Sunday, March 13, 2016

Programming the Weird Machine

Halvar Flake tends to put things quite beautifully, as he did near the end of a recent talk he gave in Singapore on Rowhammer. At the end, he explained to the audience, in the simplest terms, what exploitation actually is.

You can take a look here if you like. I've just tried to elaborate on his words.

Think of a state machine. It has states and transitions between those states. When writing software, developers take the state machine in their head (or the one described in the design documents) and implement it in code. They then logically account only for the states they intend the program to reach.

If they make a mistake during design or implementation, such that they did not or could not account for other state transitions the software might make, and it is possible to put the program into those states, the result can be considered a bug. A security bug (e.g. a vulnerability) puts the software into a weird state that impacts the security of the system, and exploitation is programming the weird machine, the weird machine being the series of new states that was found.

Translating this into security-speak, a proof-of-concept uses a bug to drive the program into a weird state, thereby proving the concept, which usually describes the bug. An exploit fully programs at least one path through the weird machine to a useful destination weird state.
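To make the design-versus-implementation gap concrete, here is an added example (not from the talk or the post) that models a small session state machine twice: once as the designer intended it and once as an implementation with a missing guard. A breadth-first walk over both tables reports the transitions only the implementation can take, together with the event sequence that reaches them; that set is the "weird machine" a defender would want to find in review or testing. The states, events and the bug are constructed for this illustration.

```python
from collections import deque

# Design: the transitions the developer accounted for (hypothetical session machine).
DESIGN = {
    ("logged_out", "login_ok"): "user",
    ("user", "logout"): "logged_out",
    ("user", "elevate_ok"): "admin",
    ("admin", "logout"): "logged_out",
}

# Implementation: same events, but a missing check lets "elevate_ok" fire
# straight from "logged_out". This is the bug being modelled (constructed).
IMPL = dict(DESIGN)
IMPL[("logged_out", "elevate_ok")] = "admin"


def explore(transitions, start):
    """Breadth-first walk of a transition table from `start`.

    Returns {(src, event, dst): events} for every edge reachable from `start`,
    where `events` is the shortest event sequence that reaches `src`.
    """
    paths = {start: ()}          # state -> shortest event sequence reaching it
    edges = {}
    queue = deque([start])
    while queue:
        state = queue.popleft()
        for (src, event), dst in sorted(transitions.items()):
            if src != state:
                continue
            edges[(src, event, dst)] = paths[state]
            if dst not in paths:
                paths[dst] = paths[state] + (event,)
                queue.append(dst)
    return edges


def weird_machine(design, impl, start="logged_out"):
    """Edges the implementation can take that the design never accounted for,
    each paired with the event sequence that drives the machine through it.
    An empty result means the implementation reaches no unintended transition."""
    intended = explore(design, start)
    return {edge: prefix + (edge[1],)
            for edge, prefix in explore(impl, start).items()
            if edge not in intended}


if __name__ == "__main__":
    for edge, events in weird_machine(DESIGN, IMPL).items():
        print(f"unintended transition {edge} reached via events {events}")
```

The same comparison applies to any machine that can be written down as a transition table, such as a protocol handshake or a parser; the intended table comes from the design document, the implemented one from reading the code.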

Here are some examples for just one bug:

- A bug which has a provided PoC that crashes the program, but is theorized to have only a denial-of-service impact; its weird state is driven somewhat toward fruition.

- The same bug with a modified PoC, where someone else theorizes that the impact can be code execution; its weird state is partially driven.

- An exploit is written for the bug that claims to execute an arbitrary payload; its weird state has been fully realized in one direction.

- Another exploit is written that not only executes arbitrary code, but does so after transitioning to a state which runs privileged code; its weird state may have been fully realized at this point, unless someone else comes along and finds an even more useful transition, or it is proved there isn't one, or it is even proved somehow that the state was false.

I found these words very tasteful and an excellent mindset to have when reasoning about vulnerabilities and exploitation. The best part is that these words have the potential to be used as foundations that make new ideas so much more clear and precise.