| To quickly verify and fix vulnerabilities,it is necessary to judge the exploitability of the massive crash generated by the automated vulnerability mining tool.While the current manual analysis of the crash process is inefficient and time consuming,the existing automated tools can only handle execute exceptions and some write exceptions but cannot handle common read exceptions.To address this problem,we propose a method of determining the exploitability based on the exception type suppression.This method enables the program to continue to execute until an exploitable exception is triggered.The method performs a symbolic replay of the crash sample,constructing and reusing data gadget,to bypass the complex exception,thereby improving the efficiency and accuracy of vulnerability exploitability analysis.The testing of typical CGC/RHG binary software shows that this method can automatically convert a crash that cannot be judged by existing analysis tools into a different crash type and judge the exploitability successfully.Formatting string vulnerabilities is a kind of ubiquitous but critical vulnerability,however,there is no specific research to determine its exploitability.In order to solve this problem,we propose a vulnerability exploitability judgment method of formatting string vulnerabilities on heap based on generating the exploit code automatically.Our method can finish the exploitability judgement of formatting string vulnerabilities on heap automatically,which filled in the gap in vulnerability research and the research on this issue. |
PDF Full Text Request