• DocumentCode
    2622478
  • Title
    Ewap: Using Symbolic Execution to Exploit Windows Applications
  • Author
    Chen, Jianmin ; Shu, Hui ; Xiong, Xiaobing
  • Author_Institution
    ZhengZhou Inf. Sci. & Technol. Inst., Zhengzhou, China
  • Volume
    7
  • fYear
    2009
  • fDate
    March 31 2009-April 2 2009
  • Firstpage
    733
  • Lastpage
    738
  • Abstract
    In this paper we describe a new approach that uses symbolic execution to exploit Windows applications; the approach is implemented in the tool Ewap. Instead of fuzzing applications with randomly or semi-randomly constructed input, Ewap generates new inputs automatically to steer applications down different execution paths and detects security violations dynamically, which maximizes code coverage and improves exploiting efficiency. Based on a Dynamic Binary Monitor Platform (DBMP), Ewap analyzes and instruments the binary code of target applications dynamically. During execution, the instrumented code traces data flows with an improved taint analysis mechanism and accomplishes two tasks: 1) generating the path constraints used for symbolic execution, and 2) detecting security violations. In implementing Ewap, the key technologies of IR-based instrumentation, the taint analysis mechanism, symbolic execution and violation detection are introduced and adopted. We run experiments on several benchmarks, and the experimental data demonstrate that Ewap's overhead is reasonable and that it improves code coverage and exploiting efficiency.
  • Keywords
    program diagnostics; Ewap; IR based instrumentation; Windows application; binary codes; code coverage; data flows; dynamic binary monitor platform; execution path; path constraint; security violation; symbolic execution; taint analysis; Application software; Binary codes; Computer bugs; Computer science; Data security; Information science; Information security; Instruments; Monitoring; Testing; code instrumentation; security violations detection; symbolic execution; taint analysis mechanism;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Computer Science and Information Engineering, 2009 WRI World Congress on
  • Conference_Location
    Los Angeles, CA
  • Print_ISBN
    978-0-7695-3507-4
  • Type
    conf
  • DOI
    10.1109/CSIE.2009.544
  • Filename
    5170413