(C) K_atc 2018 All Rights Reserved Girls Meets Symbolic Execution Assertion 2. Automated Exploit Generation Tomori Nao (@K_atc)

Girls Meets Symbolic Execution (2) by @K_atc Author Nao Tomori ( @K_atc @K-atc） Security Engineer Interested in binary analysis, CTF, illustration, and design Illustration K_atc Doing for 6 years. Person same with author. https://www.pixiv.net/member.php?id=4440209 2 Profile

Girls Meets Symbolic Execution (2) by @K_atc 3 Previous story (Assertion 1) is...

Girls Meets Symbolic Execution (2) by @K_atc “Automated exploit generation” - two of girls are truly fascinated by its good sound. Aoi thought that vulnerabilities can be found when it comes to succeed in fuzzing. Futaba thought that symbolic execution automates exploits leverages vulnerabilities. At that time, black shadow gradually approaches to excited girls. 4 Summary

Girls Meets Symbolic Execution (2) by @K_atc Main Heroine Futaba Futaki 2nd year high school student. 17 years old. She has many repertory of room wear. Favorite food: Cream puff Favorite word: Binary tastes good. 5 Character introduction Heroine Aoi Sayama 2nd year university student. 19 years old. She loves room wear with hood of cat. Favorite food: Sushi Favorite word: Wasabi running over its space.

Girls Meets Symbolic Execution (2) by @K_atc ☺Introduction ☺Day 1 Exploit Automation ☺Day 2 Patient Aoi and Arbitrary Fuzzer ☺Day 3 Futaba + Symbolic Execution, Exploit Today ☺Demo / Conclusion 6 Table of contents

Introduction • What is symbolic execution? • What is exploit? 7

Girls Meets Symbolic Execution (2) by @K_atc Symbolic execution is a execution symbolizes any inputs. Symbol is similar to mathematical variables, and is NOT fixed values. In symbolic execution, execution environment such as registers, stack, memory, and files is symbolized. 8 What is symbolic execution? Generate Symbolic Vars Interpret Instructions Build Semantics Constraint Solving Path Selection Get Models Next slides illustrates example Fig. execution flow in Forward Symbolic Execution (FSE) (FSE is a method often adopted to implement symbolic execution)

void testme(int a, int b) { int c = 0; if (a * b == 6) { c = 1; if (a == 1) c = 3; } assert(a * b * c == 6); } Girls Meets Symbolic Execution (2) by @K_atc The following execution tree illustrates the process of symbolic execution. Node is a triple of next instruction, memory, path constraint*. Next slides are the steps to build this tree. 9 A example of symbolic execution using execution tree (o) (2. c = 0, {a ↦ α, b ↦ β}, true) (4. c = 1, {a ↦ α, b ↦ β, c ↦ 0}, α × β = 6) (7. assert, {a ↦ α, b ↦ β, c ↦ 0}, α × β ≠ 6) assert: fail (unsat) (5. c = 3, {a↦α, b↦β, c↦1}, α × β = 6 ∧ α = 1) (7. assert, {a↦α, b↦β, c↦1}, α × β = 6 ∧ α ≠ 1) (7. assert, {a↦α, b↦β, c↦3}, α × β = 6 ∧ α = 1) assert: pass (α = 1, β = 2) assert: pass (α = 2, β = 3) assert is assert(a * b * c == 6) (a) (b) (c) if-true if-false if-true if-false *Path constraint constraint of a path to be executed ▼ Execution target

Girls Meets Symbolic Execution (2) by @K_atc 1. Symbolize params a, b as α, β 2. Path constraint is true, because next instruction is always executed 10 Step 1. Symbolize inputs (o) (2. c = 0, {a ↦ α, b ↦ β}, true) (4. c = 1, {a ↦ α, b ↦ β, c ↦ 0}, α × β = 6) (7. assert, {a ↦ α, b ↦ β, c ↦ 0}, α × β ≠ 6) assert: fail (unsat) b↦β, c↦1}, α × β = 6 ∧ α = 1) (7. assert, {a↦α, b↦β, c↦1}, α × β = 6 ∧ α ≠ 1) (b) (c) if-true if-false if-true if-false void testme(int a, int b) { int c = 0; if (a * b == 6) { c = 1; if (a == 1) c = 3; } assert(a * b * c == 6); } PC (Next instruction)

