计算机系统漏洞自动化利用研究关键技术及进展

doi:10.3969/j.issn.1671-1122.2022.03.005

摘要/Abstract

摘要：

网络空间的安全形势日趋复杂,随着软件迭代的速度加快,安全漏洞的数量也呈爆炸式增长。过去依靠安全专家进行评估的方式在面对隐蔽且数量众多的漏洞时需要耗费巨大的人力物力,因此,如何高效地自动寻找软件漏洞、生成对应的漏洞报告并进行后续利用成为当今的一个热点研究方向。文章旨在对漏洞自动化利用的最新进展进行综述,首先提炼漏洞自动化利用的相关技术,然后介绍主流的漏洞自动化利用系统,最后分析总结了目前存在的问题并对未来的研究进行了展望。

关键词: 网络空间, 软件漏洞, 自动化利用

Abstract:

The security situation of cyberspace is becoming more and more complex. Security vulnerabilities exploded in the past few decades with the acceleration of software iteration. Facing with the challenge of hidden and numerous vulnerabilities, traditional methods relying on security experts to conduct assessments often requires huge manpower and material resources. Thus, how to efficiently find software vulnerabilities automatically, generate corresponding EXP (exploit) and make subsequent usage have become a hot spot which attracts widespread attention. This paper aims to summarize the latest developments in the automated exploitation of vulnerabilities. First, this paper refines the related technologies for software vulnerabilities automated exploiting. Second, this paper reviews mainstream software vulnerability automated exploitation systems. Finally, this paper analyzes and summarize the current problems and prospect the future research.

Key words: cyberspace, software vulnerabilities, automatic exploit

中图分类号:

TP309

冯光升, 张熠哲, 孙嘉钰, 吕宏武. 计算机系统漏洞自动化利用研究关键技术及进展[J]. 信息网络安全, 2022, 22(3): 39-52.

FENG Guangsheng, ZHANG Yizhe, SUN Jiayu, LYU Hongwu. Key Technologies and Advances in the Research on Automated Exploitation of Computer System Vulnerabilities[J]. Netinfo Security, 2022, 22(3): 39-52.

图/表 7

图1

表1

表2

堆栈溢出漏洞的自动利用生成的主要研究成果

研究成果	针对问题	主要贡献
Automated Exploit Generation for Stack Buffer Overflow Vulnerabilities	针对堆栈缓冲区溢出漏洞自动生成利用问题	提出一种基于二进制代码符号执行来评估检测到的错误的方法
Modular Synthesis of Heap Exploits	针对堆漏洞的自动利用生成问题	提出一种基于符号执行的模块化方法
Revery	针对基于堆的漏洞自动利用生成问题	提出一种布局-贡献者有向图数据结构,以表征漏洞的内存布局及其贡献者指令,从而实现许多与漏洞利用相关的分析
SHRIKE	针对分析堆布局操作存在的漏洞自动利用生成问题	设计一个可以在PHP解释器上执行自动堆布局操作的系统,可用于构建控制流劫持漏洞,同时提出一种用于堆布局操作的伪随机黑框搜索算法
HeapHopper	针对堆元数据处理时存在的漏洞进行自动利用生成问题	提出一种基于模型检查和符号执行的自动方法堆处理器,来分析在存在内存漏洞时堆实现的可利用性
Pangr	针对二进制文件中存在的堆栈溢出漏洞	提出基于行为的漏洞检测建模,可以有效地对漏洞进行检测和分类
Gollum	针对解释器中的堆溢出漏洞自动生成利用问题	提出一种纯灰盒方法来利用生成,引入了惰性解决的概念,描述了一种遗传算法来解决堆布局问题
ARCHEAP	针对堆分配器元数据的利用技术自动生成利用问题	总结堆分配器共享的通用设计,并定义了利用的影响,可用于有效评估利用技术
HAEPG	针对堆漏洞的自动利用生成问题	使用混合技术来构建堆交互模型并试图通过多跳方式实现漏洞利用的生成
MAZE	针对堆布局的漏洞自动利用生成问题	提出一种新的自动化堆布局操作解决方案,能够为广泛的堆分配器生成复杂的堆布局,从而促进自动化开发生成
AngErza	针对缓冲区溢出类漏洞的自动利用生成问题	提出一种基于angr的方法,使用动态符号执行来识别代码中的漏洞点,制定约束条件并基于这些约束生成有效利用

