Techniques for the Automation of the Heap Exploit Synthesis Pipeline

Research output: Thesis › Doctoral Thesis


In this thesis, we present a set of motivations for studying security exploits for software vulnerabilities and present numerous techniques for the automated synthesis of portions of the exploit-building pipeline. With cyberspace being increasingly embraced as the 5th domain of warfare, in addition to land, sea, air and space, security exploits are finding their role as important ingredients of cyber weapons. They are instrumental in enabling the violation of fundamental security assumptions in target systems, which, in turn, facilitates the infiltration of an arbitrary payload. We discuss the role that exploits play in offensive cyber scenarios and explore the nature of their supply chain. In particular, we consider the differences in the intelligence requirements for the development, deployment and assessment of physical and cyber weapons and discuss how concepts such as assurance, proliferation and deterrence apply to such weapons. Furthermore, we delve into the technical reasons for the manifestation of security bugs and vulnerabilities, and compose custom techniques for automating the exploit-writing pipeline for one class of vulnerabilities.

Programming errors allowing the corruption of critical portions of program memory, such as stack and heap buffer overflows, remain a prevalent problem. Stack overflows are well-studied and archetypal buffer overflows, with a long history of manual exploitation. Recently, even automated bug-finding tools have succeeded in finding stack vulnerabilities and constructing basic customized exploits according to pre-defined formulas. However, generation of heap exploits has so far been out of scope for such methods. We investigate the problem of automatically generating heap exploits, which, in addition to finding the underlying vulnerability, requires intricate interaction with the heap manager.

We identify the challenges involved in automatically finding the right parameters and interaction sequences for such an attack, which traditionally has required manual analysis. To tackle these challenges, we present a modular approach that is designed to minimize the assumptions made about the heap manager used by the target application. Our prototype system is able to find exploit primitives in binary implementations of heap managers and applies these to exploit real-world applications.
Original language: English
Awarding institution: Royal Holloway, University of London
Supervisors:
  • Cavallaro, Lorenzo
  • Kinder, Johannes
Award date: 1 Aug 2020
Publication status: Unpublished - 2020


Keywords:
  • heap
  • exploit
  • synthesis
  • automation
  • symbolic
