Presentation is loading. Please wait.

Presentation is loading. Please wait.

State of the Exploit Matt Miller / Trust Boundary VulnerabilityExploitation.

Published byDaniela Gallimore Modified over 10 years ago

Similar presentations

Presentation on theme: "State of the Exploit Matt Miller / Trust Boundary VulnerabilityExploitation."— Presentation transcript:

1 State of the Exploit Matt Miller / mmiller@leviathansecurity.com Trust Boundary VulnerabilityExploitation

2 What is the state of the exploit?  Where do generic exploitation techniques stand in 2008?  Formidable mitigations exist (ASLR, NX, GS)  Many techniques impractical or impossible  Exploits are more reliant on vuln-specific qualities  How can we evaluate the relevance & feasibility of current & future techniques?  Exploitability analysis

3 Exploitability analysis  Studying the qualities that influence exploitation  If a vulnerability exists, how exploitable would it be?  Research directions  Exploitation properties  Simulating exploitation

4 Exploitation Properties

5 What are exploitation properties?  Specific qualities that enable or inhibit exploitation techniques  Objectively derived from a program  Vulnerability independent  Intuitively known, but not formally defined  Exploits have always relied on exploitation properties

6 Relating to exploitation techniques  Exploitation techniques have pre-conditions that must be satisfied  SEH overwrite must be able to overwrite EH record  Exploitation properties help determine the satisfiability of those pre-conditions  Function called in EH scope == TRUE

7 Examples of exploitation properties Processor supports NX Function called in EH scope Function uses GS Execute code from NX region FT Inhibits Enables SEH overwrite FT Return address overwrite FT

8 Deriving exploitation property values  Dynamic analysis  Hardware properties (NX supported?)  Operating system properties (ASLR supported?)  Process properties (NX enabled?)  Static analysis  Binary module properties (Relocateable?)  Function properties (GS enabled?)

9 Case study: MS07-017 (ANI)  Animated cursor vulnerability found by Alexander Sotirov in late 2006  Stack-based buffer overflow  First highly exploitable issue to affect Vista  Why was it so exploitable?

10 MS07-017 vulnerability details 01: int LoadAniIcon(struct MappedFile* file,...) { 02: struct ANIChunk chunk; 03: struct ANIHeader header; // 36 byte structure 04: while (1) { 05: // read the first 8 bytes of the chunk 06: ReadTag(file, &chunk); 07: switch (chunk.tag) { 08: case ’anih’: 09: // read chunk.size bytes into header 10: ReadChunk(file, &chunk, &header); Credit to Sotirov for the pseudo-code

11 Exploitation properties of MS07-017 Inhibitors  OS properties  ASLR present  SafeSEH present  Hardware properties  NX supported Enablers  Function properties  GS not present  Called in EH scope  Partial overwrite is feasible  Process properties  NX support disabled

12 Statically detecting MS07-017  MS07-017 could have been found with the help of exploitability analysis  Find instances of code enabling reliable exploitation techniques  No GS, EH scope, partial overwrite feasible, etc  Resultant set would include the function containing the ANI vulnerability  Vulnerability analysis can narrow this set

13 Automatically assessing exploitability  Recap  Exploitation techniques have pre-conditions that must be satisfied  Exploitation properties provide objective values for these pre-conditions  How can we better assess exploitability with this information?

14 Simulated Exploitation

15 Simulating exploitation  Consider exploitation as a state machine  Abstract execution states  Exploitation techniques are transitions  Exploitability is derived from the degree to which pre-conditions are satisfied

16 Simulating exploitation  Vulnerability side-effects represent the pre- conditions of the initial state  Extent of memory corruption  Pattern of memory corruption  Precision can vary  Memory corruption of a stack buffer  256 byte overwrite at &local with pattern A-Z

17 High-level exploitation NFA Memory Corruption Control of Frame Pointer Control of Instruction Pointer Control of Code Execution Coalesce NxN Overwrite Return Address Overwrite Exception Handler Overwrite Function Pointer Code execution from Instruction pointer Instruction pointer from Frame pointer Overwrite Frame Pointer