表2

表3

表4

表5

表6

参考文献 82

[1]	CADAR C, GODEFROID P, KHURSHID S, et al. Symbolic Execution for Software Testing in Practice: Preliminary Assessment [C]// IEEE. 2011 33rd International Conference on Software Engineering (ICSE), May 21-28, 2011, Honolulu, HI, USA. New York: IEEE, 2011: 1066-1071.
[2]	SCHWARTZ E J, AVGERINOS T, BRUMLEY D. All You Ever Wanted to Know about Dynamic Taint Analysis and Forward Symbolic Execution (but Might Have Been Afraid to Ask) [C]//IEEE. 2010 IEEE Symposium on Security and Privacy, May 16-19, 2010, Oakland, CA, USA. New York: IEEE, 2010: 317-331.
[3]	YE Zhibin, YAN Bo. Survey of Symbolic Execution[J]. Computer Science, 2018, 45(S1):28-35.
	叶志斌, 严波. 符号执行研究综述[J]. 计算机科学, 2018, 45(S1):28-35.
[4]	CADAR C, DUNBAR D, ENGLER D R. Klee: Unassisted and Automatic Generation of High-coverage Tests for Complex Systems Programs[EB/OL]. https://www.researchgate.net/publication/220851853_KLEE_Unassisted_and_Automatic_Generation_of_High-Coverage_Tests_for_Complex_Systems_Programs, 2008-12-10.
[5]	BURNIM J, SEN K. Heuristics for Scalable Dynamic Test Generation [C]//IEEE. 23rd IEEE/ACM International Conference on Automated Software Engineering (ASE 2008), September 15-19,2008, L'Aquila, Italy. New York: IEEE, 2008: 443-446.
[6]	SEN K, AGHA G. CUTE and jCUTE: Concolic Unit Testing and Explicit Path Model-checking Tools [C]//CAV. 18th International Conference on Computer Aided Verification, August 17-20, 2006, Seattle, WA, USA. Heidelberg: Springer, 2006: 419-423.
[7]	BOONSTOPPEL P, CADAR C, ENGLER D. RWset: Attacking Path Explosion in Constraint-based Test Generation [C]//TACAS. 14th International Conference on Tools and Algorithms for the Construction and Analysis of Systems, March 29-April 6, 2008, Hungary, Budapest. Heidelberg: Springer, 2008: 351-366.
[8]	GODEFROID P. Compositional Dynamic Test Generation [C]//ACM. Proceedings of the 34th Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, January 17-19, 2007, Nice, France. New York: ACM, 2007: 47-54.
[9]	KUZNETSOV V, KINDER J, BUCUR S, et al. Efficient State Merging in Symbolic Execution[J]. ACM Sigplan Notices, 2012, 47(6):193-204.
[10]	AVGERINOS T, REBERT A, CHA S K, et al. Enhancing Symbolic Execution with Veritesting [C]//ACM. Proceedings of the 36th International Conference on Software Engineering, May 31- June 7, 2014, Hyderabad, India. New York: ACM, 2014: 1083-1094.
[11]	MARINESCU P D, CADAR C. Make Test-zesti: A Symbolic Execution Solution for Improving Regression Testing [C]//IEEE. 2012 34th International Conference on Software Engineering (ICSE), June 2-9, 2012, Zurich, Switzerland. New York: IEEE, 2012: 716-726.
[12]	ENGLER D, DUNBAR D. Under-constrained Execution: Making Automatic Code Destruction Easy and Scalable [C]//ACM. ISSTA07: Proceedings of the 2007 International Symposium on Software Testing and Analysis, July 9-12, 2007, London, United Kingdom. New York: ACM, 2007: 1-4.
[13]	RAMOS D A, ENGLER D. Under-constrained Symbolic Execution: Correctness Checking for Real Code [C]//USENIX. SEC’15: Proceedings of the 24th USENIX Conference on Security Symposium, August 12-14, 2015, Washington, D.C., USA. Berkeley: USENIX Association, 2015: 49-64.
[14]	ZOU Quanchen, ZHANG Tao, WU Runpu, et al. From Automation to Intelligence: Survey of Research on Vulnerability Discovery Techniques[J]. Journal of Tsinghua University(Science and Technology), 2018, 58(12):1079-1094.
	邹权臣, 张涛, 吴润浦, 等. 从自动化到智能化:软件漏洞挖掘技术进展[J]. 清华大学学报(自然科学版), 2018, 58(12):1079-1094.
[15]	BORRALLERAS C, LUCAS S, OLIVERAS A, et al. SAT Modulo Linear Arithmetic for Solving Polynomial Constraints[J]. Journal of Automated Reasoning, 2012, 48(1):107-131. doi: 10.1007/s10817-010-9196-8 URL
[16]	ARMANDO A, BONACINA M P, RANISE S, et al. New Results on Rewrite-based Satisfiability Procedures[J]. ACM Transactions on Computational Logic (TOCL), 2009, 10(1):1-51.
[17]	CIMATTI A, GRIGGIO A, SCHAAFSMA B J, et al. The MathSat5 SMT Solver [C]//TACAS. Proceedings of the 19th International Conference on Tools and Algorithms for the Construction and Analysis of Systems, March 16-24, 2013, Rome, Italy. Heidelberg: Springer, 2013: 93-107.
[18]	JHA S, LIMAYE R, SESHIA S A. Beaver: Engineering an Efficient SMT Solver for Bit-vector Arithmetic [C]//CAV. 21st International Conference on Computer Aided Verification, June 26-July 2, 2009, Grenoble, France. Heidelberg: Springer, 2009: 668-674.
[19]	KHANH T V, OGAWA M. SMT for Polynomial Constraints on Real Numbers[J]. Electronic Notes in Theoretical Computer Science, 2012, 289(1):27-40. doi: 10.1016/j.entcs.2012.11.004 URL
[20]	SEN K, MARINOV D, AGHA G. CUTE: A Concolic Unit Testing Engine for C[J]. ACM SIGSOFT Software Engineering Notes, 2005, 30(5):263-272. doi: 10.1145/1095430.1081750 URL
[21]	CADAR C, DUNBAR D, ENGLER D R. Klee: Unassisted and Automatic Generation of High-coverage Tests for Complex Systems Programs [C]//OSDI. 8th USENIX Symposium on Operating Systems Design and Implementation, December 8-10, 2008, San Diego, California, USA. New York: ACM, 2008: 209-224.
