Jump to content
Tuts 4 You

Malware Analysis

59 files

  1. Hardware Involved Software Attacks

    By Teddy Rogers

    Computer security vulnerabilities involving hardware are under-represented within the security industry. With a growing number of attackers, malware, and researchers moving beyond pure software attack scenarios and into scenarios incorporating a hardware element, it is important to start laying a foundation on how to understand, characterize, and defend against these types of hybrid attacks. This paper introduces and details a starting taxonomy of security attacks called hardware involved software attacks, in an effort to further security community awareness of hardware security and its role in upholding the security of the PC platform.

    72 downloads

    0 comments

    Submitted

  2. Hunting Obfuscated Malware

    By Teddy Rogers

    A malware is a program with a malicious behaviour, that is designed to replicate with no user consent and to damage software and/or data on infected machines. Malwares are generally classified according to their goals and propagation methods into viruses, worms, backdoors, Trojans, etc. A malware detector is a system that attempts to verify whether a program presents a malicious behaviour or not. The design of efficient malware detectors is crucial for preventing serious damages caused by malware infection. Current malware detectors (e.g. commercial virus scanners) in general rely on static signature matching and, more recently, on dynamic analyses. The dynamic approach executes the potentially infected program in a controlled environment (sandbox) thus performing a run-time verification of malicious behaviours. However, smart malwares may foil a dynamic analysis by modifying their behaviour when executed in a sandbox. Static signature matching classifies a program P as infected by a malware M when an instruction sequence of P matches the characteristic instruction sequence of M. Malware writers frequently use obfuscation to prevent signature matching detection. Code obfuscation consists in syntactically transforming a program while maintaining its functional behaviour. Recent results show that static signature matching can be defeated using simple obfuscating techniques, including code transposition, substitution of equivalent instruction sequences, opaque predicate insertion and variable renaming. Thus, the signature matching methodology is not resilient to slight modifications of malwares and needs a frequently updated database of malware signatures (one for each version of the malware). The reason way obfuscation can easily foil signature matching lies in the syntactic nature of this approach that ignores program functionality. Program behaviours are precisely described by formal semantics, so that facing the malware detection problem from a semantic point of view could lead to a more resilient detection system. Preliminary work on semantics-aware malware detectors confirms the potential benefits of a semantic approach. Our goal is to provide a semantic characterization of malware infection to be used as a basis for designing malware detectors that are resilient to most commonly used obfuscating techniques.

    78 downloads

    0 comments

    Submitted

  3. Inference and Analysis of Formal Models of Botnet Command and Control Protocols

    By Teddy Rogers

    We propose a novel approach to infer complete protocol state machines in realistic high-latency network setting, and apply it to the analysis of botnet C&C protocols. Our proposed techniques enable an order of magnitude reduction in the number of queries and time needed to learn a botnet C&C protocol than classic algorithms (from days to hours for inferring MegaD C&C protocol). We also show that the computed complete protocol state machines enable powerful analysis for botnet defense, including finding weakest links in a protocol, uncovering protocol design flaws, inferring the existence of unobservable communication back-channels among botnet servers, and finding deviations of protocol implementations which can be used for fingerprinting. Our experimental results on MegaD demonstrate that our technology offers invaluable novel insights to existing problems on botnet C&C and provides a powerful weapon for botnet defense.

    65 downloads

    0 comments

    Submitted

  4. Information-based Dependency Matching for Behavioral Malware Analysis

    By Teddy Rogers

    Malicious software (malware) has been a constant threat to computer environments. Every year malware inflict staggering amount of damage and incur vast financial losses worldwide. Malware has changed drastically and its purpose, attack vectors and methods are no longer simple. Furthermore the attackers often utilize unknown vulnerability, evasion techniques and generator algorithms which drastically increase the impact, effectiveness and quantity of malware. Thus the task falls to security experts to develop tools and techniques to thwart this ever expanding threat. The challenge is to detect all attacks, regardless of evasion techniques, while keeping false alarms to a minimum. This thesis seeks to analyze the application of function call-based malware detection. More specifically function calls with their inter-dependencies, extracted by use of information-based dependency matching. Analysis will be performed to research whether this method is reliable and improve obfuscation resilience. The thesis discusses the difference of per­forming detection at library call, system call or function call(hybrid) layer, and how well detection can be performed at these layers.

