Transformation-aware Exploit Generation using a HI-CFG
Abstract
A common task for security analysts is to determine whether potentially unsafe code constructs (as found by static analysis or code review) can be triggered by an attacker-controlled input to the program under analysis. We refer to this problem as proof-of-concept (POC) exploit generation. Exploit generation is challenging to automate because it requires precise reasoning across a large code base; in practice it is usually a manual task. An intuitive approach to exploit generation is to break down a program's relevant computation into a sequence of transformations that map an input value into the value that can trigger an exploit. We automate this intuition by describing an approach to discover the buffer structure (the chain of buffers used between transformations) of a program, and use this structure to construct an exploit input by inverting one transformation at a time. We propose a new program representation, a hybrid information- and control-flow graph (HI-CFG), and give algorithms to build a HI-CFG from instruction traces. We then describe how to guide program exploration using symbolic execution to efficiently search for transformation pre-images. We implement our techniques in a tool that operates on applications in x86 binary form. In two case studies we discuss how our tool creates POC exploits for (1) a vulnerability in a PDF rendering library that is reachable through multiple different transformation stages and (2) a vulnerability in the processing stage of a specific document format in AbiWord.
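As an added illustration (not code from the paper or its tool), the following Python models the abstract's "buffer structure" as a chain of three stages, each with a forward function (what the program does) and an inverse (a pre-image constructor), and builds an input by inverting one stage at a time from the flagged buffer back to the program input, checking each pre-image by forward execution. The stages, the TOY1 header and the target buffer value are constructed assumptions standing in for what a HI-CFG would recover from real traces.

```python
import base64
from typing import Callable, List, NamedTuple


class Stage(NamedTuple):
    name: str
    forward: Callable[[bytes], bytes]   # transformation the program applies to the buffer
    inverse: Callable[[bytes], bytes]   # constructs a pre-image for a wanted output buffer


def rle_decode(data: bytes) -> bytes:
    """Toy run-length decoder: (count, byte) pairs -> expanded bytes."""
    if len(data) % 2:
        raise ValueError("odd RLE payload")
    out = bytearray()
    for i in range(0, len(data), 2):
        out.extend(bytes([data[i + 1]]) * data[i])
    return bytes(out)


def rle_encode(data: bytes) -> bytes:
    """Inverse of rle_decode; runs are capped at 255 so counts fit in one byte."""
    out, i = bytearray(), 0
    while i < len(data):
        run = 1
        while i + run < len(data) and data[i + run] == data[i] and run < 255:
            run += 1
        out += bytes([run, data[i]])
        i += run
    return bytes(out)


MAGIC = b"TOY1"  # constructed file header the third stage strips

# Constructed buffer chain: input -> base64 -> RLE -> header strip -> flagged buffer
STAGES: List[Stage] = [
    Stage("base64-decode", base64.b64decode, base64.b64encode),
    Stage("rle-decode", rle_decode, rle_encode),
    Stage("strip-header",
          lambda b: b[len(MAGIC):] if b.startswith(MAGIC) else b"",
          lambda b: MAGIC + b),
]


def run_forward(data: bytes) -> List[bytes]:
    """Return every intermediate buffer, as an instruction trace of the chain would expose."""
    chain = [data]
    for st in STAGES:
        chain.append(st.forward(chain[-1]))
    return chain


def build_input(target: bytes) -> bytes:
    """Invert the chain back to front; each candidate pre-image is verified by re-running the stage."""
    buf = target
    for st in reversed(STAGES):
        candidate = st.inverse(buf)
        if st.forward(candidate) != buf:
            raise RuntimeError(f"no pre-image found through stage {st.name}")
        buf = candidate
    return buf


def reaches_target(data: bytes, target: bytes) -> bool:
    return run_forward(data)[-1] == target
```

The target value passed to build_input stands in for whatever buffer contents the analyst has identified as reaching the flagged construct; here the only thing demonstrated is that the constructed input reproduces that value after all three transformations.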
Document Details
- Document Type: Technical Report
- Publication Date: May 16, 2013
- Accession Number: ADA587051
Entities
People
- Alex Bazhanyuk
- Dan Caselden
- Dawn Song
- Laszlo Szekeres
- Mathias Payer
- Stephen McCamant
Organizations
- University of California, Berkeley