
KR-102962749-B1 - DOMAIN-SPECIFIC PROGRAMMING LANGUAGE FOR REPRESENTING MEANING OF EXPLOIT


Abstract

A domain-specific programming language capable of expressing the meaning of an exploit is disclosed. A computer program according to one embodiment may include exploit code written in a domain-specific programming language. The exploit code may be configured to include a declaration section according to the structure of the domain-specific programming language, and such declaration section may include an action section that defines an action interacting with a target program and a submission section that calls the action section and returns the result. Additionally, expressions of the exploit code written in the domain-specific programming language may be represented as bit vectors.

Inventors

  • 차상길
  • 김정현
  • 구스타만 스티브 베잘렐 이만

Assignees

  • 한국과학기술원 (Korea Advanced Institute of Science and Technology, KAIST)

Dates

Publication Date
2026-05-08
Application Date
2024-12-02

Claims (15)

  1. A computer program comprising instructions executable by a computer to exploit a vulnerability of a target program, wherein: the computer program includes exploit code written in a domain-specific programming language; to process the domain-specific programming language, the exploit code is interpreted by an interpreter installed on the computer and the instructions contained in the exploit code are provided to the computer; the exploit code is structured to include a declaration section according to the structure of the domain-specific programming language; the declaration section includes an action section that defines an action interacting with the target program and a submission section that calls the action section and returns its result; and expressions of the exploit code written in the domain-specific programming language are represented as bit vectors.
  2. The computer program of claim 1, wherein the action section is a special type of function that starts a new session each time the target program is invoked, and the interaction with the target program is controlled by command-line options supplied to the interpreter.
  3. The computer program of claim 1, wherein the exploit code further includes a command section according to the structure of the domain-specific programming language, and the command section includes statements for structured programming and a solve statement for SMT (Satisfiability Modulo Theories) processing.
  4. The computer program of claim 3, wherein the solve statement is implemented to compute a solution set that makes a condition containing variables true.
  5. The computer program of claim 1, wherein the domain-specific programming language is implemented such that compilation succeeds only if the type-safety rule that only a single-bit value may be assigned to a bit position is satisfied.
  6. The computer program of claim 1, wherein the exploit code further includes inline assembly code that can be written directly in the domain-specific programming language without depending on an external assembler, and the inline assembly code is converted into a byte sequence and represented as a bit-vector value.
  7. The computer program of claim 1, wherein the interpreter defines built-in functions that are provided without depending on external libraries, the built-in functions including at least one of: a function for receiving or transmitting a bit vector over a communication channel with the target program; a function that finds the address of a given function or string in a library; a function for converting among at least one of a string representation, a numeric representation, a little-endian representation and a big-endian representation (endianness representations); a function for manipulating bit vectors; and a function for debugging.
  8. A computer-readable recording medium on which is recorded a computer program comprising instructions executable by a computer to attack a vulnerability of a target program, wherein: the computer program includes exploit code written in a domain-specific programming language; to process the domain-specific programming language, the exploit code is interpreted by an interpreter installed on the computer and the instructions contained in the exploit code are provided to the computer; the exploit code is structured to include a declaration section according to the structure of the domain-specific programming language; the declaration section includes an action section that defines an action interacting with the target program and a submission section that calls the action section and returns its result; and expressions of the exploit code written in the domain-specific programming language are represented as bit vectors.
  9. The recording medium of claim 8, wherein the action section is a special type of function that starts a new session each time the target program is invoked, and the interaction with the target program is controlled by command-line options supplied to the interpreter.
  10. The recording medium of claim 8, wherein the exploit code further includes a command section according to the structure of the domain-specific programming language, the command section includes statements for structured programming and a solve statement for SMT (Satisfiability Modulo Theories) processing, and the solve statement is implemented to compute a solution set that makes a condition containing variables true.
  11. The recording medium of claim 8, wherein the domain-specific programming language is implemented such that compilation succeeds only if the type-safety rule that only a single-bit value may be assigned to a bit position is satisfied, the exploit code further includes inline assembly code that can be written directly in the domain-specific programming language without depending on an external assembler, and the inline assembly code is converted into a byte sequence and represented as a bit-vector value.
  12. The recording medium of claim 8, wherein the interpreter defines built-in functions that are provided without depending on external libraries, the built-in functions including at least one of: a function for receiving or transmitting a bit vector over a communication channel with the target program; a function that finds the address of a given function or string in a library; a function for converting among at least one of a string representation, a numeric representation, a little-endian representation and a big-endian representation (endianness representations); a function for manipulating bit vectors; and a function for debugging.
  13. A computer system comprising: at least one processor implemented to execute computer-readable instructions; a computer program containing exploit code written in a domain-specific programming language; and an interpreter that provides a processing environment for the domain-specific programming language so that the computer system can attack a vulnerability of a target program according to the exploit code, wherein: the exploit code is interpreted by the interpreter and the instructions contained in the exploit code are provided to the at least one processor; the exploit code is structured to include a declaration section according to the structure of the domain-specific programming language; the declaration section includes an action section that defines an action interacting with the target program and a submission section that calls the action section and returns its result; and expressions of the exploit code written in the domain-specific programming language are represented as bit vectors.
  14. The computer system of claim 13, wherein the action section is a special type of function that starts a new session each time the target program is invoked, and the interaction with the target program is controlled by command-line options supplied to the interpreter.
  15. The computer system of claim 13, wherein the exploit code further includes a command section according to the structure of the domain-specific programming language, the command section includes statements for structured programming and a solve statement for SMT (Satisfiability Modulo Theories) processing, and the solve statement is implemented to compute a solution set that makes a condition containing variables true.
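The claims describe the shape of the language rather than its syntax: bit-vector expressions, a declaration section whose action opens a fresh session with the target on every call and whose submission calls the action and returns the result, a solve statement over a condition with variables, and built-ins for endianness conversion, address lookup and channel I/O. The following Python model, added here as an illustration and not the patent's PoE interpreter or its syntax, implements each of those pieces so their semantics can be exercised. Everything about the target is an assumption: `cadet_stand_in` is a constructed function that only reports whether a 148-byte input would overflow the fixed buffer the description mentions, `find_addr` resolves against a constructed symbol table instead of a real library, and `solve` uses exhaustive search over small widths instead of an SMT solver.

```python
"""Model of the exploit-DSL structure described in the claims.
Added example: not the patent's interpreter; target and symbol table are constructed."""
from __future__ import annotations
from dataclasses import dataclass
from itertools import product
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class BitVec:
    """Fixed-width bit vector: every value in the model carries its width in bits."""
    value: int
    width: int

    def __post_init__(self) -> None:
        if self.width <= 0 or not 0 <= self.value < (1 << self.width):
            raise ValueError("value does not fit in width")

    def concat(self, other: "BitVec") -> "BitVec":
        return BitVec((self.value << other.width) | other.value, self.width + other.width)

    def set_bit(self, pos: int, bit: "BitVec") -> "BitVec":
        # Type-safety rule from claim 5: only a 1-bit value may be assigned to a bit position.
        if bit.width != 1:
            raise TypeError(f"bit position expects a 1-bit value, got {bit.width} bits")
        if not 0 <= pos < self.width:
            raise IndexError("bit position out of range")
        return BitVec((self.value & ~(1 << pos)) | (bit.value << pos), self.width)

    def to_bytes(self) -> bytes:
        return self.value.to_bytes((self.width + 7) // 8, "big")


def from_bytes(b: bytes) -> BitVec:
    return BitVec(int.from_bytes(b, "big"), 8 * len(b))


def from_str(s: str) -> BitVec:
    """String-to-bit-vector conversion built-in."""
    return from_bytes(s.encode())


def le(n: int, width: int) -> BitVec:
    """Little-endian encoding of n as a width-bit vector (endianness built-in)."""
    return from_bytes(n.to_bytes(width // 8, "little"))


def be(n: int, width: int) -> BitVec:
    """Big-endian encoding of n as a width-bit vector."""
    return from_bytes(n.to_bytes(width // 8, "big"))


def find_addr(base: int, symbols: Dict[str, int], name: str) -> int:
    """Address of a function or string given a library base and its symbol offsets.
    The symbol table is supplied by the caller (constructed in the test), not read from disk."""
    return base + symbols[name]


def solve(cond: Callable[..., bool], widths: List[int]) -> List[Tuple[int, ...]]:
    """Solution set of cond(x1..xn) over bit vectors of the given widths.
    Exhaustive search stands in for the SMT solver the claims describe; fine for small widths."""
    return [xs for xs in product(*(range(1 << w) for w in widths)) if cond(*xs)]


class Session:
    """One session with the target. The target here is a plain callable
    (bytes sent so far -> reply); a real interpreter would spawn the program."""

    def __init__(self, target: Callable[[bytes], bytes]) -> None:
        self.target = target
        self.sent: List[bytes] = []

    def send(self, bv: BitVec) -> None:
        self.sent.append(bv.to_bytes())

    def recv(self) -> BitVec:
        return from_bytes(self.target(b"".join(self.sent)))


def action(target: Callable[[bytes], bytes]):
    """Declares an action: a function that starts a new session on every call (claim 2)."""
    def wrap(fn):
        def run(*args):
            return fn(Session(target), *args)
        return run
    return wrap


def cadet_stand_in(data: bytes) -> bytes:
    # Constructed stand-in, not CADET_00001: reports whether the 148-byte buffer
    # the description mentions would overflow. No parsing or crash handling is modelled.
    return b"crash" if len(data) >= 148 else b"ok"


@action(cadet_stand_in)
def overflow(session: Session, n: int) -> BitVec:
    """Action section: send n consecutive 'A's and return the target's reply."""
    session.send(from_str("A" * n))
    return session.recv()


def submit(n: int = 148) -> bool:
    """Submission section: call the action and return whether the target reported a crash."""
    return overflow(n).to_bytes() == b"crash"


if __name__ == "__main__":
    print("payload bits:", from_str("A" * 148).width, "crash:", submit())
```

Two points the model makes concrete: because `overflow` is wrapped by `action`, `submit(147)` and `submit(148)` never share buffered state, which is what a per-call session buys an exploit author; and because every value is a `BitVec`, the endianness built-ins and `set_bit` cannot silently truncate or widen a value, which is the class of bug the claim 5 type rule exists to reject at compile time.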

Description

A domain-specific programming language capable of expressing the meaning of an exploit

The following description concerns domain-specific programming languages capable of expressing the meaning of exploits.

Current advanced techniques for exploit development require writing code that interacts with the target system. Depending on the defense mechanisms enforced by the target system, the code may need to be written carefully to bypass those defenses. For example, Just-In-Time Return-Oriented Programming (JIT-ROP) attacks typically bypass Address Space Layout Randomization (ASLR) by first disclosing critical information, such as the address of a valid code gadget.

Unfortunately, current exploits are written in an ad-hoc manner, making them difficult to analyze, maintain, or reuse. In particular, exploits are written in various programming languages such as Python, Ruby, or C, using different conventions and libraries. Figure 1 is a graph illustrating an example of the distribution of exploit code in an exploit database: more than 30 different programming languages are used to write exploits, the top five being Python, C, Perl, Ruby, and PHP (Hypertext Preprocessor). This diversity hinders analysis by defenders. Reproducing an attack is also difficult: an environment able to compile or interpret the relevant language must be set up, and library dependencies must be resolved. As a result, exploits are not only hard to analyze and understand, but code snippets are also hard to reuse across exploits. For example, general logic for generating a ROP chain written in Python cannot be reused directly by exploits written in Ruby or C. While several exploit development frameworks are well maintained, they are of little help for reusing code snippets across exploits: although they provide a suite of tools and libraries to streamline exploit development, code must still be written in a specific language and in a specific manner.

Proof of Vulnerability (POV) is a notable approach that aims to provide an integrated method for representing exploits in XML (eXtensible Markup Language) format. Introduced in the Cyber Grand Challenge (CGC) as a machine-understandable format, it enabled the evaluation of the performance of cyber reasoning systems, and automated exploit generation tools can produce test cases from POVs that CGC systems then evaluate. While POV is a meaningful step in the right direction, it has not been widely adopted by the security community because it is not designed to be human-readable or writable. For example, the CGC sample program CADET_00001 contains a simple buffer overflow vulnerability; triggering the bug only requires sending a payload of 148 consecutive 'A's to the server, yet the POV code representing this simple exploit is 727 characters long, 4.9 times the length of the actual payload. The code is not only verbose but also unintuitive to read, and expressing complex logic within nested XML tags is not intuitive and requires significant effort to understand.

[Prior Art Document] Korean Registered Patent No. 10-2287394

Figure 1 is a graph illustrating an example of the distribution of exploit codes in an exploit database.
FIG. 2 is a diagram illustrating an example of the overall syntax of PoE in one embodiment of the present invention.
FIG. 3 is a diagram illustrating an example of a computer system for attacking a vulnerability of a target program in an embodiment of the present invention.
FIG. 4 is a block diagram illustrating an example of a computer device according to an embodiment of the present invention.

Hereinafter, embodiments will be described in detail with reference to the attached drawings. An exploit, which is code designed to attack a vulnerability in a target program, typically consists of a single program. Embodiments of the present invention provide a new Domain-Specific Language (DSL), Proof-of-Exploit (PoE), which can express exploits in a human-readable and writable manner. As a DSL, PoE provides a simple and intuitive way to write exploits, and also a natural way to reuse exploit code. PoE is presented as the first DSL designed specifically for writing exploits. Beyond ease of writing, PoE offers advantages over existing exploit development frameworks: those frameworks are limited by the expressiveness of their underlying general-purpose languages, which were not designed for writing exploits, whereas PoE has a language structure designed specifically for exploits, making it more expressive and concise. Having a DSL for writing exploits benefits the security community in several ways. First, PoE can help security researchers write, share, and reuse exploits more