- MAYHEM is a system for automatically generating exploits by combining concrete and symbolic execution. It aims to maximize the amount of work done while minimizing wasted effort. - It uses a hybrid execution approach where it concurrently runs a concrete executor client and symbolic executor server. The client explores new paths while the server performs symbolic analysis. - A key challenge is handling symbolic memory addresses, which MAYHEM addresses through techniques like value set analysis to bound possible addresses and index search trees to efficiently search the memory state space.

1. redhung@SQLab, NYCU
Unleashing
MAYHEM
On Binary Code
Sang Kil Cha, Thanassis Avgerinos, Alexandre Rebert and David Brumley, Carnegie Mellon University
2012 IEEE Symposium on Security and Privacy
redhung@SQLab, NYCU
Unleashing
MAYHEM
On Binary Code
Sang Kil Cha, Thanassis Avgerinos, Alexandre Rebert and David Brumley, Carnegie Mellon University
2012 IEEE Symposium on Security and Privacy
我用Keynote輸出Power Point會跑版請見諒

2. >_ CAT ./OUTLINE
Introduction
0x00
Overview
0x10
Technique
s
0x20
Evaluation
0x30
>_ CAT ./OUTLINE
Introduction
0x00
Overview
0x10
Technique
s
0x20
Evaluation
0x30

3. Introduction

4. >_ Introduction
•AEG
---
-The automatic exploit generation challenge is given a program, automatically
find vulnerabilities and generate exploits for them.
-Heelan, AEG, Mayhem, CRAX

5. >_ Introduction
•MAYHE
M
---
-MAYHEM’s design is based on four main principles:
1. The system should be able to make forward progress for arbitrarily long
times, ideally run “forever”
2. In order to maximize performance, the system should not repeat work
3. The system should not throw away any work, previous analysis results of
the system should be reusable on subsequent runs
4. The system should be able to reason about symbolic memory where a load
or store address depends on user input

6. >_ Introduction
•Symbolic Executors
---
-Current executors can be divided into two main categories: offline
executors, online executors
-Offline executors: which concretely run a single execution path and then
symbolically execute it
-Online executors: which try to execute all possible paths in a single run of the
system

7. >_ Introduction
•Overall, MAYHEM makes the following
contributions:
---
-Hybrid execution
-Index-based memory modeling
-Binary-only exploit generation

8. Overview

9. >_ Overview
---
•We use an HTTP server, orzHttpd as an example to highlight the main challenges
and present how MAYHEM works.
•Note that we show source for clarity and simplicity; MAYHEM runs on binary code

10. >_ Overview
---

11. >_ Overview
---

12. >_ Overview
---

13. >_ Overview
---

14. >_ Overview
---

15. >_ Overview
---

16. >_ Overview
---

17. >_ Overview
---
•We highlight several key points for finding exploitable bugs:
-Low-level details matter
-There are an enormous number of paths
-The more checked paths, the better
-Execute as much natively as possible

18. >_ Overview
---
•MAYHEM consists of two concurrently running processes:
-Concrete Executor Client (CEC)
-Symbolic Executor Server (SES)

19. >_ Overview
---

20. Technique
s

21. >_
Techniques
---
•Challenges
-Resource management in symbolic execution
-Symbolic indices

22. >_
Techniques
---
•Challenges
-Resource management in symbolic execution
-Symbolic indices

23. >_
Techniques
---
•Offline Execution
One path
at a time

24. >_
Techniques
---
•Offline Execution
One path
at a time
Method 1:
Rerun from scratch
=> Inefficient

25. >_
Techniques
---
•Online Execution
Fork at
branches

26. >_
Techniques
---
•Online Execution
Fork at
branches
Hit resource cap

27. >_
Techniques
---
•Online Execution
Fork at
branches
Method 2:
Stop forking
=> Miss paths
Hit resource cap

28. >_
Techniques
---
•Online Execution
Fork at
branches
Method 2:
Stop forking
=> Miss paths
Method 3:
Snapshot process
=> Huge disk image
Hit resource cap