Girls Meets Symbolic Execution (2) by @K_atc 1. Branches execution to handle branch instruction 11 Step 2. Branch execution (o) (2. c = 0, {a ↦ α, b ↦ β}, true) (4. c = 1, {a ↦ α, b ↦ β, c ↦ 0}, α × β = 6) (7. assert, {a ↦ α, b ↦ β, c ↦ 0}, α × β ≠ 6) assert: fail (unsat) b↦β, c↦1}, α × β = 6 ∧ α = 1) (7. assert, {a↦α, b↦β, c↦1}, α × β = 6 ∧ α ≠ 1) (b) (c) if-true if-false if-true if-false void testme(int a, int b) { int c = 0; if (a * b == 6) { c = 1; if (a == 1) c = 3; } assert(a * b * c == 6); }

Girls Meets Symbolic Execution (2) by @K_atc 1. value of c is updated to 0 《Substitution》 2. Think that we take if-then clause, and update path constraint 12 Step 3. Build semantics & Update path constraint (o) (2. c = 0, {a ↦ α, b ↦ β}, true) (4. c = 1, {a ↦ α, b ↦ β, c ↦ 0}, α × β = 6) (7. assert, {a ↦ α, b ↦ (5. c = 3, {a↦α, b↦β, c↦1}, α × β = 6 ∧ α = 1) (7. assert, {a↦α, b↦β, c↦1}, α × assert (a) (b if-true if-false if-true if-false void testme(int a, int b) { int c = 0; if (a * b == 6) { c = 1; if (a == 1) c = 3; } assert(a * b * c == 6); }

(o) (2. c = 0, {a ↦ α, b ↦ β}, true) = 1, {a ↦ α, b ↦ β, c ↦ 0}, α × β = 6) (7. assert, {a ↦ α, b ↦ β, c ↦ 0}, α × β ≠ 6) assert: fail (unsat) c↦1}, α × β = 6 ∧ α = 1) (7. assert, {a↦α, b↦β, c↦1}, α × β = 6 ∧ α ≠ 1) , c↦3}, α × β = 6 ∧ α = 1) assert: pass (α = 1, β = 2) assert: pass (α = 2, β = 3) assert is assert(a * b * c == 6) (a) (b) (c) if-true if-false if-true if-false Girls Meets Symbolic Execution (2) by @K_atc 1. value of c is updated to 1 《Substitution》 2. Think that we break if statement (①→②), and update path constraint 13 Step 4. Repeats previous steps void testme(int a, int b) { int c = 0; if (a * b == 6) { c = 1; if (a == 1) c = 3; } assert(a * b * c == 6); } ① ②

(o) (2. c = 0, {a ↦ α, b ↦ β}, true) = 1, {a ↦ α, b ↦ β, c ↦ 0}, α × β = 6) (7. assert, {a ↦ α, b ↦ β, c ↦ 0}, α × β ≠ 6) assert: fail (unsat) c↦1}, α × β = 6 ∧ α = 1) (7. assert, {a↦α, b↦β, c↦1}, α × β = 6 ∧ α ≠ 1) , c↦3}, α × β = 6 ∧ α = 1) assert: pass (α = 1, β = 2) assert: pass (α = 2, β = 3) assert is assert(a * b * c == 6) (a) (b) (c) if-true if-false if-true if-false What input executes current path? Solve current path constraint: α × β = 6 ∧ α ≠ 1 and, we get α = 2, β = 3 void testme(int a, int b) { int c = 0; if (a * b == 6) { c = 1; if (a == 1) c = 3; } assert(a * b * c == 6); } 14 Girls Meets Symbolic Execution (2) by @K_atc Step 5. Constraint Solving

Girls Meets Symbolic Execution (2) by @K_atc Test case generation [KLEE] It’s hard to perform high-coverage software test by hands! Reverse engineering [S2E, Triton] e.g. Path coverage, Deobfuscation Exploit generation (Includes crash) [AEG, S2E, Driller] eg. Control flow hijack 15 Usage of symbolic execution (Previous researches) [KLEE] Cadar, C., Dunbar, D., and Engler, D. (2008). KLEE: Unassisted and automatic generation of high-coverage tests for complex systems programs. [S2E] Chipounov, V., Kuznetsov, V., and Candea, G. (2012). The S2E platform: Design, implementation, and applications. [Triton] https://github.com/JonathanSalwan/Tigress_protection [AEG] T. Avgerinos, S. K. Cha, B. L. Tze Hao, and D. Brumley. (2011). AEG: Automatic Exploit Generation. [Driller] Stephens, N., Grosen, J., Salls, C., Dutcher, A., Wang, R., Corbetta, J., Shoshitaishvili, Y., Kruegel, C., and Vigna, G. (2016). Driller: Augmenting fuzzing through selective symbolic execution. Today’s topic

Part of exploit code Girls Meets Symbolic Execution (2) by @K_atc Exploit is a attack leverages software flaws. For example, Buffer over flow bugs → Spawn shell (/bin/sh) One of ways to exploit 16 What is exploit? Cause Crash Information Leak Arbitrary memory overwrite Hijack Program Counter Spawn shell Trigger Shellcode … SIGSEGV, SIGABRT, SIGBUS … e.g. libc function address … e.g. GOT Overwrite, UAF … e.g. Make program counter head to shellcode It’s hard manual task!

