Trust Boundary Vulnerability Exploitation State of the Exploit
Slide 1: Trust Boundary Vulnerability Exploitation: State of the Exploit
Matt Miller / mmiller@leviathansecurity.com

Slide 2: What is the state of the exploit?
- Where do generic exploitation techniques stand in 2008?
  - Formidable mitigations exist (ASLR, NX, GS)
  - Many techniques are now impractical or impossible
  - Exploits are more reliant on vulnerability-specific qualities
- How can we evaluate the relevance and feasibility of current and future techniques?
  - Exploitability analysis
  - Function pointers in the heap / Dowd's bug

Slide 3: Exploitability analysis
- Studying the qualities that influence exploitation
  - If a vulnerability exists, how exploitable would it be?
- Research directions
  - Exploitation properties
  - Simulating exploitation
- Independent of a particular vulnerability

Slide 4: Exploitation Properties (section title)

Slide 5: What are exploitation properties?
- Specific qualities that enable or inhibit exploitation techniques
  - Objectively derived from a program
  - Vulnerability independent
- Intuitively known, but not formally defined
  - Exploits have always relied on exploitation properties

Slide 6: Relating to exploitation techniques
- Exploitation techniques have pre-conditions that must be satisfied
  - Example: an SEH overwrite must be able to overwrite an exception handler (EH) record
- Exploitation properties help determine the satisfiability of those pre-conditions
  - Example: "Function called in EH scope" == TRUE
- Satisfiability determines effective exploitability

Slide 7: Examples of exploitation properties

    Property                     Value   Technique                     Effect
    Processor supports NX        T       Execute code from NX region   Inhibits
    Processor supports NX        F       Execute code from NX region   Enables
    Function called in EH scope  T       SEH overwrite                 Enables
    Function called in EH scope  F       SEH overwrite                 Inhibits
    Function uses GS             T       Return address overwrite      Inhibits
    Function uses GS             F       Return address overwrite      Enables

Speaker note: talk about the degree of inhibition. For example, ASLR inhibits exploitation techniques 1/256; this should be captured.

Slide 8: Deriving exploitation property values
- Dynamic analysis
  - Hardware properties (is NX supported?)
  - Operating system properties (is ASLR supported?)
  - Process properties (is NX enabled?)
- Static analysis
  - Binary module properties (is the module relocatable?)
  - Function properties (is GS enabled?)
Speaker note: case study next.

Slide 9: Case study: MS07-017 (ANI)
- Animated cursor vulnerability found by Alexander Sotirov in late 2006
- Stack-based buffer overflow
- First highly exploitable issue to affect Vista
- Why was it so exploitable?

Slide 10: MS07-017 vulnerability details

    int LoadAniIcon(struct MappedFile* file, ...) {
        struct ANIChunk chunk;
        struct ANIHeader header; // 36 byte structure
        while (1) {
            // read the first 8 bytes of the chunk (tag and size)
            ReadTag(file, &chunk);
            switch (chunk.tag) {
            case 'anih':
                // read chunk.size bytes into header: chunk.size comes from the
                // file and is never compared against sizeof(header), so a larger
                // chunk overruns the 36-byte stack buffer
                ReadChunk(file, &chunk, &header);

(Function continues; the remainder is not shown on the slide.)
Credit to Sotirov for the pseudo-code.

Slide 11: Exploitation properties of MS07-017
Inhibitors
- OS properties
  - ASLR present
  - SafeSEH present
- Hardware properties
  - NX supported
Enablers
- Function properties
  - GS not present
  - Called in EH scope
  - Partial overwrite is feasible
- Process properties
  - NX support disabled

Slide 12: Statically detecting MS07-017
- MS07-017 could have been found with the help of exploitability analysis
- Find instances of code enabling reliable exploitation techniques
  - No GS, called in EH scope, partial overwrite feasible, etc.
- The resultant set would include the function containing the ANI vulnerability
- Vulnerability analysis can narrow this set

Slide 13: Automatically assessing exploitability
Recap
- Exploitation techniques have pre-conditions that must be satisfied
- Exploitation properties provide objective values for these pre-conditions
How can we better assess exploitability with this information?

Slide 14: Simulated Exploitation (section title)

Slide 15: Simulating exploitation
- Consider exploitation as a state machine
  - Abstract execution states
  - Exploitation techniques are transitions
- Exploitability is derived from the degree to which pre-conditions are satisfied

Slide 16: Simulating exploitation
- Vulnerability side-effects represent the pre-conditions of the initial state
  - Extent of memory corruption
  - Pattern of memory corruption
- Precision can vary
  - Memory corruption of a stack buffer
  - 256 byte overwrite at &local with pattern A-Z

Slide 17: High-level exploitation NFA (diagram; states and transitions reconstructed as a list)
- Memory Corruption -> Overwrite Exception Handler
- Memory Corruption -> Overwrite Frame Pointer
- Memory Corruption -> Overwrite Return Address
- Memory Corruption -> Overwrite Function Pointer
- Overwrite Frame Pointer -> Control of Frame Pointer
- Control of Frame Pointer -> Control of Instruction Pointer (instruction pointer from frame pointer)
- Overwrite Exception Handler / Return Address / Function Pointer -> Control of Instruction Pointer
- Control of Instruction Pointer -> Control of Code Execution (code execution from instruction pointer)
Speaker note: coalesce NxN.

Slide 18: Exploitation technique pre-conditions
Transition: Memory Corruption -> Overwrite return address -> Control of Instruction Pointer
- Region of corruption = Stack
- Range of corruption intersects with the address of a return address
- Guard stack (GS) presence = FALSE
Transition: Control of Instruction Pointer -> Code execution from instruction pointer -> Control of Code Execution
- ASLR presence = FALSE (address of useful code is known)
- NX presence = FALSE, if the instruction pointer points into a non-executable region
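As an added example (not from the slides or from the author's tooling), a small Python simulator of the exploitation NFA of slides 15 to 18, evaluated against the MS07-017 property set of slide 11. The transition set, the predicate encodings (in particular treating a feasible partial overwrite as satisfying "address of useful code is known" despite ASLR) and the corruption offsets are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Transition:
    """One exploitation technique: an edge of the NFA with its pre-conditions."""
    technique: str
    src: str
    dst: str
    preconds: tuple  # (description, predicate over the property dict) pairs

def _hits_return_address(p):
    # Range of corruption must intersect the return address slot.
    return p["corrupt_start"] <= p["ret_addr_offset"] < p["corrupt_start"] + p["corrupt_len"]

MEMCORRUPT, IP, CODE = "Memory Corruption", "Control of Instruction Pointer", "Control of Code Execution"
TRANSITIONS = (
    Transition("Overwrite return address", MEMCORRUPT, IP, (
        ("region of corruption = stack", lambda p: p["region"] == "stack"),
        ("range intersects return address", _hits_return_address),
        ("guard stack (GS) presence = FALSE", lambda p: not p["gs"]))),
    Transition("Overwrite exception handler", MEMCORRUPT, IP, (
        ("region of corruption = stack", lambda p: p["region"] == "stack"),
        ("function called in EH scope", lambda p: p["eh_scope"]),
        ("SafeSEH presence = FALSE", lambda p: not p["safeseh"]))),
    Transition("Code execution from instruction pointer", IP, CODE, (
        # Assumption: ASLR hides code addresses unless a partial overwrite keeps the known high bits.
        ("address of useful code is known", lambda p: not p["aslr"] or p["partial_overwrite"]),
        ("NX enabled for process = FALSE", lambda p: not p["nx_enabled"]))),
)

def reachable(props, start=MEMCORRUPT):
    """Return (reachable states, {state: technique that first reached it})."""
    states, how, changed = {start}, {}, True
    while changed:  # fixed point over the transition relation
        changed = False
        for t in TRANSITIONS:
            if t.src in states and t.dst not in states and all(pred(props) for _, pred in t.preconds):
                states.add(t.dst); how[t.dst] = t.technique; changed = True
    return states, how

def inhibitors(props):
    """Per technique, the pre-conditions the given properties fail to satisfy."""
    return {t.technique: [d for d, pred in t.preconds if not pred(props)] for t in TRANSITIONS}

# Constructed property set modelled on the MS07-017 slide (ASLR and SafeSEH present, NX
# hardware-supported but disabled for the process, no GS, called in EH scope, partial overwrite
# feasible). The corruption offsets are illustrative, not taken from the real vulnerability.
MS07_017 = dict(region="stack", corrupt_start=0, corrupt_len=256, ret_addr_offset=40,
                gs=False, eh_scope=True, safeseh=True, aslr=True, partial_overwrite=True, nx_enabled=False)
```

Re-running `reachable` and `inhibitors` with individual properties flipped (GS on, NX enabled) shows which single mitigation cuts the path to code execution, which is the mitigation-effectiveness question slide 20 raises.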

Slide 19: Conclusion (section title)

Slide 20: Uses for exploitability analysis
- Identify regions of code that may be highly exploitable given the presence of a vulnerability
  - Program risk assessment
- Evaluate the effectiveness of exploitation techniques and mitigations
- Automatic exploit generation using post-conditions from simulated exploitation
  - Unlikely to compete with human talent

Slide 21: Future work
- Research additional exploitation properties
- Further develop analysis tools
  - Dynamic analysis of hardware, OS, and process state
- Further develop the exploitation simulator
  - Basic exploit generator using post-conditions

Slide 22: Additional reading on exploitation properties
Thanks!
