Guide Me to Exploit: Assisted ROP Exploit Generation for ActionScript Virtual Machine

Yilmaz, Fadi; Sridhar, Meera

doi:10.1145/3427228.3427568

Cited by 5 publications

(1 citation statement)

References 66 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In our previous work [55], we presented G E , the rst guided (semi-automatic) exploit generation tool that does not rely on fuzzers or symbolic execution engines. While typical AEG implementations synthesize a whole exploit script whose execution path reaches one of prede ned exploited program states, G E leverages exploit deconstruction, a technique of splitting the execution path into many shorter paths, to reach the exploit program state.…”

Section: Introductionmentioning

confidence: 99%

Experimental Analysis & Refinement of a Guided Exploit Generation Technique for Language Virtual Machines

Yilmaz¹,

Sridhar²

2020

Proceedings 2020 Learning From Authoritative Security Experiment Results Workshop

Self Cite

View full text Add to dashboard Cite

Background: We discussed G E , a semi-automatic exploit generation tool, in our paper at ACSAC 2020. G E generates an exploit script for a given ActionScript vulnerability. Unlike the other exploit generators, G E does not use fuzzing or a symbolic execution; rather, it relies on human expertise to guide it in successfully discovering vulnerable execution paths. This paper augments our ACSAC paper and provides more details on the experiments we conducted. Aim: We sought to show that G E can generate working exploit scripts for real-world vulnerabilities in open-and closedsource ActionScript Virtual Machine (AVM) implementations. Data: We used community artifacts as G E inputs: a ROP gadget sequence, used to generate a G E sub-goal; a proofof-concept (PoC) exploit script for CVE-2015-5119; and vulnerable AVM implementations. Method: We conducted a series of experiments, where the results of each informed the development of the next. First, we tested G E on an open-source AVM using a single ActionScript vulnerability (CVE-2015-5119). We measured the number of candidate slices generated by G E , the number of candidate slices executed successfully, and the time required to achieve each exploit subgoal. We then implemented G E optimization techniques based on what we learned and repeated the same experiment using the optimizations. Next, we ran the experiment using eleven di erent vulnerabilities in a closed-source AVM. Finally, we ran the original experiment using a larger search space to understand how less accurate human guidance might impact G E 's performance. Results: Using an optimal search space (expert human guidance), G E generated a successful exploit script for CVE-2015-5119 in an open-sourced AVM in just over 14 minutes. When the search space was increased to by a factor of 2, the time increased to just over 59 hours. G E generated successful exploit scripts for 11 vulnerabilities in closed-source Flash Player v11.2.202.262, with the longest completion time being just under 14 hours when using an optimal search space. * The work reported herein was performed while at UNC Charlotte.

show abstract

Section: Introductionmentioning

confidence: 99%