[22]	VISSER W, GELDENHUYS J, DWYER M B. Green: Reducing, Reusing and Recycling Constraints in Program Analysis [C]//ACM. Proceedings of the ACM SIGSOFT 20th International Symposium on the Foundations of Software Engineering, November 11-16, 2012, Cary, North Carolina, USA. New York: ACM, 2012: 1-11.
[23]	AQUINO A, BIANCHI F A, CHEN M, et al. Reusing Constraint Proofs in Program Analysis [C]//SIGSOFT. Proceedings of the 2015 International Symposium on Software Testing and Analysis, July 13-17, 2015, Baltimore, MD, USA. New York: ACM, 2015: 305-315.
[24]	JIA Xiangyang, GHEZZI C, YING Shi. Enhancing Reuse of Constraint Solutions to Improve Symbolic Execution [C]//ACM. Proceedings of the 2015 International Symposium on Software Testing and Analysis, July 13-17, 2015, Baltimore, MD, USA. New York: ACM, 2015: 177-187.
[25]	YANG Guowei, JIA Xiangyang, PĂSĂREANU C S, KHURSHID S. Memoized Symbolic Execution [C]//ACM. Proceedings of the 2012 International Symposium on Software Testing and Analysis, July 15-20, 2012, Minneapolis, MN, USA. New York: ACM, 2012: 144-154.
[26]	ZHANG Xiong, LI Zhoujun. Survey of Fuzz Testing Technology[J]. Computer Science, 2016, 43(5):1-8, 26. doi: 10.1063/1.31301 URL
	张雄, 李舟军. 模糊测试技术研究综述[J]. 计算机科学, 2016, 43(5):1-8,26.
[27]	LI Jun, ZHAO Bodong, ZHANG Chao. Fuzzing: A Survey[J]. Cybersecurity, 2018, 1(1):1-13. doi: 10.1186/s42400-018-0005-8 URL
[28]	SU Y K, CHA S, BAE D H. Automatic and Lightweight Grammar Generation for Fuzz Testing[J]. Computers & Security, 2013, 36(6):1-11. doi: 10.1016/j.cose.2013.02.001 URL
[29]	DE RUITER J, POLL E. Protocol State Fuzzing of TLS Implementations [C]//USENIX. SEC’15: Proceedings of the 24th USENIX Conference on Security Symposium, August 12-14, 2015, Washington, D.C., USA. Berkeley: USENIX Association, 2015: 193-206.
[30]	MCNALLY R, YIU K, GROVE D, et al. Fuzzing: the State of the Art[R]. Edinburgh (Australia): Defence Science and Technology Organisation Edinburgh, DSTO-TN-1043, 2012.
[31]	JIN Tong. Optimization Strategy Based on Directed Fuzzing[J]. Digital Technology & Application, 2021, 39(3):81-83.
	金童. 基于导向性漏洞挖掘的优化策略[J]. 数字技术与应用, 2021, 39(3):81-83.
[32]	WANG Chenxin, KANG Shunyao. ADFL: an Improved Algorithm for American Fuzzy Lop in Fuzz Testing [C]//ACM. International Conference on Cloud Computing and Security, June 8-10, 2018, Haikou, China. Heidelberg: Springer, 2018: 27-36.
[33]	BOEHME M, CADAR C, ROYCHOUDHURY A. Fuzzing: Challenges and Reflections[J]. IEEE Software, 2021, 38(3):79-86. doi: 10.1109/MS.2020.3016773 URL
[34]	CHAO W C, LIN S C, CHEN Y H, et al. Design and Implement Binary Fuzzing Based on Libfuzzer [C]//IEEE. 2018 IEEE Conference on Dependable and Secure Computing (DSC), December 10-13, 2018, Kaohsiung, Taiwan, China. New York: IEEE, 2018: 1-2.
[35]	GAN Shuitao, ZHANG Chao, QIN Xiaojun, et al. CollAFL: Path Sensitive Fuzzing [C]//IEEE. 2018 IEEE Symposium on Security and Privacy (SP), May 20-24, 2018, San Francisco, CA, USA. New York: IEEE, 2018: 679-696.
[36]	RAWAT S, JAIN V, KUMAR A, et al. VUzzer: Application-aware Evolutionary Fuzzing [C]//NDSS. The Network and Distributed System Security (NDSS) Symposium 2017, February 26-March 1, 2017, San Diego, California, USA. San Diego: NDSS, 2017: 1-14.
[37]	BIYANI A, SHARMA G, AGHAV J, et al. Extension of SPIKE for Encrypted Protocol Fuzzing [C]//IEEE. 2011 Third International Conference on Multimedia Information Networking and Security, November 4-6, 2011, Shanghai, China. New York: IEEE, 2011: 343-347.
[38]	HODOVÁN R, KISS Á, GYIMÓTHY T. Grammarinator: a Grammar-based Open Source Fuzzer [C]//ACM. Proceedings of the 9th ACM SIGSOFT International Workshop on Automating TEST Case Design, Selection, and Evaluation, November 5, 2018, Lake Buena Vista, FL, USA. New York: ACM, 2018: 45-48.
[39]	ZHANG Hua, ZHANG Zhao, TANG Wen. Improve Peach: Making Network Protocol Fuzz Testing More Precisely[EB/OL]// https://www.scientific.net/AMM.551.642, 2014-05-10.
[40]	WANG Junjie, CHEN Bihuan, WEI Lei, et al. Skyfire: Data-driven Seed Generation for Fuzzing [C]//IEEE. 2017 IEEE Symposium on Security and Privacy (SP), May 22-26, 2017, San Jose, CA, USA. New York: IEEE, 2017: 579-594.
[41]	REN Yuzhu, ZHANG Youwei, AI Chengwei. Survey on Taint Analysis Technology[J]. Journal of Computer Applications, 2019, 39(8):2302-2309.
	任玉柱, 张有为, 艾成炜. 污点分析技术研究综述[J]. 计算机应用, 2019, 39(8):2302-2309.
[42]	WANG Lei, LI Feng, LI Lian, et al. Principle and Practice of Taint Analysis[J]. Journal of Software, 2017, 28(4):860-882.
	王蕾, 李丰, 李炼, 等. 污点分析技术的原理和实践应用[J]. 软件学报, 2017, 28(4):860-882.
[43]	NI Yuandong, ZHANG Chao, YIN Tingting. A Survey of Smart Contract Vulnerability Research[J]. Journal of Cyber Security, 2020, 5(3):78-99.
[44]	AVGERINOS T, CHA S K, REBERT A, et al. Automatic Exploit Generation[J]. Communications of the ACM, 2014, 57(2):74-84.
