state of the exploit n.
Download
Skip this Video
Download Presentation
State of the Exploit

Loading in 2 Seconds...

play fullscreen
1 / 22

State of the Exploit - PowerPoint PPT Presentation


  • 70 Views
  • Uploaded on

State of the Exploit. Matt Miller / mmiller@leviathansecurity.com. What is the state of the exploit?. Where do generic exploitation techniques stand in 2008? Formidable mitigations exist (ASLR, NX, GS) Many techniques impractical or impossible

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'State of the Exploit' - yaholo


Download Now An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
state of the exploit

State of the Exploit

Matt Miller / mmiller@leviathansecurity.com

what is the state of the exploit
What is the state of the exploit?
  • Where do generic exploitation techniques stand in 2008?
    • Formidable mitigations exist (ASLR, NX, GS)
    • Many techniques impractical or impossible
    • Exploits are more reliant on vuln-specific qualities
  • How can we evaluate the relevance & feasibility of current & future techniques?
    • Exploitability analysis
exploitability analysis
Exploitability analysis
  • Studying the qualities that influence exploitation
    • If a vulnerability exists, how exploitable would it be?
  • Research directions
    • Exploitation properties
    • Simulating exploitation
slide4
Exploitation

Properties

what are exploitation properties
What are exploitation properties?
  • Specific qualities that enable or inhibit exploitation techniques
    • Objectively derived from a program
    • Vulnerability independent
  • Intuitively known, but not formally defined
    • Exploits have always relied on exploitation properties
relating to exploitation techniques
Relating to exploitation techniques
  • Exploitation techniques have pre-conditions that must be satisfied
    • SEH overwrite must be able to overwrite EH record
  • Exploitation properties help determine the satisfiability of those pre-conditions
    • Function called in EH scope == TRUE
examples of exploitation properties
Examples of exploitation properties

Processor supports NX

Function called in EH scope

Function uses GS

T

F

T

F

T

F

Execute code from NX region

Return address overwrite

SEH overwrite

Inhibits

Enables

deriving exploitation property values
Deriving exploitation property values
  • Dynamic analysis
    • Hardware properties (NX supported?)
    • Operating system properties (ASLR supported?)
    • Process properties (NX enabled?)
  • Static analysis
    • Binary module properties (Relocateable?)
    • Function properties (GS enabled?)
case study ms07 017 ani
Case study: MS07-017 (ANI)
  • Animated cursor vulnerability found by Alexander Sotirov in late 2006
    • Stack-based buffer overflow
  • First highly exploitable issue to affect Vista
  • Why was it so exploitable?
ms07 017 vulnerability details
MS07-017 vulnerability details

01: intLoadAniIcon(structMappedFile* file, ...) {

02: structANIChunk chunk;

03: structANIHeader header; // 36 byte structure

04: while (1) {

05: // read the first 8 bytes of the chunk

06: ReadTag(file, &chunk);

07: switch (chunk.tag) {

08: case ’anih’:

09: // read chunk.size bytes into header

10: ReadChunk(file, &chunk, &header);

Credit to Sotirov for the pseudo-code

exploitation properties of ms07 017
Exploitation properties of MS07-017

Inhibitors

Enablers

Function properties

GS not present

Called in EH scope

Partial overwrite is feasible

Process properties

NX support disabled

  • OS properties
    • ASLR present
    • SafeSEH present
  • Hardware properties
    • NX supported
statically detecting ms07 017
Statically detecting MS07-017
  • MS07-017 could have been found with the help of exploitability analysis
  • Find instances of code enabling reliable exploitation techniques
    • No GS, EH scope, partial overwrite feasible, etc
  • Resultant set would include the function containing the ANI vulnerability
    • Vulnerability analysis can narrow this set
automatically assessing exploitability
Automatically assessing exploitability
  • Recap
    • Exploitation techniques have pre-conditions that must be satisfied
    • Exploitation properties provide objective values for these pre-conditions
  • How can we better assess exploitability with this information?
simulating exploitation
Simulating exploitation
  • Consider exploitation as a state machine
  • Abstract execution states
  • Exploitation techniques are transitions
  • Exploitability is derived from the degree to which pre-conditions are satisfied
simulating exploitation1
Simulating exploitation
  • Vulnerability side-effects represent the pre-conditions of the initial state
    • Extent of memory corruption
    • Pattern of memory corruption
  • Precision can vary
    • Memory corruption of a stack buffer
    • 256 byte overwrite at &local with pattern A-Z
high level exploitation nfa
High-level exploitation NFA

Coalesce NxN

Memory Corruption

Overwrite

Exception Handler

Overwrite

Frame Pointer

Overwrite

Return Address

Overwrite

Function Pointer

Control of Frame Pointer

Control of Instruction Pointer

Instruction pointer from

Frame pointer

Code execution from

Instruction pointer

Control of Code Execution

exploitation technique pre conditions
Exploitation technique pre-conditions
  • Region of corruption = Stack
  • Range of corruption intersects with the address of a return address
  • Guard stack presence = FALSE

Memory Corruption

Overwrite

return address

Control of Instruction Pointer

  • ASLR presence = FALSE
  • NX presence = FALSE if instruction pointer in non-executable region
  • Address of useful code is known

Code execution

from

instruction pointer

Control of Code Execution

uses for exploitability analysis
Uses for exploitability analysis
  • Identify regions of code that may be highly exploitable given the presence of a vulnerability
    • Program risk assessment
  • Evaluate the effectiveness of exploitation techniques & mitigations
  • Automatic exploit generation using post-conditions from simulated exploitation
    • Unlikely to compete with human talent 
future work
Future work
  • Research additional exploitation properties
  • Further develop analysis tools
    • Dynamic analysis of hardware, OS, and process state
  • Further develop exploitation simulator
    • Basic exploit generator using post-conditions
thanks
Thanks!

Additional reading on exploitation properties

http://uninformed.org/?v=9&a=4