Electrical Engineering
      and Computer Sciences

Electrical Engineering and Computer Sciences

COLLEGE OF ENGINEERING

UC Berkeley

Transformation-aware Exploit Generation using a HI-CFG

Dan Caselden, Alex Bazhanyuk, Mathias Payer, Laszlo Szekeres, Stephen McCamant and Dawn Song

EECS Department
University of California, Berkeley
Technical Report No. UCB/EECS-2013-85
May 16, 2013

http://www.eecs.berkeley.edu/Pubs/TechRpts/2013/EECS-2013-85.pdf

A common task for security analysts is to determine whether potentially unsafe code constructs (as found by static analysis or code review) can be triggered by an attacker-controlled input to the program under analysis. We refer to this problem as proof-of-concept (POC) exploit generation. Exploit generation is challenging to automate because it requires precise reasoning across a large code base; in practice it is usually a manual task. An intuitive approach to exploit generation is to break down a program's relevant computation into a sequence of transformations that map an input value into the value that can trigger an exploit. We automate this intuition by describing an approach to discover the buffer structure (the chain of buffers used between transformations) of a program, and use this structure to construct an exploit input by inverting one transformation at a time. We propose a new program representation, a hybrid information- and control-flow graph (HI-CFG), and give algorithms to build a HI-CFG from instruction traces. We then describe how to guide program exploration using symbolic execution to efficiently search for transformation pre-images. We implement our techniques in a tool that operates on applications in x86 binary form. In two case studies we discuss how our tool creates POC exploits for (i) a vulnerability in a PDF rendering library that is reachable through multiple different transformation stages and (ii) a vulnerability in the processing stage of a specific document format in AbiWord.


BibTeX citation:

@techreport{Caselden:EECS-2013-85,
    Author = {Caselden, Dan and Bazhanyuk, Alex and Payer, Mathias and Szekeres, Laszlo and McCamant, Stephen and Song, Dawn},
    Title = {Transformation-aware Exploit Generation using a HI-CFG},
    Institution = {EECS Department, University of California, Berkeley},
    Year = {2013},
    Month = {May},
    URL = {http://www.eecs.berkeley.edu/Pubs/TechRpts/2013/EECS-2013-85.html},
    Number = {UCB/EECS-2013-85},
    Abstract = {A common task for security analysts is to determine whether
potentially unsafe code constructs (as found by static analysis or code review) can be triggered by an attacker-controlled input to the program under analysis. We refer to this problem as proof-of-concept (POC) exploit generation. Exploit generation is challenging to automate because it requires precise reasoning across a large code base; in practice it is usually a manual task. An intuitive approach to exploit generation is to break down a program's relevant computation into a sequence of transformations that map an input value into the value that can trigger an exploit.

We automate this intuition by describing an approach to discover the buffer structure (the chain of buffers used between transformations) of a program, and use this structure to construct an exploit input by inverting one transformation at a time. We propose a new program representation, a hybrid information- and control-flow graph (HI-CFG), and give algorithms to build a HI-CFG from instruction traces. We then describe how to guide program exploration using symbolic execution to efficiently search for transformation pre-images.

We implement our techniques in a tool that operates on
applications in x86 binary form. In two case studies we discuss how our tool creates POC exploits for (i) a vulnerability in a PDF rendering library that is reachable through multiple different transformation stages and (ii) a vulnerability in the processing stage of a specific document format in AbiWord.}
}

EndNote citation:

%0 Report
%A Caselden, Dan
%A Bazhanyuk, Alex
%A Payer, Mathias
%A Szekeres, Laszlo
%A McCamant, Stephen
%A Song, Dawn
%T Transformation-aware Exploit Generation using a HI-CFG
%I EECS Department, University of California, Berkeley
%D 2013
%8 May 16
%@ UCB/EECS-2013-85
%U http://www.eecs.berkeley.edu/Pubs/TechRpts/2013/EECS-2013-85.html
%F Caselden:EECS-2013-85