29. >_
Techniques
---
•Hybrid Execution
Fork at
branches

30. >_
Techniques
---
•Hybrid Execution
Fork at
branches
Hit resource cap

31. >_
Techniques
---
•Hybrid Execution
Fork at
branches
Hit resource cap
MAYHEM’s Method:
Don’t snapshot state;
use path predicate
to recreate state

32. >_
Techniques
---
•Hybrid Execution
Fork at
branches
Hit resource cap
MAYHEM’s Method:
Don’t snapshot state;
use path predicate
to recreate state
Check point
Reduce the program state
From 9.4M to 500K

33. >_
Techniques
---

34. >_
Techniques
---
•Challenges
-Resource management in symbolic execution
-Symbolic indices

35. >_
Techniques
---
•Symbolic indices
-If user input is used as index to access the memory, then we call
it as a symbolic index

36. >_
Techniques
---
•Symbolic indices
x = user_input();
y = mem[x];
assert ( y == 42 );

37. >_
Techniques
---
•Symbolic indices
x = user_input();
y = mem[x];
assert ( y == 42 );
x can be everything
Which memory cell
contains 42?

38. >_
Techniques
---
•Symbolic indices
x = user_input();
y = mem[x];
assert ( y == 42 );
x can be everything
Which memory cell
contains 42?
2^32 cells to check
Memory
0 2^32 - 1

39. >_
Techniques
---
•One cause: overwritten pointers
arg
ret addr
ptr
buf
assert ( *ptr == 42 );
return;
mem[0x11223344]
ptr = 0x11223344

40. >_
Techniques
---
•One cause: overwritten pointers
AAAAAAA
AAAAAAA
AAAAAAA
AAAAAAA
assert ( *ptr == 42 );
return;
mem[input]
ptr = input

41. >_
Techniques
---
•Another cause: table lookups
-Really frequent in standard API
-e.g. sscanf, vfprintf, toupper, tolower, etc
-If user gives user input as an argument, then inside these functions we
will use user input as a memory index and we will use that index to
look up a table

42. >_
Techniques
---
•Method 1: Concretization
mem[x] = 42;
x = 17;
mem[x] = 42;

43. >_
Techniques
---
•Method 2: Fully symbolic
mem[x] = 42;
mem[0] = v … mem[2^32-1] = v
0 2^32-1

44. >_
Techniques
---
•Observation
x can be everything
x <= 42
x >= 50
y = mem[x]
F T
F T
42 < x < 50

45. >_
Techniques
---
•Use symbolic execution state to:
1. Bound memory addresses referenced
2. Make search tree for memory address values
-Value Set Analysis (VSA)
•Other algorithms:
-Refinement Cache
-Lemma Cache
-Index Search Trees (ISTs)
-Bucketization with Linear Functions

46. Evaluation

47. >_ Evaluation
---
•Experimental Setup
-3.40GHz Intel® Core i7-2600 CPU and 16GB of RAM
-One VM was running Debian Linux (Squeeze)
-One VM was running Windows XP SP3

48. >_ Evaluation
---
•Exploitable Bug Detection
-Downloaded 29 different vulnerable programs
-2 Zero-Day
-1 Packed binary (Windows)

49. >_ Evaluation
---
•Exploitable Bug Detection
-Downloaded 29 different vulnerable programs
-2 Zero-Day
-1 Packed binary (Windows)

50. >_ Evaluation
---
•Scalability of Hybrid Symbolic Execution
-Less Memory-Hungry than Online Execution
-Faster than Offline Execution

51. >_ Evaluation
---
•Scalability of Hybrid Symbolic Execution
-Less Memory-Hungry than Online Execution
-Faster than Offline Execution

52. >_ Evaluation
---
•Handling Symbolic Memory in Real-World Applications

53. >_ Evaluation
---
•MAYHEM Coverage Comparison

54. >_ Evaluation
---
•Comparison against AEG

55. >_ Evaluation
---
•Performance Tuning

56. THANK YOU!
redhung@hung.red
r3dhun9 @r3dhun9 Philip Chen
THANK YOU!
redhung@hung.red
r3dhun9 @r3dhun9 Philip Chen