Exploitability Analysis of Public Component Library Vulnerabilities Based on Taint Analysis

Huijie Yuan, Yunchao Wang, Guoxiao Zong, Zhuo Lv

2022 7th International Conference on Intelligent Computing and Signal Processing (ICSP) (2022)

Cited by 1 | Views 6

Abstract
The reuse of public component libraries has benefited computer science because it reduces implementation time and raises production efficiency. However, vulnerabilities in libraries can be more serious than those in individual real-world programs, because they affect every piece of software that uses the library. Vulnerability-mining technologies for public component libraries, such as fuzzing, have therefore received extensive attention. But fuzzing produces a huge number of crashes, and only an exceedingly small fraction of public component library vulnerabilities are exploitable in real-world software. To address this problem, we use taint analysis to determine the exploitability of library vulnerabilities in real-world software. We first use Pin binary instrumentation to instrument the consumer program, analyze how the consumer program calls the library through taint analysis, and convert the extracted execution paths and parameter information into an adjacency matrix. We then analyze the execution path and crash scene recorded in the crash file, reduce exploitability analysis to path-reachability analysis, and determine through reachability whether the crash can reach the vulnerable pointer in the software. Finally, we divide library vulnerabilities into three levels: directly exploitable, indirectly exploitable, and unexploitable. We design and implement a prototype tool, LibExp-T, and use it to analyze nine public component libraries and four real-world programs covering multiple attack surfaces such as images, audio, video, and fonts, comparing it with the automatic exploit generation tools CRAX and REX. The results show that LibExp-T can effectively verify the exploitability of component library vulnerabilities in real-world software with low overhead.
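The core step of the abstract, turning taint-traced library calls into an adjacency matrix and reducing exploitability to path reachability, is illustrated below with an added example. This is not LibExp-T's code and the three-level criteria it applies are an assumed interpretation of the levels named above; the call records, function names (main, load_file, img_open, img_parse_palette, img_realloc_table, img_dump) and tainted-argument sets are constructed sample data standing in for what a Pin-based tracer would record.

```python
from collections import deque
from typing import Dict, List, Set, Tuple

CallRecord = Tuple[str, str, Set[int]]

# Constructed sample of what a taint tracer over the consumer program might record:
# (caller, callee, indices of callee arguments that carry input-derived (tainted) data).
CALL_RECORDS: List[CallRecord] = [
    ("main", "load_file", {0}),
    ("load_file", "img_open", {0}),                   # library entry; buffer comes from input
    ("img_open", "img_read_header", {0}),
    ("img_read_header", "img_parse_palette", {0, 1}),
    ("load_file", "img_set_option", set()),           # called with constant arguments only
    ("img_set_option", "img_realloc_table", set()),
    ("unused_helper", "img_dump", {0}),               # never reached from main
]


class CallGraph:
    """Adjacency-matrix call graph plus, per callee, the union of tainted argument
    indices observed across all recorded calls to it (a deliberate over-approximation)."""

    def __init__(self, records: List[CallRecord]) -> None:
        names = sorted({name for caller, callee, _ in records for name in (caller, callee)})
        self.index: Dict[str, int] = {name: i for i, name in enumerate(names)}
        n = len(names)
        self.adj: List[List[int]] = [[0] * n for _ in range(n)]
        self.taint: Dict[str, Set[int]] = {}
        for caller, callee, tainted in records:
            self.adj[self.index[caller]][self.index[callee]] = 1
            self.taint.setdefault(callee, set()).update(tainted)

    def reachable(self, src: str, dst: str) -> bool:
        """Breadth-first search over the adjacency matrix from src to dst."""
        if src not in self.index or dst not in self.index:
            return False
        start, goal = self.index[src], self.index[dst]
        seen = {start}
        queue = deque([start])
        while queue:
            node = queue.popleft()
            if node == goal:
                return True
            for nxt, edge in enumerate(self.adj[node]):
                if edge and nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
        return False

    def classify(self, entry: str, crash_func: str, deref_arg: int) -> str:
        """Hypothetical three-way ranking (the paper names the levels; the criteria are assumed):
        - unexploitable: the crashing library function is not reachable from the consumer entry;
        - directly exploitable: reachable, and the argument dereferenced at the crash is tainted;
        - indirectly exploitable: reachable, but the dereferenced argument is not input-derived."""
        if not self.reachable(entry, crash_func):
            return "unexploitable"
        if deref_arg in self.taint.get(crash_func, set()):
            return "directly exploitable"
        return "indirectly exploitable"


GRAPH = CallGraph(CALL_RECORDS)


def classify_crash(crash_func: str, deref_arg: int, entry: str = "main") -> str:
    """Classify one crash file's (crashing function, dereferenced argument) pair."""
    return GRAPH.classify(entry, crash_func, deref_arg)


if __name__ == "__main__":
    for func, arg in [("img_parse_palette", 1), ("img_realloc_table", 0), ("img_dump", 0)]:
        print(f"{func} arg{arg}: {classify_crash(func, arg)}")
```

The per-callee union of tainted arguments is what makes the check an over-approximation: a crash is never ranked below its true level because a tainted path was dropped, but a reviewer should still confirm the specific path before treating a "directly exploitable" result as verified.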
Keywords
Taint analysis, Binary instrumentation, Crash analysis, Exploitability analysis, Vulnerability exploit