State of the Exploit
Transcript of State of the Exploit
![Page 1: State of the Exploit](https://reader034.fdocuments.in/reader034/viewer/2022051002/56815e6b550346895dcce94d/html5/thumbnails/1.jpg)
State of the Exploit
Matt Miller / [email protected]
![Page 2: State of the Exploit](https://reader034.fdocuments.in/reader034/viewer/2022051002/56815e6b550346895dcce94d/html5/thumbnails/2.jpg)
What is the state of the exploit?
- Where do generic exploitation techniques stand in 2008?
  - Formidable mitigations exist (ASLR, NX, GS)
  - Many techniques impractical or impossible
  - Exploits are more reliant on vuln-specific qualities
- How can we evaluate the relevance & feasibility of current & future techniques?
  - Exploitability analysis
![Page 3: State of the Exploit](https://reader034.fdocuments.in/reader034/viewer/2022051002/56815e6b550346895dcce94d/html5/thumbnails/3.jpg)
Exploitability analysis
- Studying the qualities that influence exploitation
  - If a vulnerability exists, how exploitable would it be?
- Research directions
  - Exploitation properties
  - Simulating exploitation
![Page 4: State of the Exploit](https://reader034.fdocuments.in/reader034/viewer/2022051002/56815e6b550346895dcce94d/html5/thumbnails/4.jpg)
Exploitation Properties
![Page 5: State of the Exploit](https://reader034.fdocuments.in/reader034/viewer/2022051002/56815e6b550346895dcce94d/html5/thumbnails/5.jpg)
What are exploitation properties?
- Specific qualities that enable or inhibit exploitation techniques
  - Objectively derived from a program
  - Vulnerability independent
- Intuitively known, but not formally defined
  - Exploits have always relied on exploitation properties
![Page 6: State of the Exploit](https://reader034.fdocuments.in/reader034/viewer/2022051002/56815e6b550346895dcce94d/html5/thumbnails/6.jpg)
Relating to exploitation techniques
- Exploitation techniques have pre-conditions that must be satisfied
  - SEH overwrite must be able to overwrite EH record
- Exploitation properties help determine the satisfiability of those pre-conditions
  - Function called in EH scope == TRUE
![Page 7: State of the Exploit](https://reader034.fdocuments.in/reader034/viewer/2022051002/56815e6b550346895dcce94d/html5/thumbnails/7.jpg)
Examples of exploitation properties

| Property | Technique affected | Inhibits when | Enables when |
|---|---|---|---|
| Processor supports NX | Execute code from NX region | T | F |
| Function called in EH scope | SEH overwrite | F | T |
| Function uses GS | Return address overwrite | T | F |
![Page 8: State of the Exploit](https://reader034.fdocuments.in/reader034/viewer/2022051002/56815e6b550346895dcce94d/html5/thumbnails/8.jpg)
Deriving exploitation property values
- Dynamic analysis
  - Hardware properties (NX supported?)
  - Operating system properties (ASLR supported?)
  - Process properties (NX enabled?)
- Static analysis
  - Binary module properties (Relocatable?)
  - Function properties (GS enabled?)
![Page 9: State of the Exploit](https://reader034.fdocuments.in/reader034/viewer/2022051002/56815e6b550346895dcce94d/html5/thumbnails/9.jpg)
Case study: MS07-017 (ANI)
- Animated cursor vulnerability found by Alexander Sotirov in late 2006
  - Stack-based buffer overflow
- First highly exploitable issue to affect Vista
- Why was it so exploitable?
![Page 10: State of the Exploit](https://reader034.fdocuments.in/reader034/viewer/2022051002/56815e6b550346895dcce94d/html5/thumbnails/10.jpg)
MS07-017 vulnerability details
```c
int LoadAniIcon(struct MappedFile* file, ...) {
    struct ANIChunk chunk;
    struct ANIHeader header;  // 36 byte structure
    while (1) {
        // read the first 8 bytes of the chunk
        ReadTag(file, &chunk);
        switch (chunk.tag) {
            case 'anih':
                // read chunk.size bytes into header
                // (chunk.size comes from the file and is never checked
                // against the 36-byte header, hence the stack overflow)
                ReadChunk(file, &chunk, &header);
                /* ... remaining cases elided on the slide ... */
        }
    }
}
```
Credit to Sotirov for the pseudo-code
![Page 11: State of the Exploit](https://reader034.fdocuments.in/reader034/viewer/2022051002/56815e6b550346895dcce94d/html5/thumbnails/11.jpg)
Exploitation properties of MS07-017
- Inhibitors
  - OS properties: ASLR present, SafeSEH present
  - Hardware properties: NX supported
- Enablers
  - Function properties: GS not present, called in EH scope, partial overwrite is feasible
  - Process properties: NX support disabled
![Page 12: State of the Exploit](https://reader034.fdocuments.in/reader034/viewer/2022051002/56815e6b550346895dcce94d/html5/thumbnails/12.jpg)
Statically detecting MS07-017
- MS07-017 could have been found with the help of exploitability analysis
- Find instances of code enabling reliable exploitation techniques
  - No GS, EH scope, partial overwrite feasible, etc.
- Resultant set would include the function containing the ANI vulnerability
  - Vulnerability analysis can narrow this set
![Page 13: State of the Exploit](https://reader034.fdocuments.in/reader034/viewer/2022051002/56815e6b550346895dcce94d/html5/thumbnails/13.jpg)
Automatically assessing exploitability
- Recap
  - Exploitation techniques have pre-conditions that must be satisfied
  - Exploitation properties provide objective values for these pre-conditions
- How can we better assess exploitability with this information?
![Page 14: State of the Exploit](https://reader034.fdocuments.in/reader034/viewer/2022051002/56815e6b550346895dcce94d/html5/thumbnails/14.jpg)
Simulated Exploitation
![Page 15: State of the Exploit](https://reader034.fdocuments.in/reader034/viewer/2022051002/56815e6b550346895dcce94d/html5/thumbnails/15.jpg)
Simulating exploitation
- Consider exploitation as a state machine
  - Abstract execution states
  - Exploitation techniques are transitions
- Exploitability is derived from the degree to which pre-conditions are satisfied
![Page 16: State of the Exploit](https://reader034.fdocuments.in/reader034/viewer/2022051002/56815e6b550346895dcce94d/html5/thumbnails/16.jpg)
Simulating exploitation
- Vulnerability side-effects represent the pre-conditions of the initial state
  - Extent of memory corruption
  - Pattern of memory corruption
- Precision can vary
  - Memory corruption of a stack buffer
  - 256 byte overwrite at &local with pattern A-Z
![Page 17: State of the Exploit](https://reader034.fdocuments.in/reader034/viewer/2022051002/56815e6b550346895dcce94d/html5/thumbnails/17.jpg)
High-level exploitation NFA

States:
- Memory Corruption
- Control of Frame Pointer
- Control of Instruction Pointer
- Control of Code Execution

Transitions (exploitation techniques):
- Memory Corruption -> Memory Corruption: Coalesce NxN
- Memory Corruption -> Control of Instruction Pointer: Overwrite Return Address; Overwrite Exception Handler; Overwrite Function Pointer
- Memory Corruption -> Control of Frame Pointer: Overwrite Frame Pointer
- Control of Frame Pointer -> Control of Instruction Pointer: Instruction pointer from Frame pointer
- Control of Instruction Pointer -> Control of Code Execution: Code execution from Instruction pointer
![Page 18: State of the Exploit](https://reader034.fdocuments.in/reader034/viewer/2022051002/56815e6b550346895dcce94d/html5/thumbnails/18.jpg)
Exploitation technique pre-conditions
- Overwrite return address (Memory Corruption -> Control of Instruction Pointer)
  - Region of corruption = Stack
  - Range of corruption intersects with the address of a return address
  - Guard stack presence = FALSE
- Code execution from instruction pointer (Control of Instruction Pointer -> Control of Code Execution)
  - ASLR presence = FALSE
  - NX presence = FALSE if instruction pointer in non-executable region
  - Address of useful code is known
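The NFA and pre-condition slides above as a small simulator, written here as an added example (not code from Miller's deck or any tool of his): exploitation properties go in a dict, techniques are transitions carrying pre-condition predicates, and `assess()` picks the path from Memory Corruption to Control of Code Execution whose pre-conditions the property set satisfies best. The property names and the SEH-overwrite pre-conditions are my assumptions (the deck only names the EH-scope one), and the two property sets are constructed from the MS07-017 slide.

```python
# Transitions of the high-level NFA: (technique, from_state, to_state, pre-conditions).
# Each pre-condition is (label, predicate over a dict of exploitation properties).
TECHNIQUES = [
    ("Overwrite Return Address", "Memory Corruption", "Control of Instruction Pointer", [
        ("region of corruption = stack", lambda p: p["corruption_region"] == "stack"),
        ("range intersects a return address", lambda p: p["hits_return_address"]),
        ("guard stack presence = FALSE", lambda p: not p["gs_present"]),
    ]),
    # SEH pre-conditions are an assumption; the deck only names the EH-scope one.
    ("Overwrite Exception Handler", "Memory Corruption", "Control of Instruction Pointer", [
        ("region of corruption = stack", lambda p: p["corruption_region"] == "stack"),
        ("range intersects an EH record", lambda p: p["hits_eh_record"]),
        ("function called in EH scope = TRUE", lambda p: p["called_in_eh_scope"]),
        ("SafeSEH presence = FALSE", lambda p: not p["safeseh_present"]),
    ]),
    ("Code execution from instruction pointer", "Control of Instruction Pointer",
     "Control of Code Execution", [
        # a partial overwrite sidesteps ASLR, per the MS07-017 enabler list
        ("address of useful code is known",
         lambda p: not p["aslr_present"] or p["partial_overwrite_feasible"]),
        ("NX presence = FALSE (payload sits in a non-executable region)",
         lambda p: not p["nx_enabled"]),
    ]),
]

def _paths(state, goal, seen=()):
    """Enumerate technique sequences leading from `state` to `goal` without revisits."""
    if state == goal:
        yield []
        return
    for tech in TECHNIQUES:
        if tech[1] == state and tech[2] not in seen:
            for rest in _paths(tech[2], goal, seen + (state,)):
                yield [tech] + rest

def assess(props, start="Memory Corruption", goal="Control of Code Execution"):
    """Return (technique names, unsatisfied pre-conditions, satisfied/total) for the best path."""
    best = None
    for path in _paths(start, goal):
        checks = [(lbl, ok(props)) for _, _, _, pre in path for lbl, ok in pre]
        unsat = [lbl for lbl, hit in checks if not hit]
        score = (len(checks) - len(unsat)) / len(checks)
        if best is None or score > best[2]:
            best = ([t[0] for t in path], unsat, score)
    return best

# Constructed property sets: the deck's MS07-017 picture and a hardened build of it.
MS07_017 = dict(corruption_region="stack", hits_return_address=True, hits_eh_record=True,
                gs_present=False, called_in_eh_scope=True, safeseh_present=True,
                aslr_present=True, partial_overwrite_feasible=True, nx_enabled=False)
HARDENED = dict(MS07_017, gs_present=True, partial_overwrite_feasible=False, nx_enabled=True)
```

For the MS07-017 set every pre-condition on the return-address path holds (score 1.0); with GS, full ASLR and NX applied the best remaining path is the SEH route and it satisfies only half of its pre-conditions.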
![Page 19: State of the Exploit](https://reader034.fdocuments.in/reader034/viewer/2022051002/56815e6b550346895dcce94d/html5/thumbnails/19.jpg)
Conclusion
![Page 20: State of the Exploit](https://reader034.fdocuments.in/reader034/viewer/2022051002/56815e6b550346895dcce94d/html5/thumbnails/20.jpg)
Uses for exploitability analysis
- Identify regions of code that may be highly exploitable given the presence of a vulnerability
  - Program risk assessment
- Evaluate the effectiveness of exploitation techniques & mitigations
- Automatic exploit generation using post-conditions from simulated exploitation
  - Unlikely to compete with human talent
![Page 21: State of the Exploit](https://reader034.fdocuments.in/reader034/viewer/2022051002/56815e6b550346895dcce94d/html5/thumbnails/21.jpg)
Future work
- Research additional exploitation properties
- Further develop analysis tools
  - Dynamic analysis of hardware, OS, and process state
- Further develop exploitation simulator
  - Basic exploit generator using post-conditions
![Page 22: State of the Exploit](https://reader034.fdocuments.in/reader034/viewer/2022051002/56815e6b550346895dcce94d/html5/thumbnails/22.jpg)
Thanks!
Additional reading on exploitation properties: http://uninformed.org/?v=9&a=4