Binary analysis is essential for protecting software, running on various devices, when you do not have access to resources such as source code, open communications with the manufacturer, and otherwise private information that has not been made public. In each of these cases, traditional cybersecurity measures such as static source code analysis and applying the latest patch are not an option.<\/strong><\/span><\/p>\n Most firmware analysis and SBOM generation vendors only report known and\/or publicly published vulnerabilities (i.e., CVEs). These vendors do not deeply inspect the ground truth of a program\u2019s behavior; they do not analyze the machine code being executed as defined at the binary level. This leaves much to be desired, as novel exploits that are not yet published in the National Vulnerability Database still pose a daily threat to the client organizations.<\/p>\n This poses the following question: to what extent can novel binary exploit detection be automated? In this blog post, we will explore this problem through the lens of a user of ObjectSecurity’s BinLens\u2122<\/a> (formerly ObjectSecurity OT.AI Platform)\u00a0and walk through the steps they would take to detect a novel exploit in a binary executable program.<\/p>\n<\/div><\/div><\/div><\/div><\/div> Imagine you have a program that reads some form of user input. Although the source of this user input may vary (e.g., from the terminal, over the network, from a UI form, etc.), in most cases the program will define an internal function to parse the input and perform some operation. The previous statement is quite general, so let\u2019s provide a concrete example.<\/p>\n<\/div> When compiled, the source code produces a binary that takes as input a single command line argument, and then performs one of two operations depending upon it.<\/p>\n This behavior is demonstrated in the screenshot below:<\/p>\n<\/div> Although this example is contrived, it does mimic a simplified version of how vulnerable programs typically behave. Vulnerable programs read input data from an external source (in our case, a command line argument), and perform different operations depending on this input. These operations may contain certain weaknesses, some of which can be exploited if the program\u2019s developer wasn\u2019t careful enough.<\/p>\n In a real-world example, these unsafe operations are hidden deep within a binary file, only occurring in certain obtuse cases. Many times, developers might lack the knowledge, time, or resources to account for every possible edge case. This makes automating the detection of unsafe operations critical.<\/p>\n Let\u2019s assume that we don\u2019t have the source code for this binary (called sample_1<\/em>), and that we don\u2019t know what inputs cause it to crash. How then could we determine if the binary is exploitable? More specifically, how can we reliably determine that input 123<\/em> causes the program to crash, if we were never told this information?<\/p>\n<\/div><\/div><\/div><\/div><\/div> Fuzzing is an automated testing method that feeds pseudo-random input into a target program to generate exploits. This input is typically malformed, invalid, and\/or unexpected. Fuzzing a vulnerable program sometimes results in the exploitation of one or more weaknesses, causing the program to crash or perform some other kind of unintended behavior. Some weaknesses include:<\/p>\n Each of these weaknesses, and many others, are detectable by ObjectSecurity’s BinLens\u2122<\/a> (formerly ObjectSecurity OT.AI Platform). We can use fuzzing in conjunction with the assessment information produced by ObjectSecurity’s BinLens\u2122<\/a> (formerly ObjectSecurity OT.AI Platform)\u00a0to prove or disprove if any detected weakness is exploitable. In the case of sample_1<\/em>, our binary contains a heap overflow. A heap overflow occurs when memory on the program\u2019s heap is written to memory outside of the bounds that were allocated on the heap. Heap overflows can lead to segmentation faults, program crashes, data leaks, and data corruption.