Automatic Exploit Generation
an Odyssey
Sophia D'Antoine, Hack.lu 2015
Introduction
Programs have become increasingly difficult to exploit:
- larger, changing surface area
- mitigations
- more bytes to siphon through
10/22/2015 Program Analysis to Find Vulnerabilities 2/45
Introduction
Reaction: people get smarter and tools get better
- pentesters
- government research
- CTF!
CTF & Wargames
A Binary → PWN It → A Flag
The Past
Manual labor:
- static analysis
- dynamic analysis
Dynamic Analysis
Definition:
- Running it (concrete execution)
- Collecting/observing environment changes
Popular Uses:
- dump VM memory & grep
- record/replay & manual analysis
- gdb (debuggers) & run
Dynamic Analysis
Common tools:
- gdb, windbg, cdb
- python brute force (blind fuzzing)
Example: Dynamic Analysis
(figure: a debugger session single-stepping through the binary, "step..." repeated many times)
Automated Exploitation
Agenda
1. Intro
2. Automating Exploitation
   a. what, how?
   b. the target
3. Program Analysis
   a. background
   b. types we care about
   c. how this helps with AEG
4. Application
   a. tools
   b. demo
5. Conclusion
Some Background
What is Automated Exploitation? The ability to generate a successful computer attack with reduced or entirely without human interaction.
- Existing AE work focused on restricted models:
  - Sean Heelan's "Automatic Generation of Control Flow Hijacking Exploits for Software Vulnerabilities"
  - David Brumley (Carnegie Mellon) et al. (AEG, MAYHEM, etc.)
  - Cyber Grand Challenge (CGC)!
- Focus on discovery and combination of write and read primitives
Automating Exploitation
Break up AEG into 2 parts:
- Generating input to get to the vulnerability
- Generating a "payload" to profit from the vulnerability
Both are hard, and work is being done in both areas. The focus today is on the first problem.
Automating Exploitation
TARGET?
AEG - pwnable.kr
Get random binary, pwn it in 10 seconds.
Program Operations:
1) Takes input at argv[1]
2) Does some decode & operations on it
3) Calls a sequence of 16 functions
4) Each function checks 3 characters of the input sequentially
5) If you pass them all, you get to the exploitable memcpy!
Automated Exploit Generation:
1) Generate input to get to the vulnerability
2) Generate payload to exploit and get a shell
AEG - pwnable.kr
(figure: input argv[1] → 3 checks → ... 15 more functions ... → memcpy; every check also has a "fail ..." edge)
How can AEG solve for this path in the CFG?
Software Program Analysis!
What is program analysis?
The process of automatically analyzing the behavior of applications.
- set of paths == expected paths
- minimum expense => expected paths
- In terms of a property:
  - program correctness
  - program optimization
How This Helps with AEG
Analysis helps us hunt for bugs automatically.
- Fuzzing/Instrumenting
- Symbolic Execution
- Concolic Execution
==> Pro move: combine analyses
Types we care about.
Dynamic Binary Instrumentation
Definition:
- 'Hijacked' environment, binaries, or source
- Monitor specific system artifacts
- Attempts at complete (concrete) execution
Popular Uses:
- Force program states
- Gather and report observations at runtime
- Types of hooking: source & binary
Example: DBI
    $ pin -t inscount0.so -- binary
[BINARY LEVEL]
- Inject an increment after each instruction
[STILL BRUTE FORCE]
- Return the total instruction count for the fuzzed input
- Only true for that 1 executed path (the possible CFG space may be very large)
Example: DBI
Original instruction stream:
    sub $0xff, %edx
    cmp %esi, %edx
    jle
    mov $0x1, %edi
    add $0x10, %eax
Instrumented by the pintool (icount++ injected for every instruction):
    icount++
    sub $0xff, %edx
    icount++
    cmp %esi, %edx
    icount++
    jle
    icount++
    mov $0x1, %edi
    icount++
    add $0x10, %eax
Symbolic Execution
Definition:
- Generate 1 symbolic path for a set of paths (could still be extremely expensive)
- Satisfies path conditions
- Composed of some concrete values
Popular Uses:
- Determine program state at a particular basic block
- Create an 'equation' to feed to SAT/SMT solvers
- Faster than brute forcing all conditions
Example: Symbolic Execution
    [INT] a, b, c
    [INT] x, y, z = 0;
    fun( int a, b, c ) {
        if (a) {
            x = -2;
        }
        if (b < 5) {
            if (!a && c) {
                y = 1;
            }
            z = 2;
        }
        assert(x+y+z != 3)
    }
    . . .
    fun( 0, 3, 1 );
    . . .
Old Method: Try all inputs until the assert fires.
[WARNING] inputs unbounded!
Example: Symbolic Execution
    [SYMBOL] a, b, c
    [INT] x, y, z = 0;
    if (a) {
        x = -2;
    }
    if (b < 5) {
        if (!a && c) {
            y = 1;
        }
        z = 2;
    }
    assert(x+y+z != 3)
With a, b, c symbolic, every branch adds a constraint to the path condition. x+y+z == 3 needs x = 0, y = 1, z = 2, so the solver reports the assert reachable exactly on the path with constraints a == 0, b < 5, c != 0, without enumerating inputs.
Concolic Execution
Definition:
- Dynamic symbolic execution
- Instrumentation of symbolic execution as it runs
- One path at a time, to maintain concrete state underneath the symbolic variables
Popular Uses:
- Concretization (replace symbols with values that satisfy the path condition)
- Handle system calls & library loading
- Cases which SMT can't solve
Example: Concolic Execution
Same fun( int a, b, c ) as in the symbolic execution example, again called concretely as fun( 0, 3, 1 ).
Old Method: Try all inputs until the assert fires.
[WARNING] inputs unbounded!
Example: Concolic Execution
    [INT & SYMBOL] a, b, c
    [INT] x, y, z = 0;
    if (a) {
        x = -2;
    }
    if (b < 5) {
        if (!a && c) {
            y = 1;
        }
        z = 2;
    }
    assert(x+y+z != 3)
STEPS
[ONE] concrete execution of the function
[TWO] while building the symbolic path model
[THREE] constraints on the input are modeled
[FOUR] models are used to generate new concrete input
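The four steps above, and the symbolic-execution example before them, as a runnable added example (not code from the talk): a concolic executor for the slide's fun(a, b, c). Each run is concrete, but every branch records the symbolic atom it tested and which way it went; the search then keeps the first j branches, negates branch j, and asks a solver for an input on that new prefix (the generational search SAGE popularized). The solver is a deliberately tiny stand-in for Z3, which works here only because every atom in this program constrains a single variable; the seed input (1, 7, 0), the bounded 0..15 domain and the run budget are my assumptions.

```python
# Added example, not the talk's code: concolic (dynamic symbolic) execution of
# the slide's fun(a, b, c) with a toy per-variable solver standing in for Z3.
import operator

OPS = {"==": operator.eq, "!=": operator.ne, "<": operator.lt, ">=": operator.ge}
NEG = {"==": "!=", "!=": "==", "<": ">=", ">=": "<"}


def negate(atom):
    var, op, k = atom
    return (var, NEG[op], k)


def branch(trace, inp, atom):
    """Evaluate a branch on the concrete input while recording the symbolic
    atom it tested and which way it went (the 'concolic' part)."""
    var, op, k = atom
    taken = OPS[op](inp[var], k)
    trace.append((atom, taken))
    return taken


def fun(inp, trace):
    """The slide's fun(a, b, c); returns False when the assert would fire."""
    x = y = z = 0
    if branch(trace, inp, ("a", "!=", 0)):           # if (a)
        x = -2
    if branch(trace, inp, ("b", "<", 5)):            # if (b < 5)
        # if (!a && c): short-circuit, so the second atom is only recorded
        # when the first one holds, exactly as the C code evaluates it
        if branch(trace, inp, ("a", "==", 0)) and branch(trace, inp, ("c", "!=", 0)):
            y = 1
        z = 2
    return x + y + z != 3                            # assert(x+y+z != 3)


def solve(atoms, lo=0, hi=15):
    """Toy decision procedure (assumption: each atom mentions one variable),
    searching a bounded integer domain per variable.  Returns a model
    {var: value} or None when the conjunction is infeasible."""
    by_var = {}
    for var, op, k in atoms:
        by_var.setdefault(var, []).append((op, k))
    model = {}
    for var, cs in by_var.items():
        for cand in range(lo, hi + 1):
            if all(OPS[op](cand, k) for op, k in cs):
                model[var] = cand
                break
        else:
            return None
    return model


def concolic_search(seed, max_runs=50):
    """Generational search.  Returns (input that fires the assert, runs used)
    or (None, runs) when the run budget is exhausted."""
    worklist, seen, tried = [dict(seed)], set(), set()
    runs = 0
    while worklist and runs < max_runs:
        inp = worklist.pop(0)
        key = tuple(sorted(inp.items()))
        if key in seen:
            continue
        seen.add(key)
        trace = []
        runs += 1
        if not fun(inp, trace):                      # [ONE]/[TWO]: run, record path
            return inp, runs
        for j in range(len(trace)):                  # [THREE]: model constraints
            pc = [atom if taken else negate(atom) for atom, taken in trace[:j]]
            atom, taken = trace[j]
            pc.append(negate(atom) if taken else atom)
            if tuple(pc) in tried:
                continue
            tried.add(tuple(pc))
            model = solve(pc)                        # [FOUR]: new concrete input
            if model is None:                        # infeasible, e.g. a != 0 && a == 0
                continue
            new_inp = dict(inp)                      # unconstrained vars stay concrete
            new_inp.update(model)
            worklist.append(new_inp)
    return None, runs


if __name__ == "__main__":
    hit, runs = concolic_search({"a": 1, "b": 7, "c": 0})
    print(f"assert fires for input {hit} after {runs} concrete runs")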
Creating a Feedback Loop
In practice, using the results of different analyses together finds bugs quicker.
Example pairing:
- Concrete execution
- Fuzz input
- Symbolic/concolic execution
- Examine results
- Craft new input
Dynamic Binary Instrumentation
Common tools:
- Pin (pintools)
- Valgrind (before/during runtime)
- DynamoRIO
- QEMU
Example: Flare-on Challenge 9
[ http://blog.trailofbits.com/2015/09/09/flare-on-reversing-challenges-2015/ ]
- Pintool instruction count
- More instructions == closer to the correct input
Input: AAAAAAAA...
Input: FLAGAAAA...
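The instruction-count side channel used here, and the inscount pintool shown in the DBI example earlier, as an added example that is not code from the talk or from the Trail of Bits write-up: a constructed Python target compares its input byte by byte and bails at the first mismatch, so a longer correct prefix executes more code. sys.settrace counts executed lines the way inscount0.so counts executed instructions, and the search keeps, at each position, the byte that maximises the count. The secret, the printable alphabet and the "AAAA..." starting input are assumptions for the demo.

```python
# Added example, not the talk's code: recover a secret from a constructed
# early-exit comparison using an executed-line count as the side channel.
import sys

SECRET = b"FLAG-2015"   # constructed secret; the search never reads it directly


def check(candidate):
    """Target routine: byte-by-byte compare with early exit on mismatch."""
    if len(candidate) != len(SECRET):
        return False
    for i in range(len(SECRET)):
        if candidate[i] != SECRET[i]:
            return False
    return True


def count_lines(fn, *args):
    """Poor man's inscount: run fn under a trace hook and count the 'line'
    events, i.e. how many source lines executed inside fn's frames."""
    counter = 0

    def tracer(frame, event, arg):
        nonlocal counter
        if event == "line":
            counter += 1
        return tracer

    sys.settrace(tracer)
    try:
        result = fn(*args)
    finally:
        sys.settrace(None)
    return counter, result


def recover(length, alphabet=range(0x20, 0x7f)):
    """Side-channel search: at each position keep the byte that maximises
    the executed-line count, i.e. the one that gets past the comparison.
    Ties cannot occur here because the correct byte always runs at least
    one more loop iteration than any wrong byte."""
    found = bytearray(b"A" * length)      # the 'AAAAAAAA...' starting input
    for pos in range(length):
        best_byte, best_count = None, -1
        for b in alphabet:
            found[pos] = b
            count, _ = count_lines(check, bytes(found))
            if count > best_count:
                best_byte, best_count = b, count
        found[pos] = best_byte
    return bytes(found)


if __name__ == "__main__":
    for probe in (b"AAAAAAAAA", b"FLAGAAAAA"):
        print(probe, "->", count_lines(check, probe)[0], "lines executed")
    print("recovered:", recover(len(SECRET)))
```

The same idea scales to a real binary under Pin only when the check really is sequential and leaks through control flow; a constant-time compare (or one that checks a hash of the whole input) gives every candidate the same count and the search stalls at position 0.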
Symbolic Execution
Common tools:
- KLEE (runs on LLVM bitcode)
- SAGE (MS internal tool)
Feed the resulting path constraints to Z3 to solve.
Concolic Execution
Common tools:
- angr
- PySymEmu
- Triton
AEG Demo: Assumptions
[ Assumptions ]
- Space of potential vulnerabilities is too large
- Need to write tools to hunt for a subset
- Target memory corruption (memcpy)
- ROP from there...
[ Dynamically Acquired ]
- Path to target
- Solve for constraints
- Addresses of gadgets for ROP
[ Statically (Pre-)Acquired ]
- Semantics of target & gadgets
LLVM Pass
Using the structure of the binary:
- Dominator tree
  - Longest path of the CFG is the "winning" path
- Use-def chain
  - Each cmp on this path comprises the "constraints"
⇒ "Flow-sensitive constraint analysis"
LLVM:
- Makes this analysis easier
- DomTree & use-def construction
- Semantics of cmp and vars are easy to pull out
- Runs statically over bitcode (lift with McSema)
- Fast
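The flow-sensitive constraint analysis described above, as an added example that is not the talk's LLVM pass and not the pwnable.kr binary: a constructed toy CFG with the same shape as the target (a chain of check blocks, each comparing one decoded argv[1] byte and branching either to the next check or to a shared fail block, ending in the memcpy). The code builds the dominator sets, takes the longest entry-to-memcpy path, collects the cmp on every block of that path and resolves each cmp operand back through its use-def chain (input byte → xor decode → cmp) to produce the winning input. The XOR decode, the block names and the secret/key values are assumptions made for the demo.

```python
# Added example, not the talk's code: dominator tree + longest path + cmp
# constraints on a constructed CFG shaped like the talk's pwnable.kr target.


def build_cfg(secret, keys):
    """Toy CFG (constructed).  Blocks carry successors and an optional cmp of
    the form ("xor", offset, key, expected), meaning (inp[offset] ^ key) == expected;
    succ[0] is the pass edge, succ[1] the fail edge."""
    cfg = {"entry": {"succ": ["check0"], "cmp": None}}
    n = len(secret)
    for i, (ch, k) in enumerate(zip(secret, keys)):
        nxt = f"check{i + 1}" if i + 1 < n else "memcpy"
        cfg[f"check{i}"] = {"succ": [nxt, "fail"], "cmp": ("xor", i, k, ch ^ k)}
    cfg["memcpy"] = {"succ": [], "cmp": None}      # the exploitable sink
    cfg["fail"] = {"succ": [], "cmp": None}
    return cfg


def dominators(cfg, entry="entry"):
    """Classic iterative dataflow: dom(n) = {n} ∪ ⋂ dom(p) over predecessors p."""
    preds = {n: [] for n in cfg}
    for n, blk in cfg.items():
        for s in blk["succ"]:
            preds[s].append(n)
    dom = {n: set(cfg) for n in cfg}
    dom[entry] = {entry}
    changed = True
    while changed:
        changed = False
        for n in cfg:
            if n == entry:
                continue
            new = {n} | set.intersection(*(dom[p] for p in preds[n]))
            if new != dom[n]:
                dom[n], changed = new, True
    return dom


def longest_path(cfg, entry, target):
    """Longest path in the acyclic CFG via topological order; the talk's
    heuristic is that the longest path is the 'winning' one."""
    order, seen, stack = [], set(), [(entry, False)]
    while stack:                                   # iterative DFS post-order
        n, done = stack.pop()
        if done:
            order.append(n)
            continue
        if n in seen:
            continue
        seen.add(n)
        stack.append((n, True))
        stack.extend((s, False) for s in cfg[n]["succ"])
    best = {entry: (0, None)}                      # node -> (distance, predecessor)
    for n in reversed(order):
        if n not in best:
            continue
        d, _ = best[n]
        for s in cfg[n]["succ"]:
            if s not in best or best[s][0] < d + 1:
                best[s] = (d + 1, n)
    path, n = [], target
    while n is not None:
        path.append(n)
        n = best[n][1]
    return path[::-1]


def constraints_on_path(cfg, path):
    return [cfg[n]["cmp"] for n in path if cfg[n]["cmp"] is not None]


def solve_input(cons, length, filler=b"A"):
    """Invert each cmp along its use-def chain: (inp[off] ^ key) == expected
    gives inp[off] = expected ^ key.  Unconstrained bytes keep the filler."""
    buf = bytearray(filler * length)
    for kind, off, key, expected in cons:
        if kind != "xor":
            raise ValueError(f"unsupported decode op {kind!r}")
        buf[off] = expected ^ key
    return bytes(buf)


def run_target(cfg, inp, entry="entry"):
    """Concrete execution of the toy CFG; returns the block where it ends."""
    n = entry
    while cfg[n]["succ"]:
        cmp = cfg[n]["cmp"]
        if cmp is None:
            n = cfg[n]["succ"][0]
            continue
        _, off, key, expected = cmp
        byte = inp[off] if off < len(inp) else 0
        n = cfg[n]["succ"][0] if (byte ^ key) == expected else cfg[n]["succ"][1]
    return n


def winning_input(secret, keys):
    cfg = build_cfg(secret, keys)
    dom = dominators(cfg)
    path = longest_path(cfg, "entry", "memcpy")
    # every check on the winning path dominates memcpy, so its cmp must pass
    assert all(n in dom["memcpy"] for n in path)
    return solve_input(constraints_on_path(cfg, path), len(secret))


if __name__ == "__main__":
    secret, keys = b"PwnIt!", bytes([0x13, 0x37, 0x42, 0x99, 0xA5, 0x5C])
    cfg = build_cfg(secret, keys)
    print("winning path:", " -> ".join(longest_path(cfg, "entry", "memcpy")))
    print("argv[1]     :", winning_input(secret, keys))
    print("reaches     :", run_target(cfg, winning_input(secret, keys)))
```

On a real binary the two hard parts are the ones this toy assumes away: recovering the decode function along the use-def chain (here a single XOR that is trivially invertible) and deciding that the longest path is the interesting one, which holds for a check chain but not for a CFG with loops or multiple sinks.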
Angr Script
... acquire binary & some conditions ...

    import angr

    # setup env (2015-era angr API: path_group and state.se; newer angr calls
    # these simulation_manager and state.solver)
    b = angr.Project("aeg")
    ss = b.factory.blank_state(addr=entry_func)
    ss.options.discard("LAZY_SOLVES")
    ss.se._solver.timeout = 10000

    # fake input with no value: 50 unconstrained symbolic bytes where argv[1] lives
    ss.memory.store(argv1_buff, ss.BV("input", 50*8))

    # target & bad branches, 4 speed: pruning the fail blocks keeps the path
    # explosion down, the find address is the memcpy
    pg = b.factory.path_group(ss, immutable=False)
    angr.path_group.l.setLevel("DEBUG")
    pg.explore(find=vuln_addr[0], avoid=fail_bbs)

    # solved for path to target, dump memory: concretize the 50 input bytes
    # under the found path's constraints
    argv1_win = pg.found[0].state.se.any_str(pg.found[0].state.memory.load(argv1_buff, 50))
Demo
Conclusion: The Future
[ What We are (still) Working With ]
- Binaries (source is nice)
- Need to lift bins to IR for LLVM
- Most concolic execution tools would need to compile it
[ Difficulty ]
- Know how to express our targeted vulnerability
- Semantics for UAF, memory corruption, etc....
Finding (More) Bugs
Automatic program analysis:
- translate program (IR)
- define program in-correctness
Goal: proving the existence or absence of bugs.
Acknowledgements
- Trail of Bits
- RPISEC
References
[Good Course Material]
- https://www.cs.umd.edu/class/spring2013/cmsc631/lectures/symbolic-exec.pdf
- https://www.utdallas.edu/~zxl111930/spring2012/public/lec4.pdf
- http://web.mit.edu/16.399/www/lecture_01-intro/Cousot_MIT_2005_Course_01_4-1.pdf
- http://homepage.cs.uiowa.edu/~tinelli/classes/seminar/Cousot.pdf
[Site for Tool Documentation]
- https://github.com/angr/angr-doc
- https://github.com/llvm-mirror/llvm
[Other Good Resources]
- http://www.grammatech.com/blog/hybrid-concolic-execution-part-1
- http://openwall.info/wiki/_media/people/jvanegue/files/aegc_vanegue.pdf