Csw2016 d antoine_automatic_exploitgeneration

Automatic Exploit
Generation
an Odyssey
Sophia D’Antoine
CanSecWest 2016

Introduction
Programs have become increasingly difficult
to exploit
•  larger, changing surface area
•  mitigations
•  more bytes to siphon through
10/22/2015 Program Analysis to Find Vulnerabilities 2/45

Introduction
Reaction:
people get smarter and tools get better
-  pentesters
-  government research
-  CTF!

CTF & Wargames
A
Binary
PWN
It
A
Flag

The Past
Manual labor
•  static analysis
-  dynamic analysis

Dynamic Analysis
Definition:
•  Running it (concrete execution)
•  Collecting/ observing environment changes
Popular Uses:
-  dump VM memory & grep
-  record/ replay & manual analysis
-  gdb (debuggers) & run

Dynamic Analysis
Common tools:
•  gdb, windbg, cdb
•  python brute force (blind fuzzing)

step...
step...
step...
step...
step...
step...
step...
step...
step...
step...
step...
step...
step...
step...
step...
step...
step...
step...
Example: Dynamic Analysis

Agenda
1.  Intro
2.  Automating Exploitation
a.  what, how?
b.  the target
3.  Program Analysis
a.  background
b.  types we care about
c.  how this helps with AEG
4.  Application
a.  tools
b.  demo
5.  Conclusion
10/22/2015 Automatic Exploit Generation 10/45

-  Focus on discovery and combination of write and read
primitives
Some Background
What is Automated Exploitation?
The ability to generate a successful computer attack with
reduced or entirely without human interaction.
•  Existing AE work focused on Restricted Models:
–  Sean Heelan’s “Automatic Generation of Control Flow Hijacking
Exploits for Software Vulnerabilities”
–  David Brumley (@ Carnegie Mellon) et al. (AEG, MAYHEM, etc)
–  Cyber Grand Challenge! (CGC)
primitives
primitives

Break up AEG into 2 parts:
•  Generating input to get to vulnerability
•  Generating “payload” to profit from vulnerability
Automating Exploitation
-  Both are hard
-  Work being done in
both areas
-  Focus today on
first problem
github.com/programa-stic/ropc-llvm

TARGET?
Automating Exploitation

AEG - pwnable.kr
Program
Operations
Get random binary, pwn it in 10 seconds.
1)  Takes input at argv[1]
2)  Does some decode & operations on it
3)  Calls sequence of 16 functions
4)  Each function checks 3 characters of input
sequentially
5)  If you pass them all, you get to the exploitable
memcpy!
Automated Exploit Generation
1)  Generate input to get to vulnerability
2)  Generate payload to exploit and get shell

The image cannot be displayed. Your computer may not have enough memory to open the image, or the image may have been corrupted. Restart your computer, and then open the ﬁle again. If the red x still appears, you may have to delete the image and then insert it again.
AEG - pwnable.kr
fail ...
input
argv[1]
3
checks
... 15 more
functions ...
memcpy
fail ...

How can AEG solve for
this path in the CFG?

Agenda
1.  Intro
a.  what, how?
b.  the target
a.  background
4.  Application
a.  tools
b.  demo
5.  Conclusion

The process of automatically analyzing the
behavior of applications
What is program analysis
-  set of paths == expected paths
-  minimum expense => expected paths
-  In terms of a property:
-  program correctness
-  program optimization

How This Helps with AEG
Analysis helps us hunt for bugs
automatically.
•  Fuzzing/ Instrumenting
•  Symbolic Execution
•  Concolic Execution
==> Pro move: combine analyses

Dynamic Binary Instrumentation
Definition:
•  ‘Hijacked’ environment, binaries, or source
•  Monitor specific system artifacts
•  Attempts at complete (concrete) execution
Popular Uses:
-  Force program states
-  Gather and report observations at runtime
-  Types of hooking: source & binary

Example: DBI
$pin -t inscount0.so -- binary

[BINARY LEVEL]
-  Inject increment after each instruction

[STILL BRUTE FORCE]
-  Return total instructions for fuzzed input
-  Only true for that 1 executed path
(the possible CFG space may be
very large)

icount++
sub $0xff, %edx
icount++
cmp %esi, %edx
icount++
jle
icount++
mov $0x1, %edi
icount++
add $0x10, %eax
sub $0xff, %edx
cmp %esi, %edx
jle
mov $0x1, %edi
add $0x10, %eax
Example: DBI

Symbolic Execution
Definition:
•  Generate 1 sym path for a set of paths
(could still be extremely expensive)
•  Satisfies path conditions
•  Composed of some concrete values
Popular Uses:
-  Determine program state at particular basic block
-  Create ‘equation’ to feed to SAT/SMT solvers
-  Faster than brute forcing all conditions

Example: Symbolic Execution
[INT] a, b, c
[INT] x, y, z = 0;

fun( int a, b, c )
{
if (a) {
x = -2;
}

if (b < 5) {
if (!a && c) {
y = 1;
}
z = 2;
}
assert(x+y+z!=3)
}
. . .
fun( 0, 3, 1 );
. . .
Old Method:
Try all inputs until assert

[WARNING] inputs unbounded!

