Game Over! Thank you for playing Academia

I’ve recently finished my Msc dissertation, titled “Automatic Generation of Control Flow Hijacking Exploits for Software Vulnerabilities“. A PDF copy of it is available here should you feel the need to trawl through 110 or so pages of prose, algorithms, diagrams and general ramblings. The abstract is the following:

Software bugs that result in memory corruption are a common and dangerous feature of systems developed in certain programming languages. Such bugs are security vulnerabilities if they can be leveraged by an attacker to trigger the execution of malicious code. Determining if such a possibility exists is a time consuming process and requires technical expertise in a number of areas. Often the only way to be sure that a bug is in fact exploitable by an attacker is to build a complete exploit. It is this process that we seek to automate. We present a novel algorithm that integrates data-flow analysis and a decision procedure with the aim of automatically building exploits. The exploits we generate are constructed to hijack the control flow of an application and redirect it to malicious code.

Our algorithm is designed to build exploits for three common classes of security vulnerability; stack-based buffer overflows that corrupt a stored instruction pointer, buffer overflows that corrupt a function pointer, and buffer overflows that corrupt the destination address used by instructions that write to memory. For these vulnerability classes we present a system capable of generating functional exploits in the presence of complex arithmetic modification of inputs and arbitrary constraints. Exploits are generated using dynamic data-flow analysis in combination with a decision procedure. To the best of our knowledge the resulting implementation is the first to demonstrate exploit generation using such techniques. We illustrate its effectiveness on a number of benchmarks including a vulnerability in a large, real-world server application.

The implementation of the described system is approx. 7000 lines of C++. I probably won’t be releasing the code as I’m fairly sure I signed over my soul (and anything I might create) to the University earlier in the year. The two core components are a data-flow/taint analysis library and higher level library that uses the previous API to perform data-flow/taint analysis over x86 instructions (as given to us by Pin). Both of these components are useful in their own right so I think I’m going to do a full rewrite (with added GUI + DB) and open source the code in the next couple of months. Hopefully they’ll prove useful for others working on dynamic analysis problems.

4 thoughts on “Game Over! Thank you for playing Academia

  1. Definitely interesting… reads like a summary “how to write exploits” for academics – in the beginning ;). But it’s inspiring to see this in a formal and correct way though. Reads like a lot of good work.

    I didn’t read through all of that (it’s pretty much…) but how often did your algorithm really successfully alter the program flow in exploitable cases? – Because redirecting in some modern cases on modern OSes (at least from my perspective) can be really cumbersome.

    • Yea, the ‘how to write exploits’ bit is pretty boring to read (and even more so to write) if you’re already familiar with it.

      Can you give an example of what you mean by ‘cumbersome’? Of course there are cases where an overflow can be complicated but for a chunk of vulnerability classes the process is pretty repeatable (keep in mind I didn’t work on heap metadata overflows). For overflows of stored EIP values, function pointers or write-n-bytes-anywhere vulnerabilities I find most of the effort goes into figuring out where your input is stored in memory, and what bytes you can change and still trigger the overflow. Both of these activities can be automated in a lot of cases. Also, remember my starting point is an input that causes the program to crash in a certain way. i.e. you already have an input that can alter the control flow, just not in a very useful way.

  2. I found my way to your thesis through Daniel’s blog and being someone who has never been into university but enjoy reading research papers written by others, I would say this is probably one of the most beautifully written thesis in my collection. I have only had a quick look of it but man, I am impressed! It is clean and well organized but not filled with too many mathematical formula which make it easy to read. If only each and everyone in the academics world would write a thesis/research paper like this, then everyone would become a scientist..

    Thanks for sharing, god bless you 🙂

  3. where are you now? haven’t seen or heard from you in ages, did you get hired into some three letter agency or something similar?

Comments are closed.