Download as PDF, PPTX
![>_
Techniques
---
•Symbolic indices
x = user_input();
y = mem[x];
assert ( y == 42 );](https://image.slidesharecdn.com/unleashingmayhemonbinarycode-221012091709-948ac6e4/85/Unleashing-MAYHEM-On-Binary-Code-36-320.jpg)
![>_
Techniques
---
•Symbolic indices
x = user_input();
y = mem[x];
assert ( y == 42 );
x can be everything
Which memory cell
contains 42?](https://image.slidesharecdn.com/unleashingmayhemonbinarycode-221012091709-948ac6e4/85/Unleashing-MAYHEM-On-Binary-Code-37-320.jpg)
![>_
Techniques
---
•Symbolic indices
x = user_input();
y = mem[x];
assert ( y == 42 );
x can be everything
Which memory cell
contains 42?
2^32 cells to check
Memory
0 2^32 - 1](https://image.slidesharecdn.com/unleashingmayhemonbinarycode-221012091709-948ac6e4/85/Unleashing-MAYHEM-On-Binary-Code-38-320.jpg)
![>_
Techniques
---
•One cause: overwritten pointers
arg
ret addr
ptr
buf
assert ( *ptr == 42 );
return;
mem[0x11223344]
ptr = 0x11223344](https://image.slidesharecdn.com/unleashingmayhemonbinarycode-221012091709-948ac6e4/85/Unleashing-MAYHEM-On-Binary-Code-39-320.jpg)
![>_
Techniques
---
•One cause: overwritten pointers
AAAAAAA
AAAAAAA
AAAAAAA
AAAAAAA
assert ( *ptr == 42 );
return;
mem[input]
ptr = input](https://image.slidesharecdn.com/unleashingmayhemonbinarycode-221012091709-948ac6e4/85/Unleashing-MAYHEM-On-Binary-Code-40-320.jpg)
![>_
Techniques
---
•Method 1: Concretization
mem[x] = 42;
x = 17;
mem[x] = 42;](https://image.slidesharecdn.com/unleashingmayhemonbinarycode-221012091709-948ac6e4/85/Unleashing-MAYHEM-On-Binary-Code-42-320.jpg)
![>_
Techniques
---
•Method 2: Fully symbolic
mem[x] = 42;
mem[0] = v … mem[2^32-1] = v
0 2^32-1](https://image.slidesharecdn.com/unleashingmayhemonbinarycode-221012091709-948ac6e4/85/Unleashing-MAYHEM-On-Binary-Code-43-320.jpg)
![>_
Techniques
---
•Observation
x can be everything
x <= 42
x >= 50
y = mem[x]
F T
F T
42 < x < 50](https://image.slidesharecdn.com/unleashingmayhemonbinarycode-221012091709-948ac6e4/85/Unleashing-MAYHEM-On-Binary-Code-44-320.jpg)
Unleashing MAYHEM On Binary Code
- MAYHEM is a system for automatically generating exploits by combining concrete and symbolic execution. It aims to maximize the amount of work done while minimizing wasted effort. - It uses a hybrid execution approach where it concurrently runs a concrete executor client and symbolic executor server. The client explores new paths while the server performs symbolic analysis. - A key challenge is handling symbolic memory addresses, which MAYHEM addresses through techniques like value set analysis to bound possible addresses and index search trees to efficiently search the memory state space.
More Related Content
Similar to Unleashing MAYHEM On Binary Code
![[2012 CodeEngn Conference 06] beist - Everyone has his or her own fuzzer](https://cdn.slidesharecdn.com/ss_thumbnails/20126thcodeengnbeisteveryonehashisorherownfuzzer-130525175318-phpapp02-thumbnail.jpg?width=640&height=640&fit=bounds)
More from Redhung @ Nationtal Chung Cheng University, Chiayi, Taiwan.
Unleashing MAYHEM On Binary Code
- 1. redhung@SQLab, NYCU Unleashing MAYHEM On BinaryCode Sang Kil Cha, Thanassis Avgerinos, Alexandre Rebert and David Brumley, Carnegie Mellon University 2012 IEEE Symposium on Security and Privacy redhung@SQLab, NYCU Unleashing MAYHEM On Binary Code Sang Kil Cha, Thanassis Avgerinos, Alexandre Rebert and David Brumley, Carnegie Mellon University 2012 IEEE Symposium on Security and Privacy 我用Keynote輸出Power Point會跑版請見諒
- 2. >_ CAT ./OUTLINE Introduction 0x00 Overview 0x10 Technique s 0x20 Evaluation 0x30 >_CAT ./OUTLINE Introduction 0x00 Overview 0x10 Technique s 0x20 Evaluation 0x30
- 3.
- 4. >_ Introduction •AEG --- -The automaticexploit generation challenge is given a program, automatically find vulnerabilities and generate exploits for them. -Heelan, AEG, Mayhem, CRAX
- 5. >_ Introduction •MAYHE M --- -MAYHEM’s designis based on four main principles: 1. The system should be able to make forward progress for arbitrarily long times, ideally run “forever” 2. In order to maximize performance, the system should not repeat work 3. The system should not throw away any work, previous analysis results of the system should be reusable on subsequent runs 4. The system should be able to reason about symbolic memory where a load or store address depends on user input
- 6. >_ Introduction •Symbolic Executors --- -Currentexecutors can be divided into two main categories: offline executors, online executors -Offline executors: which concretely run a single execution path and then symbolically execute it -Online executors: which try to execute all possible paths in a single run of the system
- 7. >_ Introduction •Overall, MAYHEMmakes the following contributions: --- -Hybrid execution -Index-based memory modeling -Binary-only exploit generation
- 8.
