
Methodology for Vulnerability Research and Exploit Development

m-r Mane Piperevski

IT Security Consultant and OWASP Macedonia Chapter leader

Piperevski & Associates, Skopje, Macedonia

mane@

Abstract: Vulnerability researchers are entering a new era in which discovering new vulnerabilities has become a well-paid and highly demanded job. An array of publicly available bug bounty programs gives any researcher with knowledge of the technology in use the opportunity to test for and find zero days. Many of the activities performed during research point to the absence of a methodology for vulnerability research and exploit development. Through analysis of these activities and of the problems that appear during research procedures, this paper develops a methodology that incorporates all the elements a researcher faces in this work and categorises them into five phases. With this methodological approach, researchers can orient their activity more easily, increasing productivity and decreasing the time needed to achieve their goals. While existing researchers will benefit from it, this methodology will benefit new security researchers most.

Keywords: Vulnerability Research, Exploit Development, Methodology, Hacking, Fuzzing, Testing, Zero Day.

Introduction

With the appearance of the vulnerability researcher as a high-demand job in the IT security industry, the need for a methodology for this job is on the rise. Using a defined, standardised approach, this paper presents a methodology for vulnerability research and exploit development. By incorporating the elements seen in vulnerability research procedures and including exploit development, this methodology gives an overview of, and integrates, the full picture of the work demanded by the IT security industry.

Difficulties, and multiple execution paths that can change with the different outcome of every researcher activity, are the challenge in vulnerability research and exploit development. As a clear path and a defined way to overcome these difficulties, this methodology will benefit the IT industry by making the work of vulnerability researchers faster and more efficient in the discovery of new vulnerabilities.

Phases in vulnerability research and exploit development

Analysing publicly available procedures, examples and results from vulnerability research and exploit development, we arrive at a total of five phases that categorise the elements coming from the executed activities.

Figure 1 [image not reproduced in this copy]

Figure 2 [image not reproduced in this copy]

1 Phase 1 - Approach method

A few dilemmas occur at the start of vulnerability research. Depending on the conditions set by the vendor of the target IT asset, the researcher may have to choose between automated testing and manual testing. The main reason for this choice is a possible vendor demand to avoid detection. Avoiding detection means that there are conditions on or around the target IT asset that prevent known testing activities, mainly those generated by automated tools. For example, this can be a web application firewall, or a vendor demand to isolate unpredictable actions or responses by the target IT asset that may disrupt its service. In some cases the vendor may have the exclusive right to demand manual testing only. For the researcher, both kinds of testing require a knowledge base for the type of technology specific to the target IT asset. The outcome of this phase should be identification and understanding of the technology used, the asset implementation diagram, the business logic and other reconnaissance information that precisely identifies the target IT asset.

2 Phase 2 - Way to find a door

After learning the nature of the target IT asset, the researcher faces the challenge of finding possible weaknesses by identifying all entrances into the target IT asset: inputs, the list of actions/functions, visible and hidden functionalities, linked known components and other target door entries. All activities and procedures in this phase are grouped into three elements that share their findings with one another, which increases the visibility of the target IT asset and enlarges the playground for the next phase. Using enumeration, the first element, the researcher identifies obvious inputs on the functions and processes already identified in the previous phase, or on those that come from the other two elements of this phase. The goal of enumeration is to identify the nature of every input and extract its details, which may lead to further clarification. The second element is thinking: reasoning about how the target IT asset works and following its execution flow to unlock new functions and processes, which can then be passed to the first element for enumeration. Diffing is the third element; its goal is to identify differences between functions and processes and to work out how they differ. Using that knowledge, the researcher may find a weakness or a way to do something that thinking had ruled out, for example horizontal or vertical privilege escalation. All inputs, possibilities and potential weaknesses from enumeration, thinking and diffing are recorded in the target door entry database as the outcome of this phase.

3 Phase 3 - First doorstep activity

The previous phase produced a database of raw material that is taken as input by all three elements of this phase. The first element is bruteforce: it uses techniques such as fuzzing that force the injection of various types of data, aiming to discover buffer overflows, program instability, raised exceptions or other vulnerabilities. Using analysis and knowledge of the technology applied by the vendor, the second element, hapax, targets the execution of an activity that is unique and can be done only once in testing scenarios with different conditions in place. Such an activity or execution step may lead to the discovery of a vulnerability that is often a flaw in the business logic or in the design of the target IT asset. The third and last element is incantation, which means executing a predefined series of activities specific to the business logic or the technology used by the target IT asset, resulting in the discovery of a vulnerability. This element can combine smart fuzzing techniques, where the execution is chosen through conditional setup parameters. All three elements can share their findings of new inputs, possibilities and potential weaknesses that appear during their execution and update the target door entry database. In this phase, the database of discovered vulnerabilities returns the researcher's attention to reviewing the door entry database again with knowledge of the existing vulnerabilities. This is crucial for the discovery of additional vulnerabilities that can arise from the researcher's changed point of view on the target IT asset, brought about by the newly acquired vulnerability knowledge. This process of returning the researcher's attention loops until no new vulnerability is discovered in this phase.
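As an added example (not from the paper or the OWASP project), a constructed Python model of how Phase 2 enumeration output feeds Phase 3 bruteforce and incantation: each door entry records the nature and bound of one input, the test values are chosen from that nature, and every raised exception is recorded as a candidate finding. The `DoorEntry` record, the `toy_target` function and its two seeded defects are invented for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class DoorEntry:
    """One record of the Phase 2 door entry database (a constructed model)."""
    name: str   # entry point found by enumeration
    kind: str   # nature of the input: "int" or "str"
    limit: int  # declared bound: maximum value for int, maximum length for str

def generate_cases(entry):
    """Phase 3 incantation: test values chosen from the entry's nature and bound."""
    if entry.kind == "int":
        return [0, 1, entry.limit - 1, entry.limit, entry.limit + 1, -1, 2**31 - 1]
    return ["", "a", "a" * (entry.limit - 1), "a" * entry.limit,
            "a" * (entry.limit + 1), "\x00", "\u00e9"]

def exercise(target, entry):
    """Feed every case to the target; an exception is recorded as a candidate finding."""
    findings = []
    for value in generate_cases(entry):
        try:
            target(entry.name, value)
        except Exception as exc:  # program instability or exception rise
            findings.append((entry.name, repr(value), type(exc).__name__))
    return findings

def run_phase3(target, database):
    """Walk the whole door entry database and collect findings per entry."""
    return {entry.name: exercise(target, entry) for entry in database}

# Constructed toy target (not real software) with two seeded defects.
def toy_target(field_name, value):
    if field_name == "page":
        pages = [None] * 10
        if value <= 10:                   # defect: bound should be value < 10
            return pages[value]           # value == 10 raises IndexError
    elif field_name == "comment":
        if len(value) <= 64:
            return value.encode("ascii")  # defect: non-ASCII input raises
    return None

DATABASE = [DoorEntry("page", "int", 10), DoorEntry("comment", "str", 64)]

if __name__ == "__main__":
    for name, hits in run_phase3(toy_target, DATABASE).items():
        print(name, hits)
```

Each finding is a tuple of (entry name, offending value, exception type), which is what would be written back into the vulnerability database that sends the researcher back to the door entry database.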

4 Phase 4 - Ending infinity

Researchers often exhaust their resources and techniques for discovering a vulnerability. To that end, this phase offers two elements as a last resort to end the infinity and close the door, with or without a discovered vulnerability. The first element is bonanza, meaning that luck has finally come. This element relies on the passage of time to change the researcher's view and perception of the target IT asset, resulting in new ideas for activities that can lead to the discovery of a vulnerability, or in closing the door as a dead end. The second element is breakdown: breaking down the knowledge acquired during the previous phases and looking for relations and connections between the functions and processes linked to the target door entry. The result may be the discovery of a new vulnerability, or simply the conclusion that it is a dead end and the door is closed. In this phase, as in the previous one, the database of discovered vulnerabilities returns the researcher's attention to reviewing the door entry database again with knowledge of the existing vulnerabilities. This is crucial for the discovery of additional vulnerabilities that can arise from the researcher's changed point of view on the target IT asset, brought about by the newly acquired vulnerability knowledge, and the process loops until no new vulnerability is discovered in this phase.

5 Phase 5 - Engineering Exploit Code

The last phase defines ways to build a working exploit that confirms the existence of the vulnerability and the possibility of exploiting it. The goal of this exploit is to serve as a proof of concept. Here we have two elements. The first, named totum, means using only custom-built code for exploit development, which gives a uniquely engineered exploit. This element demands that the researcher develop their own program code for all parts of the exploit. The other element is pars, meaning involving third-party tools and already existing code, ready for use as building blocks and support in exploit development and execution. When using this element, the researcher needs knowledge of and access to open source scripts and hacking frameworks such as Metasploit, Empire PowerShell and Core Impact, in order to engineer exploit code that will appear as a separate module in the exploit database used by such frameworks.

Future development and vision

This methodology is a draft version of a newly born project at the Open Web Application Security Project, named OWASP Vulnerability Research and Exploit Development Methodology. For future development, the project roadmap plans to produce libraries such as:

• a testing guide for every element, with testing procedures for different target IT asset technologies;

• multiple practical examples that give learning material to future researchers, with the goal of making them understand this methodology easily and get their work done faster and with a high rate of success; and

• a learning tutorial that incorporates other OWASP projects into this methodology.

The IT security industry demands more vulnerability researchers and faces the problem of finding ones good enough at what they do. For a security researcher to be good enough and perform well, they must have years of experience in IT security and think like a hacker. This means that the large rise in demand and the slow rise in the creation of security researchers make IT products more insecure. But with this methodology we now open a new window on easy learning and a sharper picture for newcoming security researchers, who can achieve better performance in their work faster, filling that gap in the IT industry.

[Figure labels: Phase 1 Approach method; Phase 2 Way to find a door; Phase 3 First doorstep activity; Phase 4 Ending infinity; Phase 5 Engineering Exploit Code]
