Under DARPA HACCS Technical Area 2 (TA2), we developed tools for automatically creating exploits for N-day vulnerabilities. We focused on the following vulnerability classes:
- Binary stack overflow
- Binary command injection
- Command injection
- PHP remote file inclusions (RFI)
- PHP SQL injection
- PHP file upload
For PHP, our GAAphp tool statically analyzes PHP code bases and automatically creates exploits. These exploits can be tested against dockerized versions of the applications. We also developed a tool (SourceForage) that automatically finds PHP applications from CVEs and automatically dockerizes them. The PHP application is used only to verify the created exploits. GAAphp and SourceForage are each described in detail in their own sections.
For binaries, our tools take seed inputs that reach (but do not exploit) vulnerable code and automatically determine inputs that will exploit the vulnerability. This uses dynamic instrumentation, within an emulation or on real hardware, to build up symbolic expressions that describe program values in terms of the inputs. A SAT solver then resolves these expressions to find inputs that exercise the vulnerability. For memory corruption vulnerabilities, we automatically create the binary exploit (ROP-based) statically from the application and library executables. The exploit downloads and executes the agent.
Since many HTTP vulnerabilities are based on string overflows, we developed a specialized string solver focused on the inputs required to overflow strings (a combination of regular expression inclusion and length constraints). This tool can solve a variety of exploit-related string constraints in seconds, whereas standard string solvers time out and/or return errors.
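The regex-plus-length idea described above, shown as an added example that is not part of the program's tooling or the authors' solver: a small solver for a linear subset of regular expressions (literals, `.`, character classes, `\d`/`\w`/`\s` escapes and the usual quantifiers; no groups or alternation) that combines the pattern with a length constraint. It is used here from the defender's side, to check whether an input-validation regex actually bounds the length of what it accepts before that value reaches a fixed-size buffer. The patterns and buffer sizes in `main` are constructed for illustration, and every witness is cross-checked against Python's `re.fullmatch`.

```python
"""Mini string solver: does a validation regex admit a string longer than N?

Supported subset (enough for typical allow-list patterns): literals, '.',
classes such as [A-Za-z0-9_] or [^,], escapes \\d \\w \\s, anchors ^ $,
quantifiers * + ? {m} {m,} {m,n}.  Groups and alternation are rejected.
"""
import re
import string
from dataclasses import dataclass
from typing import List, Optional

PRINTABLE = string.digits + string.ascii_letters + string.punctuation + " "
ESCAPES = {"d": string.digits, "w": string.ascii_letters + string.digits + "_", "s": " \t"}


@dataclass
class Atom:
    chars: str          # characters this atom may match
    lo: int             # minimum repetitions
    hi: Optional[int]   # maximum repetitions, None = unbounded


def _class_chars(body: str) -> str:
    """Expand the inside of a [...] class (ranges, escapes, negation) to a sorted string."""
    negate = body.startswith("^")
    if negate:
        body = body[1:]
    chars = set()
    i = 0
    while i < len(body):
        if body[i] == "\\":
            chars.update(ESCAPES.get(body[i + 1], body[i + 1]))
            i += 2
        elif i + 2 < len(body) and body[i + 1] == "-":
            chars.update(chr(k) for k in range(ord(body[i]), ord(body[i + 2]) + 1))
            i += 3
        else:
            chars.add(body[i])
            i += 1
    if negate:
        chars = set(PRINTABLE) - chars
    return "".join(sorted(chars))


def parse(pattern: str) -> List[Atom]:
    """Turn a linear regex into a list of (character set, min, max) atoms."""
    atoms, i, n = [], 0, len(pattern)
    while i < n:
        c = pattern[i]
        if c in "^$":                       # anchors contribute no characters
            i += 1
            continue
        if c == "\\":
            chars = ESCAPES.get(pattern[i + 1], pattern[i + 1])
            i += 2
        elif c == "[":
            j = pattern.index("]", i + 1)
            chars = _class_chars(pattern[i + 1:j])
            i = j + 1
        elif c == ".":
            chars = PRINTABLE
            i += 1
        elif c in "()|":
            raise ValueError("groups and alternation are outside the supported subset")
        else:
            chars = c
            i += 1
        lo, hi = 1, 1
        if i < n and pattern[i] in "*+?{":
            q = pattern[i]
            if q == "*":
                lo, hi, i = 0, None, i + 1
            elif q == "+":
                lo, hi, i = 1, None, i + 1
            elif q == "?":
                lo, hi, i = 0, 1, i + 1
            else:
                j = pattern.index("}", i)
                body = pattern[i + 1:j]
                if "," in body:
                    a, b = body.split(",")
                    lo, hi = int(a), (int(b) if b else None)
                else:
                    lo = hi = int(body)
                i = j + 1
        atoms.append(Atom(chars, lo, hi))
    return atoms


def witness(atoms: List[Atom], length: int) -> Optional[str]:
    """Return a string of exactly `length` characters matched by the atoms, or None.

    Each atom may repeat any count in [lo, hi], so the reachable total lengths form
    one contiguous range; the slack above sum(lo) is handed out atom by atom.
    """
    reps = [a.lo for a in atoms]
    slack = length - sum(reps)
    if slack < 0:
        return None
    for idx, a in enumerate(atoms):
        if slack == 0:
            break
        room = slack if a.hi is None else min(slack, a.hi - a.lo)
        reps[idx] += room
        slack -= room
    if slack > 0:
        return None
    return "".join(a.chars[0] * r for a, r in zip(atoms, reps))


def audit(pattern: str, buffer_size: int) -> Optional[str]:
    """Return an accepted input longer than buffer_size, or None if the regex bounds length."""
    atoms = parse(pattern)
    target = max(buffer_size + 1, sum(a.lo for a in atoms))
    w = witness(atoms, target)
    if w is not None:
        assert re.fullmatch(pattern, w), "solver disagrees with re"   # cross-check
    return w


def main() -> None:
    # Constructed validation patterns and buffer sizes, for illustration only.
    for pattern, size in [(r"^[A-Za-z0-9_]+$", 32),
                          (r"^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$", 15),
                          (r"^[a-z]{1,8}@example\.com$", 16)]:
        w = audit(pattern, size)
        verdict = "bounded" if w is None else f"admits {len(w)} chars: {w!r}"
        print(f"{pattern:45s} buffer={size:3d}  {verdict}")


if __name__ == "__main__":
    main()
```

The first pattern is the classic unbounded `+` allow-list: it rejects metacharacters but says nothing about length, so the solver immediately produces a 33-character witness. The second is bounded at 15 characters by its `{1,3}` quantifiers, so no witness exists, and the third is bounded at 20 and therefore yields a witness for a 16-byte buffer but not for a 20-byte one.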
We developed tools (SeedExtract and SeedSearch) that can extract HTTP seed inputs from vulnerability descriptions (SeedExtract) and automatically find vulnerability descriptions from CVEs (SeedSearch). These provide the inputs necessary for exploit generation. In many cases, though, vulnerability descriptions are not available. We also developed an HTTP exploration tool that automatically explores possible HTTP inputs to find seed inputs that reach possibly vulnerable sinks.
We also developed a tool to automatically create and configure emulations from firmware images. The tool automatically tests the emulation's networking, web server, and web server instrumentation and tries a variety of known fixes to create a working emulation. It also includes a more recent kernel and standard tools that support a wider variety of emulations more consistently.
The Arya TA2 team created 924 exploits over 6 different vulnerability classes during the program, the most automatically generated exploits submitted by any HACCS TA2 performer.
Papers
- Automatic Exploitation of Fully Randomized Executables. MIT Technical Report, 2019
- Using Proof-of-Work to Mitigate Spoofing-Based Denial of Service Attacks. CoNEXT-SW, 2021
- IDA Pro Plugins for CodeHawk-Binary. Aarno Labs Technical Report, 2023
Funding Source
DARPA: Harnessing Autonomy for Countering Cyberadversary Systems (HACCS)
Program Dates
Start: April, 2018
End: December, 2023