State of the Exploit Matt Miller / [email protected] Trust Boundary...
-
Upload
daniela-gallimore -
Category
Documents
-
view
220 -
download
2
Transcript of State of the Exploit Matt Miller / [email protected] Trust Boundary...
![Page 1: State of the Exploit Matt Miller / mmiller@leviathansecurity.com Trust Boundary VulnerabilityExploitation.](https://reader035.fdocuments.us/reader035/viewer/2022062318/551c37445503467b488b4643/html5/thumbnails/1.jpg)
State of the ExploitMatt Miller / [email protected]
![Page 2: State of the Exploit Matt Miller / mmiller@leviathansecurity.com Trust Boundary VulnerabilityExploitation.](https://reader035.fdocuments.us/reader035/viewer/2022062318/551c37445503467b488b4643/html5/thumbnails/2.jpg)
What is the state of the exploit?
Where do generic exploitation techniques stand in 2008? Formidable mitigations exist (ASLR, NX, GS) Many techniques impractical or impossible Exploits are more reliant on vuln-specific qualities
How can we evaluate the relevance & feasibility of current & future techniques? Exploitability analysis
![Page 3: State of the Exploit Matt Miller / mmiller@leviathansecurity.com Trust Boundary VulnerabilityExploitation.](https://reader035.fdocuments.us/reader035/viewer/2022062318/551c37445503467b488b4643/html5/thumbnails/3.jpg)
Exploitability analysis
Studying the qualities that influence exploitation If a vulnerability exists, how exploitable would it be?
Research directions Exploitation properties Simulating exploitation
![Page 4: State of the Exploit Matt Miller / mmiller@leviathansecurity.com Trust Boundary VulnerabilityExploitation.](https://reader035.fdocuments.us/reader035/viewer/2022062318/551c37445503467b488b4643/html5/thumbnails/4.jpg)
ExploitationProperties
![Page 5: State of the Exploit Matt Miller / mmiller@leviathansecurity.com Trust Boundary VulnerabilityExploitation.](https://reader035.fdocuments.us/reader035/viewer/2022062318/551c37445503467b488b4643/html5/thumbnails/5.jpg)
What are exploitation properties?
Specific qualities that enable or inhibit exploitation techniques Objectively derived from a program Vulnerability independent
Intuitively known, but not formally defined Exploits have always relied on exploitation
properties
![Page 6: State of the Exploit Matt Miller / mmiller@leviathansecurity.com Trust Boundary VulnerabilityExploitation.](https://reader035.fdocuments.us/reader035/viewer/2022062318/551c37445503467b488b4643/html5/thumbnails/6.jpg)
Relating to exploitation techniques
Exploitation techniques have pre-conditions that must be satisfied SEH overwrite must be able to overwrite EH
record
Exploitation properties help determine the satisfiability of those pre-conditions Function called in EH scope == TRUE
![Page 7: State of the Exploit Matt Miller / mmiller@leviathansecurity.com Trust Boundary VulnerabilityExploitation.](https://reader035.fdocuments.us/reader035/viewer/2022062318/551c37445503467b488b4643/html5/thumbnails/7.jpg)
Examples of exploitation properties
Processor supports
NX
Processor supports
NX
Function called in EH scope
Function called in EH scope
Function uses GSFunction uses GS
Execute code from NX regionExecute code
from NX region
FT
InhibitsEnables
SEH overwriteSEH overwrite
FT
Return address overwrite
Return address overwrite
FT
![Page 8: State of the Exploit Matt Miller / mmiller@leviathansecurity.com Trust Boundary VulnerabilityExploitation.](https://reader035.fdocuments.us/reader035/viewer/2022062318/551c37445503467b488b4643/html5/thumbnails/8.jpg)
Deriving exploitation property values
Dynamic analysis Hardware properties (NX supported?) Operating system properties (ASLR supported?) Process properties (NX enabled?)
Static analysis Binary module properties (Relocateable?) Function properties (GS enabled?)
![Page 9: State of the Exploit Matt Miller / mmiller@leviathansecurity.com Trust Boundary VulnerabilityExploitation.](https://reader035.fdocuments.us/reader035/viewer/2022062318/551c37445503467b488b4643/html5/thumbnails/9.jpg)
Case study: MS07-017 (ANI)
Animated cursor vulnerability found by Alexander Sotirov in late 2006 Stack-based buffer overflow
First highly exploitable issue to affect Vista
Why was it so exploitable?
![Page 10: State of the Exploit Matt Miller / mmiller@leviathansecurity.com Trust Boundary VulnerabilityExploitation.](https://reader035.fdocuments.us/reader035/viewer/2022062318/551c37445503467b488b4643/html5/thumbnails/10.jpg)
MS07-017 vulnerability details
01: int LoadAniIcon(struct MappedFile* file, ...) {02: struct ANIChunk chunk;03: struct ANIHeader header; // 36 byte structure04: while (1) {05: // read the first 8 bytes of the chunk06: ReadTag(file, &chunk);07: switch (chunk.tag) {08: case ’anih’:09: // read chunk.size bytes into header10: ReadChunk(file, &chunk, &header);
Credit to Sotirov for the pseudo-code
![Page 11: State of the Exploit Matt Miller / mmiller@leviathansecurity.com Trust Boundary VulnerabilityExploitation.](https://reader035.fdocuments.us/reader035/viewer/2022062318/551c37445503467b488b4643/html5/thumbnails/11.jpg)
Exploitation properties of MS07-017
Inhibitors OS properties
ASLR present SafeSEH present
Hardware properties NX supported
Enablers Function properties
GS not present Called in EH scope Partial overwrite is feasible
Process properties NX support disabled
![Page 12: State of the Exploit Matt Miller / mmiller@leviathansecurity.com Trust Boundary VulnerabilityExploitation.](https://reader035.fdocuments.us/reader035/viewer/2022062318/551c37445503467b488b4643/html5/thumbnails/12.jpg)
Statically detecting MS07-017 MS07-017 could have been found with the help
of exploitability analysis
Find instances of code enabling reliable exploitation techniques No GS, EH scope, partial overwrite feasible, etc
Resultant set would include the function containing the ANI vulnerability Vulnerability analysis can narrow this set
![Page 13: State of the Exploit Matt Miller / mmiller@leviathansecurity.com Trust Boundary VulnerabilityExploitation.](https://reader035.fdocuments.us/reader035/viewer/2022062318/551c37445503467b488b4643/html5/thumbnails/13.jpg)
Automatically assessing exploitability
Recap Exploitation techniques have pre-conditions that
must be satisfied Exploitation properties provide objective values
for these pre-conditions
How can we better assess exploitability with this information?
