An Exploitability Analysis Technique for Binary Vulnerability Based on Automatic Exception Suppression

<table class="algorithm-group"><tr><td><table class="algorithm" id="alg4"><tr><td colspan="2">(1)<b> Input:</b> real trace <svg height="8.02022pt" id="M42" style="vertical-align:-0.2063999pt" version="1.1" viewbox="-0.0498162 -7.81382 4.54925 8.02022" width="4.54925pt" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><g transform="matrix(.013,0,0,-0.013,0,0)"><path d="M324 430H196L233 583L223 592L145 529L120 430H54L29 396L31 388H111L56 126C33 15 54 -12 77 -12C137 -12 214 57 250 95L233 119C208 92 155 59 138 59C126 59 120 70 131 125L186 390L298 394L324 430Z" id="g113-117"></path></g></svg></td></tr><tr><td colspan="2">(2) <b>Output: </b>None</td></tr><tr><td colspan="2">(3) <b>while </b><svg height="11.9316pt" id="M43" style="vertical-align:-3.2957pt" version="1.1" viewbox="-0.0498162 -8.6359 38.4559 11.9316" width="38.4559pt" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><g transform="matrix(.013,0,0,-0.013,0,0)"><path d="M686 28C612 35 607 44 591 112C563 234 541 360 519 489L489 666L457 658L147 121C100 40 89 36 24 28L17 0H240L250 28C168 34 159 41 190 101L262 237H482C495 180 503 137 510 91C517 47 514 35 441 28L433 0H677L686 28ZM475 280H285L429 541H431L475 280Z" id="g113-66"></path></g><g transform="matrix(.0091,0,0,-0.0091,10.244,3.132)"><path d="M396 114C349 71 317 59 274 59C216 59 123 104 123 241C123 342 180 400 246 400C283 400 317 386 348 359C355 352 361 348 366 348C378 348 401 371 402 394C402 405 398 413 385 424C369 437 337 451 294 451H293C254 451 193 434 141 394C73 342 39 277 39 198C39 90 114 -12 243 -12C303 -12 371 31 415 90L396 114Z" id="g58-97"></path></g><g transform="matrix(.0091,0,0,-0.0091,14.248,3.132)"><path d="M527 54L498 55C459 56 451 63 451 114V445C436 442 413 438 384 435C353 432 318 430 291 429V402L328 396C361 390 370 387 370 331V101C336 70 300 54 262 54C217 54 173 78 173 166V300C173 361 173 412 176 445C160 442 132 438 105 434C77 431 52 430 29 429V402L59 395C83 390 92 385 92 331V141C92 30 150 -12 218 -12C246 -12 266 -4 295 13C324 29 346 47 370 64V-6L376 -12C396 -7 421 1 448 8C476 15 504 21 527 24V54Z" id="g58-115"></path></g><g transform="matrix(.0091,0,0,-0.0091,19.171,3.132)"><path d="M185 344V453C137 433 92 421 41 413V386C100 378 104 375 104 310V106C104 41 97 35 33 30V0H268V30C190 35 185 41 185 107V283C206 340 240 371 267 371C282 371 296 364 310 351C316 344 325 343 336 348C357 357 369 378 369 399C369 424 345 451 310 451C262 451 219 397 187 344H185Z" id="g58-112"></path></g><g transform="matrix(.0091,0,0,-0.0091,22.693,3.132)"><path d="M185 344V453C137 433 92 421 41 413V386C100 378 104 375 104 310V106C104 41 97 35 33 30V0H268V30C190 35 185 41 185 107V283C206 340 240 371 267 371C282 371 296 364 310 351C316 344 325 343 336 348C357 357 369 378 369 399C369 424 345 451 310 451C262 451 219 397 187 344H185Z" id="g58-112"></path></g><g transform="matrix(.0091,0,0,-0.0091,26.042,3.132)"><path d="M384 109C349 76 310 59 268 59C197 59 123 113 120 245C240 248 367 259 384 262C403 266 407 275 407 296C407 376 338 451 254 451H253C201 451 148 425 105 378C65 334 39 272 39 203C39 88 112 -12 235 -12C266 -12 339 5 402 84L384 109ZM230 411C285 411 319 365 319 313C319 298 313 293 294 293C236 291 180 290 125 290C141 370 185 411 230 411Z" id="g58-99"></path></g><g transform="matrix(.0091,0,0,-0.0091,29.991,3.132)"><path d="M532 0V30C473 38 467 38 467 107V298C467 395 416 451 336 451C307 451 279 439 251 420C226 404 205 389 185 374V453C142 434 94 