Unleashing mayhem on binary code

IEEE Transactions on Reliability, 2014

This paper presents a new method, capable of automatically generating attacks on binary programs from software crashes. We analyze software crashes with a symbolic failure model by performing concolic executions following the failure directed paths, using a whole system environment model and concrete address mapped symbolic memory in. We propose a new selective symbolic input method and lazy evaluation on pseudo symbolic variables to handle symbolic pointers and speed up the process. This is an end-to-end approach able to create exploits from crash inputs or existing exploits for various applications, including most of the existing benchmark programs, and several large scale applications, such as a word processor (Microsoft office word), a media player (mpalyer), an archiver (unrar), or a pdf reader (foxit). We can deal with vulnerability types including stack and heap overflows, format string, and the use of uninitialized variables. Notably, these applications have become software fuzz testing targets, but still require a manual process with security knowledge to produce mitigation-hardened exploits. Using this method to generate exploits is an automated process for software failures without source code. The proposed method is simpler, more general, faster, and can be scaled to larger programs than existing systems. We produce the exploits within one minute for most of the benchmark programs, including mplayer. We also transform existing exploits of Microsoft office word into new exploits within four minutes. The best speedup is 7,211 times faster than the initial attempt. For heap overflow vulnerability, we can automatically exploit the unlink() macro of glibc, which formerly requires sophisticated hacking efforts.

2021 12th International Conference on Computing Communication and Networking Technologies (ICCCNT), 2021

Vulnerability detection and exploitation serves as a milestone for secure development and identifying major threats in software applications. Automated exploit generation helps in easier identification of bugs, the attack vectors and the various possibilities of generation of the exploit payload. Thus, we introduce AngErza which uses dynamic and symbolic execution to identify hotaspots in the code, formulate constraints and generate a payload based on those constraints. Our tool is entirely based on angr which is an open-sourced offensive binary analysis framework. The work around AngErza focuses on exploit and vulnerability detection in C'TFvstyle C binaries compiled on 64abit Intel architecture for the. early-phase of this project.

Proceedings of the 2019 27th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering - ESEC/FSE 2019, 2019

Locating vulnerabilities is an important task for security auditing, exploit writing, and code hardening. However, it is challenging to locate vulnerabilities in binary code, because most program semantics (e.g., boundaries of an array) is missing after compilation. Without program semantics, it is difficult to determine whether a memory access exceeds its valid boundaries in binary code. In this work, we propose an approach to locate vulnerabilities based on memory layout recovery. First, we collect a set of passed executions and one failed execution. Then, for passed and failed executions, we restore their program semantics by recovering fine-grained memory layouts based on the memory addressing model. With the memory layouts recovered in passed executions as reference, we can locate vulnerabilities in failed execution by memory layout identification and comparison. Our experiments show that the proposed approach is effective to locate vulnerabilities on 24 out of 25 DARPA's CGC programs (96%), and can effectively classifies 453 program crashes (in 5 Linux programs) into 19 groups based on their root causes.

Programming and Computer Software, 2015

An automated method for exploit generation is presented. This method allows one to construct exploits for stack buffer overflow vulnerabilities and to prioritize software bugs. The method is based on the dynamic analysis and symbolic execution of programs. It could be applied to program binaries and does not require debug information. The proposed method was used to develop a tool for exploit generation. This tool was used to generate exploits for eight vulnerabilities in Linux and Windows programs, of which three were not fixed at the time this paper was written.

2011

Abstract The automatic exploit generation challenge is given a program, automatically find vulnerabilities and generate exploits for them. In this paper we present AEG, the first end-to-end system for fully automatic exploit generation. We used AEG to analyze 14 open-source projects and successfully generated 16 control flow hijacking exploits. Two of the generated exploits (expect-5.43 and htget-0.93) are zero-day exploits against unknown vulnerabilities.

2007

The automatic identification of security-relevant flaws in binary executables is still a young but promising research area. In this paper, we describe a new approach for the identification of vulnerabilities in object code we called smart fuzzing. While conventional fuzzing uses random input to discover crash conditions, smart fuzzing restricts the input space by using a preliminary static analysis of the program, then refined by monitoring each execution. In other words, the search is driven by a mix of static and dynamic analysis in order to lead the execution path to selected corner cases that are the most likely to expose vulnerabilities, thus improving the effectiveness of fuzzing as a means for finding security breaches in black-box programs.

