Bug Finding In The Real World

Alex Stamos

Aaron Grattafiori

Stanford CS155

April 17, 2012


Your Humble Narrators

  • Alex Stamos

    • Co-Founder and CTO

    • LBNL, Loudcloud, @stake

    • UC Berkeley BS EECS

  • Aaron Grattafiori

    • Senior Security Consultant

    • Security Innovation, MyBasement

    • UC HardKnox BS


Agenda

  • Why are you finding bugs?

  • Overview of common techniques

    • Fuzzing

    • Debugging and Process Stalking

    • Reverse Engineering

  • Real World Examples

  • Ethics and Advice

  • Discussion


Why are you finding bugs?

Stolen Source Review

Disassembly

Fuzzing

Debugging

Static Analysis

Source Review


Bertha the Black Hat of Ill Repute

  • Goal

    • Dependable Exploitation

    • Stealth

  • Thoroughness

    • Usually only need one bug

    • No need to document coverage

  • Access

    • Often no source


Marvin the Megalomaniacal Researcher

  • Goal

    • Column inches from press, props from friends

    • Preferably in a trendy platform

    • Make money from ZDI/Pwn2Own

  • Thoroughness

    • Don’t need to be perfect, don’t want to be embarrassed

  • Access

    • Casual access to engineers

    • Source == Lawyers


Sally the Stressed Security Engineer

  • Goal

    • Find as many flaws as possible

    • Reduce incidence of exploitation*

  • Thoroughness

    • Must have coverage metrics

    • Should at least find low-hanging fruit

  • Access

    • Source code, debug symbols, engineers

    • Money for tools and staff


The Difficulty of Defense

So, oft in theologic wars
The disputants, I ween,
Rail on in utter ignorance
Of what each other mean,
And prate about an Elephant
Not one of them has seen!


The Difficulty of Defense

  • Asymmetric Warfare

    • Defenders always have to be perfect

    • Attackers can be good and lucky

  • Knowing this, is bug finding an efficient defense strategy?


Limitations of Today’s Lecture

  • The most important flaws we find are NOT implementation flaws

  • Common problems:

    • Trusting untrusted components

    • Poor use of cryptography

    • Overreliance on DRM

    • Forgotten or cut security features


Black Box Bug Finding

  • Basic goal is to exercise all states of software while watching for a response that indicates vulnerability


Fuzzing


“Smarter Fuzzing”

  • Record or implement path through gating functions

  • Utilize knowledge of protocol or file format

  • Use process hooking


Debugging


Reverse Engineering

  • Decompilation

    • Often used for semi-compiled code

      • .Net CLR

      • Java

      • Flash

    • Can work with C++ w/ symbols

  • Disassembly

    • 1:1 matching with machine code

    • Modern disassemblers allow for highly automated analysis process

  • Protocol Reverse Engineering


Disassembly - IDA Pro


Reversing Patches - BinDiff


Defeating Black Box Bug Analysis

  • Many programs include anti-debug functionality

    • Check PDB

    • System calls, monitor process space

    • Throw INTs, test for catch

    • Timing tests

  • Anti-Reversing

    • Dynamic Unpacking

    • Pointer Arithmetic

    • Encrypted and obfuscated function calls


Anti-Anti-Debug - Snitch


Snitch Output on WMP

Potential break-point debugger check at 0x4bf9f889 (blackbox.dll)

Exception handler 1 is at 0x4bf9fe71 (blackbox.dll)

Exception handler 2 is at 0x7c839ac0 (kernel32.dll)

Potential break-point debugger check at 0x4bf9f9fc (blackbox.dll)

Exception handler 1 is at 0x4bf9fe71 (blackbox.dll)

Exception handler 2 is at 0x7c839ac0 (kernel32.dll)

Potential break-point debugger check at 0x4bf9f889 (blackbox.dll)

Exception handler 1 is at 0x4bf9fe71 (blackbox.dll)

Exception handler 2 is at 0x7c839ac0 (kernel32.dll)

Potential break-point debugger check at 0x4bf9f889 (blackbox.dll)

Exception handler 1 is at 0x4bf9fe71 (blackbox.dll)

Exception handler 2 is at 0x7c839ac0 (kernel32.dll)

Potential break-point debugger check at 0x4bf9f889 (blackbox.dll)

Exception handler 1 is at 0x4bf9fe71 (blackbox.dll)

Exception handler 2 is at 0x7c839ac0 (kernel32.dll)

Potential OutputDebugString debugger check at 0x7c812aeb

Module: \Device\HarddiskVolume1\WINDOWS\system32\kernel32.dll

Potential break-point debugger check at 0x4df75f36 (drmv2clt.dll)

Exception handler 1 is at 0x4dfda68e (drmv2clt.dll)

Exception handler 2 is at 0x7c839ac0 (kernel32.dll)


White Box Bug Finding

  • Black Box techniques always work better with more context

    • More quickly triage flaws

    • Patch flaws much faster

  • Analysis can start with source code

    • Look at sensitive areas

    • Use lexical analysis to give pointers

      • Flawfinder

      • RATS

    • Use semantic analysis

      • Coverity

      • Fortify

  • Most White Box techniques also increase false positive count


Hard to Find Bugs

  • MS10-002 – Remote Code Execution in IE 5-8

    // Trigger for the MS10-002 ("Aurora") use-after-free. IE-only JScript
    // syntax (window::onload, fireEvent, createEventObject); shown as the
    // bug itself, not as a fix.
    function window::onload()
    {
      var SourceElement = document.createElement("div");
      document.body.appendChild(SourceElement);
      var SavedEvent = null;
      SourceElement.onclick = function () {
        // Keep a copy of the event, then free the element it refers to
        SavedEvent = document.createEventObject(event);
        document.body.removeChild(event.srcElement);
      }
      SourceElement.fireEvent("onclick");
      // Reaches the freed element through the saved event object
      SourceElement = SavedEvent.srcElement;
    }


Hard to Find Bugs

  • How does this become a reliable exploit?

    • Heap spraying allows for predictable control of memory space

    • IE Small Block Manager Reuses Pages

    • Asynchronous Garbage Collection can be synchronized by attacker: CollectGarbage()

  • How about on more modern OSes?

    • ASLR and DEP defeated with Flash JIT

    • Return Oriented Programming

      http://cseweb.ucsd.edu/~hovav/talks/blackhat08.html

  • Good analyses of Aurora Exploit:

    http://www.geoffchappell.com/viewer.htm?doc=notes/security/aurora/index.htm

    http://www.hbgary.com/wp-content/themes/blackhat/images/hbgthreatreport_aurora.pdf


Future of Bug Finding

  • How could you find this bug?

    • Requires understanding of IE code

    • Difficult to triage

  • Low-Hanging Fruit is Gone

    • This bug has existed since IE5

  • Initial flaw can be found by smart fuzzing. How would you do that?

  • Exploitation should require 2-3 flaws for reliability


Jailbreaking; honorable exploitation

  • A tale of incentives

  • Apple continues to take steps to prevent jailbreaks.

  • Android takes a somewhat different approach, and is still jailbroken

  • Jailbreaking of: TVs? Cars? Houses? Robots?

    (ps. comex now works at Apple)


Bugs and Exploits in the Wild

Crypto doesn’t fail, the implementations do…*

  • Browsers don’t know a site is SSL unless it forces them to use it.

  • Man-in-the-middle attacks are possible… but… my site is over SSL you say!

    • Sites typically reach SSL via a 302 HTTP redirect from the plain-HTTP page

  • UI’s are hard to get right…

    • Browsers only indicate insecurity when security is used in the first place

  • Moxie Marlinspike pointed out the gorilla in the room. Enter SSL Stripping:

    • https://github.com/moxie0/sslstrip

    • http://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf

* http://rdist.root.org/2010/11/19/dsa-requirements-for-random-k-value/

* https://en.wikinews.org/wiki/Predictable_random_number_generator_discovered_in_the_Debian_version_of_OpenSSL


Solution??

  • Tricky problem to solve…

  • HTTP Strict Transport Security (HSTS) is gaining traction

  • Google’s SPDY requires the use of SSL

  • Security at lower OSI layers?
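Added example, not from the slides: a small Python check for the exposure the SSL stripping slide describes (a plain-HTTP 302 hop to HTTPS, which sslstrip rewrites) against the HSTS mitigation named on this slide. The function names, the max-age threshold and the sample responses are my own constructions.

```python
import re

def parse_hsts(header):
    """Parse a Strict-Transport-Security header value into a dict.
    Returns None when max-age is missing or malformed (RFC 6797 requires it)."""
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"')
    if not re.fullmatch(r"\d+", directives.get("max-age", "")):
        return None
    return {
        "max_age": int(directives["max-age"]),
        "include_subdomains": "includesubdomains" in directives,
        "preload": "preload" in directives,
    }

def assess_strip_exposure(scheme, status, headers, min_max_age=31536000):
    """Return (risk, reason) for one response.

    scheme: 'http' or 'https' of the request that produced it.
    status: HTTP status code.  headers: dict keyed by lowercased header name.
    A plain-HTTP redirect to an https: URL is exactly the hop sslstrip rewrites
    on a first visit, so it is flagged; an HTTPS response is judged on its HSTS
    header, which is what stops the browser from making that plain hop again."""
    if scheme == "http":
        location = headers.get("location", "")
        if status in (301, 302, 307, 308) and location.lower().startswith("https://"):
            return ("high", "plain-HTTP redirect to HTTPS can be stripped on first visit")
        return ("high", "content served over plain HTTP")
    hsts = parse_hsts(headers.get("strict-transport-security", ""))
    if hsts is None:
        return ("medium", "HTTPS but no valid HSTS header; next plain-HTTP visit is strippable")
    if hsts["max_age"] < min_max_age:
        return ("low", "HSTS max-age below %d seconds" % min_max_age)
    if not hsts["include_subdomains"]:
        return ("low", "HSTS set without includeSubDomains")
    return ("none", "HSTS with long max-age and includeSubDomains")

# Constructed sample responses: the redirect hop from the slide, and a site
# that has adopted HSTS with a one-year max-age.
REDIRECT_HOP = ("http", 302, {"location": "https://bank.example/login"})
HSTS_OK = ("https", 200, {"strict-transport-security": "max-age=31536000; includeSubDomains; preload"})
```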


Bugs and Exploits in the Wild

  • Hacktivism

    • Anonymous vs <insert flavor of week>

    • “Hacktivist groups were responsible for 58% of all data stolen last year” – Verizon 2012 Data Breach report

    • Victims of opportunity

  • Outcomes

    • Exposure of client info, customer info, usernames, passwords, sensitive information

    • Damage focusing on the reputation and data exposure


Bugs and Exploits in the Wild

  • Stuxnet

    • [ worm [ rootkit [ rootkit [ sabotage ] ] ] ]

    • Four zero-day vulnerabilities

    • Two stolen certificates

    • Eight propagation methods

    • Partridge in a malware pear tree


Did you say… Four OH-days?

Mixed MS Windows environment = Redundant

Not exploiting memory corruption = Reliable


Stuxnet

http://www.eset.com/resources/white-papers/Stuxnet_Under_the_Microscope.pdf


Let's overview…


http://arstechnica.com/business/news/2012/04/stuxnet-worm-reportedly-planted-by-iranian-double-agent-using-memory-stick.ars


Vulnerability Fruit Punch

  • Zero-Day* Vulnerabilities:

    • MS08-067 (NetPathCanonicalize()), (Patched)

      • http://www.phreedom.org/blog/2008/decompiling-ms08-067/

    • MS10-046 (Shell LNK / Shortcut)

    • MS10-061 (Print Spooler Service)

    • MS10-073 (Win32K Keyboard Layout)

    • MS08-092 (Task Scheduler)

    • CVE-2010-2772 (Siemens SIMATIC Static Password)


MS 10-061 aka CVE-2010-2729

  • Kaspersky mentioned to Microsoft they saw printer enumeration during network propagation

  • Using the guest account, Stuxnet “prints” to a file into: \Windows\System32

  • This only allows file writing… not remote execution

  • Enter MOF (Managed Object Format)


MOF

  • Confusing chain of Microsoft buzzwords

  • Windows\System32\wbem\mof\

  • Metasploit module available (ms10_061_spoolss.rb)


MS 10-092 aka CVE-2010-3338

  • Windows >= Vista stores scheduled tasks in an XML format

    • Pre Vista used ???

  • Users can write and edit their tasks; a CRC32 is used to check them

  • …….. CRC32 ….


MS 10-092 continued…

  • Create a task as a normal user, record the CRC32 value

  • Modify the user definition in the task to LocalSystem

  • Take the CRC32 of the task XML, pad until the CRC32 matches the original

  • ?????

  • Profit
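Added example, not from the slides: the difference between the unkeyed CRC32 this slide describes and a keyed integrity tag, in Python. The task XML, the key and the function names are constructed stand-ins; the key represents a secret held only by the privileged service that loads task definitions, never by the user who writes them.

```python
import hashlib
import hmac
import zlib

def crc32_tag(task_xml: bytes) -> int:
    """Unkeyed check from the slides. CRC32 needs no secret to compute and is a
    linear checksum, which is why appended padding can steer it back to a stored
    value; it detects accidental corruption, not deliberate edits."""
    return zlib.crc32(task_xml) & 0xFFFFFFFF

def verify_crc32(task_xml: bytes, stored_crc: int) -> bool:
    return crc32_tag(task_xml) == stored_crc

def hmac_tag(task_xml: bytes, service_key: bytes) -> bytes:
    """Keyed replacement: producing a valid tag for any content, padded or not,
    requires service_key."""
    return hmac.new(service_key, task_xml, hashlib.sha256).digest()

def verify_hmac(task_xml: bytes, stored_tag: bytes, service_key: bytes) -> bool:
    # Constant-time comparison so the check itself leaks nothing about the tag.
    return hmac.compare_digest(hmac_tag(task_xml, service_key), stored_tag)

# Constructed task definition as its creator wrote it, and the edit the slide
# describes (re-pointing the principal at LocalSystem).
ORIGINAL = b"<Task><Principal><UserId>alice</UserId></Principal><Exec>x.exe</Exec></Task>"
TAMPERED = ORIGINAL.replace(b"alice", b"LocalSystem")
SERVICE_KEY = b"constructed-demo-key-held-by-the-scheduler-service"
```

With the keyed tag, an unprivileged user cannot make the modified XML verify against the stored tag, whether by padding or by recomputing the tag under a guessed key.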


Stuxnet Redux

  • Memory Corruption exploitation is difficult

  • Design exploitation is 99% reliable

  • Complex Systems will always have vulnerabilities

  • Was stuxnet a…. Cyb3R W34PoN?

  • Good Watching:

    • Bruce Dang, Microsoft “Adventures in Analyzing Stuxnet” @ 27C3

      • https://www.youtube.com/watch?v=fVNHX1Hrr6w (NSFW Language)

  • Good reading:

    • http://www.symantec.com/connect/blogs/w32stuxnet-dossier

    • http://www.eset.com/resources/white-papers/Stuxnet_Under_the_Microscope.pdf


Ethics

  • Big ethical debates used to be:

    Responsible vs Full Disclosure

  • Debate has shifted to:

    Disclosure vs Selling Weapons


Some Advice

  • Shape your job around your ethical standpoint, not vice versa

  • Take a startup job while this is your primary expense:

  • Find a stretch position… and stretch


More Reading

http://www.openrce.org/articles/

Shellcoder’s Handbook

http://www.Rootkits.com

http://phrack.org/

http://uninformed.org/?v=all

http://peachfuzzer.com/


Thank you for [email protected]

[email protected]
