
Automatic Exploit Generation: an Odyssey, Sophia D’Antoine - PowerPoint PPT Presentation



  1. Automatic Exploit Generation an Odyssey Sophia D’Antoine CanSecWest 2016

  2. Introduction Programs have become increasingly difficult to exploit • larger, changing surface area • mitigations • more bytes to siphon through 10/22/2015 Program Analysis to Find Vulnerabilities 2/45

  3. Introduction Reaction: people get smarter and tools get better - government research - pentesters - CTF!

  4. CTF & Wargames [figure labels: PWN, A Binary, It, A Flag]

  5. The Past: manual labor • static analysis • dynamic analysis

  6. Dynamic Analysis Definition: • Running it (concrete execution) • Collecting/observing environment changes Popular Uses: - dump VM memory & grep - record/replay & manual analysis - gdb (debuggers) & run

  7. Dynamic Analysis Common tools: • gdb, windbg, cdb • python brute force (blind fuzzing)

  8. Example: Dynamic Analysis step... step... step... (repeated)

  9. Automated Exploitation

  10. Agenda 1. Intro 2. Automating Exploitation a. what, how? b. the target 3. Program Analysis a. background b. types we care about c. how this helps with AEG 4. Application a. tools b. demo 5. Conclusion

  11. Some Background What is Automated Exploitation? The ability to generate a successful computer attack with reduced human interaction, or entirely without it. - Focus on discovery and combination of write and read primitives • Existing AE work focused on Restricted Models: – Sean Heelan’s “Automatic Generation of Control Flow Hijacking Exploits for Software Vulnerabilities” – David Brumley (@ Carnegie Mellon) et al. (AEG, MAYHEM, etc) – Cyber Grand Challenge! (CGC)

  12. Automating Exploitation Break up AEG into 2 parts: • Generating input to get to vulnerability • Generating “payload” to profit from vulnerability - Both are hard - Work being done in both areas - Focus today on first problem github.com/programa-stic/ropc-llvm

  13. Automating Exploitation TARGET?

  14. AEG - pwnable.kr Program Operations: Get random binary, pwn it in 10 seconds. 1) Takes input at argv[1] 2) Does some decode & operations on it 3) Calls sequence of 16 functions 4) Each function checks 3 characters of input sequentially 5) If you pass them all, you get to the exploitable memcpy! Automated Exploit Generation: 1) Generate input to get to vulnerability 2) Generate payload to exploit and get shell

  15. AEG - pwnable.kr [figure: input argv[1] → 3 checks ... fail → 15 more functions ... fail → memcpy]

  16. How can AEG solve for this path in the CFG?

  17. Software Program Analysis!

  18. Agenda 1. Intro 2. Automating Exploitation a. what, how? b. the target 3. Program Analysis a. background b. types we care about c. how this helps with AEG 4. Application a. tools b. demo 5. Conclusion

  19. What is program analysis? The process of automatically analyzing the behavior of applications - In terms of a property: - program correctness - set of paths == expected paths - program optimization - minimum expense => expected paths

  20. How This Helps with AEG Analysis helps us hunt for bugs automatically. • Fuzzing/Instrumenting • Symbolic Execution • Concolic Execution ==> Pro move: combine analyses

  21. Types we care about.

  22. Dynamic Binary Instrumentation Definition: • ‘Hijacked’ environment, binaries, or source • Monitor specific system artifacts • Attempts at complete (concrete) execution Popular Uses: - Force program states - Gather and report observations at runtime - Types of hooking: source & binary

  23. Example: DBI $pin -t inscount0.so -- binary [BINARY LEVEL] - Inject increment after each instruction [STILL BRUTE FORCE] - Return total instructions for fuzzed input - Only true for that 1 executed path (the possible CFG space may be very large)

  24. Example: DBI
      original:               instrumented:
      sub $0xff, %edx         icount++
      cmp %esi, %edx          sub $0xff, %edx
      jle                     icount++
      mov $0x1, %edi          cmp %esi, %edx
      add $0x10, %eax         icount++
                              jle
                              icount++
                              mov $0x1, %edi
                              icount++
                              add $0x10, %eax

  25. Symbolic Execution Definition: • Generate 1 sym path for a set of paths (could still be extremely expensive) • Satisfies path conditions • Composed of some concrete values Popular Uses: - Determine program state at particular basic block - Create ‘equation’ to feed to SAT/SMT solvers - Faster than brute forcing all conditions

  26. Example: Symbolic Execution
      [ INT ] a, b, c
      [ INT ] x, y, z = 0;
      . . .
      fun( 0, 3, 1 );
      . . .
      fun( int a, b, c )
      {
        if (a) {
          x = -2;
        }
        if (b < 5) {
          if (!a && c) {
            y = 1;
          }
          z = 2;
        }
        assert(x+y+z!=3)
      }
      Old Method: Try all inputs until assert
      [ WARNING ] inputs unbounded!

  27. Example: Symbolic Execution
      [ SYMBOL ] a, b, c
      [ INT ] x, y, z = 0;
      if (a) {
        x = -2;
      }
      if (b < 5) {
        if (!a && c) {
          y = 1;
        }
        z = 2;
      }
      assert(x+y+z!=3)

  28. Concolic Execution Definition: • Dynamic symbolic execution • Instrumentation of symbolic execution as it runs • One path at a time to maintain concrete state underneath symbolic variables Popular Uses: - Concretization (replace symbols with values to satisfy path condition) - Handle system calls & library loading - Cases which SMT can’t solve

  29. Example: Concolic Execution
      [ INT ] a, b, c
      [ INT ] x, y, z = 0;
      . . .
      fun( 0, 3, 1 );
      . . .
      fun( int a, b, c )
      {
        if (a) {
          x = -2;
        }
        if (b < 5) {
          if (!a && c) {
            y = 1;
          }
          z = 2;
        }
        assert(x+y+z!=3)
      }
      Old Method: Try all inputs until assert
      [ WARNING ] inputs unbounded!

  30. Example: Concolic Execution
      [ INT & SYMBOL ] a, b, c
      [ INT ] x, y, z = 0;
      if (a) {
        x = -2;
      }
      if (b < 5) {
        if (!a && c) {
          y = 1;
        }
        z = 2;
      }
      assert(x+y+z!=3)
      STEPS
      [ ONE ] concrete execution of function
      [ TWO ] while building symbolic path model
      [ THREE ] constraints on input are modeled
      [ FOUR ] models used to generate concrete input
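As an added example (not code from the talk), the four concolic steps of slides 26–30 carried out on the slides' own fun(a, b, c) in Python: each branch reports its predicate while the function runs concretely, the recorded path condition is flipped one branch at a time, and a tiny stand-in solver (assumed here in place of z3) produces the next concrete input until one reaches the failing assert. The seed (1, 7, 0) is constructed so that the search, not the seed, finds the violation.

```python
# Constructed example: a hand-rolled branch tracer and tiny solver stand in for DBI and z3.
NEG = {"!=": "==", "==": "!=", "<": ">=", ">=": "<"}
OPS = {"==": lambda v, k: v == k, "!=": lambda v, k: v != k,
       "<": lambda v, k: v < k, ">=": lambda v, k: v >= k}

def fun(a, b, c, trace=None):
    """The slides' target; each branch reports (predicate, taken) into `trace`."""
    x = y = z = 0
    def branch(pred, cond):
        if trace is not None:
            trace.append((pred, cond))
        return cond
    if branch(("a", "!=", 0), a != 0):
        x = -2
    if branch(("b", "<", 5), b < 5):
        if branch(("a", "==", 0), a == 0) and branch(("c", "!=", 0), c != 0):
            y = 1
        z = 2
    return x + y + z != 3          # the slides' assert(x+y+z != 3); False = violated

def negate(pred): return (pred[0], NEG[pred[1]], pred[2])   # flip one branch predicate

def solve(constraints, candidates=(0, 1, 4, 5, -1)):
    """Minimal 'SMT': per variable, pick a candidate value meeting its constraints."""
    model = {}
    for var in ("a", "b", "c"):
        mine = [p for p in constraints if p[0] == var]
        vals = [v for v in candidates if all(OPS[op](v, k) for _, op, k in mine)]
        if not vals:
            return None            # this path condition is unsatisfiable
        model[var] = vals[0]
    return model

def find_violation(seed, limit=64):
    """Generational search (SAGE-style): run concretely, record the path
    condition, flip one branch at a time, solve for fresh input, repeat."""
    worklist, seen = [seed], {seed}
    while worklist and len(seen) <= limit:
        inp = worklist.pop(0)
        trace = []
        if not fun(*inp, trace=trace):
            return inp             # concrete input that reaches the failing assert
        pc = [p if taken else negate(p) for p, taken in trace]
        for i in range(len(pc)):
            model = solve(pc[:i] + [negate(pc[i])])
            cand = (model["a"], model["b"], model["c"]) if model else None
            if cand and cand not in seen:
                seen.add(cand)
                worklist.append(cand)
    return None
```

From the safe seed the search reaches (0, 0, 1), the path a == 0, b < 5, c != 0 on which x + y + z == 3, after flipping only four branches; the "old method" of trying inputs blindly has an unbounded space to cover.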

  31. Creating a Feedback Loop In practice, using the results of different analyses finds bugs quicker. Example Pairing: • Concrete execution • Fuzz input • Symbolic/Concolic execution • Examine results • Craft new input

  32. Agenda 1. Intro 2. Automating Exploitation a. what, how? b. the target 3. Program Analysis a. background b. types we care about c. how this helps with AEG 4. Application a. tools b. demo 5. Conclusion

  33. Dynamic Binary Instrumentation Common tools: • PIN Tool • Valgrind (before/during runtime) • DynamoRIO • Qemu

  34. Example: Flare-on Challenge 9 [ http://blog.trailofbits.com/2015/09/09/flare-on-reversing-challenges-2015/ ] • Pintool instruction count • More instructions == Closer to correct input Input: AAAAAAAA... Input: FLAGAAAA...
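As an added example (not the talk's or Trail of Bits' code), a Python stand-in for the Pin inscount tool of slides 23–24 and 34: a sequential per-character check executes more instructions the further a guess gets, so a greedy search that keeps the highest-count byte per position recovers a constructed flag, and a fixed-length comparison beside it shows why a check doing the same work for every input leaves the counter nothing to measure. The `Counter`, `SECRET` and the two check functions are constructed for this example.

```python
# Constructed example: a Python stand-in for a Pin instruction-count tool; every
# call to `ctr.step()` models one executed instruction of the checked binary.
class Counter:
    def __init__(self):
        self.n = 0
    def step(self):
        self.n += 1

SECRET = "FLAG"     # constructed flag; the search below never reads it directly

def check_leaky(candidate, ctr):
    """Sequential per-character check with early exit, as on the target slides:
    the further the input gets, the more instructions execute."""
    for want, got in zip(SECRET, candidate):
        ctr.step()
        if want != got:
            return False
    ctr.step()
    return len(candidate) == len(SECRET)

def check_constant(candidate, ctr):
    """Fixed-length, no-short-circuit comparison: the count no longer depends on input."""
    ok = len(candidate) == len(SECRET)
    for i in range(len(SECRET)):
        ctr.step()
        got = candidate[i] if i < len(candidate) else "\0"
        ok &= got == SECRET[i]
    return ok

def inscount(check, candidate):
    ctr = Counter()
    check(candidate, ctr)
    return ctr.n

def recover(check, alphabet="ABCDEFGHIJKLMNOPQRSTUVWXYZ", length=4):
    """Greedy search: per position keep the byte with the highest count.
    Returns None as soon as a position leaks nothing (all counts equal)."""
    guess = ""
    for pos in range(length):
        pad = "A" * (length - pos - 1)
        scores = {ch: inscount(check, guess + ch + pad) for ch in alphabet}
        if len(set(scores.values())) == 1:
            return None
        guess += max(scores, key=scores.get)
    return guess
```

As slide 23 warns, each count describes only the one path that actually executed; the leaky check happens to make that path length a direct function of the matching prefix, which is exactly what the constant-work version removes.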

  35. Symbolic Execution Common tools: • KLEE (runs on LLVM bc) • SAGE (MS internal tool) feed it to z3 to solve

  36. Concolic Execution Common tools: • Angr • Pysymemu • Triton

  37. AEG Demo: Assumptions [ Assumptions ] • Space of potential vulnerabilities too large • Need to write tools to hunt for subset – Target memory corruption (memcpy) • ROP from there … [ Dynamically Acquire ] • Path to target • Solve for constraints • Addresses of gadgets for ROP [ Statically (Pre) Acquired ] • Semantics of target & gadgets