    64 downloads

    0 comments

    Submitted

  5. Internals of Windows Memory Management for Malware Analysis

    By Teddy Rogers

    This document presents insights from extensive reverse engineering efforts of the memory management mechanisms of Windows XP. The focus lies on the mechanisms which are used to map executable modules into the address space and the role of the page fault handler in this context.

    77 downloads

    0 comments

    Submitted

  6. Introduction to File Infection Techniques

    By Teddy Rogers

    This paper was written within the scope of the author's own learning process, during her studies of computer science and on the basis of her own malware analyses. It was published in order to offer an introduction to several file infection techniques used by viruses, showing examples and explaining appropriate countermeasures. It is aimed at everyone who is interested in the topic of malware and does not require previous knowledge, though a basic understanding of the PE file format, virtual memory management and the Windows OS in general is advantageous.
    The author apologies for grammar and/or contextual mistakes and is happy about any feedback.

    80 downloads

    0 comments

    Submitted

  7. Introduction to Malware Techniques and Logics

    By Teddy Rogers

    Following the great works by EvilCry, I have decided it's time to release some of my past and present works on Malware Analysis (some of them will be coming soon). This is in the hope of igniting some interests in Malware Analysis via Reverse Engineers mindset.

    This tutorial is written to provide a better understanding of where to find information and what is the aim of most Trojans. Their aim is simply to steal information or to act as a Bot in a Botnet. Please note that this article has been written for learning purposes and not for complex functionality. In the early days, there were many incidents where users received emails with malicious CHM (Microsoft Compiled HTML Help) and DOC (Microsoft Office Word Document) attachments containing Trojan Riler which is also known as BackDoor-BCB.

    So I have decided to impart some of my knowledge on Forensics in order to complete this tutorial, writing Introduction to Malware Techniques and Logics. The tutorial will cover different issues:
    How to decompile .CHM files. How to detect and analyse the shellcode How to dump the backdoor components How to discover the communication protocol I hope that this could begin a new chapter in the ongoing series of Reverse Engineering and Forensics guides from ARTeam and spark a new interest. Today's topic will go over Introduction to Malware Techniques and Logics.

    This paper attempts to document an approach on how the malware developers make use of the Macros and vulnerabilities to install malicious software on the vulnerable machine. We hope this document will help the future Reverse Engineers and Forensics guys / gals to conduct a more viable and comprehensive research.

    This article does not claim to be complete, exclusivity and is geared towards beginners.

    89 downloads

    0 comments

    Submitted

  8. Kernel-based Monitory on Windows (32-64bit)

    By Teddy Rogers

    Since malware works fast and quiet there is demand to analyze, track and block such scrap at some central point. There is nothing as central as the kernel of an operating system. This white paper describes how to monitor and protect your Windows-based system by using a minifilter driver intercepting IRP_MJ-Functions in its PreOperation-Callback. The white paper also discusses some basic analyzing and protection drivers I have written in the past. By following Microsoft's recommendation and guidelines for multiplatform compatible driver development, the resulting drivers are called kernel minifilter drivers that are reliable and compatible with all modern versions of Microsoft Windows (2000, XP, Vista, Server, 7 and including their 64 bit versions. Minifilter drivers are powerful tools to track and mitigate against many kinds of malware out there. Once you have build up your own minifilter drivers they are like a Swiss Army Knife. I highly encourage everyone in the Windows based security scene to have a deep look into the powerful stuff one can achieve with minifilter drivers.

    75 downloads

    0 comments

    Submitted

  9. Kernel Malware - The Attack from Within

    By Teddy Rogers

    The Kernel is the heart of modern operating systems. Code executing in kernel mode has full access to all memory including the kernel itself, all CPU instructions, and all hardware. For this obvious reason only the most trusted software should be allowed to run in kernel mode.

    Today, we are facing an emerging threat in the form of kernel-mode malware. By kernel-mode malware we mean malicious software that executes as part of the operating system having full access to the computer's resources. To the end-user this means malware that can bypass software firewalls and can be almost impossible to detect or remove even if the best anti-virus solutions are being used.

    This paper will examine the most important malware cases utilizing kernel-mode techniques over the last few years. The research will be limited to malware running on Windows NT and later operating system versions. It will look at the possible motives for the malware authors to move their creations to kernel mode. A detailed analysis of the key techniques making their existence possible will be covered.