422 43 413V386C98 378 104 373 104 309V107C104 41 100 38 31 30V0H251V30C191 35 185 40 185 107V337C216 364 255 389 295 389C360 389 386 347 386 276V110C386 44 380 35 321 30V0H532Z" id="g58-108"></path></g><g transform="matrix(.0091,0,0,-0.0091,34.877,3.132)"><path d="M303 37L293 66C280 59 256 49 231 49S173 63 173 143V396H281C294 404 298 428 287 439H173V575L158 577L92 509V439H46L17 408L22 396H92V107C92 27 128 -12 192 -12C203 -12 218 -9 237 2L303 37Z" id="g58-114"></path></g></svg>! = <span class="nowrap"><svg height="11.439pt" id="M44" style="vertical-align:-2.15067pt" version="1.1" viewbox="-0.0498162 -9.28833 27.8543 11.439" width="27.8543pt" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><g transform="matrix(.013,0,0,-0.013,0,0)"><path d="M324 430H196L233 583L223 592L145 529L120 430H54L29 396L31 388H111L56 126C33 15 54 -12 77 -12C137 -12 214 57 250 95L233 119C208 92 155 59 138 59C126 59 120 70 131 125L186 390L298 394L324 430Z" id="g113-117"></path></g><g transform="matrix(.013,0,0,-0.013,4.433,0)"><path d="M290 -163V-135C183 -126 181 -122 181 -44V583C181 662 184 666 290 675V703H120V-163H290Z" id="g113-92"></path></g><g transform="matrix(.013,0,0,-0.013,8.918,0)"><path d="M372 352C427 368 507 407 507 502C507 548 486 592 451 616C420 638 376 650 301 650H44V622C124 616 128 610 128 527V123C128 40 122 34 36 28V0H257C336 0 402 12 453 40C512 72 548 124 548 191C548 291 471 335 372 350V352ZM213 362V558C213 591 216 602 226 608C235 614 258 618 282 618C377 618 415 558 415 490C415 406 369 362 260 362H213ZM213 328H258C380 328 450 283 450 181C450 76 377 35 296 34C231 34 213 53 213 125V328Z" id="g121-64"></path></g><g transform="matrix(.013,0,0,-0.013,16.562,0)"><path d="M152 404V712C115 698 54 683 7 677V654C71 648 73 642 73 579V24C128 -2 179 -12 220 -12C353 -12 471 92 471 238C471 357 381 449 274 449C262 449 249 446 233 439L152 404ZM152 374C170 384 202 393 230 393C313 393 382 326 382 213C382 97 330 26 246 26C194 26 165 62 158 81C154 91 152 101 152 116V374Z" id="g121-96"></path></g><g transform="matrix(.013,0,0,-0.013,23.166,0)"><path d="M226 -163V703H56V676C162 667 165 662 165 584V-43C165 -122 162 -126 56 -136V-163H226Z" id="g113-94"></path></g></svg>:</span></td></tr><tr><td colspan="2">(4)  <b>If</b> is_hooked(current_addr)</td></tr><tr><td colspan="2">(5)   <b>while</b> addr_in_plt(<svg height="11.439pt" id="M45" style="vertical-align:-2.15067pt" version="1.1" viewbox="-0.0498162 -9.28833 27.8543 11.439" width="27.8543pt" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><g transform="matrix(.013,0,0,-0.013,0,0)"><path d="M324 430H196L233 583L223 592L145 529L120 430H54L29 396L31 388H111L56 126C33 15 54 -12 77 -12C137 -12 214 57 250 95L233 119C208 92 155 59 138 59C126 59 120 70 131 125L186 390L298 394L324 430Z" id="g113-117"></path></g><g transform="matrix(.013,0,0,-0.013,4.433,0)"><path d="M290 -163V-135C183 -126 181 -122 181 -44V583C181 662 184 666 290 675V703H120V-163H290Z" id="g113-92"></path></g><g transform="matrix(.013,0,0,-0.013,8.918,0)"><path d="M372 352C427 368 507 407 507 502C507 548 486 592 451 616C420 638 376 650 301 650H44V622C124 616 128 610 128 527V123C128 40 122 34 36 28V0H257C336 0 402 12 453 40C512 72 548 124 548 191C548 291 471 335 372 350V352ZM213 362V558C213 591 216 602 226 608C235 614 258 618 282 618C377 618 415 558 415 490C415 406 369 362 260 362H213ZM213 328H258C380 328 450 283 450 181C450 76 377 35 296 34C231 34 213 53 213 125V328Z" id="g121-64"></path></g><g transform="matrix(.013,0,0,-0.013,16.562,0)"><path d="M152 404V712C115 