DOI: 10.1145/3274694.3274723
research-article

Towards Automated Generation of Exploitation Primitives for Web Browsers

Published: 03 December 2018

ABSTRACT

The growing dependence on software and the increasing complexity of such systems build and feed the attack surface for exploitable vulnerabilities. Security researchers put a lot of effort into developing exploits and analyzing existing exploits with the goal of staying ahead of the state of the art in attacks and defenses. The need for automated systems that operate at scale, speed and efficiency is therefore undeniable. Given their complexity and large user base, web browsers pose an attractive target. Due to various mitigation strategies, the exploitation of a browser vulnerability has become a time-consuming, multi-step task: creating a working exploit even from a crashing input is a resource-intensive task that can take a substantial amount of time to complete. In many cases, the input that triggers a vulnerability follows a crashing path but does not enter an exploitable state.

In this paper, we introduce novel methods to significantly improve and partially automate the development process for browser exploits. Our approach is based on the observation that an analyst typically performs certain manual analysis steps that can be automated. The purpose of these steps is to propagate the bug-induced, controlled data to a specific program location in order to carry out a desired action. These actions include achieving a write-what-where primitive or control over the instruction pointer. Such primitives are useful for extending control over the target program and are prerequisites for successful code execution, the ultimate goal of the adversary. We implemented a prototype of our approach called PrimGen. For a given browser vulnerability, it is capable of automatically crafting data objects that lead the execution to a desired action. We show in our evaluation that our approach is able to generate new and previously unknown exploitation opportunities for real-world vulnerabilities in Mozilla Firefox, Internet Explorer, and Google Chrome. Using small templates, PrimGen generates inputs that conduct specific primitives. In total, PrimGen has found 48 JavaScript inputs which conduct the desired primitives when fed into the target browsers.

Published in

ACSAC '18: Proceedings of the 34th Annual Computer Security Applications Conference
December 2018
766 pages
ISBN: 9781450365697
DOI: 10.1145/3274694

Copyright © 2018 ACM


Publisher

Association for Computing Machinery, New York, NY, United States


Qualifiers

research-article, Research, Refereed limited

Acceptance Rates

Overall Acceptance Rate: 104 of 497 submissions, 21%
