AEG_ Automatic Exploit Generation

•

0 likes•21 views

Redhung @ Nationtal Chung Cheng University, Chiayi, Taiwan.

Seminar, Redhung @ SQLab, NYCU, AEG_ Automatic Exploit Generation

Software

AEG: Automatic Exploit Generation
Thanassis Avgerinos, Sang Kil Cha, Brent Lim Tze Hao and David Brumley
Carnegie Mellon University, Pittsburgh, PA
NDSS Symposium 2011
redhung@SQLab, NYCU

>_ Outline
● Introduction
● Overview
● Approach
● Problems and solutions
● Evaluation

>_ Introduction
● Manual Exploit Generation
○ Locate the address where is overflow
○ Locate the return address
○ Construct the shellcode
● Automatic Exploit Generation
○ Automatically find vulnerabilities
○ Detect exploitable bugs
○ Generate exploits

>_ Introduction
● Challenges
○ Source code analysis alone is inadequate
■ char src[12], dst[10]; strncpy(dst, src, sizeof(src))
○ Infinite number of possible paths
■ Which paths should we check first?

>_ Overview
● Condition
○ Stack overflow or format string
○ Overwrite the return address to hijack the workflow
○ Not against common security defenses e.g. NX, ASLR
○ Source code is needed
○ Linux x86

>_ Overview
● Step for shell spawning
○ Find the bug
○ Get the run-time information
○ Generate the exploit
○ Verify the exploit

>_ Overview
● Modeling
○ The Unsafe Path Predicate Πbug
■ Safe property Φ
○ The Exploit Predicate Πexploit
■ Attacker’s logic
○ Πbug
(ε) ∧ Πexploit
(ε) = true

>_ Approach
● 1. Pre-Process
○ src → ( Bgcc,
Bllvm
)
○ Bgcc
for binary analysis
○ Bllvm
for source code analysis

>_ Approach
● 2. Src-Analysis
○ Bllvm
→ max
○ Static analysis
○ Generate the maximum size of symbolic data max

>_ Approach
● 3. Bug-Find
○ (Bllvm
, Φ, max) → (Πbug
, V)
○ V contains source-level information
○ e.g. buffer name, vulnerable function name

>_ Approach
● 4. DBA ( Dynamic Binary Analysis )
○ (Bgcc
, (Πbug
, V)) → R
○ R represents run-time information
○ e.g. stack address, return address, stack frame

>_ Approach
● 5. Exploit-Gen
○ (Πbug
, R) → Πbug ∧ Πexploit
○ Program counter points to a user-determined location
○ The location contains shellcode

$>_ Approach ● 6. Verify ○ (Bgcc , Πbug ∧ Πexploit ) → { ε, ⊥ } ○ ε for true ○ ⊥ for false$

>_ Problems
● Traditional symbolic execution
○ State space explosion problem
○ Path selection problem
● Other
○ Environment modelling problem

>_ Solutions
● Preconditioned symbolic execution
○ State space is determined by Πprec
○ Known length
○ Known prefix
○ Concolic execution

>_ Solutions
● Path prioritization
○ Buggy-Path-First
○ Loop exhaustion

>_ Solutions
● Environment modleing
○ Symbolic files
○ Symbolic sockets
○ Environment variables
○ Library function calls and system calls

>_ Evaluation
● Experimental setup
○ 2.4 GHz Intel(R) Core 2 Duo CPU
○ 4GB of RAM
○ Debian Linux 2.6.26-2
○ LLVM-GCC 2.7
○ GCC 4.2.4

Similar to AEG_ Automatic Exploit Generation

Andriy Shalaenko - GO security tips

OWASP Kyiv

syslog-ng: from log collection to processing and information extraction

BalaBit

PyParis 2017 / Camisole : A secure online sandbox to grade student - Antoine ...

Pôle Systematic Paris-Region

source{d} is building the open-source components to enable large-scale code analysis and machine learning on source code. Their powerful tools can ingest all of the world’s public git repositories turning code into ASTs ready for machine learning and other analyses, all exposed through a flexible and friendly API. Francesc will show you how to run machine learning on source code with a series of live demos.

