Research on Automatic Verification Method of Tcache Poisoning Heap Vulnerability Based on Symbolic Execution

doi:10.19678/j.issn.1000-3428.0064958

Abstract

Abstract: Tcache Poisoning is a kind of heap poisoning exploitation method for heap management.The existing automatic exploitation methods do not consider the impact of this new mechanism and can not be applied for exploiting heap vulnerabilities under higher versions of Glibc.To overcome these drawbacks，an in-depth analysis on Tcache mechanism and its verification method are presented and an automatic Tcache Poisoning exploitation method is proposed based on symbolic execution.This method defines multiple groups to formally describe the state of the heap chunk. By hooking up the key API，the state information of the heap chunk is collected during program operation，and symbolic variables are introduced to symbolize the external input data in order to acquire key information.This method detects the triggering of heap vulnerabilities through state monitoring and gradually generates Tcache Poisoning attack constraints and attack payload constraints according to the Tcache Poisoning heap vulnerability automatic exploit model. Finally，the vulnerability exploit code is generated through constraint solution.Based on the S2E symbolic execution platform，the automatic exploitation system TPAEG is implemented and 10 test programs are tested. TPAEG generates verification code for five of the seven test programs using the Tcache Poisoning method. The experimental results show that TPAEG can effectively detect heap overflow vulnerabilities and use-after-free vulnerabilities，and it can automatically perform exploitation according to different scenarios of Tcache Poisoning attacks，complete control flow hijacking，and generate exploit code.

Key words: heap vulnerability, Tcache Poisoning method, symbolic execution, vulnerability automatic verification, constraint construction

摘要： Tcache Poisoning是面向堆管理机制的一种堆漏洞利用方法，现有的堆漏洞自动验证工作未考虑Tcache带来的影响，无法适用于高版本Glibc堆漏洞自动验证。分析Tcache机制以及Tcache Poisoning验证方法的原理，提出一种基于符号执行的Tcache Poisoning堆漏洞自动验证方法。定义多元组对堆块的状态进行形式化描述，通过对关键API函数的挂钩，在程序运行过程中收集堆块的状态信息，并引入符号变元将外部输入数据符号化，实现关键信息的获取。通过状态监控检测堆漏洞触发，依据Tcache Poisoning堆漏洞自动验证模型，逐步生成Tcache Poisoning攻击约束和攻击载荷约束，最后通过约束求解生成漏洞验证代码。基于S2E符号执行平台实现自动验证系统TPAEG，并对10个测试程序进行测试，其中在Tcache Poisoning方法的7个测试程序中有5个生成了验证代码。实验结果表明，TPAEG可有效地检测堆溢出漏洞和释放后重用漏洞，并能够针对符合Tcache Poisoning攻击特征的场景实现自动验证，完成控制流的劫持并生成验证代码。

关键词: 堆漏洞, Tcache Poisoning方法, 符号执行, 漏洞自动验证, 约束构建

CLC Number:

TP309

ZHANG Liqun, PAN Zulie, HUANG Hui, WANG Ruipeng, LI Yang. Research on Automatic Verification Method of Tcache Poisoning Heap Vulnerability Based on Symbolic Execution[J]. Computer Engineering, 2023, 49(6): 24-33.

张利群, 潘祖烈, 黄晖, 王瑞鹏, 李阳. 基于符号执行的Tcache Poisoning堆漏洞自动验证方法研究[J]. 计算机工程, 2023, 49(6): 24-33.

