1 / 22

State of the Exploit

State of the Exploit. Matt Miller / mmiller@leviathansecurity.com. What is the state of the exploit?. Where do generic exploitation techniques stand in 2008? Formidable mitigations exist (ASLR, NX, GS) Many techniques impractical or impossible

yaholo
Download Presentation

State of the Exploit

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. State of the Exploit Matt Miller / mmiller@leviathansecurity.com

  2. What is the state of the exploit? • Where do generic exploitation techniques stand in 2008? • Formidable mitigations exist (ASLR, NX, GS) • Many techniques impractical or impossible • Exploits are more reliant on vuln-specific qualities • How can we evaluate the relevance & feasibility of current & future techniques? • Exploitability analysis

  3. Exploitability analysis • Studying the qualities that influence exploitation • If a vulnerability exists, how exploitable would it be? • Research directions • Exploitation properties • Simulating exploitation

  4. Exploitation Properties

  5. What are exploitation properties? • Specific qualities that enable or inhibit exploitation techniques • Objectively derived from a program • Vulnerability independent • Intuitively known, but not formally defined • Exploits have always relied on exploitation properties

  6. Relating to exploitation techniques • Exploitation techniques have pre-conditions that must be satisfied • SEH overwrite must be able to overwrite EH record • Exploitation properties help determine the satisfiability of those pre-conditions • Function called in EH scope == TRUE

  7. Examples of exploitation properties Processor supports NX Function called in EH scope Function uses GS T F T F T F Execute code from NX region Return address overwrite SEH overwrite Inhibits Enables

  8. Deriving exploitation property values • Dynamic analysis • Hardware properties (NX supported?) • Operating system properties (ASLR supported?) • Process properties (NX enabled?) • Static analysis • Binary module properties (Relocateable?) • Function properties (GS enabled?)

  9. Case study: MS07-017 (ANI) • Animated cursor vulnerability found by Alexander Sotirov in late 2006 • Stack-based buffer overflow • First highly exploitable issue to affect Vista • Why was it so exploitable?

  10. MS07-017 vulnerability details 01: intLoadAniIcon(structMappedFile* file, ...) { 02: structANIChunk chunk; 03: structANIHeader header; // 36 byte structure 04: while (1) { 05: // read the first 8 bytes of the chunk 06: ReadTag(file, &chunk); 07: switch (chunk.tag) { 08: case ’anih’: 09: // read chunk.size bytes into header 10: ReadChunk(file, &chunk, &header); Credit to Sotirov for the pseudo-code

  11. Exploitation properties of MS07-017 Inhibitors Enablers Function properties GS not present Called in EH scope Partial overwrite is feasible Process properties NX support disabled • OS properties • ASLR present • SafeSEH present • Hardware properties • NX supported

  12. Statically detecting MS07-017 • MS07-017 could have been found with the help of exploitability analysis • Find instances of code enabling reliable exploitation techniques • No GS, EH scope, partial overwrite feasible, etc • Resultant set would include the function containing the ANI vulnerability • Vulnerability analysis can narrow this set

  13. Automatically assessing exploitability • Recap • Exploitation techniques have pre-conditions that must be satisfied • Exploitation properties provide objective values for these pre-conditions • How can we better assess exploitability with this information?

  14. Simulated Exploitation

  15. Simulating exploitation • Consider exploitation as a state machine • Abstract execution states • Exploitation techniques are transitions • Exploitability is derived from the degree to which pre-conditions are satisfied

  16. Simulating exploitation • Vulnerability side-effects represent the pre-conditions of the initial state • Extent of memory corruption • Pattern of memory corruption • Precision can vary • Memory corruption of a stack buffer • 256 byte overwrite at &local with pattern A-Z

  17. High-level exploitation NFA Coalesce NxN Memory Corruption Overwrite Exception Handler Overwrite Frame Pointer Overwrite Return Address Overwrite Function Pointer Control of Frame Pointer Control of Instruction Pointer Instruction pointer from Frame pointer Code execution from Instruction pointer Control of Code Execution

  18. Exploitation technique pre-conditions • Region of corruption = Stack • Range of corruption intersects with the address of a return address • Guard stack presence = FALSE Memory Corruption Overwrite return address Control of Instruction Pointer • ASLR presence = FALSE • NX presence = FALSE if instruction pointer in non-executable region • Address of useful code is known Code execution from instruction pointer Control of Code Execution

  19. Conclusion

  20. Uses for exploitability analysis • Identify regions of code that may be highly exploitable given the presence of a vulnerability • Program risk assessment • Evaluate the effectiveness of exploitation techniques & mitigations • Automatic exploit generation using post-conditions from simulated exploitation • Unlikely to compete with human talent 

  21. Future work • Research additional exploitation properties • Further develop analysis tools • Dynamic analysis of hardware, OS, and process state • Further develop exploitation simulator • Basic exploit generator using post-conditions

  22. Thanks! Additional reading on exploitation properties http://uninformed.org/?v=9&a=4

More Related