![Page 14: State of the Exploit Matt Miller / mmiller@leviathansecurity.com Trust Boundary VulnerabilityExploitation.](https://reader035.fdocuments.us/reader035/viewer/2022062318/551c37445503467b488b4643/html5/thumbnails/14.jpg)
Simulated Exploitation
![Page 15: State of the Exploit Matt Miller / mmiller@leviathansecurity.com Trust Boundary VulnerabilityExploitation.](https://reader035.fdocuments.us/reader035/viewer/2022062318/551c37445503467b488b4643/html5/thumbnails/15.jpg)
Simulating exploitation
Consider exploitation as a state machine
Abstract execution states
Exploitation techniques are transitions
Exploitability is derived from the degree to which pre-conditions are satisfied
![Page 16: State of the Exploit Matt Miller / mmiller@leviathansecurity.com Trust Boundary VulnerabilityExploitation.](https://reader035.fdocuments.us/reader035/viewer/2022062318/551c37445503467b488b4643/html5/thumbnails/16.jpg)
Simulating exploitation
Vulnerability side-effects represent the pre-conditions of the initial state Extent of memory corruption Pattern of memory corruption
Precision can vary Memory corruption of a stack buffer 256 byte overwrite at &local with pattern A-Z
![Page 17: State of the Exploit Matt Miller / mmiller@leviathansecurity.com Trust Boundary VulnerabilityExploitation.](https://reader035.fdocuments.us/reader035/viewer/2022062318/551c37445503467b488b4643/html5/thumbnails/17.jpg)
High-level exploitation NFA
Memory CorruptionMemory Corruption
Control of Frame Pointer
Control of Frame Pointer
Control of Instruction Pointer
Control of Instruction Pointer
Control of Code Execution
Control of Code Execution
Coalesce NxN
Overwrite Return Address
Overwrite Exception Handler
Overwrite Function Pointer
Code execution fromInstruction pointer
Instruction pointer fromFrame pointer
Overwrite Frame Pointer
![Page 18: State of the Exploit Matt Miller / mmiller@leviathansecurity.com Trust Boundary VulnerabilityExploitation.](https://reader035.fdocuments.us/reader035/viewer/2022062318/551c37445503467b488b4643/html5/thumbnails/18.jpg)
Exploitation technique pre-conditions
Memory CorruptionMemory Corruption
Control of Instruction Pointer
Control of Instruction Pointer
Control of Code Execution
Control of Code Execution
Overwrite return address
Code execution frominstruction pointer
- Region of corruption = Stack
- Range of corruption intersects with the address of a return address
- Guard stack presence = FALSE
- Region of corruption = Stack
- Range of corruption intersects with the address of a return address
- Guard stack presence = FALSE
- ASLR presence = FALSE
- NX presence = FALSE if instruction pointer in non-executable region
- Address of useful code is known
- ASLR presence = FALSE
- NX presence = FALSE if instruction pointer in non-executable region
- Address of useful code is known
![Page 19: State of the Exploit Matt Miller / mmiller@leviathansecurity.com Trust Boundary VulnerabilityExploitation.](https://reader035.fdocuments.us/reader035/viewer/2022062318/551c37445503467b488b4643/html5/thumbnails/19.jpg)
Conclusion
![Page 20: State of the Exploit Matt Miller / mmiller@leviathansecurity.com Trust Boundary VulnerabilityExploitation.](https://reader035.fdocuments.us/reader035/viewer/2022062318/551c37445503467b488b4643/html5/thumbnails/20.jpg)
Uses for exploitability analysis Identify regions of code that may be highly
exploitable given the presence of a vulnerability Program risk assessment
Evaluate the effectiveness of exploitation techniques & mitigations
Automatic exploit generation using post-conditions from simulated exploitation Unlikely to compete with human talent
![Page 21: State of the Exploit Matt Miller / mmiller@leviathansecurity.com Trust Boundary VulnerabilityExploitation.](https://reader035.fdocuments.us/reader035/viewer/2022062318/551c37445503467b488b4643/html5/thumbnails/21.jpg)
Future work
Research additional exploitation properties
Further develop analysis tools Dynamic analysis of hardware, OS, and process
state
Further develop exploitation simulator Basic exploit generator using post-conditions
![Page 22: State of the Exploit Matt Miller / mmiller@leviathansecurity.com Trust Boundary VulnerabilityExploitation.](https://reader035.fdocuments.us/reader035/viewer/2022062318/551c37445503467b488b4643/html5/thumbnails/22.jpg)
Thanks!
Additional reading on exploitation propertieshttp://uninformed.org/?v=9&a=4