Retrieving exploit-level semantics from malicious scripts using program memory analysis

Abstract

Memory corruption errors make script-hosting applications vulnerable to exploita- tion by malicious scripts. Although script statements do not have direct access to native-level operations, exploit writers use them to manipulate application objects and indirectly make changes to the memory layout. Analysing these exploits is often a manual process requiring expertise and vast technical skills due to the gap between the script statements and the native-level operations generated in executing them. Exploit primitives, defined as script statements that provide access to native-level operations, are used by exploit writers to achieve their goal. This work suggests putting exploit primitives at the centre of malicious script analysis aiming at bridg- ing the gap between the script statements and native-level consequences when these are interpreted by the script engine. A framework that uses Dynamic Binary Translation is proposed to analyse the memory of script-hosting applications during script execution. The framework detects native-level patterns, based on instruction traces and process memory layout, to identify primitives. These primitives trigger memory management operations or execute injected code. Markers, which produce identifiable patterns, are inserted in the script and used to correlate the detected primitive patterns to the script statements. The framework output provides the analyst with a version of the original script with added labels highlighting exploit primitive statements. A representative set of case studies was analysed using this framework under various testing environments. A number of environment characteristics that determine whether an exploit is successful were identified. The results obtained validate the approach and encourage further research.