Machine Learning on Code - SF meetup

source{d}

[Gary entsminger] turbo_pascal_for_windows_bible(book_fi.org)

Yogi Sharo

Profilers find performance bottlenecks in your app but provide confusing information. Let's give you insights into how your profiler and your app are really interacting. What profiling APIs are available, how they work, and what their implementation on the JVM (OpenJDK) side looks like: Stack sampling profilers: stop motion view of your app GetCallTrace(JVisualVM case study): The official stack sampling API Safepoints and safepoint sampling bias AsyncGetCallTrace(Honest Profiler Case Study): The unofficial API JVM Profilers vs System Profilers: No API needed?

Jvm profiling under the hood

RichardWarburton

The Linux 4.x series introduced a new powerful engine of programmable tracing (BPF) that allows to actually look inside the kernel at runtime. This talk will show you how to exploit this engine in order to debug problems or identify performance bottlenecks in a complex environment like a cloud. This talk will cover the latest Linux superpowers that allow to see what is happening “under the hood” of the Linux kernel at runtime. I will explain how to exploit these “superpowers” to measure and trace complex events at runtime in a cloud environment. For example, we will see how we can measure latency distribution of filesystem I/O, details of storage device operations, like individual block I/O request timeouts, or TCP buffer allocations, investigating stack traces of certain events, identify memory leaks, performance bottlenecks and a whole lot more.

Linux kernel tracing superpowers in the cloud

Andrea Righi

Banking Trojans have been part of the financial cybercrime landscape for over a decade, causing losses measured in billions of dollars. On the flip side, the constant evolution of defenses against this type of malware has forced Trojan operators to adjust to security controls designed to keep them out. As a result, many Trojan operators have either disappeared or considerably narrowed their activity scope, but more interestingly, are using novel techniques to achieve their goals. In this talk, we will present three top malware operators active in the wild and their use of automated scripts to tackle their challenges: The notorious Gozi (ISFB) malware used to run its own executable files. Nowadays, it avoids storing malicious payloads on disk and instead, writes a Powershell script to the Windows registry and executes it using a special regex-based run-key. Ramnit, a dated foe that focuses on UK banks, encrypts its payload using a Windows API function with a device-unique key. In every system reboot, it decrypts the payload in-memory and runs it with a Visual Basic script that runs Powershell. This allows Ramnit to avoid running a detectable, executable file as it used to do in the past. BackSwap is a new banking Trojan that attacks financial institutions in Spain. Its dropper is a JavaScript Encoded (JSE) file. When decoded, the dropper results in a 30k lines-of-code script which downloads a binary sample from a remote Command-and-Control server. Together with our audience, we will walk through the research process and share our findings along with our (sometimes) quick-and-dirty solutions. We aim to enhance our participants’ knowledge of today’s bankers and help them get deeper into current-day scripting-related techniques cybercriminals use.

"Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ...

PROIDEA

This will address two recently concluded Kaggle competitions. 1. Google landmark retrieval 2. Google landmark recognition The talk would focus on image retrieval and recognition in large scale. The tentative plan for the presentation: Primer on signal analysis (DFT, Wavelets). Primer on information retrieval. Tips for parallelizing your data pipeline. Description of my approach and detailed discussion of bottlenecks, limitations and lessons. In-depth analysis of winning solutions. This will be a combination of theoretical rigor and practical implementation.