18 Exploitation technique pre-conditions Memory Corruption Control of Instruction Pointer Control of Code Execution Overwrite return address Code execution from instruction pointer - Region of corruption = Stack - Range of corruption intersects with the address of a return address - Guard stack presence = FALSE - Region of corruption = Stack - Range of corruption intersects with the address of a return address - Guard stack presence = FALSE - ASLR presence = FALSE - NX presence = FALSE if instruction pointer in non-executable region - Address of useful code is known - ASLR presence = FALSE - NX presence = FALSE if instruction pointer in non-executable region - Address of useful code is known

19 Conclusion

20 Uses for exploitability analysis  Identify regions of code that may be highly exploitable given the presence of a vulnerability  Program risk assessment  Evaluate the effectiveness of exploitation techniques & mitigations  Automatic exploit generation using post- conditions from simulated exploitation  Unlikely to compete with human talent

21 Future work  Research additional exploitation properties  Further develop analysis tools  Dynamic analysis of hardware, OS, and process state  Further develop exploitation simulator  Basic exploit generator using post-conditions

22 Thanks! Additional reading on exploitation properties http://uninformed.org/?v=9&a=4 Trust Boundary VulnerabilityExploitation

Download ppt "State of the Exploit Matt Miller / Trust Boundary VulnerabilityExploitation."

Similar presentations

1 Copyright © 2013 Elsevier Inc. All rights reserved. Chapter 107.

1 Copyright © 2013 Elsevier Inc. All rights reserved. Chapter 107.
1 Copyright © 2013 Elsevier Inc. All rights reserved. Chapter 40.

1 Copyright © 2013 Elsevier Inc. All rights reserved. Chapter 40.
1 Copyright © 2013 Elsevier Inc. All rights reserved. Chapter 28.

1 Copyright © 2013 Elsevier Inc. All rights reserved. Chapter 28.
1 Copyright © 2013 Elsevier Inc. All rights reserved. Chapter 44.

1 Copyright © 2013 Elsevier Inc. All rights reserved. Chapter 44.
1 Copyright © 2013 Elsevier Inc. All rights reserved. Chapter 101.

1 Copyright © 2013 Elsevier Inc. All rights reserved. Chapter 101.
1 Copyright © 2013 Elsevier Inc. All rights reserved. Chapter 58.

1 Copyright © 2013 Elsevier Inc. All rights reserved. Chapter 58.
1 Copyright © 2013 Elsevier Inc. All rights reserved. Chapter 112.

1 Copyright © 2013 Elsevier Inc. All rights reserved. Chapter 112.
1 Copyright © 2013 Elsevier Inc. All rights reserved. Chapter 75.

1 Copyright © 2013 Elsevier Inc. All rights reserved. Chapter 75.
U.S. Army Research, Development and Engineering Command Jaime C. Acosta, Ph.D. Using the Longest Common Substring on Dynamic Traces of Malware to Automatically.

U.S. Army Research, Development and Engineering Command Jaime C. Acosta, Ph.D. Using the Longest Common Substring on Dynamic Traces of Malware to Automatically.
Euripides Montagne University of Central Florida (Summer 2011)

Euripides Montagne University of Central Florida (Summer 2011)
Introduction to Memory Management. 2 General Structure of Run-Time Memory.

Introduction to Memory Management. 2 General Structure of Run-Time Memory.
Defenses. Preventing hijacking attacks 1. Fix bugs: – Audit software Automated tools: Coverity, Prefast/Prefix. – Rewrite software in a type safe languange.

Defenses. Preventing hijacking attacks 1. Fix bugs: – Audit software Automated tools: Coverity, Prefast/Prefix. – Rewrite software in a type safe languange.
Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.

Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.

Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 11 – Buffer Overflow.

Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 11 – Buffer Overflow.
Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.

Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
Www.SecurityXploded.com. Disclaimer The Content, Demonstration, Source Code and Programs presented here is AS IS without any warranty or conditions.

Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.
Nibin Varghese iViZ Security, Kolkata Reverse Engineering for Exploit Writers.

Nibin Varghese iViZ Security, Kolkata Reverse Engineering for Exploit Writers.
Breno de MedeirosFlorida State University Fall 2005 Buffer overflow and stack smashing attacks Principles of application software security.

Breno de MedeirosFlorida State University Fall 2005 Buffer overflow and stack smashing attacks Principles of application software security.

Similar presentations

Ads by Google