2012 IEEE Symposium on Security and Privacy (2012)
San Francisco, CA USA
May 20, 2012 to May 23, 2012
ISSN: 1081-6011
ISBN: 978-0-7695-4681-0
pp: 380-394
T. Avgerinos, Carnegie Mellon Univ., Pittsburgh, PA, USA
A. Rebert, Carnegie Mellon Univ., Pittsburgh, PA, USA
D. Brumley, Carnegie Mellon Univ., Pittsburgh, PA, USA
Sang Kil Cha, Carnegie Mellon Univ., Pittsburgh, PA, USA
ABSTRACT
In this paper we present Mayhem, a new system for automatically finding exploitable bugs in binary (i.e., executable) programs. Every bug reported by Mayhem is accompanied by a working shell-spawning exploit. The working exploits ensure soundness and that each bug report is security-critical and actionable. Mayhem works on raw binary code without debugging information. To make exploit generation possible at the binary-level, Mayhem addresses two major technical challenges: actively managing execution paths without exhausting memory, and reasoning about symbolic memory indices, where a load or a store address depends on user input. To this end, we propose two novel techniques: 1) hybrid symbolic execution for combining online and offline (concolic) execution to maximize the benefits of both techniques, and 2) index-based memory modeling, a technique that allows Mayhem to efficiently reason about symbolic memory at the binary level. We used Mayhem to find and demonstrate 29 exploitable vulnerabilities in both Linux and Windows programs, 2 of which were previously undocumented.
INDEX TERMS
Concrete, Computer bugs, Engines, Servers, Binary codes, Switches, Memory management, exploit generation, hybrid execution, symbolic memory, index-based memory modeling
CITATION

T. Avgerinos, A. Rebert, D. Brumley and Sang Kil Cha, "Unleashing Mayhem on Binary Code," 2012 IEEE Symposium on Security and Privacy (SP), San Francisco, CA, USA, 2012, pp. 380-394.
doi:10.1109/SP.2012.31