<\/p>\n Fuzzing is useful when a program consumes untrusted inputs. For example:<\/p>\n Once again, our trivial sample_1<\/em> case receives input from the command line, but you could imagine a more general case where the input is received from another source. The approach we will take to exploit the heap overflow weakness in sample_1<\/em> will involve in-memory fuzzing. In-memory fuzzing alleviates the need to know where the input to a program is coming from, making it more generally applicable than something like interface fuzzing.<\/p>\n<\/div><\/div><\/div><\/div><\/div> Our approach to determine if sample_1<\/em> is exploitable consists of the following steps:<\/p>\n Each step in this process can be generalized to varying degrees for other binary programs outside of just sample_1<\/em>. Although how step 3 is accomplished depends highly on the CPU architecture, compiler, and other factors, step 3 can be completed for pretty much any binary program you could envision. The same is true for the other steps. For the sake of simplicity, this article will stick to how the steps apply to sample_1<\/em>, and not focus too much on how each step applies to other binaries in general. That is a focus for another time.<\/p>\n Steps 1 and 2 are fully automated by ObjectSecurity’s BinLens\u2122<\/a> (formerly ObjectSecurity OT.AI Platform). When scanned, various assessments performed by the platform identified PC address 0x1220<\/em> as the location of a weakness. For example, the Weak Pointers assessment reported 0x1220<\/em> as a containing a weak pointer:<\/p>\n<\/div> The Dangerous Functions assessment reported a potentially dangerous instance of memcpy()<\/em> at 0x1220<\/em>.<\/p>\n<\/div> Other CWE-120 assessments also reported memcpy()<\/em> at 0x1220<\/em>, including a general buffer overflow detection assessment:<\/p>\n<\/div> Viewing the 0x1220<\/em> address in BinLens’ disassembler\/decompiler showed that the function containing the weakness is called heap_overflow()<\/em>,and that heap_overflow()<\/em> is called from memory_operation()<\/em>.<\/p>\n<\/div> BinLens took under 5 minutes to fully reverse engineer sample_1<\/em> (both disassembly and decompilation) and to produce these results.<\/p>\n<\/div><\/div><\/div> For step 3, the GNU Project Debugger (GDB) can be used to determine the argument(s) to the memory_operation()<\/em> function. GDB lets you see what is going on \u2018inside\u2019 another program while it executes (in this case, \u2018inside\u2019 sample_1<\/em>). GDB is typically used during the development process to find and address problems in source code but can also be used on binaries exclusively.<\/p>\n<\/div><\/div><\/div> A breakpoint at the memory_operation()<\/em> function can be set using the break memory_operation<\/em> command. This breakpoint will halt sample_1<\/em>\u2019s execution and allow us to run other GDB command at that time.<\/p>\n<\/div><\/div><\/div> We can then begin program execution. Because sample_1<\/em> requires us to input a command line argument, we include the command line argument as \u201carg\u201d<\/em>:<\/p>\n<\/div><\/div><\/div> As shown above, GDB pauses the binary’s execution at the start of the memory_operation()<\/em> function. At this point, we can determine the arguments to this function:<\/p>\n<\/div><\/div><\/div> The command above prints the value of the RDI register (in this case, the memory address 0x7fffffffdeda<\/em>) and the value found at memory address pointed to by the RDI register (in this case, “arg”<\/em>). As you can see, the RDI register points to memory containing the command line argument we gave to the program when we began running it.<\/p>\n (NOTE: This could have been in any register. Arguments are not always stored exclusively in the RDI register. This behavior varies between CPUs, compilers, and programming languages.)<\/em><\/p>\n For step 4, we want to fuzz the arguments to the memory_operation()<\/em> function by manipulating the value found at memory address 0x7fffffffdeda<\/em>: the memory address pointed to by the RDI register. To do this, I have provided a Python script called function_fuzzer.py<\/a> which makes use Python\u2019s GDB library to instrument GDB. The source code for this script can be found at the bottom of this article. The gist of this script is as follows:<\/p>\n [4.1]\u00a0\u00a0 Set a breakpoint at the start of the memory_operation() <\/em>function.<\/p>\n [4.2]\u00a0 Start executing the binary.