Casting exploit analysis as a Weird Machine reconstruction problem

TL;DR

This paper introduces a novel method to analyze exploits by reconstructing 'Weird Machines' in memory, aiding understanding of exploit behavior through dynamic analysis of browser-based JavaScript exploits.

Contribution

It presents the first algorithm for reconstructing Weird Machine bytecode from memory layout during exploit execution, focusing on web browsers and JavaScript exploits.

Findings

Successfully identifies exploit primitives during dynamic analysis.

Reconstructs WM bytecode segments with recognizable semantics.

Demonstrates feasibility on browser-based JavaScript exploits.

Abstract

Exploits constitute malware in the form of application inputs. They take advantage of security vulnerabilities inside programs in order to yield execution control to attackers. The root cause of successful exploitation lies in emergent functionality introduced when programs are compiled and loaded in memory for execution, called `Weird Machines' (WMs). Essentially WMs are unexpected virtual machines that execute attackers' bytecode, complicating malware analysis whenever the bytecode set is unknown. We take the direction that WM bytecode is best understood at the level of the process memory layout attained by exploit execution. Each step building towards this memory layout comprises an exploit primitive, an exploit's basic building block. This work presents a WM reconstruction algorithm that works by identifying pre-defined exploit primitive-related behaviour during the dynamic analysis of target binaries, associating it with the responsible exploit segment - the WM bytecode. In this manner any analyst familiar with exploit programming will immediately recognise the reconstructed WM bytecode's semantics. This work is a first attempt at studying the feasibility of this method and focuses on web browsers when targeted by JavaScript exploits.