Runhao Li (National University of Defense Technology), Bin Zhang (National University of Defense Technology), Jiongyi Chen (National University of Defense Technology), Wenfeng Lin (National University of Defense Technology), Chao Feng (National University of Defense Technology), Chaojing Tang (National University of Defense Technology)

A critical challenge in automatic exploit generation is to find out whether an exploitable state can be constructed by manipulating the heap layout. This is usually achieved by re-arranging the objects in heap memory according to an orchestrated strategy that utilizes the program's heap operations. However, hindered by the difficulty in strategically coordinating the use of heap operations given the complexity in the program logic and heap allocation mechanisms, the goal of precise heap layout manipulation for general-purpose programs has not been accomplished.

In this paper, we present BAGUA, an innovative solution towards automatically and precisely manipulating heap layouts for general-purpose programs. Specifically, BAGUA first precisely identifies the primitives of heap layout manipulation using the heap operation dependence graph and thoroughly analyzes their dependencies and capabilities. On this basis, it models the heap layout manipulation as an integer linear programming problem and solves the constraints, in order to identify the sequence of primitives that achieves a desired heap layout. By triggering the primitives in such an order, we are able to construct new proof-of-concept inputs of target programs to achieve an exploitable heap layout. Highlights of our research include a set of new techniques that address the specific challenges of analyzing general-purpose programs, such as eliminating the side effect of heap allocators and extending the capability in manipulating heap layouts. We implemented a prototype of BAGUA and evaluated it on 27 publicly-known bugs in real-world programs. With BAGUA's strength in pinpointing primitives and handling the side effect of heap allocators, it successfully generates desired heap layouts for 23 of the bugs, which is way beyond what prior research can achieve.

View More Papers

Securing Federated Sensitive Topic Classification against Poisoning Attacks

Tianyue Chu (IMDEA Networks Institute), Alvaro Garcia-Recuero (IMDEA Networks Institute), Costas Iordanou (Cyprus University of Technology), Georgios Smaragdakis (TU Delft), Nikolaos Laoutaris (IMDEA Networks Institute)

Read More

Short: Rethinking Secure Pairing in Drone Swarms

Muslum Ozgur Ozmen, Habiba Farrukh, Hyungsub Kim, Antonio Bianchi, Z. Berkay Celik (Purdue University)

Read More

Operationalizing Cybersecurity Research Ethics Review: From Principles and Guidelines...

Dennis Reidsma, Jeroen van der Ham, and Andrea Continella (University of Twente)

Read More

Cybersecurity of COSPAS-SARSAT and EPIRB: threat and attacker models,...

Andrei Costin, Hannu Turtiainen, Syed Khandkher and Timo Hamalainen (Faculty of Information Technology, University of Jyvaskyla, Finland) Presenter: Andrei Costin

Read More