/ / Recommend / Download Citations

URL: http://www.ecice06.com/EN/10.19678/j.issn.1000-3428.0064958

http://www.ecice06.com/EN/Y2023/V49/I6/24

Figures/Tables 14

References

[1] 刘剑,苏璞睿,杨珉,等.软件与网络安全研究综述[J].软件学报,2018,29(1):42-68.LIU J,SU P R,YANG M,et al.Software and cyber security:a survey[J].Journal of Software,2018,29(1):42-68.(in Chinese)
[2] 张婧,周安民,刘亮,等.Crash可利用性分析方法研究综述[J].计算机科学,2018,45(5):8-14,23.ZHANG J,ZHOU A M,LIU L,et al.Review of Crash exploitability analysis methods[J].Computer Science,2018,45(5):8-14,23.(in Chinese)
[3] 苏璞睿,黄桦烽,余媛萍,等.软件漏洞自动利用研究综述[J].广州大学学报(自然科学版),2019,18(3):52-58.SU P R,HUANG H F,YU Y P,et al.Summary of research on software vulnerability auto exploit[J].Journal of Guangzhou University (Natural Science Edition),2019,18(3):52-58.(in Chinese)
[4] DELORIE D.Malloc per-thread cache:benchmarks[EB/OL].[2022-05-06].https://sourceware.org/ml/libc-alpha/2017-01/msg00452.html.
[5] 裴中煜,张超,段海新.GLibc堆利用的若干方法[J].信息安全学报,2018,3(1):1-15.PEI Z Y,ZHANG C,DUAN H X.Several methods of exploiting GLibc heap[J].Journal of Cyber Security,2018,3(1):1-15.(in Chinese)
[6] CHIPOUNOV V,KUZNETSOV V,CANDEA G.S2E:a platform for in-vivo multi-path analysis of software systems[J].ACM SIGPLAN Notices,2011,46(3):265-278.
[7] CHIPOUNOV V,KUZNETSOV V,CANDEA G.The S2E platform:design,implementation,and applications[J].ACM Transactions on Computer Systems,2012,30(1):1-49.
[8] 王学,李学新,周智鹏,等.S2E测试平台及并行性能分析[J].信息网络安全,2012(7):16-19.WANG X,LI X X,ZHOU Z P,et al.Analysis of the software testing platform:S2E[J].Netinfo Security,2012(7):16-19.(in Chinese)
[9] BRUMLEY D,POOSANKAM P,SONG D,et al.Automatic patch-based exploit generation is possible:techniques and implications[C]//Proceedings of IEEE Symposium on Security and Privacy.Washington D.C.,USA:IEEE Press,2008:143-157.
[10] AVGERINOS T,CHA S K,LIM B,et al.AEG:automatic exploit generation[C]//Proceedings of IEEE Conference on Network & Distributed System Security.Washington D.C.,USA:IEEE Press,2011:213-226.
[11] AVGERINOS T,CHA S K,REBERT A,et al.Automatic exploit generation[J].Communications of the ACM,2014,57(2):74-84.
[12] CHA S K,AVGERINOS T,REBERT A,et al.Unleashing mayhem on binary code[C]//Proceedings of IEEE Symposium on Security and Privacy.Washington D.C.,USA:IEEE Press,2012:380-394.
[13] WANG M H,SU P R,LI Q,et al.Automatic polymorphic exploit generation for software vulnerabilities[C]//Proceedings of International Conference on Security and Privacy in Communication Systems.Berlin,Germany:Springer,2013:216-233.
[14] HE L,CAI Y,HU H,et al.Automatically assessing crashes from heap overflows[C]//Proceedings of the 32nd IEEE/ACM International Conference on Automated Software Engineering.Washington D.C.,USA:IEEE Press,2017:274-279.
[15] WANG Y,ZHANG C,XIANG X B,et al.Revery:from proof-of-concept to exploitable[C]//Proceedings of 2018 ACM SIGSAC Conference on Computer and Communications Security.New York,USA:ACM Press,2018:365-379.
[16] HEELAN S,MELHAM T,KROENING D.Automatic heap layout manipulation for exploitation[C]//Proceedings of the 27th USENIX Conference on Security Symposium.New York,USA:ACM Press,2018:763-779.
[17] 黄宁,黄曙光,梁智超.基于符号执行的Unlink攻击检测方法[J].华南理工大学学报(自然科学版),2018,46(8):81-87.HUANG N,HUANG S G,LIANG Z C.Detection of unlink attack based on symbolic execution[J].Journal of South China University of Technology (Natural Science Edition),2018,46(8):81-87.(in Chinese)
[18] 张超,潘祖烈,樊靖.基于符号执行的堆溢出fastbin攻击检测方法[J].计算机工程,2020,46(10):151-158.ZHANG C,PAN Z L,FAN J.Detection method for heap overflow fastbin attack based on symbolic execution[J].Computer Engineering,2020,46(10):151-158.(in Chinese)
[19] 张超,潘祖烈,樊靖.面向堆内存漏洞的double free攻击方法检测[J].计算机应用研究,2020,37(S1):275-278.ZHANG C,PAN Z L,FAN J.Detection of double free attack method for heap memory vulnerabilities[J].Computer Application Research,2020,37(S1):275-278.(in Chinese)
[20] MYERS J.Sourceware.org.Fix assertion in malloc.c:tcache_get[EB/OL].[2022-05-03].https://sourceware.org/git/?p=glibc.git;a=commit;h=77dc0d8643aa99c92bf671352b0a8adde705896f.
[21] The one-gadget in glibc[EB/OL].[2022-05-03].https://david942j.blogspot.com/2017/02/project-one-gadget-in-glibc.html.
[22] BELLARD F.QEMU,a fast and portable dynamic translator[C]//Proceedings of Annual Conference on USENIX Annual Technical Conference.New York,USA:ACM Press,2005:41.
[23] CADAR C,DUNBAR D,ENGLER D.KLEE:unassisted and automatic generation of high-coverage tests for complex systems programs[EB/OL].[2022-05-03].https://blog.csdn.net/cutedog2012/article/details/79537942.
[24] DE MOURA L,BJØRNER N.Z3:an efficient SMT solver[C]//Proceedings of International Conference on Tools and Algorithms for the Construction and Analysis of Systems.Berlin,Germany:Springer,2008:337-340.
[25] HUANG S K,HUANG M H,HUANG P Y,et al.CRAX:software crash analysis for automatic exploit generation by modeling attacks as symbolic continuations[C]//Proceedings of the 6th IEEE International Conference on Software Security and Reliability.Washington D.C.,USA:IEEE Press,2012:78-87.
[26] ZENGK L.Shellphish's automated exploitation engine[EB/OL].[2022-05-03].https://github.com/angr/rex.
[27] ZANARDI V.Shellphish pursues the joy of hacking[EB/OL].[2022-05-03].https://shellphish.net/index.html.
[28] YAN S.A powerful and user-friendly binary analysis platform![EB/OL].[2022-05-03].https://github.com/angr/angr.
[29] ZENG K L.Shellphish.tcache_poisoning.c[EB/OL].[2022- 05-06].https://github.com/shellphish/how2heap/blob/master/glibc_2.31/Tcache_poisoning.c.
[30] DELORIE D J.Sourceware.org.malloc:tcache double free check[EB/OL].[2022-05-03].https://sourceware.org/git/?p=glibc.git;a=commit;h=bcdaad21d4635931d1bd3b54a7894276925.
[31] ZENG K L.Tcache_stashing_unlink_attack.c[EB/OL].[2022-05-03].https://github.com/shellphish/how2heap/blob/master/glibc_2.31/Tcache_stashing_unlink_attack.c.

Please choose a citation manager

Content to export