Landmark Retrieval & Recognition

kenluck2001

Neo4j after 1 year in production

Andrew Nikishaev

A simple tool for debug (tap>)

Laurence Chen

A closure ekon16

Max Kleiner

Apache Flink Training Workshop @ HadoopCon2016 - #2 DataSet API Hands-On

Apache Flink Taiwan User Group

Two C++ Tools: Compiler Explorer and Cpp Insights

Alison Chaiken

Ln monitoring repositories

snyff

[DSC] Introduction to Binary Exploitation

Florian Müller

Peter Czanik: syslog-ng - from log collection to processing and infomation extraction LOADays 2015. After a short introduction to system logging, we will show how the current log messages look like, and what the problem is with this free text format. Next, we will introduce you the powerful concept of name-value pairs, and how you can extract useful information from your logs by parsing log messages into name-value pairs. Next we will demonstrate the flexibility of syslog-ng’s message parsers (patterndb, csv and JSON parsers), and show you how to create patterns using a text editor or a GUI. This can also be used to overwrite sensitive information due to privacy regulations. At the end, you will learn about the Perl/Python/Lua/Java bindings of syslog-ng Open Source Edition, how value pairs can be passed to them, and some reference applications written for syslog-ng.

LOADays 2015 - syslog-ng - from log collection to processing and infomation e...

BalaBit

By Daniel Ehrenberg. Slides at https://docs.google.com/presentation/d/1UOk7RlrCdFLs95OPQ-emm__oHD3n43zGyLsn0aGZWyI/edit#slide=id.p JavaScript code frequently has to deal with missing values, but current mechanisms are repetitive or error-prone. Some are proposing that we change the JavaScript programming language, in a way inspired by other languages like Swift: the optional chaining and nullish coalescing operators. We got a big upgrade to JavaScript with ES6, but TC39, the standards committee which defines the programming language, is still making improvements with this and other proposals. In this talk, I'll explain what kinds of things TC39 thinks about, how it goes about improving the programming language, and how you can participate to shape the future of JavaScript. (c) BrazilJS 2018 24 e 25 de Agosto, Brazil

Missing objects: ?. and ?? in JavaScript (BrazilJS 2018)

Igalia

Introduction to nand2 tetris

Yodalee

Meltdown & spectre

Sergio Shevchenko

Similar to AEG_ Automatic Exploit Generation (20)

Andriy Shalaenko - GO security tips

syslog-ng: from log collection to processing and information extraction

PyParis 2017 / Camisole : A secure online sandbox to grade student - Antoine ...

Machine Learning on Code - SF meetup

[Gary entsminger] turbo_pascal_for_windows_bible(book_fi.org)

Jvm profiling under the hood

Linux kernel tracing superpowers in the cloud

"Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ...

Landmark Retrieval & Recognition

Neo4j after 1 year in production

A simple tool for debug (tap>)

A closure ekon16

Apache Flink Training Workshop @ HadoopCon2016 - #2 DataSet API Hands-On

Two C++ Tools: Compiler Explorer and Cpp Insights

Ln monitoring repositories

[DSC] Introduction to Binary Exploitation

LOADays 2015 - syslog-ng - from log collection to processing and infomation e...

Missing objects: ?. and ?? in JavaScript (BrazilJS 2018)

Introduction to nand2 tetris

Meltdown & spectre

More from Redhung @ Nationtal Chung Cheng University, Chiayi, Taiwan.

Windows Offender_ Reverse Engineering Windows Defender's Antivirus Emulator

Redhung @ Nationtal Chung Cheng University, Chiayi, Taiwan.

Unleashing MAYHEM On Binary Code

Redhung @ Nationtal Chung Cheng University, Chiayi, Taiwan.

Firmadyne

Redhung @ Nationtal Chung Cheng University, Chiayi, Taiwan.

Fintech Newebpay API using Flask and VueJS

Redhung @ Nationtal Chung Cheng University, Chiayi, Taiwan.

TA-java-method-109

Redhung @ Nationtal Chung Cheng University, Chiayi, Taiwan.

TA Lesson Web-109

Redhung @ Nationtal Chung Cheng University, Chiayi, Taiwan.

TA Lesson Binary Exploitation (Pwn)

Redhung @ Nationtal Chung Cheng University, Chiayi, Taiwan.

Java - TA課 - Array

Redhung @ Nationtal Chung Cheng University, Chiayi, Taiwan.

Reverse Engineering - Assembly & Introduction

Redhung @ Nationtal Chung Cheng University, Chiayi, Taiwan.

