Automatic Exploit Generation (AEG) aims to automatically find vulnerabilities and generate exploits by analyzing source code through a series of steps: 1. It pre-processes source code to generate intermediate representations for binary and source code analysis. 2. It performs source code analysis to determine the maximum size of symbolic data. 3. It uses symbolic execution guided by an "unsafe path predicate" to find bugs in the source code and collect related information. 4. It performs dynamic binary analysis to gather runtime information needed for exploit generation. 5. It generates an "exploit predicate" using the collected information to hijack program control flow and execute shellcode. 6. It verifies whether the generated

1. AEG: Automatic Exploit Generation
Thanassis Avgerinos, Sang Kil Cha, Brent Lim Tze Hao and David Brumley
Carnegie Mellon University, Pittsburgh, PA
NDSS Symposium 2011
redhung@SQLab, NYCU

2. >_ Outline
● Introduction
● Overview
● Approach
● Problems and solutions
● Evaluation

3. Introduction

4. >_ Introduction
● Manual Exploit Generation
○ Locate the address where is overflow
○ Locate the return address
○ Construct the shellcode
● Automatic Exploit Generation
○ Automatically find vulnerabilities
○ Detect exploitable bugs
○ Generate exploits

5. >_ Introduction
● Challenges
○ Source code analysis alone is inadequate
■ char src[12], dst[10]; strncpy(dst, src, sizeof(src))
○ Infinite number of possible paths
■ Which paths should we check first?

6. Overview

7. >_ Overview
● Condition
○ Stack overflow or format string
○ Overwrite the return address to hijack the workflow
○ Not against common security defenses e.g. NX, ASLR
○ Source code is needed
○ Linux x86

8. >_ Overview

9. >_ Overview
● Step for shell spawning
○ Find the bug
○ Get the run-time information
○ Generate the exploit
○ Verify the exploit

10. >_ Overview
● Modeling
○ The Unsafe Path Predicate Πbug
■ Safe property Φ
○ The Exploit Predicate Πexploit
■ Attacker’s logic
○ Πbug
(ε) ∧ Πexploit
(ε) = true

11. Approach

12. >_ Approach

13. >_ Approach
● 1. Pre-Process
○ src → ( Bgcc,
Bllvm
)
○ Bgcc
for binary analysis
○ Bllvm
for source code analysis

14. >_ Approach
● 2. Src-Analysis
○ Bllvm
→ max
○ Static analysis
○ Generate the maximum size of symbolic data max

15. >_ Approach
● 3. Bug-Find
○ (Bllvm
, Φ, max) → (Πbug
, V)
○ V contains source-level information
○ e.g. buffer name, vulnerable function name

16. >_ Approach
● 4. DBA ( Dynamic Binary Analysis )
○ (Bgcc
, (Πbug
, V)) → R
○ R represents run-time information
○ e.g. stack address, return address, stack frame

17. >_ Approach
● 5. Exploit-Gen
○ (Πbug
, R) → Πbug ∧ Πexploit
○ Program counter points to a user-determined location
○ The location contains shellcode

18. >_ Approach
● 6. Verify
○ (Bgcc
, Πbug
∧ Πexploit
) → { ε, ⊥ }
○ ε for true
○ ⊥ for false

19. Problems and Solutions

20. >_ Problems
● Traditional symbolic execution
○ State space explosion problem
○ Path selection problem
● Other
○ Environment modelling problem

21. >_ Solutions
● Preconditioned symbolic execution
○ State space is determined by Πprec
○ Known length
○ Known prefix
○ Concolic execution

22. >_ Solutions

23. >_ Solutions

24. >_ Solutions
● Path prioritization
○ Buggy-Path-First
○ Loop exhaustion

25. >_ Solutions
● Environment modleing
○ Symbolic files
○ Symbolic sockets
○ Environment variables
○ Library function calls and system calls

26. >_ Solutions

27. Evaluation

28. >_ Evaluation
● Experimental setup
○ 2.4 GHz Intel(R) Core 2 Duo CPU
○ 4GB of RAM
○ Debian Linux 2.6.26-2
○ LLVM-GCC 2.7
○ GCC 4.2.4

29. >_ Evaluation

30. >_ Evaluation

31. >_ Evaluation

32. THANKS