Current patch distribution procedures are insecure, according to a team of university researchers who have demonstrated a way to automatically generate an exploit based on the unpatched and patched versions of software. But security pros have been critical of the warning, calling the threat minimal.
The researchers said an exploit could be generated in minutes using techniques for analyzing potential exploit paths. They demonstrated their techniques on five Microsoft programs using patches provided via Windows Update. One exploit generated by the technique caused Internet Explorer to crash and allowed the team to successfully hijack the vulnerable machine.
The researchers -- David Brumley and Pongsin Poosankam of Carnegie Mellon University, Dawn Song of the University of California, Berkeley and Jiang Zheng of the University of Pittsburgh -- said software updates that stagger patch distributions over long periods of time could allow attackers who receive the patch first to compromise vulnerable systems. In their research paper, Automatic Patch-Based Exploit Generation is Possible: Techniques and Implications, the researchers say software updates should be redesigned to be distributed to protect against patch-based exploit generation.
"Our research shows this intuition means an attacker can reverse engineer an input demonstrating the bug in as little as a few seconds," Brumley said in an email exchange. "It previously had not been demonstrated that given a buggy program and the patch, one could generate an exploit automatically."
The research was published in the IEEE Symposium on Security and Privacy in May. A team of researchers with the BitBlaze Binary Analysis Platform Project also contributed to the project.
The research has been greeted with much skepticism from security pros, who dispute that an active exploit could be generated quickly and easily.
Robert Graham, president of Atlanta-based Errata Security, called the paper "a bit overstated" in his company's blog, and said patch engineering is a time consuming process.
"Generating fully functional exploits by reverse engineering a patch takes a lot of steps, this paper automates only one of them, and only in certain cases," Graham said.
Brumley said the research team specifically wrote in the introduction of the paper that an attacker can't automatically create an exploit for an arbitrary vulnerability.
"A fundamental tenet of security is to conservatively estimate the capabilities of attackers," Brumley said. "Under this assumption, automatic patch-based exploit generation should be considered practical, and those who have received a patch should be considered armed with an exploit."
Still, it may not be worth the investment for attackers to create a robust auto-exploit generating engine, wrote Gunter Ollmann, head of IBM's ISS X-Force security assessment services for EMEA in the company's blog.
"The probability that an auto-exploit-generator (working off newly released patches) actually changing the threat landscape is pretty small," he wrote. "For one thing, the dangerous vulnerabilities lying in contemporary operating systems tend to be real pigs to exploit reliably and require a considerable amount of elbow grease to develop and get right, and they're not really getting any easier."
Using their techniques, the research team was able to generate exploits on the Microsoft vulnerabilities in a matter of minutes. "The fastest end-to-end time we were able to generate a verifiable exploit is under 30 seconds," the researchers said. The team members said they successfully developed polymorphic exploit variants and targeted vulnerabilities that had no previously published exploits in the wild.
The researchers said a new patch reveals enough information to design an exploit that could successfully target vulnerable systems. They developed both dynamic and static analysis techniques to analyze the coding in patches to determine the correct path.
The team used software from Irvine, Calif.-based eEye Digital Security and off-the-shelf safety checkers to conduct taint analysis to successfully develop the exploit. For example, it took the researchers less than a minute to develop an exploit for one of the Microsoft vulnerabilities, MS05-025, an image rendering flaw in Internet Explorer. The exploit caused the browser to crash and also allowed the research team to gain control of the vulnerable machine.
"In the paper, we precisely describe what we achieved from the experiments, and we acknowledge that the technique may not work for all vulnerabilities," said UC Berkeley's Song. "The point is more about raising the concern that from a security point of view, better methods that do not give attackers such a big advantage from patches are needed."
The researchers recommend that vendors release patches using encryption so it can be downloaded by everyone before anyone can apply the patch. Peer-to-peer patch distribution could also aid in thwarting this type of attack by allowing customers to download the patch at the same time. Software vendors could also use a code obfuscation technique to hide lines of code in the patch, making it more difficult for an attacker to quickly generate an exploit.
"We are very direct in saying that this is not a solved issue: We don't have a single solution that works for everyone," Brumley said. "However, we do encourage vendors to work on solutions, and to work with us to help research better technologies."