attack_surface_approximation is the CRS module that deals with the approximation of the attack surface in a vulnerable program.
Some input mechanisms are omitted: elements of the user interface, signals, devices and interrupts. At the moment, the supported mechanisms are the following:
- Files;
- Arguments;
- Standard input;
- Networking; and
- Environment variables.
In addition, a custom fuzzer is implemented to discover arguments that trigger different code coverage. It takes arguments from a dictionary which can be handcrafted or generated with an exposed command, with an implemented heuristic.
Examples of arguments dictionaries can be found in examples/dictionaries:
man.txt, generated with theman_parsingheurstic and having 6605 entries; andgeneration.txt, generated with thegenerationheuristic and having 62 entries.
- ELF format
- x86 architecture
- Non-static binaries
- Symbols present (namely, no stripping is involved)
- No obfuscation technique involved
The module works by automating Ghidra for static binary analysis. It extracts information and apply heuristics to determine if a given input stream is present.
Examples of such heuristics are:
- For standard input, calls to
getc()andgets() - For networking, calls to
recv()andrecvfrom() - For arguments, occurrences of
argcandargvin themain()'s decompilation.
The argument fuzzer uses Docker and QBDI to detect basic block coverage.
- Ensure you have Docker installed.
- Install the required Python 3 packages via
poetry install --no-dev. - Ensure the Docker API is accessible by:
- Running the module as
root; or - Changing the Docker socket permissions (unsecure approach) via
chmod 777 /var/run/docker.sock.
- Running the module as
โ poetry run attack_surface_approximation generate --heuristic man --output args.txt --top 10
Successfully generated dictionary with 10 arguments
โ cat args.txt
--and
--get
--get-feedbacks
--no-progress-meter
--print-name
-input
-lmydep2
-miniswhite
-nM
-prune
โ ./crackme
Enter the password: pass
Wrong password!
โ poetry run attack_surface_approximation detect --elf crackme
Several input mechanisms were detected for the given program:
โโโโโโโโโโโโโโโโโโโโโโโโโณโโโโโโโโโโ
โ Stream โ Present โ
โกโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฉ
โ files โ No โ
โ arguments โ No โ
โ stdin โ Yes โ
โ networking โ No โ
โ environment_variables โ No โ
โโโโโโโโโโโโโโโโโโโโโโโโโดโโโโโโโโโโ
โ poetry run attack_surface_approximation fuzz --elf /bin/uname --dictionary args.txt
Several arguments were detected for the given program:
โโโโโโโโโโโโโณโโโโโโโโโโโโโโโโโ
โ Argument โ Role โ
โกโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฉ
โ - โ FLAG โ
โ -a โ FLAG โ
โ -a string โ STRING_ENABLER โ
โ -i โ FLAG โ
โ -i string โ STRING_ENABLER โ
โ -m โ FLAG โ
โ -m string โ STRING_ENABLER โ
โ -n โ FLAG โ
โ -n string โ STRING_ENABLER โ
โ -o โ FLAG โ
โ -o string โ STRING_ENABLER โ
โ -p โ FLAG โ
โ -p string โ STRING_ENABLER โ
โ -r โ FLAG โ
โ -r string โ STRING_ENABLER โ
โ -s โ FLAG โ
โ -s string โ STRING_ENABLER โ
โ -v โ FLAG โ
โ -v string โ STRING_ENABLER โ
โโโโโโโโโโโโโดโโโโโโโโโโโโโโโโโ
โ poetry run attack_surface_approximation
Usage: attack_surface_approximation [OPTIONS] COMMAND [ARGS]...
Discovers the attack surface of vulnerable programs.
Options:
--help Show this message and exit.
Commands:
analyze Analyze with all methods.
detect Statically detect what input streams are used by an executable.
fuzz Fuzz the arguments of an executable.
generate Generate dictionaries with arguments, based on heuristics.
from attack_surface_approximation.static_input_streams_detection import \
InputStreamsDetector
detector = InputStreamsDetector(elf_filename)
streams_list = detector.detect_all()from attack_surface_approximation.arguments_fuzzing import ArgumentsFuzzer
fuzzer = ArgumentsFuzzer(elf_filename, fuzzed_arguments)
detected_arguments = fuzzer.get_all_valid_arguments()