Abstract
As control-flow hijacking is getting harder due to increasingly sophisticated CFI solutions, recent work has instead focused on automatically building data-only attacks, typically using symbolic execution, simplifying assumptions that do not always match the attacker's goals, manual gadget chaining, or all of the above. As a result, the practical adoption of such methods is minimal. In this work, we abstract away unnecessary complexities and instead use a lightweight approach that targets the vulnerabilities that are both the most tractable for analysis, and the most promising for an attacker. In particular, we present EINSTEIN, a data-only attack exploitation pipeline that uses dynamic taint analysis policies to: (i) scan for chains of vulnerable system calls (e.g., to execute code or corrupt the filesystem), and (ii) generate exploits for those that take unmodified attacker data as input. EINSTEIN discovers thousands of vulnerable syscalls in common server applications-well beyond the reach of existing approaches. Moreover, using nginx as a case study, we use EINSTEIN to generate 944 exploits, and we discuss two such exploits that bypass state-of-the-art mitigations.
| Original language | English |
|---|---|
| Title of host publication | 33rd USENIX Security Symposium 2024: Philadelphia, PA, USA |
| Subtitle of host publication | [Proceedings] |
| Editors | Davide Balzarotti, Wenyuan Xu |
| Publisher | USENIX Association |
| Pages | 1401-1418 |
| Number of pages | 18 |
| ISBN (Electronic) | 9781939133441 |
| Publication status | Published - 2024 |
| Event | 33rd USENIX Security Symposium, USENIX Security 2024 - Philadelphia, United States Duration: 14 Aug 2024 → 16 Aug 2024 |
Conference
| Conference | 33rd USENIX Security Symposium, USENIX Security 2024 |
|---|---|
| Country/Territory | United States |
| City | Philadelphia |
| Period | 14/08/24 → 16/08/24 |
Bibliographical note
Publisher Copyright:© USENIX Security Symposium 2024.All rights reserved.