面向缓解机制评估的自动化信息泄露方法

自动生成漏洞利用样本(AEG)已成为评估漏洞的最重要的方式之一,但现有方案在目标系统部署有漏洞缓解机制时受到很大阻碍.当前主流的操作系统默认部署多种漏洞缓解机制,包括数据执行保护(DEP)和地址空间布局随机化(ASLR)等,而现有AEG方案仍无法面对所有漏洞缓解情形.提出了一种自动化方案EoLeak,可以利用堆漏洞实现自动化的信息泄露,进而同时绕过数据执行保护和地址空间布局随机化防御.EoLeak通过动态分析漏洞触发样本(POC)的程序执行迹,对执行迹中的内存布局进行画像并定位敏感数据(如代码指针),进而基于内存画像自动构建泄漏敏感数据的原语,并在条件具备时生成完整的漏洞利用样本.实现了EoLeak原型系统,并在一组夺旗赛(CTF)题目和多个实际应用程序上进行了实验验证.实验结果表明,该系统具有自动化泄露敏感信息和绕过DEP及ASLR缓解机制的能力.

Exploit-oriented Automated Information Leakage

Automated exploit generation (AEG) has become one of the most important ways to demonstrate the exploitability of vulnerabilities. However, state-of-the-art AEG solutions in general assume the target system has no mitigations deployed, which is not true in modern operating systems since they often deploy mitigations like DEP (data execution prevention) and ASLR (address space layout randomization). This paper presents an automated solution EoLeak, able to exploit heap vulnerabilities to leak sensitive data and bypass ASLR and DEP at the same time. At a high level, EoLeak analyzes the program execution trace of the POC input that triggers the heap vulnerability, characterizes the memory profile from the trace and locates important data (e.g., code pointers), constructs leak primitives that discloses sensitive data, and generates exploits for the entire process when possible. We have implemented a prototype of EoLeak and evaluated it on a set of CTF binary programs and several real-world applications. Evaluation results showed that, EoLeak is effective at leaking data and generating exploits.