698 54 683 7 677V654C71 648 73 642 73 579V24C128 -2 179 -12 220 -12C353 -12 471 92 471 238C471 357 381 449 274 449C262 449 249 446 233 439L152 404ZM152 374C170 384 202 393 230 393C313 393 382 326 382 213C382 97 330 26 246 26C194 26 165 62 158 81C154 91 152 101 152 116V374Z" id="g121-96"></path></g><g transform="matrix(.013,0,0,-0.013,23.166,0)"><path d="M226 -163V703H56V676C162 667 165 662 165 584V-43C165 -122 162 -126 56 -136V-163H226Z" id="g113-94"></path></g></svg>):</td></tr><tr><td colspan="2">(6)    Bb += 1</td></tr><tr><td colspan="2">(7)  <svg height="8.8423pt" id="M46" style="vertical-align:-0.2064009pt" version="1.1" viewbox="-0.0498162 -8.6359 6.25863 8.8423" width="6.25863pt" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><g transform="matrix(.013,0,0,-0.013,0,0)"><path d="M449 634C442 637 425 643 405 650C376 660 341 666 307 666C181 666 98 590 98 485C98 400 170 343 215 310L246 288C307 243 343 204 343 147C343 67 291 18 219 18C104 18 61 124 51 202L23 199C28 124 27 71 27 47C47 22 122 -16 204 -16C324 -16 428 60 428 174C428 256 379 309 307 360L276 382C223 419 179 455 179 516C179 576 221 632 293 632C379 632 410 564 418 487L448 490C446 536 446 592 449 634Z" id="g113-84"></path></g></svg> = <svg height="11.439pt" id="M47" style="vertical-align:-2.15067pt" version="1.1" viewbox="-0.0498162 -9.28833 27.8543 11.439" width="27.8543pt" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><g transform="matrix(.013,0,0,-0.013,0,0)"><path d="M324 430H196L233 583L223 592L145 529L120 430H54L29 396L31 388H111L56 126C33 15 54 -12 77 -12C137 -12 214 57 250 95L233 119C208 92 155 59 138 59C126 59 120 70 131 125L186 390L298 394L324 430Z" id="g113-117"></path></g><g transform="matrix(.013,0,0,-0.013,4.433,0)"><path d="M290 -163V-135C183 -126 181 -122 181 -44V583C181 662 184 666 290 675V703H120V-163H290Z" id="g113-92"></path></g><g transform="matrix(.013,0,0,-0.013,8.918,0)"><path d="M372 352C427 368 507 407 507 502C507 548 486 592 451 616C420 638 376 650 301 650H44V622C124 616 128 610 128 527V123C128 40 122 34 36 28V0H257C336 0 402 12 453 40C512 72 548 124 548 191C548 291 471 335 372 350V352ZM213 362V558C213 591 216 602 226 608C235 614 258 618 282 618C377 618 415 558 415 490C415 406 369 362 260 362H213ZM213 328H258C380 328 450 283 450 181C450 76 377 35 296 34C231 34 213 53 213 125V328Z" id="g121-64"></path></g><g transform="matrix(.013,0,0,-0.013,16.562,0)"><path d="M152 404V712C115 698 54 683 7 677V654C71 648 73 642 73 579V24C128 -2 179 -12 220 -12C353 -12 471 92 471 238C471 357 381 449 274 449C262 449 249 446 233 439L152 404ZM152 374C170 384 202 393 230 393C313 393 382 326 382 213C382 97 330 26 246 26C194 26 165 62 158 81C154 91 152 101 152 116V374Z" id="g121-96"></path></g><g transform="matrix(.013,0,0,-0.013,23.166,0)"><path d="M226 -163V703H56V676C162 667 165 662 165 584V-43C165 -122 162 -126 56 -136V-163H226Z" id="g113-94"></path></g></svg> − <svg height="11.1095pt" id="M48" style="vertical-align:-3.29568pt" version="1.1" viewbox="-0.0498162 -7.81382 18.4732 11.1095" width="18.4732pt" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><g transform="matrix(.013,0,0,-0.013,0,0)"><path d="M324 430H196L233 583L223 592L145 529L120 430H54L29 396L31 388H111L56 126C33 15 54 -12 77 -12C137 -12 214 57 250 95L233 119C208 92 155 59 138 59C126 59 120 70 131 125L186 390L298 394L324 430Z" id="g113-117"></path></g><g transform="matrix(.0091,0,0,-0.0091,4.368,3.132)"><path d="M526 56L493 58C457 61 448 68 448 119V710C411 697 344 682 288 675V646C362 641 367 639 367 