At first glance, releasing a patch that addresses a vulnerability can only benefit security. However, a new patch reveals some information, and having early access to a patch may confer advantages to an attacker.
The automatic patch-based exploit generation (APEG) problem is: given a program P and a patched version of the program P', automatically generate an exploit for the potentially unknown vulnerability present in P but fixed in P'. In this work, we propose new techniques for automatic patch-based exploit generation, and demonstrate that one can automatically generate exploits from the patched binary, sometimes in only a few minutes.
We target input-validation vulnerabilities where the set of inputs accepted by P' is a superset of the safe inputs for P. Our approach to APEG is based on the observation that input-validation bugs are usually fixed by adding the missing sanitization checks. Our goal is to identify the checks added to P', and automatically generate inputs which fail the added checks at a specified line of code. Although generating inputs that execute a given line of code has previously been studied in automatic test case generation, the existing techniques may not scale when there are many different possible program paths. We propose a new technique based upon a mix of dynamic and static analysis to handle such cases.