Automatic Exploit Generation for Cross-Language Attacks


Bibliographic Details
Main Author: Mihretie, Yosef E.
Other Authors: Burow, Nathan
Format: Thesis
Published: Massachusetts Institute of Technology 2023
Online Access: https://hdl.handle.net/1721.1/147544
Description: Memory corruption is an essential component of most computer exploits. At the same time, a significant portion of legacy system software is written in C/C++, which are memory-unsafe languages. This has led to an arms race between attackers devising ever more clever ways to corrupt memory and developers engineering mitigations that either prevent memory corruption or raise an alarm when it occurs. This has come to be known as "The Eternal War in Memory". Recently, however, programmers have shifted to languages that are memory-safe by design, such as Go and Rust. These languages are especially attractive because they provide a convenient interface for interacting with the widely established C/C++ infrastructure. Underlying this design approach is the assumption that replacing parts of a largely memory-unsafe program with memory-safe code raises the overall security of the program. Recent work, however, has shown this assumption to be flawed: mixing sections with different threat models into one program can enable attacks that would not have been possible against either section on its own. These attacks are called Cross-Language Attacks (CLA). Analyzing large binary programs by hand to construct CLA exploits, however, is a tedious process. In this thesis, we present ACLEG, which automatically generates CLAs for the case of double-free exploits. ACLEG can help researchers and engineers understand the extent of CLA vulnerabilities in commercially deployed software. Moreover, as part of the debugging toolset, it can help find bugs in software before it is deployed.
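As an added illustration of the double-free variant of a Cross-Language Attack that the abstract refers to (example code written for this page, not code from the thesis, and not a reproduction of ACLEG's analysis), the following Rust program models the ownership contract of one heap object as it crosses a Rust/C boundary. Rust releases a `Box` implicitly when it goes out of scope; C releases memory only when someone calls `free()`. A double free appears when both rules fire on the same address, which neither language's own safety model would permit in isolation. The event names, the addresses and the two traces are constructed for the example.

```rust
// Added example: a toy ownership ledger for heap objects that cross a
// Rust/C FFI boundary. Not ACLEG's algorithm; traces are constructed.
use std::collections::HashMap;

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Side {
    Rust,
    C,
}

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Event {
    /// `let b = Box::new(..)` on the Rust side; Rust owns the allocation.
    RustAlloc(usize),
    /// Rust hands C a pointer. `transfer: true` models `Box::into_raw(b)`
    /// (ownership moves to C); `false` models `&*b as *const _` (a borrow,
    /// so Rust will still drop the Box later).
    PassToC { addr: usize, transfer: bool },
    /// The C side calls `free(p)`.
    CFree(usize),
    /// The Rust side's Box goes out of scope and is dropped.
    RustDrop(usize),
}

#[derive(Debug, Clone, PartialEq, Eq)]
pub enum Finding {
    /// The same address was released twice, first by `first`, then by `second`.
    DoubleFree { addr: usize, first: Side, second: Side },
    /// C freed memory it only borrowed; Rust still considers itself the owner.
    FreeOfBorrowed { addr: usize },
    /// The trace names an unknown address or drops a Box that was moved to C.
    Invalid { addr: usize, event: Event },
}

#[derive(Debug, Clone, Copy)]
struct Slot {
    owner: Side,
    freed_by: Option<Side>,
}

/// Walk a trace and report boundary-contract violations; an empty Vec means clean.
pub fn check(trace: &[Event]) -> Vec<Finding> {
    let mut slots: HashMap<usize, Slot> = HashMap::new();
    let mut findings = Vec::new();
    for &ev in trace {
        match ev {
            Event::RustAlloc(addr) => {
                slots.insert(addr, Slot { owner: Side::Rust, freed_by: None });
            }
            Event::PassToC { addr, transfer } => match slots.get_mut(&addr) {
                Some(slot) if transfer => slot.owner = Side::C,
                Some(_) => {}
                None => findings.push(Finding::Invalid { addr, event: ev }),
            },
            Event::CFree(addr) => match slots.get_mut(&addr) {
                Some(slot) => {
                    if let Some(first) = slot.freed_by {
                        findings.push(Finding::DoubleFree { addr, first, second: Side::C });
                    } else {
                        if slot.owner != Side::C {
                            // C's rule ("whoever holds the pointer may free it")
                            // fires on memory Rust still plans to drop.
                            findings.push(Finding::FreeOfBorrowed { addr });
                        }
                        slot.freed_by = Some(Side::C);
                    }
                }
                None => findings.push(Finding::Invalid { addr, event: ev }),
            },
            Event::RustDrop(addr) => match slots.get_mut(&addr) {
                // Safe Rust cannot drop a Box consumed by into_raw; such an
                // event means the trace itself is inconsistent.
                Some(slot) if slot.owner != Side::Rust => {
                    findings.push(Finding::Invalid { addr, event: ev })
                }
                Some(slot) => {
                    if let Some(first) = slot.freed_by {
                        findings.push(Finding::DoubleFree { addr, first, second: Side::Rust });
                    } else {
                        slot.freed_by = Some(Side::Rust);
                    }
                }
                None => findings.push(Finding::Invalid { addr, event: ev }),
            },
        }
    }
    findings
}

/// Constructed trace: Rust keeps its Box, but C frees the borrowed pointer anyway.
pub fn cla_double_free_trace() -> Vec<Event> {
    vec![
        Event::RustAlloc(0x1000),
        Event::PassToC { addr: 0x1000, transfer: false },
        Event::CFree(0x1000),
        Event::RustDrop(0x1000),
    ]
}

/// Constructed trace: ownership is moved to C explicitly, so exactly one side frees.
pub fn transfer_trace() -> Vec<Event> {
    vec![
        Event::RustAlloc(0x1000),
        Event::PassToC { addr: 0x1000, transfer: true },
        Event::CFree(0x1000),
    ]
}

fn main() {
    println!("buggy: {:?}", check(&cla_double_free_trace()));
    println!("fixed: {:?}", check(&transfer_trace()));
}
```

The buggy trace corresponds to Rust code that keeps a `Box<T>` alive while passing `&*b as *const T` to a C function that calls `free()` on it: the checker first reports that C freed borrowed memory, then reports the double free when Rust's implicit drop runs. The clean trace uses `Box::into_raw`, so only one side owns the release; a Rust FFI wrapper should pair that with an exported `*_free` function that reclaims the pointer via `Box::from_raw`, and C code must never call `free()` on a pointer it only borrowed.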
Additional Contributors: Okhravi, Hamed; Shrobe, Howard
Department: Massachusetts Institute of Technology. Department of Electrical Engineering and Computer Science
Degree: M.Eng.
Date Issued: 2022-09 (deposited 2023-01-19)
Rights: In Copyright - Educational Use Permitted; Copyright MIT; http://rightsstatements.org/page/InC-EDU/1.0/
File Format: application/pdf