State of the ExploitMatt Miller / [email protected]
What is the state of the exploit? Where do generic exploitation techniques
stand in 2008? Formidable mitigations exist (ASLR, NX, GS) Many techniques impractical or impossible Exploits are more reliant on vuln-specific qualities
How can we evaluate the relevance & feasibility of current & future techniques? Exploitability analysis
Exploitability analysis
Studying the qualities that influence exploitation If a vulnerability exists, how exploitable would it be?
Research directions Exploitation properties Simulating exploitation
ExploitationProperties
What are exploitation properties?
Specific qualities that enable or inhibit exploitation techniques Objectively derived from a program Vulnerability independent
Intuitively known, but not formally defined Exploits have always relied on exploitation
properties
Relating to exploitation techniques
Exploitation techniques have pre-conditions that must be satisfied SEH overwrite must be able to overwrite EH
record
Exploitation properties help determine the satisfiability of those pre-conditions Function called in EH scope == TRUE
Examples of exploitation properties
Processor supports
NX
Function called in EH scope
Function uses GS
Execute code from NX region
FT
InhibitsEnables
SEH overwrite
FT
Return address overwrite
FT
Deriving exploitation property values
Dynamic analysis Hardware properties (NX supported?) Operating system properties (ASLR supported?) Process properties (NX enabled?)
Static analysis Binary module properties (Relocateable?) Function properties (GS enabled?)
Case study: MS07-017 (ANI)
Animated cursor vulnerability found by Alexander Sotirov in late 2006 Stack-based buffer overflow
First highly exploitable issue to affect Vista
Why was it so exploitable?
MS07-017 vulnerability details
01: int LoadAniIcon(struct MappedFile* file, ...) {02: struct ANIChunk chunk;03: struct ANIHeader header; // 36 byte structure04: while (1) {05: // read the first 8 bytes of the chunk06: ReadTag(file, &chunk);07: switch (chunk.tag) {08: case ’anih’:09: // read chunk.size bytes into header10: ReadChunk(file, &chunk, &header);
Credit to Sotirov for the pseudo-code
Exploitation properties of MS07-017
Inhibitors OS properties
ASLR present SafeSEH present
Hardware properties NX supported
Enablers Function properties
GS not present Called in EH scope Partial overwrite is feasible
Process properties NX support disabled
Statically detecting MS07-017 MS07-017 could have been found with the help
of exploitability analysis
Find instances of code enabling reliable exploitation techniques No GS, EH scope, partial overwrite feasible, etc
Resultant set would include the function containing the ANI vulnerability Vulnerability analysis can narrow this set
Automatically assessing exploitability
Recap Exploitation techniques have pre-conditions that
must be satisfied Exploitation properties provide objective values
for these pre-conditions
How can we better assess exploitability with this information?
Simulated Exploitation
Simulating exploitation Consider exploitation as a state machine
Abstract execution states
Exploitation techniques are transitions
Exploitability is derived from the degree to which pre-conditions are satisfied
Simulating exploitation
Vulnerability side-effects represent the pre-conditions of the initial state Extent of memory corruption Pattern of memory corruption
Precision can vary Memory corruption of a stack buffer 256 byte overwrite at &local with pattern A-Z
High-level exploitation NFA
Memory Corruption
Control of Frame Pointer
Control of Instruction Pointer
Control of Code Execution
Coalesce NxN
Overwrite Return Address
Overwrite Exception Handler
Overwrite Function Pointer
Code execution fromInstruction pointer
Instruction pointer fromFrame pointer
Overwrite Frame Pointer
Exploitation technique pre-conditions
Memory Corruption
Control of Instruction Pointer
Control of Code Execution
Overwrite return address
Code execution frominstruction pointer
- Region of corruption = Stack
- Range of corruption intersects with the address of a return address
- Guard stack presence = FALSE
- ASLR presence = FALSE
- NX presence = FALSE if instruction pointer in non-executable region
- Address of useful code is known
Conclusion
Uses for exploitability analysis Identify regions of code that may be highly
exploitable given the presence of a vulnerability Program risk assessment
Evaluate the effectiveness of exploitation techniques & mitigations
Automatic exploit generation using post-conditions from simulated exploitation Unlikely to compete with human talent
Future work
Research additional exploitation properties
Further develop analysis tools Dynamic analysis of hardware, OS, and process
state
Further develop exploitation simulator Basic exploit generator using post-conditions
Thanks!
Additional reading on exploitation propertieshttp://uninformed.org/?v=9&a=4