Girls Meets Symbolic Execution (2) by @K_atc i … Instruction I … Program inputs 17 [Reference] Definition of symbols

Exploit Automation Collaboration of Futaba and Aoi 18 Day 1 Aoi Futaba

Girls Meets Symbolic Execution (2) by @K_atc 19 Futaba’s reckless idea Using symbolic execution

Girls Meets Symbolic Execution (2) by @K_atc Limitation of symbolic execution ・Path explosion ➡ Exhaustive search is unrealistic ・Exponential increase of search space O(2m)* ➡ Not good at long inputs 20 Problems of Futaba’s idea * Where m is input length. Since behavior of programs is deterministic for inputs, this problem is equivalent to path explosion problem. Using symbolic execution

Girls Meets Symbolic Execution (2) by @K_atc Toward automation of exploit, is there any good solutions mitigates weakness of symbolic execution? 21 Black box that fulfills her wish ? Exploit Code Something Good Symbolic Execution ((o(´∀｀)o)) What... what is it?

Fuzzing (AFL) Symbolic Execution (Triton) Girls Meets Symbolic Execution (2) by @K_atc 22 Good collaboration: Aoia × Futaba (Fuzzing × Symbolic Execution)

Girls Meets Symbolic Execution (2) by @K_atc A security test that generates unexpected input and checks the presence of abnormal behavior 23 [Supplement] What is Fuzzing? Fuzzer Program Fig. Spectacle of idyllical fuzzing

Girls Meets Symbolic Execution (2) by @K_atc Goal Arbitrary Memory Overwrite → Control Flow Hijack* Details 1. Get input I that crashes using fuzzing** 2. Execute under input I, and get executed path P which causes crash 3. Detect control flow hijack vulnerability under path P*** 4. Solution of condition to trigger vulnerability is rough exploit code 24 White box that fulfills her wish Fuzzing Symbolic Execution Exploit Code Crash Input Seed Method I ︙ To Detect Control Flow Hijack Vulnerability *Control Flow Hijack A attack to hijack program counter. ** Should verify it is exploitable crash. In this time, Aoi (I) checked manually. *** Note that all crashes does NOT lead to this vulnerabilities. Day 2 Day 3

Mechanical Phish @Cyber Grand Challenge Girls Meets Symbolic Execution (2) by @K_atc Symbolic Execution × Exploit → AEG (2011) ・Goal: Automation of exploit code generation leverages control flow hijack vulnerability ・Attacked on: Exponential increase of search space problem ・Approach: Preconditioned Symbolic Execution (Limitation of input space) Fuzzing × Symbolic Execution → Driller (2016) ・Goal: Efficient vulnerability detection ・Attacked on: Path explosion problem ・Approach: Cover the drawbacks of symbolic execution using fuzzing [Reference] Theirs position in Cyber Reasoning System (CRS) 25 [Supplement] Previous researches on exploit automation Vulnerability Detection Exploit Generation Input Generation Automatic Patching Driller (CGC) AEG (Stack BOF)

Girls Meets Symbolic Execution (2) by @K_atc notes: original Linux CUI application which manages notes Pointer can be overwritten by buffer over flow bug Deploys shellcode to known address to make things simple 26 About demo application to be exploited Futaba% ./notes ---- [menu] ---- n: new note u: update note s: show notes q: quit input command: n ==== [note #0] ==== title: Futaki Futaba content: I’m a high school student. ---- [menu] ---- ... snipped ... input command: s note #0:Futaki Futaba I’m a high school student. typedef struct { char* content; char title[16]; } note; note notes[8]; void update_note(unsigned int note_id) { ... snipped ... _printf(“title: "); _fgets(notes[note_id].title, 1024, stdin); } ▼Buffer overflow bug section ▼Definition of notes struct Pointer can be overwritten BOF

Patient Aoi and Arbitrary Fuzzer Aoi (AFL) Side 27 Day 2

Girls Meets Symbolic Execution (2) by @K_atc Aoi adopted AFL to her work. AFL (American Fuzzy Lop) is a fuzzer (fuzzing software). AFL is OSS, and hosted by Michal Zalewski working at Google. 28 What is AFL?