    78 downloads

    0 comments

    Submitted

  10. Efficient and Fine-grained Address Space Randomization

    By Teddy Rogers

    In recent years, the deployment of many application-level countermeasures against memory errors and the increasing number of vulnerabilities discovered in the kernel has fostered a renewed interest in kernel-level exploitation. Unfortunately, no comprehensive and well-established mechanism exists to protect the operating system from arbitrary attacks, due to the relatively new development of the area and the challenges involved.

    In this paper, we propose the first design for fine-grained address space randomization (ASR) inside the operating system (OS), providing an efficient and comprehensive countermeasure against classic and emerging attacks, such as return-oriented programming. To motivate our design, we investigate the differences with application-level ASR and find that some of the well-established assumptions in existing solutions are no longer valid inside the OS; above all, perhaps, that information leakage becomes a major concern in the new context. We show that our ASR strategy outperforms state-of-the-art solutions in terms of both performance and security without affecting the software distribution model. Finally, we present the first comprehensive live re-randomization strategy, which we found to be particularly important inside the OS. Experimental results demonstrate that our techniques yield low run-time performance overhead (less than 5% on average on both SPEC and syscall-intensive benchmarks) and limited run-time memory footprint increase (around 15% during the execution of our benchmarks). We believe our techniques can greatly enhance the level of OS security without compromising the performance and reliability of the OS.

    120 downloads

    0 comments

    Submitted

  11. Embedded Malware Detection using Markov n-grams

    By Teddy Rogers

    Embedded malware is a recently discovered security threat that allows malcode to be hidden inside a benign file. It has been shown that embedded malware is not detected by commercial antivirus software even when the malware signature is present in the antivirus database. In this paper, we present a novel anomaly detection scheme to detect embedded malware. We ï¬rst analyze byte sequences in benign files to show that benign files data generally exhibit a 1-st order dependence structure. Consequently, conditional n-grams provide a more meaningful representation of a files statistical properties than traditional n-grams. To capture and leverage this correlation structure for embedded malware detection, we model the conditional distributions as Markov n-grams. For embedded malware detection, we use an information-theoretic measure, called entropy rate, to quantify changes in Markov n-gram distributions observed in a file. We show that the entropy rate of Markov n-grams gets signiï¬cantly perturbed at malcode embedding locations, and therefore can act as a robust feature for embedded malware detection. We evaluate the proposed Markov n-gram detector on a comprehensive malware dataset consisting of more than 37,000 malware samples and 1, 800 benign samples of six well-known filetypes. We show that the Markov n-gram detector provides better detection and false positive rates than the only existing embedded malware detection scheme.

    76 downloads

    0 comments

    Submitted

  12. Evolving Shell Code

    By Teddy Rogers

    Everything evolves. There are no exceptions, even for shell code.First the code was hidden using encryption. Now, it mimics the host data file. This paper discusses the evolution thus far, and though impossible to know for certain, the probable future.

    72 downloads

    0 comments

    Submitted

  13. Experimental Security Analysis of a Modern Automobile

    By Teddy Rogers

    Modern automobiles are no longer mere mechanical devices; they are pervasively monitored and controlled by dozens of digital computers coordinated via internal vehicular networks. While this transformation has driven major advancements in efficiency and safety, it has also introduced a range of new potential risks. In this paper we experimentally evaluate these issues on a modern automobile and demonstrate the fragility of the underlying system structure. We demonstrate that an attacker who is able to infiltrate virtually any Electronic Control Unit (ECU) can leverage this ability to completely circumvent a broad array of safety-critical systems. Over a range of experiments, both in the lab and in road tests, we demonstrate the ability to adversarial control a wide range of automotive functions and completely ignore driver input — including disabling the brakes, selectively braking individual wheels on demand, stopping the engine, and so on. We find that it is possible to bypass rudimentary network security protections within the car, such as maliciously bridging between our car's two internal subnets. We also present composite attacks that leverage individual weaknesses, including an attack that embeds malicious code in a car's telematics unit and that will completely erase any evidence of its presence after a crash. Looking forward, we discuss the complex challenges in addressing these vulnerabilities while considering the existing automotive ecosystem.

    68 downloads

    0 comments

    Submitted

  14. DEP/ASLR Implementation Progress in Popular Third-party Windows Applications

    By Teddy Rogers

    Vulnerabilities that corrupt memory typically result in the execution of arbitrary code by redirecting the program flow to a writable memory area containing instructions defined by an attacker.

