Identifying Exploitable Memory Objects for Out-of-Bound Write
Vulnerabilities
Runhao Li1, Bin Zhang1, and Chaojing
Tang1
1 National University of Defense Technology,
Changsha, 410072, China
Email: lirunhao@nudt.edu.cn.
Exploit an out-of-bounds write vulnerability in general-purpose
applications has become a current research focus. Given the large scale
of code in programs, selecting appropriate memory objects for
exploitation is challenging. In the letter, we propose a corrupted data
propagation-guided fuzzing method. By tracking the propagation process
of corrupted data among memory objects, we propose a multi-level fuzzing
schedule to search the execution paths. Experimental results show that
our proposed method, EMOFuzz, can effectively identify exploitable
objects under various overflow lengths, significantly enhancing the
efficiency of exploitability analysis.
Introduction: Software vulnerabilities are a crucial area of
study in cybersecurity, with out-of-bound (OOB) write being a
significant component [1,2]. In the process of researching
vulnerabilities, the focus and challenge for researchers are how to
exploit bugs to compromise the target program and gain higher
privileges.
The process of exploiting a vulnerability often relies on the
combination of exploit primitives [3]. Common primitives include
arbitrary address reading (AAR), arbitrary address writing (AAW), and
control flow hijacking (CFH). The exploit process usually involves
combining these primitives to achieve a specific exploitation goal. The
key to constructing an exploit primitive lies in rewriting critical
objects of the program after triggering the vulnerability. For example,
in the statement memcpy(des, src) , if the corrupted data of a
vulnerability controls the des pointer, it becomes possible to
write data to any address, achieving an AAW primitive. Therefore,
researching how to influence critical memory objects in the program
through flawed data, to reach an exploitable state (AAW, AAR, and CFH),
is crucial for vulnerability exploitation [15].
Current methods for identifying exploitable objects of OOB write bugs
primarily focus on the Linux kernel [4, 5]. These approaches
concentrate on certain special objects, such as structures containing
function pointers or objects with variable lengths [6]. However, in
the case of general-purpose applications, which often have a large
amount of code, complex logic, and significant variations in development
styles, no effective analysis method is proposed to identify exploitable
objects for memory vulnerabilities. Therefore, developing a method for
analyzing exploitable objects for general-purpose programs, to assist in
assessing the exploitability of OOB vulnerability, becomes a hot topic
and a challenge in research.
In general-purpose programs within complex execution logic, after a
vulnerability is triggered, it is often difficult to directly influence
a memory object to reach an exploitable state, which makes the
identification of exploitable objects challenging. In most cases, after
rewriting a memory object via triggering bug, the flawed data propagates
and spreads among memory objects, changing the program’s state. For
instance, as shown in Figure 1, after the vulnerability is triggered,
object A is firstly affected, and then object A influences object B,
which in turn affects the pointer des . When the program executes
the statement memcpy(des, B) , AAW occurs. In this process, the
program reaches an exploitable state by rewriting memory object A,
making it an exploitable object. Considering the complexity of corrupted
data propagation due to the program’s complex logic, tracking the
propagation of the flawed data is key to identifying the exploitable
object.
Fig 1 An example of achieving AAW by triggering vulnerability.
This letter adopts a data flow perspective to explore exploitable
objects of OOB write bugs in general-purpose applications, thereby
providing support for exploitability analysis. Initially, the letter
utilizes static value flow tool to instrument the target program,
constructing a weighted value flow graph. Subsequently, we integrate
dynamic taint analysis, and develop a fine-grained model for propagation
process of corrupted data. Following this, a fuzzing method is designed,
using the extent of flawed data spread as a guidance to efficiently
explore the exploitable memory objects. The contributions of this paper
include two parts:
Constructing a hybrid static-dynamic model for fine-grained analysis
of corrupted data propagation, tracking the spread of corrupted data
among memory objects, and evaluating the propagation impact.
Proposing a corrupted data propagation-oriented fuzzing methodology,
which can identify exploitable objects by efficiently explore the
program execution paths.
System Design: The overall framework of our proposed method
EMOFuzz is shown in Figure 2. Initially, we carry out instrumentation
within static analysis tool and generate a Weighted Variable Flow Graph
[7]. Based on that, a taint data propagation model is constructed to
analyze the spreading process of corrupted data. Following this, we
propose a flowed data-oriented fuzzing method. Through a multi-level
fuzzing schedule, it searches for potential exploitable objects in the
target program.