vars | 4200 | length | CVE-2007-0368 | 362
nCompress | Stack Overflow | Arg. | 1400 | length | CVE-2001-1413 | 11
OrzHttpd | Format String | Network | 400 | length | OSVDB-ID-60944 | 6
PSUtils | Stack Overflow | Arg. | 300 | length | EDB-ID-890 | 46
Rsync | Stack Overflow | Env. Vars | 100 | length | CVE-2004-2093 | 8
SharUtils | Format String | Arg. | 300 | prefix | OSVDB-ID-10255 | 17
Socat | Format String | Arg. | 600 | prefix | CVE-2004-1484 | 47
SquirrelMail | Stack Overflow | Arg. | 150 | length | CVE-2004-0524 | 2
Tipxd | Format String | Arg. | 250 | length | OSVDB-ID-12346 | 10
xGalaga | Stack Overflow | Env. Vars | 300 | length | CVE-2003-0454 | 3
Xtokkaetama | Stack Overflow | Arg. | 100 | crashing | OSVDB-ID-2343 | 10

Windows
Coolplayer | Stack Overflow | Files | 210 | crashing | CVE-2008-3408 | 164
Destiny | Stack Overflow | Files | 2100 | crashing | OSVDB-ID-53249 | 963
Dizzy | Stack Overflow (SEH) | Arg. | 519 | crashing | EDB-ID-15566 | 13,260
GAlan | Stack Overflow | Files | 1500 | prefix | OSVDB-ID-60897 | 831
GSPlayer | Stack Overflow | Files | 400 | crashing | OSVDB-ID-69006 | 120
Muse | Stack Overflow | Files | 250 | crashing | OSVDB-ID-67277 | 481
Soritong | Stack Overflow (SEH) | Files | 1000 | crashing | CVE-2009-1643 | 845
... execution reaches the maximum number of live interpreters and starts terminating execution paths. At this point, the memory keeps increasing linearly as the paths we explore become deeper. Note that at the beginning, hybrid execution consumes as much memory as online execution without exceeding the memory threshold, and utilizes memory resources more aggressively than offline execution throughout the execution. Offline execution requires much less memory (less than 500KB on average), but at a performance cost, as demonstrated below.

Faster than Offline Execution. Figure 8 shows the exploration time for /bin/echo using different limits on the maximum number of running executors. For this experiment, we use 6 bytes of symbolic arguments to explore the entire input space in a reasonable amount of time. When the maximum number of running executors is 1, it means MAYHEM will produce a disk checkpoint (the average checkpoint size was 30KB) for every symbolic branch, thus is equivalent to offline execution.

Figure 8: Exploration times for different limits on the maximum number of running executors (x-axis: maximum number of running executors, 1 to 128; y-axis: time to cover all paths in seconds, 0 to 1400; series: re-execution time and exploration time).

Table IV: AEG comparison: binary-only execution requires more instructions.

Program | AEG Time | AEG LLVM | MAYHEM Time | MAYHEM ASM | Tainted ASM | Tainted IL
iwconfig | 0.506s | 10,876 | 1.90s | 394,876 | 2,200 | 12,893
aspell | 8.698s | 87,056 | 24.62s | 696,275 | 26,647 | 133,620
aeon | 2.188s | 18,539 | 9.67s | 623,684 | 7,087 | 43,804
htget | 0.864s | 12,776 | 6.76s | 576,005 | 2,670 | 16,391
tipxd | 2.343s | 82,030 | 9.91s | 647,498 | 2,043 | 19,198
ncompress | 5.511s | 60,860 | 11.30s | 583,330 | 8,778 | 71,195

Figure 10: Exploit generation time versus precondition size (x-axis: normalized precondition size, 50% to 100%; y-axis: exploit generation time in seconds, 0 to 3500, with a timeout line; programs: xtokkaetama, sharutils, ghostscript, socat, htpasswd, a2ps).

We measured the code coverage using the GNU gcov utility. The results are shown in Figure 9.
We used the 21 tools with the smallest code size, and 4 bigger tools that we selected. MAYHEM achieved a 97.56% average coverage per application and got 100% coverage on 13 tools. For comparison, KLEE achieved 100% coverage on 12 coreutils without simulated system call failures (to have the same configuration as MAYHEM). Thus, MAYHEM seems to be competitive with KLEE for this dataset. Note that MAYHEM is not designed specifically for maximizing code coverage. However, our experiments provide a rough comparison point against other symbolic executors.

F. Comparison against AEG

We picked 8 different programs from the AEG working examples [2] and ran both tools to compare exploit generation times on each of those programs using the same configuration (Table IV). MAYHEM was on average 3.4× slower than AEG. AEG uses source code, thus has the advantage of operating at a higher level of abstraction. At the binary level, there are no types and high-level structures such as functions, variables, buffers and objects. The number of instructions executed (Table IV) is another factor that highlights the difference between source and binary-only analysis. Considering this, we believe this is a positive and competitive result for MAYHEM.

Precondition Size. As an additional experiment, we measured how the presence of a precondition affects exploit generation times. Specifically, we picked 6 programs that require a crashing input to find an exploitable bug and started to iteratively decrease the size of the precondition and measured exploit generation times. Figure 10 summarizes our results in terms of normalized precondition sizes; for example, a normalized precondition of 70% for a 100-byte crashing input means that we provide 70 bytes of the crashing input as a precondition to MAYHEM. While the behavior appeared to be program-dependent, in most of the programs we observed a sudden phase-transition, where the removal of a single character could cause MAYHEM to not detect the exploitable bug within the time limit. We believe this to be an interesting topic for future work in the area.

Figure 12: Tainted instructions (%) for 24 Linux applications (y-axis: number of tainted instructions in %, 0 to 5; x-axis: the 24 different Linux applications).
G. Performance Tuning

Formula Optimizations. Recall from § IV-E that MAYHEM uses various optimization techniques to make solver queries faster. To compare against our optimized version of MAYHEM, we turned off some or all of these optimizations. We chose 15 Linux programs to evaluate the speedup obtained with different levels of optimizations turned on. Figure 11 shows the head-to-head comparison (in exploit finding and generation times) between 4 different formula optimization options. Algebraic simplifications usually speed up our analysis and offer an average speedup of 10% for the 15 test programs. Significant speedups occur when the independent formula optimization is turned on along with simplifications, offering speedups of 10-100×.

Z3 supports incremental solving, so as an additional experiment, we measured the exploit generation time with Z3 in incremental mode. In most cases solving times for incremental formulas are comparable to the times we obtain with the independent formulas optimization. In fact, in half of our examples (7 out of 15) incremental formulas outperform independent formulas. In contrast to previous results, this implies that using the solver in incremental mode can alleviate the need for many formula simplifications and optimizations. A downside of using the solver in incremental mode was that it made our symbolic execution state mutable and thus was less memory efficient during our long-running tests.

Tainted Instructions. Only tainted instruction blocks are evaluated symbolically by MAYHEM; all other blocks are executed natively. Figure 12 shows the percentage of tainted instructions for 24 programs (taken from Table I). More than 95% of instructions were not tainted in our sample programs, and this optimization gave about 8× speedup on average.
XI. CONCLUSION

We presented MAYHEM, a tool for automatically finding exploitable bugs in binary (i.e., executable) programs in an efficient and scalable way. To this end, MAYHEM introduces a novel hybrid symbolic execution scheme that combines the benefits of existing symbolic execution techniques (both online and offline) into a single system. We also present index-based memory modeling, a technique that allows MAYHEM to discover more exploitable bugs at the binary level. We used MAYHEM to analyze 29 applications and automatically identified and demonstrated 29 exploitable vulnerabilities.

XII. ACKNOWLEDGEMENTS

We thank our shepherd, Cristian Cadar, and the anonymous reviewers for their helpful comments and feedback. This research was supported by a DARPA grant to CyLab at Carnegie Mellon University (N11AP20005/D11AP00262), a NSF Career grant (CNS0953751), and partial CyLab ARO support from grant DAAD19-02-1-0389 and W911NF-09-1-0273. The content of the information does not necessarily reflect the position or the policy of the Government, and no official endorsement should be inferred.

REFERENCES

[1] Orzhttpd, a small and high performance http server, http://code.google.com/p/orzhttpd/.
[2] T. Avgerinos, S. K. Cha, B. L. T. Hao, and D. Brumley, "AEG: Automatic exploit generation," in Proc. of the Network and Distributed System Security Symposium, Feb. 2011.
[3] D. Babić, L. Martignoni, S. McCamant, and D. Song, "Statically-Directed Dynamic Automated Test Generation," in International Symposium on Software Testing and Analysis. New York, NY, USA: ACM Press, 2011, pp. 12-22.
[4] G. Balakrishnan and T. Reps, "Analyzing memory accesses in x86 executables," in Proc. of the International Conference on Compiler Construction, 2004.
[5] BitBlaze binary analysis project, http://bitblaze.cs.berkeley.edu, 2007.
[6] BitTurner, BitTurner, http://www.bitturner.com.
[7] D. Brumley, P. Poosankam, D. Song, and J. Zheng, "Automatic patch-based exploit generation is possible: Techniques and implications," in Proc. of the IEEE Symposium on Security and Privacy, May 2008.
[8] J. Caballero, P. Poosankam, S. McCamant, D. Babić, and D. Song, "Input generation via decomposition and re-stitching: Finding bugs in malware," in Proc. of the ACM Conference on Computer and Communications Security, Chicago, IL, October 2010.
[9] C. Cadar, D. Dunbar, and D. Engler, "KLEE: Unassisted and automatic generation of high-coverage tests for complex systems programs," in Proc. of the USENIX Symposium on Operating System Design and Implementation, Dec. 2008.
[10] M. Costa, M. Castro, L. Zhou, L. Zhang, and M. Peinado, "Bouncer: Securing software by blocking bad input," in Symposium on Operating Systems Principles, Oct. 2007.
[11] J. R. Crandall and F. Chong, "Minos: Architectural support for software security through control data integrity," in Proc. of the International Symposium on Microarchitecture, Dec. 2004.
[12] L. M. de Moura and N. Bjørner, "Z3: An efficient SMT solver," in TACAS, 2008, pp. 337-340.
[13] P. Godefroid, M. Levin, and D. Molnar, "Automated whitebox fuzz testing," in Proc. of the Network and Distributed System Security Symposium, Feb. 2008.
[14] S. Heelan, "Automatic Generation of Control Flow Hijacking Exploits for Software Vulnerabilities," Oxford University, Tech. Rep. MSc Thesis, 2002.
[15] I. Jager, T. Avgerinos, E. J. Schwartz, and D. Brumley, "BAP: A binary analysis platform," in Proc. of the Conference on Computer Aided Verification, 2011.
[16] J. King, "Symbolic execution and program testing," Communications of the ACM, vol. 19, pp. 386-394, 1976.
[17] Launchpad, https://bugs.launchpad.net/ubuntu, open bugs in Ubuntu. Checked 03/04/12.
[18] C.-K. Luk, R. Cohn, R. Muth, H. Patil, A. Klauser, G. Lowney, S. Wallace, V. J. Reddi, and K. Hazelwood, "Pin: Building customized program analysis tools with dynamic instrumentation," in Proc. of the ACM Conference on Programming Language Design and Implementation, Jun. 2005.
[19] R. Majumdar and K. Sen, "Hybrid concolic testing," in Proc. of the ACM Conference on Software Engineering, 2007, pp. 416-426.
[20] L. Martignoni, S. McCamant, P. Poosankam, D. Song, and P. Maniatis, "Path-exploration lifting: Hi-fi tests for lo-fi emulators," in Proc. of the International Conference on Architectural Support for Programming Languages and Operating Systems, London, UK, Mar. 2012.
[21] A. Moser, C. Kruegel, and E. Kirda, "Exploring multiple execution paths for malware analysis," in Proc. of the IEEE Symposium on Security and Privacy, 2007.
[22] T. Newsham, "Format string attacks," Guardent, Inc., Tech. Rep., 2000.
[23] J. Newsome and D. Song, "Dynamic taint analysis for automatic detection, analysis, and signature generation of exploits on commodity software," in Proc. of the Network and Distributed System Security Symposium, Feb. 2005.
[24] E. J. Schwartz, T. Avgerinos, and D. Brumley, "All you ever wanted to know about dynamic taint analysis and forward symbolic execution (but might have been afraid to ask)," in Proc. of the IEEE Symposium on Security and Privacy, May 2010, pp. 317-331.
[25] E. J. Schwartz, T. Avgerinos, and D. Brumley, "Q: Exploit hardening made easy," in Proc. of the USENIX Security Symposium, 2011.
[26] K. Sen, D. Marinov, and G. Agha, "CUTE: A concolic unit testing engine for C," in Proc. of the ACM Symposium on the Foundations of Software Engineering, 2005.
[27] A. V. Thakur, J. Lim, A. Lal, A. Burton, E. Driscoll, M. Elder, T. Andersen, and T. W. Reps, "Directed proof generation for machine code," in CAV, 2010, pp. 288-305.
[28] V. Chipounov, V. Kuznetsov, and G. Candea, "S2E: A platform for in-vivo multi-path analysis of software systems," in Proc. of the International Conference on Architectural Support for Programming Languages and Operating Systems, 2011, pp. 265-278.
Figure 11: Exploit generation time of MAYHEM for different optimizations (y-axis: exploit generation time in seconds, log scale from 1 to 10,000; programs: iwconfig, squirrelmail, xgalaga, glftpd, orzhttpd, aeon, ncompress, tipxd, ghostscript, xtokkaetama, sharutils, aspell, socat, psutils, atphttpd; series: Indep. Formula + Simplification, Inc. Formula + Simplification, Indep. Formula, Simplification, Timeout).

IX. DISCUSSION

Most of the work presented in this paper focuses on exploitable bug finding. However, we believe that the main techniques can be adapted to other application domains under the context of symbolic execution. We also believe that our hybrid symbolic execution and index-based memory modeling represent new points in the design space of symbolic execution.

We stress that the intention of MAYHEM is informing a user that an exploitable bug exists. The exploit produced is intended to demonstrate the severity of the problem, and to help debug and address the underlying issue. MAYHEM makes no effort to bypass OS defenses such as ASLR and DEP, which will likely protect systems against exploits we generate. However, our previous work on Q [] shows that a broken exploit (that no longer works because of ASLR and DEP) can be automatically transformed with high probability into an exploit that bypasses both defenses on modern OSes. While we could feed the exploits generated by MAYHEM directly into Q, we do not explore this possibility in this paper.

MAYHEM does not have models for all system/library calls. The current implementation models about 30 system calls in Linux, and 12 library calls in Windows. To analyze larger and more complicated programs, more system calls need to be modeled. This is an artifact of performing per-process symbolic execution. Whole-system symbolic executors such as S2E [] or BitBlaze [] can execute both user and kernel code, and thus do not have this limitation. The downside is that whole-system analysis can be much more expensive, because of the higher state restoration cost and the time spent analyzing kernel code.

Another limitation is that MAYHEM can currently analyze only a single execution thread on every run. MAYHEM cannot handle multi-threaded programs when threads interact with each other (through message-passing or shared memory). Last, MAYHEM executes only tainted instructions, thus it is subject to all the pitfalls of taint analysis, including undertainting, overtainting and implicit flows [24].

Future Work: Our experiments show that MAYHEM can generate exploits for standard vulnerabilities such as stack-based buffer overflows and format strings. An interesting future direction is to extend MAYHEM to handle more advanced exploitation techniques such as exploiting heap-based buffer overflows, use-after-free vulnerabilities, and information disclosure attacks. At a high level, it should be possible to detect such attacks using safety properties similar to the ones MAYHEM currently employs. However, it is still an open question how the same techniques can scale and detect such exploits in bigger programs.

X. RELATED WORK

Brumley et al. [] introduced the automatic patch-based exploit generation (APEG) challenge. APEG used the patch to point out the location of the bug and then used slicing to construct a formula for code paths from input source to vulnerable line. MAYHEM finds vulnerabilities and vulnerable code paths itself. In addition, APEG's notion of an exploit is more abstract: any input that violates checks introduced by the patch is considered an exploit. Here we consider specifically control flow hijack exploits, which were not automatically generated by APEG.

Heelan [] was the first to describe a technique that takes in a crashing input for a program, along with a jump register, and automatically generates an exploit. Our research explores the state space to find such crashing inputs.

AEG [] was the first system to tackle the problem of both identifying exploitable bugs and automatically generating exploits. AEG worked solely on source code and introduced preconditioned symbolic execution as a way to focus symbolic execution towards a particular part of the search space. MAYHEM is a logical extension of AEG to binary code. In practice, working on binary code opens up automatic exploit generation to a wider class of programs and scenarios.

There are several binary-only symbolic execution frameworks such as Bouncer [], BitFuzz [], BitTurner [], FuzzBall [], McVeto [], SAGE [], and S2E [], which have been used in a variety of application domains. The main question we tackle in MAYHEM is scaling to find and demonstrate exploitable bugs. The hybrid symbolic execution technique we present in this paper is completely different from hybrid concolic testing [], which interleaves random testing with concolic execution to achieve better code coverage.
Table II: Effectiveness of bounds resolution optimizations (the L and R caches are respectively the Lemma and Refinement caches).

Optimization | L Hits | R Hits | Misses | #Queries | Time (sec)
No opt. | N/A | N/A | N/A | 217,179 | 1,841
+VSA | N/A | N/A | N/A | 49,424 | 437
+Rcache | N/A | 3996 | 7 | 10,331 | 187
+Lcache | 3940 | 56 | 7 | 242 | 77

(Section VIII-C, continued) With a limit of one running executor, MAYHEM checkpoints to disk at every symbolic branch and thus is equivalent to offline execution. When the maximum number of running executors was 128 or above, MAYHEM did not have to checkpoint to disk, thus is equivalent to an online executor. As a result, online execution took around 25 seconds to explore the input space while offline execution needed 1,400 seconds. Online was 56× faster than offline in this experiment. We identified two major reasons for this performance boost. First, the re-execution cost is higher than context-switching between two execution states (§ IV-B). MAYHEM spent more than 25% of the time re-executing previous paths in the offline scheme. For the online case, 2% of the time was spent context-switching. Second, online is more cache-efficient than offline execution in our implementation. Specifically, online execution makes more efficient use of the Pin code cache [] by switching between paths in-memory during a single execution. As a result, the code cache made online execution 40× faster than offline execution.

Additionally, we ran a Windows GUI program to compare the throughput between offline and hybrid execution. We chose this program because it does not require user interaction (e.g., mouse click) to start symbolic execution. We ran the program for 1 hour for each execution mode. Hybrid execution was 10× faster than offline execution.

D. Handling Symbolic Memory in Real-World Applications

Recall from § V, index-based memory modeling enables MAYHEM to reason about symbolic indices. Our experiments from Table I show that more than 40% of the programs required symbolic memory modeling (column 6) to exploit. In other words, MAYHEM after several hours of analysis was unable to generate exploits for these programs without index-based memory modeling. To understand why, we evaluated our index-based memory modeling optimizations on the atphttpd server.

Bounds Resolution. Table II shows the time taken by MAYHEM to find a vulnerability in atphttpd using different levels of optimizations for the bounds resolution algorithm. The times include exploit detection but not exploit generation time (since it is not affected by the bounds resolution algorithm). Row 3 shows that VSA reduces the average number of queries to the SMT solver from 54 to [number missing] queries per symbolic memory access, and reduces the total time by 75%. Row 4 shows the number of queries when the refinement cache (Rcache) is enabled on top of VSA. The Rcache reduces the number of necessary binary searches from 4003 to 7, resulting in a 57% speedup. The last row shows the effect of the lemma cache (Lcache) on top of the other optimizations. The Lcache takes most of the burden off the Rcache, thus resulting in an additional 59% speedup. We do not expect the Lcache to always be that efficient, since it relies heavily on the independence of formulas in the path predicate. The cumulative speedup was 96%.

Table III: Performance comparison for different IST representations.

Formula Representation | Time (sec.)
Unbalanced binary tree | 1,754
Balanced binary tree | 425
Balanced binary tree + Linearization | 192

Figure 9: Code coverage achieved by MAYHEM as time progresses for 25 coreutils applications (x-axis: time in seconds, 0 to 3500; y-axis: code coverage in %, 0 to 100).

Index Search Tree Representation. Recall from § V-B that MAYHEM models symbolic memory loads as ISTs. To show the effectiveness of this optimization we ran three different formula representations (shown in Table III). The balanced IST was more than 4× faster than the unbalanced binary tree representation, and with linearization of the formula we obtained a further cumulative speedup (Table III: from 1,754 s to 192 s). Note that with symbolic arrays (no ISTs) we were unable to detect an exploit within the time limit.

E. MAYHEM Coverage Comparison

To evaluate MAYHEM's ability to cover new paths, we downloaded an open-source symbolic executor (KLEE) to compare the performance against MAYHEM. Note KLEE runs on source, while MAYHEM on binary. We measured the code coverage of 25 coreutils applications as a function of time. MAYHEM ran for one hour, at most, on each of those applications. We used the generated test cases to measure the code coverage using the GNU gcov utility. The results are shown in Figure 9.
exploitable policies are violated, MAYHEM generates an exploitability formula and tries to find a satisfying answer, i.e., an exploit. MAYHEM can generate both local and remote attacks. Our generic design allows us to handle both types of attacks similarly. For Windows, MAYHEM detects overwritten Structured Exception Handler (SEH) on the stack when an exception occurs, and tries to create an SEH-based exploit.

Buffer Overflows: MAYHEM generates exploits for any possible instruction-pointer overwrite, commonly triggered by a buffer overflow. When MAYHEM finds a symbolic instruction pointer, it first tries to generate jump-to-register exploits, similar to previous work []. For this type of exploit, the instruction pointer should point to a trampoline, e.g., jmp %eax, and the register, e.g., %eax, should point to a place in memory where we can place our shellcode. By encoding those constraints into the formula, MAYHEM is able to query the solver for a satisfying answer. If an answer exists, we proved that the bug is exploitable. If we can't generate a jump-to-register exploit, we try to generate a simpler exploit by making the instruction pointer point directly to a place in memory where we can place shellcode.

Format String Attacks: To identify and generate format string attacks, MAYHEM checks whether the format argument of format string functions, e.g., …, contains any symbolic bytes. If any symbolic bytes are detected, it tries to place a format string payload within the argument that will overwrite the return address of the formatting function.

VII. IMPLEMENTATION

MAYHEM consists of about 27,000 lines of C/C++ and OCaml code. Our binary instrumentation framework was built on Pin [] and all the hooks for modeled system and API calls were written in C/C++. The symbolic execution engine is written solely in OCaml and consists of about 10,000 lines of code. We rely on BAP [] to convert assembly instructions to the IL. We use Z3 [] as our decision procedure, for which we built direct OCaml bindings. To allow for remote communication between the two components we implemented our own cross-platform, light-weight RPC protocol (both in C++ and OCaml). Additionally, to compare between different symbolic execution modes, we implemented all three: online, offline and hybrid.

VIII. EVALUATION

A. Experimental Setup

We evaluated our system on 2 virtual machines running on a desktop with a 3.40GHz Intel(R) Core i7-2600 CPU and 16GB of RAM. Each VM had 4GB RAM and was running Debian Linux (Squeeze) VM and Windows XP SP3 respectively.

[Figure 7: Memory use in online, offline, and hybrid mode. Axes: Memory Use (Bytes), 0 to 2.0 x 10^6, vs. Time (sec.), 0 to 3000; series: online, hybrid, offline.]

B. Exploitable Bug Detection

We downloaded 29 different vulnerable programs to check the effectiveness of MAYHEM. Table I summarizes our results. Experiments were performed on stripped unmodified binaries on both Linux and Windows. One of the Windows applications MAYHEM exploited (…) was a packed binary. Column 3 shows the type of exploits that MAYHEM detected as we described in § VI. Column 4 shows the symbolic sources that we considered for each program. There are examples from all the symbolic input sources that MAYHEM supports, including command-line arguments (Arg.), environment variables (Env. Vars), network packets (Network) and symbolic files (Files). Column 5 is the size of each symbolic input. Column 6 describes the precondition types that we provided to MAYHEM, for each of the 29 programs. They are split into three categories: length, prefix and crashing input as described in § IV-D. Column 7 shows the advisory reports for all the demonstrated exploits. In fact, MAYHEM found 2 zero-day exploits for two Linux applications, both of which we reported to the developers. The last column contains the exploit generation time for the programs that MAYHEM analyzed. We measured the exploit generation time as the time taken from the start of analysis until the creation of the first working exploit. The time required varies greatly with the complexity of the application and the size of symbolic inputs. The fastest program to exploit was the Linux wireless configuration tool iwconfig in 1.90 seconds and the longest was the Windows program Dizzy, which took about 4 hours.

C. Scalability of Hybrid Symbolic Execution

We measured the effectiveness of hybrid symbolic execution across two scaling dimensions: memory use and speed.

Less Memory-Hungry than Online Execution. Figure 7 shows the average memory use of MAYHEM over time while analyzing a utility in coreutils (…) with online, offline and hybrid execution. After a few minutes, online
(p. 389)
within a memory object, a balanced IST for a symbolic index is defined as: IST(entries) = ite(…, IST(left), IST(right)), where ite represents an if-then-else expression, left (right) represents the left (right) half of the initial entries, and … returns the lowest address of the given entries. For a single entry the IST returns the entry without constructing any expressions. Note that the above definition constructs a balanced IST. We could instead construct the IST with nested ite expressions making the formula depth … in the number of object entries instead of …. However, our experimental results show that a balanced IST is … faster than a nested IST (§ VIII). Figure 5 shows how MAYHEM constructs the IST when given the entries of a memory object (to_lower conversion table) with a single symbolic character as the index.

5) Bucketization with Linear Functions: The IST generation algorithm creates a leaf node for each entry in the memory object. To reduce the number of entries, MAYHEM performs an extra preprocessing step before passing the object to the IST. The idea is that we can use the memory object structure to combine multiple entries into a single bucket. A bucket is an index-parameterized expression that returns the value of the memory object for every index within a range. MAYHEM uses linear functions to generate buckets. Specifically, MAYHEM sweeps all entries within a memory object and joins consecutive points (index, value tuples) into lines, a process we call linearization. Any two points can form a line. Follow-up points will be included in the same line if …. At the end of linearization, the memory object is split into a list of buckets, where each bucket is either a line or an isolated point. The list of buckets can now be passed to the IST algorithm. Figure 5 shows the IST after applying linearization. Linearization effectively reduces the number of leaf nodes from 256 to 3. The idea of using linear functions to simplify memory lookups comes from a simple observation: linear-like patterns appear frequently for several operations at the binary level. For example, jump tables generated by switch statements, conversion and translation tables (e.g., ASCII to Unicode and vice versa) all contain values that are scaling linearly with the index.

C. Prioritized Concretization. Modeling a symbolic load using a memory object is beneficial when the size of the memory object is significantly smaller than the entire memory (|M| ≪ |μ|). Thus, the above optimizations are only activated when the size of the memory object, approximated by the range …, is below a threshold (… in our experiments). Whenever the memory object size exceeds the threshold, MAYHEM will concretize the index used to access it. However, instead of picking a satisfying value at random, MAYHEM attempts to prioritize the possible concretization values. Specifically, for every symbolic pointer, MAYHEM performs three checks:
1) Check if it is possible to redirect the pointer to unmapped memory under the context of the current path predicate. If true, MAYHEM will generate a crash test case for the satisfying value.
2) Check if it is possible to redirect the symbolic pointer to symbolic data. If it is, MAYHEM will redirect (and concretize) the pointer to the least constrained region of the symbolic data. By redirecting the pointer towards the least constrained region, MAYHEM tries to avoid loading overconstrained values, thus eliminating potentially interesting paths that depend on these values. To identify the least constrained region, MAYHEM splits memory into symbolic regions, and sorts them based on the complexity of constraints associated with each region.
3) If all of the above checks fail, MAYHEM concretizes the index to a valid memory address and continues execution.

Figure 6: MAYHEM reconstructing symbolic data structures. (The source listing is reconstructed from the extracted text; the member types of the struct and the type of input are not legible in the extraction and are assumed. Memory layout shown in the figure for the third test case: ptr points at a struct {value, bar}, bar points into a symbolic region, and buffer holds the user input.)
  1  typedef struct {
  2    int value;                /* type assumed */
  3    char *bar;                /* pointer; bar[0] is read on line 10 */
  4  } foo;
  5
  6  void vulnerable(char *input) {
  7    foo *ptr = init;          /* init: initial value not shown on the page */
  8    char buffer[100];
  9    strcpy(buffer, input);    /* unbounded copy: the buffer overflow */
 10    buffer[0] = ptr->bar[0];  /* two dereferences, both must succeed */
 11  }

The above steps infer whether a symbolic expression is a pointer, and if so, whether it is valid or not (e.g., NULL). For example, Figure 6 contains a buffer overflow at line 9. However, an attacker is not guaranteed to hijack control even if strcpy overwrites the return address. The program needs to reach the return instruction to actually transfer control. However, at line 10 the program performs two dereferences both of which need to succeed (i.e., avoid crashing the program) to reach line 11 (note that pointer ptr is already overwritten with user data). MAYHEM with prioritized concretization will generate 3 distinct test cases: 1) a crash test case for an invalid dereference of pointer ptr, 2) a crash test case where dereferencing pointer bar fails after successfully redirecting ptr to symbolic data, and 3) an exploit test case, where both dereferences succeed and user input hijacks control of the program. Figure 6 shows the memory layout for the third test case.

VI. EXPLOIT GENERATION

MAYHEM checks for two exploitable properties: a symbolic (tainted) instruction pointer, and a symbolic format string. Each property corresponds to a buffer overflow and format string attack respectively. Whenever any of the two
(p. 388)

[Figure 5: (a) shows the to_lower conversion table, (b) shows the generated IST, and (c) the IST after linearization.]

optimization techniques MAYHEM includes to tackle some of the caveats of the original algorithm:
- Querying the solver on every symbolic memory dereference is expensive. Even with binary search, identifying both bounds of a 32-bit index required 54 queries on average (§ VIII) (§ V-B1, § V-B2, § V-B3).
- The memory region may not be continuous. Even though many values between the bounds may be infeasible, they are still included in the memory object, and consequently, in the formula (§ V-B2).
- The values within the memory object might have structure. By modeling the object as a single byte array we are missing opportunities to optimize our formulas based on the structure (§ V-B4, § V-B5).
- In the worst case, a symbolic index may access any possible location in memory (§ V-C).

1) Value Set Analysis (VSA): MAYHEM employs an online version of VSA [] to reduce the solver load when resolving the bounds of a symbolic index (…). VSA returns a strided interval for the given symbolic index. A strided interval represents a set of values in the form s[L,U], where s is the stride and L, U are the bounds. For example, the interval …[…,5] represents the set …. The strided interval output by VSA will be an over-approximation of all possible values the index might have. For instance, … = (1 + byte) …, where byte is a symbolic byte with an interval …[…,255], results in an interval: VSA(…) = 2[2, …]. The strided interval produced by VSA is then refined by the solver (using the same binary-search strategy) to get the tight lower and upper bounds of the memory object. For instance, if the path predicate asserts that byte …, then the interval for the index (1 + byte) … can be refined to …[…, 64]. Using VSA as a preprocessing step has a cascading effect on our memory
modeling: a) we perform 70% less queries to resolve the exact bounds of the memory object (§ VIII), b) the strided interval can be used to eliminate impossible values in the [L,U] region, thus making formulas simpler, and c) the elimination can trigger other optimizations (see § V-B5).

2) Refinement Cache: Every VSA interval is refined using solver queries. The refinement process can still be expensive (for instance, the over-approximation returned by VSA might be too coarse). To avoid repeating the process for the same intervals, MAYHEM keeps a cache mapping intervals to potential refinements. Whenever we get a cache hit, we query the solver to check whether the cached refinement is accurate for the current symbolic index, before resorting to binary-search for refinement. The refinement cache can reduce the number of bounds-resolution queries by 82% (§ VIII).

3) Lemma Cache: Checking an entry of the refinement cache still requires solver queries. MAYHEM uses another level of caching to avoid repeatedly querying α-equivalent formulas, i.e., formulas that are structurally equivalent up to variable renaming. To do so, MAYHEM converts queried formulas to a canonical representation (F) and caches the query results (Q) in the form of a map from F to Q. The answer for any formula mapping to the same canonical representation is retrieved immediately from the cache. The lemma cache can reduce the number of bounds-resolution queries by up to 96% (§ VIII). The effectiveness of this cache depends on the independent formulas optimization (§ IV-E). The path predicate has to be represented as a set of independent formulas, otherwise any new formula addition to the current path predicate would invalidate all previous entries of the lemma cache.

4) Index Search Trees (ISTs): Any value loaded from a memory object is symbolic. To resolve constraints involving a loaded value (M[i]), the solver needs to both find an entry in the object that satisfies the constraints and ensure that the index to the object entry is realizable. To lighten the burden on the solver, MAYHEM replaces memory object lookup expressions with index search trees (ISTs). An IST is a binary search tree where the symbolic index is the key and the leaf nodes contain the entries of the object. The entire tree is encoded in the formula representation of the load expression. More concretely, given a (sorted by address) list of
(p. 387)
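The bounds resolution binary search of § V-B (Memory Object Bounds Resolution) and the VSA seeding and refinement of § V-B1, as an added example that is not MAYHEM's own code. The SMT solver is replaced by a brute-force oracle over one symbolic input byte; the index expression (1 + byte) << 1 and the path predicate byte < 32 are constructed here so that the resulting numbers (stride 2, refined upper bound 64) are consistent with the fragments left on the page, but they are assumptions, not the paper's exact example.

```python
"""Bounds resolution for a memory object, after MAYHEM § V-B and § V-B1.

Added example, not MAYHEM's code. The SMT solver is replaced by a brute-force
oracle over one symbolic input byte, which is enough to count the binary-search
queries and to show how seeding the search with a VSA strided interval cuts them.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

MAX_U32 = 2**32 - 1


@dataclass(frozen=True)
class StridedInterval:
    """The set {lo, lo + stride, ..., hi}, written stride[lo, hi]."""
    stride: int
    lo: int
    hi: int

    def add(self, c: int) -> "StridedInterval":   # abstract transfer for i + c
        return StridedInterval(self.stride, self.lo + c, self.hi + c)

    def shl(self, n: int) -> "StridedInterval":   # abstract transfer for i << n
        return StridedInterval(self.stride << n, self.lo << n, self.hi << n)

    def __str__(self) -> str:
        return f"{self.stride}[{self.lo}, {self.hi}]"


class Oracle:
    """Stand-in for the solver: is there an input byte allowed by the path
    predicate whose index lands in [lo, hi]? Counts every query issued."""

    def __init__(self, index: Callable[[int], int], path_pred: Callable[[int], bool]):
        self.index, self.path_pred, self.queries = index, path_pred, 0

    def is_sat(self, lo: int, hi: int) -> bool:
        self.queries += 1
        return any(self.path_pred(b) and lo <= self.index(b) <= hi for b in range(256))


def resolve_bounds(oracle: Oracle, lo: int, hi: int) -> Tuple[int, int]:
    """Binary search for the tight lower bound L and upper bound U of the index
    inside [lo, hi], which must already contain every realizable value."""
    a, b = lo, hi                       # invariant: L lies in [a, b]
    while a < b:
        mid = (a + b) // 2
        if oracle.is_sat(a, mid):       # a value exists at or below mid
            b = mid
        else:
            a = mid + 1
    lower = a
    a, b = lower, hi                    # invariant: U lies in [a, b]
    while a < b:
        mid = (a + b + 1) // 2
        if oracle.is_sat(mid, b):       # a value exists at or above mid
            a = mid
        else:
            b = mid - 1
    return lower, a


def index_expr(byte: int) -> int:
    """Constructed symbolic index: (1 + byte) << 1."""
    return (1 + byte) << 1


def path_predicate(byte: int) -> bool:
    """Constructed path predicate: byte < 32."""
    return byte < 32


def compare_searches() -> Dict[str, object]:
    """Resolve the bounds from the full 32-bit range versus from the VSA interval."""
    vsa = StridedInterval(1, 0, 255).add(1).shl(1)   # VSA((1 + byte) << 1) = 2[2, 512]
    naive = Oracle(index_expr, path_predicate)
    seeded = Oracle(index_expr, path_predicate)
    naive_bounds = resolve_bounds(naive, 0, MAX_U32)
    seeded_bounds = resolve_bounds(seeded, vsa.lo, vsa.hi)
    refined = StridedInterval(vsa.stride, *seeded_bounds)  # solver-refined interval
    return {"vsa": str(vsa), "refined": str(refined),
            "naive_bounds": naive_bounds, "naive_queries": naive.queries,
            "seeded_bounds": seeded_bounds, "seeded_queries": seeded.queries}
```

Both searches recover the same conservative bounds [2, 64]; starting from the VSA interval instead of the full 32-bit range cuts the query count from 64 to 18, the same order of reduction the paper reports for VSA.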
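The IST construction of § V-B4 and the linearization (bucketization) of § V-B5 (p. 388), as an added example that is not MAYHEM's own code. The memory object is the 256-entry to_lower conversion table of Figure 5, constructed inline; the page leaves the exact rule for joining a further point to a line unreadable, so the rule used here (a point joins the current line if it lies on it) is an assumption.

```python
"""Index search trees (ISTs) with linearization, after MAYHEM's § V-B4/V-B5.

Added example, not MAYHEM's code. A memory object is a sorted list of
(address, value) entries. Buckets (lines) and ite nodes are plain Python objects
so the formula shape can be inspected; evaluate() replays a lookup for a
concrete index to check the IST against the original table.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple, Union

Entry = Tuple[int, int]  # (address, value)


@dataclass(frozen=True)
class Line:
    """Bucket: value(i) = base + slope * (i - start) for start <= i <= end.
    An isolated point is a Line with start == end and slope 0."""
    start: int
    end: int
    base: int
    slope: int

    def lookup(self, i: int) -> int:
        return self.base + self.slope * (i - self.start)


@dataclass(frozen=True)
class Ite:
    """if-then-else node: i < split ? left : right, where split is the lowest
    address of the right half (the paper's definition)."""
    split: int
    left: "Node"
    right: "Node"


Node = Union[Ite, Line]


def linearize(entries: List[Entry]) -> List[Line]:
    """Sweep the entries and join consecutive points into lines (assumed rule:
    any two adjacent points form a line; a further adjacent point joins the
    current line only if it lies on that line)."""
    buckets: List[Line] = []
    for idx, val in entries:
        if buckets and idx == buckets[-1].end + 1:
            cur = buckets[-1]
            if cur.start == cur.end:  # second point: always forms a line
                buckets[-1] = Line(cur.start, idx, cur.base, val - cur.base)
                continue
            if val == cur.lookup(idx):  # point is on the current line
                buckets[-1] = Line(cur.start, idx, cur.base, cur.slope)
                continue
        buckets.append(Line(idx, idx, val, 0))  # start a new bucket
    return buckets


def build_ist(buckets: List[Line]) -> Node:
    """Balanced IST: split the address-sorted buckets in half recursively;
    a single bucket becomes the leaf without any ite expression."""
    if len(buckets) == 1:
        return buckets[0]
    mid = len(buckets) // 2
    left, right = buckets[:mid], buckets[mid:]
    return Ite(right[0].start, build_ist(left), build_ist(right))


def nested_ist(buckets: List[Line]) -> Node:
    """Unbalanced chain of ite expressions, whose depth grows with the number
    of entries; included only to compare its depth with the balanced tree."""
    node: Node = buckets[-1]
    for k in range(len(buckets) - 2, -1, -1):
        node = Ite(buckets[k + 1].start, buckets[k], node)
    return node


def evaluate(node: Node, i: int) -> int:
    """Concrete replay of the IST for index i (the solver does this symbolically)."""
    while isinstance(node, Ite):
        node = node.left if i < node.split else node.right
    return node.lookup(i)


def leaves(node: Node) -> int:
    return 1 if isinstance(node, Line) else leaves(node.left) + leaves(node.right)


def depth(node: Node) -> int:
    return 0 if isinstance(node, Line) else 1 + max(depth(node.left), depth(node.right))


def to_lower_table() -> List[Entry]:
    """Constructed memory object: the 256-entry ASCII to_lower table of Figure 5
    (bytes 65..90, 'A'..'Z', map to 97..122; every other byte maps to itself)."""
    return [(i, i + 32 if 65 <= i <= 90 else i) for i in range(256)]


def ist_stats(entries: List[Entry]) -> Dict[str, int]:
    """Leaf count and depth with one leaf per entry versus after linearization."""
    per_entry = [Line(i, i, v, 0) for i, v in entries]
    flat, lin = build_ist(per_entry), build_ist(linearize(entries))
    assert all(evaluate(lin, i) == v for i, v in entries)  # IST agrees with the table
    return {"leaves_per_entry": leaves(flat), "leaves_linearized": leaves(lin),
            "depth_balanced": depth(flat), "depth_linearized": depth(lin),
            "depth_nested": depth(nested_ist(per_entry))}
```

For the to_lower table linearization collapses the 256 leaves to 3 (the paper's figure), the balanced tree over the raw entries has depth 8 while the nested chain has depth 255, and the linearized IST needs only two ite levels.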
simplifies symbolic expressions and formulas by applying algebraic simplifications, e.g., … and so on. Recall from § IV-C MAYHEM uses taint analysis [], [23] to selectively execute instruction blocks that deal with symbolic data. This optimization gives a speedup of … on average over executing all instruction blocks (see § VIII).

V. INDEX-BASED MEMORY MODELING

MAYHEM introduces an index-based memory model as a practical approach to handling symbolic memory loads. The index-based model allows MAYHEM to adapt its treatment of symbolic memory based on the value of the index. In this section we present the entire memory model of MAYHEM.

MAYHEM models memory as a map μ from 32-bit indices (i) to expressions (e). In a load expression, we say that index i indexes μ, and the loaded value e represents the contents of the memory cell. A load with a concrete index is directly translated by MAYHEM to an appropriate lookup in μ (i.e., μ[i]). A store instruction results in a new memory μ[i ← e] where i is mapped to e.

A. Previous Work & Symbolic Index Modeling

A symbolic index occurs when the index used in a memory lookup is not a number, but an expression, a pattern that appears very frequently in binary code. For example, a C switch statement is compiled down to a jump-table lookup where the input character is used as the index. Standard string conversion functions (such as ASCII to Unicode and vice versa, …, etc.) are all in this category. Handling arbitrary symbolic indices is notoriously hard, since a symbolic index may (in the worst case) reference any cell in memory. Previous research and state-of-the-art tools indicate that there are two main approaches for handling a symbolic index: a) concretizing the index and b) allowing memory to be fully symbolic.

First, concretizing means instead of reasoning about all possible values that could be indexed in memory, we concretize the index to a single specific address. This concretization can reduce the complexity of the produced formulas and improve solving/exploration times. However, constraining the index to a single value may cause us to miss paths, for instance, if they depend on the value of the index. Concretization is the natural choice for offline executors, such as SAGE [] or BitBlaze [], since only a single memory address is accessed during concrete execution.

Reasoning about all possible indices is also possible by treating memory as fully symbolic. For example, tools such as McVeto [], BAP [] and BitBlaze [] offer capabilities to handle symbolic memory. The main tradeoff when compared with the concretization approach is performance. Formulas involving symbolic memory are more expressive, thus solving/exploration times are usually higher.

B. Memory Modeling in MAYHEM

The first implementation of MAYHEM followed the simple concretization approach and concretized all memory indices. This decision proved to be severely limiting in that selecting a single address for the index usually did not allow us to satisfy the exploit payload constraints. Our experiments show that 40% of the examples require us to handle symbolic memory; simple concretization was insufficient (see § …). The alternative approach was symbolic memory. To avoid the scalability problems associated with fully symbolic memory, MAYHEM models memory partially, where writes are always concretized, but symbolic reads are allowed to be modeled symbolically. In the rest of this section we describe the index-based memory model of MAYHEM in detail, as well as some of the key optimizations.

Memory Objects. To model symbolic reads, MAYHEM introduces memory objects. Similar to the global memory μ, a memory object M is also a map from 32-bit indices to expressions. Unlike the global memory however, a memory object is immutable. Whenever a symbolic index is used to read memory, MAYHEM generates a fresh memory object M that contains all values that could be accessed by the index; M is a partial snapshot of the global memory. Using the memory object, MAYHEM can reduce the evaluation of a load expression to M[i]. Note, that this is semantically equivalent to returning μ[i]. The key difference is in the size of the symbolic array we introduce in the formula. In most cases, the memory object M will be orders of magnitude smaller than the entire memory μ.

Memory Object Bounds Resolution. Instantiating the memory object requires MAYHEM to find all possible values of a symbolic index i. In the worst case, this may require up to … queries to the solver (for 32-bit memory addresses). To tackle this problem MAYHEM exchanges some accuracy for scalability by resolving the bounds [L,U] of the memory region, where L is the lower and U is the upper bound of the index i. The bounds need to be conservative, i.e., all possible values of the index should be within the [L,U] interval. Note that the memory region does not need to be continuous, for example i might have only two realizable values (…). To obtain these bounds MAYHEM uses the solver to perform binary search on the value of the index in the context of the current path predicate. For example, initially for the lowest bound of a 32-bit index: L ∈ [0, 2^32 − 1]. If … is satisfiable then …, while unsatisfiability indicates that …. We repeat the process until we recover both bounds. Using the bounds we can now instantiate the memory object (using a fresh symbolic array) as follows: ∀i ∈ [L,U]: M[i] = μ[i]. The bounds resolution algorithm described above is sufficient to generate a conservative representation of memory objects and allow MAYHEM to reason about symbolic memory reads. In the rest of the section we detail the main
(p. 386)

(unlike standard concolic execution), and the re-execution happens concretely. Figure 3 shows the intuition behind hybrid execution. We provide a detailed comparison between online, offline, and hybrid execution in § ….

C. Design and Implementation of the CEC

The CEC takes in the binary program, a list of input sources to be considered symbolic, and an optional checkpoint input that contains execution state information from a previous run. The CEC concretely executes the program, hooks input sources and performs taint analysis on input variables. Every basic block that contains tainted instructions is sent to the SES for symbolic execution. As a response, the CEC receives the address of the next basic block to be executed and whether to save the current state as a restoration point. Whenever an execution path is complete, the CEC context-switches to an unexplored path selected by the SES and continues execution. The CEC terminates only if all possible execution paths have been explored or a threshold is reached. If we provide a checkpoint, the CEC first executes the program concretely until the checkpoint and then continues execution as before.

Virtualization Layer. During an online execution run, the CEC handles multiple concrete execution states of the analyzed program simultaneously. Each concrete execution state includes the current register context, memory and OS state (the OS state contains a snapshot of the virtual filesystem, network and kernel state). Under the guidance of the SES and the path selector, the CEC context switches between different concrete execution states depending on the symbolic executor that is currently active. The virtualization layer mediates all system calls to the host OS and emulates them. Keeping separate copies of the OS state ensures there are no side-effects across different executions. For instance, if one executor writes a value to a file, this modification will only be visible to the current execution state; all other executors will have a separate instance of the same file.

Efficient State Snapshot. Taking a full snapshot of the concrete execution state at every fork is very expensive. To mitigate the problem, CEC shares state across execution states, similar to other systems [], []. Whenever execution forks, the new execution state reuses the state of the parent execution. Subsequent modifications to the state are recorded in the current execution.

D. Design and Implementation of the SES

The SES manages the symbolic execution environment and decides which paths are executed by the CEC. The environment consists of a symbolic executor for each path, a path selector which determines which feasible path to run next, and a checkpoint manager. The SES caps the number of symbolic executors to keep in memory. When the cap is reached, MAYHEM stops generating new interpreters and produces checkpoints: execution states that will explore program paths that MAYHEM was unable to explore in the first run due to the memory cap. Each checkpoint is prioritized and used by MAYHEM to continue exploration of these paths at a subsequent run. Thus, when all pending execution paths terminate, MAYHEM selects a new checkpoint and continues execution until all checkpoints are consumed and MAYHEM exits.

Each symbolic executor maintains two contexts (as state): a variable context containing all symbolic register values and temporaries, and a memory context keeping track of all symbolic data in memory. Whenever execution forks, the SES clones the current symbolic state (to keep memory low, we keep the execution state immutable to take advantage of copy-on-write optimizations similar to previous work [], [28]) and adds a new symbolic executor to a priority queue. This priority queue is regularly updated by our path selector to include the latest changes (e.g., which paths were explored, instructions covered, and so on).

Preconditioned Symbolic Execution: MAYHEM implements preconditioned symbolic execution as in AEG []. In preconditioned symbolic execution, a user can optionally give a partial specification of the input, such as a prefix or length of the input, to reduce the range of search space. If a user does not provide a precondition, then SES tries to explore all feasible paths. This corresponds to the user providing the minimum amount of information to the system.

Path Selection: MAYHEM applies path prioritization heuristics as found in systems such as SAGE [] and KLEE [] to decide which path should be explored next. Currently, MAYHEM uses three heuristic ranking rules: a) executors exploring new code (e.g., instead of executing known code more times) have high priority, b) executors that identify symbolic memory accesses have higher priority, and c) execution paths where symbolic instruction pointers are detected have the highest priority. The heuristics are designed to prioritize paths that are most likely to contain a bug. For instance, the first heuristic relies on the assumption that previously explored code is less likely to contain a bug than new code.

E. Performance Tuning

MAYHEM employs several optimizations to speed-up symbolic execution. We present three optimizations that were most effective: 1) independent formula, 2) algebraic simplifications, and 3) taint analysis. Similar to KLEE [], MAYHEM splits the path predicate to independent formulas to optimize solver queries. A small implementation difference compared to KLEE is that MAYHEM keeps a map from input variables to formulas at all times. It is not constructed only for querying the solver (this representation allows more optimizations, see § V). MAYHEM applies other standard optimizations as proposed by previous systems such as the constraint subsumption optimization [], a counter-example cache [] and others. MAYHEM
(p. 385)

[Figure 3: Hybrid execution tries to combine the speed of online execution and the memory use of offline execution to efficiently explore the input space. Panels: Offline, Online, Hybrid; each shows the millions of instructions re-executed before paths 1 to 4 are explored.]

[Figure 4: Online execution throughput versus memory use. Axes: Testcase gen. throughput (num/sec.), 0 to 1.4, vs. Memory Use (KBytes), 5.0 x 10^5 to 3.0 x 10^6.]

the second step, they symbolically execute the instructions in the recorded trace. This approach is called concolic execution, a juxtaposition of concrete and symbolic execution. Offline execution is attractive because of its simplicity and low resource requirements; we only need to handle a single execution path at a time. The top-left diagram of Figure 3 highlights an immediate drawback of this approach. For every explored execution path, we need to first re-execute a (potentially) very large number of instructions until we reach the symbolic condition where execution forked, and then begin to explore new instructions. Online symbolic execution avoids this re-execution cost by forking two interpreters at branch points, each one having a copy of the current execution state. Thus, to explore a different path, online execution simply needs to perform a context switch to the execution state of a suspended interpreter. S2E [], KLEE [] and AEG [] follow this approach by performing online symbolic execution on LLVM bytecode. However, forking off a new executor at each branch can quickly strain the memory, causing the entire system to grind to a halt. State-of-the-art online executors try to address this problem with aggressive copy-on-write optimizations. For example, KLEE has an immutable state representation and S2E shares common state between snapshots of physical memory and disks. Nonetheless, since all execution states are kept in memory simultaneously, eventually all online executors will reach the memory cap. The problem can be mitigated by using DFS (Depth-First-Search); however, this is not a very useful strategy in practice. To demonstrate the problem, we downloaded S2E [] and ran it on a coreutils application (…) with 2 symbolic arguments, each one 10 bytes long. Figure 4 shows how the symbolic execution throughput (number of test cases generated per second) is slowed down as the memory use increases.

B. Hybrid Symbolic Execution

MAYHEM uses hybrid symbolic execution to actively manage memory without constantly re-executing the same instructions. Hybrid symbolic execution alternates between online and offline modes to maximize the effectiveness of each mode. MAYHEM starts analysis in online mode. When the system reaches a memory cap,
it switches to offline mode and does not fork any more executors. Instead, it produces checkpoints to start new online executions later on. The crux of the system is to distribute the online execution tasks into subtasks without losing potentially interesting paths. The hybrid execution algorithm employed by MAYHEM is split into four main phases:

1. Initialization: The first time MAYHEM is invoked for a program, it initializes the checkpoint manager, the checkpoint database, and test case directories. It then starts online execution of the program and moves to the next phase.

2. Online Exploration: During the online phase, MAYHEM symbolically executes the program in an online fashion, context-switching between current active execution states, and generating test cases.

3. Checkpointing: The checkpoint manager monitors online execution. Whenever the memory utilization reaches a cap, or the number of running executors exceeds a threshold, it will select and generate a checkpoint for an active executor. A checkpoint contains the symbolic execution state of the suspended executor (path predicate, statistics, etc.) and replay …. The concrete execution state is discarded. When the online execution eventually finishes all active execution paths, MAYHEM moves to the next phase.

4. Checkpoint Restoration: The checkpoint manager selects a checkpoint based on a ranking heuristic (§ IV-D) and restores it in memory. Since the symbolic execution state was saved in the checkpoint, MAYHEM only needs to re-construct the concrete execution state. To do so, MAYHEM executes the program using one satisfiable assignment of the path predicate as input, until the program reaches the instruction when the execution state was suspended. At that point, the concrete state is restored and the online exploration (phase 2) restarts. Note that phase 4 avoids symbolically re-executing instructions during the checkpoint restoration phase

Footnote: Note that the term checkpoint differs from an offline execution seed, which is just a concrete input.
(p. 384)

input. The CEC sends the instructions to the SES and the SES determines which branches are feasible. The CEC will later receive the next branch target to explore from the SES. The SES, running in parallel with the CEC, receives a stream of tainted instructions from the CEC. The SES jits the instructions to an intermediate language (IL), and symbolically executes the corresponding IL. The CEC provides any concrete values whenever needed, e.g., when an instruction operates on a symbolic operand and a concrete operand. The SES maintains two types of formulas:

Path Formula: The path formula reflects the constraints to reach a particular line of code. Each conditional jump adds a new constraint on the input. For example, lines 32-33 create two new paths: one which is constrained so that the read input ends in an … and line 35 is executed, and one where the input does not end in … and line 28 will be executed.

Exploitability Formula: The exploitability formula determines whether i) the attacker can gain control of the instruction pointer, and ii) execute a payload.

When MAYHEM hits a tainted branch point, the SES decides whether we need to fork execution by querying the SMT solver. If we need to fork execution, all the new forks are sent to the path selector to be prioritized. Upon picking a path, the SES notifies the CEC about the change and the corresponding execution state is restored. If the system resource cap is reached, then the checkpoint manager starts generating checkpoints instead of forking new executors (§ IV). At the end of the process, test cases are generated for the terminated executors and the SES informs the CEC about which checkpoint should continue execution next.

During the execution, the SES switches context between executors and the CEC checkpoints/restores the provided execution state and continues execution. To do so, the CEC maintains a virtualization layer to handle the program interaction with the underlying system and checkpoint/restore between multiple program execution states (§ IV-C). When MAYHEM detects a tainted jump instruction, it builds an exploitability formula, and queries an SMT solver to see if it is satisfiable. A satisfying input will be, by construction, an exploit. If no exploit is found on the tainted branch instruction, the SES keeps exploring execution paths. The above steps are performed at each branch until an exploitable bug is
found, MAYHEM hits a user-specified maximum runtime, or all paths are exhausted.

III. BACKGROUND

Binary Representation in our language. Basic symbolic execution is performed on assembly instructions as they execute. In the overall system the stream comes from the CEC as explained earlier; here we assume they are simply given to us. We leverage BAP [], an open-source binary analysis framework, to convert x86 assembly to an intermediate language suitable for symbolic execution. For each instruction executed, the symbolic executor jits the instruction to the BAP IL. The SES performs symbolic execution directly on the IL, introduces additional constraints related to specific attack payloads, and sends the formula to an SMT solver to check satisfiability. For example, the IL for a … consists of two statements: one that loads an address from memory, and one that jumps to that address.

Symbolic Execution on the IL. In concrete execution, the program is given a concrete value as input, it executes statements to produce new values, and terminates with final values. In symbolic execution we do not restrict execution to a single value, but instead provide a symbolic input variable that represents the set of all possible input values. The symbolic execution engine evaluates expressions for each statement in terms of the original symbolic inputs. When symbolic execution hits a branch, it considers two possible worlds: one where the true branch target is followed and one where the false branch target is followed. It does so by forking off an interpreter for each branch and asserting in the generated formula that the branch guard must be satisfied. The final formula encapsulates all branch conditions that must be met to execute the given path, thus is called the path formula or path predicate. In MAYHEM, each IL statement type has a corresponding symbolic execution rule. Assertions in the IL are immediately appended to the formula. Conditional jump statements create two formulas: one where the branch guard is asserted true and the true branch is followed, and one which asserts the negation of the guard and the false branch is followed. For example, if we already have formula … and execute …, where … is the branch guard and … are jump targets, then we create the two formulas: … FSE(…) and … FSE(…), where FSE stands for forward symbolic execution of the jump target. Due to space, we give the exact semantics in a companion paper [15], [24].

IV. HYBRID SYMBOLIC EXECUTION

MAYHEM is a hybrid symbolic execution system. Instead of running in pure online or offline execution mode, MAYHEM can alternate between modes. In this section we present the motivation and mechanics of hybrid execution.

A. Previous Symbolic Execution Systems

Offline symbolic execution as found in systems such as SAGE [] requires two inputs: the target program and an initial seed input. In the first step, offline systems concretely execute the program on the seed input and record a trace. In
(p. 383)

, each HTTP connection is passed to …. This routine in turn calls … as part of the loop on line 29 to get the user request string. The user input is placed into the 4096-byte buffer … on line 30. Each read increments the variable …, the number of bytes read so far, in order to prevent a buffer overflow. The read loop continues until … is found, checked on line 34. If the user passes in more than 4096 bytes without an HTTP end-of-line character, the read loop aborts and the server returns a 400 error status message on line 41. Each non-error request gets logged via the … function. The vulnerability itself is in …, which calls … with a user specified format string (an HTTP request). Variadic functions such as … use a format string specifier to determine how to walk the stack looking for arguments. An exploit for this vulnerability works by supplying format strings that cause … to walk the stack to user-controlled data. The exploit then uses additional format specifiers to write to the desired location []. Figure 1b shows the stack layout of … when the format string vulnerability is detected. There is a call to … and the formatting argument is a string of user-controlled bytes.

We highlight several key points for finding exploitable bugs:

Low-level details matter: Determining exploitability requires that we reason about low-level details like return addresses and stack pointers. This is our motivation for focusing on binary-level techniques.

There are an enormous number of paths: In the example, there is a new path on every encounter of an …, which can lead to an exponential path explosion. Additionally, the number of paths in many portions of the code is related to the size of the input. For example, … unfolds a loop, creating a new path for symbolic execution on each iteration. Longer inputs mean more conditions, more forks, and harder scalability challenges. Unfortunately most exploits are not short strings, e.g., in a buffer overflow typical exploits are hundreds or thousands of bytes long.

The more checked paths, the better: To reach the exploitable bug in the example, MAYHEM needs to reason through the loop, read input, fork a new interpreter for every possible path and check for errors. Without careful resource management, an engine can get bogged down with too many symbolic execution threads because of the huge number of possible execution paths.

Execute as much natively as possible: Symbolic execution is slow compared to concrete execution since the semantics of an instruction are simulated in software. In …, millions of instructions set up the basic server before an attacker can even connect to a socket. We want to execute these instructions concretely and then switch to symbolic execution.

[Figure 2: MAYHEM execution. Components: Test Binary and Input Spec. enter Mayhem; the Dynamic Binary Instrumentator (DBI) with Taint Tracker and Virtualization runs over the Operating System and Hardware on the Target; the Symbolic Execution Server (SES) holds the Symbolic Evaluator, Path Selector, Checkpoint Manager (CheckPoints) and Exploit Generator; outputs are Buggy Inputs and Exploits.]

The MAYHEM architecture for finding exploitable bugs is shown in Figure 2. The user starts MAYHEM by running:

  mayhem --sym-net 80 400 ./orzhttpd

The command-line tells MAYHEM to symbolically execute orzhttpd, and open sockets on port 80 to receive symbolic 400-byte long packets. All remaining steps to create an exploit are performed automatically.

MAYHEM consists of two concurrently running processes: a Concrete Executor Client (CEC), which executes code natively on a CPU, and a Symbolic Executor Server (SES). Both are shown in Figure 2. At a high level, the CEC runs on a target system, and the SES runs on any platform, waiting for connections from the CEC. The CEC takes in a binary program along with the potential symbolic sources (input specification) as an input, and begins communication with the SES. The SES then symbolically executes blocks that the CEC sends, and outputs several types of test cases including normal test cases, crashes, and exploits. The steps followed by MAYHEM to find the vulnerable code and generate an exploit are:

1) The --sym-net 80 400 argument tells MAYHEM to perform symbolic execution on data read in from a socket on port 80. Effectively this is specifying which input sources are potentially under attacker control. MAYHEM can handle attacker input from env
ironmentvariables,les,andthenetwork.TheCECloadsthevulnerableprogramandconnectstotheSEStoinitializeallsymbolicinputsources.Aftertheinitialization,MAYHEMexecutesthebinaryconcretelyontheCPUintheCEC.Duringexecution,theCECinstru-mentsthecodeandperformsdynamictaintanalysis[Ourtainttrackingenginechecksifablockcontainstaintedinstructions,whereablockisasequenceofinstructionsthatendswithaconditionaljumporacallinstruction.WhentheCECencountersataintedbranchconditionorjumptarget,itsuspendsconcreteexecution.Ataintedjumpmeansthatthetargetmaybedependentonattacker 382 use.Suchexecutorssatisfyprinciple#1butnotprinciple#3(interestingpathsarepotentiallyeliminated).AYHEMcombinesthebestofbothworldsbyintroduc-hybridsymbolicexecution,whereexecutionalternatesbetweenonlineandofinesymbolicexecutionruns.HybridexecutionactslikeamemorymanagerinanOS,exceptthatitisdesignedtoefcientlyswapoutsymbolicexecutionengines.Whenmemoryisunderpressure,thehybridenginepicksarunningexecutor,andsavesthecurrentexecutionstate,andpathformula.Thethreadisrestoredbyrestoringtheformula,concretelyrunningtheprogramuptothepreviousexecutionstate,andthencontinuing.Cachingthepathformulaspreventsthesymbolicre-executionofinstructions,whichisthebottleneckinofine,whilemanagingmemorymoreefcientlythanonlineexecution.AYHEMalsoproposestechniquesforefcientlyreason-ingaboutsymbolicmemory.Asymbolicmemoryaccessoccurswhenaloadorstoreaddressdependsoninput.Sym-bolicpointersareverycommonatthebinarylevel,andbeingabletoreasonaboutthemisnecessarytogeneratecontrol-hijackexploits.Infact,ourexperimentsshowthat40%ofthegeneratedexploitswouldhavebeenimpossibleduetoconcretizationconstraints(VIII).Toovercomethisproblem,AYHEMemploysanindex-basedmemorymodel(V)toavoidconstrainingtheindexwheneverpossible.Resultsareencouraging.Whilethereisampleroomfornewresearch,MAYHEMcurrentlygeneratesexploitsforseveralsecurityvulnerabilities:bufferoverows,functionpointeroverwrites,andformatstringvulnerabilitiesfor29differentprograms.MAYHEMalsodemonstrates2-10speedupoverof
inesymbolicexecutionwithouthavingthememoryconstraintsofonlinesymbolicexecution.Overall,MAYHEMmakesthefollowingcontributions:1)Hybridexecution.Weintroduceanewschemeforsym-bolicexecutionwhichwecallsymbolicexecutionthatallowsustondabetterbalancebetweenspeedandmemoryrequirements.HybridexecutionenablesMAYHEMtoexploremultiplepathsfasterthanexistingapproaches2)Index-basedmemorymodeling.Weproposeindex-basedmemorymodelasapracticalapproachtodealingwithsymbolicindicesatthebinary-level.(see3)Binary-onlyexploitgeneration.Wepresenttherstend-to-endbinary-onlyexploitablebugndingsystemthatdemonstratesexploitabilitybyoutputtingworkingcontrolhijackexploits.II.OVERVIEWOFAYHEMInthissectionwedescribetheoverallarchitecture,usagescenario,andchallengesforndingexploitablebugs.WeuseanHTTPserver,,1]showninFigure1aasanexampletohighlightthemainchallengesandpresenthowAYHEMworks.Notethatweshowsourceforclarityandsimplicity;MAYHEMrunsonbinarycode.#definetypedefstructbuf[BUFSIZE];used; BUFFER typedefstruct9STATIC BUFFER tread buf;10...//omitted staticvoidserverlog(LOG TYPE ttype,constcharformat,...)16...//omitted(format!=NULL)18va start(ap,format);19vsprintf(buf,format,ap);20va end(ap);22fprintf(log,buf);//vulnerablepoint23fflush(log);26HTTP STATE thttp read request(CONN conn)28...//omitted(conn buf.usedBUFSIZE)30sz=static buffer read(conn,&conn buf);(sz32...33conn buf.used+=sz;(memcmp(&conn buf.buf[conn buf.used]4,n,4)==(conn buf.used=BUFSIZE)40connstatus.st= STATUS 400; STATE ERROR;43...44serverlog(ERROR LOG,%sn,46 buf.buf);47...(a)Codesnippet. ... buf ptr log (le pointer) fprintf frame pointer return addr to serverlog ... buf (in serverlog) serverlog frame pointer old ebp ... 
\x5c\xca\xff\xbf\x5e\xca\xff (b)Stackdiagramofthevulnerableprogram.Figure1: 381 UnleashingMAYHEMonBinaryCodeSangKilCha,ThanassisAvgerinos,AlexandreRebertandDavidBrumleyCarnegieMellonUniversityPittsburgh,PAsangkilc,thanassis,alexandre.rebert,dbrumleyInthispaperwepresentMAYHEM,anewsys-temforautomaticallyndingexploitablebugsinbinary(i.e.,executable)programs.EverybugreportedbyMAYHEMaccompaniedbyaworkingshell-spawningexploit.Theworkingexploitsensuresoundnessandthateachbugreportissecurity-criticalandactionable.MAYHEMworksonrawbinarycodewithoutdebugginginformation.Tomakeexploitgenerationpossibleatthebinary-level,MAYHEMaddressestwomajortechnicalchallenges:activelymanagingexecutionpathswithoutexhaustingmemory,andreasoningaboutsymbolicmemory,wherealoadorastoreaddressdependsonuserinput.Tothisend,weproposetwonoveltechniques:1)hybridsymbolicexecutionforcombiningonlineandofine(concolic)executiontomaximizethebenetsofbothtechniques,and2)index-basedmemorymodeling,atechniquethatallowsAYHEMtoefcientlyreasonaboutsymbolicmemoryatthebinarylevel.WeusedMAYHEMtondanddemonstrate29exploitablevulnerabilitiesinbothLinuxandWindowsprograms,2ofwhichwerepreviouslyundocumented.Keywords-hybridexecution,symbolicmemory,index-basedmemorymodeling,exploitgenerationI.INTRODUCTIONBugsareplentiful.Forexample,theUbuntuLinuxbugmanagementdatabasecurrentlylistsover90,000openbugs[].However,bugsthatcanbeexploitedbyattackersaretypicallythemostserious,andshouldbepatchedrst.Thus,acentralquestionisnotwhetheraprogramhasbugs,butwhichbugsareexploitable.InthispaperwepresentMAYHEM,asoundsystemforautomaticallyndingexploitablebugsinbinary(i.e.,executable)programs.MAYHEMproducesaworkingcontrol-hijackexploitforeachbugitreports,thusguaranteeingeachbugreportisactionableandsecurity-critical.ByworkingwithbinarycodeMAYHEMenableseventhosewithoutsourcecodeaccesstocheckthe(in)securityoftheirsoftware.AYHEMdetectsandgeneratesexploitsbasedonthebasicprinciplesintroducedinourpreviousworkonAEG[Atahigh-level,MAYHEMndsexploitablepathsbyaug-me
ntingsymbolicexecution[]withadditionalconstraintsatpotentiallyvulnerableprogrampoints.Theconstraintsincludedetailssuchaswhetheraninstructionpointercanberedirected,whetherwecanpositionattackcodeinmemory,andultimately,whetherwecanexecuteattackerscode.Iftheresultingformulaissatisable,thenanexploitispossible.Amainchallengeinexploitgenerationisexploringenoughofthestatespaceofanapplicationtondexploitablepaths.Inordertotacklethisproblem,MAYHEMsdesignisbasedonfourmainprinciples:1)thesystemshouldbeabletomakeforwardprogressforarbitrarilylongtimesideallyrunforeverwithoutexceedingthegivenresources(especiallymemory),2)inordertomaximizeperformance,thesystemshouldnotrepeatwork,3)thesystemshouldnotthrowawayanyworkpreviousanalysisresultsofthesystemshouldbereusableonsubsequentruns,and4)thesystemshouldbeabletoreasonaboutsymbolicmemorywherealoadorstoreaddressdependsonuserinput.Handlingmemoryaddressesisessentialtoexploitreal-worldbugs.Principle#1isnecessaryforrunningcomplexapplications,sincemostnon-trivialprogramswillcontainapotentiallyinnitenumberofpathstoexplore.Currentapproachestosymbolicexecution,e.g.,CUTE[BitBlaze[],KLEE[],SAGE[],McVeto[],AEG[S2E[],andothers[],[],donotsatisfyalltheabovedesignpoints.Conceptually,currentexecutorscanbedividedintotwomaincategories:ofineexecutorswhichconcretelyrunasingleexecutionpathandthensymbolicallyexecuteit(alsoknownastrace-basedorexecutors,e.g.,SAGE),andonlineexecutorswhichtrytoexecuteallpossiblepathsinasinglerunofthesystem(e.g.,S2E).Neitheronlinenorofineexecutorssatisfyprinciples#1-#3.Inaddition,mostsymbolicexecutionenginesdonotreasonaboutsymbolicmemory,thusdonotmeetprinciple#4.Ofinesymbolicexecutors[],[]reasonaboutasingleexecutionpathatatime.Principle#1issatisedbyiterativelypickingnewpathstoexplore.Further,everyrunofthesystemisindependentfromtheothersandthusresultsofpreviousrunscanbeimmediatelyreused,satisfyingprinciple#3.However,ofinedoesnotsatisfyprinciple#2.Everyrunofthesystemneedstorestartexecutionoftheprogramfromtheverybeginning.Conceptually
,thesameinstructionsneedtobeexecutedrepeatedlyforeveryexecutiontrace.Ourexperimentalresultsshowthatthisre-executioncanbeveryexpensive(seeOnlinesymbolicexecution[],[]forksateachbranchpoint.Previousinstructionsareneverre-executed,butthecontinuedforkingputsastrainonmemory,slowingdowntheexecutionengineasthenumberofbranchesincrease.Theresultisnoforwardprogressandthusprinciples#1and#3arenotmet.SomeonlineexecutorssuchasKLEEstopforkingtoavoidbeingsloweddownbytheirmemory 2012 IEEE Symposium on Security and PrivacyDOI 10.1109/SP.2012.31380
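The format-string defect in Figure 1a is that the request text is formatted into buf and buf itself is then handed to fprintf as the format (line 22). The following is an added example, not code from the paper or from orzHttpd: a hardened counterpart of serverlog that keeps user data strictly in argument position, plus a small check a defender can run over request text or log lines to spot the '%' directives that would have been interpreted. The names serverlog_hardened and count_format_directives are chosen here, and the log is a caller-supplied buffer standing in for the FILE *log so the result can be asserted.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BUFSIZE 4096

/* Hardened variant of the serverlog routine in Figure 1a (example code).
 * Two changes: vsnprintf bounds the write into buf, and the assembled
 * message is passed as an argument to a fixed "%s" format, never as the
 * format itself, so '%' sequences inside a request stay literal text.
 * Writes into a caller-supplied buffer (stand-in for the FILE *log) and
 * returns the number of characters produced, or -1 on error. */
int serverlog_hardened(char *out, size_t outsz, const char *format, ...)
{
    char buf[BUFSIZE];
    va_list ap;
    int n;

    if (format == NULL)
        return -1;
    va_start(ap, format);
    n = vsnprintf(buf, sizeof buf, format, ap);
    va_end(ap);
    if (n < 0)
        return -1;
    return snprintf(out, outsz, "%s", buf);   /* buf is data, not a format */
}

/* Defensive check for request filtering or log review: count the '%'
 * conversion directives in attacker-supplied text. "%%" is an escaped
 * percent and is not counted. Any non-zero result is input that the
 * original fprintf(log, buf) call would have interpreted as directives. */
int count_format_directives(const char *s)
{
    int count = 0;

    for (; *s != '\0'; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* escaped percent: skip both characters */
            s++;
            continue;
        }
        count++;
    }
    return count;
}
```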