Overview AEG Conclusion CS 6V Automatic Exploit Generation (AEG) Matthew Stephen. Department of Computer Science University of Texas at Dallas

Similar documents
AEG: Automatic Exploit Generation

AEG: Automatic Exploit Generation

Buffer overflow background

Buffer overflow prevention, and other attacks

Lecture Notes: Unleashing MAYHEM on Binary Code

CSE 565 Computer Security Fall 2018

Symbolic Execution for Bug Detection and Automated Exploit Generation

2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks

Introduction to software exploitation ISSISP 2017

SoK: Eternal War in Memory

Homework 3 CS161 Computer Security, Fall 2008 Assigned 10/07/08 Due 10/13/08

CS 161 Computer Security

A program execution is memory safe so long as memory access errors never occur:

CS161 Midterm 1 Review

Buffer Overflow Defenses

Lecture 9 Assertions and Error Handling CS240

Lecture 4 September Required reading materials for this class

Software Vulnerabilities August 31, 2011 / CS261 Computer Security

Bouncer: Securing Software by Blocking Bad Input

Stack Vulnerabilities. CS4379/5375 System Security Assurance Dr. Jaime C. Acosta

CS 6V Control-Flow Integrity Principles, Implementations, and Applications. Sureshbabu Murugesan

0x1A Great Papers in Computer Security

Computer Science 50: Introduction to Computer Science I Harvard College Fall Quiz 0 Solutions. Answers other than the below may be possible.

Black Hat Webcast Series. C/C++ AppSec in 2014

Runtime Defenses against Memory Corruption

Unleashing MAYHEM on Binary Code

Computer Security Course. Midterm Review

Buffer Overflows Defending against arbitrary code insertion and execution

Verification & Validation of Open Source

typedef void (*type_fp)(void); int a(char *s) { type_fp hf = (type_fp)(&happy_function); char buf[16]; strncpy(buf, s, 18); (*hf)(); return 0; }

Outline. Classic races: files in /tmp. Race conditions. TOCTTOU example. TOCTTOU gaps. Vulnerabilities in OS interaction

in memory: an evolution of attacks Mathias Payer Purdue University

Is Exploitation Over? Bypassing Memory Protections in Windows 7

Program Security and Vulnerabilities Class 2

CS 161 Computer Security. Security Throughout the Software Development Process

Baggy bounds with LLVM

Security and Privacy in Computer Systems. Lecture 5: Application Program Security

Lecture 08 Control-flow Hijacking Defenses

Plan for Today. Safe Programming Languages. What is a secure programming language?

SafeDispatch Securing C++ Virtual Calls from Memory Corruption Attacks by Jang, Dongseok and Tatlock, Zachary and Lerner, Sorin

Memory Corruption 101 From Primitives to Exploit

CIS 4360 Secure Computer Systems. Integers

This time. Defenses and other memory safety vulnerabilities. Everything you ve always wanted to know about gdb but were too afraid to ask

How Software Executes

Betriebssysteme und Sicherheit Sicherheit. Buffer Overflows

Sample Midterm (Spring 2010)

Beyond Stack Smashing: Recent Advances in Exploiting. Jonathan Pincus(MSR) and Brandon Baker (MS)

Cling: A Memory Allocator to Mitigate Dangling Pointers. Periklis Akritidis

Memory Safety (cont d) Software Security

CIS 551 / TCOM 401 Computer and Network Security. Spring 2007 Lecture 2

CS 550 Operating Systems Spring Interrupt

CS 161 Computer Security

Secure Software Development: Theory and Practice

Bug Finding with Under-approximating Static Analyses. Daniel Kroening, Matt Lewis, Georg Weissenbacher

Static Analysis and Bugfinding

Honours/Master/PhD Thesis Projects Supervised by Dr. Yulei Sui

CS 161 Computer Security

Secure Programming. An introduction to Splint. Informatics and Mathematical Modelling Technical University of Denmark E

