Skip to content

The exploit generator CRAX++ is CRAX with a plugin system, s2e 2.0 upgrade, dynamic ROP, code selection, and I/O states (HITCON 2022)

License

Notifications You must be signed in to change notification settings

SQLab/CRAXplusplus

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

CRAXplusplus (CRAX++)

current version: 0.2.1

Being inspired by AFL++, the exploit generator CRAX++ is CRAX with x86_64 ROP techniques, s2e 2.0 upgrade, code selection, I/O states, dynamic ROP, and more. Given a x86_64 binary program and a PoC input, our system leverages dynamic symbolic execution (i.e. concolic execution) to collect the path constraints determined by the PoC input, add exploit constraints to the crashing states, and query the constraint solver for exploit script generation. Our system supports custom exploitation techniques and modules with the aim of maximizing its extensibility. We implement several binary exploitation techniques in our system, and design two ROP payload chaining algorithms to build ROP payload from multiple techniques.

Conference Talk

System Architecture

Evaluation

Experimental Environment

  • Binaries are compiled as 64-bit x86_64 ELF with gcc 9.3.0 (Ubuntu 9.3.0-17ubuntu1~20.04)
  • Binaries are concolically executed in S2E guest (Debian 9.2.1 x86_64, 4.9.3-s2e) using libc/ld 2.24
  • All generated exploit scripts are verified in host (Ubuntu 20.04.1 x86_64, 5.11.0-46-generic) using libc/ld 2.24

Quick Start [WIP]

Introduction

  • Building CRAX++
  • Usage
  • Reproducing experiments from the examples directory
  • What is a Module?
  • What is a Technique?

Extending CRAX++

Special Thanks (Listed Lexicographically)

This project is impossible without:

Reference

[1] Vitaly Chipounov, Volodymyr Kuznetsov, and George Candea. “S2E: A platform for in-vivo multi-path analysis of software systems”. Acm Sigplan Notices 46.3 (2011), pp. 265–278. [Paper] [Repo] [Docs]

[2] Shih-Kun Huang et al. “Crax: Software crash analysis for automatic exploit generation by modeling attacks as symbolic continuations”. In: 2012 IEEE Sixth International Conference on Software Security and Reliability. IEEE. 2012, pp. 78–87. [Paper] [Repo] [Article]

[3] W.-L. Mow, S.-K. Huang, H.-C. Hsiao. "LAEG: Leak-based AEG using Dynamic Binary Analysis to Defeat ASLR". In The 6th International Workshop on Privacy, data Assurance, Security Solutions for Internet of Things, June 2022. [Paper]

[4] Wang Guan-Zhong and Huang Shih-Kun. "CRAXplusplus: Modular Exploit Generator using Symbolic Execution" (2022). [Thesis] [Slides]

License

Licensed under MIT. Copyright 2021-2022 Software Quality Laboratory, NYCU.

About

The exploit generator CRAX++ is CRAX with a plugin system, s2e 2.0 upgrade, dynamic ROP, code selection, and I/O states (HITCON 2022)

Topics

Resources

License

Stars

Watchers

Forks

Contributors 3

  •  
  •  
  •