Casting exploit analysis as a Weird Machine reconstruction problem

09/27/2021
by   Robert Abela, et al.
0

Exploits constitute malware in the form of application inputs. They take advantage of security vulnerabilities inside programs in order to yield execution control to attackers. The root cause of successful exploitation lies in emergent functionality introduced when programs are compiled and loaded in memory for execution, called `Weird Machines' (WMs). Essentially WMs are unexpected virtual machines that execute attackers' bytecode, complicating malware analysis whenever the bytecode set is unknown. We take the direction that WM bytecode is best understood at the level of the process memory layout attained by exploit execution. Each step building towards this memory layout comprises an exploit primitive, an exploit's basic building block. This work presents a WM reconstruction algorithm that works by identifying pre-defined exploit primitive-related behaviour during the dynamic analysis of target binaries, associating it with the responsible exploit segment - the WM bytecode. In this manner any analyst familiar with exploit programming will immediately recognise the reconstructed WM bytecode's semantics. This work is a first attempt at studying the feasibility of this method and focuses on web browsers when targeted by JavaScript exploits.

READ FULL TEXT

page 1

page 2

page 3

page 4

research
12/23/2022

Detecting Exploit Primitives Automatically for Heap Vulnerabilities on Binary Programs

Automated Exploit Generation (AEG) is a well-known difficult task, espec...
research
11/27/2021

Evading Malware Analysis Using Reverse Execution

Malware is a security threat, and various means are adapted to detect an...
research
04/23/2018

Automatic Heap Layout Manipulation for Exploitation

Heap layout manipulation is integral to exploiting heap-based memory cor...
research
11/29/2019

Drndalo: Lightweight Control Flow Obfuscation Through Minimal Processor/Compiler Co-Design

Binary analysis is traditionally used in the realm of malware detection....
research
12/03/2020

Can I Take Your Subdomain? Exploring Related-Domain Attacks in the Modern Web

Related-domain attackers control a sibling domain of their target web ap...
research
04/30/2020

Non-Volatile Kernel Root kit Detection and Prevention in Cloud Computing

The field of web has turned into a basic part in everyday life. Security...
research
04/10/2018

Monotonic models for real-time dynamic malware detection

In dynamic malware analysis, programs are classified as malware or benig...

Please sign up or login with your details

Forgot password? Click here to reset