[45]	HUANG S K, HUANG M H, HUANG P Y, et al. Crax: Software Crash Analysis for Automatic Exploit Generation by Modeling Attacks as Symbolic Continuations [C]//IEEE. 2012 IEEE Sixth International Conference on Software Security and Reliability Companion, June 20-22, 2012, Gaithersburg, MD, USA. New York: IEEE, 2012: 78-87.
[46]	CHA S K, AVGERINOS T, REBERT A, et al. Unleashing Mayhem on Binary Code [C]//IEEE. Proceedings of the 2012 IEEE Symposium on Security and Privacy, May 20-25, 2012, Washington, D.C., USA. New York: IEEE Computer Society, 2012: 380-394.
[47]	LI Minglei, LU Yuliang, HUANG Hui, et al. Research on Automatic Exploitation of House of Spirit Heap Overflow Vulnerability [C]//IEEE. 2020 IEEE 4th Information Technology, Networking, Electronic and Automation Control Conference (ITNEC), June 12-14, 2020, Chongqing, China. New York: IEEE, 2020: 751-757.
[48]	WANG Minghua, SU Purui, LI Qi, et al. Automatic Polymorphic Exploit Generation for Software Vulnerabilities [C]//Springer. International Conference on Security and Privacy in Communication Systems, September 25-28, 2013, Sydney, NSW, Australia. Heidelberg: Springer, 2013: 216-233.
[49]	HU H, CHUA Z L, ADRIAN S, et al. Automatic Generation of Data-oriented Exploits [C]//ACM. Proceedings of the 24th USENIX Conference on Security Symposium, August 12-14, 2015, Washington, D.C., USA. New York: USENIX Association, 2015: 177-192.
[50]	YILMAZ F, SRIDHAR M, CHOI W. Guide Me to Exploit: Assisted ROP Exploit Generation for ActionScript Virtual Machine [C]//ACM. Annual Computer Security Applications Conference, December 7-11, 2020, Austin, Texas, USA. New York: ACM, 2020: 386-400.
[51]	PADARYAN V A, KAUSHAN V V, FEDOTOV A N. Automated Exploit Generation for Stack Buffer Overflow Vulnerabilities[J]. Programming and Computer Software, 2015, 41(6):373-380. doi: 10.1134/S0361768815060055 URL
[52]	CHEN Yueqi, LIN Zhenpeng, XING Xinyu. A Systematic Study of Elastic Objects in Kernel Exploitation [C]//ACM. Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security, November 9-13, 2020, Virtual Event, USA. New York: ACM, 2020: 1165-1184.
[53]	WANG Yan, ZHANG Chao, XIANG Xiaobo, et al. Revery: From Proof-of-concept to Exploitable [C]//ACM. Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, October 15-19, 2018, Toronto, Ontario, Canada. New York: ACM, 2018: 1914-1927.
[54]	HEELAN S, MELHAM T, KROENING D. Automatic Heap Layout Manipulation for Exploitation [C]//USENIX. Proceedings of the 27th USENIX Conference on Security Symposium, August 15-17, 2018, Baltimore, MD, USA. Berkeley: USENIX Association, 2018: 763-779.
[55]	ECKERT M, BIANCHI A, WANG R, et al. HEAPHOPPER: Bringing Bounded Model Checking to Heap Implementation Security [C]//USENIX. Proceedings of the 27th USENIX Conference on Security Symposium, August 15-17, 2018, Baltimore, MD, USA. Berkeley: USENIX Association, 2018: 99-116.
[56]	LIU Danjun, WANG Jingyuan, RONG Zeling, et al. Pangr: A Behavior-based Automatic Vulnerability Detection and Exploitation Framework [C]//IEEE. 2018 17th IEEE International Conference on Trust, Security and Privacy in Computing and Communications/12th IEEE International Conference on Big Data Science and Engineering (TrustCom/BigDataSE), August 1-3, 2018, New York, NY, USA. New York: IEEE, 2018: 705-712.
[57]	HEELAN S, MELHAM T, KROENING D. Gollum: Modular and Greybox Exploit Generation for Heap Overflows in Interpreters [C]//ACM. Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, November 11-15, 2019, London, United Kingdom. New York: ACM, 2019: 1689-1706.
[58]	YUN I, KAPIL D, KIM T. Automatic Techniques to Systematically Discover New Heap Exploitation Primitives [C]//USENIX. 29th USENIX Security Symposium, August 12-14, 2020, Virtual Event, USA. New York: ACM, 2020: 1111-1128.
[59]	ZHAO Zixuan, WANG Yan, GONG Xiaorui. HAEPG: An Automatic Multi-hop Exploitation Generation Framework [C]//German Informatics Society (GI). International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, June 24-26, 2020, Lisbon, Portugal. Heidelberg: Springer, 2020: 89-109.
[60]	WANG Yan, ZHANG Chao, ZHAO Zixuan, et al. MAZE: Towards Automated Heap Feng Shui[EB/OL]. https://www.usenix.net/system/files/sec21fall-wang-yan.pdf, 2021-08-12.
[61]	DIXIT S, GEETHNA T K, JAYARAMAN S, et al. AngErza: Automated Exploit Generation [C]//IEEE. 2021 12th International Conference on Computing Communication and Networking Technologies (ICCCNT), July 6-8, 2021, Kharagpur, India. New York: IEEE, 2021: 1-6.
[62]	WU Wei, CHEN Yueqi, XU Jun, et al. FUZE: Towards Facilitating Exploit Generation for Kernel Use-after-free Vulnerabilities [C]//USENIX. 27th USENIX Security Symposium, August 15-17, 2018, Baltimore, MD, USA. New York: ACM, 2018: 781-797.
[63]	WU Wei, CHEN Yueqi, XING Xinyu, et al. KEPLER: Facilitating Control-flow Hijacking Primitive Evaluation for Linux Kernel Vulnerabilities [C]//USENIX. Proceedings of the 28th USENIX Conference on Security Symposium, August 14-16, Santa Clara, CA, USA. Berkeley: USENIX Association, 2019: 1187-1204.
