Tunter: Assessing Exploitability of Vulnerabilities with Taint-Guided Exploitable States Exploration

2023 
Assessing the exploitability of vulnerabilities is critical for defenders. However, the vulnerability-triggering samples available to analysts often do not reach exploitable states, making it hard to assess accurately whether the underlying vulnerabilities are exploitable. Several customized fuzzing solutions have been proposed to address this problem by searching for new vulnerability-triggering test cases that enter exploitable program states. Such solutions are inefficient, however, and in general take an overwhelmingly long time to find exploitable states, because of the large number of program paths to explore and the complicated path constraints to satisfy. In this paper, we present a new automated solution to assess the exploitability of vulnerabilities. It can explore exploitable program states and generate working exploits even when only non-exploitable vulnerability-triggering samples are given. It adopts two novel techniques: (1) a procedure to explore candidate exploitable states; and (2) a to prune unwanted states for exploitation, which alleviates the state explosion problem faced by symbolic execution. We have implemented a prototype of Tunter and evaluated it on 14 capture-the-flag (CTF) programs and two real-world applications. The experimental results demonstrate that it performs significantly better than the state-of-the-art solution Revery (Wang et al., 2018). Specifically, it finds exploitable states for these 16 programs with 75% recall and 88.9% precision, and eventually generates working exploits for 11 of the 16 programs. Moreover, Tunter is 41.02 times faster than Revery.