{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,1,7]],"date-time":"2025-01-07T05:04:44Z","timestamp":1736226284543,"version":"3.32.0"},"reference-count":32,"publisher":"Oxford University Press (OUP)","issue":"11","license":[{"start":{"date-parts":[[2024,10,12]],"date-time":"2024-10-12T00:00:00Z","timestamp":1728691200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/academic.oup.com\/pages\/standard-publication-reuse-rights"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2024,11,20]]},"abstract":"<jats:title>Abstract<\/jats:title>\n               <jats:p>The format string vulnerability is a common software vulnerability. A well-constructed format string can read and modify arbitrary memory addresses, causing serious system problems. Existing automated exploit generation solutions for format string vulnerability are unable to cope with the limitations imposed by the vulnerability defense mechanism Address Space Layout Randomization (ASLR) and the program itself on vulnerability exploitation. In this paper, to address the above challenges, we propose FormatAEG, the first automatic exploitation framework for format string vulnerabilities that can bypass ASLR defense and the program's own constraints. Specifically, we first proposed an arbitrary address reading and writing method based on a format string vulnerability, which can modify the target address data by directly arranging the target address or automatically searching and utilizing the pointer chain in the stack. Then, we propose a vulnerability reentry method based on global offset table (GOT) hijacking, which hijacks the program control flow by modifying function addresses in the GOT, making the vulnerability reentrant. In the experimental section, we evaluated FormatAEG using 20 Capture The Flag programs from top international tournaments and two real-world programs with format string vulnerabilities. The evaluation results show that with ASLR defense turned on, FormatAEG successfully detects format string vulnerability in 19 of these programs and generates exploit code for 15 of them. Compared with existing tools, FormatAEG detected 11 more format string vulnerabilities and generated 13 more exploit codes.<\/jats:p>","DOI":"10.1093\/comjnl\/bxae069","type":"journal-article","created":{"date-parts":[[2024,10,13]],"date-time":"2024-10-13T06:34:32Z","timestamp":1728801272000},"page":"3056-3066","source":"Crossref","is-referenced-by-count":0,"title":["FormatAEG: a framework for bypassing ASLR defense and automated exploitation of format string vulnerability"],"prefix":"10.1093","volume":"67","author":[{"given":"Shenglin","family":"Xu","sequence":"first","affiliation":[{"name":"School of Computer, National University of Defense Technology , No. 137 Yanwachi Street, Changsha, Hunan 410073 ,","place":["P. R. China"]}]},{"given":"Zhiyuan","family":"Jiang","sequence":"additional","affiliation":[{"name":"School of Computer, National University of Defense Technology , No. 137 Yanwachi Street, Changsha, Hunan 410073 ,","place":["P. R. China"]}]},{"given":"Yongjun","family":"Wang","sequence":"additional","affiliation":[{"name":"School of Computer, National University of Defense Technology , No. 137 Yanwachi Street, Changsha, Hunan 410073 ,","place":["P. R. China"]}]},{"given":"Peidai","family":"Xie","sequence":"additional","affiliation":[{"name":"School of Computer, National University of Defense Technology , No. 137 Yanwachi Street, Changsha, Hunan 410073 ,","place":["P. R. China"]}]}],"member":"286","published-online":{"date-parts":[[2024,10,12]]},"reference":[{"key":"2025010523425880300_ref1","first-page":"143","article-title":"Automatic patch-based exploit generation is possible: Techniques and implications","volume-title":"IEEE Symposium on Security and Privacy, Oakland, CA, 18-21 May","author":"Brumley","year":"2008"},{"key":"2025010523425880300_ref2","doi-asserted-by":"crossref","first-page":"423","DOI":"10.1002\/spe.515","article-title":"Buffer overflow and format string overflow vulnerabilities","volume":"33","author":"Lhee","year":"2003","journal-title":"Softw Pract