Automatic Patch-based Exploit Generation (completed)

Starting Date:
Prerequisites:
Will results be assigned to University: No

When a vulnerability is found, it generally goes through a responsible disclosure process. This means that the vendor is contacted and writes a fix before the vulnerability is made public. The patch is then pushed to users and the vulnerability details become public. In theory, this is a safe process for vulnerability exposure, as the issue is fixed before anyone can abuse it.

Unfortunately, updating a system is not always as straightforward in practice, which opens up a window of opportunity for an attacker. The starting point is the patch itself, which commonly looks like a small change in the code (e.g. adding a sanity check). The vulnerability is blocked by the sanity check in the newer version, but the old version is still vulnerable, and the new code shows exactly what has to be triggered in the old version.
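As an added illustration of that point (not part of the project description), the following C code contrasts a constructed pre-patch length check with its patched form and runs a differential scan that reports which inputs the old build accepts and the patched build rejects; the function names and the RECORD_MAX value are made up for the example.

```c
#include <stdio.h>

#define RECORD_MAX 64   /* constructed limit for the example */

/* Constructed example: the check the "old" build performs before copying a
 * record. The length is signed, so a negative value passes the check and
 * would later be converted to a huge unsigned size in the copy. */
static int old_check(int len) {
    return len <= RECORD_MAX;          /* accepts negative lengths */
}

/* The same check after the (constructed) security patch. The one added
 * condition is exactly the trigger condition the text refers to. */
static int new_check(int len) {
    if (len < 0) return 0;             /* <- the added sanity check */
    return len <= RECORD_MAX;
}

/* Differential test: an input the old build accepts and the patched build
 * rejects is one the patch was written to block. Scans [lo, hi]. */
int count_trigger_inputs(int lo, int hi) {
    int count = 0;
    for (int len = lo; len <= hi; len++)
        count += old_check(len) && !new_check(len);
    return count;
}

/* Smallest such input in [lo, hi]; returns hi + 1 as a sentinel if none. */
int first_trigger_input(int lo, int hi) {
    for (int len = lo; len <= hi; len++)
        if (old_check(len) && !new_check(len)) return len;
    return hi + 1;
}

int main(void) {
    int n = count_trigger_inputs(-8, 128);
    int first = first_trigger_input(-8, 128);
    printf("%d inputs pass the old check but fail the patched one; first: %d\n",
           n, first);
    return 0;
}
```

The same comparison is what a regression test for a deployed patch should assert: every input the fix rejects must also be rejected (or harmless) on every build still in service.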

The project aims to build a system that automatically finds these trigger conditions in security patches and gathers as much information about them as possible. This is a step towards automatically generating an exploit given a patch (sometimes referred to as the APEG problem – Automatic Patch-based Exploit Generation). Although the term is well established, the problem has never been completely solved and offers a number of avenues for future research.

This project is looking for a skilled candidate with experience in Python 3, C and assembly (x86/x86-64) for Linux-based executables. The basis for the project will be angr[1], a Python-based binary analysis framework. Other useful skills include familiarity with DWARF debug information, static and dynamic analysis techniques, and other programming languages (e.g. C++). Supervision will be provided throughout the project.

[1] https://angr.io/