Automatic Patch-Based Exploit Generation is Possible: Techniques and Implications

David Brumley, Pongsin Poosankam, Dawn Song, Jiang Zheng
{dbrumley, ppoosank}@cs.cmu.edu, dawnsong@cs.berkeley.edu, jzheng@cs.pitt.edu
Carnegie Mellon University, UC Berkeley & CMU, U. Pittsburgh

Abstract

The automatic patch-based exploit generation problem is: given a program P and a patched version of the program P', automatically generate an exploit for the potentially unknown vulnerability present in P but fixed in P'. In this paper, we propose techniques for automatic patch-based exploit generation, and show that our techniques can automatically generate exploits for 5 Microsoft programs based upon patches provided via Windows Update. Although our techniques may not work in all cases, a fundamental tenet of security is to conservatively estimate the capabilities of attackers. Thus, our results indicate that automatic patch-based exploit generation should be considered practical. One important security implication of our results is that current patch distribution schemes which stagger patch distribution over long time periods, such as Windows Update, may allow attackers who receive the patch first to compromise the significant fraction of vulnerable hosts who have not yet received the patch.

1 Introduction

At first glance, releasing a patch that addresses a vulnerability can only benefit security. We must, however, consider the entire timeline for patch distribution. A new patch reveals some information, and having early access to a patch may confer advantages to an attacker. From a security standpoint, we should consider a) what information about a potentially unknown vulnerability is revealed by a patch, b) how quickly that information can be derived from the original and patched program, and c) what advantage that information yields to attackers. No previous work (such as fuzz testing as discussed in Section 7) has addressed these questions.

* This material is based upon work partially supported by the National Science Foundation under Grants No. 0311808, No. 0433540, No. 0448452, No. 0627511, and CCF-0424422. Partial support was also provided by the U.S. Army Research Office under the Cyber-TA Research Grant No. W911NF-06-1-0316, and under grant DAAD19-02-1-0389 through CyLab at Carnegie Mellon. The views and conclusions contained here are those of the authors and should not be interpreted as necessarily representing the official policies or endorsements, either expressed or implied, of ARO, NSF, or the U.S. Government or any of its agencies. This work was also supported in part by the Korean Ministry of Information and Communication and the Korean Institute for Information Technology Advancement under program 2005-S-606-02.

The automatic patch-based exploit generation (APEG) problem is: given a program P and a patched version of the program P', automatically generate an exploit for the potentially unknown vulnerability present in P but fixed in P'. Successful APEG would demonstrate that attackers could use patches to create exploits. To the best of our knowledge, APEG has not been previously demonstrated in public literature. Thus, the question of whether APEG is feasible for real-world programs was unanswered.

In this paper, we show that automatic patch-based exploit generation is possible as demonstrated by our experiments using 5 Windows programs that have recently been patched. We do not claim our techniques work in all cases or for all vulnerabilities. However, a fundamental tenet of security is to conservatively estimate the capabilities of attackers. Under this assumption, APEG should be considered practical, and those who have received a patch should be considered armed with an exploit.

One important consequence of our result is that having access to a patch confers a significant advantage over those who do not have access to the patch. The security advantage is important in light of current patch distribution practices. Current patch distribution practices stagger patch distribution, usually over hours, days, or longer. For example, Gkantsidis et al. show that for Windows Update it takes about 24 hours for 80% of the unique observed IPs to check for a new patch [18]. In our experiments, we generate exploits from a patch in only a few minutes. Modern threats such as the Slammer worm have empirically demonstrated that once an exploit is available, most vulnerable hosts can be compromised in minutes [27]. Our results therefore imply that those who first receive a patch could potentially compromise most remaining vulnerable hosts before they receive a patch via current patch distribution architectures. Thus, our work indicates that current patch distribution schemes that stagger patch roll-out over large time periods require rethinking.

[Figure 1 (diagram; region labels "All inputs" and "Safe Inputs"). An input validation vulnerability occurs when the set of all inputs for P (in white) is a superset of the set of safe inputs for P (in black). The set difference is the set of exploits for P.]

Input Validation Vulnerabilities. We target input validation vulnerabilities where the set of inputs accepted by P is a superset of the safe inputs for P. Figure 1 shows this intuition graphically, where the set of safe inputs is a subset of all inputs for P. The difference between the safe and all inputs accepted by P is the set of exploit inputs. A common approach for patching such vulnerabilities is to add additional input sanitization checks in P' so that only safe inputs are processed without error. Many common types of vulnerabilities are at core input validation vulnerabilities, such as buffer overflows, integer overflows and underflows, and heap overflows.

Figure 2 shows a typical integer overflow input validation vulnerability we use throughout this paper. This example is motivated by a real-life vulnerability in Internet Explorer (called DSA_SetItem, for which we generate an exploit in Section 4). All integers in this example are 32-bits, and therefore all arithmetic is performed mod $2^{32}$. On line 1, the input integer variable is checked to see if it is even: if so, a temporary variable named s is assigned input + 2 (mod $2^{32}$), else if odd, input + 3 (mod $2^{32}$). Line 6 calls realloc, a manual memory management routine, which changes the size of the passed in ptr to point to s allocated bytes of memory. For example, if s is less than the size currently pointed to by ptr, then the resulting pointer will point to a smaller area of memory. In this example, we consider any input that causes overflow on line 2 or 4 to be an exploit. Thus, the set of inputs which are exploits is $2^{32} - 3 \le \mathit{input} \le 2^{32} - 1$. At best, any exploit will cause a use of ptr after line 6 to cause a denial of service attack by crashing the program, or at worst, allow an attacker to hijack control of the program (as in the real-life vulnerability that motivated this example). The patched program P' adds a check for overflow on line 5. Any input which is an exploit for P will fail the inserted check in P'.

    P:  input is a user input
        1. if (input % 2 == 0) goto 2 else goto 4;
        2. s := input + 2;
        3. goto 5;
        4. s := input + 3;
        5. nop
        6. ptr := realloc(ptr, s);
        7. ... use of ptr ...;

    P': input is a user input
        1. if (input % 2 == 0) goto 2 else goto 4;
        2. s := input + 2;
        3. goto 5;
        4. s := input + 3;
        5. if (s > input) goto 6 else goto ERROR;
        6. ptr := realloc(ptr, s);
        7. ... use of ptr ...

Figure 2. Our running example of an integer overflow input-validation vulnerability in P (top) and the patch P' (below). An integer overflow may happen on lines 2 or 4 of P. Line 5 of P' checks for overflow.

Challenges. One challenge for APEG is that software is often only available in binary (i.e., executable) form. Thus, in our approach and implementation, we target the case when P and P' are binary code. In our setting, P and P' can be either an executable program or a library. Addressing APEG for libraries is important since a) library vulnerabilities may often be exploited by multiple programs which use the library, and b) on many OSs security updates are often to libraries. For example, we conducted a survey of patches released from Microsoft in 2006 and found 84% of the security-related updates were changes in libraries. If P is a library, then the generated exploit x is a valid set of arguments to an exported (e.g., callable) function in the library, while if P is a program, x is an input to the program.

Another challenge is to isolate what changes have occurred between P and P'. To address this problem, security practitioners have developed tools, such as bindiff [33] and EBDS [13], which first disassemble both P and P', and then identify which assembly instructions have changed. Security practitioners use these differencing tools to help manually reverse engineer the unknown or unpublished vulnerability that a patch addresses [13, 14, 31, 33], and in some cases, manually create exploits [14]. However, it is insufficient to simply locate the instructions which have changed between P and P'. In order for APEG to be feasible, one has to solve the harder problem of automatically constructing real inputs which exploit the vulnerability in the original unpatched program. Further, when feasible, it is important to know the speed at which exploits can be generated from patches in order to design adequate security defenses.

Approach Overview. Our approach to APEG is based on the observation that input-validation bugs are usually fixed by adding the missing sanitization checks. The added checks in P' identify a) where the vulnerability exists, and b) under what conditions an input may exploit the vulnerability. The intuition for our approach is that an input which fails the added check in P' is likely an exploit for P. Our goal is to 1) identify the checks added in P', and 2) automatically generate inputs which fail the added checks. In Figure 2, the goal would be to first discover the check added on line 5, then generate a value for input such that P'(input) fails the check and leads to the ERROR state.

We call execution paths that fail the new check (i.e., execute the ERROR state in our example) in P' exploitable paths since any input that would execute such a path in P' is a likely exploit for P. There may be many exploitable paths, e.g., there are 2 exploitable code paths in our running example. However, the number of exploitable paths is typically only a fraction of all possible execution paths. We propose techniques which scale when there are many different possible paths, but potentially only a few are exploitable. We present three different approaches: a dynamic analysis approach which considers a single path at a time, a static approach which encompasses multiple paths without enumerating them individually, and a combined approach based upon a combination of dynamic and static analysis. We show through evaluation that each technique is useful for automatically generating exploits from patches for different real-world vulnerabilities.

Results Overview. To evaluate the effectiveness of our approach, we have conducted experiments using 5 programs from Microsoft. Each program initially had a serious security vulnerability which was fixed by a patch. In some cases, the vulnerability is widely exploited, indicating the potential impact of future automatically generated exploits. Our results also show that each of the 3 approaches we propose has strengths for different vulnerabilities. In each case we are able to generate an exploit, usually within a few minutes. The fastest end-to-end time in which we were able to generate a verifiable exploit is under 30 seconds. We believe that with further work on our research prototype this time could be reduced.

In our evaluation, for the cases when a public proof-of-concept exploit is available, the exploits we generate are often different than those publicly described. We also demonstrate that we can automatically generate polymorphic exploit variants. Finally, we are able to automatically generate exploits for vulnerabilities which, to the best of our knowledge, have no previously published exploit.

Contributions. This paper shows that automatically generating exploits from patches within minutes should be considered practical. Current patch distribution architectures are not designed with the threat of APEG in mind. We argue that our results imply that we should immediately begin rethinking the design of current patch distribution architectures, and to this end, we propose several research directions.

Although we target the case where APEG is used by an attacker, APEG is also useful for security practitioners. For example, since APEG demonstrates a bug is exploitable, it could be used by vendors to prioritize bug fixes.

At the core of our approach for automatic patch-based exploit generation is the ability to generate an input that fails a check at a specified line of code. Generating inputs that execute a line of code is also studied in automatic test case generation. However, existing automatic test case generation techniques did not work for several vulnerabilities in our experiments. We propose a new technique based upon a mix of dynamic and static analysis to handle these cases. Thus, our techniques are likely to be of independent interest.

2 Automatic Patch-Based Exploit Generation: Problem Definition and Approach

2.1 Background Definitions

Our techniques are based on methods from the program verification community, thus we adopt their notation in this paper (such as in [11]). A program defines a relationship between an initial state space and a final state space. The state space of a program consists of all variables and memory. In our setting, memory is modeled as an array mapping 32-bit integers signifying memory addresses to 8-bit integers signifying memory values. In our setting, all registers are modeled as variables, and each memory cell can also be considered a separate variable when convenient. In Figure 2, the state space consists of memory and the variables s and input. When desired, we can also distinguish variables by their update site, e.g., the variable s on line 2 from s on line 5 (e.g., by transforming the program into static single assignment form [28]).

A safety policy is a first-order logic Boolean predicate from the program's state space to one of two values: safe or unsafe. In our setting, we consider only safety policies enforceable by an execution monitor [34]. At a high level, such policies are allowed to evaluate a boolean predicate on the program state space at each step of the execution, as well as keep track of any previous states executed so far. Common execution monitor enforceable safety policies include dynamic taint analysis, checking return address integrity, and dynamic type enforcement.

We denote executing P on input x as P(x), and the execution of instruction i as P_i(x). We denote checking the safety policy at execution step i as (P_i(x)). The vulnerability point [5] for a vulnerable program is the first instruction i such that (P_i(x)) = unsafe. We use the term exploit to mean an input x for which the safety policy returns unsafe. For example, if we use a dynamic taint analysis policy, an exploit would be any input that causes the analysis to raise a warning. One reason we use this definition of an exploit is that it does not presuppose a particular attack goal, e.g., information disclosure vs. denial-of-service vs. hijack control flow. This makes sense in our context since the vulnerability itself determines whether such specific attacks are even possible (e.g., information disclosure exploits are orthogonal to control hijack exploits). Note that there are potentially many different exploits, with each individual exploit called a polymorphic variant.

Safety policies are powerful enough (since they are first-order logic Boolean predicates over the entire program state space, including all memory) to specify specific kinds of attack when desired. For example, it is possible to specify a safety policy that is only violated by control hijack attacks. For example, we can create a safety policy which states the return address on the stack should not be overwritten by user input. Such a safety policy would only be violated by a typical control-hijack buffer overflow.

A program control flow graph (CFG) G = (V, E) is a graph where each vertex v ∈ V is a single instruction, and there is an edge (i1, i2) ∈ E if there is a possible transfer of control from instruction i1 to i2. An execution path is a sequence of vertices through the control flow graph such that for each vertex there is an edge to the next vertex in the CFG (note vertices may repeat in the path).

2.2 The Automatic Patch-Based Exploit Generation Problem

In the automatic patch-based exploit generation problem, we are given two versions of the same program P and P' where P' fixes an unknown vulnerability in P. The goal is to generate an exploit for P for the vulnerability fixed in P'. More formally, we are given a safety policy, and the programs P and P'. The purpose of the safety policy is to encode what constitutes an exploit. Our goal is to generate an input x such that (P(x)) = unsafe, but (P'(x)) = safe.

2.3 Problem Scope and Approach

Vulnerabilities Addressed in this Paper. We focus on input validation vulnerabilities where user input is not sufficiently sanitized in P, but is sanitized via new checks in P'. Many common vulnerabilities are input validation vulnerabilities which are fixed by adding input sanitization logic. For example, if P is vulnerable to an integer overflow attack, then P' may insert a check for this overflow, and ultimately we will be using that inserted check to help derive an exploit. Another example is when P contains a typical buffer overflow where an input string may be too large, which is addressed in P' by inserting a check for overly-long inputs. However, a fix in which P' increases the size of the destination buffer to accommodate overly-long inputs currently falls outside our problem setting. We plan on targeting other types of vulnerabilities in future work.

Approach Overview. Our approach to APEG is based on the observation that the new sanitization checks added to P' often 1) identify the vulnerability point where the vulnerability occurs, and 2) indicate the conditions under which we can exploit P. Thus, an input x that fails the added sanitization check at the vulnerability point in P' is a candidate exploit for P. We call x a candidate exploit because a new check may not correspond to a real vulnerability. We verify a candidate exploit by checking (P(x)), e.g., observing the execution of P(x) within an execution monitor. Our approach therefore attempts to generate inputs which would fail the new checks inserted at the vulnerability point.

We can use off-the-shelf tools to identify the vulnerability point and the added checks. In our implementation, we use EBDS [13], a tool that automatically compares two executables and reports the differences. We can also use off-the-shelf safety checkers for the safety policy. For example, dynamic taint analysis is a type of execution monitor commonly used to detect a wide variety of exploits. Thus, in this paper, we focus on the technical challenge of how to automatically generate candidate exploits which reach and fail the given new checks in the patched version. To address this technical challenge, we propose an approach which 1) generates the set of constraints on the input domain to reach and fail the new check, and 2) finds a satisfying answer to the constraints, which is a sample candidate exploit.

More formally, we compute the weakest precondition [11] on the input state space of P' to execute and fail the desired check. The weakest precondition is a constraint formula $F : I \to \{\mathrm{true}, \mathrm{false}\}$ where I is the input state space, and a satisfying answer is our sample exploit. For example, the constraint formula

$$F(\mathit{input}) := \mathit{input}\ \%\ 2 == 0 \;\wedge\; s = \mathit{input} + 2 \pmod{2^{32}} \;\wedge\; \neg(s > \mathit{input})$$

is satisfied by all inputs that execute the true branch of P in Figure 2 and overflow. Finally, given the constraint formula, we query a solver to generate a satisfying answer to the formula (i.e., an input x such that F(x) = true). If the solver returns a solution, the solution is a candidate exploit.

Thus, the steps to our approach are:

1. Identify the new sanitization checks added in P'. The remaining steps are performed for each new check individually (see Section 6 for a discussion on multiple checks).
2. Generate a candidate exploit x which fails the new check in P' by:
   (a) Calculating the weakest precondition to fail the new check in P'. The result is the constraint formula F. We present three approaches for generating the constraint formula for this problem in Section 3.2.1.
   (b) Using a solver to find x such that F(x) = true. x is the candidate exploit.
3. Verify a candidate exploit is a real exploit by running (P(x)).
4. If desired, we can generate polymorphic variants. Let x be a known exploit. Let F'(X) = F(X) ∧ (X ≠ x). Then x' such that F'(x') = true is a polymorphic variant exploit candidate. This process can be repeated to enumerate polymorphic variants.

3 Automatic Patch-Based Exploit Generation

In this section, we describe our approach and steps for automatic patch-based exploit generation.

3.1 Differencing Two Binaries Using an Off-The-Shelf Tool

The first step of our patch-based exploit generation is to difference P and P' to find new sanitization checks that are added in P'. Several tools exist for differencing binaries which are reasonably accurate and can be used to determine what new checks exist [12–14, 33]. We look for new checks that introduce a new code path since that indicates that P' is doing something different than P. We use eEye's Binary Diffing Suite (EBDS) [13] in our implementation since it is freely available.

Our approach does not assume the differencer only outputs semantically meaningful differences (see Section 7). In fact, the differencer (EBDS) we use is based upon almost purely syntactic analysis of the disassembled binary. As a result, the list of new checks based on the syntactic analysis is a superset of the meaningful checks. Our approach will (correctly) fail to produce an exploit for semantically meaningless differences. For example, if P has the check i > 10, and P' has the check i − 1 > 9, the differencer may report the latter is a new check. Semantically meaningless differences such as these are weeded out by the verification step. For example, i = 12 is an example input which may satisfy the above difference, but would fail verification since it behaves the same in the new and old version.

EBDS returns the list of differences; we filter them for new checks. EBDS also indicates whether the true or false branch of a new check corresponds to a new path. We assume a new path corresponds to failing the check. For example, in Figure 2 EBDS would report the false branch of the new check on line 5 introduces a new path, and we infer that s > input is the check that should fail.

Recall that the remaining steps in our process of patch-based exploit generation are performed on each identified new check. Of course our approach benefits from better differencing tools which output fewer and more semantically meaningful checks, as fewer iterations are needed. In our evaluation, we measure the number of new checks reported by the tool, but assume the attacker can process each new check in parallel. This is realistic since attackers often have many (perhaps hundreds or thousands of) compromised hosts they can use for checking each reported difference. If there is a need to prioritize which new checks are tried first for APEG, we have found that one effective scheme for prioritizing is to try new checks that appear in procedures that have changed very little. The eEye tool already provides a metric for how much a procedure has changed between P and P'.

3.2 Generating Constraint Formulas

In this section, we discuss techniques for automatically generating the constraint formulas. First, we explore the design space and provide intuition why we need to consider several different approaches. We then provide background on generating formulas using dynamic and static analysis (interested readers should consult the cited papers for full details). We then show how to adapt these ideas to the combined dynamic and static approach.

3.2.1 Key Design Points

The most important design question for constructing the constraint formula is to figure out what instructions to include in the formula. We need to include all the instructions for an exploitable path for the solver to generate a candidate exploit. However, the number of exploitable paths is usually only a fraction of all paths to the new check. Should the formula cover all such execution paths, some of them, or just one? We consider three approaches to answering this question: a dynamic approach which considers only a single path at a time, a static approach which considers multiple paths in the CFG without enumerating them, and a combined dynamic and static approach.

The Dynamic Approach: Generating a Constraint Formula from a Sample Execution. In some cases, the new check appears on a program path which is executed by a known input, e.g., along a commonly executed path. Such normal inputs can be found by examining logs of normal inputs, fuzzing, or other techniques. Of course, a normal input will likely satisfy the new check; otherwise, it is already a candidate exploit.

For such a given input i where P'(i) executes the new check, we use techniques from dynamic analysis to generate the constraint formula representing the constraints on input for any execution of that single path up to the new check. Since the intuition behind our approach is that exploits fail the new check, we add an additional constraint that the input fails the new check.

The dynamic approach produces formulas that are typically the smallest of the three approaches. Since small formulas are generally the easiest to solve, the dynamic approach is usually the fastest for producing candidate exploits.

The ASPNet_Filter vulnerability in our evaluation (Section 4) is an example demonstrating real-world utility of the dynamic approach. In ASPNet_Filter, the vulnerability is in a web server and the new check is added along a common code path which is executed by most URI requests. Thus, it is relatively easy to obtain at least one benign input that reaches the point of the new check, and hence it makes sense to start by analyzing that path first and see if we can generate an exploit using that path.

The Static Approach: Generating a Constraint Formula from a Control Flow Graph. Another approach is to create a formula over a CFG [6]. In particular, in the static case we are concerned with the CFG that includes all paths from the instruction where input is read to the new check. We perform program chopping on the program CFG in order to create a CFG that only includes paths to the new check. Computing a formula over the CFG is more efficient than computing a separate formula for each path in the CFG separately [6].

The static approach will generate a candidate exploit if any path in the CFG is exploitable. Since the static formula potentially includes all instructions in the CFG fragment, the formulas are typically larger and therefore take longer to solve. The DSA_SetItem vulnerability in our evaluation is an example where a purely static approach works.

Creating Constraint Formulas Using Combined Dynamic and Static Approach. If the CFG fragment contains a large number of instructions (because it covers a large number of paths), the generated formula may be too large for the solver. On the other hand, an exploit may never take the same execution path as a known input, thus a purely dynamic approach may not work either. We propose a third approach which mixes the dynamic and static approaches to generating constraints.

The intuition behind the combined approach is to combine information about code paths we know how to execute via known inputs, and additional code paths we wish to explore using static analysis. For example, we may know an input which does not reach the point of the new check, but does get us half-way there. We can use the dynamic analysis to the half-way point, then use the static approach for all paths from the half-way point to the new check. The advantage of the combined approach is that it provides a way of considering a subset of paths so that the generated formula is (hopefully) small enough for the solver to generate a candidate exploit. The IGMP vulnerability in our evaluation is an example of this case where neither the static nor dynamic approach worked alone, but the combined approach generated a working exploit.

3.2.2 Background: Generating a Constraint Formula from a Sample Execution

Here we provide a recap of the overall method for generating a constraint formula from an execution trace. Due to space, interested readers should consult previous work [4, 5, 7, 19, 30] for a more thorough treatment.

The dynamic approach for creating a formula takes as input P', the new check, and a sample input i. We execute P'(i) and record each instruction executed up to the sample check. We generate the constraint formula over the instructions executed along this path. To be efficient, we only record instructions (including all of their explicit and implicit operands) dependent upon inputs since we only tackle vulnerabilities which can be exploited via user input.

Table 1. Rules for calculating the weakest precondition.

$$\frac{}{wp(x := e,\; Q) \vdash \mathrm{let}\ x = e\ \mathrm{in}\ Q}\ \textsc{Assign}
\qquad
\frac{}{wp(\mathrm{assert}\ e,\; Q) \vdash e \wedge Q}\ \textsc{Assert}$$

$$\frac{wp(s_1,\; wp(s_2,\; Q)) \vdash Q_1}{wp(s_1;\, s_2,\; Q) \vdash Q_1}\ \textsc{Seq}
\qquad
\frac{wp(s_1,\; Q) \vdash Q_1 \qquad wp(s_2,\; Q) \vdash Q_2}{wp(\mathbf{if}\ e\ \mathbf{then}\ s_1\ \mathbf{else}\ s_2,\; Q) \vdash (e \Rightarrow Q_1) \wedge (\neg e \Rightarrow Q_2)}\ \textsc{Choice}$$

Modeling the Executed x86 Instructions. In order to generate the constraint formula, we need to know the effects of each instruction executed. x86 is a complex instruction set. To accurately build the constraint formula, we need to model the effects of an x86 instruction correctly, including all implicit side effects such as updates to status registers. Thus, we raise the x86 instructions to an assembly modeling language we designed called Vine [2]. The ability to model the effects of each x86 instruction accurately is essential for automatically generating exploits.

We create a model of the trace by raising each instruction in the trace to Vine. We first lift each recorded instruction to Vine in a syntax-directed manner, e.g., if the x86 instruction add eax, ebx is in the trace, we produce the model statement eax = eax + ebx. Next, any operand which is not dependent upon input is replaced with its concrete value. Last, we assert that each branch condition in the trace will evaluate the same way as in the executed path.

Generating a Constraint Formula from the Modeled Path. The resulting execution trace from P'(i) defines a single program path, which is also a valid model in Vine. The constraint formula is calculated over the straight-line model by calculating the weakest precondition [11]. We calculate the weakest precondition using the efficient algorithm and implementation given in Brumley et al. [6]. Table 1 shows the rules for calculating the weakest precondition. Each rule is read as an implication: if a program fragment matches the pattern shown below the horizontal bar to the left of the turnstile (⊢), we perform the calculation shown on the top. The resulting formula is to the right of the turnstile. The rules inductively form an algorithm. The algorithm is initialized with wp(P'(i), Q), where Q is a predicate that states the new check fails.

3.2.3 Background: Generating a Constraint Formula from a CFG

In the static approach, we raise all of P' to Vine as the first step. Since we are only concerned with paths that execute the new check, we remove Vine statements in the model for other paths. We achieve this by computing the chop [5, 6], and then constructing the constraint formula on the chop. Chopping is a technique which creates a smaller model that includes only those statements relevant to executing a sync node from a given start node in the CFG. In the static case, the start node is the input instruction, and the sync node is the new check. The exact algorithm we use for chopping is detailed in [5, 6].

The formula we ultimately generate is over the CFG. Thus, a smaller, more compact CFG will generally lead to a smaller, easier-to-solve formula. In our experiments, the time to solve formulas usually dominates total exploit generation time, thus making formulas as easy as possible for the decision procedure to solve is important. Our experience has shown three common reasons formulas may take longer to solve: 1) "dead" code in the model where a value is computed but never used, 2) algebraic simplifications that can be performed, and 3) common sub-expressions that are recomputed. We have implemented common compiler optimizations on our modeling language to optimize the model: we remove dead code, perform as much algebraic simplification as possible, and remove redundant sub-expressions. In our evaluation, we show these optimizations can double the speed at which formulas are solved. (Note that these optimizations can also be applied in the dynamic case.)

The weakest precondition calculation used for the dynamic case applies equally well to any acyclic CFG [6]. We create an acyclic CFG by unrolling loops and recursive procedures a fixed number of times. Determining how many times to unroll a loop is known to be undecidable. In our evaluation, we unrolled loops only once. The size of the generated formula is $O(n^2)$ in the number n of Vine statements in the acyclic CFG [6]. Note that enumerating each path and applying a dynamic approach would result in a total formula $O(2^b)$ for b branches. Therefore, even though the static approach generates large formulas, it is more efficient than simply iterating the dynamic approach.

3.2.4 Formula Generation by Combined Static and Dynamic Analysis

Recall that the formula must cover all instructions for an exploitable path in order for the solver to generate a candidate exploit. The dynamic approach considers only a single program path to the new check, but generates compact formulas and requires we know an input that executes the new check. The static approach covers more paths, but may produce larger formulas. At a high level, the only difference between the two is that the dynamic approach uses a trace to generate a straight-line program, over which we generate a formula, while the static approach uses the program to generate a branching acyclic program, over which we generate a formula. Thus, it should be of no surprise that the two can be combined where we alternatively combine the dynamic and static approach to select paths for formula generation. Although both the static and dynamic approach alone have been used previously to generate formulas, we are the first to propose the combined dynamic and static approach and demonstrate its feasibility in practice.

[Figure 3. A graphical depiction of building a model of combined dynamic and static information.]

The high level intuition of a combined approach can graphically be represented as lolly-pop shaped, as shown in Figure 2. The combined approach offers a balance between the efficiency offered by single-path models produced by dynamic execution and the code coverage offered by multiple-path static techniques.

Suppose we have a trace containing executed instructions 0..n. Let instruction i, 0 ≤ i ≤ n, be in a dynamic execution, and let there be a path from i to the new check, as shown in Figure 2. We build a combined model by first truncating the execution trace at instruction i to create the "stick" end. We create the lolly end by chopping off the program using the successor of i as the chop start and the new check as the chop sink. The two pieces are put together by adding the edge from i in the dynamic model to its successor in the static model. The resulting model considers only the straight-line program path up to i, then any subsequent path from i to the new check. We then compute the weakest precondition over the combined model.

The intuition why this works is that if we lifted the entire chop from instruction 0 to the new check, then the particular path taken by dynamic analysis is a path in the chop. Therefore, the path up to some step i in the dynamic trace to the chop is also a path. In the worst case, all paths from i to the new check are infeasible, i.e., there is no input that takes the path 0..i and then the successor i + 1 to the new check. Since the combined approach takes in two models and sequentially combines them, the result is a model.

For example, in our evaluation of the IGMP vulnerability, we combine an execution path that cannot be turned into an exploit with a chop of the procedure that contains the new check to create a combined model. Generating a formula and solving this model produces a working exploit for this example, but both the pure dynamic and static approaches do not.

Automatic Combined Execution. Automatic combined execution requires automatically deciding the mix point. In Figure 3, the question is which point should we choose as i. Of course one pre-requisite is we should choose an i such that there is a path in the static model from i to the new check. However, there still may be many such instructions in the trace.

One straight-forward approach is to take the i closest (in terms of CFG distance) to the new check and generate the combined model. If the formula generated on the combined model has no exploit, we pick instruction i − 1, and iterate.

In our experiments, we found a good heuristic that is quicker than the iterative approach is to choose i at procedure boundaries. Procedures are intended to perform a specific task independent of the remaining code. Therefore, by mixing at procedure points, the combined model includes overall tasks, instead of specific code paths. One implementation advantage of choosing procedure boundaries is that it is relatively straight-forward to implement automatic mixing: we simply set up a call to the static model of the procedure at the desired mix point in the trace.

3.3 Generating a Candidate Exploit from the Constraint Formula

We use STP [16], a decision procedure that supports bit-level operations, as a solver to generate candidate exploits from the constraint formula. When STP returns a satisfying solution for a given constraint formula, the solution provides a candidate exploit. By construction, the satisfying assignment will ensure that inputs taking on such satisfying assignment will make the program execution reach the point of the new check and fail the new check.

The need for bit-level support in the solver is necessary since assembly code typically makes use of bit-level operations such as logical shifts. For example, zeroing out a register r is usually not handled by a mov r, 0, but by the equivalent xor r, r.

If the solver returns that there does not exist a satisfying solution for a given constraint formula, this means that it is not possible to have an input going down the paths covered in the constraint formula and failing the check. Thus, we need to build other constraint formulas covering other paths.

In some cases the solver may take too long to return an answer. In this case, we set a timeout and then move on to build other constraint formulas covering other paths. For example, the mix point can be changed so that fewer paths are included. In Section 4.4 we evaluate how changing the mix point affects how long it takes the solver to generate a candidate exploit.

3.4 Generating Polymorphic Exploits

Our approach allows us to enumerate (candidate) polymorphic exploit variants of the paths covered by F. Suppose x satisfies F. Let F'(X) = F(X) ∧ (X ≠ x). F' is satisfied by all inputs except x that fail the check and execute a path in F. Therefore a satisfying answer x' such that F'(x') = true is a polymorphic (candidate) exploit variant. This process can be repeated as desired.

3.5 Verifying a Candidate Exploit

We verify the candidate exploit x by checking if the safety policy is violated when executing P(x). In our implementation, we use an off-the-shelf dynamic-taint-analysis-style exploit detector as a black box for memory safety vulnerabilities. Using other types of exploit detectors is also possible. The candidate exploit is verified when the detector returns unsafe. If the verifier returns safe, and all paths to the new check have not been analyzed, then we ite
ratetheaboveprocedureondifferentcodepathsuntilanexploitisgeneratedorallpathsareexhausted.3.6ImplementationOurimplementationofourthreeapproachesforcreatingtheconstraintformulasiswritteninamixtureofC++andOCaml.About16,500linesofC++codeisrespon-sibleforraisingx86toVine.Thereareabout21,000linesofOCaml.Mostoftheanalysis,includingchop-ping,codeoptimizations,andinterfacingwiththedeci-sionprocedureiswritteninOCaml.4EvaluationInthissection,weevaluateourapproachon5differ-entvulnerableMicrosoftprogramswhichhavepatchesavailable.Ourexperimentshighlightthateachapproachforconstraintformulageneration—dynamic,com-bined,andstatic—isvaluableindifferentsettings.Weshowthatwecangenerateexploitswhennopublicex-ploitisavailable(tothebestofourknowledge)fortheASPNet Filter,IGMP,andPNGvulnerabilities.Wealsoshowthatwecangeneratepolymorphicexploitvariants.Wefocusonreportingourresultsongeneratingex-ploitsforthenewcheckwhichisexploitable,asdis-cussedinSection3.1.Wealsoreporttheorderinwhichtheexploitablecheckwouldbefoundusingtheleast-changedheuristicfromSection3.1.4.1VulnerabilityandExploitDescriptionDSA SetItemIntegerOverowVulnerability.TheDSA SetItemroutineincomctl32.dllperformsmemorymanagementsimilartorealloc[35].Theproceduretakesin(essentially)apointerp,asizeforeachobjects,andatotalnumberofobjectsn.Theprocedurecallsrealloc(p,sn).Anoverowcanoccurinthemultiplicationsn,resultinginasmaller-than-expectedreturnedpointersize.Subsequentuseofthepointeratbestcausestheapplicationtocrash,andatworst,canbeexploitedtohijackcontroloftheapplication.DSA 
SetItemcanbecalleddirectly,orindirectlybyamaliciouswebpageviathesetSliceJScriptmethod.Inpractice,thisvulnerabilityiswidelyexploitedonthewebeitherbyovertlymalicioussitesandlegitimatebuthackedwebsites[29].Thepatchedversionaddslogictoprotectagainstin-tegeroverow.Inparticular,itaddsacheckthatover-owneverhappensandtheresultis231(i.e.,alwayspositive).EBDStook371.9secondstoperformthediff.21functionswerefoundchanged,and5newfunctionswereadded.Giventheleast-changedheuristic,theex-ploitablecheckwouldbethe3rdchecktried.ExploitGenerated:Theexploitswegeneratedcausedadenialofserviceattack,e.g.,InternetExplorercrashed.Anythatcandetectpointermisuseissuitable:weusedTEMU[2].Wealsocouldspecifyspecicmemorylo-cationstooverwrite.Determiningthespecicaddressforasuccessfulcontrolhijackrequirespredictingtheprocessesmemorylayout,whichchangeseachtimetheprocessisinvoked.Attackerscurrentlydothisbyessen-tiallyrepeatedlylaunchinganattackuntilthememorylayoutmatcheswhattheexploitexpects.Wesimilarlyrepeatedlylaunchtheattackuntilweachieveasuccess-fulcontrolhijack.ASPNet FilterInformationDisclosureVulnerability(MS06-033;BugtraqID#18920;CVE-2006-1300).TheASPNet FilterDLLisresponsibleforlteringASPrequestsfortheMicrosoft.NETIISServer,andisvul-nerabletoaninformationdisclosureattack.ThemodulelterssensitivefoldernamesfromaURIrequestduringprocessingsothatinformationcontainedinthesefoldersisnotdiscloseduponresponse.Thesefoldersareauto-maticallybuiltusingASP.NET'sdefaulttemplate.Forexample,App Data,App Code,andBinareusedto 
store data files, dynamically compiled code, and compiled assemblies, respectively. An exploit for this vulnerability would allow the attacker to view files under these folders. This is a serious vulnerability because scripts in these directories often contain sensitive information, such as passwords, database schemas, etc. To the best of our knowledge, there are no public exploits for this vulnerability.

The unpatched version performs proper filtering for URI requests that use forward slashes ('/'), but not backslashes ('\'). The patched version fixes this vulnerability by checking for '\' and flipping them to '/'.

EBDS took 16.6 seconds to perform the diff. One new function was added, along with 4 changes to existing procedures to call the new function. The exploitable check using the least-changed heuristic would be the first one tried.

Exploit Generated: The exploit we generated was able to read files in the protected directories. Currently we have not implemented a detector that detects such attacks, so we verified the generated candidate exploit manually.

IGMP Denial of Service Vulnerability (MS06-007; Bugtraq ID #16645; CVE-2006-0021). The IGMP (Internet Group Management Protocol) protocol is used for managing the membership of multicast groups. An exploit for this vulnerability is an IGMP query packet with invalid IP options. The invalid options can cause the IGMP processing logic to enter an infinite loop. Since IGMP is a system-level network service, an exploit will freeze the entire vulnerable system. The patch adds checks in the IGMP processing routine for invalid IP options. To the best of our knowledge, there is no public exploit for this vulnerability.¹

¹ An EBDS [13] tutorial discusses this vulnerability. However, they do not create an exploit.

EBDS took 157.08 seconds to diff the patched and unpatched tcpip.sys. The diff identified that one function was changed. Using the least-changed heuristic, the exploitable check would be first.

The exploit we generated successfully caused the denial-of-service. Currently we have not implemented a detector that detects deadlock due to an infinite loop, thus we verified our candidate exploit manually.

GDI Integer Overflow Vulnerability (MS07-046; Bugtraq ID #25302; CVE-2007-3034). The Windows Graphic Device Interface (GDI) is the core engine for displaying graphics on screen. The GDI routine responsible for showing metafile graphics is vulnerable to an integer overflow. The integer overflow can subsequently lead to a heap overflow, which at best causes a system crash, and at worst, can result in a successful control hijack. The patch addresses the integer overflow by adding 5 additional checks when loading a metafile. The unpatched version is exploitable when any one of the 5 checks fails.

EBDS took 109 seconds to diff the patched and unpatched version. The diff identified the 5 additional checks. Since an exploit can fail any of the 5 checks, an exploitable check would be tried immediately using the least-changed heuristic.

Exploit Generated: The exploit we initially generated caused a denial-of-service. This vulnerability is similar to DSA_SetItem: we can specify what to overwrite in the heap structure, but the location of the heap structure depends upon the process layout. Thus, a successful control hijack required repeatedly launching the attack. Any detector that detects pointer misuse is appropriate: we used TEMU [2].

PNG Buffer Overflow Vulnerability (MS05-025; Bugtraq ID #13941; CAN-2005-1211). PNG (Portable Network Graphics) is a file format for images utilized by many programs such as Internet Explorer and Microsoft Office programs. Each PNG image contains a series of records which specify different properties of the image, e.g., whether the image is indexed-color or gray-scale, the alpha channel, etc. In the indexed-color mode, the record format specifies an additional alpha channel byte value for each indexed color. A heap-based buffer overflow occurs in early Microsoft implementations when the number of alpha channel bytes exceeds the number of pre-specified colors.

The patched version adds additional checks to validate PNG record fields. To the best of our knowledge, there are no public exploits for this vulnerability. The total time to diff the two versions was 27.05 seconds. Changes were only reported in the vulnerable procedure, with the exploitable check being the first using the least-changed heuristic.

Exploit Generated: The exploit we generated initially caused the program to crash, similar to GDI and DSA_SetItem. Again, we use TEMU [2] to confirm candidate exploits, but any detector that detects pointer misuse is also possible. This attack is on the heap, and also required us to repeatedly launch the attack to achieve successful control hijack.

4.2 Patch-Based Exploit Generation using Dynamic Analysis

We successfully generated exploits for the DSA_SetItem, ASPNet_Filter, and GDI vulnerabilities using dynamic analysis. For DSA_SetItem, we recorded the execution trace of IE6 loading a valid web page that calls the setSlice ActiveX control method, which in turn calls DSA_SetItem. For ASPNet_Filter, we recorded IIS processing an HTTP request from a log file. For GDI, we created an image within a PowerPoint presentation, then saved the image in the Windows metafile format. We recorded the execution of a small GDI application loading the saved file. All execution traces were recorded using TEMU [2].

            DSA_SetItem   ASPNet_Filter   GDI
  Trace        4.99           4.50        9.92
  Formula      0.52           0.14        0.41
  Solver       0.17           6.93        0.01
  Total        5.68          11.57       10.34

Table 2. Time to generate an exploit using the dynamic approach. All times are in seconds.

Table 2 shows an overview of our results. All times in the table are in seconds. The "Trace" row shows the amount of time it took to generate a trace using TEMU. The "Formula" row shows the amount of time to lift the trace to our modeling language and produce the constraint formula. The "Solver" row indicates how long it took the solver to solve the formula. The total time to generate an exploit after diffing is under 12 seconds in all experiments. If we include diffing time, then the total exploit generation time for DSA_SetItem is 377.58 seconds, ASPNet_Filter is 28.17 seconds, and GDI is 119.34 seconds.

We were not able to generate exploits using the dynamic approach for the IGMP and PNG vulnerabilities. For IGMP, we recorded the execution of Windows processing the sample IGMP message from [10]. The identified new checks were executed. However, the constraint formula built was not satisfiable by any input that failed the new check. The reason is that the particular execution path taken was already constrained so the added check could never fail (i.e., it was redundant along that path). For PNG, we were not able to generate an exploit for a sample execution trace for the same reason: the path constraints prevented the new check from ever failing. In particular, the execution of PNG involves the calculation of a CRC-32 checksum. There were no other inputs along the chosen path that satisfied the checksum while failing the new check.

              DSA_SetItem            GDI
              noopt      opt         noopt    opt
  ModelGen      1.35      1.45        3.61    3.97
  Formula       2.48      0.87        3.45    1.02
  Solver      182.91     81.15       19.61   21.42
  Total       186.74     83.47       26.67   26.41

Table 3. Time to generate an exploit using the static approach. All times are in seconds.

4.3 Patch-Based Exploit Generation using Static Analysis

We were able to generate exploits for the DSA_SetItem and GDI vulnerabilities using a purely static approach. For DSA_SetItem, the static model included setSlice and DSA_SetItem. For GDI, the vulnerable procedure GetEvent is reachable by the explored API CopyMetaFileW. Thus, our static model consisted of these two functions.

Table 3 shows an overview of our results. All times in the table are in seconds. We include in this table the time to generate a model of all static paths to the new check under the "ModelGen" row. For each vulnerability, we also consider two cases: with and without the optimization on the model discussed in Section 3.2.3. Without optimization, we were able to generate exploits for DSA_SetItem in 186.74 seconds. When we enable optimizations, the time to generate the model increases, but the subsequent steps are much faster. In particular, the optimizations for DSA_SetItem reduce the time to generate an exploit from the formula by about 55%. We believe further optimizations would likely further reduce the solution time. For GDI, the optimizations had little effect, saving only .26 seconds overall.

We enumerated 3 different exploits for the DSA_SetItem vulnerability. In particular, we enumerated both the public exploit, and 2 new exploit variants.

One way to compare the advantage of the static approach is to measure the number of paths to the new check included in the formula. A similar formula using the dynamic approach alone would require enumerating each path. There are 6 exploitable paths to the new check for DSA_SetItem in the static model we consider. There are about 1408 total paths in the static model for the GDI vulnerability.

We were not able to generate exploits statically for the PNG, IGMP, and ASPNet_Filter vulnerabilities. In the ASPNet_Filter vulnerability, there are system calls not currently supported by our constraint formula generator. The standard solution is to generate summaries of the effects [6, 8]. A manual analysis indicates that simply omitting the various calls would likely still result in a formula that generates exploits. We leave exploring such extensions as future work. We could not generate exploits for all paths statically for the PNG and IGMP vulnerabilities because the solver ran out of memory trying to solve the generated constraints.

            DSA_SetItem   IGMP    GDI     PNG
  TraceGen     4.99       10.14   9.92   103.28
  ModelGen     1.42        2.58   3.36     0.58
  Formula      0.31       12.57   .027     0.28
  Solver       4.79        3.78   0.26     0.14
  Total       11.51       29.07  13.57   104.28

Table 4. Time to generate an exploit using the combined approach. All times are in seconds.

4.4 Patch-Based Exploit Generation using Combined Analysis

We successfully generated exploits using the combined approach for DSA_SetItem, IGMP, GDI, and PNG. In our experiments, we use the heuristic to mix at procedure boundaries.

Table 4 shows our results when we mix using the dynamic trace from Section 4.2 up to the vulnerable procedure. The static approach generates a formula for the vulnerable procedure. The two are then spliced together. The mixed approach works for IGMP and PNG, but the purely dynamic and purely static approaches do not. In both cases the purely dynamic approach fails because the executed path in the trace is not exploitable. In both cases the static approach also fails because the solver runs out of memory. The combined approach offers a way to build a formula for a subset of potentially exploitable paths without enumerating them individually.

We also measured how mixing reduces the static formula size for the IGMP vulnerability. The shortest call path to the vulnerable function has length 5: IPRcvPacket → DeliverToUserEx → DeliverToUser → IGMPRcv → IGMPRcvQuery. We consider mixing at IGMPRcvQuery, IGMPRcv, and DeliverToUser, i.e., the formula consists of all paths through 1, 2, and 3 procedures, and the rest from the dynamic path.

  Dyn:Static   Formula Size   Solver Time   #Paths
  4:1              309250        18.94         496
  3:2              310414        22.77         496
  2:3             6549513   Out of Mem       10416

Table 5. Results for changing the mix point at different points in the call path to the vulnerable procedure. The formula size is the number of expressions in the formula. Solver time is in seconds.

Table 5 shows our results. This table shows that using the dynamic formula for IPRcvPacket → DeliverToUserEx → DeliverToUser and the static for IGMPRcv and IGMPRcvQuery is solvable, while adding all paths for DeliverToUser creates a formula that is too difficult to solve. It also shows a common behavior when solving formulas in our experience: they are either solvable relatively fast, e.g., within a few minutes, or they are not solvable within a reasonable amount of time.

5 Implications of Automatic Patch-Based Exploit Generation

Our evaluation demonstrates APEG for several vulnerabilities. Since we must conservatively estimate the capabilities of attackers, we conclude APEG should be considered a realistic attack model. The feasibility of automatic exploit generation has important implications on the security landscape. One of the most immediate problems is rethinking today's patch distribution practices in light of these results.

In today's patch distribution practices, vulnerable systems typically download patches at different times, creating a time window from when the first vulnerable system downloads a patch to the last. Staggered patch distribution is attractive because it prevents huge traffic spikes when a new patch is released. For example, recently Gkantsidis et al. conducted a large scale study of users of Microsoft Update. Their measurements show that it takes about 24 hours for Windows Update to see 80% of the unique IPs of hosts checking for a patch [18]. These measurements confirm the intuition that not everyone will receive a patch at the same time, with gaps of hours if not longer before even the majority receive the update.

In our results, we are typically able to create exploits from the patch in a matter of minutes, and sometimes seconds. Therefore, APEG could enable those who first received a patch to generate an exploit and compromise a significant fraction of systems before they even had a chance to download the update. Note this is irrespective of whether people actually apply the patch; the issue is whether they even have the opportunity to apply it.
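The patch-encryption direction that Section 5 goes on to describe (ship an encrypted blob during the staggered window, broadcast a short key later), worked through as an added example; this is not code from the paper or its authors. It assumes an HMAC-SHA256 counter-mode cipher with an encrypt-then-MAC tag so that it runs on the Python standard library alone, and the sample patch text and host timeline are constructed.

```python
"""Patch encryption with delayed key release (added example, not the paper's code).

The vendor pushes an encrypted blob during the staggered distribution window and
broadcasts the short key once the blob has reached (nearly) everyone. A host that
holds only the blob learns nothing about which checks were added, so a differencer
has nothing to work on until the key is out, and every host that already has the
blob can apply it at the same moment.

Assumptions, not taken from the paper: the cipher is HMAC-SHA256 in counter mode
with an encrypt-then-MAC tag, chosen only so this runs on the standard library
(use a vetted AEAD in practice); the patch text and host timeline are constructed.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import List, Optional, Tuple

KEY_BYTES = 16  # 128-bit key: the size the paper cites as cheap to broadcast


@dataclass(frozen=True)
class EncryptedPatch:
    """What hosts download during the staggered window: opaque without the key."""
    nonce: bytes
    ciphertext: bytes
    tag: bytes


def _subkeys(key: bytes) -> Tuple[bytes, bytes]:
    """Derive separate encryption and MAC keys from the one broadcast key."""
    enc_key = hmac.new(key, b"patch-enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"patch-mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF keystream made of HMAC-SHA256(enc_key, nonce || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_patch(key: bytes, patch: bytes) -> EncryptedPatch:
    """Vendor side: build the blob that is safe to hand out before the key."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    stream = _keystream(enc_key, nonce, len(patch))
    ciphertext = bytes(p ^ k for p, k in zip(patch, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return EncryptedPatch(nonce, ciphertext, tag)


def decrypt_patch(key: bytes, blob: EncryptedPatch) -> Optional[bytes]:
    """Host side, once the key arrives. Returns None when the blob does not
    authenticate under this key (wrong key, forged broadcast or tampered blob),
    so a host never applies a patch it cannot verify."""
    enc_key, mac_key = _subkeys(key)
    expected = hmac.new(mac_key, blob.nonce + blob.ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob.tag):
        return None
    stream = _keystream(enc_key, blob.nonce, len(blob.ciphertext))
    return bytes(c ^ k for c, k in zip(blob.ciphertext, stream))


def apply_times(download_times: List[float], key_release: Optional[float]) -> List[float]:
    """Earliest time each host can apply the patch.

    Without encryption (key_release is None) a host applies, and can diff, as
    soon as it has the patch, so early downloaders are ahead of late ones by the
    whole window. With encryption every host that downloaded before the
    broadcast applies at the broadcast; a host that only comes online afterwards
    (the off-line host problem the paper raises) still lags."""
    if key_release is None:
        return list(download_times)
    return [max(t, key_release) for t in download_times]


def exposure_window(apply: List[float]) -> float:
    """Gap between the first host able to apply (and diff) and the last."""
    return max(apply) - min(apply)


if __name__ == "__main__":
    # Constructed stand-in for the real binary delta.
    sample_patch = b"--- a/dsa.c\n+++ b/dsa.c\n+ if (n != 0 && s > SIZE_MAX / n) return NULL;\n"
    key = secrets.token_bytes(KEY_BYTES)
    blob = encrypt_patch(key, sample_patch)
    assert decrypt_patch(key, blob) == sample_patch
    assert decrypt_patch(secrets.token_bytes(KEY_BYTES), blob) is None
    # Constructed timeline in hours: hosts check in over a day, key released at 24h.
    downloads = [0.0, 3.0, 12.0, 23.5]
    print("staggered only:", exposure_window(apply_times(downloads, None)))    # 23.5
    print("with key broadcast:", exposure_window(apply_times(downloads, 24.0)))  # 0.0
```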
There are many approaches to fix staggered patch distribution. We discuss three directions: 1) make it hard to find new checks (through obfuscation), 2) make it so everyone can download the update before anyone can apply it (using encryption), and 3) make it so everyone can download the patch at the same time (using P2P).

Patch Obfuscation. One approach is to hide what lines of code changed between P and P'. In particular, vendors could obfuscate patches such that the difference between P and P' is very large. This approach would be the easiest way to break our particular implementation, since the results of EBDS [13] would contain too many instructions to isolate which checks were added.

The advantage of this approach is that obfuscation techniques are widely available. However, there are many challenges to the obfuscation approach. For example, figuring out the level of obfuscation necessary to thwart attackers may be tricky. Simple instruction replacement, e.g., multiplications by 2 with left shifts, may thwart EBDS but not a more sophisticated tool that focused on semantic, not assembly-level syntactic, differences. Another problem is that the effects of obfuscation should be transparent to legitimate users, e.g., obfuscation that degrades performance is likely unacceptable.

Patch Encryption. We could initially encrypt patches so that simply having the patch leaks no information. Then, after a suitable time period, a short decryption key (e.g., 128-bits) is broadcast. This scheme allows all users who have the patch and receive the key to apply it simultaneously. Others have independently arrived at similar ideas [32].

Patch encryption allows vendors to use essentially the same staggered patch distribution architecture while defending against automatic patch-based exploit generation. Simultaneously (or near simultaneously) distributing the decryption key is possible since the key is very small, e.g., 64-bits. Therefore, this scheme is potentially fair in the security sense: everyone has the same opportunity to apply the patch before anyone could potentially derive an exploit. However, one potential problem is how to handle off-line hosts. A second problem is that the actual fixes are delayed from the user's perspective, which raises a number of policy issues. There are security-related policy choices, e.g., should patches be encrypted when a zero-day exploit is available to a few attackers, but not all attackers. There are also human-related choices, e.g., people may not like the idea of having a patch that they cannot apply. Further research is needed to answer such questions.

Fast Patch Distribution. It may be possible to change patch distribution so everyone receives the patch at about the same time. For example, Gkantsidis et al. propose using a peer-to-peer network for patch distribution in order to reduce the load on patch distribution servers [18]. Such a peer-to-peer system could potentially also distribute patches faster than the centralized model. However, such a scheme would still need to address off-line hosts. It is also unclear whether such a scheme is fast enough to combat APEG.

6 Discussion

Generating Specific Exploits. The techniques we describe generate an exploit from the universe of all exploits for a patched vulnerability. At a high level, the solver gets to pick any exploit that satisfies the generated formula. We can make the formula specific to achieve a particular attack purpose, e.g., a control hijack attack. Note that since initially we do not know what vulnerability is patched, it does not make sense to try to create a specific type of exploit a priori. For example, if the unknown vulnerability is an information disclosure vulnerability, it makes no sense to try to create a control hijack exploit.

However, once we know what vulnerability can be exploited, we can extend our approach to generate specific kinds of attacks, as long as we can write the conditions necessary in the modeling language. Vine allows us to specify meta-properties we would like to hold on the x86 program. Thus, we can state a meta-property such as asserting a store instruction overwrites the return address. For example, the x86 call instruction is modeled as first storing the return address on the stack, then jumping to the designated program location. An x86 return instruction can be modeled as loading a 32-bit number from the stack, then jumping to the given address in Vine. In the modeling language, we can add checks about the x86 program such as the return is to the same address stored by the call instruction. Overwriting the stack pointer is just one example: we could monitor the initial exploit to garner more information about what sensitive data structures are possible to overwrite. We leave exploring this as future work.

Dealing with Multiple Checks. The patch for a single vulnerability may have many new checks in the patched version. In some cases, our techniques will still work, as in the GDI vulnerability. In other cases, it is not so clear. Recall that the model is generated with respect to the patched program. Consider the case where an input has to fail two new checks a and b in sequence to exploit the unpatched version. Initial exploit generation for a may generate an exploit, but verification will fail since by assumption the program is not exploitable when check a fails alone. We then consider b. Since we are building a model over the patched program, the model represents all potential paths through a and b, e.g., the case where they fail together, but also the case where a succeeds but b fails. By default the formula generated by our techniques considers each check independently. Since the set of inputs which fail b and a is a subset of those that just fail b, we may get lucky and the decision procedure returns an input which fails both a and b. From the security standpoint, it is usually prudent to assume attackers are lucky. However, we may also get back an answer where b fails but a does not, since that is all the formula required. This can be solved by querying for various combinations of new checks. Since considering each combination is undesirable, this problem would benefit from further research.

Note an independent problem is if an update addresses multiple vulnerabilities. Since our current approach considers each check individually, it would simply be iterated over all checks irrespective of how many vulnerabilities are patched.

Other Applications of Our Techniques. Our techniques have applications in other areas. For example, automatic deviation detection is concerned with the problem of finding any input i for programs P1 and P2 such that the behavior of P1(i) is different than P2(i). In our scenario, P1 = P and P2 = P', and the deviation input i = e such that P1 is exploited but P2 is not. Previous work focused on deviation detection from a single dynamic trace [4]; we consider multiple paths.

We expect our techniques, especially combined dynamic and static formula generation, will be applicable to many similar problems that require modeling multiple program paths. Most previous work that requires generating a formula to represent a program path only focuses on a single path for scalability reasons. Our work shows for the first time that scaling up to multiple paths is possible. In particular, applying the combined static and dynamic approach to other settings is an interesting avenue to explore.

7 Related Work

Fuzzing to find inputs which crash programs essentially tries random or guided semi-random inputs on a program [15, 20, 24–26]. Fuzzing tools have recently become popular as a way of finding exploits for programs, e.g., fuzzing found numerous vulnerabilities in the Month of Browser Bugs [1]. Recently, fuzzing techniques have been augmented to produce particular kinds of exploits, e.g., control-hijack exploits for buffer overflow vulnerabilities [24]. Unlike fuzzing, our approach is goal-oriented: we find an input that reaches a specific line of code (the new check). Instead of searching for vulnerabilities at random, we use the patch as a guide to generate exploits. Fuzzing and similar techniques also only consider P, thus do not address generating exploits from patches.

We use an off-the-shelf differencer to identify changes. Research in finding semantic differences, such as BinHunt [17], would help winnow down the number of new checks for which we try exploit generation.

Our techniques are closely related to automatic test case generation, which has a long history (e.g., [3, 21–23]). Our techniques are most closely related to goal-based test generation (e.g., [21]) where inputs are automatically generated that will execute a given goal statement in the program. Test case generation does not address the problem of creating exploits from patches, and therefore does not address the security ramifications.

Similar techniques for generating formulas in the static and dynamic approaches have previously been applied to signature generation [5, 6, 8, 9]. We use the chopping algorithm from our previous work [5], and generate formulas using the efficient method from [6].

8 Conclusion

We have demonstrated that automatic patch-based exploit generation is possible in several real-world cases. In our evaluation, we are able to automatically generate an exploit given just the unpatched and patched program, usually within a few minutes. In order to achieve our results, we developed novel techniques for analyzing potential exploitable paths
to a new sanitization check. Since best security practices dictate that we conservatively estimate the power of an attacker, our results imply that in security critical scenarios automatic patch-based exploit generation should be considered practical. One immediate consequence we suggest is that the current patch distribution schemes are insecure, and should be redesigned to more fully defend against automatic patch-based exploit generation.

Acknowledgements

The authors would like to thank the anonymous referees, Ivan Jager, James Newsome, Steven Rudich, Vyas Sekar, and Shobha Venkataraman for their feedback in preparing this paper.

References

[1] Month of browser bugs website. http://browserfun.blogspot.com, 2006.
[2] The BitBlaze binary analysis project. http://bitblaze.cs.berkeley.edu, 2007.
[3] C. Boyapati, S. Khurshid, and D. Marinov. Korat: Automated testing based on Java predicates. In ACM International Symposium on Software Testing and Analysis, pages 123–133, July 2002.
[4] D. Brumley, J. Caballero, Z. Liang, J. Newsome, and D. Song. Towards automatic discovery of deviations in binary implementations with applications to error detection and fingerprint generation. In Proceedings of the USENIX Security Symposium, Boston, MA, Aug. 2007.
[5] D. Brumley, J. Newsome, D. Song, H. Wang, and S. Jha. Towards automatic generation of vulnerability-based signatures. In Proceedings of the IEEE Symposium on Security and Privacy, pages 2–16, 2006.
[6] D. Brumley, H. Wang, S. Jha, and D. Song. Creating vulnerability signatures using weakest pre-conditions. In Proceedings of the IEEE Computer Security Foundations Symposium, 2007.
[7] C. Cadar, V. Ganesh, P. Pawlowski, D. Dill, and D. Engler. EXE: A system for automatically generating inputs of death using symbolic execution. In Proceedings of the ACM Conference on Computer and Communications Security, Oct. 2006.
[8] M. Costa, M. Castro, L. Zhou, L. Zhang, and M. Peinado. Bouncer: Securing software by blocking bad input. In Proceedings of the ACM Symposium on Operating System Principles, Oct. 2007.
[9] M. Costa, J. Crowcroft, M. Castro, A. Rowstron, L. Zhou, L. Zhang, and P. Barham. Vigilante: End-to-end containment of internet worms. In Proceedings of the ACM Symposium on Operating System Principles, 2005.
[10] A. Crosswell. IGMPv3 tcpdump trace. http://www.columbia.edu/alan/igmp/ex1b/.
[11] E. Dijkstra. A Discipline of Programming. Prentice Hall, Englewood Cliffs, NJ, 1976.
[12] T. Dullein and R. Rolles. Graph-based comparison of executable objects. In Proceedings of the Symposium sur la Securite des Technologies de L'information et des communications, 2005.
[13] eEye Security. eEye binary diffing suite (EBDS). http://research.eeye.com/html/tools/RT20060801-1.html. Version 1.0.5.
[14] H. Flake. Structural comparison of executable objects. In Proceedings of the IEEE Conference on Detection of Intrusions, Malware, and Vulnerability Assessment, 2004.
[15] J. Forrester and B. Miller. An empirical study of the robustness of Windows NT applications using random testing. In 4th USENIX Windows Systems Symposium, 2000.
[16] V. Ganesh and D. L. Dill. A decision procedure for bit-vectors and arrays. In W. Damm and H. Hermanns, editors, Proceedings of the Conference on Computer Aided Verification, volume 4590 of Lecture Notes in Computer Science, pages 524–536, Berlin, Germany, July 2007. Springer-Verlag.
[17] D. Gao, M. K. Reiter, and D. Song. BinHunt: Automatically finding semantic differences in binary programs. Technical report, School of Information Sciences, Singapore Management University, February 2008.
[18] C. Gkantsidis, T. Karagiannis, P. Rodriguez, and M. Vojnovic. Planet scale software updates. In Proceedings of the ACM Special Interest Group on Data Communication, 2006.
[19] P. Godefroid, N. Klarlund, and K. Sen. DART: Directed automated random testing. In Proceedings of the ACM Conference on Programming Language Design and Implementation, 2005.
[20] P. Godefroid, M. Levin, and D. Molnar. Automated whitebox fuzz testing. In Proceedings of the Network and Distributed System Security Symposium, Feb. 2008.
[21] A. Gotlieb, B. Botella, and M. Rueher. Automatic test data generation using constraint solving techniques. ACM SIGSOFT Software Engineering Notes, 23(2):1998, 1998.
[22] N. Gupta, A. Mathur, and M. L. Soffa. Automated test data generation using an iterative relaxation method. ACM SIGSOFT Software Engineering Notes, 23(6):231–244, Nov. 1998.
[23] B. Korel. Automated test data generation. IEEE Transactions on Software Engineering, 16(8):870–879, 1990.
[24] J. Medeiros. Automated exploit development: The future of exploitation is here. http://toorcon.org/2007/talks/19/toorcon_whitepaper.pdf, 2007.
[25] B. Miller, G. Cooksey, and F. Moore. An empirical study of the robustness of MacOS applications using random testing. In Proceedings of the International Workshop on Random Testing, 2006.
[26] B. Miller, L. Fredriksen, and B. So. An empirical study of the reliability of UNIX utilities. Communications of the Association for Computing Machinery, 33(12):32–44, 1990.
[27] D. Moore, V. Paxson, S. Savage, C. Shannon, S. Staniford, and N. Weaver. Inside the Slammer worm. In Proceedings of the IEEE Symposium on Security and Privacy, volume 1, 2003.
[28] S. Muchnick. Advanced Compiler Design and Implementation. Academic Press, 1997.
[29] R. Naraine. Crime rings target IE 'setSlice' flaw. http://www.eweek.com/article2/0%2C1759%2C2022805%2C00.asp, 2006.
[30] J. Newsome, D. Brumley, J. Franklin, and D. Song. Replayer: Automatic protocol replay by binary analysis. In R. Write, S. D. C. di Vimercati, and V. Shmatikov, editors, Proceedings of the ACM Conference on Computer and Communications Security, pages 311–321, 2006.
[31] A. Protas and S. Manzuik. Skeletons in Microsoft's closet. BlackHat Europe 2006: http://www.blackhat.com/presentations/bh-europe-06/bh-eu-06-Manzuik.pdf.
[32] J. Roskind. Attacks against the Netscape browser plus security response philosophy and methods. Private communication and seminar talk.
[33] Sabre Security. BinDiff. http://www.sabre-security.com/products/bindiff.html.
[34] F. B. Schneider. Enforceable security policies. ACM Transactions on Information and System Security, 3(1):30–50, February 2000.
[35] Secure Science Corporation. Analysis of the WebViewFolderIcon ActiveX integer overflow (setSlice). http://www.mnin.org, 2006.