Summary: NorthSect 2016

Part 2: CanSecWest 2016

Part 1: 2015

Binary Constraint Solving: Automatic Exploit Generation

Talk Description:

"Practical Uses of Program Analysis to Enable Automatic Exploit Generation"

This talk will show how to perform a full chain control flow attack against a complex, stand-alone application. Specifically, how to use mcsema, llvm, and satisfiability solvers to discover a targeted execution path using side channel analysis. From this we show how to traverse this path to collect path constraints and solve for user input which would give us the desired output. This process can then be applied to any targeted behavior in a program, from finding known vulnerability characteristics to simply supplying the correct input to a ‘crackme’ binary.

Practical uses of program analysis will be presented and explained. Including Instrumentation, Symbolic and Concolic Execution, both in theory, in practice, and tools for each type.

A demonstration will conclude the talk by solving an obfuscated ‘crackme’ challenge using the above described process as well as a mini ‘competition’ by running a pintool solver and a pysymemu solver against the same binary and comparing to see which gets the flag first.



LLVM Symbolic Solver: Flow-sensitive constraint analysis
Tool based on Symbolic Analysis and LLVM concepts discussed in talk, available on github


Peerlyst [ Recap Sophia D'Antoine: Automating Exploitation ]