Explore the intricacies of automatic exploit generation in binary programs through this IEEE Symposium on Security & Privacy presentation. Delve into the innovative Mayhem system, designed to uncover exploitable bugs and generate working shell-spawning exploits in executable programs without debugging information. Learn about two groundbreaking techniques: hybrid symbolic execution and index-based memory modeling, which address challenges in managing execution paths and reasoning about symbolic memory indices. Discover how Mayhem successfully identified 29 exploitable vulnerabilities across Linux and Windows programs, including two previously undocumented issues. Gain insights into the system's architecture, symbolic execution process, safety policies, and optimization techniques for efficient vulnerability detection and exploit generation in binary code.
Overview
Syllabus
Intro
Automatic Exploit Generation Challenge
Ghostscript v8.62 Bug
Generating Exploits
Unleashing Mayhem
How Mayhem Works: Symbolic Execution
Path Predicate = II
Safety Policy in Mayhem
Challenges
Current Resource Management in Symbolic Execution
Offline Execution
Online Execution
Mayhem: Hybrid Execution
Symbolic Indices
Another Cause: Table Lookups
Method 1: Concretization
Method 2: Fully Symbolic
Step 1 - Find Bounds
Step 2 - Index Search Tree Construction
Fully Symbolic vs. Index-based Memory Modeling Time
Index Search Tree Optimization: Piecewise Linear Approximation
Conclusion
Taught by
IEEE Symposium on Security and Privacy
