Automatic Patch-Based Exploit Generation is Possible: Techniques and Implications

The automatic patch-based exploit generation problem is: given a program P and a patched version of the program P', automatically generate an exploit for the potentially unknown vulnerability present in P but fixed in P'. In this paper, we propose techniques for automatic patch-based exploit generation, and show that our techniques can automatically generate exploits for 5 Microsoft programs based upon patches provided via Windows Update. Although our techniques may not work in all cases, a fundamental tenant of security is to conservatively estimate the capabilities of attackers. Thus, our results indicate that automatic patch-based exploit generation should be considered practical. One important security implication of our results is that current patch distribution schemes which stagger patch distribution over long time periods, such as Windows Update, may allow attackers who receive the patch first to compromise the significant fraction of vulnerable hosts who have not yet received the patch.

[1]  Stefan Savage,et al.  Inside the Slammer Worm , 2003, IEEE Secur. Priv..

[2]  Koushik Sen,et al.  DART: directed automated random testing , 2005, PLDI '05.

[3]  Arnaud Gotlieb,et al.  Automatic test data generation using constraint solving techniques , 1998, ISSTA '98.

[4]  Hao Wang,et al.  Towards automatic generation of vulnerability-based signatures , 2006, 2006 IEEE Symposium on Security and Privacy (S&P'06).

[5]  Barton P. Miller,et al.  An empirical study of the robustness of Windows NT applications using random testing , 2000 .

[6]  Thomas Dullien,et al.  Graph-based comparison of Executable Objects , 2005 .

[7]  Sarfraz Khurshid,et al.  Korat: automated testing based on Java predicates , 2002, ISSTA '02.

[8]  Miguel Castro,et al.  Vigilante: end-to-end containment of internet worms , 2005, SOSP '05.

[9]  Fred B. Schneider,et al.  Enforceable security policies , 2000, TSEC.

[10]  Hao Wang,et al.  Creating Vulnerability Signatures Using Weakest Preconditions , 2007, 20th IEEE Computer Security Foundations Symposium (CSF'07).

[11]  Edsger W. Dijkstra,et al.  A Discipline of Programming , 1976 .

[12]  Barton P. Miller,et al.  An empirical study of the robustness of MacOS applications using random testing , 2006, RT '06.

[13]  Mary Lou Soffa,et al.  Automated test data generation using an iterative relaxation method , 1998, SIGSOFT '98/FSE-6.

[14]  Manuel Costa,et al.  Bouncer: securing software by blocking bad input , 2008, WRAITS '08.

[15]  David L. Dill,et al.  A Decision Procedure for Bit-Vectors and Arrays , 2007, CAV.

[16]  Patrice Godefroid,et al.  Automated Whitebox Fuzz Testing , 2008, NDSS.

[17]  Zhenkai Liang,et al.  Towards Automatic Discovery of Deviations in Binary Implementations with Applications to Error Detection and Fingerprint Generation , 2007, USENIX Security Symposium.

[18]  Dawson R. Engler,et al.  EXE: A system for automatically generating inputs of death using symbolic execution , 2006, CCS 2006.

[19]  Christos Gkantsidis,et al.  Planet scale software updates , 2006, SIGCOMM '06.

[20]  Nikolai Tillmann,et al.  Automating Software Testing Using Program Analysis , 2008, IEEE Software.

[21]  Halvar Flake,et al.  Structural Comparison of Executable Objects , 2004, DIMVA.

[22]  Barton P. Miller,et al.  An empirical study of the reliability of UNIX utilities , 1990, Commun. ACM.

[23]  David Brumley,et al.  Replayer: automatic protocol replay by binary analysis , 2006, CCS '06.

[24]  Steven S. Muchnick,et al.  Advanced Compiler Design and Implementation , 1997 .

[25]  Bogdan Korel,et al.  Automated Software Test Data Generation , 1990, IEEE Trans. Software Eng..

[26]  Debin Gao,et al.  BinHunt: Automatically Finding Semantic Differences in Binary Programs , 2008, ICICS.