
Proceedings of the Institute for System Programming of the RAS (Proceedings of ISP RAS)


Building security predicates for some types of vulnerabilities

https://doi.org/10.15514/ISPRAS-2017-29(6)-8

Abstract

Approaches to code execution via program vulnerabilities are considered in this paper. In particular, ways of achieving code execution using buffer overflows on the stack and on the heap, use-after-free vulnerabilities and format string vulnerabilities are examined in section 2. Methods for automatic generation of input data leading to code execution are described in section 3. These methods are based on dynamic symbolic execution, which yields input data that drives the program along the path that triggers the vulnerability. The security predicate is an extra set of symbolic formulas describing a program state in which code execution is possible. To obtain input data leading to code execution, the path predicate and the security predicate are united, and the whole system is then solved. Security predicates for pointer overwrite, function pointer overwrite, and a format string vulnerability that leads to a stack buffer overflow are presented in the paper. The presented security predicates were used in a method for software defect severity estimation. The method was applied to several binaries from the DARPA Cyber Grand Challenge. Testing of the security predicate for a format string vulnerability that leads to a buffer overflow was conducted on a vulnerable version of OllyDbg. As a result of testing, it was possible to obtain input data that leads to code execution.
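The following is an added illustration, not code from the paper or its authors, of the step the abstract describes: a path predicate collected along the vulnerable path and a security predicate for a function pointer overwrite are conjoined and the united system is solved, and the result is used for a severity verdict. The vulnerable routine, the memory layout (BUF_SIZE, PTR_OFFSET), the pointer values and the tiny per-byte solver are all constructed assumptions; the paper's method hands the united formulas to an SMT solver over a real symbolic trace.

```python
"""Constructed toy: unite a path predicate with a security predicate over
symbolic input bytes, solve the conjunction, and confirm the resulting
program state.  Layout, routine and pointer values are assumptions."""
from dataclasses import dataclass, field
from typing import Callable, Optional

BUF_SIZE = 16            # assumed size of the stack buffer
PTR_OFFSET = 24          # assumed offset of a function pointer past the buffer start
PTR_SIZE = 4
ORIGINAL_PTR = 0x08048000  # constructed placeholder: the pointer's legitimate value
TARGET_PTR = 0x0804A0B0    # constructed placeholder: value the analyst wants to observe


@dataclass
class ByteConstraint:
    """Unary constraint on one symbolic input byte (index into the input)."""
    index: int
    holds: Callable[[int], bool]
    desc: str


@dataclass
class Predicate:
    """A set of formulas over the symbolic input: a minimum length plus byte constraints."""
    min_len: int = 0
    constraints: list = field(default_factory=list)

    def conjoin(self, other: "Predicate") -> "Predicate":
        """Unite two predicates: the conjunction of all their formulas."""
        return Predicate(max(self.min_len, other.min_len),
                         self.constraints + other.constraints)


def run_toy_program(data: bytes):
    """Constructed model of the vulnerable routine.  Only inputs whose first
    byte is the command byte 'C' reach the copy; the copy has no bounds check,
    so inputs longer than BUF_SIZE overwrite what follows the buffer, including
    the function pointer at PTR_OFFSET.  Returns (branch, pointer value)."""
    if not data or data[0] != ord("C"):
        return ("rejected", ORIGINAL_PTR)
    frame = bytearray(PTR_OFFSET) + ORIGINAL_PTR.to_bytes(PTR_SIZE, "little")
    frame[0:len(data)] = data          # unchecked copy: the overflow
    ptr = int.from_bytes(frame[PTR_OFFSET:PTR_OFFSET + PTR_SIZE], "little")
    return ("copied", ptr)


def path_predicate_overflow() -> Predicate:
    """What dynamic symbolic execution would collect along the path that
    reaches the unchecked copy and runs it past the end of the buffer."""
    return Predicate(min_len=BUF_SIZE + 1,
                     constraints=[ByteConstraint(0, lambda v: v == ord("C"), "input[0] == 'C'")])


def security_predicate_pointer_overwrite(target: int) -> Predicate:
    """Extra formulas describing the state in which the function pointer holds
    the chosen value: the input bytes landing on the pointer must equal its
    little-endian encoding."""
    enc = target.to_bytes(PTR_SIZE, "little")
    cs = [ByteConstraint(PTR_OFFSET + i, (lambda v, b=b: v == b),
                         f"input[{PTR_OFFSET + i}] == {b:#04x}")
          for i, b in enumerate(enc)]
    return Predicate(min_len=PTR_OFFSET + PTR_SIZE, constraints=cs)


def solve(pred: Predicate) -> Optional[bytes]:
    """Decide the united system by per-byte enumeration.  Complete only because
    every constraint here is unary over a single byte; returns None when the
    constraints on some byte contradict each other (unsatisfiable)."""
    length = max([pred.min_len] + [c.index + 1 for c in pred.constraints])
    data = bytearray(b"A" * length)    # unconstrained bytes get a filler value
    by_index = {}
    for c in pred.constraints:
        by_index.setdefault(c.index, []).append(c)
    for idx, cs in by_index.items():
        for v in range(256):
            if all(c.holds(v) for c in cs):
                data[idx] = v
                break
        else:
            return None
    return bytes(data)


def estimate_severity(target: int = TARGET_PTR) -> str:
    """Severity step: the defect counts as a controlled pointer overwrite only
    if path and security predicate are jointly satisfiable and the model
    confirms the pointer value along that path."""
    united = path_predicate_overflow().conjoin(security_predicate_pointer_overwrite(target))
    data = solve(united)
    if data is None:
        return "unsatisfiable"
    branch, ptr = run_toy_program(data)
    if branch == "copied" and ptr == target:
        return "controlled pointer overwrite"
    return "crash only"


def reaches_copy_without_path_predicate(target: int = TARGET_PTR) -> bool:
    """Why both predicates are needed: solving the security predicate alone
    leaves the command byte unconstrained, so the input never reaches the copy."""
    data = solve(security_predicate_pointer_overwrite(target))
    return run_toy_program(data)[0] == "copied"


if __name__ == "__main__":
    print(estimate_severity())
    print(reaches_copy_without_path_predicate())
```

The contrast between estimate_severity and reaches_copy_without_path_predicate is the point of the abstract: the security predicate on its own describes a dangerous state but says nothing about how to reach it, and the path predicate on its own only reproduces the crash; only their conjunction yields an input that both follows the vulnerable path and lands the program in the described state.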

About the Authors

A. N. Fedotov
Ivannikov Institute for System Programming of the Russian Academy of Sciences
Russian Federation


V. V. Kaushan
Ivannikov Institute for System Programming of the Russian Academy of Sciences
Russian Federation


S. S. Gaissaryan
Ivannikov Institute for System Programming of the Russian Academy of Sciences; Lomonosov Moscow State University; Moscow Institute of Physics and Technology (State University); National Research University Higher School of Economics (HSE)
Russian Federation


Sh. F. Kurmangaleev
Ivannikov Institute for System Programming of the Russian Academy of Sciences
Russian Federation




For citations:


Fedotov A.N., Kaushan V.V., Gaissaryan S.S., Kurmangaleev Sh.F. Building security predicates for some types of vulnerabilities. Proceedings of the Institute for System Programming of the RAS (Proceedings of ISP RAS). 2017;29(6):151-162. (In Russ.) https://doi.org/10.15514/ISPRAS-2017-29(6)-8



Creative Commons License
This work is licensed under a Creative Commons Attribution 4.0 License.


ISSN 2079-8156 (Print)
ISSN 2220-6426 (Online)