Twenty-Third Annual Computer Security Applications Conference (ACSAC 2007), 2007

Understanding security bugs in a vulnerable program is a non-trivial task, even if the target program is known to be vulnerable. Though there exist debugging tools that facilitate the vulnerability analysis and debugging process, human developers still need to manually trace the program execution most of the times. This makes security debugging a difficult and tiresome task even for experienced programmers. In this paper, we present the development of a novel security debugging tool called CBones (SeeBones, where bones is an analogy of program structures). CBones is intended to fully automate the analysis of a class of security vulnerabilities in C programs, the exploits of which would compromise the integrity of program structures satisfied by all legitimate binaries compiled from C source code. In other words, CBones automatically discovers how unknown vulnerabilities in C programs are exploited based on program structural constraints. Unlike the previous approaches, CBones can automatically identify exploit points of unknown security bugs without requiring a training phase, source code access (analysis or instrumentation), or additional hardware supports. To validate the effectiveness of this approach, we evaluate CBones with 12 real-world applications that contain a wide range of vulnerabilities. Our results show that CBones can discover all security bugs with no false alarms, pinpoint the corrupting instructions, and provide information to facilitate the understanding of how an attack exploits a security bug.

2009

Recently, integer bugs, including integer overflow, width conversion, and signed/unsigned conversion errors, have risen to become a common root cause for serious security vulnerabilities. We introduce new methods for discovering integer bugs using dynamic test generation on x86 binaries, and we describe key design choices in efficient symbolic execution of such programs. We implemented our methods in a prototype tool SmartFuzz, which we use to analyze Linux x86 binary executables. We also created a reporting service, metafuzz.com, to aid in triaging and reporting bugs found by SmartFuzz and the black-box fuzz testing tool zzuf. We report on experiments applying these tools to a range of software applications, including the mplayer media player, the exiv2 image metadata library, and ImageMagick convert. We also report on our experience using SmartFuzz, zzuf, and metafuzz.com to perform testing at scale with the Amazon Elastic Compute Cloud (EC2). To date, the metafuzz.com site has recorded more than 2, 614 test runs, comprising 2, 361, 595 test cases. Our experiments found approximately 77 total distinct bugs in 864 compute hours, costing us an average of $2.24 per bug at current EC2 rates. We quantify the overlap in bugs found by the two tools, and we show that SmartFuzz finds bugs missed by zzuf, including one program where Smart-Fuzz finds bugs but zzuf does not.

2012 IEEE Sixth International Conference on Software Security and Reliability, 2012

Vulnerability analysis is one among the important components of overall software assurance practice. Buffer overflow (BoF) is one example of the such vulnerabilities and it is still the root cause of many effective attacks. A general practice to find BoF is to look for the presence of certain functions that manipulate string buffers, like the strcpy family. In these functions, data is moved from one buffer to another, within a loop, without considering destination buffer size. We argue that similar behaviour may also be present in many other functions that are coded separately, and therefore are equally vulnerable. In the present work, we investigate the detection of such functions by finding loops that exhibit similar behaviour. We call such loops Buffer Overflow Inducing Loops (BOIL). We implemented a lightweight static analysis to detect BOILs, and evaluated it on real-world x86 binary executables. The results obtained show that this (simple but yet efficient) vulnerability pattern happens to be very effective in practice to retrieve real vulnerabilities, providing a drastic reduction of the part of the code to be analysed.

Istanbul University - DergiPark, 2020

We feed many smart devices that we use in our daily lives with our personal and environmental data and make them more functional and useful. These devices, which are smart with the software they contain, can often guide us in decision-making. The increasing "need to use a software" in our daily lives also increases the attack surface and can create doubtfulness for privacy-conscious users. This makes the software security as important as functionality. When we find out that the software we use contains security vulnerability we either quickly stop using it completely or we are waiting for the new release of the secure version. Detection of security weaknesses in software before use increases customer satisfaction and developer reputation. In this study, we present a new method and its success for detecting suspicious opcode sequences which cause buffer overflow vulnerabilities in binary executables.