Dynamic Program Analysis and Software Exploitation: From the crash to the exploit code

March 31, 2011 (at 1:30 p.m.) in Attack & Research

Program analysis is a hot topic, and it is discussed all the more given the remarkable number of crashes that fuzzers are finding nowadays [1][2].

This article uses the term program analysis to mean making a computational system reason automatically (or at least with little human assistance) about the behavior of a program and draw conclusions that are in some way useful.

In a world where thousands of crashes exist and are easily found in very important software, classifying the exploitability of such bugs is the first priority. It is well known that fixing all the bugs such fuzzers find is impossible (or infeasible, or nobody wants to, or whatever other excuse you find not to fix your software), so companies at least want to fix (or exploit) the ones that are exploitable.

The problem is that the widely used solution for analyzing such crashes is provided by Microsoft (named !exploitable, or "bang exploitable") [3][4], and it is not really useful for creating actual exploits or for better understanding the problem; it only gives a static classification (exploitable, probably exploitable, not exploitable or unknown).

Even people with source code access sometimes rely on such tools to determine the exploitability of a given path (sometimes it is easier to analyze a bug without getting into the messy code structure).

Taint analysis concepts and challenges will be explained in order to show what the proposed solution does and to give a better idea of future work and areas for improvement.

[1] Nagy, Ben. "Finding Microsoft Vulnerabilities by Fuzzing Binary Files with Ruby – A New Fuzzing Framework"; Syscan 2009

[2] Miller, Charlie. "Babysitting an Army of Monkeys: An analysis of fuzzing 4 products with 5 lines of Python"; CanSecWest 2010, http://securityevaluators.com/files/slides/cmiller_CSW_2010.ppt

[3] Microsoft !exploitable page, http://msecdbg.codeplex.com

[4] Abouchaev, Adel; Hasse, Damian; Lambert, Scott; Wroblewski, Greg. "Analyze crashes to find security vulnerabilities in your apps"

Rodrigo Branco

Rodrigo Rubira Branco (BSDaemon) works as Principal Security Researcher at Intel Corporation and is the Founder of the Dissect || PE Malware Analysis Project. He held positions as Director of Vulnerability & Malware Research at Qualys and as Chief Security Researcher at Check Point, where he founded the Vulnerability Discovery Team (VDT) and released dozens of vulnerabilities in many important software products. In 2011 he was honored as one of the top contributors to Adobe vulnerabilities in the past 12 months. Prior to that, he worked as Senior Vulnerability Researcher at COSEINC, as Principal Security Researcher at Scanit and as Staff Software Engineer in the IBM Advanced Linux Response Team (ALRT), also working in the IBM Toolchain (Debugging) Team for the PowerPC architecture. He is a member of the RISE Security Group and is the organizer of Hackers to Hackers Conference (H2HC), the oldest and biggest security research conference in Latin America. He is an active contributor to open-source projects (such as ebizzy, the Linux kernel and others). He has been an accepted speaker at many security and open-source events such as H2HC, Black Hat, Hack in The Box, XCon, VNSecurity, OLS, Defcon, Hackito, Ekoparty, Troopers and others.