This research focuses on determining the practical exploitability of software issues by means of crash analysis. The goal was not to generate exploits automatically, nor even to fully automate the entire process of crash analysis, but to provide a holistic, feedback-oriented approach that augments a researcher's efforts in triaging the exploitability and impact of a program crash (or fault). The result is a semi-automated crash analysis framework that can speed up the work of an exploit writer (analyst). Fuzzing, a powerful method for vulnerability discovery, keeps getting more popular in all segments of the industry, from developers to bug hunters. With fuzzing frameworks becoming more sophisticated (and intelligent), the burden on product security teams and exploit analysts of triaging the constant influx of bug reports and associated crashes received from external researchers has increased dramatically. Exploit writers also face new challenges: with the advance of modern protection mechanisms, bug bounties and high prices for vulnerabilities, the time available to analyze a potential issue and write a working exploit is shrinking.
Given the need to improve the existing tools and methodologies in the field of program crash analysis, our research speeds up dealing with a vast corpus of crashes. We discuss existing problems and ideas and present our approach, which is in essence a combination of backward and forward taint propagation systems. The idea is to leverage both approaches and integrate them into a single framework that provides, at the moment of a crash, a mapping of the input areas that influence the crash situation and, from the crash onward, an analysis of the potential capabilities for achieving code execution. We discuss the concepts and the implementation of two functional tools developed by the authors (one of which was previously released) and discuss the benefits of integrating them. Finally, we demonstrate the use of the integrated tool (DPTrace, to be released as open source at Black Hat) on public vulnerabilities (zero-days at the time of their release), including a few that the authors themselves discovered, analyzed/exploited and reported.
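As an added illustration of the two directions the abstract combines (this is not DPTrace's code; the trace format, operand names and input layout are constructed assumptions), the following toy shows forward taint propagation carrying input offsets to the faulting operands, and a backward slice from the crash that keeps only the instructions defining them:

```python
from collections import defaultdict

# Constructed trace: (index, destination operand, [source operands]).
# Registers are named, memory operands are written as "mem[<addr>]".
TRACE = [
    (0, "eax", ["mem[0x100]"]),    # load input[0]
    (1, "ebx", ["mem[0x104]"]),    # load input[4]
    (2, "edi", ["mem[0x108]"]),    # load input[8]; unrelated to the fault
    (3, "ecx", ["mem[0x200]"]),    # load an untainted global
    (4, "eax", ["eax", "ebx"]),    # add eax, ebx
    (5, "ebx", ["edi"]),           # mov ebx, edi (ebx redefined after use)
    (6, "eax", ["eax"]),           # shl eax, 2
    (7, "mem[0x300]", ["eax"]),    # store the derived value
    (8, "esi", ["mem[0x300]"]),    # reload it
    (9, "FAULT", ["esi", "ecx"]),  # faulting access depends on esi and ecx
]

# Assumed input layout: which memory operands hold which input offsets.
INPUT = {"mem[0x100]": {0}, "mem[0x104]": {4}, "mem[0x108]": {8}}

def forward_taint(trace, input_map):
    """Carry input offsets forward; returns the taint of each index's dst."""
    taint = defaultdict(set, {k: set(v) for k, v in input_map.items()})
    per_insn = {}
    for idx, dst, srcs in trace:
        taint[dst] = set().union(*(taint[s] for s in srcs))
        per_insn[idx] = taint[dst]
    return per_insn

def backward_slice(trace, crash_index):
    """Walk back from the crash; keep only instructions defining its operands."""
    wanted = set(trace[crash_index][2])
    contributing = []
    for idx, dst, srcs in reversed(trace[:crash_index]):
        if dst in wanted:
            contributing.append(idx)
            wanted.discard(dst)
            wanted.update(srcs)
    return sorted(contributing), sorted(wanted)  # remaining = root sources

def crash_to_input(trace, input_map, crash_index):
    """Combine both views: input bytes reaching the fault plus its slice."""
    fwd = forward_taint(trace, input_map)
    slice_idx, roots = backward_slice(trace, crash_index)
    return {"input_offsets": fwd[crash_index], "slice": slice_idx, "roots": roots}

if __name__ == "__main__":
    print(crash_to_input(TRACE, INPUT, 9))
```

Instructions 2 and 5 carry input offset 8 but drop out of the slice, which is the kind of noise the crash-to-input mapping is meant to remove.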
Rodrigo Rubira Branco (BSDaemon) works as Principal Security Researcher at Intel Corporation in the Security Center of Excellence, where he leads the Client Core Team. He is the Founder of the Dissect || PE Malware Analysis Project. He held positions as Director of Vulnerability & Malware Research at Qualys and as Chief Security Researcher at Check Point, where he founded the Vulnerability Discovery Team (VDT) and disclosed dozens of vulnerabilities in many important software products. In 2011 he was honored as one of the top contributors to Adobe vulnerabilities in the past 12 months. Previous to that, he worked as Senior Vulnerability Researcher at COSEINC, as Principal Security Researcher at Scanit and as Staff Software Engineer in the IBM Advanced Linux Response Team (ALRT), also working in the IBM Toolchain (Debugging) Team for the PowerPC Architecture. He is a member of the RISE Security Group and is the organizer of Hackers to Hackers Conference (H2HC), the oldest security research conference in Latin America. He is an active contributor to open-source projects (such as ebizzy, the Linux kernel and others). He has been an accepted speaker at many security and open-source events, including H2HC, Black Hat, Hack in The Box, XCon, OLS, Defcon, Hackito, Zero Nights, Troopers and many others.
Rohit Mothe worked for iDefense Labs, VeriSign as a vulnerability researcher and has many years of experience in vulnerability hunting and exploit writing. Currently, he is part of the Intel Security Center of Excellence, directly contributing to finding vulnerabilities in the Manageability Engine for Client Platforms.