2012 IEEE Symposium on Security and Privacy (2012)
San Francisco, CA USA
May 20, 2012 to May 23, 2012
ISSN: 1081-6011
ISBN: 978-0-7695-4681-0
pp: 380-394
T. Avgerinos , Carnegie Mellon Univ., Pittsburgh, PA, USA
A. Rebert , Carnegie Mellon Univ., Pittsburgh, PA, USA
D. Brumley , Carnegie Mellon Univ., Pittsburgh, PA, USA
Sang Kil Cha , Carnegie Mellon Univ., Pittsburgh, PA, USA
ABSTRACT
In this paper we present Mayhem, a new system for automatically finding exploitable bugs in binary (i.e., executable) programs. Every bug reported by Mayhem is accompanied by a working shell-spawning exploit. The working exploits ensure soundness and that each bug report is security-critical and actionable. Mayhem works on raw binary code without debugging information. To make exploit generation possible at the binary-level, Mayhem addresses two major technical challenges: actively managing execution paths without exhausting memory, and reasoning about symbolic memory indices, where a load or a store address depends on user input. To this end, we propose two novel techniques: 1) hybrid symbolic execution for combining online and offline (concolic) execution to maximize the benefits of both techniques, and 2) index-based memory modeling, a technique that allows Mayhem to efficiently reason about symbolic memory at the binary level. We used Mayhem to find and demonstrate 29 exploitable vulnerabilities in both Linux and Windows programs, 2 of which were previously undocumented.
INDEX TERMS
Concrete, Computer bugs, Engines, Servers, Binary codes, Switches, Memory management, exploit generation, hybrid execution, symbolic memory, index-based memory modeling
CITATION
T. Avgerinos, A. Rebert, D. Brumley, Sang Kil Cha, "Unleashing Mayhem on Binary Code", 2012 IEEE Symposium on Security and Privacy, pp. 380-394, 2012, doi:10.1109/SP.2012.31