Hackers of India

DPTrace: Dual Purpose Trace for Exploitability Analysis of Program Crashes

By Rohit Mothe, Rodrigo Rubira Branco on 04 Aug 2016 @ Blackhat


Presentation Material

Abstract

This research focuses on determining the practical exploitability of software issues by means of crash analysis. The target was not to automatically generate exploits, and not even to fully automate the entire process of crash analysis, but to provide a holistic, feedback-oriented approach that augments a researcher's efforts in triaging the exploitability and impact of a program crash (or fault). The result is a semi-automated crash analysis framework that can speed up the work of an exploit writer (analyst). Fuzzing, a powerful method for vulnerability discovery, keeps getting more popular in all segments across the industry, from developers to bug hunters. With fuzzing frameworks becoming more sophisticated (and intelligent), the task of product security teams and exploit analysts to triage the constant influx of bug reports and associated crashes received from external researchers has increased dramatically. Exploit writers are also facing new challenges: with the advance of modern protection mechanisms, bug bounties and high prices for vulnerabilities, their time to analyze a potential issue and write a working exploit is shrinking.

Given the need to improve the existing tools and methodologies in the field of program crash analysis, our research speeds up dealing with a vast corpus of crashes. We discuss existing problems and ideas, and present our approach, which is in essence a combination of backward and forward taint propagation systems. The idea is to leverage both approaches and integrate them into one single framework that provides, at the moment of a crash, the mapping of the input areas that influence the crash situation and, from the crash on, an analysis of the potential capabilities for achieving code execution. We discuss the concepts and the implementation of two functional tools developed by the authors (one of which was previously released) and discuss the benefits of integrating them. Finally, we demonstrate the use of the integrated tool (DPTrace, to be released as open source at Black Hat) on public vulnerabilities (zero-days at the time they were originally disclosed), including a few that the authors themselves discovered, analyzed/exploited and reported.
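To make the two directions the abstract combines concrete, here is an added toy model in Python; it is not DPTrace's code and not from the talk. It works over a constructed trace of simplified three-address instructions (register destination plus sources, with `in[N]` marking input byte N). The backward pass slices from the faulting operand back to the instructions and input offsets that fed it (the "which input influences the crash" mapping); the forward pass keeps propagating past the crash, as if the fault had been survived, and reports which sinks (indirect call target, store address or value) carry input taint. The names `Insn`, `triage`, the sink categories and the simplification that a load through a tainted pointer yields a tainted value are all assumptions of this example.

```python
"""Toy dual-direction taint analysis over a recorded instruction trace.

Constructed illustration, not DPTrace code. Instructions are simplified
(op, dst, srcs) tuples; a source written as "in[N]" is input byte N and
"const" is an untainted literal.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Insn:
    op: str                 # "mov", "add", "load", "store", "call"
    dst: Optional[str]      # register written, or None for sinks
    srcs: Tuple[str, ...]   # registers / inputs read


# Constructed trace: eax is built from input bytes 0 and 1 and then
# dereferenced (the crash), after which the loaded value reaches a store
# address and an indirect call target.
TRACE: List[Insn] = [
    Insn("mov", "eax", ("in[0]",)),
    Insn("mov", "ebx", ("in[4]",)),
    Insn("mov", "ecx", ("const",)),
    Insn("add", "eax", ("eax", "in[1]")),
    Insn("load", "edx", ("eax",)),          # crash site: deref of eax
    Insn("add", "ebx", ("ebx", "edx")),
    Insn("store", None, ("ebx", "ecx")),    # writes ecx to [ebx]
    Insn("call", None, ("edx",)),           # indirect call through edx
]
CRASH_INDEX = 4


def taint_of(taint: Dict[str, Set[int]], src: str) -> Set[int]:
    """Input offsets that influence `src` under the current taint state."""
    if src.startswith("in["):
        return {int(src[3:-1])}
    return set(taint.get(src, ()))


def forward_taint(trace: List[Insn]):
    """Forward propagation over the whole trace.

    Returns the final register->offsets map and a list of sink findings
    (index, kind, offsets). Simplification: a load through a tainted
    address yields a tainted value (real tools track memory separately).
    """
    taint: Dict[str, Set[int]] = {}
    findings = []
    for i, insn in enumerate(trace):
        src_taint = [taint_of(taint, s) for s in insn.srcs]
        if insn.op == "store":
            addr_t, val_t = src_taint
            if addr_t:
                findings.append((i, "write-address", addr_t))
            if val_t:
                findings.append((i, "write-value", val_t))
        elif insn.op == "call" and src_taint[0]:
            findings.append((i, "control-flow-target", src_taint[0]))
        if insn.dst is not None:
            taint[insn.dst] = set().union(*src_taint)
    return taint, findings


def backward_slice(trace: List[Insn], crash_idx: int, operand: str):
    """Walk back from the crash, collecting the instructions and input
    offsets that feed `operand` at the faulting instruction."""
    wanted = {operand}
    slice_idx: List[int] = []
    offsets: Set[int] = set()
    for i in range(crash_idx - 1, -1, -1):
        insn = trace[i]
        if insn.dst in wanted:
            wanted.discard(insn.dst)
            slice_idx.append(i)
            for s in insn.srcs:
                if s.startswith("in["):
                    offsets.add(int(s[3:-1]))
                elif s != "const":
                    wanted.add(s)
    return sorted(slice_idx), offsets


def triage(trace: List[Insn], crash_idx: int, operand: str) -> dict:
    """Combine both directions: input mapping for the crash plus the
    tainted sinks reachable after it (the 'capabilities' view)."""
    slice_idx, offsets = backward_slice(trace, crash_idx, operand)
    _, findings = forward_taint(trace)
    return {
        "input_offsets": offsets,
        "slice": slice_idx,
        "capabilities": [f for f in findings if f[0] >= crash_idx],
    }


if __name__ == "__main__":
    result = triage(TRACE, CRASH_INDEX, "eax")
    print("input bytes reaching the crash:", sorted(result["input_offsets"]))
    print("contributing instructions:", result["slice"])
    for idx, kind, offs in result["capabilities"]:
        print(f"insn {idx}: tainted {kind} from input bytes {sorted(offs)}")
```

In this trace the backward slice reports input bytes 0 and 1 through instructions 0 and 3, and the forward pass flags a write whose address is influenced by bytes 0, 1 and 4 and an indirect call whose target is influenced by bytes 0 and 1, which is the kind of post-crash capability information a triager uses to rank the crash above a plain read fault. The forward taint at the crash operand should match the backward result; that agreement is a useful sanity check when implementing either direction.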

AI Generated Summary (may contain errors)


The speaker is discussing a tool for dynamic analysis of binaries, which can help identify vulnerabilities. The tool uses a tracer to follow the execution path of a program and provide context to an analyzer. The speaker notes that this approach has limitations, as it may not be able to see certain instructions or code paths. However, it is still a step forward in improving vulnerability detection.

The speaker acknowledges the work done by Giulio D’Angelo and others in developing similar tools. They also mention that their tool is available on GitHub and invite others to contribute to its development.

During a Q&A session, an audience member asks about the performance overhead of the tool and how it can help find the root cause of vulnerabilities. The speaker responds that the tool does not use certain hardware features to improve performance, but instead relies on tracing instructions to make analysis easier. They also note that while the tool can provide some insight into vulnerabilities, it is not a magic solution and may require additional analysis to identify the root cause of a bug.

Another audience member asks about comparisons with other tools, such as !exploitable. The speaker responds that their tool provides more context and information than !exploitable, but does not have specific metrics for comparison. They also mention that their approach is practical and has worked in their experience.