{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,2,21]],"date-time":"2025-02-21T23:29:28Z","timestamp":1740180568674,"version":"3.37.3"},"reference-count":29,"publisher":"Springer Science and Business Media LLC","issue":"1","license":[{"start":{"date-parts":[[2024,7,18]],"date-time":"2024-07-18T00:00:00Z","timestamp":1721260800000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2024,7,18]],"date-time":"2024-07-18T00:00:00Z","timestamp":1721260800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Cybersecurity"],
"abstract":"<jats:title>Abstract<\/jats:title><jats:p>Exploitable heap layouts are used to determine the exploitability of heap vulnerabilities in general-purpose applications. Prior studies have focused on using fuzzing-based methods to generate more exploitable heap layouts. However, an exploitable heap layout alone cannot fully demonstrate the exploitability of a vulnerability, as it is uncertain whether the attacker can control the data covered by the overflow. In this paper, we propose the Heap Overflow Exploitability Evaluator (<jats:sc>Hoee<\/jats:sc>), a new approach to automatically reveal the exploitability of heap buffer overflow vulnerabilities by evaluating proof-of-concepts (PoCs) generated by fuzzers. <jats:sc>Hoee<\/jats:sc> leverages several techniques to collect dynamic information at runtime and recover heap object layouts in a fine-grained manner. The overflow context is carefully analyzed to determine whether the sensitive pointer is corrupted, tainted, or critically used. We evaluate <jats:sc>Hoee<\/jats:sc> on 34 real-world CVE vulnerabilities from 16 general-purpose programs. The results demonstrate that <jats:sc>Hoee<\/jats:sc> accurately identifies the key factors for developing exploits in vulnerable contexts and correctly recognizes the behavior of the overflow.<\/jats:p>",
"DOI":"10.1186\/s42400-024-00244-6","type":"journal-article","created":{"date-parts":[[2024,7,18]],"date-time":"2024-07-18T04:01:37Z","timestamp":1721275297000},"update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":0,"title":["Revealing the exploitability of heap overflow through PoC analysis"],"prefix":"10.1186","volume":"7",
"author":[{"ORCID":"https:\/\/orcid.org\/0009-0001-9671-6120","authenticated-orcid":false,"given":"Qintao","family":"Shen","sequence":"first","affiliation":[]},{"given":"Guozhu","family":"Meng","sequence":"additional","affiliation":[]},{"given":"Kai","family":"Chen","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2024,7,18]]},
"reference":[
{"unstructured":"AFL. https:\/\/lcamtuf.coredump.cx\/afl\/","key":"244_CR1"},
{"doi-asserted-by":"crossref","unstructured":"B\u00f6hme M, Pham V-T, Nguyen M-D, Roychoudhury A (2017) Directed greybox fuzzing. In: Proceedings of the 2017 ACM SIGSAC conference on computer and communications security, pp 2329\u20132344","key":"244_CR2","DOI":"10.1145\/3133956.3134020"},
{"doi-asserted-by":"crossref","unstructured":"Chen Y, Lin Z, Xing X (2020) A systematic study of elastic objects in kernel exploitation. In: Proceedings of the 2020 ACM SIGSAC conference on computer and communications security, pp 1165\u20131184","key":"244_CR3","DOI":"10.1145\/3372297.3423353"},
{"doi-asserted-by":"crossref","unstructured":"Chen Y, Xing X (2019) Slake: facilitating slab manipulation for exploiting vulnerabilities in the Linux kernel. In: Proceedings of the 2019 ACM SIGSAC conference on computer and communications security, pp 1707\u20131722","key":"244_CR4","DOI":"10.1145\/3319535.3363212"},
{"doi-asserted-by":"crossref","unstructured":"Chen H, Xue Y, Li Y, Chen B, Xie X, Wu X, Liu Y (2018) Hawkeye: towards a desired directed grey-box fuzzer. In: Proceedings of the 2018 ACM SIGSAC conference on computer and communications security, pp 2095\u20132108","key":"244_CR5","DOI":"10.1145\/3243734.3243849"},
{"unstructured":"Chen W, Zou X, Li G, Qian Z (2020) KOOBE: towards facilitating exploit generation of kernel Out-Of-Bounds write vulnerabilities. In: 29th USENIX security symposium (USENIX security 20), pp 1093\u20131110","key":"244_CR6"},
{"issue":"3","key":"244_CR7","doi-asserted-by":"publisher","first-page":"265","DOI":"10.1145\/1961296.1950396","volume":"46","author":"V Chipounov","year":"2011","unstructured":"Chipounov V, Kuznetsov V, Candea G (2011) S2e: a platform for in-vivo multi-path analysis of software systems. ACM SIGPLAN Not 46(3):265\u2013278","journal-title":"ACM SIGPLAN Not"},
{"unstructured":"Daniel M, Honoroff J, Miller C (2008) Engineering heap overflow exploits with JavaScript. In: Boneh D, Garfinkel T, Song D (eds) Proceedings of the 2nd USENIX workshop on offensive technologies, WOOT\u201908, San Jose, CA, USA, July 28, 2008","key":"244_CR8"},
{"unstructured":"Exiv2: CVE-2017-12955. https:\/\/github.com\/Exiv2\/exiv2\/issues\/58","key":"244_CR9"},
{"unstructured":"Google: Syzkaller. https:\/\/github.com\/google\/syzkaller","key":"244_CR10"},
{"unstructured":"Heelan S, Melham T, Kroening D (2018) Automatic heap layout manipulation for exploitation. In: 27th USENIX security symposium (USENIX security 18), pp 763\u2013779","key":"244_CR11"},
{"doi-asserted-by":"crossref","unstructured":"Heelan S, Melham T, Kroening D (2019) Gollum: modular and greybox exploit generation for heap overflows in interpreters. In: Proceedings of the 2019 ACM SIGSAC conference on computer and communications security, pp 1689\u20131706","key":"244_CR12","DOI":"10.1145\/3319535.3354224"},
{"doi-asserted-by":"crossref","unstructured":"Jiang Z, Gan S, Herrera A, Toffalini F, Romerio L, Tang C, Egele M, Zhang C, Payer M (2022) Evocatio: conjuring bug capabilities from a single POC. In: Proceedings of the 2022 ACM SIGSAC conference on computer and communications security, pp 1599\u20131613","key":"244_CR13","DOI":"10.1145\/3548606.3560575"},
{"unstructured":"Kiriansky V, Waldspurger C (2018) Speculative buffer overflows: attacks and defenses. arXiv preprint arXiv:1807.03757","key":"244_CR14"},
{"unstructured":"Lee G, Shim W, Lee B (2021) Constraint-guided directed greybox fuzzing. In: 30th USENIX security symposium (USENIX security 21), pp 3559\u20133576","key":"244_CR15"},
{"doi-asserted-by":"crossref","unstructured":"Lin Z, Chen Y, Wu Y, Mu D, Yu C, Xing X, Li K (2022) Grebe: unveiling exploitation potential for Linux kernel bugs. In: 2022 IEEE symposium on security and privacy (SP). IEEE, pp 2078\u20132095","key":"244_CR16","DOI":"10.1109\/SP46214.2022.9833683"},
{"doi-asserted-by":"crossref","unstructured":"Lin Z, Wu Y, Xing X (2022) Dirtycred: escalating privilege in Linux kernel. In: Proceedings of the 2022 ACM SIGSAC conference on computer and communications security, pp 1963\u20131976","key":"244_CR17","DOI":"10.1145\/3548606.3560585"},
{"issue":"6","key":"244_CR18","doi-asserted-by":"publisher","first-page":"190","DOI":"10.1145\/1064978.1065034","volume":"40","author":"C-K Luk","year":"2005","unstructured":"Luk C-K, Cohn R, Muth R, Patil H, Klauser A, Lowney G, Wallace S, Reddi VJ, Hazelwood K (2005) Pin: building customized program analysis tools with dynamic instrumentation. ACM SIGPLAN Not 40(6):190\u2013200","journal-title":"ACM SIGPLAN Not"},
{"unstructured":"Saudel F, Salwan J (2015) Triton: Concolic execution framework. In: Symposium sur la S\u00e9curit\u00e9 des Technologies de L\u2019information et des communications (SSTIC)","key":"244_CR19"},
{"unstructured":"Serebryany K (2017) OSS-Fuzz: Google\u2019s continuous fuzzing service for open source software","key":"244_CR20"},
{"doi-asserted-by":"crossref","unstructured":"Shoshitaishvili Y, Wang R, Salls C, Stephens N, Polino M, Dutcher A, Grosen J, Feng S, Hauser C, Kruegel C, Vigna G (2016) SoK: (state of) the art of war: offensive techniques in binary analysis. In: IEEE symposium on security and privacy","key":"244_CR21","DOI":"10.1109\/SP.2016.17"},
{"doi-asserted-by":"crossref","unstructured":"Wang Y, Zhang C, Xiang X, Zhao Z, Li W, Gong X, Liu B, Chen K, Zou W (2018) Revery: from proof-of-concept to exploitable. In: Proceedings of the 2018 ACM SIGSAC conference on computer and communications security. CCS \u201918. Association for Computing Machinery, New York, pp 1914\u20131927","key":"244_CR22","DOI":"10.1145\/3243734.3243847"},
{"unstructured":"Wang Y, Zhang C, Zhao Z, Zhang B, Gong X, Zou W (2021) MAZE: towards automated heap Feng Shui. In: 30th USENIX security symposium (USENIX security 21), pp 1647\u20131664","key":"244_CR23"},
{"unstructured":"Wu W, Chen Y, Xing X, Zou W (2019) KEPLER: facilitating control-flow hijacking primitive evaluation for Linux kernel vulnerabilities. In: 28th USENIX security symposium (USENIX security 19), pp 1187\u20131204","key":"244_CR24"},
{"unstructured":"Wu W, Chen Y, Xu J, Xing X, Gong X, Zou W (2018) FUZE: towards facilitating exploit generation for kernel Use-After-Free vulnerabilities. In: 27th USENIX security symposium (USENIX security 18). USENIX Association, Baltimore, pp 781\u2013797","key":"244_CR25"},
{"unstructured":"Yun I, Kapil D, Kim T (2020) Automatic techniques to systematically discover new heap exploitation primitives. In: 29th USENIX security symposium (USENIX security 20), pp 1111\u20131128","key":"244_CR26"},
{"unstructured":"Zhang B, Chen J, Li R, Feng C, Li R, Tang C (2023) Automated exploitable heap layout generation for heap overflows through manipulation distance-guided fuzzing. In: 32nd USENIX security symposium (USENIX security 23), pp 4499\u20134515","key":"244_CR27"},
{"unstructured":"Zong P, Lv T, Wang D, Deng Z, Liang R, Chen K (2020) FuzzGuard: filtering out unreachable inputs in directed grey-box fuzzing through deep learning. In: 29th USENIX security symposium (USENIX security 20), pp 2255\u20132269","key":"244_CR28"},
{"unstructured":"Zou X, Li G, Chen W, Zhang H, Qian Z (2022) SyzScope: revealing high-risk security impacts of fuzzer-exposed bugs in Linux kernel. In: 31st USENIX security symposium (USENIX security 22), pp 3201\u20133217","key":"244_CR29"}
],
"container-title":["Cybersecurity"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1186\/s42400-024-00244-6.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1186\/s42400-024-00244-6\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1186\/s42400-024-00244-6.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2024,7,18]],"date-time":"2024-07-18T04:09:02Z","timestamp":1721275742000},"score":1,"resource":{"primary":{"URL":"https:\/\/cybersecurity.springeropen.com\/articles\/10.1186\/s42400-024-00244-6"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024,7,18]]},"references-count":29,"journal-issue":{"issue":"1","published-online":{"date-parts":[[2024,12]]}},"alternative-id":["244"],"URL":"https:\/\/doi.org\/10.1186\/s42400-024-00244-6","relation":{},"ISSN":["2523-3246"],"issn-type":[{"type":"electronic","value":"2523-3246"}],"subject":[],"published":{"date-parts":[[2024,7,18]]},
"assertion":[{"value":"20 October 2023","order":1,"name":"received","label":"Received","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"10 April 2024","order":2,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"18 July 2024","order":3,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}},{"order":1,"name":"Ethics","group":{"name":"EthicsHeading","label":"Declarations"}},{"value":"The authors declare that they have no competing interests.","order":2,"name":"Ethics","group":{"name":"EthicsHeading","label":"Competing interests"}}],"article-number":"47"}}
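The abstract's central point is that an exploitable heap layout is not enough: what matters is whether the bytes that land on a sensitive pointer in a neighbouring object are attacker-controlled, and whether the program later uses that pointer. The following C program is an added example, not code from the paper or the Hoee tool. It models a recovered heap layout as a list of user-data regions (allocator chunk headers are deliberately not modeled) and classifies an overflow with a three-way verdict that is our reading of the abstract's terms: "corrupted" when any byte of the pointer is overwritten, "tainted" when every byte of the pointer is overwritten with attacker-controlled data, and "critically used" when it is tainted and the program later dereferences or calls through it. The addresses, object sizes, the 8-byte pointer width, the function names `classify_overflow` and `overflow_target`, and the sample layout are all constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of a recovered heap layout: each entry is the user-data
   region of one allocation. Allocator metadata (chunk headers) is not modeled,
   so an overflow that only reaches a header is reported as NOT_REACHED here. */
typedef struct {
    const char *name;
    uintptr_t base;    /* start address of the object's user data */
    size_t size;       /* usable size in bytes */
    size_t ptr_off;    /* offset of a sensitive pointer field, or NO_PTR */
    int ptr_used;      /* nonzero if the program later calls/dereferences it */
} heap_obj;

#define NO_PTR   ((size_t)-1)
#define PTR_SIZE 8u        /* assumption: 64-bit pointers */

/* Verdicts, ordered by severity. The mapping of the abstract's terms is ours:
   CORRUPTED = some byte of the pointer is overwritten,
   TAINTED   = every byte of the pointer is overwritten with attacker-controlled data,
   CRITICAL  = TAINTED and the program later uses the pointer. */
enum verdict { NOT_REACHED = 0, CORRUPTED = 1, TAINTED = 2, CRITICAL = 3 };

static int overlaps(uintptr_t a0, uintptr_t a1, uintptr_t b0, uintptr_t b1) {
    return a0 < b1 && b0 < a1;          /* [a0,a1) meets [b0,b1) */
}
static int covers(uintptr_t a0, uintptr_t a1, uintptr_t b0, uintptr_t b1) {
    return a0 <= b0 && b1 <= a1;        /* [b0,b1) lies inside [a0,a1) */
}

/* An overflow writes `len` bytes past the end of objs[src]. Within that write,
   bytes [taint_off, taint_off+taint_len) come from attacker input; the rest
   are fixed by the program (e.g. a constant header the PoC cannot change).
   Returns the most severe verdict over all other objects and, if hit is
   non-NULL, stores the index of the object that produced it. */
enum verdict classify_overflow(const heap_obj *objs, size_t n, size_t src,
                               size_t len, size_t taint_off, size_t taint_len,
                               size_t *hit)
{
    uintptr_t ov0 = objs[src].base + objs[src].size;   /* first overflowed byte */
    uintptr_t ov1 = ov0 + len;
    uintptr_t t0 = ov0 + taint_off;
    uintptr_t t1 = t0 + taint_len;
    if (t0 > ov1) t0 = ov1;            /* taint cannot lie outside the write */
    if (t1 > ov1) t1 = ov1;
    enum verdict worst = NOT_REACHED;

    for (size_t i = 0; i < n; i++) {
        if (i == src || objs[i].ptr_off == NO_PTR) continue;
        uintptr_t p0 = objs[i].base + objs[i].ptr_off;
        uintptr_t p1 = p0 + PTR_SIZE;
        if (!overlaps(ov0, ov1, p0, p1)) continue;
        enum verdict v = CORRUPTED;
        if (covers(t0, t1, p0, p1))     /* attacker chooses the whole pointer */
            v = objs[i].ptr_used ? CRITICAL : TAINTED;
        if (v > worst) { worst = v; if (hit) *hit = i; }
    }
    return worst;
}

/* Index of the object behind the verdict, or NO_PTR when nothing is reached. */
size_t overflow_target(const heap_obj *objs, size_t n, size_t src, size_t len,
                       size_t taint_off, size_t taint_len)
{
    size_t hit = NO_PTR;
    classify_overflow(objs, n, src, len, taint_off, taint_len, &hit);
    return hit;
}

/* Constructed layout: three 0x30-byte objects with 0x10-byte gaps for chunk
   headers. B owns a callback pointer the program later calls; C holds a
   pointer the program never uses again. */
const heap_obj sample_layout[] = {
    { "A (overflow source)",    0x1000, 0x30, NO_PTR, 0 },
    { "B (callback owner)",     0x1040, 0x30, 0x8,    1 },
    { "C (pointer never used)", 0x1080, 0x30, 0x0,    0 },
};
#define SAMPLE_N (sizeof sample_layout / sizeof sample_layout[0])

static const char *verdict_name(enum verdict v) {
    static const char *names[] = { "not reached", "corrupted", "tainted", "critically used" };
    return names[v];
}

int main(void)
{
    struct { size_t src, len, toff, tlen; } cases[] = {
        { 0, 0x10, 0x00, 0x10 },   /* lands only on B's chunk header          */
        { 0, 0x1c, 0x00, 0x1c },   /* clips the low half of B's pointer        */
        { 0, 0x20, 0x00, 0x10 },   /* reaches B's pointer, but not with taint  */
        { 0, 0x20, 0x18, 0x08 },   /* exactly the pointer bytes are tainted    */
        { 1, 0x18, 0x00, 0x18 },   /* B -> C: fully controlled, but never used */
    };
    for (size_t k = 0; k < sizeof cases / sizeof cases[0]; k++) {
        size_t hit = NO_PTR;
        enum verdict v = classify_overflow(sample_layout, SAMPLE_N, cases[k].src,
                                           cases[k].len, cases[k].toff, cases[k].tlen, &hit);
        printf("overflow from %s, %zu bytes: %s%s%s\n", sample_layout[cases[k].src].name,
               cases[k].len, verdict_name(v),
               hit == NO_PTR ? "" : " -> ", hit == NO_PTR ? "" : sample_layout[hit].name);
    }
    return 0;
}
```

The fourth case is the one a practitioner should note: a 0x20-byte overflow whose first 0x18 bytes are fixed by the program still yields a critically usable pointer if the last 8 attacker-controlled bytes land exactly on the callback field, while the same overflow with taint confined to the first 0x10 bytes only corrupts it. In a real analysis the layout and the taint ranges would come from runtime instrumentation of the PoC rather than from constants.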