- 9. >_ Overview --- •We usean HTTP server, orzHttpd as an example to highlight the main challenges and present how MAYHEM works. •Note that we show source for clarity and simplicity; MAYHEM runs on binary code
- 10.
- 11.
- 12.
- 13.
- 14.
- 15.
- 16.
- 17. >_ Overview --- •We highlightseveral key points for finding exploitable bugs: -Low-level details matter -There are an enormous number of paths -The more checked paths, the better -Execute as much natively as possible
- 18. >_ Overview --- •MAYHEM consistsof two concurrently running processes: -Concrete Executor Client (CEC) -Symbolic Executor Server (SES)
- 19.
- 20.
- 21. >_ Techniques --- •Challenges -Resource management insymbolic execution -Symbolic indices
- 22. >_ Techniques --- •Challenges -Resource management insymbolic execution -Symbolic indices
- 23.
- 24. >_ Techniques --- •Offline Execution One path ata time Method 1: Rerun from scratch => Inefficient
- 25.
- 26.
- 27. >_ Techniques --- •Online Execution Fork at branches Method2: Stop forking => Miss paths Hit resource cap
- 28. >_ Techniques --- •Online Execution Fork at branches Method2: Stop forking => Miss paths Method 3: Snapshot process => Huge disk image Hit resource cap
- 29.
- 30.
- 31. >_ Techniques --- •Hybrid Execution Fork at branches Hitresource cap MAYHEM’s Method: Don’t snapshot state; use path predicate to recreate state
- 32. >_ Techniques --- •Hybrid Execution Fork at branches Hitresource cap MAYHEM’s Method: Don’t snapshot state; use path predicate to recreate state Check point Reduce the program state From 9.4M to 500K
- 33.
- 34. >_ Techniques --- •Challenges -Resource management insymbolic execution -Symbolic indices
- 35. >_ Techniques --- •Symbolic indices -If userinput is used as index to access the memory, then we call it as a symbolic index
- 36. >_ Techniques --- •Symbolic indices x =user_input(); y = mem[x]; assert ( y == 42 );
- 37. >_ Techniques --- •Symbolic indices x =user_input(); y = mem[x]; assert ( y == 42 ); x can be everything Which memory cell contains 42?
- 38. >_ Techniques --- •Symbolic indices x =user_input(); y = mem[x]; assert ( y == 42 ); x can be everything Which memory cell contains 42? 2^32 cells to check Memory 0 2^32 - 1
- 39. >_ Techniques --- •One cause: overwrittenpointers arg ret addr ptr buf assert ( *ptr == 42 ); return; mem[0x11223344] ptr = 0x11223344
- 40. >_ Techniques --- •One cause: overwrittenpointers AAAAAAA AAAAAAA AAAAAAA AAAAAAA assert ( *ptr == 42 ); return; mem[input] ptr = input
- 41. >_ Techniques --- •Another cause: tablelookups -Really frequent in standard API -e.g. sscanf, vfprintf, toupper, tolower, etc -If user gives user input as an argument, then inside these functions we will use user input as a memory index and we will use that index to look up a table
- 42. >_ Techniques --- •Method 1: Concretization mem[x]= 42; x = 17; mem[x] = 42;
- 43. >_ Techniques --- •Method 2: Fullysymbolic mem[x] = 42; mem[0] = v … mem[2^32-1] = v 0 2^32-1
- 44. >_ Techniques --- •Observation x can beeverything x <= 42 x >= 50 y = mem[x] F T F T 42 < x < 50
- 45. >_ Techniques --- •Use symbolic executionstate to: 1. Bound memory addresses referenced 2. Make search tree for memory address values -Value Set Analysis (VSA) •Other algorithms: -Refinement Cache -Lemma Cache -Index Search Trees (ISTs) -Bucketization with Linear Functions
- 46.
- 47. >_ Evaluation --- •Experimental Setup -3.40GHzIntel® Core i7-2600 CPU and 16GB of RAM -One VM was running Debian Linux (Squeeze) -One VM was running Windows XP SP3
- 48. >_ Evaluation --- •Exploitable BugDetection -Downloaded 29 different vulnerable programs -2 Zero-Day -1 Packed binary (Windows)
- 49. >_ Evaluation --- •Exploitable BugDetection -Downloaded 29 different vulnerable programs -2 Zero-Day -1 Packed binary (Windows)
- 50. >_ Evaluation --- •Scalability ofHybrid Symbolic Execution -Less Memory-Hungry than Online Execution -Faster than Offline Execution
- 51. >_ Evaluation --- •Scalability ofHybrid Symbolic Execution -Less Memory-Hungry than Online Execution -Faster than Offline Execution
- 52. >_ Evaluation --- •Handling SymbolicMemory in Real-World Applications
- 53. >_ Evaluation --- •MAYHEM CoverageComparison
- 54.
- 55.
- 56. THANK YOU! redhung@hung.red r3dhun9 @r3dhun9Philip Chen THANK YOU! redhung@hung.red r3dhun9 @r3dhun9 Philip Chen