Title :
Unleashing Mayhem on Binary Code
Author :
Sang Kil Cha ; Avgerinos, T. ; Rebert, A. ; Brumley, D.
Author_Institution :
Carnegie Mellon Univ., Pittsburgh, PA, USA
Abstract :
In this paper we present Mayhem, a new system for automatically finding exploitable bugs in binary (i.e., executable) programs. Every bug reported by Mayhem is accompanied by a working shell-spawning exploit. The working exploits ensure soundness and that each bug report is security-critical and actionable. Mayhem works on raw binary code without debugging information. To make exploit generation possible at the binary level, Mayhem addresses two major technical challenges: actively managing execution paths without exhausting memory, and reasoning about symbolic memory indices, where a load or a store address depends on user input. To this end, we propose two novel techniques: 1) hybrid symbolic execution for combining online and offline (concolic) execution to maximize the benefits of both techniques, and 2) index-based memory modeling, a technique that allows Mayhem to efficiently reason about symbolic memory at the binary level. We used Mayhem to find and demonstrate 29 exploitable vulnerabilities in both Linux and Windows programs, 2 of which were previously undocumented.
Keywords :
binary codes; program debugging; Linux programs; Mayhem; Windows programs; active managing execution paths; binary programs; binary-level; bug report; concolic execution; executable programs; exploit generation; hybrid symbolic execution; offline execution; online execution; raw binary code; symbolic memory indices; working shell-spawning exploit; Binary codes; Computer bugs; Concrete; Engines; Memory management; Servers; Switches; exploit generation; hybrid execution; index-based memory modeling; symbolic memory;
Conference_Title :
Security and Privacy (SP), 2012 IEEE Symposium on
Conference_Location :
San Francisco, CA
Print_ISBN :
978-1-4673-1244-8
Electronic_ISBN :
1081-6011