[64]	CHEN Yueqi, XING Xinyu. Slake: Facilitating Slab Manipulation for Exploiting Vulnerabilities in the Linux Kernel [C]//ACM. Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, November 11-15, 2019, London, United Kingdom. New York: ACM, 2019: 1707-1722.
[65]	CHEN Weiteng, ZOU Xiaocheng, LI Guoren, et al. KOOBE: Towards Facilitating Exploit Generation of Kernel Out-of-bounds Write Vulnerabilities[C]//USENIX. 29th USENIX Security Symposium, August 12-14, 2020, Virtual Event, USA. New York: ACM, 2020: 1093-1110.
[66]	SHEN Shuaiqi, ZHANG Kuan, ZHOU Yi, et al. Security in Edge-assisted Internet of Things: Challenges and Solutions[J]. Science China Information Sciences, 2020, 63(12):1-14.
[67]	FALANA O J, EBO I O, TINUBU C O, et al. Detection of Cross-site Scripting Attacks Using Dynamic Analysis and Fuzzy Inference System [C]//IEEE. 2020 International Conference in Mathematics, Computer Engineering and Computer Science (ICMCECS), March 18-21, 2020, Ayobo, Nigeria. New York: IEEE, 2020: 1-6.
[68]	ZHANG Bing, LI Jingyue, REN Jiadong, et al. Efficiency and Effectiveness of Web Application Vulnerability Detection Approaches: A Review[EB/OL]. https://dl.acm.org/doi/10.1145/3474553, 2021-10-08.
[69]	HUANG S K, LU H L, LEONG W M, et al. Craxweb: Automatic Web Application Testing and Attack Generation [C]//IEEE. Proceedings of the 2013 IEEE 7th International Conference on Software Security and Reliability, June 18-20, 2013, Gaithersburg, MD, USA. New York: IEEE, 2013: 208-217.
[70]	ALHUZALI A, ESHETE B, GJOMEMO R, et al. Chainsaw: Chained Automated Workflow-based Exploit Generation [C]//ACM. Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, October 24-28, 2016, Vienna, Austria. New York: ACM, 2016: 641-652.
[71]	JAN S, PANICHELLA A, ARCURI A, et al. Automatic Generation of Tests to Exploit XML Injection Vulnerabilities in Web Applications[J]. IEEE Transactions on Software Engineering, 2017, 45(4):335-362. doi: 10.1109/TSE.32 URL
[72]	GARMANY B, STOFFEL M, GAWLIK R, et al. Towards Automated Generation of Exploitation Primitives for Web Browsers [C]//ACSAC. Proceedings of the 34th Annual Computer Security Applications Conference, December 3-7, 2018, San Juan, PR, USA. New York: ACM, 2018: 300-312.
[73]	ALHUZALI A, GJOMEMO R, ESHETE B, et al. NAVEX: Precise and Scalable Exploit Generation for Dynamic Web Applications [C]//USENIX. Proceedings of the 27th USENIX Conference on Security Symposium, August 15-17, 2018, Baltimore, MD, USA. Berkeley: USENIX Association, 2018: 377-392.
[74]	GARCIA J, HAMMAD M, GHORBANI N, et al. Automatic Generation of Inter-component Communication Exploits for Android Applications [C]//ACM. Joint Meeting of the European Software Engineering Conference and the ACM SIGSOFT Symposium on the Foundations of Software Engineering, September 4-8, 2017, Paderborn, Germany. New York: ACM, 2017: 661-671.
[75]	LUO Lannan, ZENG Qiang, CAO Chen, et al. System Service Call-oriented Symbolic Execution of Android Framework with Applications to Vulnerability Discovery and Exploit Generation [C]//ACM. Proceedings of the 15th Annual International Conference on Mobile Systems, Applications, and Services, June 19-23, 2017, Niagara Falls, New York, USA. New York: ACM, 2017: 225-238.
[76]	YANG Guangliang, HUANG J, GU Guofei. Automated Generation of Event-oriented Exploits in Android Hybrid Apps[EB/OL]. https://www.ndss-symposium.org/wp-content/uploads/2018/02/ndss2018_04B-3_Yang_paper.pdf, 2018-02-20.
[77]	ZHOU Mingsong, ZENG Fanping, ZHANG Yu, et al. Automatic Generation of Capability Leaks’ Exploits for Android Applications [C]//IEEE. 2019 IEEE International Conference on Software Testing, Verification and Validation Workshops (ICSTW), April 22-23, 2019, Xi’an, China. New York: IEEE, 2019: 291-295.
[78]	SU Purui, HUANG Huafeng, YU Yuanping, et al. Summary of Research on Software Vulnerability Auto Exploit[J]. Journal of Guangzhou University (Natural Science Edition), 2019, 18(3):52-58.
	苏璞睿, 黄桦烽, 余媛萍, 等. 软件漏洞自动利用研究综述[J]. 广州大学学报(自然科学版), 2019, 18(3):52-58.
[79]	SCHWARTZ E J, AVGERINOS T, BRUMLEY D. Q: Exploit Hardening Made Easy[EB/OL]. https://www.usenix.org/legacy/event/sec11/tech/full_papers/Schwartz.pdf, 2011-08-08.
[80]	HU Hong, SHINDE S, ADRIAN S, et al. Data-oriented Programming: on the Expressiveness of Non-control Data Attacks [C]//IEEE. 2016 IEEE Symposium on Security and Privacy (SP), May 22-26, 2016, San Jose, CA, USA. New York: IEEE, 2016: 969-986.
[81]	ISPOGLOU K K, ALBASSAM B, JAEGER T, et al. Block Oriented Programming: Automating Data-only Attacks [C]//ACM. Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, October 15-19, 2018, Toronto, Ontario, Canada. New York: ACM, 2018: 1868-1882.
[82]	FANG Hao, FEN Wenbo, FU Menglin. An Automatic Exploit Generation Method Based on Symbolic Execution [C]//IMCCC. 2018 Eighth International Conference on Instrumentation & Measurement, Computer, Communication and Control (IMCCC), July 19-21, 2018, Harbin, China. New York: IEEE, 2018: 437-444.