573V439C344 448 315 451 300 451C164 451 40 342 40 202C40 61 147 -12 227 -12C239 -12 266 -7 305 16L367 53V-12C427 10 505 21 526 26V56ZM367 88C342 69 306 54 271 54C207 54 133 111 133 229C133 373 219 409 264 409C301 409 342 394 367 359V88Z" id="g58-98"></path></g><g transform="matrix(.0091,0,0,-0.0091,9.264,3.132)"><path d="M138 535C169 535 191 560 191 589C191 620 168 644 139 644S85 620 85 589C85 560 110 535 138 535ZM257 0V30C192 35 185 43 185 109V453C142 435 94 422 40 414V386C101 378 104 372 104 311V109C104 41 97 35 33 30V0H257Z" id="g58-103"></path></g><g transform="matrix(.0091,0,0,-0.0091,11.766,3.132)"><path d="M100 439H52L25 408L28 396H100V106C100 41 92 35 31 30V0H250V29C188 37 181 41 181 106V396H372V107C372 40 365 37 309 29V0H537V29C461 37 453 40 453 106V396H564C576 403 579 428 574 439H453V469C452 558 462 604 474 623S500 656 527 656C562 656 589 634 608 615C619 604 628 607 639 615C647 622 658 633 661 641C666 653 664 664 656 674C637 696 609 708 572 710C528 703 483 682 439 638C418 661 380 685 320 688C269 683 230 666 190 633C139 593 122 550 113 525S100 476 100 451V439ZM372 439H181V461C181 530 194 571 211 598C226 621 248 643 287 643C343 643 379 607 400 578C391 561 384 546 381 529C376 510 372 486 372 457V439Z" id="g58-26"></path></g></svg></td></tr><tr><td colspan="2">(8)  <svg height="11.9316pt" id="M49" style="vertical-align:-3.2957pt" version="1.1" viewbox="-0.0498162 -8.6359 38.4559 11.9316" width="38.4559pt" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><g transform="matrix(.013,0,0,-0.013,0,0)"><path d="M686 28C612 35 607 44 591 112C563 234 541 360 519 489L489 666L457 658L147 121C100 40 89 36 24 28L17 0H240L250 28C168 34 159 41 190 101L262 237H482C495 180 503 137 510 91C517 47 514 35 441 28L433 0H677L686 28ZM475 280H285L429 541H431L475 280Z" id="g113-66"></path></g><g transform="matrix(.0091,0,0,-0.0091,10.244,3.132)"><path d="M396 114C349 71 317 59 274 59C216 59 123 104 123 241C123 342 180 400 246 400C283 400 317 386 348 359C355 352 361 348 366 348C378 348 401 371 402 394C402 405 398 413 385 424C369 437 337 451 294 451H293C254 451 193 434 141 394C73 342 39 277 39 198C39 90 114 -12 243 -12C303 -12 371 31 415 90L396 114Z" id="g58-97"></path></g><g transform="matrix(.0091,0,0,-0.0091,14.248,3.132)"><path d="M527 54L498 55C459 56 451 63 451 114V445C436 442 413 438 384 435C353 432 318 430 291 429V402L328 396C361 390 370 387 370 331V101C336 70 300 54 262 54C217 54 173 78 173 166V300C173 361 173 412 176 445C160 442 132 438 105 434C77 431 52 430 29 429V402L59 395C83 390 92 385 92 331V141C92 30 150 -12 218 -12C246 -12 266 -4 295 13C324 29 346 47 370 64V-6L376 -12C396 -7 421 1 448 8C476 15 504 21 527 24V54Z" id="g58-115"></path></g><g transform="matrix(.0091,0,0,-0.0091,19.171,3.132)"><path d="M185 344V453C137 433 92 421 41 413V386C100 378 104 375 104 310V106C104 41 97 35 33 30V0H268V30C190 35 185 41 185 107V283C206 340 240 371 267 371C282 371 296 364 310 351C316 344 325 343 336 348C357 357 369 378 369 399C369 424 345 451 310 451C262 451 219 397 187 344H185Z" id="g58-112"></path></g><g transform="matrix(.0091,0,0,-0.0091,22.693,3.132)"><path d="M185 344V453C137 433 92 421 41 413V386C100 378 104 375 104 310V106C104 41 97 35 33 30V0H268V30C190 35 185 41 185 107V283C206 340 240 371 267 371C282 371 296 364 310 351C316 344 325 343 336 348C357 357 369 378 369 399C369 424 345 451 310 451C262 451 219 397 187 344H185Z" id="g58-112"></path></g><g transform="matrix(.0091,0,0,-0.0091,26.042,3.132)"><path d="M384 109C349 76 310 59 268 59C197 59 123 113 120 245C240 