LAEG: Leak-based AEG using Dynamic Binary Analysis to Defeat ASLR

Address space layout randomization (ASLR) is a binary protection technique that randomizes a binary's loaded base addresses in every execution. It hardens binaries against exploitation by preventing attackers from reusing identified resources (e.g., code gadgets or stack buffers found at specific memory locations) in subsequent executions. As most modern compilers and operating systems enable ASLR by default, an effective automated exploit generation (AEG) system should be resilient to ASLR when constructing exploits. However, previ-ously proposed AEG systems either assume the absence of ASLR or only bypass it under limited circumstances, and thus cannot reliably exploit binaries running on modern operating systems. With the aim of improving AEG's practicality by developing an ASLR-resilient AEG system, we designed and implemented leak-based AEG (LAEG), a system that can recover randomized base addresses by leaking additional information at runtime. Specifically, given a proof-of-crash input, LAEG uses dynamic taint analysis to analyze the black-box binary, and identifies the input and output states relevant to the base address information. By doing so, LAEG can efficiently recover base addresses from uninitialized buffers and use them to construct an exploit that is resilient to ASLR. Moreover, our tests established that LAEG could successfully construct exploits that bypass state-of-the-art types of binary protection, including not only ASLR but PIE, NX, and stack canary. Besides that, LAEG exhibited better performance than an open-source AEG solution, Zeratool; and was between 6.46x and 45.15x faster at exploit generation than human experts were.