State of the Exploit
Matt Miller / mmiller@leviathansecurity.com
Trust Boundary Vulnerability Exploitation

What is the state of the exploit?

Where do generic exploitation techniques stand in 2008?
- Formidable mitigations exist (ASLR, NX, GS)
- Many techniques are impractical or impossible
- Exploits are more reliant on vulnerability-specific qualities

How can we evaluate the relevance and feasibility of current and future techniques?
- Exploitability analysis


Exploitability analysis

Studying the qualities that influence exploitation
- If a vulnerability exists, how exploitable would it be?

Research directions
- Exploitation properties
- Simulating exploitation

Exploitation Properties

What are exploitation properties?

- Specific qualities that enable or inhibit exploitation techniques
- Objectively derived from a program
- Vulnerability independent

Intuitively known, but not formally defined
- Exploits have always relied on exploitation properties


Relating to exploitation techniques

Exploitation techniques have pre-conditions that must be satisfied
- An SEH overwrite must be able to overwrite an EH record

Exploitation properties help determine the satisfiability of those pre-conditions
- Function called in EH scope == TRUE


Examples of exploitation properties

Property (value) -> effect on technique:
- Processor supports NX: TRUE inhibits, FALSE enables "Execute code from NX region"
- Function called in EH scope: TRUE enables, FALSE inhibits "SEH overwrite"
- Function uses GS: TRUE inhibits, FALSE enables "Return address overwrite"


Deriving exploitation property values

Dynamic analysis
- Hardware properties (NX supported?)
- Operating system properties (ASLR supported?)
- Process properties (NX enabled?)

Static analysis
- Binary module properties (Relocatable?)
- Function properties (GS enabled?)


Case study: MS07-017 (ANI)

- Animated cursor vulnerability found by Alexander Sotirov in late 2006
- Stack-based buffer overflow
- First highly exploitable issue to affect Vista

Why was it so exploitable?


MS07-017 vulnerability details

    int LoadAniIcon(struct MappedFile* file, ...) {
        struct ANIChunk chunk;
        struct ANIHeader header; // 36 byte structure
        while (1) {
            // read the first 8 bytes of the chunk
            ReadTag(file, &chunk);
            switch (chunk.tag) {
            case 'anih':
                // read chunk.size bytes into header: chunk.size comes from the
                // file and is never compared against sizeof(header), so a chunk
                // larger than 36 bytes overflows the stack buffer
                ReadChunk(file, &chunk, &header);
                /* ... remaining cases omitted on the slide ... */
            }
        }
    }

Credit to Sotirov for the pseudo-code
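The pseudo-code above stops before the fix. As an added example (not Sotirov's code and not the user32.dll routine), the same chunk walk is written out below with the size check that the vulnerable loop lacked. The chunk layout (4-byte ASCII tag, 4-byte little-endian size, payload), the header field names, the 'seq ' filler chunk and the sample bytes are constructed for illustration; only the 36-byte header size comes from the slide.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ANIH_SIZE 36u   /* the 36-byte header structure from the pseudo-code */

struct ANIChunk {        /* 8-byte chunk header: tag + payload size */
    char     tag[4];
    uint32_t size;
};

struct ANIHeader {       /* field names are an assumption; only the 36-byte size matters */
    uint32_t cbSize, cFrames, cSteps, cx, cy, cBitCount, cPlanes, jifRate, bfAttributes;
};

enum ani_result { ANI_OK = 0, ANI_TRUNCATED = -1, ANI_BAD_SIZE = -2, ANI_NOT_FOUND = -3 };

static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr32le(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Read the 8-byte chunk header at `off`, refusing to read past the end of the file. */
static int read_tag(const uint8_t *buf, size_t len, size_t off, struct ANIChunk *c) {
    if (off > len || len - off < 8) return ANI_TRUNCATED;
    memcpy(c->tag, buf + off, 4);
    c->size = rd32le(buf + off + 4);
    return ANI_OK;
}

/* Walk the chunk list until 'anih' is found. The vulnerable loop copied chunk.size
 * bytes into the fixed 36-byte header unconditionally; here the declared size is
 * checked against both the file length and the header size before any copy. */
int parse_anih(const uint8_t *buf, size_t len, struct ANIHeader *out) {
    size_t off = 0;
    struct ANIChunk chunk;
    while (read_tag(buf, len, off, &chunk) == ANI_OK) {
        size_t payload = off + 8;                               /* read_tag guarantees payload <= len */
        if (chunk.size > len - payload) return ANI_TRUNCATED;   /* declared size runs past EOF */
        if (memcmp(chunk.tag, "anih", 4) == 0) {
            if (chunk.size != ANIH_SIZE) return ANI_BAD_SIZE;   /* the check the vulnerable code lacked */
            memcpy(out, buf + payload, ANIH_SIZE);
            return ANI_OK;
        }
        off = payload + chunk.size;                             /* skip an unrelated chunk */
    }
    return ANI_NOT_FOUND;
}

/* Constructed sample (not a real .ani file): an unrelated 'seq ' chunk followed by an
 * 'anih' chunk whose declared size is `anih_size`, payload filled with 'A'. Returns the
 * number of bytes written, or 0 if the file would not fit in `cap`. */
size_t build_sample(uint8_t *dst, size_t cap, uint32_t anih_size) {
    const uint32_t seq_size = 8;
    if (anih_size > cap || 24 + (size_t)anih_size > cap) return 0;
    size_t total = 24 + (size_t)anih_size;
    memcpy(dst, "seq ", 4); wr32le(dst + 4, seq_size);
    memset(dst + 8, 0, seq_size);
    uint8_t *anih = dst + 8 + seq_size;
    memcpy(anih, "anih", 4); wr32le(anih + 4, anih_size);
    memset(anih + 8, 'A', anih_size);
    return total;
}

int main(void) {
    uint8_t file[512];
    struct ANIHeader hdr;
    size_t n = build_sample(file, sizeof file, ANIH_SIZE);
    printf("benign anih: result %d, cbSize=0x%08x\n", parse_anih(file, n, &hdr), hdr.cbSize);
    n = build_sample(file, sizeof file, 100);
    printf("oversized anih: result %d\n", parse_anih(file, n, &hdr));
    return 0;
}
```

The hostile input declares 100 payload bytes for a 36-byte destination, the same shape as the overflow; the hardened walk rejects it before the copy, and a file that is cut off inside the payload is rejected by the length check rather than read past the end of the mapping.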


Exploitation properties of MS07-017

Inhibitors
- OS properties: ASLR present, SafeSEH present
- Hardware properties: NX supported

Enablers
- Function properties: GS not present, called in EH scope, partial overwrite is feasible
- Process properties: NX support disabled


Statically detecting MS07-017

MS07-017 could have been found with the help of exploitability analysis
- Find instances of code enabling reliable exploitation techniques (no GS, EH scope, partial overwrite feasible, etc.)
- The resultant set would include the function containing the ANI vulnerability
- Vulnerability analysis can narrow this set


Automatically assessing exploitability

Recap
- Exploitation techniques have pre-conditions that must be satisfied
- Exploitation properties provide objective values for these pre-conditions

How can we better assess exploitability with this information?


Simulated Exploitation


Simulating exploitation

Consider exploitation as a state machine
- Abstract execution states
- Exploitation techniques are transitions
- Exploitability is derived from the degree to which pre-conditions are satisfied


Simulating exploitation

Vulnerability side-effects represent the pre-conditions of the initial state
- Extent of memory corruption
- Pattern of memory corruption

Precision can vary
- Memory corruption of a stack buffer
- 256 byte overwrite at &local with pattern A-Z


High-level exploitation NFA (diagram; states and transitions as labelled)

States:
- Memory Corruption
- Control of Frame Pointer
- Control of Instruction Pointer
- Control of Code Execution

Transitions:
- Memory Corruption -> Control of Instruction Pointer: Overwrite Return Address, Overwrite Exception Handler, Overwrite Function Pointer
- Memory Corruption -> Control of Frame Pointer: Overwrite Frame Pointer
- Control of Frame Pointer -> Control of Instruction Pointer: Instruction pointer from frame pointer
- Control of Instruction Pointer -> Control of Code Execution: Code execution from instruction pointer

Diagram note: Coalesce NxN


Exploitation technique pre-conditions (diagram; two transitions annotated)

Memory Corruption -> Control of Instruction Pointer via "Overwrite return address":
- Region of corruption = Stack
- Range of corruption intersects with the address of a return address
- Guard stack presence = FALSE

Control of Instruction Pointer -> Control of Code Execution via "Code execution from instruction pointer":
- ASLR presence = FALSE
- NX presence = FALSE if instruction pointer in non-executable region
- Address of useful code is known
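As an added example (not the simulator described in the talk), the NFA from the previous two slides is encoded below as states and guarded transitions over a property set, with reachability computed by a fixed-point loop; the MS07-017 property values from the "Exploitation properties of MS07-017" slide are used as the sample input. The field names, the guards for the transitions the slide does not annotate (exception handler, function pointer and frame pointer overwrites), the reading of "address of useful code is known" as something that offsets an ASLR presence, and the treatment of SafeSEH as an inhibitor of the exception handler overwrite are this example's own assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* States of the high-level exploitation NFA, as bit flags so a set of reached
 * states fits in one unsigned. */
enum state {
    ST_MEMORY_CORRUPTION = 1u << 0,
    ST_CONTROL_FP        = 1u << 1,
    ST_CONTROL_IP        = 1u << 2,
    ST_CONTROL_CODE_EXEC = 1u << 3
};

enum region { REGION_STACK, REGION_HEAP, REGION_OTHER };

/* Vulnerability side-effects plus exploitation properties. Names are this example's own;
 * the slide states the pre-conditions in prose. */
struct props {
    enum region corrupt_region;      /* region of corruption */
    bool hits_return_address;        /* range of corruption intersects a return address */
    bool hits_frame_pointer;
    bool hits_exception_handler;     /* range of corruption intersects an EH record */
    bool hits_function_pointer;
    bool gs_present;                 /* guard stack (/GS) presence for the function */
    bool called_in_eh_scope;
    bool safeseh_present;            /* assumption: modelled as inhibiting the SEH overwrite */
    bool aslr_present;
    bool useful_code_known;          /* e.g. a feasible partial overwrite leaves a usable address */
    bool nx_present;                 /* NX supported by the CPU and enabled for the process */
    bool ip_target_executable;       /* the address placed in IP lies in an executable region */
};

struct transition {
    const char *name;
    enum state from, to;
    bool (*pre)(const struct props *);   /* pre-condition over the properties */
};

static bool pre_ret_overwrite(const struct props *p) {
    return p->corrupt_region == REGION_STACK && p->hits_return_address && !p->gs_present;
}
static bool pre_eh_overwrite(const struct props *p) {
    return p->corrupt_region == REGION_STACK && p->hits_exception_handler
        && p->called_in_eh_scope && !p->safeseh_present;
}
static bool pre_fptr_overwrite(const struct props *p) { return p->hits_function_pointer; }
static bool pre_fp_overwrite(const struct props *p) {
    return p->corrupt_region == REGION_STACK && p->hits_frame_pointer && !p->gs_present;
}
static bool pre_ip_from_fp(const struct props *p) { (void)p; return true; } /* drawn unconditionally on the slide */
static bool pre_exec_from_ip(const struct props *p) {
    bool address_known = !p->aslr_present || p->useful_code_known;
    bool nx_ok = !p->nx_present || p->ip_target_executable;  /* NX only matters for a non-executable target */
    return address_known && nx_ok;
}

static const struct transition TRANSITIONS[] = {
    { "Overwrite Return Address",                ST_MEMORY_CORRUPTION, ST_CONTROL_IP,        pre_ret_overwrite },
    { "Overwrite Exception Handler",             ST_MEMORY_CORRUPTION, ST_CONTROL_IP,        pre_eh_overwrite },
    { "Overwrite Function Pointer",              ST_MEMORY_CORRUPTION, ST_CONTROL_IP,        pre_fptr_overwrite },
    { "Overwrite Frame Pointer",                 ST_MEMORY_CORRUPTION, ST_CONTROL_FP,        pre_fp_overwrite },
    { "Instruction Pointer from Frame Pointer",  ST_CONTROL_FP,        ST_CONTROL_IP,        pre_ip_from_fp },
    { "Code Execution from Instruction Pointer", ST_CONTROL_IP,        ST_CONTROL_CODE_EXEC, pre_exec_from_ip },
};
#define NTRANS (sizeof TRANSITIONS / sizeof TRANSITIONS[0])

/* Fixed-point reachability from Memory Corruption: keep taking every transition whose
 * source state is reached and whose pre-condition holds until no new state appears. */
unsigned reachable_states(const struct props *p) {
    unsigned reached = ST_MEMORY_CORRUPTION, before;
    do {
        before = reached;
        for (size_t i = 0; i < NTRANS; i++)
            if ((reached & TRANSITIONS[i].from) && TRANSITIONS[i].pre(p))
                reached |= TRANSITIONS[i].to;
    } while (reached != before);
    return reached;
}

/* Property values for MS07-017 as listed on the slide: stack overflow, no GS, called in EH
 * scope, ASLR and SafeSEH present, partial overwrite feasible, NX disabled for the process.
 * Which locations the overflow reaches is this example's assumption (the return address). */
struct props props_ms07_017(void) {
    struct props p = {0};
    p.corrupt_region = REGION_STACK;
    p.hits_return_address = true;
    p.gs_present = false;
    p.called_in_eh_scope = true;
    p.safeseh_present = true;
    p.aslr_present = true;
    p.useful_code_known = true;   /* partial overwrite is feasible */
    p.nx_present = false;
    return p;
}

int main(void) {
    struct props p = props_ms07_017();
    unsigned r = reachable_states(&p);
    for (size_t i = 0; i < NTRANS; i++)
        printf("%-42s %s\n", TRANSITIONS[i].name, TRANSITIONS[i].pre(&p) ? "pre-conditions met" : "blocked");
    printf("code execution reachable: %s\n", (r & ST_CONTROL_CODE_EXEC) ? "yes" : "no");
    return 0;
}
```

Flipping a single property in the sample set shows the evaluation the slides describe: compiling the function with GS closes the only usable edge out of Memory Corruption, while enabling NX for the process leaves Control of Instruction Pointer reachable but blocks the step to Control of Code Execution unless the target address is executable.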


Conclusion


Uses for exploitability analysis
- Identify regions of code that may be highly exploitable given the presence of a vulnerability
- Program risk assessment
- Evaluate the effectiveness of exploitation techniques and mitigations
- Automatic exploit generation using post-conditions from simulated exploitation (unlikely to compete with human talent)


Future work

- Research additional exploitation properties
- Further develop analysis tools: dynamic analysis of hardware, OS, and process state
- Further develop the exploitation simulator: basic exploit generator using post-conditions


Thanks!

Additional reading on exploitation properties: http://uninformed.org/?v=9&a=4