研究成果	针对问题	主要贡献
APEG	针对如何自动搜索已发布补丁的程序中存在的漏洞问题	提出一种基于补丁的自动漏洞利用生成程序
AEG	针对如何自动发现漏洞并对漏洞生成相关利用问题	提出一种全自动的端到端的自动生成利用方法,开发了一种新的预处理符号执行技术和路径优先级算法
CRAX	针对AEG产生的exp可能会由于漏洞点和触发exp点的传播距离过远而失效问题	提出一种构建在新的符号执行平台上的自动化漏洞利用生成框架
Mayhem	针对自动查找二进制程序中可利用漏洞问题	提出一种以高效且可扩展的方式自动查找二进制程序中可利用漏洞的工具,引入了一种新的混合符号执行方案,将现有符号执行技术（在线和离线）的优点结合到一个系统中,还介绍了基于索引的内存建模方法
AXGEN	针对利用缓冲区溢出漏洞生成自动利用问题	提出第一种使用源自软件验证和程序分析的方法进行漏洞利用生成的工具
PolyAEG	针对二进制程序中控制流劫持类漏洞的自动利用生成问题	提出一种通过多样化跳转指令和shellcode的组合来产生漏洞的方法
FlowStitch	针对如何面向数据流生成自动利用问题	将数据流拼接概念化,提出一种通过一个内存错误将良性数据流组合到一个应用程序中从而系统化地构建面向数据的攻击方法
GuidExp	针对语言虚拟机中漏洞的自动利用生成问题	构建一个引导（半自动）开发生成工具,其目标是语言虚拟机实现中的漏洞

