The Future of Security and Exploitation
Modern Binary Exploitation
CSCI 4968 - Spring 2015
Markus Gaasedelen
MBE - 05/12/2015 Future of Security & Exploitation 1
DEFCON Quals
• May 15/16/17
– Starts 8pm Friday, May 15th
– Sage 3101 Friday, Sage 4101 Saturday/Sunday
• Extra Credit
– Letter grade raise on a Lab
– OR +10% on the final project
• To get the extra credit
– Solve one challenge (that’s not a sanity check)
– OR Play 10 hours on Saturday and/or Sunday
Lecture Overview
• Security
– Security Today
– Security Tomorrow
• Exploitation
– Exploitation Today
– Exploitation Tomorrow
CVE Statistics – May 2015
[Link]
June 2013
Security Trends
• As you know, security and mitigation
technologies are no doubt getting better
– Why the spike in 2014?
• Possibly a result of the Snowden revelations
– The fallout raised global awareness and interest in
security/privacy. ‘Cyber’ in the news ever since
Unsustainable Complexity
• Exploits are getting more and more complex
– More bugs
– More time
– More money
• At what point do hobbyists have to draw the
line? Companies? Contractors? Nation States?
Unsustainable Complexity
[Chart: Exploit Complexity (cost, $ up to $$$$$) against Years, 2015 to 20??, with the ceilings of the hobbyist, sec firms, and nation states marked from bottom to top]
The Security Mindset
• Systems and applications will never be
perfectly secure. Period.
• They just have to be hard enough to break
that nobody can afford it anymore
The Weakest Link - Humans
[Link]
Lecture Overview
• Security
– Security Today
– Security Tomorrow
• Exploitation
– Exploitation Today
– Exploitation Tomorrow
The Future of Security
• The entry bar for binary exploitation is rising
faster and faster
– It is starting to outpace the interest, ability, and
dedication that individuals and hobbyists can bring to
entering the field
Unsustainable Complexity
[Chart: Exploit Complexity (cost, $ up to $$$$$) against Years, 2015, 2020?, 20??, with the hobbyist’s ceiling marked]
The Future of Security
• Memory corruption based exploits will no
longer be feasible to produce for the average
desktop or server
– Within the next 10-20 years (?)
• Embedded devices are further behind on mitigations
and will stay exploitable for longer
The Future of Security
• Implementation & logic flaws will probably
always exist
– You can’t really fix stupid
• What we will see and discover more of:
– Sponsored backdoors, ‘cheating’
– Hardware backdoors, flaws, supply chain trust
– Crypto backdoors, subtle design flaws
Lecture Overview
• Security
– Security Today
– Security Tomorrow
• Exploitation
– Exploitation Today
– Exploitation Tomorrow
This Course
• You spent hours looking for bugs
• You spent hours reversing in IDA
• You spent hours debugging with GDB
• You spent hours writing python
Bug Hunting
• Looking for bugs with or without source is the
most time consuming part of the process
• How can we find these bugs faster?
– Automation
Static Code Analyzers
• Source code analyzers can help find bugs
statically, but they can also miss a lot
– Very hard to detect many real-world UAFs statically:
the free and the dangling use are usually separated by
aliasing and control flow the analyzer cannot resolve
• Coverity is popular with the kids nowadays
– Coverity Scan integrates straight with GitHub
• Tons of good options for C/C++ code
– [Link]
Fuzzing
• Fuzzing – The act of mangling data and
throwing it at a target application to see if it
mishandles it in some fashion
• Fuzzing has probably been the source of over
95% of the bugs found in the past 10 years (a rough
estimate)
– The fuzzing era is starting to wind down: the shallow
bugs it finds cheaply are being fuzzed out
Fuzzing
• Remember these labs?
– 7C
– 7A
– 9C
– 9A
– …
• Since the scope of the labs is so small, it would
have been easy to fuzz them
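The fuzzing loop described above, written out as an added example (this is not code from the course or its labs): seeds are mutated at random, thrown at a target, and anything other than a clean return or an expected rejection is bucketed as a crash and then minimized. The target `parse_record`, its `MB` record format, its checksum and its length-byte bug are all constructed for this illustration; the only thing it shares with the labs is the small scope that makes it easy to fuzz.

```python
"""Minimal mutation fuzzer, constructed for this example (not course code).
Seeds are mutated at random and thrown at the target; a clean return or an
*expected* rejection is fine, anything else is bucketed as a crash."""
import random
import traceback

INTERESTING = [0x00, 0x01, 0x7f, 0x80, 0xff]    # classic boundary bytes


def mutate(data: bytes, rng: random.Random) -> bytes:
    """One random mutation: bit flip, random byte, boundary byte, insert,
    delete, or truncate."""
    buf = bytearray(data)
    choice = rng.randrange(6)
    if not buf or choice == 3:                  # insert (only option when empty)
        buf.insert(rng.randint(0, len(buf)), rng.randrange(256))
    elif choice == 0:                           # flip one bit
        buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    elif choice == 1:                           # overwrite with a random byte
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif choice == 2:                           # overwrite with a boundary value
        buf[rng.randrange(len(buf))] = rng.choice(INTERESTING)
    elif choice == 4:                           # delete a byte
        del buf[rng.randrange(len(buf))]
    else:                                       # truncate
        del buf[rng.randrange(len(buf)):]
    return bytes(buf)


def crash_signature(exc: BaseException) -> tuple:
    """Bucket by exception type and the innermost frame that raised, so one
    bug hit by a thousand inputs is reported once."""
    frame = traceback.extract_tb(exc.__traceback__)[-1]
    return (type(exc).__name__, frame.name, frame.lineno)


def fuzz(target, seeds, iterations, rng, expected=(ValueError,)):
    """Return {signature: shortest crashing input} after `iterations` runs."""
    corpus, crashes = list(seeds), {}
    for _ in range(iterations):
        data = mutate(rng.choice(corpus), rng)
        try:
            target(data)
        except expected:
            continue                            # handled rejection: not a bug
        except Exception as exc:
            sig = crash_signature(exc)
            if sig not in crashes or len(data) < len(crashes[sig]):
                crashes[sig] = data
            continue
        if len(corpus) < 64:                    # no coverage feedback here: AFL keeps
            corpus.append(data)                 # inputs that reach new edges, we keep
    return crashes                              # whatever the parser accepts


def minimize(target, data: bytes, sig: tuple) -> bytes:
    """Drop every byte whose removal keeps the same crash signature."""
    i = 0
    while i < len(data):
        candidate = data[:i] + data[i + 1:]
        try:
            target(candidate)
        except Exception as exc:
            if crash_signature(exc) == sig:
                data = candidate
                continue
        i += 1
    return data


def parse_record(data: bytes) -> dict:
    """Constructed lab-style target: 'MB' magic, type byte, length byte,
    payload, one checksum byte.  Bug: the length byte is trusted, so a
    length that runs past the buffer indexes out of range (the Python
    stand-in for reading past a stack buffer in C)."""
    if len(data) < 4 or data[:2] != b"MB":
        raise ValueError("bad magic")           # expected rejection
    rtype, length = data[2], data[3]
    payload = data[4:4 + length]
    checksum = data[4 + length]                 # IndexError when length lies
    if sum(payload) & 0xff != checksum:
        raise ValueError("bad checksum")        # expected rejection
    return {"type": rtype, "payload": payload}


SEED = b"MB\x01\x03abc\x26"                     # one valid record: sum(b"abc") & 0xff == 0x26


def find_bugs(iterations=500, seed=7):
    """Fuzz parse_record and return {signature: minimized crashing input}."""
    crashes = fuzz(parse_record, [SEED], iterations, random.Random(seed))
    return {sig: minimize(parse_record, data, sig) for sig, data in crashes.items()}


if __name__ == "__main__":
    for sig, data in find_bugs().items():
        print(sig, data)
```

Run it and the length-byte bug falls out within a few hundred iterations, minimized to the four bytes that matter (magic, type, and a lying length). Separating expected rejections from real faults is what keeps the report useful; AFL's contribution over this loop is coverage feedback for deciding which mutated inputs are worth keeping, which the `len(corpus) < 64` line only crudely stands in for.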
American Fuzzy Lop (AFL)
• A ‘security-oriented’ fuzzer driven by coverage
instrumentation that it inserts at compile time
(the afl-gcc / afl-clang compiler wrappers)
– Needs the target’s source code to be at its most
effective; a slower QEMU mode exists for binaries
• Great for file format fuzzing!
– Generally not that useful for CTF fuzzing :/ (most
CTF targets are small interactive stdin/network
services, not file parsers)
• [Link]
Fundamentals of Modern Bugs
• As the bugs get more refined and complex,
fuzzing will only take us so far
• Many modern bugs have to be ‘forced’ by
requiring very specific conditions
– like some sort of crazy edge cases
QIRA
• A ‘timeless debugger’ – By GeoHot
– Records a whole run, so you can observe the
binary’s state at any point of its execution
for a given input
– You can move forwards and backwards in time
• Super basic taint-style functionality
– Helps visualize reads and writes of specific
memory addresses
• [Link]
PANDA
• An ‘open-source Platform for Architecture-Neutral
Dynamic Analysis’ – By MIT Lincoln Laboratory (MITLL)
• Built on top of QEMU, allows instrumentation,
analysis, and record/replay of an entire system
• Awesome plugin infrastructure
– Lifts QEMU’s translated code to LLVM Intermediate
Representation, so one analysis plugin (e.g. taint)
fits all guest CPUs
• [Link]
Advanced Concepts Today
• Taint Analysis
– Tracing the impact of user input throughout the
binary, and how it influences execution
– PANDA, QIRA
• Symbolic Execution + SAT/SMT Solving
– Proving that the specific path conditions needed to
manifest a difficult bug are satisfiable, and getting
back the concrete input that does it
– Z3, SMT-LIB
• Machine Learning
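Taint analysis as sketched above, written out as an added example (this is not code from the course, QIRA or PANDA, which do the same thing over real instruction traces): a toy register machine whose values carry the set of input offsets they derive from, with memory addresses and branch conditions as sinks. The instruction set, register names and the two sample programs are assumptions constructed for the illustration.

```python
"""Toy dynamic taint tracker over a tiny register machine, constructed for
this example.  Every value carries the set of input offsets it was derived
from; a tainted value reaching a sink (memory address or branch condition)
is reported together with the index of the instruction that used it."""
from dataclasses import dataclass


@dataclass
class Val:
    v: int
    taint: frozenset = frozenset()      # input offsets that influenced this value


class TaintVM:
    """Registers are named strings, memory is a small array, input is the
    'stdin' the program reads from.  Arithmetic is 8-bit."""

    def __init__(self, stdin: bytes, mem_size: int = 32):
        self.regs, self.stdin = {}, stdin
        self.mem = [Val(0) for _ in range(mem_size)]
        self.hits = []                  # (pc, sink, taint) for every tainted sink use

    def _sink(self, pc, what, val):
        if val.taint:
            self.hits.append((pc, what, val.taint))

    def run(self, program):
        pc = 0
        while pc < len(program):
            op, *a = program[pc]
            nxt = pc + 1
            if op == "mov":             # constant: fresh, untainted value
                self.regs[a[0]] = Val(a[1] & 0xff)
            elif op == "read":          # byte from input: the taint source
                self.regs[a[0]] = Val(self.stdin[a[1]], frozenset({a[1]}))
            elif op == "add":           # propagate: union of operand taint
                x, y = self.regs[a[1]], self.regs[a[2]]
                self.regs[a[0]] = Val((x.v + y.v) & 0xff, x.taint | y.taint)
            elif op == "load":          # sink: address derived from input
                addr = self.regs[a[1]]
                self._sink(pc, "load", addr)
                self.regs[a[0]] = self.mem[addr.v]
            elif op == "store":         # sink: address derived from input
                addr = self.regs[a[0]]
                self._sink(pc, "store", addr)
                self.mem[addr.v] = self.regs[a[1]]
            elif op == "jlt":           # sink: input decides control flow
                cond = self.regs[a[0]]
                self._sink(pc, "jlt", cond)
                if cond.v < a[1]:
                    nxt = a[2]
            else:
                raise ValueError(f"unknown op {op!r} at {pc}")
            pc = nxt
        return self.hits


# Constructed program: attacker-controlled index straight into a memory read.
PROG_UNCHECKED = [
    ("read", "r0", 0),            # 0: r0 = stdin[0]              taint {0}
    ("add", "r1", "r0", "r0"),    # 1: r1 = r0 + r0               taint {0}
    ("load", "r2", "r1"),         # 2: r2 = mem[r1]  <- tainted address, reported
]

# Same program behind a bounds check.  When the check passes, the load's
# address is still input-derived, so it is still reported: taint tells you
# what the input *influences*, not whether the check keeps it in bounds.
PROG_CHECKED = [
    ("read", "r0", 0),            # 0
    ("add", "r1", "r0", "r0"),    # 1
    ("jlt", "r1", 32, 4),         # 2: if r1 < 32 goto 4  <- tainted branch, reported
    ("mov", "r1", 0),             # 3: out of range: clamp to a constant (untainted)
    ("load", "r2", "r1"),         # 4: r2 = mem[r1]
]


def trace(program, stdin: bytes):
    """Run `program` on `stdin` and return the list of tainted sink hits."""
    return TaintVM(stdin).run(program)


if __name__ == "__main__":
    print(trace(PROG_UNCHECKED, b"\x08"))   # tainted load at pc 2
    print(trace(PROG_CHECKED, b"\x08"))     # tainted branch at 2, tainted load at 4
    print(trace(PROG_CHECKED, b"\x40"))     # only the branch: the clamp path is untainted
```

The second program shows the caveat a practitioner hits with plain taint tracking: a bounds check does not remove taint, so on the in-range path the guarded load is still flagged, while on the out-of-range path only the branch is. Taint answers "does the input reach this address?", not "can the check be bypassed?"; the second question is what symbolic execution and a solver are for.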
Lecture Overview
• Security
– Security Today
– Security Tomorrow
• Exploitation
– Exploitation Today
– Exploitation Tomorrow
DARPA’s Cyber Grand Challenge
[Link]
About CGC
• A challenge set forth by DARPA
• Can we develop a completely autonomous
system that is capable of…
– finding vulnerabilities (whitebox and blackbox)
– patching said vulnerabilities
– writing exploits for said vulnerabilities
• [Link]
Exploitation of Tomorrow
• The ‘Cyber Reasoning Systems’ being
developed by CGC competitors are quickly
pushing the envelope of bug discovery and
exploitation
• The technology behind them is likely to be
some smart fuzzers guided by taint analysis,
constraint solvers, and more
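Symbolic execution with a constraint solver, listed under Advanced Concepts and named again as the likely engine behind the CGC systems above, as an added example (this is not code from the course, Z3 or any CGC entry): a toy concolic executor over 8-bit values. The target function, its two checks and the `BUG` marker are constructed for the illustration; the exhaustive `solve` is a stand-in for an SMT solver, and `to_smtlib` emits the same path condition as a real QF_BV query.

```python
"""Toy concolic execution with SMT-LIB output, constructed for this example
(not code from the course, Z3 or any CGC system).  The target runs on
concrete bytes while each branch records its symbolic 8-bit condition; the
search flips the last branch, asks a solver for bytes that take the other
side, and repeats until the guarded bug is reached.  `solve` is exhaustive
over the two input bytes, a stand-in for feeding the SMT-LIB to z3."""
import itertools


class Expr:
    """8-bit bitvector expression: variable, constant, or operator node.
    eval() gives the concrete value under an assignment; smt() prints the
    node in SMT-LIB 2 QF_BV syntax."""

    def __init__(self, op, *args):
        self.op, self.args = op, args

    def __xor__(self, o): return Expr("bvxor", self, lift(o))
    def __add__(self, o): return Expr("bvadd", self, lift(o))
    def __mul__(self, o): return Expr("bvmul", self, lift(o))
    def eq(self, o):      return Expr("=", self, lift(o))
    def ult(self, o):     return Expr("bvult", self, lift(o))

    def eval(self, env):
        if self.op == "var":   return env[self.args[0]]
        if self.op == "const": return self.args[0]
        if self.op == "not":   return not self.args[0].eval(env)
        a, b = self.args[0].eval(env), self.args[1].eval(env)
        if self.op == "=":     return a == b
        if self.op == "bvult": return a < b
        return {"bvxor": a ^ b, "bvadd": a + b, "bvmul": a * b}[self.op] & 0xff

    def smt(self):
        if self.op == "var":   return self.args[0]
        if self.op == "const": return f"(_ bv{self.args[0]} 8)"
        return "(" + " ".join([self.op] + [x.smt() for x in self.args]) + ")"


def lift(v):
    """Wrap Python ints as 8-bit constants; pass Expr through."""
    return v if isinstance(v, Expr) else Expr("const", v & 0xff)


class Tracer:
    """Decides each branch concretely but records the symbolic condition
    (or its negation) the executed path depended on."""

    def __init__(self, env):
        self.env, self.path = env, []

    def branch(self, cond):
        taken = cond.eval(self.env)
        self.path.append(cond if taken else Expr("not", cond))
        return taken


def target(x, y, t):
    """Constructed target: the bug hides behind two edge-case checks that
    blind fuzzing satisfies with probability 5/65536 per attempt."""
    if t.branch((x ^ 0x5a).eq(0x33)):           # needs x == 0x69
        if t.branch((y * 3 + x).ult(0x05)):     # needs (3*y + x) mod 256 < 5
            return "BUG"                        # stands in for the memory corruption
    return "ok"


def to_smtlib(constraints, names):
    """The path condition as a QF_BV query you could feed to z3 as-is."""
    lines = ["(set-logic QF_BV)"]
    lines += [f"(declare-const {n} (_ BitVec 8))" for n in names]
    lines += [f"(assert {c.smt()})" for c in constraints]
    return "\n".join(lines + ["(check-sat)", "(get-model)"])


def solve(constraints, names):
    """Stand-in SMT solver: exhaustive search over all 8-bit assignments.
    Returns the first satisfying assignment, or None if unsatisfiable."""
    for vals in itertools.product(range(256), repeat=len(names)):
        env = dict(zip(names, vals))
        if all(c.eval(env) for c in constraints):
            return env
    return None


def concolic_search(start, max_runs=10):
    """Generational search: run, flip the last branch of the recorded path,
    solve for an input that takes the other side, run again.  Returns the
    bug-triggering assignment and its path condition, or (None, path)."""
    names, env = list(start), dict(start)
    for _ in range(max_runs):
        t = Tracer(env)
        if target(Expr("var", "x"), Expr("var", "y"), t) == "BUG":
            return env, t.path
        last = t.path[-1]
        flipped = last.args[0] if last.op == "not" else Expr("not", last)
        env = solve(t.path[:-1] + [flipped], names)
        if env is None:                         # other side unreachable: dead branch
            return None, t.path
    return None, []


if __name__ == "__main__":
    env, path = concolic_search({"x": 0, "y": 0})
    print(env)                                  # {'x': 105, 'y': 51}
    print(to_smtlib(path, ["x", "y"]))
```

Three runs reach the bug (first flipping the magic check, then the arithmetic one) where a blind fuzzer needs on the order of 65536/5 attempts; that is the gap the "forced", edge-case bugs of the earlier slides open up, and why the CGC systems pair fuzzers with solvers. Pipe the output of `to_smtlib` into `z3 -in` to watch a real solver return the same model.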