AEG
Automatic Exploit Generation
Shih-Kun Huang
skhuang@cs.nctu.edu.tw
Information Technology Service Center
National Chiao Tung University
About Me: Shih-Kun Huang
- 1991~1996 system administrator, CS, NCTU
- Inspired by Mafalda 24 years ago for insecure software
- innbbsd, Internet BBS-NetNews Gateway
- 1996~2004, IIS, Academia Sinica
- Software Engineering Group
- Openfoundry
- 2004~2019, started SQLab in CS, NCTU
- Software Quality Lab
About SQLab
- Security is Bugs
- Current Goals
- CTF
- 0xddaa, atdog, jeffxx, lucus
- CGC (automatic attack and defense)
- CTF
Why AEG ?
- Exploit writing process
- technique
Symbolic Execution
- Symbolic Evaluation and Concrete Execution
E=mc2
Concolic Execution
Text
AEG Requirement
- End-to-End
- Binary AEG
- Symbolic Pointer
End-to-End
- Symbolic Environment
Environment Model
- Symbolic Stdin
- Symbolic File (local)
- Symbolic Socket (remote)
- Symbolic Sensor
Binary AEG
- Symbolic Memory
- concrete symbolic memory
- abstract symbolic memory
Symbolic Pointer
- Value is symbolic
- Address is symbolic
- Bullet Three
CRAX: if the Crash is exploitable
- Bullet One
- Bullet Two
- Bullet Three
Environment Model
- Symbolic Stdin
- Symbolic File (local)
- Symbolic Socket (remote)
- Symbolic Sensor
Symbolic Pointer
Text
AEG: Automatic Exploit Generation
By Shih-Kun Huang
AEG: Automatic Exploit Generation
Can symbolic execution be useful in CTF ?