Girls Meets Symbolic Execution (2) by @K_atc Setup and preparation are relatively easy. But, whether it works depends on the situation. 1. Prepare fuzzing target 2. Prepare seed (origin value to generate fuzz) 3. Start fuzzing 4. AFL generates input crashes target 5. Verification: Check how the target crashes under generated inputs 29 Flow of fuzzing by AFL afl-fuzz Seed Fuzz Target (In binary form) Crash Inputs afl-gcc Source Code Instrumentation with afl-gcc is optional (recommended) (1) (2) (3) (4) Verification (5)

Girls Meets Symbolic Execution (2) by @K_atc 30 Let’s Fuzzing (>ω<)/ afl-fuzz -i inputs/notes -o result ./notes n title content s n title 2 content! s u 3 n title 3 content!! s q ① Seed ② Start fuzzing ③ Wait for crash Number of crashes

Girls Meets Symbolic Execution (2) by @K_atc 31 Verify fuzzing result wasabi% xxd result-notes/crashes/id:000004,sig:07, src:000000,op:havoc,rep:32 00000000: 6ef8 5d69 74e9 6d0d 320a 730a 750a 330a 00000010: 6e6c 65ff 68ff ff6f 8121 212e 7a81 2121 00000020: 20d5 0a63 6e6e 2120 d50a 636e 6e66 adad 00000030: adad 66ad adad adad adad ad22 adad adad 00000040: adad ad9d adad adad 0d51 0a73 0a75 0a33 00000050: 0a6e 6c65 ff28 ffff 6f81 2121 20d5 0a63 00000060: 6e6e 6e6e 6e81 e16e 6e6e 6e6e 7e6e 6e6f 00000070: 6e21 ff00 730a 71 Verification result Crashed due to illegal memory access! It’s exploitable crash!! ➡Let’s pass this input to Futaba Bottom Fig. Crash input Right Fig. Inspection on gdb ③ rbp can be arbitrary value ② Terminated by illegal memory access ① Definitively the crash was reproduced

Futaba + Symbolic Execution, Exploit Today Futaba (Triton) Side 32 Day 3

Girls Meets Symbolic Execution (2) by @K_atc Futaba adopted Triton at this time Requirements • Tracer: can symbolically execute paths follows given input • libc: can symbolically fast execute libc 33 Futaba <| Which symbolic execution engine should I use? | Triton angr KLEE S2E Published in 2015 2016 2008 2011 Usability Medium Easy Easy Medium Hard User Script Python Python command line, C/C++ Lua, C++ Tracer Available Not Works N/A N/A libc Fully Symbolically Executed Replaced with Symbolic Procedure 1) Engine is written in C++ Python C++ C++ Essential requirements when crash occurs in libc Tbl. Comparison of symbolic execution engine Crashable execution path is known 1) libc can be symbolically executed, but slow

Girls Meets Symbolic Execution (2) by @K_atc A symbolic execution engine * leaded by Jonathan Salwan** (Qarkslab). Triton is able to: • give an instruction trace when executed on the outside (such as Intel Pin) and symbolically execute according to the execution path. • implement an emulator and symbolically execute entire binary. 34 [Supplement] About Triton (Image from https://github.com/JonathanSalwan/Triton ) * accurately, Triton is Dynamic Binary Analysis Framework ** a man of shellstorm

Girls Meets Symbolic Execution (2) by @K_atc 35 How to make an exploit code from a crash input? ① Generate crash input mov byte ptr [rbp], al Invalid Memory Access ② Arbitrary Memory Overwrite Native execution Symbolic Execution following traced path • Path constraint • Memory access constraint mov byte ptr [symvar_rbp], symvar_al Theorem on arbitrary memory overwrite: Be able to write value a on memory address A when executing this instruction ⇔constraint symvar_rbp == A, symvar_al == a is satisfiable • Crash Generate crash input Arbitrary Memory Overwrite PC Hijack Trigger shellcode Tracer executes according input of ①. Outputs instructions trace. NOTE: Described in AFL verification phase Crash input from AFL

Girls Meets Symbolic Execution (2) by @K_atc 36 How to make an exploit code from a crash input? GOT (Global Offset Table) holds libc function address. Using GOT Overwrite, libc function address are overwritten with X (*A = X). fputs() fputs@libc() Index Real Addr fputs fputs@libc GOT lookup call func fputs() X() Index Real Addr fputs X GOT (Overwritten) lookup call func ④ Trigger shellcode This time, there is a function to invoke shell and this address is known. Let X be shellcode address. ③ PC Hijack (In case of GOT Overwrite) Generate crash input Arbitrary Memory Overwrite PC Hijack Trigger shellcode

