Bug finding in the real world

Bug Finding In The Real World

Alex Stamos

Aaron Grattafiori

Stanford CS155

April 17, 2012


Your Humble Narrators

  • Alex Stamos

    • Co-Founder and CTO

    • LBNL, Loudcloud, @stake

    • UC Berkeley BS EECS

  • Aaron Grattafiori

    • Senior Security Consultant

    • Security Innovation, MyBasement

    • UC HardKnox BS



  • Why are you finding bugs?

  • Overview of common techniques

    • Fuzzing

    • Debugging and Process Stalking

    • Reverse Engineering

  • Real World Examples

  • Ethics and Advice

  • Discussion


Why are you finding bugs?

Stolen Source Review




Static Analysis

Source Review


Bertha the Black Hat of Ill Repute

  • Goal

    • Dependable Exploitation

    • Stealth

  • Thoroughness

    • Usually only need one bug

    • No need to document coverage

  • Access

    • Often no source


Marvin the Megalomaniacal Researcher

  • Goal

    • Column inches from press, props from friends

    • Preferably in a trendy platform

    • Make money from ZDI/Pwn2Own

  • Thoroughness

    • Don’t need to be perfect, don’t want to be embarrassed

  • Access

    • Casual access to engineers

    • Source == Lawyers


Sally the Stressed Security Engineer

  • Goal

    • Find as many flaws as possible

    • Reduce incidence of exploitation*

  • Thoroughness

    • Must have coverage metrics

    • Should at least find low-hanging fruit

  • Access

    • Source code, debug symbols, engineers

    • Money for tools and staff


The Difficulty of Defense

So, oft in theologic wars
The disputants, I ween,
Rail on in utter ignorance
Of what each other mean,
And prate about an Elephant
Not one of them has seen!


The Difficulty of Defense

  • Asymmetric Warfare

    • Defenders always have to be perfect

    • Attackers can be good and lucky

  • Knowing this, is bug finding an efficient defense strategy?


Limitations of Today’s Lecture

  • The most important flaws we find are NOT implementation flaws

  • Common problems:

    • Trusting untrusted components

    • Poor use of cryptography

    • Overreliance on DRM

    • Forgotten or cut security features


Black Box Bug Finding

  • Basic goal is to exercise all states of software while watching for a response that indicates vulnerability




“Smarter Fuzzing”

  • Record or implement path through gating functions

  • Utilize knowledge of protocol or file format

  • Use process hooking
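The two slides above describe the same idea from both sides: black-box fuzzing exercises program states while watching for a crash, and "smarter" fuzzing gets past gating functions by using knowledge of the format. The following Python is an added example, not code from the lecture: a constructed toy record format with a CRC32 trailer as its gate, a deliberately planted length-trust bug behind the gate, and two mutators. The blind mutator flips bytes anywhere and is rejected by the checksum almost every time; the format-aware mutator mutates only the payload and rebuilds the length and checksum, so every candidate reaches the parser. All names, the record layout, and the planted bug are assumptions made for this example.

```python
import random
import zlib

# Constructed toy target (not from the slides): a length-prefixed record with a
# CRC32 trailer. Layout: [kind][length][payload...][crc32 of kind+length+payload].
# The CRC check is the "gating function": a blind byte-flipping fuzzer almost
# never gets past it, so it never reaches the bug planted in parse_payload.

def build_record(kind: int, payload: bytes) -> bytes:
    body = bytes([kind, len(payload)]) + payload
    return body + (zlib.crc32(body) & 0xFFFFFFFF).to_bytes(4, "big")

def parse_payload(kind: int, payload: bytes) -> str:
    if kind == 1:
        return ""
    if kind != 2:
        raise ValueError("unknown kind")
    # Kind 2: [name_len][name bytes][0x00 terminator]. The planted bug trusts
    # name_len over the real payload size; the IndexError stands in for an
    # out-of-bounds read in native code.
    name_len = payload[0]
    if payload[1 + name_len] != 0:
        raise ValueError("missing terminator")
    return payload[1:1 + name_len].decode("latin-1")

def parse_record(buf: bytes) -> str:
    if len(buf) < 6:
        raise ValueError("short record")
    body, trailer = buf[:-4], buf[-4:]
    if (zlib.crc32(body) & 0xFFFFFFFF) != int.from_bytes(trailer, "big"):
        raise ValueError("bad checksum")   # the gate most blind mutations die on
    kind, length = body[0], body[1]
    return parse_payload(kind, body[2:2 + length])

SEED = build_record(2, bytes([3]) + b"bob" + b"\x00")   # one valid input to mutate

def blind_mutate(seed: bytes, rng: random.Random) -> bytes:
    # "Dumb" fuzzing: flip 1-3 random bytes anywhere, checksum included.
    buf = bytearray(seed)
    for _ in range(rng.randint(1, 3)):
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    return bytes(buf)

def format_aware_mutate(seed: bytes, rng: random.Random) -> bytes:
    # "Smarter" fuzzing: mutate only the payload, then rebuild the length field
    # and the checksum so every candidate walks through the gate into the parser.
    kind, length = seed[0], seed[1]
    payload = bytearray(seed[2:2 + length])
    for _ in range(rng.randint(1, 3)):
        payload[rng.randrange(len(payload))] = rng.randrange(256)
    return build_record(kind, bytes(payload))

def crash_found(target, mutate, seed: bytes, iterations: int, rng: random.Random) -> bool:
    """ValueError is the gate refusing input (ordinary validation); IndexError is
    the memory-safety-style failure the fuzzer is hunting for."""
    for _ in range(iterations):
        try:
            target(mutate(seed, rng))
        except ValueError:
            continue
        except IndexError:
            return True
    return False

def run_campaigns(seed_value: int = 1) -> tuple:
    """(blind result, format-aware result) with a fixed RNG seed for reproducibility."""
    blind = crash_found(parse_record, blind_mutate, SEED, 2000, random.Random(seed_value))
    aware = crash_found(parse_record, format_aware_mutate, SEED, 200, random.Random(seed_value))
    return blind, aware

if __name__ == "__main__":
    blind, aware = run_campaigns()
    print("blind fuzzer found the bug:", blind)          # False: stuck at the checksum gate
    print("format-aware fuzzer found the bug:", aware)   # True: reaches the length-trust bug
```

The blind campaign gets 10x the iterations and still finds nothing, because a 32-bit checksum rejects a changed input with probability about 1 - 2^-32; the format-aware campaign reaches the planted bug within a handful of iterations. In a real target the same role is played by magic numbers, length fields, compression and authentication, which is why recording a path through those functions (or hooking past them) comes before generating inputs.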




Reverse Engineering

  • Decompilation

    • Often used for semi-compiled code

      • .Net CLR

      • Java

      • Flash

    • Can work with C++ w/ symbols

  • Disassembly

    • 1:1 matching with machine code

    • Modern disassemblers allow for highly automated analysis process

  • Protocol Reverse Engineering


Disassembly - IDA Pro


Reversing Patches - BinDiff


Defeating Black Box Bug Analysis

  • Many programs include anti-debug functionality

    • Check PDB

    • System calls, monitor process space

    • Throw INTs, test for catch

    • Timing tests

  • Anti-Reversing

    • Dynamic Unpacking

    • Pointer Arithmetic

    • Encrypted and obfuscated function calls


Anti-Anti-Debug - Snitch


Snitch Output on WMP

Potential break-point debugger check at 0x4bf9f889 (blackbox.dll)

Exception handler 1 is at 0x4bf9fe71 (blackbox.dll)

Exception handler 2 is at 0x7c839ac0 (kernel32.dll)

Potential break-point debugger check at 0x4bf9f9fc (blackbox.dll)

Exception handler 1 is at 0x4bf9fe71 (blackbox.dll)

Exception handler 2 is at 0x7c839ac0 (kernel32.dll)

Potential break-point debugger check at 0x4bf9f889 (blackbox.dll)

Exception handler 1 is at 0x4bf9fe71 (blackbox.dll)

Exception handler 2 is at 0x7c839ac0 (kernel32.dll)

Potential break-point debugger check at 0x4bf9f889 (blackbox.dll)

Exception handler 1 is at 0x4bf9fe71 (blackbox.dll)

Exception handler 2 is at 0x7c839ac0 (kernel32.dll)

Potential break-point debugger check at 0x4bf9f889 (blackbox.dll)

Exception handler 1 is at 0x4bf9fe71 (blackbox.dll)

Exception handler 2 is at 0x7c839ac0 (kernel32.dll)

Potential OutputDebugString debugger check at 0x7c812aeb

Module: \Device\HarddiskVolume1\WINDOWS\system32\kernel32.dll

Potential break-point debugger check at 0x4df75f36 (drmv2clt.dll)

Exception handler 1 is at 0x4dfda68e (drmv2clt.dll)

Exception handler 2 is at 0x7c839ac0 (kernel32.dll)
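Raw Snitch output repeats the same check site every time the code path runs, which makes it hard to see how many distinct anti-debug checks a binary actually contains. The following Python is an added example, not part of the lecture or of Snitch itself: a parser for the output format shown above that groups each "Potential ... debugger check" with the exception handlers listed under it, resolves the module for the OutputDebugString check from its "Module:" line, and summarises unique check sites per module. The sample text is the slide's own output; the regular expressions are my reading of that format and may not cover every line Snitch can emit.

```python
import re
from collections import Counter

# Copied from the slide's Snitch output on Windows Media Player.
SNITCH_OUTPUT = r"""
Potential break-point debugger check at 0x4bf9f889 (blackbox.dll)
Exception handler 1 is at 0x4bf9fe71 (blackbox.dll)
Exception handler 2 is at 0x7c839ac0 (kernel32.dll)
Potential break-point debugger check at 0x4bf9f9fc (blackbox.dll)
Exception handler 1 is at 0x4bf9fe71 (blackbox.dll)
Exception handler 2 is at 0x7c839ac0 (kernel32.dll)
Potential break-point debugger check at 0x4bf9f889 (blackbox.dll)
Exception handler 1 is at 0x4bf9fe71 (blackbox.dll)
Exception handler 2 is at 0x7c839ac0 (kernel32.dll)
Potential OutputDebugString debugger check at 0x7c812aeb
Module: \Device\HarddiskVolume1\WINDOWS\system32\kernel32.dll
Potential break-point debugger check at 0x4df75f36 (drmv2clt.dll)
Exception handler 1 is at 0x4dfda68e (drmv2clt.dll)
Exception handler 2 is at 0x7c839ac0 (kernel32.dll)
"""

# Assumed line shapes, derived from the sample above.
CHECK_RE = re.compile(r"^Potential (?P<kind>.+?) debugger check at (?P<addr>0x[0-9a-f]+)"
                      r"(?: \((?P<module>[^)]+)\))?$")
HANDLER_RE = re.compile(r"^Exception handler (?P<n>\d+) is at (?P<addr>0x[0-9a-f]+) \((?P<module>[^)]+)\)$")
MODULE_RE = re.compile(r"^Module: (?P<path>.+)$")

def parse_snitch(text: str) -> list:
    """Return one dict per reported check: kind, addr, module, handlers (addr, module)."""
    checks = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = CHECK_RE.match(line)
        if m:
            current = {"kind": m["kind"], "addr": m["addr"], "module": m["module"], "handlers": []}
            checks.append(current)
            continue
        m = HANDLER_RE.match(line)
        if m and current is not None:
            current["handlers"].append((m["addr"], m["module"]))
            continue
        m = MODULE_RE.match(line)
        if m and current is not None and current["module"] is None:
            # The OutputDebugString line names no module; the next "Module:" line does.
            current["module"] = m["path"].rsplit("\\", 1)[-1]
    return checks

def unique_sites(checks: list) -> list:
    """Collapse repeated hits on the same address into one (kind, addr, module) entry."""
    return sorted({(c["kind"], c["addr"], c["module"]) for c in checks})

def per_module_summary(checks: list) -> dict:
    """How many distinct anti-debug check sites live in each module."""
    return dict(Counter(module for _, _, module in unique_sites(checks)))

if __name__ == "__main__":
    parsed = parse_snitch(SNITCH_OUTPUT)
    print(f"{len(parsed)} reported checks, {len(unique_sites(parsed))} distinct sites")
    for module, count in sorted(per_module_summary(parsed).items()):
        print(f"  {module}: {count}")
```

On the slide's output this reduces five reported checks to four distinct sites: two in blackbox.dll, one in kernel32.dll, one in drmv2clt.dll. The kernel32.dll hit is the OutputDebugString check, which belongs to the loader rather than to WMP's own anti-debugging, so a summary like this is a quick way to separate the protection code (blackbox.dll, drmv2clt.dll) from system noise before deciding where to patch or hook.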


White Box Bug Finding

  • Black Box techniques always work better with more context

    • More quickly triage flaws

    • Patch flaws much faster

  • Analysis can start with source code

    • Look at sensitive areas

    • Use lexical analysis to give pointers

      • Flawfinder

      • RATS

    • Use semantic analysis

      • Coverity

      • Fortify

  • Most White Box techniques also increase false positive count
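The slide's distinction between lexical tools (Flawfinder, RATS) and semantic ones (Coverity, Fortify), and the note that white-box techniques raise the false-positive count, are easiest to see by building the lexical kind. The following Python is an added example, not code from the lecture or from any of those tools: a tiny Flawfinder-style scanner that tokenises C source line by line and reports calls to a constructed list of risky functions. The sample source, the rule table and its severities are assumptions for the example.

```python
import re

# Constructed C source: three genuine findings, one bounded call that a lexical
# rule still flags, and a comment that mentions strcpy() without calling it.
SAMPLE_C = r"""#include <string.h>
/* TODO: stop using strcpy() here */
static void copy_name(char *dst, size_t dstlen, const char *src) {
    strncpy(dst, src, dstlen - 1);   /* bounded, still flagged by a lexical rule */
    dst[dstlen - 1] = '\0';
}
int handle(const char *input) {
    char buf[64];
    strcpy(buf, input);              /* real finding: unbounded copy into buf */
    sprintf(buf, "%s!", input);      /* real finding: unbounded formatted write */
    return gets(buf) != 0;           /* real finding: no bound at all */
}"""

# Constructed rule table in the spirit of Flawfinder/RATS rulesets: name -> (severity, reason).
RULES = {
    "gets": ("high", "no bound at all"),
    "strcpy": ("high", "unbounded copy"),
    "sprintf": ("high", "unbounded format into buffer"),
    "strncpy": ("low", "bounded but may leave dst unterminated"),
}

CALL_RE = re.compile(r"\b(?P<name>[A-Za-z_]\w*)\s*\(")
COMMENT_RE = re.compile(r"/\*.*?\*/|//.*$")   # single-line comments only; a real tool lexes properly

def lexical_scan(source: str, strip_comments: bool = True) -> list:
    """Return (line, function, severity, reason) for every risky-looking call.
    A lexical scan knows nothing about the buffer sizes involved, so it cannot
    tell a safe bounded call from a dangerous one: that is the false-positive cost."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        code = COMMENT_RE.sub("", line) if strip_comments else line
        for m in CALL_RE.finditer(code):
            name = m["name"]
            if name in RULES:
                severity, reason = RULES[name]
                findings.append((lineno, name, severity, reason))
    return findings

def high_severity_names(findings: list) -> list:
    return [name for _, name, severity, _ in findings if severity == "high"]

if __name__ == "__main__":
    for lineno, name, severity, reason in lexical_scan(SAMPLE_C):
        print(f"line {lineno}: {name}() [{severity}] {reason}")
```

The strncpy hit at line 4 is the false positive the slide warns about: the call is bounded and the buffer is terminated on the next line, but a lexical rule cannot see that. Turning comment stripping off adds a second one (the strcpy() mention at line 2), which is the kind of noise a semantic tool avoids by working on the parsed program rather than on tokens.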


Hard to Find Bugs

  • MS10-002 – Remote Code Execution in IE 5-8

    function window :: onload ()
    {
        var SourceElement = document.createElement ("div");
        document.body.appendChild (SourceElement);
        var SavedEvent = null;
        SourceElement.onclick = function () {
            SavedEvent = document.createEventObject (event);
            document.body.removeChild (event.srcElement);
        }
        SourceElement.fireEvent ("onclick");
        // SavedEvent still refers to the element removed in the handler above
        SourceElement = SavedEvent.srcElement;
    }



Hard to Find Bugs

  • How does this become a reliable exploit?

    • Heap spraying allows for predictable control of memory space

    • IE Small Block Manager Reuses Pages

    • Asynchronous Garbage Collection can be synchronized by attacker: CollectGarbage()

  • How about on more modern OSes?

    • ASLR and DEP defeated with Flash JIT

    • Return Oriented Programming


  • Good analyses of Aurora Exploit:




Future of Bug Finding

  • How could you find this bug?

    • Requires understanding of IE code

    • Difficult to triage

  • Low-Hanging Fruit is Gone

    • This bug has existed since IE5

  • Initial flaw can be found by smart fuzzing. How would you do that?

  • Exploitation should require 2-3 flaws for reliability


Jailbreaking; honorable exploitation

  • A tale of incentives

  • Apple continues to take steps to prevent jailbreaks.

  • Android takes a somewhat different approach, but is still jailbroken

  • Jailbreaking of: TVs? Cars? Houses? Robots?

    (ps. comex now works at Apple)


Bugs and Exploits in the Wild

Crypto doesn’t fail, the implementations do…*

  • Browsers don’t know a site is SSL unless it forces them to use it.

  • Man-in-the-middle attacks are possible… but… my site is over SSL you say!

    • SSL typically works via 302 HTTP redirect

  • UIs are hard to get right…

    • Browsers only indicate insecurity when security is used in the first place

  • Moxie Marlinspike pointed out the gorilla in the room. Enter SSL Stripping:

    • https://github.com/moxie0/sslstrip

    • http://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf

* http://rdist.root.org/2010/11/19/dsa-requirements-for-random-k-value/

* https://en.wikinews.org/wiki/Predictable_random_number_generator_discovered_in_the_Debian_version_of_OpenSSL



  • Tricky problem to solve…

  • HTTP Strict Transport Security (HSTS) is gaining traction

  • Google’s SPDY requires the use of SSL

  • Security at lower OSI layers?
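The slides above describe the problem (a site that is "over SSL" only via a 302 from plain HTTP, which SSL stripping rewrites) and the fix that is gaining traction (HSTS). The following Python is an added example, not code from the lecture: a parser for the Strict-Transport-Security header and a small assessment that applies the two facts that matter for stripping, that browsers only honour the header when it arrives over HTTPS (RFC 6797), and that a short or absent max-age, or a missing includeSubDomains, leaves a window open. The sample responses, the site name and the 180-day policy floor are constructed for the example.

```python
MIN_MAX_AGE = 15552000   # constructed policy floor (180 days), not a value from the slides

def parse_hsts(value: str) -> dict:
    """Split a Strict-Transport-Security value into lower-cased directives."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives

def assess_hsts(scheme: str, headers: dict, min_max_age: int = MIN_MAX_AGE) -> tuple:
    """Return (ok, reasons) for one response, given the scheme it was served over."""
    if scheme != "https":
        # RFC 6797: a browser ignores the header on a non-secure transport, so the
        # plain-HTTP hop (the 302 the slide mentions) is exactly where stripping happens.
        return False, ["served over plain HTTP: HSTS cannot be set here, the redirect is strippable"]
    value = next((v for k, v in headers.items() if k.lower() == "strict-transport-security"), None)
    if value is None:
        return False, ["no Strict-Transport-Security header: every first visit is strippable"]
    reasons = []
    d = parse_hsts(value)
    age = d.get("max-age", "")
    if not age.isdigit():
        reasons.append("max-age missing or not an integer")
    elif int(age) == 0:
        reasons.append("max-age=0 tells the browser to forget the policy")
    elif int(age) < min_max_age:
        reasons.append(f"max-age={age} is below the policy floor of {min_max_age}")
    if "includesubdomains" not in d:
        reasons.append("includeSubDomains absent: subdomains (and cookies scoped to them) stay exposed")
    return (not reasons), reasons

# Constructed responses for the hops the slide describes.
HTTP_HOP = ("http", {"Location": "https://example.test/"})                 # the 302: nothing to protect it
HTTPS_WEAK = ("https", {"Strict-Transport-Security": "max-age=300"})
HTTPS_GOOD = ("https", {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"})

if __name__ == "__main__":
    for label, (scheme, headers) in [("http hop", HTTP_HOP), ("weak", HTTPS_WEAK), ("good", HTTPS_GOOD)]:
        ok, reasons = assess_hsts(scheme, headers)
        print(f"{label}: {'ok' if ok else 'weak'} {reasons}")
```

The check makes the slide's point concrete: the plain-HTTP response can never be fixed with a header, so HSTS only closes the window after one successful HTTPS visit, and a short max-age reopens it. That remaining first-visit gap is why the "tricky problem" bullet stands and why preload lists and transport-level answers are the follow-on discussion.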


Bugs and Exploits in the Wild

  • Hacktivism

    • Anonymous vs <insert flavor of week>

    • “Hacktivist groups were responsible for 58% of all data stolen last year” – Verizon 2012 Data Breach report

    • Victims of opportunity

  • Outcomes

    • Exposure of client info, customer info, usernames, passwords, sensitive information

    • Damage focusing on the reputation and data exposure


Bugs and Exploits in the Wild

  • Stuxnet

    • [ worm [ rootkit [ rootkit [ sabotage ] ] ] ]

    • Four zero-day vulnerabilities

    • Two stolen certificates

    • Eight propagation methods

    • Partridge in a malware pear tree


Did you say… Four OH-days?

Mixed MS Windows environment = Redundant

Not exploiting memory corruption = Reliable





Let's overview…




Vulnerability Fruit Punch

  • Zero-Day* Vulnerabilities:

    • MS08-067 (NetPathCanonicalize()), (Patched)

      • http://www.phreedom.org/blog/2008/decompiling-ms08-067/

    • MS10-046 (Shell LNK / Shortcut)

    • MS10-061 (Print Spooler Service)

    • MS10-073 (Win32K Keyboard Layout)

    • MS10-092 (Task Scheduler)

    • CVE-2010-2772 (Siemens SIMATIC Static Password)


MS 10-061 aka CVE-2010-2729

  • Kaspersky mentioned to Microsoft they saw printer enumeration during network propagation

  • Using the guest account, Stuxnet “prints” to a file into: \Windows\System32

  • This only allows file writing… not remote execution

  • Enter MOF (Managed Object Format)



  • Confusing chain of Microsoft buzzwords

  • Windows\System32\wbem\mof\

  • Metasploit module available (ms10_061_spoolss.rb)


MS 10-092 aka CVE-2010-3338

  • Windows >= Vista scheduled tasks in an XML format

    • Pre Vista used ???

  • Users can write and edit their tasks, CRC32 is used

  • …….. CRC32 ….


MS 10-092 continued…

  • Created task as normal user, record CRC32 value

  • Modified user definition in the task to LocalSystem

  • Take CRC32 of the task XML, pad until the CRC32 matches original

  • ?????

  • Profit
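The MS10-092 slides come down to one design mistake: a CRC32 was used where an integrity check was needed, so a user-modified task file could be padded until its checksum matched the original. The following Python is an added example, not code from the lecture: a constructed stand-in for a task definition, the CRC32 check beside a keyed HMAC-SHA256 check, and a function that demonstrates why a CRC can be matched at all, namely that for equal-length inputs crc(a xor b) == crc(a) xor crc(b) xor crc(zeros), an affine map over GF(2) with no secret in it. The XML, the key and the field names are assumptions for the example, not the real Task Scheduler schema.

```python
import hashlib
import hmac
import zlib

# Constructed task definition (not the real Task Scheduler schema); the field that
# matters is the user the task runs as.
TASK_XML = b"<Task><Principal><UserId>alice</UserId></Principal><Exec>backup.exe</Exec></Task>"
TAMPERED = TASK_XML.replace(b"alice", b"SYSTEM")
KEY = b"constructed-demo-key; a real one lives in a protected store"   # assumption

def crc32_tag(data: bytes) -> int:
    return zlib.crc32(data) & 0xFFFFFFFF

def crc32_verify(data: bytes, tag: int) -> bool:
    """The MS10-092 style check: an error-detection code used as an integrity check."""
    return crc32_tag(data) == tag

def hmac_tag(key: bytes, data: bytes) -> str:
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def hmac_verify(key: bytes, data: bytes, tag: str) -> bool:
    """The corrected check: without the key nobody can compute a matching tag
    for a changed file, no matter how much padding they append."""
    return hmac.compare_digest(hmac_tag(key, data), tag)

def pad_to(data: bytes, n: int) -> bytes:
    return data + b" " * (n - len(data))

def crc32_is_affine(a: bytes, b: bytes) -> bool:
    """For equal-length a and b: crc(a ^ b) == crc(a) ^ crc(b) ^ crc(0...0).
    CRC32 is linear over GF(2) up to a length-dependent constant, which is why a
    checksum can be steered back to any target value by adjusting padding bytes;
    it was designed to catch line noise, not an adversary."""
    if len(a) != len(b):
        raise ValueError("equal lengths required")
    x = bytes(p ^ q for p, q in zip(a, b))
    zeros = bytes(len(a))
    return crc32_tag(x) == crc32_tag(a) ^ crc32_tag(b) ^ crc32_tag(zeros)

def tamper_detected(original: bytes, modified: bytes) -> dict:
    """Both checks catch a naive edit; only the HMAC stays sound once padding is allowed."""
    return {
        "crc32": not crc32_verify(modified, crc32_tag(original)),
        "hmac": not hmac_verify(KEY, modified, hmac_tag(KEY, original)),
    }

if __name__ == "__main__":
    print("naive edit detected:", tamper_detected(TASK_XML, TAMPERED))
    n = max(len(TASK_XML), len(TAMPERED))
    print("crc32 affine on the task file:", crc32_is_affine(pad_to(TASK_XML, n), pad_to(TAMPERED, n)))
```

Both checks reject the naive edit, so a test that only flips the user field would not have found this bug; the difference is structural. The affine identity means the CRC of any padded variant is a predictable function of the CRC of the original, so "pad until it matches" is a search the attacker is guaranteed to win, while an HMAC over the same bytes gives the same attacker nothing to work with unless the key leaks.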

Stuxnet redux


  • Memory Corruption exploitation is difficult

  • Design exploitation is 99% reliable

  • Complex Systems will always have vulnerabilities

  • Was stuxnet a…. Cyb3R W34PoN?

  • Good Watching:

    • Bruce Dang, Microsoft “Adventures in Analyzing Stuxnet” @ 27C3

      • https://www.youtube.com/watch?v=fVNHX1Hrr6w (NSFW Language)

  • Good reading:

    • http://www.symantec.com/connect/blogs/w32stuxnet-dossier

    • http://www.eset.com/resources/white-papers/Stuxnet_Under_the_Microscope.pdf



  • Big ethical debates used to be:

    Responsible vs Full Disclosure

  • Debate has shifted to:

    Disclosure vs Selling Weapons


Some Advice

  • Shape your job around your ethical standpoint, not vice versa

  • Take a startup job while this is your primary expense:

  • Find a stretch position… and stretch


More Reading


Shellcoder’s Handbook






Thank you for coming! alex@isecpartners.com

