Hi,

Thanks for your inspiring and impressive work. I have read your paper and some of the code you have released, but some points in the paper and code are not clear to me. Could you help clarify them? Thanks!

`sudo` program, achieve the desired heap layout when executing the `sudo` program by combining the primitive sequence and crashing input? As Section V.F(2) mentioned, "we launch new fuzzing campaigns to generate concrete inputs and leverage symbolic execution to facilitate input byte inference when the fuzzer is stuck. The test cases from the fuzzing campaigns in §V-A that trigger desired primitives in the sequence are kept as the initial seeds for the new fuzzing campaigns." I am not sure how to consume it. From my current understanding, does this mean that instead of using the initial crash input (the one that can trigger the vulnerability), BAGUA adopts fuzzing and symbolic execution to construct a new input that can both trigger the vulnerability and the expected primitive sequence, so that the heap layout in the `sudo` program can be expected during its execution? Is my understanding correct? Thanks.

`split` and `normal` `occupy_mode` in `hplayout_generator.py`. I can run `hplayout_generator.py` on my machine now after your fix for #3 (thanks for your help again!), and the `Exim` example involves `do_split_generate`, which uses the `split` mode to generate the expected heap layout. Since I am more interested in using normal mode (within basic capability) for the occupation to analyze some programs, can a `normal` occupation be used to generate a heap layout for the current `Exim` example? (I forced `occupy_mode` to `normal`, but I got errors because the size of the target hole and TO is pretty large.) Since you may still be working on the code cleaning for the final release, can you provide a simple example that can run the `normal` occupation mode for study purposes?

Thank you very much for your time and help!

Best regards,
Haoxin

---

Hanseltu (closed 1 year ago):

Thanks for your concern on our paper and code. Firstly, as has been stated in the paper, our work starts from a crash input that triggers and could generate an input which could achieve a desired heap layout before triggering the vulnerability. Secondly, we will give an example using normal mode for manipulation soon to help you better understand our implementation.