<\/p>\n [4.3]\u00a0 Once at the breakpoint, create a checkpoint. This checkpoint allows GDB to rewind the binary’s state (e.g., current PC address, all register values, values stored in memory, etc.) to how it was at the time the checkpoint was created.<\/p>\n [4.4] Overwrite the value at the memory address pointed to by the RDI register with a random value.<\/p>\n [4.5] Finish executing the memory_operation()<\/em> function. If the program does not crash, rewind to the checkpoint created in [4.3]. If the program crashes, report the exploit.<\/p>\n (NOTE: In [4.4], you could alternatively allocate the random value to a different memory address and mutate the RDI register to point to this different memory address. This approach may be more applicable in certain scenarios.)<\/em><\/p>\n Running this script produced the follow output, some of which has been condensed as to not bloat the content of this article:<\/p>\n<\/div> As you can see, on iteration 1180 the input 123<\/em> was attempted. This input caused the program to perform a heap overflow, segmentation fault, and ultimately crash. The script took under a minute to find the exploit, although this speed was hastened because we only fuzzed with 3-byte long numeric values.<\/p>\n<\/div> This article demonstrates how parts of the novel binary exploit generation process can be automated using ObjectSecurity’s BinLens\u2122<\/a> (formerly ObjectSecurity OT.AI Platform), most notably target weakness detection. Because fuzzing is a time-consuming and computationally intensive process, we hope that the time saved by ObjectSecurity’s BinLens\u2122<\/a> (formerly ObjectSecurity OT.AI Platform)\u00a0in detecting and cataloging binary weaknesses allows for faster and more informed threat hunting. In the future, we plan on further automating the novel exploit detection process and improving our automated binary reverse engineering capabilities.<\/p>\n<\/div><\/div><\/div><\/div><\/div>Creating a Target Binary Executable<\/strong><\/h2><\/div><\/div><\/div>
\n
![](\"https:\/\/i0.wp.com\/objectsecurity.com\/wp-content\/uploads\/2024\/04\/Picture2.png?resize=624%2C96&ssl=1\" "\\"Picture2\\"")
<\/span><\/div><\/div><\/div>![](\"https:\/\/i0.wp.com\/objectsecurity.com\/wp-content\/uploads\/2024\/04\/Picture1.png?resize=326%2C704&ssl=1\" "\\"Picture1\\"")
<\/span><\/div><\/div><\/div>A Primer on Fuzzing<\/strong><\/h2><\/div><\/div><\/div>
\n
\n
In Memory Fuzzing using GDB<\/strong><\/h2><\/div><\/div><\/div>
\n
![](\"https:\/\/i0.wp.com\/objectsecurity.com\/wp-content\/uploads\/2024\/04\/Picture3.png?resize=609%2C362&ssl=1\" "\\"Picture3\\"")
<\/span><\/div>![](\"https:\/\/i0.wp.com\/objectsecurity.com\/wp-content\/uploads\/2024\/04\/Picture4.png?resize=617%2C215&ssl=1\" "\\"Picture4\\"")
<\/span><\/div>![](\"https:\/\/i0.wp.com\/objectsecurity.com\/wp-content\/uploads\/2024\/04\/Picture5.png?resize=624%2C345&ssl=1\" "\\"Picture5\\"")
<\/span><\/div>![](\"https:\/\/i0.wp.com\/objectsecurity.com\/wp-content\/uploads\/2024\/04\/Picture6.png?resize=607%2C520&ssl=1\" "\\"Picture6\\"")
<\/span><\/div>![](\"https:\/\/i0.wp.com\/objectsecurity.com\/wp-content\/uploads\/2024\/04\/Picture7.png?resize=452%2C661&ssl=1\" "\\"Picture7\\"")
<\/span><\/div>![](\"https:\/\/i0.wp.com\/objectsecurity.com\/wp-content\/uploads\/2024\/04\/Picture8.png?resize=367%2C65&ssl=1\" "\\"Picture8\\"")
<\/span><\/div><\/div><\/div>![](\"https:\/\/i0.wp.com\/objectsecurity.com\/wp-content\/uploads\/2024\/04\/Picture9.png?resize=265%2C45&ssl=1\" "\\"Picture9\\"")
<\/span><\/div><\/div><\/div>![](\"https:\/\/i0.wp.com\/objectsecurity.com\/wp-content\/uploads\/2024\/04\/Picture10.png?resize=624%2C106&ssl=1\" "\\"Picture10\\"")
<\/span><\/div><\/div><\/div>![](\"https:\/\/i0.wp.com\/objectsecurity.com\/wp-content\/uploads\/2024\/04\/Picture11.png?resize=201%2C46&ssl=1\" "\\"Picture11\\"")
<\/span><\/div><\/div><\/div>![](\"https:\/\/i0.wp.com\/objectsecurity.com\/wp-content\/uploads\/2024\/04\/Picture12.png?resize=494%2C425&ssl=1\" "\\"Picture12\\"")
<\/span><\/div>![](\"https:\/\/i0.wp.com\/objectsecurity.com\/wp-content\/uploads\/2024\/04\/Picture13.png?resize=505%2C137&ssl=1\" "\\"Picture13\\"")
<\/span><\/div><\/div><\/div><\/div><\/div>Conclusion<\/strong><\/h2><\/div><\/div><\/div>
Caveats<\/strong><\/h3><\/div><\/div><\/div>
\n
Resources<\/strong><\/h2><\/div><\/div><\/div>
\n