Software Security: Buffer Overflow Defenses

Outline. Format string attack layout. Null pointer dereference

Brave New 64-Bit World. An MWR InfoSecurity Whitepaper. 2 nd June Page 1 of 12 MWR InfoSecurity Brave New 64-Bit World

Other array problems. Integer overflow. Outline. Integer overflow example. Signed and unsigned

CSC 591 Systems Attacks and Defenses Stack Canaries & ASLR

Security Lab. Episode 6: Format String Vulnerabilities. Jan Nordholz, Matthias Petschick, Julian Vetter

Reversed Buffer Overflow Cross Stack Attacks. Kris Kaspersky Endeavor Security, Inc.

20: Exploits and Containment

Intrusion Detection and Malware Analysis

Inline Reference Monitoring Techniques

How to Break Software by James Whittaker

CS 161 Computer Security

Exploits and gdb. Tutorial 5

Securing Software Applications Using Dynamic Dataflow Analysis. OWASP June 16, The OWASP Foundation

CSE 565 Computer Security Fall 2018

Understanding Undefined Behavior

Secure Programming Lecture 6: Memory Corruption IV (Countermeasures)

CSCE 548 Building Secure Software Integers & Integer-related Attacks & Format String Attacks. Professor Lisa Luo Spring 2018

Oracle Developer Studio Code Analyzer

C Programming. Course Outline. C Programming. Code: MBD101. Duration: 10 Hours. Prerequisites:

"Secure" Coding Practices Nicholas Weaver

CNIT 127: Exploit Development. Ch 18: Source Code Auditing. Updated

Undefined Behaviour in C

CSE 565 Computer Security Fall 2018

Inception: System-Wide Security Testing of Real- World Embedded Systems Software Nassim Corteggiani (Maxim Integrated / EURECOM) Giovanni Camurati

CSE 127: Computer Security. Memory Integrity. Kirill Levchenko

Security Coding Module - Buffer Overflow Data Gone Wild CS1

CRAXweb: Web Testing and Attacks through QEMU in S2E. Shih-Kun Huang National Chiao Tung University Hsinchu, Taiwan

String Oriented Programming Exploring Format String Attacks. Mathias Payer

Computer Security. 04r. Pre-exam 1 Concept Review. Paul Krzyzanowski. Rutgers University. Spring 2018

C and C++ Secure Coding 4-day course. Syllabus

Play with FILE Structure Yet Another Binary Exploitation Technique. Abstract

HW 8 CS681 & CS392 Computer Security Understanding and Experimenting with Memory Corruption Vulnerabilities DUE 12/18/2005

FiE on Firmware Finding Vulnerabilities in Embedded Systems using Symbolic Execution. Drew Davidson Ben Moench Somesh Jha Thomas Ristenpart

ISA564 SECURITY LAB. Code Injection Attacks

Protection and Mitigation of Software Bug Exploitation

Symbolic Execution. Wei Le April

Reserve Engineering & Buffer Overflow Attacks. Tom Chothia Computer Security, Lecture 17

CNIT 127: Exploit Development. Ch 1: Before you begin. Updated

Sendmail crackaddr - Static Analysis strikes back

TI2725-C, C programming lab, course

Buffer Overflow Attacks

Transcription:

CS 6V81.005 Automatic Exploit Generation (AEG) Matthew Stephen Department of Computer Science University of Texas at Dallas February 20 th, 2012

Outline 1 Overview Introduction Considerations 2 AEG Challenges iwconfig Example Constraint Equation Components Preconditioned Symbolic Execution 3 Conclusion

Outline 1 Overview Introduction Considerations 2 AEG Challenges iwconfig Example Constraint Equation Components Preconditioned Symbolic Execution 3 Conclusion

Outline 1 Overview Introduction Considerations 2 AEG Challenges iwconfig Example Constraint Equation Components Preconditioned Symbolic Execution 3 Conclusion

