Paper Appeared at 27th ICSE

Posted 20 May 2005

The paper Automatic Discovery of API-Level Exploits by Vinod Ganapathy (pictured at left), Sanjit A. Seshia, Somesh Jha (pictured at center), Thomas W. Reps (pictured at right), and Randal E. Bryant appeared at the 27th International Conference on Software Engineering. The conference was held May 16--19 in St. Louis, Missouri. Vinod presented the paper at the conference.

The authors argued that finding vulnerabilities in software components is different from finding exploits against them. Exploits that compromise security often use several low-level details of the component, such as layouts of stack frames. Existing software analysis tools, while effective at identifying vulnerabilities, fail to model low-level details, and are hence unsuitable for exploit-finding.

The authors studied the issues involved in exploit-finding by considering application programming interface (API) level exploits. A software component is vulnerable to an API-level exploit if its security can be compromised by invoking a sequence of API operations allowed by the component. They developed a formal framework that allowed them to model low-level details of API operations, and developed an automatic technique based upon bounded, infinite-state model checking to discover API-level exploits.

The authors presented two instantiations of this framework. They showed that format-string exploits can be modeled as API-level exploits, and demonstrated their technique by finding exploits against vulnerabilities in widely used software. They also used the framework to model a cryptographic-key management API (the IBM CCA) and demonstrated a tool that identifies a previously known exploit.
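As an added illustration of the approach described above (not code from the paper), the following Python models a hypothetical component as a set of API operations over an abstract state and runs an explicit-state bounded search for a call sequence that violates a stated security property. The component, its operations (login_guest, login_admin, set_debug, write_config) and the property are constructed for this example, and the explicit-state search is a simplification of the paper's bounded, infinite-state model checking.

```python
"""Bounded search for API-level exploits over a small constructed API model.
Added example: explicit-state bounded search over a hypothetical component,
standing in for the paper's bounded, infinite-state model checking."""
from collections import deque
from typing import Callable, Dict, FrozenSet, List, Optional

State = FrozenSet[str]                   # component state as a set of facts
Op = Callable[[State], Optional[State]]  # None means the component rejects the call

def login_guest(s: State) -> Optional[State]:
    return s | {"logged_in"} if "logged_in" not in s else None

def login_admin(s: State) -> Optional[State]:
    # Needs a credential the caller's initial state never contains.
    return s | {"logged_in", "admin"} if "has_admin_cred" in s else None

def set_debug(s: State) -> Optional[State]:
    return s | {"debug"} if "logged_in" in s else None

def write_config(s: State) -> Optional[State]:
    # Intended policy: admins only. Defect: debug mode also unlocks the write.
    return s | {"config_written"} if {"admin", "debug"} & s else None

def write_config_fixed(s: State) -> Optional[State]:
    return s | {"config_written"} if "admin" in s else None

VULNERABLE_API: Dict[str, Op] = {"login_guest": login_guest, "login_admin": login_admin,
                                 "set_debug": set_debug, "write_config": write_config}
FIXED_API: Dict[str, Op] = dict(VULNERABLE_API, write_config=write_config_fixed)

def violates(s: State) -> bool:
    """Security property: the config is only ever written within an admin session."""
    return "config_written" in s and "admin" not in s

def find_exploit(api: Dict[str, Op], init: State,
                 bad: Callable[[State], bool], bound: int) -> Optional[List[str]]:
    """Breadth-first search over permitted call sequences of length <= bound.
    Returns the shortest violating sequence, or None if none exists within the bound."""
    seen, queue = {init}, deque([(init, [])])
    while queue:
        s, trace = queue.popleft()
        if bad(s):
            return trace
        if len(trace) == bound:
            continue
        for name, op in api.items():
            nxt = op(s)
            if nxt is not None and nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, trace + [name]))
    return None

if __name__ == "__main__":
    print(find_exploit(VULNERABLE_API, frozenset(), violates, 4))  # 3-call witness
    print(find_exploit(FIXED_API, frozenset(), violates, 6))       # None
```

The witness returned for the vulnerable model is the call sequence a designer would want to see before shipping; raising the bound on the fixed model explores the same state space without finding a violation.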

The paper is available online: [Abstract] [pdf] [ps]


This page updated October 18, 2005.