Guide Me to Exploit: Assisted ROP Exploit Generation for ActionScript Virtual Machine
Automatic exploit generation (AEG) is the challenge of determining the exploitability of a given vulnerability by exploring all possible execution paths that can result from triggering the vulnerability. Since typical AEG implementations might need to explore an infinite number of execution paths, they usually utilize a fuzz tester and a symbolic execution tool to facilitate this task.
However, in the case of an application space such as AEG for the ActionScript Virtual Machine (AVM), AEG implementations cannot leverage fuzz testers or symbolic execution tools for generating the exploit script, since: (1) fuzz testers cannot efficiently generate grammatically correct executables for the AVM due to the improbability of generating random highly-structured executables that follow the complex grammar rules that the AVM enforces and (2) symbolic execution tools encounter the well-known program-state-explosion problem due to the enormous number of control paths in early processing stages of binaries executed by the AVM.
This paper presents GuidExp, a guided (semi-automatic) exploit generation tool for AVM vulnerabilities. GuidExp synthesizes (and produces) an exploit script that exploits a given ActionScript vulnerability. Unlike other AEG implementations, GuidExp leverages exploit deconstruction, a technique of splitting the exploit script into many smaller code snippets. GuidExp receives hints from security experts and uses them to determine the places where the exploit script is split. Thus, GuidExp can concentrate on synthesizing these smaller code snippets in sequence to obtain the exploit script, instead of synthesizing the entire exploit script at once. GuidExp does not rely on fuzz testers or symbolic execution tools, and adopts four optimization techniques to facilitate the AEG process: (1) exploit deconstruction, (2) operand stack verification, (3) instruction tiling, and (4) feedback from the AVM. A running example highlights how GuidExp synthesizes the exploit script for a real-world AVM use-after-free vulnerability. In addition, GuidExp's successful generation of exploits for ten other AVM vulnerabilities is reported.