Transformation-aware Exploit Generation using a HI-CFG

Dan Caselden and Alex Bazhanyuk and Mathias Payer and Laszlo Szekeres and Stephen McCamant and Dawn Song

EECS Department, University of California, Berkeley

Technical Report No. UCB/EECS-2013-85

May 16, 2013

http://www2.eecs.berkeley.edu/Pubs/TechRpts/2013/EECS-2013-85.pdf

A common task for security analysts is to determine whether potentially unsafe code constructs (as found by static analysis or code review) can be triggered by an attacker-controlled input to the program under analysis. We refer to this problem as proof-of-concept (POC) exploit generation. Exploit generation is challenging to automate because it requires precise reasoning across a large code base; in practice it is usually a manual task. An intuitive approach to exploit generation is to break down a program's relevant computation into a sequence of transformations that map an input value into the value that can trigger an exploit.

We automate this intuition by describing an approach to discover the buffer structure (the chain of buffers used between transformations) of a program, and use this structure to construct an exploit input by inverting one transformation at a time. We propose a new program representation, a hybrid information- and control-flow graph (HI-CFG), and give algorithms to build a HI-CFG from instruction traces. We then describe how to guide program exploration using symbolic execution to efficiently search for transformation pre-images.

We implement our techniques in a tool that operates on applications in x86 binary form. In two case studies we discuss how our tool creates POC exploits for (i) a vulnerability in a PDF rendering library that is reachable through multiple different transformation stages and (ii) a vulnerability in the processing stage of a specific document format in AbiWord.
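As an added illustration of the approach (not code from the report or its tool): a toy HI-CFG is built from a constructed instruction trace, the buffer chain is recovered from it, and an input that yields a chosen final-stage value is derived by inverting one stage at a time. The buffer map, trace, block names and hand-written inverses are all assumptions; the report searches for pre-images with symbolic execution instead.

```python
from collections import defaultdict

# Constructed buffer map (name -> (base, size)); stands in for allocation tracking.
BUFFERS = {"input": (0x1000, 4), "stage1": (0x2000, 4), "stage2": (0x3000, 4)}

# Constructed trace entries: (code block, addresses read, addresses written).
TRACE = [("decode", [0x1000 + i], [0x2000 + i]) for i in range(4)] + \
        [("checksum", [0x2000 + i], [0x3000 + i]) for i in range(4)]

# Hypothetical per-block transformations with hand-written inverses; in the
# report's setting the inverse (pre-image) is found by symbolic execution.
FORWARD = {"decode": lambda b: bytes(x ^ 0x5A for x in b),
           "checksum": lambda b: bytes((x + 7) & 0xFF for x in b)}
INVERSE = {"decode": lambda b: bytes(x ^ 0x5A for x in b),
           "checksum": lambda b: bytes((x - 7) & 0xFF for x in b)}

def buffer_of(addr):
    """Map a memory address to the buffer containing it (None if untracked)."""
    for name, (base, size) in BUFFERS.items():
        if base <= addr < base + size:
            return name
    return None

def build_hicfg(trace):
    """Information-flow edges: buffer -> block for reads, block -> buffer for writes."""
    edges = defaultdict(set)
    for block, reads, writes in trace:
        for a in reads:
            edges[buffer_of(a)].add(block)
        for a in writes:
            edges[block].add(buffer_of(a))
    return edges

def buffer_chain(graph, start="input"):
    """Recover the stage list [(block, output buffer), ...] from `start` onward."""
    chain, node = [], start
    while graph.get(node):
        block = next(iter(graph[node]))   # toy: one consumer block per buffer
        node = next(iter(graph[block]))   # toy: one output buffer per block
        chain.append((block, node))
    return chain

def run_forward(graph, data):
    """Replay the recovered stages on an input (used to confirm the pre-image)."""
    for block, _ in buffer_chain(graph):
        data = FORWARD[block](data)
    return data

def generate_input(graph, target):
    """Invert one transformation at a time, last stage first, to obtain an input."""
    value = target
    for block, _ in reversed(buffer_chain(graph)):
        value = INVERSE[block](value)
    return value
```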


BibTeX citation:

@techreport{Caselden:EECS-2013-85,
    Author= {Caselden, Dan and Bazhanyuk, Alex and Payer, Mathias and Szekeres, Laszlo and McCamant, Stephen and Song, Dawn},
    Title= {Transformation-aware Exploit Generation using a HI-CFG},
    Year= {2013},
    Month= {May},
    Url= {http://www2.eecs.berkeley.edu/Pubs/TechRpts/2013/EECS-2013-85.html},
    Number= {UCB/EECS-2013-85},
    Abstract= {A common task for security analysts is to determine whether potentially unsafe code constructs (as found by static analysis or code review) can be triggered by an attacker-controlled input to the program under analysis. We refer to this problem as proof-of-concept (POC) exploit generation. Exploit generation is challenging to automate because it requires precise reasoning across a large code base; in practice it is usually a manual task. An intuitive approach to exploit generation is to break down a program's relevant computation into a sequence of transformations that map an input value into the value that can trigger an exploit.

We automate this intuition by describing an approach to discover the buffer structure (the chain of buffers used between transformations) of a program, and use this structure to construct an exploit input by inverting one transformation at a time. We propose a new program representation, a hybrid information- and control-flow graph (HI-CFG), and give algorithms to build a HI-CFG from instruction traces. We then describe how to guide program exploration using symbolic execution to efficiently search for transformation pre-images.

We implement our techniques in a tool that operates on applications in x86 binary form. In two case studies we discuss how our tool creates POC exploits for (i) a vulnerability in a PDF rendering library that is reachable through multiple different transformation stages and (ii) a vulnerability in the processing stage of a specific document format in AbiWord.},
}

EndNote citation:

%0 Report
%A Caselden, Dan 
%A Bazhanyuk, Alex 
%A Payer, Mathias 
%A Szekeres, Laszlo 
%A McCamant, Stephen 
%A Song, Dawn 
%T Transformation-aware Exploit Generation using a HI-CFG
%I EECS Department, University of California, Berkeley
%D 2013
%8 May 16
%@ UCB/EECS-2013-85
%U http://www2.eecs.berkeley.edu/Pubs/TechRpts/2013/EECS-2013-85.html
%F Caselden:EECS-2013-85