publications

2024

1. Operation Mango: Scalable Discovery of Taint-Style Vulnerabilities in Binary Firmware Services

   Wil Gibbs, Arvind S Raj, Jayakrishna Menon Vadayath, and 12 more authors

   In 33rd USENIX Security Symposium (USENIX Security 24), Aug 2024
2. ’Watching over the shoulder of a professional’: Why hackers make mistakes and how they fix them

   Irina Ford, Ananta Soneji, Faris Bugra Kokulu, and 8 more authors

   In 45th IEEE Symposium on Security and Privacy (S&P 24), May 2024

2023

1. Greenhouse: Single-Service Rehosting of Linux-Based Firmware Binaries in User-Space Emulation

   Hui Jun Tay, Kyle Zeng, Jayakrishna Menon Vadayath, and 11 more authors

   In 32nd USENIX Security Symposium (USENIX Security 23), Aug 2023

2022

1. Arbiter: Bridging the Static and Dynamic Divide in Vulnerability Discovery on Binary Programs

   Jayakrishna Vadayath, Moritz Eckert, Kyle Zeng, and 9 more authors

   In 31st USENIX Security Symposium (USENIX Security 22), Aug 2022

   Abs PDF Slides

   In spite of their effectiveness in the context of vulnerability discovery, current state-of-the-art binary program analysis approaches are limited by inherent trade-offs between accuracy and scalability. In this paper, we identify a set of vulnerability properties that can aid both static and dynamic vulnerability detection techniques, improving the precision of the former and the scalability of the latter. By carefully integrating static and dynamic techniques, we detect vulnerabilities that exhibit these properties in real-world programs at a large scale. We implemented our technique, making several advancements in the analysis of binary code, and created a prototype called ARBITER. We demonstrate the effectiveness of our approach with a large-scale evaluation on four common vulnerability classes: CWE-131 (Incorrect Calculation of Buffer Size), CWE-252 (Unchecked Return Value), CWE-134 (Uncontrolled Format String), and CWE-337 (Predictable Seed in Pseudo-Random Number Generator). We evaluated our approach on more than 76,516 x86-64 binaries in the Ubuntu repositories and discovered new vulnerabilities, including a flaw inserted into programs during compilation.

2019

1. Sleak: Automating Address Space Layout Derandomization

   Christophe Hauser, Jayakrishna Vadayath, Yan Shoshitaishvili, and 3 more authors

   In Proceedings of the 35th Annual Computer Security Applications Conference, San Juan, Puerto Rico, USA, Aug 2019

   Abs

   We present a novel approach to automatically recover information about the address space layout of remote processes in the presence of Address Space Layout Randomization (ASLR). Our system, dubbed Sleak, performs static analysis and symbolic execution of binary executable programs, and identifies program paths and input parameters leading to partial (i.e., only a few bits) or complete (i.e., the whole address) information disclosure vulnerabilities, revealing addresses of known objects of the target service or application. Sleak takes, as input, the binary executable program, and generates a symbolic expression for each program output that leaks information about the addresses of objects, such as stack variables, heap structures, or function pointers. By comparing these expressions with the concrete output of a remote process executing the same binary program image, our system is able to recover from a few bits to whole addresses of objects of the target application or service. Discovering the address of a single object in the target application is often enough to guess the layout of entire sections of the address space, which can be leveraged by attackers to bypass ASLR.

2018

1. A Binary Analysis Approach to Retrofit Security in Input Parsing Routines

   Jayakrishna Menon, Christophe Hauser, Yan Shoshitaishvili, and 1 more author

   In 2018 IEEE Security and Privacy Workshops (SPW), Aug 2018

   Abs

   In spite of numerous attempts to mitigate memory corruption vulnerabilities in low-level code over the years, those remain the most common vector of software exploitation today. A common cause of such vulnerabilities is the presence of errors in string manipulation, which are often found in input parsers, where the format of input data is verified and eventually converted into an internal program representation. This process, if done manually in an ad-hoc manner, is error prone and easily leads to unsafe and potentially exploitable behavior. While principled approaches to input validation exist, such as those based on parser generators (e.g., Lex [20] and Ragel [28]), these require a formalization of the input grammar, which is not always a straightforward process and tends to dissuade programmers. As a result, a large portion of input parsing routines as found in commodity software is still implemented in an ad-hoc way, causing numerous security issues. We propose to address this problem from a post-development perspective, by targeting software presenting security risks in opaque, closed-source environments where software components have already been deployed and integrated, and where re-implementation is not an option (e.g., as part of an embedded device’s proprietary firmware). Our system is able to effectively detect vulnerability patterns in binary software and to retrofit security mechanisms preventing exploitation. In a semi-automated setting, it was able to discover an unknown security bug.