I submitted an abstract etc. for a Blackhat talk a few days ago. The title is “Automatic exploit generation for complex programs” and the following is the abstract:
The topic of this presentation is the automatic generation of control flow hijacking exploits. I will explain how we can generate functional exploits that execute shellcode when provided with a known ’bad’ input, such as the crashing input from a fuzzing session, and sample shellcode. The theories presented are derived from software verification and I will explain their relevance to the problem at hand and the benefits of using them compared to approaches based on ad-hoc pattern matching in memory.
The novel aspect of this approach is the combination of techniques from data flow analysis and symbolic execution for the purpose of exploit generation. We track input data as it passes through a running program and taints other variables; in parallel we also track all constraints and modifications imposed on such data. As a result, we can precisely locate all memory regions influenced by the tainted input. We can then apply a constraint solver to generate an exploit.
This technique is effective in environments where the input data is subjected to complex, low level manipulations that may be difficult and time consuming for a human to unravel. I will demonstrate that this approach can be used in the presence of ASLR, non-executable regions and other protections for which known work-arounds exist.
During the presentation I will show functioning exploits generated by this technique and describe their creation in detail. I will also discuss a number of auxiliary benefits of the tool and possible extensions. These include the ability to denote sections of a given input used in determining the path taken, in memory allocation routines and in length constraints. Possible uses of this information are in generating more reliable versions of known exploits and in guiding a fuzzer.
So, in a nutshell, I’m using dynamic data flow analysis in combination with path constraint gathering and SAT/SMT solving to generate an input for a program that will result in shellcode execution… assuming it works 😉 I should know by June 1st if it was accepted or not.
Update: The talk was rejected. Success!… or not.