Identifying Exploitable Memory Objects for Out-of-Bound Write Vulnerabilities
Runhao Li1, Bin Zhang1, and Chaojing Tang1
1 National University of Defense Technology, Changsha, 410072, China
Email: lirunhao@nudt.edu.cn.
Exploit an out-of-bounds write vulnerability in general-purpose applications has become a current research focus. Given the large scale of code in programs, selecting appropriate memory objects for exploitation is challenging. In the letter, we propose a corrupted data propagation-guided fuzzing method. By tracking the propagation process of corrupted data among memory objects, we propose a multi-level fuzzing schedule to search the execution paths. Experimental results show that our proposed method, EMOFuzz, can effectively identify exploitable objects under various overflow lengths, significantly enhancing the efficiency of exploitability analysis.
Introduction: Software vulnerabilities are a crucial area of study in cybersecurity, with out-of-bound (OOB) write being a significant component [1,2]. In the process of researching vulnerabilities, the focus and challenge for researchers are how to exploit bugs to compromise the target program and gain higher privileges.
The process of exploiting a vulnerability often relies on the combination of exploit primitives [3]. Common primitives include arbitrary address reading (AAR), arbitrary address writing (AAW), and control flow hijacking (CFH). The exploit process usually involves combining these primitives to achieve a specific exploitation goal. The key to constructing an exploit primitive lies in rewriting critical objects of the program after triggering the vulnerability. For example, in the statement memcpy(des, src) , if the corrupted data of a vulnerability controls the des pointer, it becomes possible to write data to any address, achieving an AAW primitive. Therefore, researching how to influence critical memory objects in the program through flawed data, to reach an exploitable state (AAW, AAR, and CFH), is crucial for vulnerability exploitation [15].
Current methods for identifying exploitable objects of OOB write bugs primarily focus on the Linux kernel [4, 5]. These approaches concentrate on certain special objects, such as structures containing function pointers or objects with variable lengths [6]. However, in the case of general-purpose applications, which often have a large amount of code, complex logic, and significant variations in development styles, no effective analysis method is proposed to identify exploitable objects for memory vulnerabilities. Therefore, developing a method for analyzing exploitable objects for general-purpose programs, to assist in assessing the exploitability of OOB vulnerability, becomes a hot topic and a challenge in research.
In general-purpose programs within complex execution logic, after a vulnerability is triggered, it is often difficult to directly influence a memory object to reach an exploitable state, which makes the identification of exploitable objects challenging. In most cases, after rewriting a memory object via triggering bug, the flawed data propagates and spreads among memory objects, changing the program’s state. For instance, as shown in Figure 1, after the vulnerability is triggered, object A is firstly affected, and then object A influences object B, which in turn affects the pointer des . When the program executes the statement memcpy(des, B) , AAW occurs. In this process, the program reaches an exploitable state by rewriting memory object A, making it an exploitable object. Considering the complexity of corrupted data propagation due to the program’s complex logic, tracking the propagation of the flawed data is key to identifying the exploitable object.
Fig 1 An example of achieving AAW by triggering vulnerability.
This letter adopts a data flow perspective to explore exploitable objects of OOB write bugs in general-purpose applications, thereby providing support for exploitability analysis. Initially, the letter utilizes static value flow tool to instrument the target program, constructing a weighted value flow graph. Subsequently, we integrate dynamic taint analysis, and develop a fine-grained model for propagation process of corrupted data. Following this, a fuzzing method is designed, using the extent of flawed data spread as a guidance to efficiently explore the exploitable memory objects. The contributions of this paper include two parts:
Constructing a hybrid static-dynamic model for fine-grained analysis of corrupted data propagation, tracking the spread of corrupted data among memory objects, and evaluating the propagation impact.
Proposing a corrupted data propagation-oriented fuzzing methodology, which can identify exploitable objects by efficiently explore the program execution paths.
System Design: The overall framework of our proposed method EMOFuzz is shown in Figure 2. Initially, we carry out instrumentation within static analysis tool and generate a Weighted Variable Flow Graph [7]. Based on that, a taint data propagation model is constructed to analyze the spreading process of corrupted data. Following this, we propose a flowed data-oriented fuzzing method. Through a multi-level fuzzing schedule, it searches for potential exploitable objects in the target program.