研究成果	针对问题	主要贡献
FUZE	针对内核释放后使用（UAF）漏洞自动利用生成问题	设计一种在Linux系统中利用内核融合和符号执行来促进内核UAF利用生成的框架
KEPLER	针对Linux内核使用控制流劫持原语创建漏洞问题	提出一种新的代码重用利用技术,将单一不适合的控制流劫持原语转换为任意ROP有效负载执行
SLAKE	针对Linux内核的复杂性以及slab内存分配算法的不确定性问题	对常用的内核开发方法进行建模,设计一种利用静态/动态分析来识别对内核开发有用的内核对象和系统调用的方法
KOOBE	针对Linux内核OOB漏洞自动生成利用问题	归纳利用Linux内核OOB漏洞的关键挑战,并设计一个有效的分析框架,提取该类型漏洞的内在特征

研究成果	针对问题	主要贡献
QED	针对XSS和SQL注入的自动利用生成问题	提出一种目标导向的模型检查系统,可利用大型 Java Web 应用程序中的基于污点的漏洞能力自动生成攻击
ARDILLA	针对Web应用程序中的安全漏洞自动利用生成问题	提出一种用于创建SQLI和XSS攻击向量的全自动技术,同时提出一种象征性地跟踪数据库中受污染数据流的新方法
WAPTEC	针对参数篡改漏洞的自动利用生成问题	提出一种将形式逻辑和约束求解、符号评估和动态分析相结合的方法
CRAXWeb	针对Web应用程序中的自动利用生成问题	提出一种基于S²E测试方法的动态符号执行,同时提出了单路径并行模式及一些优化
CHAINSAW	针对Web注入漏洞的识别和自动利用生成的改进问题	提出一种应用程序工作流、数据库模式和本地函数的精确模型,实现了高质量的利用自动生成
SUT	针对SOAP通信的XML注入自动利用生成问题	比较4种不同的搜索算法,即标准遗传算法（SGA）、实编码遗传算法（RGA）、爬山算法（HC）和随机搜索算法（RS）并提出一种元启发式搜索算法
PrimGen	针对网络浏览器的漏洞自动利用生成问题	提出一种方法来自动执行使浏览器崩溃的输入,以执行不同的利用原语
NAVEX	针对Web应用程序的动态特性的利用自动生成问题	提出一种结合了由静态分析技术指导的动态分析方法,以自动识别漏洞并构建利用