    DEP (Data Execution Prevention) is a generic defensive measure that prevents the execution of writable memory, first added to Windows in XP Service Pack 2 in August 2004. In a default configuration, Windows applications have to inform the operating system that they want DEP enabled in their context. The most popular method of enabling DEP on pre-Vista systems is a call to the "SetProcessDEPPolicy()" function. On Windows Vista and newer systems, an executable can communicate its DEP choice by simply setting the NX_COMPAT (0x100) flag in the "DllCharacteristics" field of a PE (Portable Executable).

    While DEP renders the exploit development process more complex and time consuming, code execution can still be achieved by constructing a chain of function calls to fixed executable addresses inside the address space of the target process (technique known as "return-into-libc"). In order to encumber such techniques, ASLR (Address Space Layout Randomization) was introduced with the release of Windows Vista in early 2007. If a PE file has the DYNAMIC_BASE (0x40) flag set in its "DllCharacteristics" field, the address at which the PE is loaded is randomized on each system boot. This significantly lowers the chances for a return-into-libc attack to succeed. However, note that a single module for which ASLR is not applied can at times be enough for code execution to succeed. If both DEP and ASLR are correctly deployed, the ease of exploit development decreases significantly, code execution being sometimes impossible to achieve in one attempt.

    This paper intends to depict the evolution and current state of DEP and ASLR support in popular third-party Windows applications.

    Windows XP SP3 and Windows 7, both running on a 32-bit platform, were used as testing environments. Sixteen of the most popular* third-party Windows applications were tested. Only applications, which had at least one memory corruption vulnerability publicly disclosed within the last two years, were chosen.

    While performing ASLR compatibility tests, if DEP was found to be disabled in a tested application, code execution was considered achievable regardless of ASLR support. ASLR is, therefore, irrelevant in such cases and was not tested in detail.

    122 downloads

    3 comments

    Submitted

  15. Detection of Metamorphic and Virtualization-based Malware

    By Teddy Rogers

    We present an overview of the latest developments in the detection of metamorphic and virtualization­ based malware using an algebraic specification of the Intel64 assembly programming language. After giving an overview of related work, we describe the development of a specification of a subset of the Intel 64 instruction set in Maude, an advanced formal algebraic specification tool. We develop the technique of metamorphic malware detection based on equivalence-in-context so that it is applicable to imperative programming languages in general, and we give two detailed examples of how this might be used in a practical setting to detect metamorphic malware. We discuss the application of these techniques within anti-virus software, and give a proof-of-concept system for defeating detection counter-measures used by virtualization-based malware, which is based on our Maude specification of Intel 64. Finally, we compare formal and informal approaches to malware detection, and give some directions for future research.

    71 downloads

    0 comments

    Submitted

  16. Diffing Binaries vs Anti-diffing Binaries

    By Teddy Rogers

    The Problem:

    Security patches are usually meant to fix security vulnerabilities. And those are for fixing problems and protect computers and end users from risks. But how about releasing patch imposes new threats? We call the threat 1-day exploits. Just few minutes after the release of patches, binary diffing technique can be used to identify the vulnerabilities that the security patches are remedying. It's ironical situation but that's what is happening these days.

    This binary diffing technique is especially useful for Microsoft's binaries. Not like other vendors they are releasing patch regularly and the patched vulnerabilities are relatively concentrated in small areas in the binary. Those facts make the patched area in the binary more visible and apparent to the patch analyzers.

    We already developed "eEye Binary Diffing Suites" back in 2006 and it's widely used by security researchers to identify vulnerabilities. It's free and open-source and it's powerful enough to be used for 1-day vulnerabilities hunting purpose. So virtually, attackers have access to all the tools and targets they need to identify unknown vulnerabilities that is just patched. They can launch attack during the time frame users or corporates are applying patches. This process typically takes few minutes to few days.

    From our observations during past few years, all the important security patches were binary diffed manually or automatically using tools. Sometimes the researchers claimed they finished analyzing patches in just 20-30 minutes. At most in a day, it's possible to identify the vulnerability itself and make working exploits. And binary diffing has now become too easy and cheap to the attackers. During patch applying time frame, the end users are more vulnerable and targeted using 1-day attack.

    The Answer:

    So now it became crucial to make theses 1-day exploits more difficult and time-consuming so that the vendors can earn more time for the consumers to apply patches. Even though using severe code obfuscation is not an option for Microsoft's products, they can still follow some strategies and techniques to defeat the binary diffing processes without forsaking stability and usability. We are going to show the methods and tactics to make binary differs life harder. And will show the in-house tool that obfuscates the binaries in a way that especially binary differs confused. We call this process anti-binary diffing.

