Title :
Reversing and Identifying Overwritten Data Structures for Memory-Corruption Exploit Diagnosis
Author :
Lei Zhao;Run Wang;Lina Wang;Yueqiang Cheng
Author_Institution :
Comput. Sch., Wuhan Univ., Wuhan, China
fDate :
7/1/2015 12:00:00 AM
Abstract :
Exploit diagnosis requires great manual effort and should be automated as much as possible. In this paper, we investigate how the syntactic format of program inputs, as well as reverse engineering of data structures, could be used to identify overwritten data structures, and propose a binary-level exploit diagnosis approach, deExploit, that is generic to attack types and effective in identifying key attack steps. In detail, we use a fine-grained dynamic tainting technique to model how the exploit is dynamically processed during program execution, dynamically reverse the corresponding data structures of the program input, and then identify overwritten data structures by detecting the deviation between the dynamic processing of the exploit and that of benign input. We implement deExploit and apply it to diagnose multiple exploits in the wild. The results show that deExploit works well in diagnosing memory corruption exploits.
Keywords :
"Data structures","Syntactics","Uniform resource locators","Context","Debugging","Data models","Layout"
Conference_Title :
Computer Software and Applications Conference (COMPSAC), 2015 IEEE 39th Annual
Electronic_ISBN :
0730-3157
DOI :
10.1109/COMPSAC.2015.32