Dynamic Program Analysis and Software Exploitation: From the crash to the exploit code

Horário: 14:00 as 14:50

Sumário

Program Analysis is a hot topic. Many people are discussing this subject even more given the amazing numbers of crashes the fuzzers are finding nowadays [1] [2]. This article uses program analysis as the way of making a computational system reason automatically (or at least with little human assistance) about the behavior of a program and draw conclusions that are somehow useful. In a world where thousands of crashes do exist and are easily found in very important software, the classification of exploitability of such bugs is the first priority. It is known that it is impossible (or inviable or nobody wants to, or whatever other excuse you find to not fix your software) to fix all the bugs such fuzzers are finding, so, at least, companies want to fix (or exploit) the ones that are exploitable.

The problem is that the widely used solution to analyze such crashes are provided by Microsoft (named !exploitable or bang exploitable) [3][4] and are not really useful to create actual exploits or to better understand the problem, but just to give a static classification (exploitable, probably exploitable, not exploitable or unknown). Even people with source code access are sometimes relying on such tools to determine the exploitability of a given path (sometimes it is easier to analyze a bug without getting into the messy code structure). Taint Analysis concepts and challenges are going to be explained in order to determine what is being done by the proposed solution and to provide a better idea of future and areas of improvements.

[1] Nagy, Ben. “Finding Microsoft Vulnerabilities by Fuzzing Binary. Files with Ruby – A New Fuzzing Framework”; Syscan 2009

[2] Miller, Charlie. “Babysitting an Army of Monkeys: An analysis of fuzzing 4 products with 5 lines of Python”; Cansecwest 2010 http://securityevaluators.com/files/slides/cmiller_CSW_2010.ppt

[3] Microsoft !exploitable page http://msecdbg.codeplex.com

[4] Abouchaev, Adel; Hasse, Damian; Lambert, Scott; Wroblewski, Greg. “Analyze crashes to find security vulnerabilities in your apps”

Palestrante

Rodrigo Rubira Branco (BSDaemon) is the founder of the Dissect || PE Project, funded by Qualys. As the Chief Security Research in Check Point he founded the Vulnerability Discovery Team (VDT) and released dozens of vulnerabilities in many important software. Previous to that, he worked as Senior Vulnerability Researcher in Coseinc. He is a member of the RISE Security Group and is the organizer of Hackers to Hackers Conference (H2HC), the oldest and biggest security research conference in Latin America.