    68 downloads

    0 comments

    Submitted

  17. Disinfection of Alman.NAB

    By Teddy Rogers

    My video tutorial is about the disinfection of Alman.NAB (ESET NOD32 AV) from an infected file with example and full details.

    72 downloads

    0 comments

    Submitted

  18. An Approach Towards Disassembly of Malicious Binary Executables

    By Teddy Rogers

    In the recent past computer security has become an issue of foremost importance for individuals, businesses, and governments. Hostile programmers, who write programs with malicious intents of collecting private information, spread spam, etc. breach the existing security measures. Whenever these hostile programmers, specifically virus/worm writers, succeed in spreading a virus or a worm, there is a significant loss to businesses. For example, mi2g website [6] quotes that within one quarter the NetSky worm and all its A - Q variants put together, had already caused between $35.8 billion and $43.8 billion of estimated economic damages worldwide. The website also quotes that, in March, combined losses due to the three worms Beagle, MyDoom, and NetSky crossed the $100 billion mark within a week.

    The war between hostile programmers and antivirus writers resembles any classic arms escalation. The first step in countering the malicious attacks is to identify the malicious programs. Antivirus companies use several dynamic and static analysis techniques to identify malware [25]. Most of the Anti-Virus (AV) tools depend upon knowledge of what are called "virus signatures" which are nothing but patterns of system calls. If these AV tools can find a particular signature in their database of currently known patterns, they raise an alarm. To identify signatures from a malicious program or to understand and counteract the malicious behaviour, we need to analyse the executable. This typically requires converting the byte sequence of an executable to an intermediate representation.

    123 downloads

    0 comments

    Submitted

  19. An In-Depth Analysis of the Bagle Virus

    By Teddy Rogers

    Today, many anti-virus (AV) scanners primarily detect viruses by looking for simple virus signatures within the file being scanned. The signature of a virus is typically created by disassembling the virus into assembly code, analyzing it, and then selecting those sections of code that seem to be unique to the virus. The binary bits of those unique sections become the signature for the virus. However, this approach can be easily subverted by polymorphic viruses, which change their code (and virus signature) every time they're run. In response, AV vendors implemented heuristics and decryption engines that would run the decryptor/loader code of the binary and peak inside the unencrypted binary to determine if it's a virus. However, the fact is that most viruses are of the "simple" type2 ­ not encrypted or polymorphic, and many of them have many variants that come out afterwards.

    We believe that reverse code engineering (RCE) can be used to better analyze viruses and provide us with better techniques to protect against them and their variants. This paper examines the benefits of RCE and how it applies to detecting, preventing, and recovering from a virus. RCE can be defined as analyzing and disassembling a software system in order understand its design, components, and inner-workings. RCE also allows us to see hidden behaviors that cannot be directly observed by running the virus or those actions that have yet to be activated. These benefits can be used to prematurely defeat a virus's future variants by better analyzing the original virus.

    64 downloads

    0 comments

    Submitted

  20. Analysing of an Adobe Flash Malware

    By Teddy Rogers

    It has been a long time since I wrote about something and I thought that maybe it is a good idea to write again. This time I want to tell you a story about a new 0-day vulnerability (well, not 0-day right now but it was at that time) in Adobe Flash that was published some time ago and that was being exploited in the wild.

    Why I'm writing about this? There are a few reasons. First, just for fun. We were analysing this bug with a friend (@fdfalcon) for a week or so and the truth is we spent a really good time with it.

    Besides, malware analysis is a subject I'm interested in but in my daily job I don't have the opportunity to do this kind of things. Of course there are exceptions but is not what I do the whole day, I'm not a malware analyst.

    The third reason is because I'm using this tutorial as an excuse to show you how to write a little tool using Pin.

    69 downloads

    0 comments

    Submitted

  21. Analysis of ZeroAccess Rootkit

    By Teddy Rogers

    When we write about ZeroAccess rootkit, it is essential to go back in 2009 and to remind when this rootkit had been discovered in the wild. It was the time of MBR rootkit and TDL2 rootkit “the second major release of the most advanced kernel mode rootkit currently in the wild“ when security researchers came across a new, previously unknown, rootkit able to kill most of security software as soon as they tried to scan specified folders in the system. ZeroAccess was creating a new kernel device object called __max++> , this is the reason why the rootkit has quickly become known in the security field as the max++ rootkit, also known as ZeroAccess due to a string found in the kernel driver code, presumably pointing to the original project folder called ZeroAccess (f: \VC5\release\ZeroAccess.pdb).

