Automatic discovery of API-level exploits
Ganapathy, V.; Seshia, S.A.; Jha, S.; Reps, T.W.; Bryant, R.E.
Software Engineering, 2005. ICSE 2005. Proceedings. 27th International Conference on
Volume , Issue , 15-21 May 2005 Page(s): 312 - 321
Digital Object Identifier 10.1109/ICSE.2005.1553574
Summary: We argue that finding vulnerabilities in software components is different from finding exploits against them. Exploits that compromise security often use several low-level details of the component, such as layouts of stack frames. Existing software analysis tools, while effective at identifying vulnerabilities, fail to model low-level details, and are hence unsuitable for exploit-finding. We study the issues involved in exploit-finding by considering application programming interface (API) level exploits. A software component is vulnerable to an API-level exploit if its security can be compromised by invoking a sequence of API operations allowed by the component. We present a framework to model low-level details of APIs, and develop an automatic technique based on bounded, infinite-state model checking to discover API-level exploits. We present two instantiations of this framework. We show that format-string exploits can be modeled as API-level exploits, and demonstrate our technique by finding exploits against vulnerabilities in widely-used software. We also use the framework to model a cryptographic-key management API (the IBM CCA) and demonstrate a tool that identifies a previously known exploit.
View citation and abstract |
Cart
