deExploit: Identifying misuses of input data to diagnose memory-corruption exploits at the binary level

Memory-corruption exploits are one of the major threats to the Internet security. Once an exploit has been detected, exploit diagnosis techniques can be used to identify the unknown vulnerability and attack vector. In the security landscape, exploit diagnosis is always performed by third-party security experts who cannot access the source code. This makes binary-level exploit diagnosis a time-consuming and error-prone process. Despite considerable efforts to defend against exploits, automatic exploit diagnosis remains a significant challenge. In this paper, we propose a novel insight for detecting memory corruption at the binary level by identifying the misuses of input data and present an exploit diagnosis approach called deExploit. Our approach requires no knowledge of the source code or debugging information. For exploit diagnosis, deExploit is generic in terms of the detection of both control-flow-hijack and data-oriented exploits. In addition, deExploit automatically provides precise information regarding the corruption point, the memory operation that causes the corruption, and the key attack steps used to bypass existing defense mechanisms. We implement deExploit and perform it to diagnose multiple realistic exploits. The results show that deExploit is able to diagnose memory-corruption exploits.