Automatic discovery of API-level exploits

Vinod Ganapathy, Sanjit A. Seshia, Somesh Jha, Thomas W. Reps, Randal E. Bryant

Research output: Contribution to conference › Paper

14 Citations (Scopus)

Abstract

We argue that finding vulnerabilities in software components is different from finding exploits against them. Exploits that compromise security often use several low-level details of the component, such as layouts of stack frames. Existing software analysis tools, while effective at identifying vulnerabilities, fail to model low-level details, and are hence unsuitable for exploit-finding. We study the issues involved in exploit-finding by considering application programming interface (API) level exploits. A software component is vulnerable to an API-level exploit if its security can be compromised by invoking a sequence of API operations allowed by the component. We present a framework to model low-level details of APIs, and develop an automatic technique based on bounded, infinite-state model checking to discover API-level exploits. We present two instantiations of this framework. We show that format-string exploits can be modeled as API-level exploits, and demonstrate our technique by finding exploits against vulnerabilities in widely-used software. We also use the framework to model a cryptographic-key management API (the IBM CCA) and demonstrate a tool that identifies a previously known exploit.
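The abstract's central distinction, a vulnerability (an API that permits a dangerous operation) versus an exploit (a concrete sequence of permitted calls that actually breaks the security property), is easiest to see with a bounded search run over a small model. The following is example code written for this page, not the authors' tool, and it does not describe the IBM CCA: the key-management API, its SENSITIVE/DATA key types, the key values "k0", "kek" and "d", and the flaw in unwrap (the caller chooses the type of an imported key) are all hypothetical. Encryption is modelled symbolically, and the attacker's inputs are restricted to values the API has already returned, which is an assumption of the model rather than a property of any real API. The search enumerates every permitted call from every reachable state, breadth first, up to a fixed bound, and reports the first call sequence after which a SENSITIVE key value is visible to the caller.

```python
"""Bounded search for API-level exploits over a toy key-management API.

Illustrative model written for this page; not the paper's tool. The API,
its key types and its flaw are hypothetical. Keys are SENSITIVE (key-
encryption keys that must never leave the device in the clear) or DATA
(keys the caller may use to decrypt arbitrary ciphertext).
"""
from collections import deque
from dataclasses import dataclass

SENSITIVE, DATA = "SENSITIVE", "DATA"


@dataclass(frozen=True)
class State:
    keys: tuple     # (keytype, value) per key; the handle is the tuple index
    outputs: tuple  # sorted, deduplicated strings the API has returned so far


# Symbolic encryption: the ciphertext records the key it was made with, so
# "decryption" is a prefix check. Attacker inputs are limited to strings the
# API has already returned (a Dolev-Yao style assumption of this model).
def enc(key_value, plaintext):
    return f"ENC[{key_value}]({plaintext})"


def dec(key_value, blob):
    prefix = f"ENC[{key_value}]("
    if blob.startswith(prefix) and blob.endswith(")"):
        return blob[len(prefix):-1]
    return None


class KeyAPI:
    """Transition relation of the toy API. flawed=True lets the caller choose
    the type of an unwrapped key; flawed=False binds the type into the blob at
    wrap time and ignores the caller's choice (the hardened variant)."""

    def __init__(self, flawed):
        self.flawed = flawed

    @staticmethod
    def _with_output(st, value):
        return State(st.keys, tuple(sorted(set(st.outputs) | {value})))

    def wrap(self, st, target, wrapper):
        ktype, kval = st.keys[target]
        wtype, wval = st.keys[wrapper]
        if wtype != SENSITIVE:  # only key-encryption keys may wrap other keys
            return None
        payload = kval if self.flawed else f"{ktype}:{kval}"
        return self._with_output(st, enc(wval, payload))

    def unwrap(self, st, blob, wrapper, requested_type):
        wtype, wval = st.keys[wrapper]
        payload = dec(wval, blob) if wtype == SENSITIVE else None
        if payload is None:
            return None
        if self.flawed:
            new_key = (requested_type, payload)  # the flaw: caller picks the type
        else:
            ktype, sep, kval = payload.partition(":")
            if sep == "" or ktype not in (SENSITIVE, DATA):
                return None
            new_key = (ktype, kval)
        return State(st.keys + (new_key,), st.outputs)

    def decrypt(self, st, blob, handle):
        ktype, kval = st.keys[handle]
        if ktype != DATA:  # only DATA keys may decrypt caller-supplied data
            return None
        plain = dec(kval, blob)
        return None if plain is None else self._with_output(st, plain)


def successors(api, st):
    """Enumerate every permitted API call the attacker can make from st."""
    handles = range(len(st.keys))
    for t in handles:
        for w in handles:
            yield f"wrap(target={t}, wrapper={w})", api.wrap(st, t, w)
    for blob in st.outputs:
        for w in handles:
            for ty in (SENSITIVE, DATA):
                yield f"unwrap({blob}, wrapper={w}, type={ty})", api.unwrap(st, blob, w, ty)
        for h in handles:
            yield f"decrypt({blob}, key={h})", api.decrypt(st, blob, h)


def find_exploit(api, initial, bound):
    """Breadth-first search over call sequences of length <= bound. Returns the
    shortest trace after which a SENSITIVE key value is among the caller-visible
    outputs, or None if no such trace exists within the bound."""
    secrets = {v for t, v in initial.keys if t == SENSITIVE}
    queue, seen = deque([(initial, [])]), {initial}
    while queue:
        st, trace = queue.popleft()
        if len(trace) >= bound:
            continue
        for label, nxt in successors(api, st):
            if nxt is None or nxt in seen:
                continue
            seen.add(nxt)
            if secrets & set(nxt.outputs):
                return trace + [label]
            queue.append((nxt, trace + [label]))
    return None


# Constructed initial state: a protected key, a key-encryption key, a data key.
INITIAL = State(((SENSITIVE, "k0"), (SENSITIVE, "kek"), (DATA, "d")), ())
```

With `KeyAPI(flawed=True)` the search returns a three-call trace of the form wrap, unwrap, decrypt: the unwrap re-imports a wrapped key-encryption key as a DATA key, after which decrypt of the wrapped blob hands the caller the key in the clear. That trace is the exploit; the unwrap type choice alone is only the vulnerability. With `flawed=False` the same search returns None, but because the search is bounded this only shows that no exploit exists within the chosen number of calls, which is the caveat that applies to any bounded model checking result.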

Original language: English (US)
Pages: 312-321
Number of pages: 10
State: Published - Dec 1 2005
Event: 27th International Conference on Software Engineering, ICSE05 - St. Louis, MO, United States
Duration: May 15 2005 to May 21 2005

Other

Other: 27th International Conference on Software Engineering, ICSE05
Country: United States
City: St. Louis, MO
Period: 5/15/05 to 5/21/05

Fingerprint

Application programming interfaces (API)
Model checking

All Science Journal Classification (ASJC) codes

  • Engineering(all)
  • Software

Keywords

  • API-level exploit
  • Bounded model checking

Cite this

Ganapathy, V., Seshia, S. A., Jha, S., Reps, T. W., & Bryant, R. E. (2005). Automatic discovery of API-level exploits. 312-321. Paper presented at 27th International Conference on Software Engineering, ICSE05, St. Louis, MO, United States.
@conference{3061c51aabfe4076b236765b1719221e,
title = "Automatic discovery of API-level exploits",
abstract = "We argue that finding vulnerabilities in software components is different from finding exploits against them. Exploits that compromise security often use several low-level details of the component, such as layouts of stack frames. Existing software analysis tools, while effective at identifying vulnerabilities, fail to model low-level details, and are hence unsuitable for exploit-finding. We study the issues involved in exploit-finding by considering application programming interface (API) level exploits. A software component is vulnerable to an API-level exploit if its security can be compromised by invoking a sequence of API operations allowed by the component. We present a framework to model low-level details of APIs, and develop an automatic technique based on bounded, infinite-state model checking to discover API-level exploits. We present two instantiations of this framework. We show that format-string exploits can be modeled as API-level exploits, and demonstrate our technique by finding exploits against vulnerabilities in widely-used software. We also use the framework to model a cryptographic-key management API (the IBM CCA) and demonstrate a tool that identifies a previously known exploit.",
keywords = "API-level exploit, Bounded model checking",
author = "Vinod Ganapathy and Seshia, {Sanjit A.} and Somesh Jha and Reps, {Thomas W.} and Bryant, {Randal E.}",
year = "2005",
month = "12",
day = "1",
language = "English (US)",
pages = "312--321",
note = "27th International Conference on Software Engineering, ICSE05 ; Conference date: 15-05-2005 Through 21-05-2005",
}

Scopus record: http://www.scopus.com/inward/record.url?scp=26944470937&partnerID=8YFLogxK
Cited by (Scopus): http://www.scopus.com/inward/citedby.url?scp=26944470937&partnerID=8YFLogxK