The Secret Life of Pwns: Characterizing and Predicting Exploit Weaponization

Octavian Suciu, Erin Avllazagaj, Tudor Dumitras

In recent years it has become challenging to weaponize the exploits of software vulnerabilities, so that they are effective in real-world attacks. However, the functionality added during the weaponization process has not been studied systematically, as it is difficult to infer, automatically, how close an exploit is to becoming weaponized. While the CVSS v3 standard specifies an Exploit Code Maturity metric---which captures the development status of exploits for each vulnerability, to assess the associated risks more accurately---this metric must be updated manually and is currently not published in the National Vulnerability Database.

In this work, we combine program analysis and data mining techniques to decompose exploit code into constituent micro-functionalities, and we conduct a quantitative and qualitative study of functionality reuse among 38,000 public PoC exploits. Our analysis aims to uncover statistical associations between reused components and existence of functional variants of exploits. From these observations, we propose a method to automatically predict whether vulnerabilities get weaponized, based on the micro-functionalities present in the exploit code.
Finally, we apply our prediction method to a corpus of 32M samples collected from Pastebin, a code-sharing platform popular among hackers, discovering that the existence of these variants is highly indicative of weaponization.
These results suggest that functionality-reuse patterns among exploits provide useful signals for assessing the maturity of exploit code and they open new avenues for reasoning about the risk of weaponized exploits.