Girls Meets Symbolic Execution (2) by @K_atc From ❶ to ❸ are described following slides. • Symbolizing stdin and handling read syscall (❶) • Perform arbitrary memory overwrite in two steps (❷) • Wrong models* from path constraint for unknown reasons → Approach renewal: update the input • Run-time error of Triton (❸) • Tracer unexpectedly terminates Triton when received SIGBUS • Termination with exceptions of z3 37 Hardships of implementation * In constraint solver, a collection of values of variables which satisfies the constraint is called model

Girls Meets Symbolic Execution (2) by @K_atc You must symbolize stdin in sys_read when symbolic execution engine does not handle stdin symbolically. Triton is no exception. 38 ❶ Symbolizing stdin and handling read syscall def syscallsEntry(threadId, std): if getSyscallNumber(std) == SYSCALL64.READ: ### Hook read syscall fd = getSyscallArgument(std, 0) buff = getSyscallArgument(std, 1) size = getSyscallArgument(std, 2) if fd == 0: ### Memorize buffer address and read length when reading from stdin isRead = {'buff': buff, 'size': size} return def syscallsExit(threadId, std): if isRead is not None: size = isRead['size'] buff = isRead['buff'] for index in range(size): ### Symbolize the buffer Triton.convertMemoryToSymbolicVariable(MemoryAccess(buff+index, CPUSIZE.BYTE)) isRead = None return

Girls Meets Symbolic Execution (2) by @K_atc It’s difficult to generate “a payload that performs a specific memory overwrite” with one time symbolic execution when giving a crash input (causes bad mem access) to tracer. Futaba performed following two step symbolic execution. When instruction i crashes execution under input I, 1. feed input I, solve the constraint “inst i writes some value on memory address A” *, and generate payload P † 2. feed input P, solve the constraint “mem value at address A becomes X under inst i” **, and generate payload P † ➡ P´ corresponds to exploit code 39 ❷ Perform arbitrary memory overwrite in two steps † payload is generated to satisfy path constraint * A is GOT entry this time ** X is shellcode address this time i : mov byte ptr [rbp], al

Girls Meets Symbolic Execution (2) by @K_atc Futaba (I) encountered the following problem and it is fixed by her (my) pull request*. Tracer unexpectedly terminates Triton when received SIGBUS Triton can handle signals caused by Tracers, but Tracer ignores SIGBUS and terminates Triton. ➡ Fixed to handle SIGBUS in Tracer Termination with exceptions of z3 z3** throws (exception z3::exception) when constraint is wrong. Triton passes on this exception and exits with no messages. ➡ Fixed to catch this exception (thanks Jonathan for helping!） 40 ❸ Run-time error of Triton * This pullreq #695 is merged to dev-v0.6 branch. dev-v0.6 was merged with master branch in Jun 29, 2018. ** z3 is a constraint solver. Triton leverages z3 in back-end.

Demo / Conclusion 41

Girls Meets Symbolic Execution (2) by @K_atc 42 Demo! https://asciinema.org/a/oex5uONOiUy5lNb41fgBQALtb Execution time: 3 mins. Maximum memory usage: 100 MB

Girls Meets Symbolic Execution (2) by @K_atc Coding volumes about 400 lines Coding time 2 ~ 3 weeks Triton has lots of traps ;( I consumed lots of time because inefficient solver took 30 mins per execution. 43 Implementation scale

Girls Meets Symbolic Execution (2) by @K_atc Futaba and Aoi (I) worked on automated exploit generation with the following approach. 1. Generate input causes crash using fuzzing 2. Execute the path may triggers crash symbolically 3. Solve constraints and generate exploit code Futaba&Aoi’s (my) AEG is available on GitHub: https://github.com/macaron-et/wasabi-aeg Future work Apply this tool to other vulnerable application. Find exploitable crash using fuzzing. (Sadly, pwn binaries of CTF may have meaningless DoS vulnerabilities) 44 Conclusion Try it!

Girls Meets Symbolic Execution (2) by @K_atc バイナリ萌えの彼女がシンボリック実行に恋着していますが、 制約に挑む幼気な表情が最高です！（１） https://speakerdeck.com/katc/bainarimeng-efalsebi-nu-gasinboritukushi-xing-nilian- zhao-sitemasuga-zhi-yue-nitiao-muyou-qi-nabiao-qing-gazui-gao-desu-1 American Fuzzy Lop (AFL) http://lcamtuf.coredump.cx/afl/ Triton https://github.com/JonathanSalwan/Triton 45 References