    This rootkit was storing its code in two alternate data streams, win32k.sys:1 and win32k.sys:2. To avoid being detected, it was killing every security software that attempted to scan for alternate data streams. It created in the system folder a number of fake junctions (note: an NTFS junction point is a feature of the NTFS file system that allows a folder to be linked to another local folder, becoming an alias for such target folder) pointing to the fake rootkit device written above. When security software tried to scan such specified folders for Alternate Data Streams presence (FileStreamInformation class), the rootkit’s selfdefense queued a work item in the security process able to immediately kill it. It became a non-trivial job scanning the system without being killed.

    Since then, ZeroAccess rootkit evolved, changing the way it infects the system, becoming yet more advanced and dangerous. In this paper we are going to analyse this threat and how it evolved to its current release.

    79 downloads

    0 comments

    Submitted

  22. Automated Malware Analysis

    By Teddy Rogers

    Malware analysis has evolved in both the sophistication of the samples analyzed and the tools of the trade. Unfortunately human analysis of samples is still very expensive and time consuming. As teams of malware analysts have grown larger, the duplication of effort in analyzing similar pieces of code has also grown.

    The goal of this paper is to outline a simple framework that could be used to help rememdy this situation, ultimately saving time and money for organizations performing malware analysis.

    The author is aware of similar proprietary and commercial products that aim to resolve this issue or similar issues, however he is not aware of any free tools that attempt to reduce redundant analysis.

    72 downloads

    0 comments

    Submitted

  23. Automatic Analysis of Malware Behavior using Machine Learning

    By Teddy Rogers

    Malicious software - so called malware poses a major threat to the security of computer systems. The amount and diversity of its variants render classic security defenses ineffective, such that millions of hosts in the Internet are infected with malware in the form of computer viruses, Internet worms and Trojan horses. While obfuscation and polymorphism employed by malware largely impede detection at file level, the dynamic analysis of malware binaries during run-time provides an instrument for characterizing and defending against the threat of malicious software.

    In this article, we propose a framework for the automatic analysis of malware behaviour using machine learning. The framework allows for automatically identifying novel classes of malware with similar behaviour (clustering) and assigning unknown malware to these discovered classes (classification). Based on both, clustering and classification, we propose an incremental approach for behaviour-based analysis, capable of processing the behaviour of thousands of malware binaries on a daily basis. The incremental analysis significantly reduces the runtime overhead of current analysis methods, while providing accurate discovery and discrimination of novel malware variants.

    70 downloads

    0 comments

    Submitted

  24. Automatic Discovery of Parasitic Malware

    By Teddy Rogers

    Malicious software includes functionality designed to block discovery or analysis by defensive utilities. To prevent correct attribution of undesirable behaviours to the malware, it often subverts the normal execution of benign processes by modifying their in-memory code images to include malicious activity. It is important to find not only maliciously-acting benign processes, but also the actual parasitic malware that may have infected those processes. In this paper, we present techniques for automatic discovery of unknown parasitic malware present on an infected system. We design and develop a hypervisor-based system, Pyrenee, that aggregates and correlates information from sensors at the network level, the network-to-host boundary, and the host level so that we correctly identify the true origin of malicious behaviour. We demonstrate the effectiveness of our architecture with security and performance evaluations on a Windows system: we identified all malicious binaries in tests with real malware samples, and the tool imposed overheads of only 0%-5% on applications and performance benchmarks.

    64 downloads

    0 comments

    Submitted

  25. Automatic Exploit Generation

    By Teddy Rogers

    The automatic exploit generation challenge is given a program, automatically find vulnerabilities and generate exploits for them. In this paper we present AEG, the first end-to-end system for fully automatic exploit generation. We used AEG to analyze 14 open-source projects and successfully generated 16 control flow hijacking exploits. Two of the generated exploits (expect-5.43 and htget-0.93) are zero-day exploits against unknown vulnerabilities. Our contributions are: 1) we show how exploit generation for control flow hijack attacks can be modelled as a formal verification problem, 2) we propose preconditioned symbolic execution, a novel technique for targeting symbolic execution, 3) we present a general approach for generating working exploits once a bug is found, and 4) we build the first end-to-end system that automatically finds vulnerabilities and generates exploits that produce a shell.

    73 downloads

    0 comments

    Submitted

×
×
  • Create New...