Exp"},{"year":"2023","author":"Corporation","article-title":"Cve related to format string vulnerability","key":"2025010523425880300_ref3"},{"year":"2022","author":"ZyXel","key":"2025010523425880300_ref4"},{"key":"2025010523425880300_ref5","first-page":"44","article-title":"Automatic exploit generation system based on symbolic execution","volume":"26","author":"Wan","year":"2017","journal-title":"Comput Syst Appl"},{"key":"2025010523425880300_ref6","first-page":"705","article-title":"Pangr: A behavior-based automatic vulnerability detection and exploitation framework","volume-title":"17th IEEE International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom), New York, 1-3 August","author":"Liu","year":"2018"},{"key":"2025010523425880300_ref7","first-page":"2464","article-title":"Automatic detection and test cases generation of format string vulnerability based on symbol execution","volume":"36","author":"Zhao","year":"2019","journal-title":"Appl Res Comput"},{"key":"2025010523425880300_ref8","first-page":"82","article-title":"Research on automatic exploit generation method of format string vulnerability based on symbolic execution","volume":"22","author":"Wang","year":"2021","journal-title":"Journal Of Air Force Engineering University (Natural Science Edition)"},{"volume-title":"J Comput Secur.","key":"2025010523425880300_ref9"},{"key":"2025010523425880300_ref10","first-page":"744","article-title":"Survey on malware evasion techniques: State of the art and challenges","volume-title":"14th International Conference on Advanced Communication Technology (ICACT), PyeongChang, Korea (South), 19-22 February","author":"Marpaung","year":"2012"},{"key":"2025010523425880300_ref11","doi-asserted-by":"crossref","first-page":"9727","DOI":"10.3390\/app11209727","article-title":"Aemb: An automated exploit mitigation bypassing solution","volume":"11","author":"Wang","year":"2021","journal-title":"Appl Sci"},{"year":"2022","author":"ChrisTheCoolHut","article-title":"Zeratool: A tool for automated exploitation of format string vulnerability","key":"2025010523425880300_ref12"},{"key":"2025010523425880300_ref13","first-page":"995","article-title":"Secgot: Secure global offset tables in elf executables","volume-title":"Conference of the 2nd International Conference on Computer Science and Electronics Engineering (ICCSEE 2013), HangZhou, China, 22-23 March","author":"Zhang","year":"2013"},{"key":"2025010523425880300_ref14","doi-asserted-by":"crossref","first-page":"385","DOI":"10.1145\/360248.360252","article-title":"Symbolic execution and program testing","volume":"19","author":"King","year":"1976","journal-title":"Commun ACM"},{"key":"2025010523425880300_ref15","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1145\/3182657","article-title":"A survey of symbolic execution techniques","volume":"51","author":"Baldoni","year":"2018","journal-title":"ACM Comput Surv"},{"year":"2022","author":"david942j","article-title":"Onegadget: A tool for searching rce code in glibc","key":"2025010523425880300_ref16"},{"key":"2025010523425880300_ref17","doi-asserted-by":"crossref","first-page":"138","DOI":"10.1109\/SP.2016.17","article-title":"Sok:(state of) the art of war: Offensive techniques in binary analysis","volume-title":"2016 IEEE symposium on security and privacy (SP), San Jose, CA, 23-25 May","author":"Shoshitaishvili","year":"2016"},{"year":"2021","author":"qilingframework","article-title":"Qiling: An advanced binary emulation framework","key":"2025010523425880300_ref18"},{"volume-title":"Ctftime","year":"2011","author":"team, C","key":"2025010523425880300_ref19"},{"volume-title":"Automatic Generation of Control Flow Hijacking Exploits for Software Vulnerabilities","year":"2009","author":"Heelan","key":"2025010523425880300_ref20"},{"key":"2025010523425880300_ref21","first-page":"283","article-title":"Aeg: Automatic exploit generation","volume-title":"NDSS, San Diego, CA, 6-9 February","author":"Avgerinos","year":"2011"},{"key":"2025010523425880300_ref22","doi-asserted-by":"crossref","first-page":"380","DOI":"10.1109\/SP.2012.31","article-title":"Unleashing mayhem on binary