[SC-L] Automatic Generation of Control Flow Hijacking, Exploits for Software Vulnerabilities
Kenneth Van Wyk
ken at krvw.com
Mon Sep 28 14:35:28 EDT 2009
Hi SC-L,
I figured the referenced dissertation below would be of some interest
here. Interesting reading, IMHO.
Cheers,
Ken van Wyk
Begin forwarded message:
> From: Ian Cook <ian at cymru.com>
> Date: September 27, 2009 5:06:51 AM EDT
> Subject: [1st NEWS] [DNB] Automatic Generation of Control Flow
> Hijacking, Exploits for Software Vulnerabilities
>
> Title: Automatic Generation of Control Flow Hijacking
> Exploits for Software Vulnerabilities
> Author: Sean Heelan
> Source: University of Oxford
> Date Published: 3rd September 2009
>
> Excerpt:
>
> '....
>
> Software bugs that result in memory corruption are a common and
> dangerous feature of systems developed in certain programming
> languages. Such bugs are security vulnerabilities if they can be
> leveraged by an attacker to trigger the execution of malicious code.
> Determining if such a possibility exists is a time consuming process
> and requires technical expertise in a number of areas. Often the
> only way to be sure that a bug is in fact exploitable by an attacker
> is to build a complete exploit. It is this process that we seek to
> automate.
>
> We present a novel algorithm that integrates data-flow analysis and
> a decision procedure with the aim of automatically building
> exploits. The exploits we generate are constructed to hijack the
> control flow of an application and redirect it to malicious code.
> Our algorithm is designed to build exploits for three common classes
> of security vulnerability; stack-based buffer overflows that corrupt
> a stored instruction pointer, buffer overflows that corrupt a
> function pointer, and buffer overflows that corrupt the destination
> address used by instructions that write to memory. For these
> vulnerability classes we present a system capable of generating
> functional exploits in the presence of complex arithmetic
> modification of inputs and arbitrary constraints. Exploits are
> generated using dynamic data-flow analysis in combination with a
> decision procedure. To the best of our knowledge the resulting
> implementation is the first to demonstrate exploit generation using
> such techniques. We illustrate its effectiveness on a number
> of benchmarks including a vulnerability in a large, real-world
> server application......'
>
> To read the complete article see:
> http://seanhn.files.wordpress.com/2009/09/thesis1.pdf
>
> For more Security News see: www.team-cymru.org/News
> www.team-cymru.org/News/secnews.rss
>
> The opinions expressed in the posted news items do not
> necessarily reflect the views of Team Cymru.
>
> The appearance of hyperlinks does not constitute endorsement
> by Team Cymru of an external Web site, or any commercial
> company, information, products or services contained therein.
>
> Dragon News Bytes is a Private and Restricted mailing
> list.
>
> To subscribe to this mailing list, please signup at
> https://cymru.com/mailman/listinfo/ians_dragon_newsbytes and
> then send an email to: outreach at cymru.com providing some personal
> background and two references, preferably from FIRST.ORG
> www.first.org/members/teams
>
>
> Team Cymru
> Dragon News Bytes
>
> For more Security News see:
> www.team-cymru.org/News
> www.youtube.com/teamcymru
> http://twitter.com/teamcymru
>
> _____________________________________________________
>
> Ian Cook
> Security Evangelist
> Team Cymru
> www.cymru.com/contact.html
>
> 'To communicate simply you must understand profoundly'