The original White Hat

Wed Apr 23 20:43:37 UTC 2008

Automated exploit generation


Some interesting research from CMU – automatic exploit generation, based on observing the differences between an original executable and its patched version.

The two inputs to the generator are the original program and its patched descendant. We don't know what the vulnerability was that caused the patch to be created, but the output is exploit code that can trigger the original vulnerability. Reasonably obviously, if we don't know what the vulnerability was, we can't automatically provide an attack payload, but you could do worse than just assume a stack smash, or just generate a variant for all current attack methods and see which ones work …
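A toy model of the differencing idea, added here as an illustration and not code from the CMU work: the "generator" knows nothing about the bug, it only searches for inputs that the patched version rejects and the original accepts. The parser, its 16-byte buffer and the record format are all constructed for this example.

```python
"""Toy model (constructed) of patch-based input generation.

`original` simulates a pre-patch parser that trusts a length byte and copies
into a fixed 16-byte buffer with no check; `patched` adds the bounds check.
The search below compares only the two versions' accept/reject decisions,
which is enough to recover the input class the patch was written to stop.
"""
from dataclasses import dataclass
import random

BUF_SIZE = 16  # hypothetical fixed-size buffer in the original program


@dataclass
class Outcome:
    accepted: bool
    overflow: bool  # would the original have written past BUF_SIZE?


def original(record: bytes) -> Outcome:
    # Pre-patch behaviour: first byte is a length, payload copied unchecked.
    n = record[0]
    payload = record[1:1 + n]
    return Outcome(accepted=True, overflow=len(payload) > BUF_SIZE)


def patched(record: bytes) -> Outcome:
    # Post-patch behaviour: the only change is the added length check.
    n = record[0]
    if n > BUF_SIZE:
        return Outcome(accepted=False, overflow=False)
    payload = record[1:1 + n]
    return Outcome(accepted=True, overflow=len(payload) > BUF_SIZE)


def divergent_inputs(trials: int, seed: int = 1) -> list[bytes]:
    """Return inputs the patched version rejects but the original accepts.

    Deterministic for a given seed so results can be reproduced.
    """
    rng = random.Random(seed)
    found = []
    for _ in range(trials):
        n = rng.randrange(0, 256)
        record = bytes([n]) + bytes(rng.randrange(256) for _ in range(n))
        if original(record).accepted and not patched(record).accepted:
            found.append(record)
    return found
```

Every divergent input found this way is also one that overflows the original's buffer, which is the point of the post: the patch itself documents the precondition of the bug it fixes.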

The overview page specifically discusses the way that Windows Update rolls out patches slowly around the world, giving plenty of time for an attacker to auto-generate exploits and point them at the later targets. The technique is general, however, and applies equally to anyone who issues updates, including the Linux world.

Of course, in the Linux world security patches are published with source code, so in theory all exploits are openly documented; but it still takes manual intervention to turn that code into an exploit, and that takes time. This automatic generation method is just as dangerous to Linux as it is to Microsoft …