Example: Symbolic Execution
[SYMBOL] a, b, c
[INT] x, y, z = 0;

if (a) {
x = -2;
}

if (b < 5) {
if (!a && c) {
y = 1;
}
z = 2;
}
assert(x+y+z!=3)

Concolic Execution
Definition:
•  Dynamic symbolic execution
•  Instrumentation of symbolic execution as it runs
•  One path at a time to maintain concrete state
underneath symbolic variables
Popular Uses:
-  Concretization
(replace symbols with
values to satisfy path condition)
-  Handle system calls & library loading
-  Cases which SMT can’t solve

Example: Concolic Execution
[INT] a, b, c
[INT] x, y, z = 0;

fun( int a, b, c )
{
if (a) {
x = -2;
}

if (b < 5) {
if (!a && c) {
y = 1;
}
z = 2;
}
assert(x+y+z!=3)
}
. . .
fun( 0, 3, 1 );
. . .
Old Method:
Try all inputs until assert

[WARNING] inputs unbounded!

Example: Concolic Execution
[INT & SYMBOL] a, b, c
[INT] x, y, z = 0;

if (a) {
x = -2;
}

if (b < 5) {
if (!a && c) {
y = 1;
}
z = 2;
}
assert(x+y+z!=3)
STEPS

[ONE]
concrete execution of function
[TWO]
while building symbolic path model
[THREE]
constraints on input are modeled
[FOUR]
models used to generate concrete input

Creating a Feedback Loop
In practice using the results of different
analyses finds bugs quicker.
Example Pairing:
•  Concrete execution
•  Fuzz input
•  Symbolic/ Concolic execution
•  Examine results
•  Craft new input

Agenda
1.  Intro
a.  what, how?
b.  the target
a.  background
4.  Application
a.  tools
b.  demo
5.  Conclusion

Common tools:
•  PIN Tool
•  Valgrind (before/during runtime)
•  DynamoRIO
•  Qemu
Dynamic Binary Instrumentation

Example: Flare-on Challenge 9
[ http://blog.trailofbits.com/2015/09/09/flare-on-reversing-
challenges-2015/ ]
•  Pintool instruction count
•  More instructions == Closer to correct input
Input:
FLAGAAAA...
Input:
AAAAAAAA...

Symbolic Execution
Common tools:
•  KLEE (runs on LLVM bc)
•  SAGE (MS internal tool)
feed it to z3 to solve

Concolic Execution
Common tools:
•  Angr
•  Pysymemu
•  Triton

AEG Demo: Assumptions
[ Assumptions ]
•  Space of potential vulnerabilities too large
•  Need to write tools to hunt for subset
–  Target memory corrupt (memcpy)
•  ROP from there…
[ Dynamically Acquire ]
•  Path to target
•  Solve for constraints
•  Addresses of gadgets for ROP
[ Statically (Pre) Acquired ]
•  Semantics of target & gadgets

LLVM Pass
Using the structure of the binary:
•  Dominator Tree
–  Longest path of CFG is the “winning” path
•  Use-def chain
–  Each cmp of this path comprises the “constraints”
“Flow-sensitive constraint analysis"
LLVM:
-  Makes this analysis easier
-  DomTree & Use-def construction
-  Semantics of cmp and vars easy to pull out
-  Runs statically over bitcode (lift with Mcsema)
-  Fast

LLVM Pass
Download tool:
[ https://github.com/trailofbits/domtresat ]

Angr Script
… acquire binary & some conditions ….
b = angr.Project("aeg")

ss = b.factory.blank_state(addr=entry_func)
ss.options.discard("LAZY_SOLVES")
ss.se._solver.timeout=10000
ss.memory.store(argv1_buff, ss.BV("input", 50*8))

pg = b.factory.path_group(ss, immutable=False)
angr.path_group.l.setLevel("DEBUG")
pg.explore(find=vuln_addr[0], avoid=fail_bbs)

argv1_win = pg.found[0].state.se.any_str(pg.found[0].state.memory.load(argv1_buff, 50))

#setup env

#fake input with no value

#target & bad branches, 4 speed

#solved for path to target, dump memory

[ What We are (still) Working With ]
–  Binaries
–  Source is nice
•  Need to lift bins to IR for LLVM
•  Most concolic exec. tools would need to compile it
Conclusion: The Future
[ Difficulty ]
-  Know how to express our targeted vulnerability
-  Semantics for UAF, Memory Corruption, etc....

Automatic program analysis
•  translate program (IR)
•  define program in-correctness
goal: proving existence or absence
of bugs
Finding (More) Bugs

Acknowledgements
•  Trail of Bits
•  pwnable.kr
•  RPISEC

References
[Good Course Material]
https://www.cs.umd.edu/class/spring2013/cmsc631/lectures/symbolic-exec.pdf
https://www.utdallas.edu/~zxl111930/spring2012/public/lec4.pdf
http://web.mit.edu/16.399/www/lecture_01-intro/Cousot_MIT_2005_Course_01_4-1.pdf
http://homepage.cs.uiowa.edu/~tinelli/classes/seminar/Cousot.pdf

[Site for Tool Documentation]
https://github.com/angr/angr-doc
https://github.com/llvm-mirror/llvm
https://github.com/trailofbits/domtresat [ Tool built on concepts in this talk ]

[Other Good Resources]
http://www.grammatech.com/blog/hybrid-concolic-execution-part-1
http://openwall.info/wiki/_media/people/jvanegue/files/aegc_vanegue.pdf


Any Questions?
IRC: quend
email: sophia@trailofbits.com

Csw2016 d antoine_automatic_exploitgeneration

More Related Content

What's hot (20)

Viewers also liked (20)

Similar to Csw2016 d antoine_automatic_exploitgeneration (20)

More from CanSecWest (11)

Recently uploaded (20)

Csw2016 d antoine_automatic_exploitgeneration