Nicolas Bailluet, Univ Rennes, Inria, CNRS, IRISA; Emmanuel Fleury, Univ Bordeaux, CNRS, LaBRI; Isabelle Puaut and Erven Rohou, Univ Rennes, Inria, CNRS, IRISA
Automating gadget chaining is a challenge that has attracted significant attention since the introduction of code-reuse attacks. Influenced by the primitives offered by stack-overflow vulnerabilities, several approaches were proposed that required the attacker to control the stack. Since then, most proposed approaches have had strong requirements on the capabilities of the attacker. However, during the last decade, a plethora of new attack primitives have emerged – e.g. use-after-free, heap-overflow – often breaking the requirements of existing approaches – e.g. controlling the stack. This paper presents a new approach to synthesizing code-reuse gadget chains that supports arbitrary exploitation primitives and layouts. We thoroughly compare the performance of our approach to the state-of-the-art. We show its ability to outperform its competitors by supporting intricate exploitation primitives and layouts that other approaches cannot. Especially, we demonstrate its real-world applicability by synthesizing gadget chains for ten real-world vulnerabilities with diverse exploitation primitives that competing tools struggle with. Among them is our case study: CVE-2022-46152 – which targets a widely used trusted execution environment.
Open Access Media
USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.
