
Proceedings of the Institute for System Programming of the RAS (Proceedings of ISP RAS)


Method for exploitability estimation of program bugs

https://doi.org/10.15514/ISPRAS-2016-28(4)-8

Abstract

A method for estimating the exploitability of program bugs is presented. The technique makes it possible to prioritize the software bugs that have been found, so that a developer can fix the most security-critical bugs first. The method combines a preliminary classification of program bugs with automatic exploit generation. The preliminary classification is used to filter out non-exploitable software defects; for the potentially exploitable bugs that remain, a corresponding exploit generation algorithm is chosen. When an exploit is generated successfully, its operability is checked in a program emulator. There are various ways to find software bugs; fuzzing and dynamic symbolic execution are often used for this purpose. The main requirement for applying the proposed method is the availability of input data that causes the program to crash. The technique can be applied to program binaries and does not require debug information. The method is implemented as a set of software tools interconnected by control scripts. The preliminary classification method and the automatic exploit generation method are implemented as stand-alone tools and can be used separately. The technique was used to analyze 274 program crashes obtained by fuzzing. The analysis detected 13 exploitable bugs, for which working exploits were successfully generated.

About the Author

A. N. Fedotov
Institute for System Programming of the Russian Academy of Sciences
Russian Federation


References

1. Miller C. et al. Crash analysis with BitBlaze. BlackHat USA, 2010.

2. American fuzzy lop fuzzer. URL: http://lcamtuf.coredump.cx/afl//.

3. Peach fuzzer. URL: http://www.peachfuzzer.com/.

4. Codenomicon fuzzer. URL: http://www.codenomicon.com/.

5. Avgerinos T., Cha S. K., Rebert A., Schwartz E. J., Woo M., Brumley D. AEG: Automatic exploit generation. Commun. ACM, 2014, no. 2.

6. Cha S. K., Avgerinos T., Rebert A., Brumley D. Unleashing MAYHEM on Binary Code. IEEE Symposium on Security and Privacy, 2012.

7. Huang S. K. et al. CRAX: Software crash analysis for automatic exploit generation by modeling attacks as symbolic continuations. Software Security and Reliability (SERE), 2012 IEEE Sixth International Conference on. IEEE, 2012, pp. 78-87.

8. !exploitable. URL: https://msecdbg.codeplex.com/.

9. Padaryan V. A., Kaushan V. V., Fedotov A. N. [Automated exploit generation method for stack buffer overflow vulnerabilities]. Trudy ISP RAN/Proc. ISP RAS, vol. 26, issue 3, 2014, pp. 127-144. DOI: 10.15514/ISPRAS-2014-26(3)-7.

10. Exploitable plugin for gdb. URL: https://github.com/jfoote/exploitable.

11. Vakhrushev I. A. et al. [Search method for format string vulnerabilities]. Trudy ISP RAN/Proc. ISP RAS, vol. 27, issue 4, pp. 23-38. DOI: 10.15514/ISPRAS-2015-27(4)-2.

12. Heelan S. Automatic generation of control flow hijacking exploits for software vulnerabilities. Master's thesis, University of Oxford, 2009.

13. QEMU. URL: http://wiki.qemu.org/Main_Page.

14. Schwartz E. J., Avgerinos T., Brumley D. Q: Exploit Hardening Made Easy. USENIX Security Symposium, 2011, pp. 25-41.



For citations:


Fedotov A.N. Method for exploitability estimation of program bugs. Proceedings of the Institute for System Programming of the RAS (Proceedings of ISP RAS). 2016;28(4):137-148. (In Russ.) https://doi.org/10.15514/ISPRAS-2016-28(4)-8



This work is licensed under a Creative Commons Attribution 4.0 License.


ISSN 2079-8156 (Print)
ISSN 2220-6426 (Online)