
Proceedings of the Institute for System Programming of the RAS (Proceedings of ISP RAS)


Software defect severity estimation in presence of modern defense mechanisms

https://doi.org/10.15514/ISPRAS-2016-28(5)-4

Abstract

This paper introduces a refined method for the automated exploitability evaluation of discovered program bugs. During the security development lifecycle a significant number of crashes are detected in programs. Because resources are limited, bug fixing is time consuming and needs prioritization, and exploitable bugs should be fixed first. In practice, automated exploit generation is used to solve this problem: a generated exploit confirms the presence of a critical vulnerability. However, state-of-the-art publications omit the modern defense mechanisms that prevent exploitation, which lowers the quality of the evaluation. This paper considers modern mechanisms for preventing vulnerability exploitation and presents an evaluation of their prevalence and efficiency. The method can be applied to program binaries and doesn’t require any debug information. The proposed method is based on symbolic interpretation of traces obtained from a full-system emulator. It can demonstrate real exploitability for a stack buffer overflow vulnerability with a write-what-where condition even when DEP, ASLR, and stack “canaries” operate together. The capabilities of the implemented method were shown on model examples and real programs.

About the Authors

A. N. Fedotov
Institute for System Programming of the Russian Academy of Sciences
Russian Federation


V. A. Padaryan
Institute for System Programming of the Russian Academy of Sciences; Lomonosov Moscow State University
Russian Federation


V. V. Kaushan
Institute for System Programming of the Russian Academy of Sciences
Russian Federation


Sh. F. Kurmangaleev
Institute for System Programming of the Russian Academy of Sciences
Russian Federation


A. V. Vishnyakov
Institute for System Programming of the Russian Academy of Sciences
Russian Federation


A. R. Nurmukhametov
Institute for System Programming of the Russian Academy of Sciences
Russian Federation



For citation:

Fedotov A.N., Padaryan V.A., Kaushan V.V., Kurmangaleev Sh.F., Vishnyakov A.V., Nurmukhametov A.R. Software defect severity estimation in presence of modern defense mechanisms. Proceedings of the Institute for System Programming of the RAS (Proceedings of ISP RAS). 2016;28(5):73-92. (In Russ.) https://doi.org/10.15514/ISPRAS-2016-28(5)-4



This work is licensed under a Creative Commons Attribution 4.0 License.


ISSN 2079-8156 (Print)
ISSN 2220-6426 (Online)