code","volume-title":"2012 IEEE Symposium on Security and Privacy, San Francisco, CA, 20-23 May","author":"Cha","year":"2012"},{"key":"2025010523425880300_ref23","first-page":"78","article-title":"Crax: Software crash analysis for automatic exploit generation by modeling attacks as symbolic continuations","volume-title":"2012 IEEE Sixth International Conference on Software Security and Reliability, Gaithersburg, MD, 20-22 June","author":"Huang","year":"2012"},{"key":"2025010523425880300_ref24","doi-asserted-by":"crossref","first-page":"373","DOI":"10.1134\/S0361768815060055","article-title":"Automated exploit generation for stack buffer overflow vulnerabilities","volume":"41","author":"Padaryan","year":"2015","journal-title":"Program Comput Softw"},{"key":"2025010523425880300_ref25","doi-asserted-by":"crossref","first-page":"463","DOI":"10.1109\/QRS-C.2018.00085","article-title":"Automatic exploit generation for buffer overflow vulnerabilities","volume-title":"2018 IEEE International Conference on Software Quality, Reliability and Security Companion (QRS-C), Lisbon, Portugal, 16-20 July","author":"Xu","year":"2018"},{"key":"2025010523425880300_ref26","first-page":"1","article-title":"Angerza: Automated exploit generation","volume-title":"2021 12th International Conference on Computing Communication and Networking Technologies (ICCCNT), Kharagpur, India, 6-8 July","author":"Dixit","year":"2021"},{"key":"2025010523425880300_ref27","first-page":"1","article-title":"Bofaeg: Automated stack buffer overflow vulnerability detection and exploit generation based on symbolic execution and dynamic analysis","volume":"2022","author":"Xu","year":"2022","journal-title":"Secur Commun Netw"},{"key":"2025010523425880300_ref28","doi-asserted-by":"crossref","first-page":"25","DOI":"10.1145\/3139337.3139346","article-title":"Modular synthesis of heap exploits","volume-title":"Proceedings of the 2017 Workshop on Programming Languages and Analysis for Security, Dallas, Texas, 30 October","author":"Repel","year":"2017"},{"key":"2025010523425880300_ref29","first-page":"1914","article-title":"Revery: From proof-of-concept to exploitable","volume-title":"Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, Toronto, Canada, 15-19, October","author":"Wang","year":"2018"},{"key":"2025010523425880300_ref30","first-page":"99","article-title":"HeapHopper: Bringing bounded model checking to heap implementation security","volume-title":"27th USENIX Security Symposium, Baltimore, MD, 15-17 August","author":"Eckert","year":"2018"},{"key":"2025010523425880300_ref31","first-page":"89","article-title":"Haepg: An automatic multi-hop exploitation generation framework","volume-title":"International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, Online, 24-26 June","author":"Zhao","year":"2020"},{"key":"2025010523425880300_ref32","first-page":"1111","article-title":"Automatic techniques to systematically discover new heap exploitation primitives","volume-title":"29th USENIX Security Symposium, Online, 12-14 August","author":"Yun","year":"2020"}],"container-title":["The Computer Journal"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/academic.oup.com\/comjnl\/article-pdf\/67\/11\/3056\/59730914\/bxae069.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"syndication"},{"URL":"https:\/\/academic.oup.com\/comjnl\/article-pdf\/67\/11\/3056\/59730914\/bxae069.pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,1,6]],"date-time":"2025-01-06T04:31:08Z","timestamp":1736137868000},"score":1,"resource":{"primary":{"URL":"https:\/\/academic.oup.com\/comjnl\/article\/67\/11\/3056\/7819323"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024,10,12]]},"references-count":32,"journal-issue":{"issue":"11","published-online":{"date-parts":[[2024,10,12]]},"published-print":{"date-parts":[[2024,11,20]]}},"URL":"https:\/\/doi.org\/10.1093\/comjnl\/bxae069","relation":{},"ISSN":["0010-4620","1460-2067"],"issn-type":[{"type":"print","value":"0010-4620"},{"type":"electronic","value":"1460-2067"}],"subject":[],"published-other":{"date-parts":[[2024,11]]},"published":{"date-parts":[[2024,10,12]]}}}