Chainspotting: Building Exploit Chains with Logic Bugs

By Georgi Geshev and Robert Miller on 13 June, 2018

Georgi Geshev and Robert Miller

13 June, 2018

Last year at CanSecWest, we celebrated the advantages of logic bugs over memory corruptions and showcased a nice and shiny bug in Chrome on Android from Mobile Pwn2Own 2016. But did we overstate the merits of this bug class?

After all, logic flaws come in all shapes and sizes. You may occasionally need to combine logic bugs into an extraordinarily long and convoluted exploit chain, which is exactly what happened to us at the competition this year. So how does this compare to chaining memory corruption bugs? Is it still an advantage to use logic bugs in these situations?

We used a whopping chain of 11 bugs across 6 unique applications including Chrome, several Samsung and AOSP components. The chain was glued together using virtually every possible means of Android IPC including activities, broadcast receivers, content and file providers. We even threw in a remote DoS bug in the chain for good measure!

This presentation covered how to hunt for logic bugs at scale, the types of exploit primitives we used, and the way they fit together to achieve a malicious action such as silently installing an arbitrary APK. We reviewed the approach we use for discovering these types of bugs and discussed our effort into speeding up and automating this process through both static and dynamic analysis tools. This talk also covered the limitations of these bugs along with some of the Android mitigations that hindered the exploitation process.