Source: cu2600.org/presentations/aeg_presentation.pdf
AEG: Automatic Exploit Generation
Benjamin Lim (with some content shamelessly stolen from Wong Wai Tuck)
How do I pwn?
● Take a binary
● Find a vulnerability and inputs which trigger that vulnerability
● Create a payload which exploits the vulnerability
● ???
● ~~profit~~ responsible disclosure
● Vendor doesn’t patch it after several months
● profit
Why can’t I pwn?
● Vulnerability discovery is a slow and tedious process
● Large size of binaries
● Vulnerability → Exploit can be nontrivial – e.g. restrictions on input, insufficient space for shellcode, etc.
● Patching of vulnerabilities varies in difficulty
DARPA Cyber Grand Challenge (2014-2016)
● Automatic exploitation and patching
● Custom pwnables written for DECREE OS
● DECREE caveats and rant
● Winners:
– 1st: Mayhem (CMU)
– 2nd: Xandra (TECHx)
– 3rd: Mechanical Phish (UCSB)
● Only Mechanical Phish (angr) open-sourced :(
Mayhem in CGC
● Challenges modeled after real exploits
– Morris Worm (buffer overflow)
– Stuxnet LNK (off by one) (CVE-2010-2568)
– Crackaddr (buffer overflow) (CVE-2002-1337)
– Heartbleed (leak of sensitive data) (CVE-2014-0160)
● Patching
– Return pointer encryption
– Protection of indirect calls/jmps
– Extended malloc allocations
– Manual ASLR
– Cleaning of uninitialized space
● For the DEFCON challenge that was broadcast at 14:10:25 UTC, the hardened binary was created at 14:11:08 UTC (43 seconds)
Symbolic Execution Primer
Toy Program
Concrete Execution (testing)
● Concrete Store:
– x = 4
– y = 4
Concrete Execution (testing)
● Concrete Store:
– x = 4
– y = 4
– t = 0
Concrete Execution (testing)
● Concrete Store:
– x = 4
– y = 4
– t = 4
Concrete Execution (testing)
● Concrete Store:
– x = 4
– y = 4
– t = 4
● 4 < 4 is false, quik mafs
Concrete Execution (testing)
● Concrete Store:
– x = 4
– y = 4
– t = 4
● 4 < 4 is false, assertion unreached
Static Symbolic Execution
● Symbolic Store:
– x = X
– y = Y
Static Symbolic Execution
● Symbolic Store:
– x = X
– y = Y
– t = 0
Static Symbolic Execution
● Symbolic Store:
– x = X
– y = Y
– t = ite(X<Y,X,Y)
Static Symbolic Execution
● Symbolic Store:
– x = X
– y = Y
– t = ite(X<Y,X,Y)
● Assert condition: ite(X<Y,X,Y)<X
Static Symbolic Execution
● Symbolic Store:
– x = X
– y = Y
– t = ite(X<Y,X,Y)
● Assert condition: ite(X<Y,X,Y)<X
● Throw into solver – assert not hit
Dynamic Symbolic Execution
● Symbolic Store:
– x = X
– y = Y
– t = 0
● Case split on conditional
Dynamic Symbolic Execution
● Branch 1: X > Y
● Symbolic Store:
– x = X
– y = Y
– t = X
● Assert condition: X<X
● Assert not hit
Dynamic Symbolic Execution
● Branch 2: !(X > Y)
● Symbolic Store:
– x = X
– y = Y
– t = Y
● Assert condition: Y<Y
● Assert not hit
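Added example, not from the slides and not Mayhem or angr code: a tiny Python executor that runs the primer's toy program the three ways the slides show, concretely with x = 4, y = 4, statically as one ite() formula handed to the solver, and dynamically with a case split at the conditional. The toy program's source is only in the slide image, so its shape here (t = max(x, y), followed by an assertion that fires when t < x) is an assumption reconstructed from the symbolic stores on the slides, and the brute-force `solve()` over a small integer domain is a stand-in for an SMT solver. A constructed buggy variant (`buggy_min`) shows what the solver returns when the assertion is reachable: a concrete input that triggers it, which is the "inputs which trigger that vulnerability" step from the first slide.

```python
from itertools import product

# A symbolic expression is an int, a variable name (str) or a tuple (op, *args).
def ev(expr, env):
    """Evaluate an expression under a concrete assignment env (ints pass through)."""
    if isinstance(expr, (bool, int)):
        return expr
    if isinstance(expr, str):
        return env[expr]
    op, *args = expr
    if op == "<":
        return ev(args[0], env) < ev(args[1], env)
    if op == ">":
        return ev(args[0], env) > ev(args[1], env)
    if op == "not":
        return not ev(args[0], env)
    if op == "ite":  # if-then-else term, as in the slides' ite(X<Y, X, Y)
        return ev(args[1], env) if ev(args[0], env) else ev(args[2], env)
    raise ValueError(f"unknown op {op!r}")

DOMAIN = range(8)  # solver stand-in: brute-force a small finite domain (assumption)

def solve(constraints, names=("X", "Y")):
    """Stand-in for an SMT solver: return a model satisfying all constraints, or None."""
    for vals in product(DOMAIN, repeat=len(names)):
        env = dict(zip(names, vals))
        if all(ev(c, env) for c in constraints):
            return env
    return None

class SymState:
    """One path's state: branch decisions to replay plus the path constraint (pc)."""
    def __init__(self, prefix=()):
        self.prefix, self.decisions, self.pc = list(prefix), [], []

    def branch(self, cond):
        i = len(self.decisions)
        taken = self.prefix[i] if i < len(self.prefix) else True  # default: then-branch
        self.decisions.append(taken)
        self.pc.append(cond if taken else ("not", cond))
        return taken

class ConcreteState(SymState):
    """Concrete execution (testing): the branch condition is simply evaluated."""
    def __init__(self, env):
        super().__init__()
        self.env = env

    def branch(self, cond):
        return ev(cond, self.env)

def toy_max(s, x="X", y="Y"):
    """Assumed shape of the slides' toy program: t = max(x, y)."""
    t = 0
    if s.branch((">", x, y)):
        t = x
    else:
        t = y
    return {"x": x, "y": y, "t": t}

def buggy_min(s, x="X", y="Y"):
    """Constructed buggy variant: assignments swapped, so t = min(x, y)."""
    t = 0
    if s.branch((">", x, y)):
        t = y
    else:
        t = x
    return {"x": x, "y": y, "t": t}

def assertion(store):
    """Safety property: the assert on the slide fires when t < x."""
    return ("<", store["t"], store["x"])

def concrete(program, x, y):
    """Run one concrete input down one path; returns (t, assert_hit)."""
    store = program(ConcreteState({"X": x, "Y": y}), x, y)
    return store["t"], ev(assertion(store), {})

def static_se():
    """Static symbolic execution: no forking; the conditional becomes one ite()
    term and the solver is asked once whether the assertion can fire."""
    t = ("ite", (">", "X", "Y"), "X", "Y")
    return solve([assertion({"x": "X", "y": "Y", "t": t})])

def dse(program):
    """Dynamic symbolic execution: case-split at every branch on symbolic input and
    ask the solver, per path, for an input that reaches the assertion."""
    results, worklist = [], [[]]
    while worklist:
        prefix = worklist.pop()
        s = SymState(prefix)
        store = program(s)
        for i in range(len(prefix), len(s.decisions)):
            worklist.append(s.decisions[:i] + [False])  # queue the unexplored sibling
        results.append((s.pc, store, solve(s.pc + [assertion(store)])))
    return results

if __name__ == "__main__":
    print("concrete x=4, y=4:", concrete(toy_max, 4, 4))
    print("static SE model:", static_se())
    for pc, store, model in dse(toy_max):
        print("toy_max path", pc, "t =", store["t"], "->", model or "assert not hit")
    for pc, store, model in dse(buggy_min):
        print("buggy_min path", pc, "t =", store["t"], "->", model or "assert not hit")
```

For `toy_max` both paths come back unsatisfiable, which is the slides' "assert not hit"; for `buggy_min` the then-path (X > Y, t = Y) yields a model such as X = 1, Y = 0, i.e. a concrete input that reaches the assertion. The worklist enumerates sibling branches exactly as a DSE engine does, and a real engine swaps the brute-force `solve()` for an SMT solver and the tuple expressions for bit-vector terms.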
Actually Exploiting Stuff (kind of, maybe)
AEG in Four Easy Steps
● Symbolically execute program (warning! slow!)
● Detect violation of safety property
● Check if exploitable
● Generate exploit (using template shellcode)
Case Study: Crackaddr Variant
● CVE-2002-1337
– Sendmail 5.79 to 8.12.7
– Remote execution via buffer overflow in ‘crackaddr’ function of headers.c
● CGC Challenge (Halvar Flake (2011))
– Extracted core of bug (50 LOC vs. 247)
– ‘Tool should automatically show vulnerable version has a bug and the fixed version is safe’
its a state machine woaw
● 201 loop iterations to trigger bug
● 10 different paths through loop
● 5^201 (approx 2^664) paths
Case Study: Unintended Solution
● Solved by Mayhem (~1h 45m)
oh no
● Symbolic execution suffers from scaling issues
● Real world nuisances like libraries, device drivers, operating systems
– On top of standard binary analysis issues (e.g. CFG recovery)
● A lot of effort has gone into making symbolic execution of programs more viable
help! i’m too slow!
● Handling path explosion
– Heuristic preconditions on state space
● Known Length (automatic – max)
● Known Prefix (manual, e.g. HTTP GET)
● Concolic Execution (manual, crashing input)
– Heuristic path prioritization
● Buggy-path-first
● Loop Exhaustion
help! i’m too slow!
● Handling state space explosion
– ‘Driller’ architecture (Mechanical Phish)
● Dynamic Symbolic Execution with fuzzing
● Each shores up weaknesses of the other
– Veritesting (CMU CyLab)
● Alternate between dynamic and static symbolic execution
● Balances between the solver and the symbolic execution engine
help! the real world exists!
● Handling the real world
– Actually symbolically execute into kernel/library
● (probably going to fail)
– Function/syscall hooking
● Unconstrained symbolic values
● Model effects of function call on symbolic state
● Tedious and possibly error prone
help! the real world exists!
● Handling the real world
– Indirect jumps/calls
● Resolve all jump targets
● Randomly concretize
– S2E framework (‘in-vivo’ execution)
● Switch between concrete and symbolic execution
● Concretize e.g. syscall inputs, make symbolic after return
Some Remarks
● AEG is a relatively new and developing field
● Techniques have been around for decades
● Practical implementations of AEG are still very much in development
● Real world is hard
● Formal methods is (are?) cool
Useful Readings
● Symbolic Execution Survey
– https://github.com/season-lab/survey-symbolic-execution
● Decision Procedures, SMT solving
– The Calculus of Computation (Bradley, Manna)
– Logic in Computer Science (Huth)
● Theorem Proving/Provers
– CPDT (Chlipala), DeepSpec project
– CompCert, seL4
– Coq, Isabelle/HOL, Twelf, Idris, etc. etc.
Cool video
● D:\Documents\AEG Exploits Demo.mp4
thanken you
questions?