Transcript of slides: Automatic Heap Layout Manipulation for Exploitation
Automatic Heap Layout Manipulation for Exploitation
Sean Heelan, Tom Melham, Daniel Kroening
University of Oxford
Problem
CVE-2013-2110
What Gets Corrupted?
Finding a Corruption Target
Finding the Correct Layout
Finding Heap Manipulating Functions
Using Heap Manipulating Functions
Complete Exploit
Steps to Exploitation
1. Discover a vulnerability
2. Learn how to allocate sensitive data on the heap (e.g. a pointer)
3. Learn how to interact with the allocator via the program’s API
4. Achieve required heap layout
5. Complete exploit using resulting read/write primitives
Our Contributions
1. Discover a vulnerability
2. Learn how to allocate sensitive data on the heap
  • Dynamic analysis of regression tests
3. Learn how to interact with the allocator via the program's API
  • Dynamic analysis + fuzzing of regression tests
4. Achieve required heap layout
  • Random search over the discovered interaction sequences
5. Complete exploit using resulting read/write primitives
  • A template-based approach to exploit writing
Allocator Design
Allocator Design Choices
• Goal
  • Service runtime requests for memory via the heap or memory-mapped pages
• Objectives – differ based on the allocator, e.g.
  • Minimise fragmentation
  • Maximise speed of allocation
  • Maximise resilience to accidental errors
  • Maximise resilience to purposeful attacks
Segregated Free Lists
Segregated Storage
Heap Layout Manipulation: A Brief Introduction
Problem: sizeof(S)=8, sizeof(D)=32
Attempt #1 – Just Allocate
Solution – Hole Filling
Noisy Interaction Sequences
• A significant complicating factor can be ‘noise’ in the available allocation sequences
void allocDestination(…)
{
    n = malloc(32);    /* 'noise': an allocation the attacker did not ask for, made on every call */
    d = malloc(dst);   /* the destination buffer we actually want to place next to the source */
    …
}
Attempt #1 – Just Allocate
Solution – Hole Creation, Step #1
Solution – Hole Creation, Step #2
Solution – Hole Creation, Step #3
Solution – Hole Creation, Step #4
Automating Heap Layout Manipulation
Problem Statement
• Objective
  • Place the source and destination buffers adjacent to each other
• Mechanism
  • Hole filling and hole creation
• Complicating factors
  • Diversity of allocator implementations, indirect allocator interaction, noise, layout constraints imposed by the allocator (e.g. segregated storage)
• Out of scope
  • Non-deterministic allocators, unknown heap starting state
Random Search
• Random combination of the available interaction sequences
  • Parameters: maximum solution length, ratio of allocations to frees
• Could this work?
Evaluation – Benchmark Configuration (SIEVE)
• Allocators
  • tcmalloc (v2.6.1), dlmalloc (v2.8.6), avrlibc (v2.0)
• Starting states
  • Ruby, Python, PHP (two starting states)
• Source and destination sizes
  • The cross product of 8, 64, 512, 4096, 16384, 65536
• 2592 benchmarks
• Search allowed 500,000 candidates per benchmark
Evaluation - Random Search
Summary
• Random search performs very well when there is no noise, and no segregated storage
• If all runs of the benchmarks are considered, 78% are solved at least once
• With appropriate computational resources random search can be pretty effective
End-to-End Automation of Heap Layout Manipulation
Working with Real Programs
• For evaluation we chose the PHP language interpreter
  • Open bug tracker; the interpreter and language are featureful but easy to work with
• Hypothetical threat model: a hardened interpreter in which we can run arbitrary PHP code but want to execute native code
High Level Algorithm
1. Discover how to interact with the allocator via the program’s API
2. Randomly combine API calls to manipulate the heap
3. Check if source and destination are adjacent, if not go to step 2, if yes then end
Fragmentation
<?php
$image = imagecreatetruecolor(180, 30);
imagestring($image, 5, 10, 8, 'Text', 0x00ff00);
$gaussian = array(
    array(1.0, 2.0, 1.0),
    array(2.0, 4.0, 2.0)
);
var_dump(imageconvolution($image, $gaussian, 16, 0));
?>
Fragments extracted from the regression test, each a separately usable allocator interaction:
  imagecreatetruecolor(180, 30)
  imagestring($image, 5, 10, 8, 'Text', 0x00ff00)
  array(array(1.0, 2.0, 1.0), array(2.0, 4.0, 2.0))
  array(1.0, 2.0, 1.0)
  array(2.0, 4.0, 2.0)
  var_dump(imageconvolution($image, $gaussian, 16, 0))
Fragmentation + Fuzzing
Same regression test as above.
Fragments extracted from the test:
  imagecreatetruecolor(180, 30)
  imagestring($image, 5, 10, 8, 'Text', 0x00ff00)
  array(array(1.0, 2.0, 1.0), array(2.0, 4.0, 2.0))
  array(1.0, 2.0, 1.0)
  array(2.0, 4.0, 2.0)
  var_dump(imageconvolution($image, $gaussian, 16, 0))
Fuzzed variants of one fragment, giving further allocation sequences:
  imagecreatetruecolor(1, 1)
  imagecreatetruecolor(1, 2)
  imagecreatetruecolor(1, 3)
  imagecreatetruecolor(1, 4)
Randomly Produced Sequence
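The C below is an added example, not code from the slides or from SHRIKE. It models a toy allocator with one LIFO free list per chunk size (a cut-down segregated free list that neither splits nor coalesces), builds a starting state with leftover holes, and then plays out the moves from the Heap Layout Manipulation slides: "Attempt #1 – Just Allocate", hole filling, and hole creation around the 32-byte noise allocation of the allocDestination snippet. It also runs the random search of the High Level Algorithm slide against the same model, producing sequences like the one on this slide. The allocator, its 16-byte header, the starting state, sizeof(S)=8, sizeof(D)=32 and the set of interactions are all our own assumptions.

```c
/* Added example, not from the slides or from SHRIKE: a toy allocator with one
 * LIFO free list per size (cut-down segregated free list, no split/coalesce),
 * the layout moves from the slides, and the random search. All assumptions ours. */
#include <string.h>

#define HDR 16                    /* header bytes in front of each payload */
#define MAX_FREE 64
#define SRC_SZ 8                  /* sizeof(S) and sizeof(D) from the slides */
#define DST_SZ 32
#define ADJACENT (SRC_SZ + HDR)   /* dst - src when D directly follows S */
#define MAX_LEN 16                /* maximum candidate length for the search */

typedef struct {
    size_t top;                   /* bump pointer; freeing never lowers it */
    size_t free_off[MAX_FREE], free_sz[MAX_FREE];   /* holes, in free() order */
    int nfree;
} heap_t;

/* Reuse the most recently freed chunk of exactly size n, else carve from the top. */
static size_t toy_malloc(heap_t *h, size_t n) {
    for (int i = h->nfree - 1; i >= 0; i--) {
        if (h->free_sz[i] != n) continue;
        size_t off = h->free_off[i], tail = (size_t)(h->nfree - i - 1);
        memmove(&h->free_off[i], &h->free_off[i + 1], tail * sizeof(size_t));
        memmove(&h->free_sz[i], &h->free_sz[i + 1], tail * sizeof(size_t));
        h->nfree--; return off;
    }
    if (h->top + HDR + n > 4096) return 0;   /* 4 KiB arena; 0 means out of memory */
    h->top += HDR + n;
    return h->top - n;
}

static void toy_free(heap_t *h, size_t off, size_t n) {
    if (h->nfree < MAX_FREE) { h->free_off[h->nfree] = off; h->free_sz[h->nfree++] = n; }
}
static int has_hole(const heap_t *h, size_t n) {
    for (int i = 0; i < h->nfree; i++) if (h->free_sz[i] == n) return 1;
    return 0;
}

/* Constructed starting state: two 8-byte holes and one 32-byte hole between live objects. */
static void starting_state(heap_t *h) {
    memset(h, 0, sizeof *h);
    size_t a = toy_malloc(h, 8), b = toy_malloc(h, 32), c = toy_malloc(h, 8);
    toy_malloc(h, 64); toy_malloc(h, 8);
    toy_free(h, a, 8); toy_free(h, c, 8); toy_free(h, b, 32);
}

/* The program's API: allocating D drags a 32-byte noise allocation with it (allocDestination). */
static size_t alloc_source(heap_t *h) { return toy_malloc(h, SRC_SZ); }
static size_t alloc_destination(heap_t *h) { toy_malloc(h, 32); return toy_malloc(h, DST_SZ); }

/* Attempt #1 - just allocate. Returns dst - src; ADJACENT means success. */
long attempt_just_allocate(void) {
    heap_t h; starting_state(&h);
    size_t s = alloc_source(&h);
    size_t d = alloc_destination(&h);
    return (long)d - (long)s;
}

/* Hole filling (drain the holes S, D or the noise could fall into), then hole
 * creation (plant one 32-byte hole for the noise), so D is carved right after S. */
long attempt_fill_and_create(void) {
    heap_t h; starting_state(&h);
    while (has_hole(&h, SRC_SZ)) toy_malloc(&h, SRC_SZ);
    while (has_hole(&h, 32)) toy_malloc(&h, 32);
    size_t bait = toy_malloc(&h, 32);
    toy_free(&h, bait, 32);
    size_t s = alloc_source(&h);
    size_t d = alloc_destination(&h);
    return (long)d - (long)s;
}

/* Random search (High Level Algorithm slide): a candidate is a random sequence of
 * the available interactions (alloc 8, alloc 32, free one of its own chunks), then
 * S and D are allocated and adjacency checked. Returns the 1-based index of the
 * first solving candidate, or -1 if the budget runs out. */
static unsigned lcg(unsigned *st) { *st = *st * 1103515245u + 12345u; return *st >> 16; }

long random_search(unsigned seed, long max_candidates) {
    unsigned st = seed;
    for (long cand = 1; cand <= max_candidates; cand++) {
        heap_t h; starting_state(&h);
        size_t live[MAX_LEN], live_sz[MAX_LEN];
        int nlive = 0, len = 1 + (int)(lcg(&st) % MAX_LEN);
        for (int i = 0; i < len; i++) {
            if (nlive > 0 && lcg(&st) % 4 == 0) {        /* about 1 free per 3 allocs */
                int k = (int)(lcg(&st) % (unsigned)nlive);
                toy_free(&h, live[k], live_sz[k]);
                nlive--; live[k] = live[nlive]; live_sz[k] = live_sz[nlive];
            } else {
                size_t n = (lcg(&st) % 2) ? 32 : 8, off = toy_malloc(&h, n);
                if (off) { live[nlive] = off; live_sz[nlive++] = n; }
            }
        }
        size_t s = alloc_source(&h);
        size_t d = alloc_destination(&h);
        if ((long)d - (long)s == ADJACENT) return cand;
    }
    return -1;
}
```

With the constructed starting state, attempt_just_allocate() returns 128: S drops into an old 8-byte hole, the noise takes the 32-byte hole and D is carved at the top. attempt_fill_and_create() returns 24 (the header plus sizeof(S)), i.e. an overflow out of S runs straight into D. random_search(seed, budget) finds a solving sequence within a handful of candidates because this model has no allocator diversity, one noise allocation and two sizes; the 500,000-candidate budget and 720k average on PHP in the evaluation slides reflect real allocators and real interaction sequences. A main that prints the three return values is all that is needed to run it.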
Evaluation
• 3 vulnerabilities × 10 target data structures = 30 experiments
  • Max run time: 12 hours
  • 40 concurrent analysis processes
• 21/30 (70%) success rate
  • Average time: 9m30s; min. time: < 1s; max. time: 1h10m
  • Average number of candidates before success: 720k
Exploit Templates
Completed Template
Demo
• CVE-2013-2110
• Exploit developer provides a template
  • A partial exploit with holes
• SHRIKE completes the exploit by solving the layout problems
Automatically Completing a Partial Exploit
https://www.youtube.com/watch?v=MOOvhckRoww
Takeaways
• Heap layout manipulation can be automated, end-to-end
  • Future work: new types of software, improved discovery and use of interaction sequences, other heap-based vulnerability types
• Random search is an effective mechanism for automatic heap layout manipulation
  • Future work: better search, relaxing constraints on non-determinism and starting state
• Exploit templates allow us to combine the creativity of an exploit developer with the power of a machine
  • Future work: automating other aspects and integration with template-based exploit development
• SHRIKE is a PoC system implementing end-to-end heap layout manipulation and integrating with exploit development via a template system. Code available!