TA Lesson3 - Method

Redhung @ Nationtal Chung Cheng University, Chiayi, Taiwan.

Web Introduction

Redhung @ Nationtal Chung Cheng University, Chiayi, Taiwan.

Java - TA課 - Let's Begin

Redhung @ Nationtal Chung Cheng University, Chiayi, Taiwan.

Java - TA課 - 開發環境

Redhung @ Nationtal Chung Cheng University, Chiayi, Taiwan.

IoT Penetration Talk

Redhung @ Nationtal Chung Cheng University, Chiayi, Taiwan.

Introduction to computer network

Redhung @ Nationtal Chung Cheng University, Chiayi, Taiwan.

Assembly Language Redhung ( x86 ) @ TDOH

Redhung @ Nationtal Chung Cheng University, Chiayi, Taiwan.

TP-Link SR20 Zero-day attack

Redhung @ Nationtal Chung Cheng University, Chiayi, Taiwan.

Penetration test introduction for beginner. It only contains a little of web pen-test . (This is my first lesson teaching others about security!) 這是我在中正大學開的一堂滲透測試入門課程，裡面主要是一些入門的知識，沒有太深的東西，因此很適合初學的資安愛好者觀看。 (這是我第一次做關於資安的校內課程，因此有不對的地方還煩請告知我，謝謝您！)

滲透測試入門 Penetration test - white hat hacking introduction

Redhung @ Nationtal Chung Cheng University, Chiayi, Taiwan.

More from Redhung @ Nationtal Chung Cheng University, Chiayi, Taiwan. (18)

Windows Offender_ Reverse Engineering Windows Defender's Antivirus Emulator

Unleashing MAYHEM On Binary Code

Firmadyne

Fintech Newebpay API using Flask and VueJS

TA-java-method-109

TA Lesson Web-109

TA Lesson Binary Exploitation (Pwn)

Java - TA課 - Array

Reverse Engineering - Assembly & Introduction

TA Lesson3 - Method

Web Introduction

Java - TA課 - Let's Begin

Java - TA課 - 開發環境

IoT Penetration Talk

Introduction to computer network

Assembly Language Redhung ( x86 ) @ TDOH

TP-Link SR20 Zero-day attack

滲透測試入門 Penetration test - white hat hacking introduction

Recently uploaded

WSO2CON2024 - It's time to go Platformless

WSO2

%in Soweto+277-882-255-28 abortion pills for sale in soweto

masabamasaba

%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain

masabamasaba

tonesoftg

lanshi9

MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...

Jittipong Loespradit

WSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open Source

WSO2

WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation

WSO2

OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...

Shane Coughlan

Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...

Bert Jan Schrijver

WSO2CON 2024 - Does Open Source Still Matter?

WSO2

%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein

masabamasaba

Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...

SelfMade bd

WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...

WSO2

%in Midrand+277-882-255-28 abortion pills for sale in midrand

masabamasaba

%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein

masabamasaba

Abortion Pills In Pretoria ](+27832195400*)[ 🏥 Women's Abortion Clinic In Pretoria ● Abortion Pills For Sale In Pretoria ● Pretoria 🏥🚑!! Abortion Clinic Near Me Cost, Price, Women's Clinic Near Me, Abortion Clinic Near, Abortion Doctors Near me, Abortion Services Near Me, Abortion Pills Over The Counter, Abortion Pill Doctors' Offices, Abortion Clinics, Abortion Places Near Me, Cheap Abortion Places Near Me, Medical Abortion & Surgical Abortion, approved cyctotec pills and womb cleaning pills too plus all the instructions needed This Discrete women’s Termination Clinic offers same day services that are safe and pain free, we use approved pills and we clean the womb so that no side effects are present. Our main goal is that of preventing unintended pregnancies and unwanted births every day to enable more women to have children by choice, not chance. We offer Terminations by Pill and The Morning After Pill.” Our Private VIP Abortion Service offers the ultimate in privacy, efficiency and discretion. we do safe and same day termination and we do also womb cleaning as well its done from 1 week up to 28 weeks. We do delivery of our services world wide SAFE ABORTION CLINICS/PILLS ON SALE WE DO DELIVERY OF PILLS ALSO Abortion clinic at very low costs, 100% Guaranteed and it’s safe, pain free and a same day service. It Is A 45 Minutes Procedure, we use tested abortion pills and we do womb cleaning as well. Alternatively the medical abortion pill and womb cleansing !!!

