TAICHI: Transform Your Secret Exploits Into Mine From a Victim's Perspective


Detailed description

Saved in:
Bibliographic details
Published in: IEEE transactions on dependable and secure computing 2023-11, Vol.20 (6), p.1-15
Main authors: Pei, Zhongyu; Chen, Xingman; Yang, Songtao; Duan, Haixin; Zhang, Chao
Format: Article
Language: eng
Subjects:
Online access: Order full text
container_end_page: 15
container_issue: 6
container_start_page: 1
container_title: IEEE transactions on dependable and secure computing
container_volume: 20
creator: Pei, Zhongyu; Chen, Xingman; Yang, Songtao; Duan, Haixin; Zhang, Chao
description: Acquiring and analyzing exploits, which take advantage of vulnerabilities to conduct malicious actions, are crucial for victims (and defenders) when responding to system-compromising incidents. However, exploits are sensitive and valuable assets that are not available to victims. The most common resource available for victims to investigate is network traffic, which covers the exploitation period. Thus, reconstructing exploits from network traffic is in demand. In practice, the reconstruction process is performed manually, and is thus inefficient and non-scalable. In this paper, we present an automated solution, TAICHI, to reconstruct exploits from network traffic, able to generate replica exploits and facilitate timely incident analysis. By nature, a working exploit has to satisfy (1) path constraints, which ensure that the same program path as the original exploit's is explored and the same vulnerability is triggered, and (2) exploit constraints, which ensure that the same exploitation strategy is applied, e.g., to bypass deployed defenses or to stitch multiple gadgets together. We propose a hybrid solution to this problem by integrating techniques including multi-version execution (MVE), dynamic taint analysis (DTA), and concolic execution. We have implemented a prototype of TAICHI on x86 and x86-64 Linux and tested it on the Cyber Grand Challenge (CGC) dataset, several Capture the Flag (CTF) challenges, and Metasploit exploit modules targeting real-world applications. The evaluation results showed that TAICHI could reconstruct exploits efficiently with a high success rate. Moreover, it could be applied to production environments without disrupting running services, and could reconstruct exploits even if only one round of exploitation traffic is available.
doi_str_mv: 10.1109/TDSC.2022.3191693
format: Article
fulltext: fulltext_linktorsrc
identifier: ISSN: 1545-5971
ispartof: IEEE transactions on dependable and secure computing, 2023-11, Vol.20 (6), p.1-15
issn: 1545-5971; 1941-0018
language: eng
recordid: cdi_ieee_primary_10043784
source: IEEE Electronic Library (IEL)
subjects: Communications traffic; Computer science; Cyberspace; Differential thermal analysis; exploit; Exploitation; Instruments; Knowledge engineering; Monitoring; Production; Prototypes; Taint analysis; traffic replay; vulnerability
title: TAICHI: Transform Your Secret Exploits Into Mine From a Victim's Perspective
url: https://sfx.bib-bvb.de/sfx_tum?ctx_ver=Z39.88-2004&ctx_enc=info:ofi/enc:UTF-8&ctx_tim=2024-12-22T13%3A54%3A36IST&url_ver=Z39.88-2004&url_ctx_fmt=infofi/fmt:kev:mtx:ctx&rfr_id=info:sid/primo.exlibrisgroup.com:primo3-Article-proquest_RIE&rft_val_fmt=info:ofi/fmt:kev:mtx:journal&rft.genre=article&rft.atitle=TAICHI:%20Transform%20Your%20Secret%20Exploits%20Into%20Mine%20From%20a%20Victim's%20Perspective&rft.jtitle=IEEE%20transactions%20on%20dependable%20and%20secure%20computing&rft.au=Pei,%20Zhongyu&rft.date=2023-11-01&rft.volume=20&rft.issue=6&rft.spage=1&rft.epage=15&rft.pages=1-15&rft.issn=1545-5971&rft.eissn=1941-0018&rft.coden=ITDSCM&rft_id=info:doi/10.1109/TDSC.2022.3191693&rft_dat=%3Cproquest_RIE%3E2889730518%3C/proquest_RIE%3E%3Curl%3E%3C/url%3E&disable_directlink=true&sfx.directlink=off&sfx.report_link=0&rft_id=info:oai/&rft_pqid=2889730518&rft_id=info:pmid/&rft_ieee_id=10043784&rfr_iscdi=true