Zhechang Zhang (The Pennsylvania State University), Hengkai Ye (The Pennsylvania State University), Song Liu (University of Delaware), Hong Hu (The Pennsylvania State University)

Control-flow integrity (CFI) is a widely adopted defense against control-flow hijacking attacks, designed to restrict indirect control transfers to a set of legitimate targets. However, even under a precise static CFI policy, attackers can still hijack control flow through function substitution attacks (Sub attacks), by replacing one valid target with another that remains within the allowed set. While prior work has demonstrated the feasibility of such attacks through manual construction, no approach constructs them systematically, scalably, and in an end-to-end manner.

In this work, we present SACK, the first systematic framework for automatically constructing Sub attacks at scale. SACK collects triggered indirect call targets from benign executions and synthesizes security oracles with the assistance of a large language model. It then automatically performs target substitutions and leverages security oracles to detect security violations, while ensuring that execution strictly adheres to precise CFI policies. We apply SACK to seven widely used applications and successfully construct 419 Sub attacks that compromise critical security features. We further develop five end-to-end exploits based on historical bugs in SQLite3, V8 and Nginx, enabling arbitrary command execution or authentication bypass. Our results demonstrate that SACK provides a scalable and automated pipeline capable of uncovering large numbers of end-to-end attacks across diverse applications.

View More Papers

Discovering Blind-Trust Vulnerabilities in PLC Binaries via State Machine...

Fangzhou Dong (Arizona State University), Arvind S Raj (Arizona State University), Efrén López-Morales (New Mexico State University), Siyu Liu (Arizona State University), Yan Shoshitaishvili (Arizona State University), Tiffany Bao (Arizona State University), Adam Doupé (Arizona State University), Muslum Ozgur Ozmen (Arizona State University), Ruoyu Wang (Arizona State University)

Read More

AWE: Adaptive Agents for Dynamic Web Penetration Testing

Akshat Singh Jaswal (Stux Labs), Ashish Baghel (Stux Labs)

Read More

Achieving Interpretable DL-based Web Attack Detection through Malicious Payload...

Peiyang Li (INSC and the State Key Laboratory of Internet Architecture, Tsinghua University and Ant Group), Fukun Mei (INSC and the State Key Laboratory of Internet Architecture, Tsinghua University), Ye Wang (INSC and the State Key Laboratory of Internet Architecture, Tsinghua University), Zhuotao Liu (INSC and the State Key Laboratory of Internet Architecture, Tsinghua University),…

Read More