Abortion Pills In Pretoria ](+27832195400*)[ 🏥 Women's Abortion Clinic In Pre...

Medical / Health Care (+971588192166) Mifepristone and Misoprostol tablets 200mg

We specialize in Psychic Readings, Psychic Love Spells, Binding Love Spells, Obsession Spells, Voodoo Spells, Lottery Spells, Marriage Spells, Black Magic Spells, Palm Readings & much more. Are you depressed? We perform this come-to-me love spell that works instantly with the aim of Winnipeg back the victim to the person performing the magic. Have you lost your lover? We perform this come-to-me love spell that works instantly with the aim of bringing back the victim to the person performing the magic. Have you lost your lover? Do u need to solve any relationship problem? Contact the powerful spells caster chief kule with love spells that work overnight and love spells that really work. Have you found yourself infatuated with a special someone you think could be the one? Are you looking for a spell to provide them with a nudge in the right direction? Or maybe the spell you cast didn’t achieve the results you were hoping for? Whether you’re new or versed in the ways of spell casting, we’re here to help. Today we’re going to provide you with a detailed guide on the types of love spells to cast. Not only that but there’s something for those who wish to find outside advice from more advanced spell casters. We’re also going to provide you with the top sites available to help you with your dilemma. Let’s begin our journey by educating ourselves on love magic and what a real love caster looks like. Love Magic and Love Casters Love magic made its first appearance back in Ancient Egypt and has been an active practice since. This type of magic is a branch of traditional magic and can be practiced in various ways. Typically the more common use of love magic is through the work of spells, but other methods look like Charms Rituals-LOVE Potions-Dolls and even Amulets If you are interested in becoming a love caster, be prepared for what’s to come. A genuine love caster knows that the art of love casting is no easy feat and shouldn’t be done casually. You should know that not only does it require you to be gifted spiritually, but you must be ready to serve others. Someone who is considered a real love caster has experience in all manner of spells, no matter the difficulty. Training yourself in attraction, commitment, and marriage spells is an excellent place to start. But this by no means will make you a professional. Practice your craft and expand your knowledge; understand that you will possess the ability to help others in time truly. Types of Love Spells What better way to start broadening your experiences with love spells than by learning more about them? These spells work like just about any other spell. Simply apply your intention, use a medium (sigils, mantras, candles, or charm bags), and top it off with establishing the belief that you will receive what you want. So what kind of spells are available and which ones suit your needs the best? Let’s take a look at the many options you have at your disposal. Attraction Spells

%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...

masabamasaba

Modeling languages are generally applied for developing systems and software – both internally, with domain-specific languages, and with standardized languages targeting a general purpose and a wide audience. Way too often these languages are weakly created and defined leading to poor quality: Language definitions tend to contain errors and inconsistencies; notations do not recognize the communication and problem-solving needs of humans; standardization organizations push exchange formats that do not fully work and offer certificates that do not measure mastery of the language. We describe common problems in language development and point them out with examples from known cases. To overcome these problems, we suggest several solutions to improve language development, including using modeling languages specifically designed to define modeling languages, continuous testing and prototyping, and keeping language users in the loop.

What Goes Wrong with Language Definitions and How to Improve the Situation

Juha-Pekka Tolvanen

WSO2CON 2024 - API Management Usage at La Poste and Its Impact on Business an...

WSO2

WSO2Con2024 - Enabling Transactional System's Exponential Growth With Simplicity

WSO2

Recently uploaded (20)