Automatic exploits by patch analysis
Imagine: a security patch for a previously unknown security hole has just been released, and within minutes the first web sites are serving exploits derived from that patch, dropping a trojan on visitors that could, for example, steal their bank details. This horror scenario could soon become an everyday experience.
David Brumley and Pongsin Poosankam at the Carnegie Mellon School of Computer Science, Dawn Song at the University of California, Berkeley and Jiang Zheng at the University of Pittsburgh looked into whether exploits could be automatically generated for a vulnerability, based on a patch intended to cure it, and succeeded in showing it to be feasible.
They examined five Microsoft programs for which updates had been provided. Using tools such as BinDiff and EBDS, they compared the patched and unpatched files, looking for newly added input validation, for example checks on integer values. They then searched for input values that would make the added validation return an error; such inputs very probably trigger the hole the patch closes.
On that basis the researchers were able, within a short time, to generate exploits automatically that at the very least crashed the unpatched application. With several further passes the team was often able to turn such a hole into injection of their own code.
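As an added illustration, and not code from the article or from the researchers' paper, the toy below models the step just described: a parser whose patch consists of one added length check, a diff-style view of that check, and a search for inputs the new check rejects. The parser, the buffer size, the `Message` type and the candidate inputs are all constructed for this example; the paper's constraint solving over the added check is replaced by plain enumeration of a small candidate set. It also shows the caveat behind "very probably": a negative length is rejected by the patch but is harmless to the old parser.

```python
# Added example, not code from the article or from the APEG paper: a toy model
# of patch-based input analysis. The parser, the "patch" (one added length
# check), the buffer size and the candidate inputs are constructed for illustration.
from dataclasses import dataclass
from typing import Callable, List

BUFFER_SIZE = 16  # constructed: size of the fixed buffer the parser copies into


class ValidationError(Exception):
    """Raised by the patched parser when the newly added check rejects input."""


@dataclass(frozen=True)
class Message:
    declared_len: int  # untrusted length field from the message header
    payload: bytes


def parse_unpatched(msg: Message) -> bytes:
    """Pre-patch behaviour: trusts declared_len when copying into a fixed
    buffer. A bytearray stands in for the buffer, so an out-of-range write
    surfaces as IndexError instead of silent memory corruption."""
    buf = bytearray(BUFFER_SIZE)
    for i in range(msg.declared_len):
        buf[i] = msg.payload[i] if i < len(msg.payload) else 0
    return bytes(buf[:msg.declared_len])


def parse_patched(msg: Message) -> bytes:
    """Post-patch behaviour: identical except for one added validation, the
    kind of difference a binary diff of old and new file makes visible."""
    if msg.declared_len < 0 or msg.declared_len > BUFFER_SIZE:  # the added check
        raise ValidationError(f"declared_len {msg.declared_len} out of range")
    return parse_unpatched(msg)


def _is_rejected(patched: Callable[[Message], bytes], msg: Message) -> bool:
    try:
        patched(msg)
        return False
    except ValidationError:
        return True


def inputs_rejected_by_patch(patched: Callable[[Message], bytes],
                             candidates: List[Message]) -> List[Message]:
    """Core of patch-based analysis: inputs that make the new check fail are
    the ones the patch was written to stop. Enumeration over a constructed
    candidate set stands in for constraint solving over the added check."""
    return [m for m in candidates if _is_rejected(patched, m)]


def crashes_unpatched(msg: Message) -> bool:
    """Check whether a rejected input actually misbehaves on the old parser.
    Not every rejected input does: a negative length is refused by the patch
    but harmless here, which is the reason for the article's 'very probably'."""
    try:
        parse_unpatched(msg)
        return False
    except IndexError:
        return True


def candidate_messages(lo: int, hi: int) -> List[Message]:
    """Constructed candidate set: one message per declared length in [lo, hi)."""
    return [Message(n, b"A" * 8) for n in range(lo, hi)]


def analyse(lo: int = -2, hi: int = 33):
    """Returns (inputs rejected by the patch, how many of those crash the old parser)."""
    rejected = inputs_rejected_by_patch(parse_patched, candidate_messages(lo, hi))
    crashing = [m for m in rejected if crashes_unpatched(m)]
    return len(rejected), len(crashing)


if __name__ == "__main__":
    rejected, crashing = analyse()
    print(f"{rejected} inputs rejected by the added check, "
          f"{crashing} of them crash the unpatched parser")
```

The point for defenders is the asymmetry the article describes: the added check is a compact description of exactly which inputs the old code mishandled, so the patch itself narrows the search an attacker has to do, and the only counter is shortening the time during which unpatched machines are exposed.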
Since automatic patch analysis and exploit generation must now be regarded as feasible, the window between the release of a patch and exploitation of the vulnerability has shrunk considerably. Windows computers in the default configuration check for updates automatically at around three in the morning. If Microsoft has already published its patches at eight the previous evening, web sites can abuse the holes, which are then still open on most machines, to plant malicious code, for instance while users are still watching auctions on eBay and surfing the net in the early evening without having started a Windows update manually.
The research team therefore concludes that the way patches are delivered has to change. Patches can no longer be rolled out at a leisurely pace over a lengthy period, they say, but should reach all computers as soon as they are available. That is problematic in companies and on servers, where correct interaction between an update and the software in use has to be verified first.
- Automatic Patch-Based Exploit Generation, web site with paper (PDF) by David Brumley, Pongsin Poosankam, Dawn Song and Jiang Zheng