Making a Scalable Automated Hacking System by Artem Dinaburg


Transcript of Making a Scalable Automated Hacking System by Artem Dinaburg

Page 1: Making a Scalable Automated Hacking System by Artem Dinaburg

Making a Scalable Automated Hacking System

ShakaCon VIII
Artem Dinaburg
artem@trailofbits.com

Page 2: Making a Scalable Automated Hacking System by Artem Dinaburg

About Me

•  Principal Security Engineer at Trail of Bits
   – artem@trailofbits.com / [email protected]
   – http://blog.trailofbits.com

Page 5: Making a Scalable Automated Hacking System by Artem Dinaburg

About This Talk

•  Automated vulnerability discovery is a very broad topic.

•  This talk is going to be technical, but accessible.
   – We will talk about building a practical system

Page 8: Making a Scalable Automated Hacking System by Artem Dinaburg

Outline

•  Part 1: Learn how our automated bug finding system works & how to make your own

•  Part 2: Understand our approach to automated binary patching

•  What’s Next: the future of automated vulnerability discovery

Page 11: Making a Scalable Automated Hacking System by Artem Dinaburg

Introduction

•  Trail of Bits was a competitor in DARPA’s Cyber Grand Challenge

•  We built Cyberdyne, an automated bug finding and patching system

•  It worked pretty well…

Page 12: Making a Scalable Automated Hacking System by Artem Dinaburg

2nd in Bugs Found

Confirmed Bugs Found (bar chart, axis 0–80):

Team A      77
Cyberdyne   65
Team B      57
Team C      57
Team D      44
Team E      39
Team F      23
Team G      12
Team H      12
Team I       9

Page 13: Making a Scalable Automated Hacking System by Artem Dinaburg

5th in Patching Effectiveness

Page 14: Making a Scalable Automated Hacking System by Artem Dinaburg

Introduction

•  Trail of Bits was a competitor in DARPA’s Cyber Grand Challenge

•  We built Cyberdyne, an automated bug finding and patching system

•  It worked pretty well…

•  But didn’t qualify 😢

Page 15: Making a Scalable Automated Hacking System by Artem Dinaburg

Last in Performance

Page 16: Making a Scalable Automated Hacking System by Artem Dinaburg

Automated Bug Finding

© flickr user Henri Sivonen

Page 17: Making a Scalable Automated Hacking System by Artem Dinaburg

Vulnerability Discovery Theory

•  No tool will find all the bugs.
•  Provably impossible.

Page 18: Making a Scalable Automated Hacking System by Artem Dinaburg

Vulnerability Discovery Theory

•  Over-Approximate Analyses
   – Points-To
   – Alias Analysis

Page 19: Making a Scalable Automated Hacking System by Artem Dinaburg

Vulnerability Discovery Theory

•  Under-Approximate Analyses
   – Fuzzing, Symbolic Execution

Page 20: Making a Scalable Automated Hacking System by Artem Dinaburg

Under-Approximate Analyses: Roadblocks

Hard for Fuzzing, Easy for Symbolic Execution

if (input[0] == 0xBADFOOD)

Page 21: Making a Scalable Automated Hacking System by Artem Dinaburg

Under-Approximate Analyses: Roadblocks

Hard for Symbolic Execution, Easy for Fuzzing

if (hash(input[0]) == hash(input[1]))

Page 22: Making a Scalable Automated Hacking System by Artem Dinaburg

Under-Approximate Analyses: Theory

•  All tools operate over the same domain

•  All discoveries are equally true

•  What if tools could share discoveries?

© flickr user Jean-Pierre Dalbéra

Page 23: Making a Scalable Automated Hacking System by Artem Dinaburg

Analysis Boosting

•  Sharing discoveries across tools creates a virtuous cycle that removes roadblocks

if (input[0] == 0xBADFOOD)
    if (hash(input[0]) == hash(input[1]))
        BUG();

Page 27: Making a Scalable Automated Hacking System by Artem Dinaburg

Analysis Boosting

•  How do you combine existing analysis tools?

•  ‘Universal’ Knowledge: Inputs!
   – Kind of lame, but it works!

Page 31: Making a Scalable Automated Hacking System by Artem Dinaburg

Analysis Boosting

•  Inputs generated by one tool feed into all others

(diagram: Inputs → Analyses → New Inputs → Merge Knowledge → back to Inputs)

Page 34: Making a Scalable Automated Hacking System by Artem Dinaburg

Analysis Boosting: Implementation

•  Two symbolic execution engines
   – KLEE (via an x86 to LLVM translator)
   – PySymEmu

•  Grr: a really awesome DBT-based fuzzer

•  Merge knowledge via MinSet
   – Minimal set of maximal coverage inputs

Page 37: Making a Scalable Automated Hacking System by Artem Dinaburg

Practical Considerations: MinSet

•  Minimizing the input set is essential for analysis boosting to be practical.

•  MinSet needs a fast method to measure and compare coverage.

•  Doesn’t have to be perfect.
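As an added illustration of the MinSet step ("minimal set of maximal coverage inputs") and of the practical considerations above, here is a greedy MinSet over coarse coverage signatures. This is example code, not part of Cyberdyne; the tool prefixes (grr, klee, pse) follow the talk, while the edge ids, hit counts and the AFL-style hit-count buckets used as the deliberately imperfect coverage measure are assumptions constructed for this example.

```python
# Added example: greedy MinSet over coarse per-input coverage (not Cyberdyne code).
# Each tool reports, per input, {edge_id: hit_count}; counts are collapsed into
# AFL-style buckets (assumed here), a fast and imperfect measure, which suffices.

BUCKETS = (1, 2, 3, 4, 8, 16, 32, 128)

def bucket(hits):
    """Collapse an exact hit count into a coarse bucket (anything above 128 -> 128)."""
    for b in BUCKETS:
        if hits <= b:
            return b
    return BUCKETS[-1]

def signature(raw_hits):
    """Turn {edge: exact_count} into the set of (edge, bucket) coverage features."""
    return frozenset((edge, bucket(n)) for edge, n in raw_hits.items() if n > 0)

def coverage_of(inputs, names):
    """Union of the coverage features reached by the named inputs."""
    return frozenset().union(*(signature(inputs[n]) for n in names))

def minset(inputs):
    """Greedy set cover: keep the fewest inputs that still reach every feature.
    inputs is {input_name: {edge: hits}}; ties are broken by name for determinism."""
    sigs = {name: signature(cov) for name, cov in inputs.items()}
    uncovered = set().union(*sigs.values()) if sigs else set()
    chosen = []
    while uncovered:
        best = max(sorted(sigs), key=lambda n: len(sigs[n] & uncovered))
        gain = sigs[best] & uncovered
        if not gain:          # remaining inputs add nothing new
            break
        chosen.append(best)
        uncovered -= gain
        del sigs[best]
    return chosen

# Constructed sample: inputs produced by the fuzzer (grr) and the two symbolic
# engines (klee, pse) against one target; edge ids are made up.
SAMPLE = {
    "grr-0001": {"e1": 1, "e2": 5},           # shallow path, loop ran 5 times
    "grr-0002": {"e1": 1, "e2": 6},           # same buckets as grr-0001: redundant
    "klee-0001": {"e1": 1, "e3": 1},          # solved the magic-constant check
    "pse-0001": {"e1": 1, "e3": 1, "e4": 1},  # strictly more than klee-0001
    "grr-0003": {"e1": 1, "e2": 40},          # new hit-count bucket for e2
}

if __name__ == "__main__":
    kept = minset(SAMPLE)
    print("kept %d of %d inputs: %s" % (len(kept), len(SAMPLE), kept))
```

Of the five sample inputs, three survive: the bucketed signature makes grr-0002 indistinguishable from grr-0001, and pse-0001 subsumes klee-0001.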

Page 38: Making a Scalable Automated Hacking System by Artem Dinaburg

Automated Bug Finding: Building It

© flickr user Julia Manzerova

Page 39: Making a Scalable Automated Hacking System by Artem Dinaburg

Building Your Own

•  Step 1: Find the tools to combine

(diagram: tools A, B, … N)

Page 40: Making a Scalable Automated Hacking System by Artem Dinaburg

Building Your Own

•  Step 2: Wrap your tools with a manager script

(diagram: tools A, B, … N, each behind a manager script)

Page 41: Making a Scalable Automated Hacking System by Artem Dinaburg

Building Your Own

•  Step 3: Write Tests

•  Write Tests

•  Write Tests

Page 42: Making a Scalable Automated Hacking System by Artem Dinaburg

Building Your Own

•  Step 4: Shared Resources

(diagram: tools A, B, … N connected to a Message Queue and Distributed Storage)

Page 43: Making a Scalable Automated Hacking System by Artem Dinaburg

Building Your Own

•  Step 5: MinSet

(diagram: tools A, B, … N, Message Queue, Distributed Storage, with MinSet merging inputs)

Page 44: Making a Scalable Automated Hacking System by Artem Dinaburg

Building Your Own

•  Step 6: Write Tests

•  Write Tests

•  Write Tests

Page 45: Making a Scalable Automated Hacking System by Artem Dinaburg

Building Your Own

•  Step 7: Monitoring and Statistics

(diagram: tools A, B, … N, Message Queue, Distributed Storage)

Page 46: Making a Scalable Automated Hacking System by Artem Dinaburg

Building Your Own

•  Step 8: Control and Provision

(diagram: many Message Queue / Distributed Storage clusters, all under Control & Provision)

Page 47: Making a Scalable Automated Hacking System by Artem Dinaburg

Obligatory AFL Comparison

Bugs Found in CQE Binaries By Method (approximate; bar chart, axis 0–80):

Boosted (current)          78
Boosted (CQE)              69
AFL (Driller Paper)        68
Union (KLEE, PSE, Grr)     65
Grr (Fuzzing)              61
PSE (Symbolic)             16
KLEE (Symbolic)            14

Page 48: Making a Scalable Automated Hacking System by Artem Dinaburg

Patching

© US Army

Page 52: Making a Scalable Automated Hacking System by Artem Dinaburg

Patching

•  Make the binary not crash

•  Patching Method
   – What do you “fix”?

•  Patching Mechanics
   – How do you apply the “fix”?

•  Patch Location
   – Where do you fix, if you aren’t sure of the bug?

Page 54: Making a Scalable Automated Hacking System by Artem Dinaburg

Patching

•  Patching Method
   – Prevent access to invalid memory

•  Patching Mechanics
   – Translate binary to LLVM, patch the bitcode

Page 55: Making a Scalable Automated Hacking System by Artem Dinaburg

Patching via LLVM

(diagram: Bin → LLVM → Patch LLVM → Patch Bin)

Page 56: Making a Scalable Automated Hacking System by Artem Dinaburg

Patching

•  Patching Method
   – Prevent access to invalid memory

•  Patching Mechanics
   – Translate binary to LLVM, patch the bitcode

•  Patch Location
   – Specific vs. Generic

Page 57: Making a Scalable Automated Hacking System by Artem Dinaburg

Patch Location: Specific Patching

•  So, we have this thing that finds bugs…
   – Let’s just patch those

•  Insert check for memory validity

•  Problems
   – Wrong bug
   – Multiple code paths

Page 58: Making a Scalable Automated Hacking System by Artem Dinaburg

Patch Location: Generic Patching

•  Fix every bug of a certain class

•  Examples:
   – Stack Cookies
   – ASLR
   – CFI

•  Problem: slow

Page 59: Making a Scalable Automated Hacking System by Artem Dinaburg

Patching Problems

•  Slow. Bloated.

Page 60: Making a Scalable Automated Hacking System by Artem Dinaburg

Patching: Enter the Dragon

Page 65: Making a Scalable Automated Hacking System by Artem Dinaburg

Patching Montage

•  Cross-Block Dead Store Elimination
•  Unused register analysis
•  Dominator Tree Traversal
•  Data Flow from inputs
•  Combinations of the above

Page 66: Making a Scalable Automated Hacking System by Artem Dinaburg

Reminder: Last in Performance

Page 67: Making a Scalable Automated Hacking System by Artem Dinaburg

What’s Next?

•  Cyber Grand Challenge continues!

•  Finals are August 4th, co-located with DEFCON
   – Free to enter

•  Winner will play the winning human CTF team at DEFCON

Page 68: Making a Scalable Automated Hacking System by Artem Dinaburg

What’s Next?

•  Find Linux bugs!

© [email protected]

Page 69: Making a Scalable Automated Hacking System by Artem Dinaburg

What’s Next?

•  Integrate more tools and knowledge!
   – AFL (via NCC’s project triforce)
   – Grammar-based fuzzers
   – Information from compiler/source code

•  Broader library support

Page 70: Making a Scalable Automated Hacking System by Artem Dinaburg

What’s Next?

•  Let’s automate (or semi-automate) boring assessment work.

•  We are doing a pilot audit of zlib for the Mozilla Foundation.

•  Eventually we would like to automatically audit open source software.

Page 71: Making a Scalable Automated Hacking System by Artem Dinaburg

Questions?

Contact Information:
artem@trailofbits.com
http://blog.trailofbits.com

Further Reading:
http://blog.trailofbits.com/2015/07/15/how-we-fared-in-the-cyber-grand-challenge/
http://blog.trailofbits.com/2016/01/13/hacking-for-charity-automated-bug-finding-in-libotr/
https://github.com/trailofbits/mcsema
https://www.usenix.org/conference/usenixsecurity15/technical-sessions/presentation/walker