AEG: Automatic Exploit Generation. Thanassis Avgerinos, Sang Kil Cha, Brent Lim Tze Hao, and David Brumley. Carnegie Mellon University, Pittsburgh, PA. {thanassis, sangkilc, brentlim, dbrumley}@cmu.edu

Abstract. The automatic exploit generation challenge is: given a program, automatically find vulnerabilities and generate exploits for them. In this paper we present AEG, the first end-to-end system for fully automatic exploit generation. We use

code level, in practice this bug would likely not be exploitable. Modern compilers would page-align the declared buffers, resulting in both data structures getting 16 bytes. Since the destination buffer would be 16 bytes, the 12-byte copy would not be problematic and the bug not exploitable.

While source code analysis is insufficient, binary-level analysis is unscalable. Source code has abstractions, such as variables, buffers, functions, and user-constructed types, that make automated reasoning easier and more scalable. No such abstractions exist at the binary level; there are only stack frames, registers, gotos and a globally addressed memory region. In our approach, we combine source-code level analysis, to improve scalability in finding bugs, with binary and runtime information, to exploit programs. To the best of our knowledge, we are the first to combine analysis from these two very different code abstraction levels.

B. Finding the exploitable paths among an infinite number of possible paths. Our techniques for AEG employ symbolic execution, a formal verification technique that explores program paths and checks if each path is exploitable. Programs have loops, which in turn means that they have a potentially infinite number of paths. However, not all paths are equally likely to be exploitable. Which paths should we check first? Our main focus is to detect exploitable bugs. Our results show (§8) that existing state-of-the-art solutions proved insufficient to detect such security-critical bugs in real-world programs.

To address the path selection challenge, we developed two novel contributions in AEG. First, we have developed preconditioned symbolic execution, a novel technique which targets paths that are more likely to be exploitable. For example, one choice is to explore only paths with the maximum input length, or paths related to HTTP GET requests. While preconditioned symbolic execution eliminates some paths, we still need to prioritize which paths we should explore first. To address this challenge, we have developed a priority queue path prioritization technique that uses heuristics to choose likely more exploitable paths first. For example, we have found that if a programmer makes a mistake (not necessarily an exploitable one) along a path, then it makes sense to prioritize further exploration of the path, since it is more likely to eventually lead to an exploitable condition.

C. An end-to-end system. We provide the first practical end-to-end system for AEG on real programs. An end-to-end system requires not only addressing a tremendous number of scientific questions, e.g., binary program analysis and efficient formal verification, but also a tremendous number of engineering issues. Our AEG implementation is a single command line that analyzes source code programs, generates symbolic execution formulas, solves them, performs binary analysis, generates binary-level runtime constraints, and formats the output as an actual exploit string that can be fed directly into the vulnerable program. A video demonstrating the end-to-end system is available online [1].

Scope. While, in this paper, we make exploits robust against local environment changes, our goal is not to make exploits robust against common security defenses, such as address space randomization [25] and w⊕x memory pages (e.g., Windows DEP). In this work, we always require source code. AEG on binary-only is left as future work. We also do not claim AEG is a "solved" problem; there is always opportunity to improve performance and scalability, to work on a larger variety of exploit classes, and to work in new application settings.

2 Overview of AEG

This section explains how AEG works by stepping through the entire process of bug-finding and exploit generation on a real-world example. The target application is the setuid root iwconfig utility from the Wireless Tools package (version 26), a program consisting of about 3400 lines of C source code. Before AEG starts the analysis, there are two necessary preprocessing steps: 1) we build the project with the GNU C Compiler (GCC) to create the binary we want to exploit, and 2) with the LLVM [17] compiler, to produce bytecode that our bug-finding infrastructure uses for analysis. After the build, we run our tool, AEG, and get a control flow hijacking exploit in less than 1 second. Providing the exploit string to the iwconfig binary, as the 1st argument, results in a root shell. We have posted a demonstration video online [1].

Figure 1 shows the code snippet that is relevant to the generated exploit. iwconfig has a classic strcpy buffer overflow vulnerability in the get_info function (line 15), which AEG spots and exploits automatically in less than 1 second. To do so, our system goes through the following analysis steps:

1. AEG searches for bugs at the source code level by exploring execution paths. Specifically, AEG executes iwconfig using symbolic arguments (argv) as the input sources. AEG considers a variety of input sources, such as files, arguments, etc., by default.

2. After following the path main → print_info → get_info, AEG reaches line 15, where it detects an out-of-bounds memory error on variable

fact, in this specific example there is no need for a solver query, since validity or invalidity can be determined by a simple iteration through our assumption set (P ∧ L). Thus, by applying the length precondition we only need a single interpreter to explore the entire loop. In the rest of the section, we show how we can generate different types of preconditions to reduce the search space.

5.2.1 Preconditions

In AEG, we have developed and implemented 4 different preconditions for efficient exploit generation:

None: There is no precondition and the state space is explored as normal.

Known Length: The precondition is that inputs are of known maximum length, as in the previous example. We use static analysis to automatically determine this precondition.

Known Prefix: The precondition is that the symbolic inputs have a known prefix.

Concolic Execution: Concolic execution [24] can be viewed as a specific form of preconditioned symbolic execution where the precondition is specified by a single program path as realized by an example input. For example, we may already have an input that crashes the program, and we use it as a precondition to determine if the executed path is exploitable.

The above preconditions assume varying amounts of static analysis or user input. In the following, we further discuss these preconditions, and also describe the reduction in the state space that preconditioned symbolic execution offers. A summary of the preconditions' effect on branching is shown in Figure 7.

None. Preconditioned symbolic execution is equivalent to standard symbolic execution. The input precondition is true (the entire state space). Input Space: For S symbolic input bytes, the size of the input space is 256^S. The example in Figure 7 contains N + M symbolic branches and a symbolic loop with S maximum iterations, thus in the worst case (without pruning), we need 2^N · S · 2^M interpreters to explore the state space.

Known Length. The precondition is that all inputs should be of maximum length. For example, if the input data is of type string, we add the precondition that each byte of input up to the maximum input length is not NULL, i.e., (strlen(input) = len) or equivalently in logic (input[0] ≠ 0) ∧ (input[1] ≠ 0) ∧ ... ∧ (input[len−1] ≠ 0) ∧ (input[len] = 0). Input space: The input space of a string of length len will be 255^len. Note that for len = S, this means a 0.4% decrease of the input space for each byte. Savings: The length precondition does not affect the N + M symbolic branches of the example in Figure 7. However, the symbolic strcpy will be converted into a straight-line concrete copy: since we know the length and pruning is enabled, we need not consider copying strings of all possible lengths. Thus, we need 2^(N+M) interpreters to explore the entire state space. Overall, the length precondition decreases the input space slightly, but can concretize strcpy-like loops, a common pattern for detecting buffer overflows.

Known Prefix. The precondition constrains a prefix on input bytes, e.g., an HTTP GET request always starts with "GET", or a specific header field needs to be within a certain range of values, e.g., the protocol field in the IP header. We use a prefix precondition to target our search towards inputs that start with that specific prefix. For example, suppose that we wish to explore only PNG images on an image-processing utility. The PNG standard specifies that all images must start with a standard 8-byte header PNG_H, thus simply by specifying a prefix precondition (input[0] = PNG_H[0]) ∧ ... ∧ (input[7] = PNG_H[7]), we can focus our search on PNG images alone. Note that prefix preconditions need not only consist of exact equalities; they can also specify a range or an enumeration of values for the symbolic bytes. Input space: For S symbolic bytes and an exact prefix of length P (P ≤ S), the size of the input space will be 256^(S−P). Savings: For the example shown in Figure 7, the prefix precondition effectively concretizes the first P branches as well as the first P iterations of the symbolic strcpy, thus reducing the number of required interpreters to S · 2^(N+M−P). A prefix precondition can have a radical effect on the state space, but is no panacea. For example, by considering only valid prefixes we are potentially missing exploits caused by malformed headers.

Concolic Execution. The dual of specifying no precondition is specifying the precondition that all input bytes have a specific value. Specifying that all input bytes have a specific value is equivalent to concolic execution [24]. Mathematically, we specify ∀i : (input[i] = concrete_input[i]). Input Space: There is a single concrete input. Savings: A single interpreter is needed to explore the program, and because of state pruning, we are concretely executing the execution path for the given input. Thus, especially for concolic execution, it is much more useful to disable state pruning and drop the precondition constraints whenever we fork a new interpreter. Note that, in this case, AEG behaves as a concolic fuzzer, where
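As an added illustration (not code from the paper or from the AEG system), the toy explorer below reproduces the interpreter counts of the four preconditions on a Figure 7 style program. It assumes a layout where the N + M branch-tested bytes form a header ahead of the S-byte body that the strcpy-like loop copies, with the last body byte as the forced terminator; under that assumption it yields 2^N · S · 2^M, 2^(N+M), S · 2^(N+M−P) and 1 interpreters, and the 256^S, 255^len, 256^(S−P) and 1 input-space sizes given above.

```python
"""Toy model of preconditioned symbolic execution in the shape of the
Figure 7 example: N symbolic branches on header bytes, a strcpy-like loop
over a body of at most S bytes, then M more symbolic branches.  Each
symbolic byte is tracked as the set of values it may still take; a branch
forks only when both outcomes remain satisfiable (state pruning)."""

ALL_BYTES = frozenset(range(256))


def initial_state(n, m, s, precondition):
    """Per-byte domains for n+m header bytes followed by s body bytes; the
    last body byte is the forced NUL terminator (maximum length s-1).  The
    precondition (byte index -> allowed values) is conjoined with the
    domains.  Returns None when the precondition is unsatisfiable."""
    length = n + m + s
    domains = [ALL_BYTES] * (length - 1) + [frozenset({0})]
    for idx, allowed in precondition.items():
        domains[idx] = domains[idx] & allowed
        if not domains[idx]:
            return None
    return domains


def fork(domains, idx, value):
    """Split a state on the branch `input[idx] == value`, yielding only the
    feasible successors: a byte that is already concrete never forks."""
    for side in (domains[idx] & {value}, domains[idx] - {value}):
        if side:
            yield domains[:idx] + [side] + domains[idx + 1:]


def count_interpreters(n, m, s, precondition=None):
    """Interpreters (leaf states) needed to explore the toy program."""
    start = initial_state(n, m, s, precondition or {})
    if start is None:
        return 0
    states = [start]
    # N symbolic branches such as `if (input[i] == 'A')` on bytes 0..n-1
    for i in range(n):
        states = [st for d in states for st in fork(d, i, ord("A"))]
    # symbolic strcpy over the body: the copy stops at the first NUL, so
    # every position whose domain still contains 0 is a possible loop exit
    finished = []
    for pos in range(n + m, n + m + s):
        continuing = []
        for d in states:
            for st in fork(d, pos, 0):
                (finished if 0 in st[pos] else continuing).append(st)
        states = continuing
    # M symbolic branches on header bytes n..n+m-1 after the copy
    states = finished
    for j in range(m):
        states = [st for d in states for st in fork(d, n + j, ord("B"))]
    return len(states)


def input_space(n, m, s, precondition=None):
    """Size of the input space: the product of the per-byte domain sizes."""
    start = initial_state(n, m, s, precondition or {})
    if start is None:
        return 0
    size = 1
    for domain in start:
        size *= len(domain)
    return size


def known_length(n, m, s):
    """strlen(input) == n+m+s-1: every byte before the terminator is non-NUL."""
    return {i: ALL_BYTES - {0} for i in range(n + m + s - 1)}


def known_prefix(prefix):
    """The first len(prefix) input bytes are fixed, e.g. b"GET"."""
    return {i: frozenset({b}) for i, b in enumerate(prefix)}


def concolic(concrete_input):
    """Every input byte fixed to one example input: concolic execution."""
    return {i: frozenset({b}) for i, b in enumerate(concrete_input)}


if __name__ == "__main__":
    # constructed parameters: N=3, M=2, S=6, prefix "GE", one 11-byte input
    for name, pre in [("None", None), ("Known Length", known_length(3, 2, 6)),
                      ("Known Prefix", known_prefix(b"GE")),
                      ("Concolic", concolic(b"AAABBabc\x00\x00\x00"))]:
        print(name, input_space(3, 2, 6, pre), count_interpreters(3, 2, 6, pre))
```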
    char *ptr = malloc(100);
    char buf[100];
    strcpy(buf, input);  // overflow
    strcpy(ptr, buf);    // ptr dereference
    return;

Figure 8: When stack contents are garbled by stack overflow, a program can fail before the return instruction.

able function returns, simply overwriting the stack will not always produce a valid exploit. Suppose an attacker tries to exploit the program shown in Figure 8 using the strcpy buffer overflow vulnerability. In this case, ptr is located between the return address and the buf buffer. Note that ptr is dereferenced after the stack overflow attack. Since ptr is also on the stack, the contents of ptr are garbled by the stack overflow, and might cause the program to crash before the return instruction. Thus, a sophisticated attack must consider the above case by overwriting a valid memory pointer to the stack. AEG properly handles this situation by examining the entire stack space during DBA, and passing the information (m) to EXPLOIT-GEN.

6.2 Exploit-Gen

EXPLOIT-GEN takes in two inputs to produce an exploit: the unsafe program state containing the path constraints (P_bug) and low-level runtime information R, i.e., the vulnerable buffer's address (bufaddr), the address of the vulnerable function's return address (&retaddr), and the runtime stack memory contents (m). Using that information, EXPLOIT-GEN generates exploit formulas (P_bug ∧ P_exploit) for four types of exploits: 1) stack-overflow return-to-stack, 2) stack-overflow return-to-libc, 3) format-string return-to-stack, 4) format-string return-to-libc. In this paper, we present the full algorithm only for 1). The full algorithms for the rest of our exploitation techniques can be found on our website [2].

In order to generate exploits, AEG performs two major steps. First, AEG determines the class of attack to perform and formulates P_exploit for control hijack. For example, in a stack-overflow return-to-stack attack, P_exploit must have the constraint that the address of the return address (&retaddr) should be overwritten to contain the address of the shellcode, as provided by DBA. Further, the exploit predicate P_exploit must also contain constraints that shellcode must be written on the target buffer. The generated predicate is used in conjunction with P_bug to produce the final constraints (the exploit formula P_bug ∧ P_exploit) that can be solved to produce an exploit. Algorithm 2 shows how the exploit predicate (P_exploit) is generated for stack-overflow return-to-stack attacks.

Algorithm 2: Stack-Overflow Return-to-Stack Exploit Predicate Generation Algorithm
    input: (bufaddr, &retaddr, m) = R
    output: P_exploit
    for i = 1 to len(m) do
        exp_str[i] ← m[i];                    // stack restoration
    offset ← &retaddr − bufaddr;
    jmp_target ← offset + 8;                  // old ebp + retaddr = 8
    exp_str[offset] ← jmp_target;             // eip hijack
    for i = 1 to len(shellcode) do
        exp_str[offset + i] ← shellcode[i];
    return (Mem[bufaddr] == exp_str[1]) ∧ ... ∧ (Mem[bufaddr + len(m) − 1] == exp_str[len(m)]);   // P_exploit

6.2.1 Exploits

AEG produces two types of exploits: return-to-stack [21] and return-to-libc [10], both of which are the most popular classic control hijack attack techniques. AEG currently cannot handle state-of-the-art protection schemes, but we discuss possible directions in §9. Additionally, our return-to-libc attack is different from the classic one in that we do not need to know the address of a "/bin/sh" string in the binary. This technique allows bypassing stack randomization (but not libc randomization).

Return-to-stack Exploit. The return-to-stack exploit overwrites the return address of a function so that the program counter points back to the injected input, e.g., user-provided shellcode. To generate the exploit, AEG finds the address of the vulnerable buffer (bufaddr) into which an input string can be copied, and the address where the return address of a vulnerable function is located. Using the two addresses, AEG calculates the jump target address where the shellcode is located. Algorithm 2 describes how to generate an exploit predicate for a stack overflow vulnerability in the case of a return-to-stack exploit where the shellcode is placed after the return address.

Return-to-libc Exploit. In the classic return-to-libc attack, an attacker usually changes the return address to point to the execve function in libc. However, to spawn a shell, the attacker must know the address of a "/bin/sh" string in the binary, which is not common in most programs. In our return-to-libc attack, we create a symbolic link to /bin/sh and for the link name we use an arbitrary string which resides in libc. For exam-
a concrete working exploit, i.e., an exploit that spawns a shell, or ⊥, if AEG fails to generate the exploit. VERIFY first solves the exploit constraints to get a concrete exploit. If the exploit is a local attack, it runs the executable with the exploit as the input and checks if a shell has been spawned. If the exploit is a remote attack, AEG spawns three processes. The first process runs the executable. The second process runs nc to send the exploit to the executable. The third process checks that a remote shell has been spawned at port 31337. Note that, in Figure 5, we have shown a straight-line flow from PRE-PROCESS to VERIFY for simplicity. However, in the actual system, VERIFY provides feedback to EXPLOIT-GEN if the constraints cannot be solved. This is a cue for EXPLOIT-GEN to select a different shellcode.

7 Implementation

AEG is written in a mixture of C++ and Python and consists of 4 major components: symbolic executor (BUG-FIND), dynamic binary evaluator (DBA), exploit generator (EXPLOIT-GEN), and constraint solver (VERIFY). We chose KLEE [5] as our backend symbolic executor, and added about 5000 lines of code to implement our techniques and heuristics as well as to add in support for other input sources (such as sockets and symbolic environment variables). Our dynamic binary evaluator was written in Python, using a wrapper for the GNU debugger [22]. We used STP for constraint solving [12].

8 Evaluation

The following sections present our experimental work on the AEG challenge. We first describe the environment in which we conducted our experiments. Then, we show the effectiveness of AEG by presenting 16 exploits generated by AEG for 14 real-world applications. Next, we highlight the importance of our search heuristics, including preconditioned symbolic execution, in identifying exploitable bugs. In addition, we present several examples illustrating the exploitation techniques already implemented in AEG. Last, we evaluate the reliability of the generated exploits. For a complete explanation of each generated exploit and more experimental results, we refer the reader to our website [2].

8.1 Experimental Setup

We evaluated our algorithms and AEG on a machine with a 2.4GHz Intel(R) Core2 Duo CPU and 4GB of RAM with 4MB L2 Cache. All experiments were performed under Debian Linux 2.6.26-2. We used LLVM-GCC 2.7 to compile programs to run in our source-based AEG and GCC 4.2.4 to build binary executables. All programs presented in the paper are unmodified open-source applications that people use and can be downloaded from the Internet. Time measurements are performed with the Unix time command. The buggy-path-first and loop exhaustion search heuristics elaborated in §5.3 were turned on by default for all the experiments.

8.2 Exploits by AEG

Table 1 shows the list of vulnerabilities that AEG successfully exploits. We found these 14 programs from a variety of popular advisories: Common Vulnerabilities and Exposures (CVE), Open Source Vulnerability Database (OSVDB), and Exploit-DB (EDB), and downloaded them to test on AEG. Not only did AEG reproduce the exploits provided in the CVEs, it found and generated working exploits for 2 additional vulnerabilities: 1 for expect-5.43 and 1 for htget-0.93.

We order the table by the kind of path exploration technique used to find the bug, ordered from the least to the most amount of information given to the algorithm itself. 4 exploits required no precondition at all and paths were explored using only our path prioritization techniques (§5.3). We note that although we build on top of KLEE [5], in our experiments KLEE only detected the iwconfig exploitable bug. 6 of the exploits were generated only after inferring the possible maximum lengths of symbolic inputs using our static analysis (the Length rows). Without the maximum input length AEG failed most often because symbolic execution would end up considering all possible input lengths up to some maximum buffer size, which was usually very large (e.g., 512 bytes). Since length is automatically inferred, these 6 combined with the previous 4 mean that 10 total exploits were produced automatically with no additional user information. 5 exploits required that the user specify a prefix on the input space to explore. For example, xmail's vulnerable program path is only triggered with a valid email address. Therefore, we needed to specify to AEG that the input included an "@" sign to trigger the vulnerable path. Corehttp is the only vulnerability that required concolic execution. The input we provided was "A" x (repeats 880 times) + "\r\n\r\n". Without specifying the complete GET request, symbolic execution got stuck on exploring where to place white-spaces and EOL (end-of-line) characters.

Generation Time. Column 5 in Table 1 shows the total time to generate working exploits. The quickest we generated an exploit was 0.5s for iwconfig (with a length

Figure 9: Comparison of preconditioned symbolic execution techniques.

and thus the effectiveness of AEG. For example, by providing a length precondition we almost tripled the number of exploitable bugs that AEG could detect within the time limit. However, the amount of information supplied did not tremendously change how quickly an exploit is generated, when it succeeds at all.

8.3.2 Buggy-Path-First: Consecutive Bug Detection

Recall from §5.3 the path prioritization heuristic to check buggy paths first. tipxd and htget are example applications where this prioritization heuristic pays off. In both cases there is a non-exploitable bug followed by an exploitable bug in the same path. Figure 10 shows a snippet from tipxd, where there is an initial non-exploitable bug on line 1 (it should be "malloc(strlen(optarg)+1)" for the NULL byte). AEG recognizes that the bug is non-exploitable and prioritizes that path higher for continued exploration. Later on the path, AEG detects a format string vulnerability on line 10. Since the config_filename is set from the command line argument optarg in line 5, we can pass an arbitrary format string to the syslog function in line 10 via the variable log_entry. AEG recognizes the format string vulnerability and generates a format string attack by crafting a suitable command line argument.

    1  if (!(sysinfo.config_filename = malloc(strlen(optarg)))) {
    2      fprintf(stderr, "Could not allocate memory for filename storage\n");
    3      exit(1);
    4  }
    5  strcpy((char *)sysinfo.config_filename, optarg);
    6  tipxd_log(LOG_INFO, "Config file is %s\n", sysinfo.config_filename);
    7  ...
    8  void tipxd_log(int priority, char *format, ...) {
    9      vsnprintf(log_entry, LOG_ENTRY_SIZE - 1, format, ap);
    10     syslog(priority, log_entry);

Figure 10: Code snippet of tipxd.

8.4 Mixed Binary and Source Analysis

In §1, we argue that source code analysis alone is insufficient for exploit generation because low-level runtime details like stack layout matter. The aspell, htget, corehttp and xserver programs are examples of this axiom. For example, Figure 11 shows a code snippet from htget.

    1  int ProcessURL(char *TheURL, char *Hostname, char *Filename, char *ActualFilename, unsigned Port) {
    2      char BufferURL[MAXLEN];
    3      char NormalURL[MAXLEN];
    4      strcpy(BufferURL, TheURL);
    5      ...
    6      strncpy(Hostname, NormalURL, I);

Figure 11: Code snippet of htget.

The stack frame when invoking this function has the function arguments at the top of the stack, then the return address and saved ebp, followed by the local buffers BufferURL and NormalURL. The strcpy on line 4 is exploitable where TheURL can be much longer than BufferURL. However, we must be careful in the exploit to only overwrite up to the return address, e.g., if we overwrite the return address and Hostname, the program will simply crash when Hostname is dereferenced (before returning) on line 6. Since our technique performs dynamic analysis, we can reason about runtime details such as the exact stack layout, exactly how many bytes the compiler allocated to a buffer, etc., very precisely. For the above programs this precision is essential, e.g., in htget the predicate asserts that we overwrite up to the return address but no further. If there is not enough space to place the payload before the return address, AEG can still generate an exploit by applying stack restoration (presented in §6.1), where the local variables and function arguments are overwritten, but we impose constraints that their values should remain unchanged. To do so, AEG again relies on our dynamic analysis component to retrieve the runtime values of the local variables and arguments.

8.5 Exploit Variants

Whenever an exploitable bug is found, AEG generates an exploit formula (P_bug ∧ P_exploit) and produces an exploit by finding a satisfying answer. However, this does not mean that there is a single satisfying answer (exploit). In fact, we expected that there is a huge number of inputs that satisfy the formula. To verify our expectations, we performed an additional experiment where we configured AEG to generate exploit variants, i.e., different exploits produced by the same exploit formula. Table 2 shows the number of exploit variants generated by AEG within an hour for 5 sample programs.

    Program     # of exploits
    iwconfig    3265
    ncompress   576
    aeon        612
    htget       939
    glftpd      2201

Table 2: Number of exploit variants generated by AEG within an hour.

8.6 Additional Success

AEG also had an anecdotal success. Our research group entered smpCTF 2010 [27], a time-limited international competition where teams compete against each other by solving security challenges. One of the challenges was to exploit a given binary. Our team ran the Hex-rays decompiler to produce source, which was then fed into AEG (with a few tweaks to fix some incorrect decompilation from the Hex-rays tool). AEG returned an exploit in under 60 seconds.

9 Discussion and Future Work

Advanced Exploits. In our experiments we focused on stack buffer overflows and format string vulnerabilities. In order to extend AEG to handle heap-based overflows we would likely need to extend the control flow reasoning to also consider heap management structures. Integer overflows are more complicated however, as typically an integer overflow is not problematic by itself. Security-critical problems usually appear when the overflowed integer is used to index or allocate memory. We leave adding support for these types of vulnerabilities as future work.

Other Exploit Classes. While our definition includes the most popular bugs exploited today, e.g., input validation bugs, such as information disclosure, buffer overflows, heap overflows, and so on, it does not capture all security-critical vulnerabilities. For example, our formulation leaves out of scope timing attacks against crypto, which are not readily characterized as safety problems. We leave extending AEG to these types of vulnerabilities as future work.

Symbolic Input Size. Our current approach performs simple static analysis and determines that symbolic input variables should be 10% larger in size than the largest statically allocated buffer. While this is an improvement over KLEE (KLEE required a user to specify the size), and was sufficient for our examples, it is somewhat simplistic. More sophisticated analysis would provide greater precision for exactly what may be exploitable, e.g., by considering stack layout, and may be necessary for more advanced exploits, e.g., heap overflows where buffers are dynamically allocated.
References

[3] ... Dependable and Secure Computing, 5(4):224–241, Oct. 2008.
[4] D. Brumley, P. Poosankam, D. Song, and J. Zheng. Automatic patch-based exploit generation is possible: Techniques and implications. In Proceedings of the IEEE Symposium on Security and Privacy, May 2008.
[5] C. Cadar, D. Dunbar, and D. Engler. KLEE: Unassisted and automatic generation of high-coverage tests for complex systems programs. In Proceedings of the USENIX Symposium on Operating System Design and Implementation, 2008.
[6] C. Cadar, V. Ganesh, P. Pawlowski, D. Dill, and D. Engler. EXE: A system for automatically generating inputs of death using symbolic execution. In Proceedings of the ACM Conference on Computer and Communications Security, Oct. 2006.
[7] S. K. Cha, B. Pak, D. Brumley, and R. J. Lipton. Platform-independent programs. In Proceedings of the ACM Conference on Computer and Communications Security, 2010.
[8] M. Costa, M. Castro, L. Zhou, L. Zhang, and M. Peinado. Bouncer: Securing software by blocking bad input. In Proceedings of the ACM Symposium on Operating System Principles, Oct. 2007.
[9] M. Costa, J. Crowcroft, M. Castro, A. Rowstron, L. Zhou, L. Zhang, and P. Barham. Vigilante: End-to-end containment of internet worms. In Proceedings of the ACM Symposium on Operating System Principles, 2005.
[10] S. Designer. "return-to-libc" attack. Bugtraq, Aug. 1997.
[11] D. Engler and D. Dunbar. Under-constrained execution: making automatic code destruction easy and scalable. In International Symposium on Software Testing and Analysis, pages 1–4, 2007.
[12] V. Ganesh and D. L. Dill. A decision procedure for bit-vectors and arrays. In Proceedings of the Conference on Computer Aided Verification, volume 4590 of Lecture Notes in Computer Science, pages 524–536, July 2007.
[13] S. Heelan. Automatic Generation of Control Flow Hijacking Exploits for Software Vulnerabilities. Technical Report, MSc Thesis, Oxford University, 2002.
[14] I. Jager and D. Brumley. Efficient directionless weakest preconditions. Technical Report CMU-CyLab-10-002, Carnegie Mellon University, CyLab, Feb. 2010.
[15] R. Johnson and D. Wagner. Finding user/kernel pointer bugs with type inference. In Proceedings of the USENIX Security Symposium, 2004.
[16] J. King. Symbolic execution and program testing. Communications of the ACM, 19:386–394, 1976.
[17] C. Lattner. LLVM: A compilation framework for lifelong program analysis and transformation. In Proceedings of the Symposium on Code Generation and Optimization, 2004.
[18] V. B. Livshits and M. S. Lam. Finding security vulnerabilities in Java applications with static analysis. In Proceedings of the USENIX Security Symposium, 2005.
[19] B. Miller, L. Fredriksen, and B. So. An empirical study of the reliability of UNIX utilities. Communications of the Association for Computing Machinery, 33(12):32–44, 1990.
[20] J. Newsome and D. Song. Dynamic taint analysis for automatic detection, analysis, and signature generation of exploits on commodity software. In Proceedings of the Network and Distributed System Security Symposium, Feb. 2005.
[21] A. One. Smashing the stack for fun and profit. Phrack, 7(49), 1996. File 14/16.
[22] PyGDB. Python wrapper for gdb. http://code.google.com/p/pygdb/.
[23] E. J. Schwartz, T. Avgerinos, and D. Brumley. All you ever wanted to know about dynamic taint analysis and forward symbolic execution (but might have been afraid to ask). In Proceedings of the IEEE Symposium on Security and Privacy, pages 317–331, May 2010.
[24] K. Sen, D. Marinov, and G. Agha. CUTE: A concolic unit testing engine for C. In Proceedings of the ACM Symposium on the Foundations of Software Engineering, 2005.
[25] H. Shacham, M. Page, B. Pfaff, E.-J. Goh, N. Modadugu, and D. Boneh. On the effectiveness of address-space randomization. In Proceedings of the ACM Conference on Computer and Communications Security, pages 298–307, 2004.
[26] U. Shankar, K. Talwar, J. Foster, and D. Wagner. Detecting format-string vulnerabilities with type qualifiers. In Proceedings of the USENIX Security Symposium, 2001.
[27] smpCTF. smpctf 2010. http://ctf2010.smpctf.com/.
[28] G. E. Suh, J. Lee, and S. Devadas. Secure program execution via dynamic information flow tracking. In Proceedings of the International Conference on Architectural Support for Programming Languages and Operating Systems, 2004.