248 367 259 384 262C403 266 407 275 407 296C407 376 338 451 254 451H253C201 451 148 425 105 378C65 334 39 272 39 203C39 88 112 -12 235 -12C266 -12 339 5 402 84L384 109ZM230 411C285 411 319 365 319 313C319 298 313 293 294 293C236 291 180 290 125 290C141 370 185 411 230 411Z" id="g58-99"></path></g><g transform="matrix(.0091,0,0,-0.0091,29.991,3.132)"><path d="M532 0V30C473 38 467 38 467 107V298C467 395 416 451 336 451C307 451 279 439 251 420C226 404 205 389 185 374V453C142 434 94 422 43 413V386C98 378 104 373 104 309V107C104 41 100 38 31 30V0H251V30C191 35 185 40 185 107V337C216 364 255 389 295 389C360 389 386 347 386 276V110C386 44 380 35 321 30V0H532Z" id="g58-108"></path></g><g transform="matrix(.0091,0,0,-0.0091,34.877,3.132)"><path d="M303 37L293 66C280 59 256 49 231 49S173 63 173 143V396H281C294 404 298 428 287 439H173V575L158 577L92 509V439H46L17 408L22 396H92V107C92 27 128 -12 192 -12C203 -12 218 -9 237 2L303 37Z" id="g58-114"></path></g></svg> = the address after symbolic execution with step size <svg height="8.8423pt" id="M50" style="vertical-align:-0.2064009pt" version="1.1" viewbox="-0.0498162 -8.6359 6.25863 8.8423" width="6.25863pt" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><g transform="matrix(.013,0,0,-0.013,0,0)"><path d="M449 634C442 637 425 643 405 650C376 660 341 666 307 666C181 666 98 590 98 485C98 400 170 343 215 310L246 288C307 243 343 204 343 147C343 67 291 18 219 18C104 18 61 124 51 202L23 199C28 124 27 71 27 47C47 22 122 -16 204 -16C324 -16 428 60 428 174C428 256 379 309 307 360L276 382C223 419 179 455 179 516C179 576 221 632 293 632C379 632 410 564 418 487L448 490C446 536 446 592 449 634Z" id="g113-84"></path></g></svg></td></tr><tr><td colspan="2">(9)  <b>endwhile</b></td></tr><tr><td colspan="2">(10) <b>End</b></td></tr></table></td></tr></table>

<div>Make symbolic trace <svg height="11.1049pt" id="M40" style="vertical-align:-3.29108pt" version="1.1" viewbox="-0.0498162 -7.81382 8.46224 11.1049" width="8.46224pt" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><g transform="matrix(.013,0,0,-0.013,0,0)"><path d="M324 430H196L233 583L223 592L145 529L120 430H54L29 396L31 388H111L56 126C33 15 54 -12 77 -12C137 -12 214 57 250 95L233 119C208 92 155 59 138 59C126 59 120 70 131 125L186 390L298 394L324 430Z" id="g113-117"></path></g><g transform="matrix(.0091,0,0,-0.0091,4.368,3.132)"><path d="M357 391C357 416 325 451 270 451C241 451 179 431 146 400C109 365 97 334 97 307C97 248 143 213 196 180C250 146 261 123 261 101C261 75 237 40 190 40C153 40 110 72 86 109C81 116 68 119 55 112C37 102 24 87 24 66C24 30 85 -12 137 -12C229 -12 331 62 331 140C331 189 304 218 236 260C197 284 164 309 164 346C164 381 194 400 220 400C259 400 282 380 304 350C310 342 321 339 330 344C347 353 357 372 357 391Z" id="g50-116"></path></g></svg> consistent with real trace <span class="nowrap"><svg height="8.02022pt" id="M41" style="vertical-align:-0.2063999pt" version="1.1" viewbox="-0.0498162 -7.81382 4.54925 8.02022" width="4.54925pt" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><g transform="matrix(.013,0,0,-0.013,0,0)"><path d="M324 430H196L233 583L223 592L145 529L120 430H54L29 396L31 388H111L56 126C33 15 54 -12 77 -12C137 -12 214 57 250 95L233 119C208 92 155 59 138 59C126 59 120 70 131 125L186 390L298 394L324 430Z" id="g113-117"></path></g></svg>.</span></div>

Security and Communication Networks

alg4

Algorithm 2

Algorithm 2: An Exploitability Analysis Technique for Binary Vulnerability Based on Automatic Exception Suppression 