Introduction Current Method Think hard about whether a bug is exploitable Attempt to create an exploit

Introduction Current Method Think hard about whether a bug is exploitable Attempt to create an exploit End-to-end systems not shown to be practical before

Introduction Current Method Think hard about whether a bug is exploitable Attempt to create an exploit End-to-end systems not shown to be practical before The AEG Method Reproduced known exploits Found zero-day vulnerabilities

Introduction Current Method Think hard about whether a bug is exploitable Attempt to create an exploit End-to-end systems not shown to be practical before The AEG Method Reproduced known exploits Found zero-day vulnerabilities Implications Untrained attackers can succeed Easy to find zero-day vulnerabilities Can also use for defense

Outline 1 Overview Introduction Considerations 2 AEG Challenges iwconfig Example Constraint Equation Components Preconditioned Symbolic Execution 3 Conclusion

Considerations Example code char src[12], dst[10]; strncpy(src, dst, sizeof(src));

Considerations Example code char src[12], dst[10]; strncpy(src, dst, sizeof(src)); Can you create a buffer overflow?

Considerations Example code char src[12], dst[10]; strncpy(src, dst, sizeof(src)); Can you create a buffer overflow? If the compiler page-aligns both buffers to 16 bytes, the dst buffer will be large enough for a 12 byte src buffer

What is Needed? Source code Executable binary LLVM bytecode

What is Needed? Source code Executable binary LLVM bytecode From the previous slide, we can see that source code analysis alone is inadequate

What is Needed? Source code Executable binary LLVM bytecode From the previous slide, we can see that source code analysis alone is inadequate Binary analysis alone is unscalable

What is Needed? Source code Executable binary LLVM bytecode From the previous slide, we can see that source code analysis alone is inadequate Binary analysis alone is unscalable Bytecode needed for bug-finding infrastructure

Outline 1 Overview Introduction Considerations 2 AEG Challenges iwconfig Example Constraint Equation Components Preconditioned Symbolic Execution 3 Conclusion

Outline 1 Overview Introduction Considerations 2 AEG Challenges iwconfig Example Constraint Equation Components Preconditioned Symbolic Execution 3 Conclusion

Challenges State space explosion problem Loops greatly increase the number of execution paths (potentially infinite)

Challenges State space explosion problem Loops greatly increase the number of execution paths (potentially infinite) Path selection problem Which paths to try first?

Challenges State space explosion problem Loops greatly increase the number of execution paths (potentially infinite) Path selection problem Which paths to try first? Environment modeling problem Model environment IO behavior (arguments, files, packets)

Challenges State space explosion problem Loops greatly increase the number of execution paths (potentially infinite) Path selection problem Which paths to try first? Environment modeling problem Model environment IO behavior (arguments, files, packets) Mixed analysis challenge Combining analysis of source code and binary

Challenges State space explosion problem Loops greatly increase the number of execution paths (potentially infinite) Path selection problem Which paths to try first? Environment modeling problem Model environment IO behavior (arguments, files, packets) Mixed analysis challenge Combining analysis of source code and binary Exploit verification problem Ensure that the generated exploit actually works

Outline 1 Overview Introduction Considerations 2 AEG Challenges iwconfig Example Constraint Equation Components Preconditioned Symbolic Execution 3 Conclusion

iwconfig Example Search for bugs at source code level

iwconfig Example Search for bugs at source code level Perform dynamic binary analysis (extract address of buffer and return)

iwconfig Example Search for bugs at source code level Perform dynamic binary analysis (extract address of buffer and return) Generate constraints describing exploit

iwconfig Example Search for bugs at source code level Perform dynamic binary analysis (extract address of buffer and return) Generate constraints describing exploit Queries a constraint solver for satisfying answer

iwconfig Example Search for bugs at source code level Perform dynamic binary analysis (extract address of buffer and return) Generate constraints describing exploit Queries a constraint solver for satisfying answer You re root!

