Paladin describes a set of internal tools that automate the steps a researcher would take to understand how a given exploit takes advantage of a given vulnerability. As of today, these tools are not for public consumption.

These tools take as input a vulnerable program and an exploit. The tools run the exploit against the vulnerable program and generate an output a file. This output file characterizes how the exploit puts the vulnerable program into a malicious state.

A vulnerable program is in a malicious state when an exploit: 

  1. supplies an argument to a critical function (like exec),
  2. directs the program counter to execute code of the exploit’s choosing, 
  3. overwrites memory so the program counter executes the exploit code itself,
  4. causes an exception forcing the program to terminate. 

These four states encompass a large set of how vulnerabilities in software are exploited.

Our automated vulnerability analysis tools are composed of a binary translator and data flow tracker.  The binary translator works with the data flow tracker to dynamically track the exploit bytes entering a vulnerable program’s address space and propagating throughout the address space during program execution.  Whenever these exploit bytes are used to produce one of the four above conditions, execution is halted and automated analysis is complete.

An example:

Stack based overflow in an Image Viewer program occurs when a field in an image file exceeds a fixed sized buffer limit.

The interesting portions of the characterizing output log of this Image Viewer vulnerability are as follows: 

  1. The initial tracking of the exploit as it enters the program space of Image Viewer.  The Image Viewer program opens up the malicious file to render.  The log file records the system call used to open up the file and then keeps track of the file contents by setting a range of taint values in the data flow tracker.

    NtCreateFile:  C:\POC\poc.emf
    SetTaint: Base=9c608  Len=2a8
    Range 9c608..9c8af set to = [2..2a9]

  2. Next as the Image Viewer program is operating on the contents of the graphics file (poc.emf), the data flow tracker propagates the initial taint in its internal data structures to mirror what is happening in the Image Viewer program space. Any x86 instruction that moves the exploit bytes to different locations in memory or registers is recorded into the log file.  Below shows a move instruction which transfers bytes 0x6 though 0x9 in the poc.emf file from a location in memory into the ecx register.

    Mov rm32, rm32
    EIP 0x4eca6c71  ESP: 0x23efc64  TID: 0x768
    Op1: 0x4 Dirty: 0x6, 0x7, 0x8, 0x9
    Op2: 0x23efd2c Dirty: 0x6, 0x7, 0x8, 0x9

  3. When the Image Viewer program succumbs to one of the four above states an alert is generated, execution is stopped and the log file is closed.

    Alert dirty jmp/call pointer at EIP 0x77f20ffe
    PosR1[0]: 0x0, PosR1[1]: 0x0, PosR1[2]: 0x0, PosR1[3]: 0x0
    PosR2[0]: 0x8a, PosR2[1]: 0x8b, PosR2[2]: 0x8c, PosR2[3]: 0x8d

    0x8a describes the offset in the poc.emf whose bytes influenced the program counter.  This is a malicious condition because the program counter of the Image Viewer program has been hijacked by the exploit.  The program counter points to a location defined by the exploit!

The automatically generated log file provides the following information to the researcher:

  1. How the exploit was received into the vulnerable program’s address space.
  2. In what manner the exploit compromised the vulnerable program. Specifically what bytes in the exploit led to a compromised state.
  3. Describes the path from the initial receive of the exploit to the point of comprise.
  4. If two separate exploits are identical in terms of exploiting the same vulnerability in the same manner.

To obtain the above information in a matter of seconds is a large win for a researcher and just part of an arsenal of tools that will deliver scalable automated vulnerability analysis.

- MMPC Vulnerability Response Team