研究成果	针对问题	主要贡献
LetterBomb	针对Android应用程序中漏洞的自动利用生成问题	提出一种自动生成Android应用程序漏洞利用的方法,采用依赖于组合的基于路径敏感的符号执行的静态分析,以及软件检测技术和测试预言机
CENTAUR	针对Android应用程序漏洞的分析与自动利用生成问题	提出一种基于Android系统构建符号执行器的创新架构,设计一个强大的算法,将执行上下文信息从Android迁移到符号执行器
EOEDroid	针对Android系统中集成的嵌入浏览器中存在的漏洞的自动利用生成问题	提出一种新的方法,可以使用选择性符号执行和静态分析来自动检查给定的混合应用程序中的事件处理程序
Mingsong Zhou等	针对Android程序的功能泄露的自动利用生成问题	提出一种基于路径敏感符号执行的工具,它可以自动生成功能泄露的静态分析和测试

研究成果	针对问题	主要贡献
Q	针对数据执行保护和地址随机化导致的漏洞利用困难问题	针对控制流劫持类漏洞,提出了一种通过从少量非随机代码中自动创建ROP有效负载的新技术
DOP	针对内存中非控制数据流的自动利用生成问题	提出了一种面向数据的编程（DOP）方法,这是一种针对脆弱程序构建图灵完全非控制数据攻击的通用方法
BOPC	针对高级CFI和影子堆栈等控制流劫持防御的自动利用生成问题	提出了SPL,一种可以访问虚拟寄存器的语言,以及一个用于调用操作系统和其他库函数的API,适用于编写漏洞利用负载,开发了一个跟踪模块,允许使用目标二进制文件的代码执行以SPL编写的任意有效负载
R2dlAEG	针对Return-to-dl-resolve方法需要手工生成漏洞利用问题	提出了一种基于符号执行的Return-to-dl-resolve自动化实现方法