Outline 1 Overview Introduction Considerations 2 AEG Challenges iwconfig Example Constraint Equation Components Preconditioned Symbolic Execution 3 Conclusion

Constraint Equation The equation π bug (x) π exploit (x) π prec (x) Predicates π bug : unsafe path predicate - path of an execution that violates safety property Out of bounds writes Unsafe format strings π exploit : attacker logic - where to go after hijacking eip Crash the program Perform control flow hijack π prec : preconditions - length, prefix, etc.

Outline 1 Overview Introduction Considerations 2 AEG Challenges iwconfig Example Constraint Equation Components Preconditioned Symbolic Execution 3 Conclusion

Components Six components Pre-Process: src (B gcc, B llvm )

Components Six components Pre-Process: src (B gcc, B llvm ) Src-Analysis: B llvm max max is about 10% larger than the largest statically allocated buffer

Components Six components Pre-Process: src (B gcc, B llvm ) Src-Analysis: B llvm max max is about 10% larger than the largest statically allocated buffer Bug-Find: (B llvm, φ, max) (π bug, V ) φ is the safety properties V is the source code level information about the vulnerable function

Components Six components Pre-Process: src (B gcc, B llvm ) Src-Analysis: B llvm max max is about 10% larger than the largest statically allocated buffer Bug-Find: (B llvm, φ, max) (π bug, V ) φ is the safety properties V is the source code level information about the vulnerable function DBA: (B gcc, (π bug, V )) R R is vulnerable buffer address and address of the vulnerable function return address

Components Six components Pre-Process: src (B gcc, B llvm ) Src-Analysis: B llvm max max is about 10% larger than the largest statically allocated buffer Bug-Find: (B llvm, φ, max) (π bug, V ) φ is the safety properties V is the source code level information about the vulnerable function DBA: (B gcc, (π bug, V )) R R is vulnerable buffer address and address of the vulnerable function return address Exploit-Gen: (π bug, R) π bug π exploit

Components Six components Pre-Process: src (B gcc, B llvm ) Src-Analysis: B llvm max max is about 10% larger than the largest statically allocated buffer Bug-Find: (B llvm, φ, max) (π bug, V ) φ is the safety properties V is the source code level information about the vulnerable function DBA: (B gcc, (π bug, V )) R R is vulnerable buffer address and address of the vulnerable function return address Exploit-Gen: (π bug, R) π bug π exploit Verify: (B gcc, π bug π exploit ) {ɛ, } Returns either a working exploit or nothing

Outline 1 Overview Introduction Considerations 2 AEG Challenges iwconfig Example Constraint Equation Components Preconditioned Symbolic Execution 3 Conclusion

Preconditioned Symbolic Execution Manage state space explosion by restricting the paths that are explored Assumes input[i]!= null-character for 0 < i < 40 and input[41] = null-character

Types of preconditions None

Types of preconditions None Length

Types of preconditions None Length Prefix

Types of preconditions None Length Prefix Concolic execution The path that follows a specific concrete input is taken

Types of preconditions None Length Prefix Concolic execution The path that follows a specific concrete input is taken

Path Prioritization Buggy path first Assumes exploitable bugs follow nonexploitable ones

Path Prioritization Buggy path first Assumes exploitable bugs follow nonexploitable ones Loop exhaustion Higher priority to maximum number of iterations

Dynamic Binary Analysis Stack restoration Ensure that the stack is not corrupted (results in a crash) Return-to-stack and return-to-libc attacks Calculate difference in size of stack during analysis and a normal run

Effectiveness

Outline 1 Overview Introduction Considerations 2 AEG Challenges iwconfig Example Constraint Equation Components Preconditioned Symbolic Execution 3 Conclusion

Future Work Consider heap management structures Integer overflow Timing attacks Platform independent and portable executables Binary only analysis

Effectiveness The average time to find a vulnerability was under 2 minutes Has been used in a timed competition - team had a working exploit in only a minute

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback