Bug Finding In The Real World

Alex Stamos

Aaron Grattafiori

Stanford CS155

April 17, 2012

Your Humble Narrators

  • Alex Stamos

    • Co-Founder and CTO

    • LBNL, Loudcloud, @stake

    • UC Berkeley BS EECS

  • Aaron Grattafiori

    • Senior Security Consultant

    • Security Innovation, MyBasement

    • UC HardKnox BS


  • Why are you finding bugs?

  • Overview of common techniques

    • Fuzzing

    • Debugging and Process Stalking

    • Reverse Engineering

  • Real World Examples

  • Ethics and Advice

  • Discussion

Why are you finding bugs?

Stolen Source Review

Static Analysis

Source Review

Bertha the Black Hat of Ill Repute

  • Goal

    • Dependable Exploitation

    • Stealth

  • Thoroughness

    • Usually only need one bug

    • No need to document coverage

  • Access

    • Often no source

Marvin the Megalomaniacal Researcher

  • Goal

    • Column inches from press, props from friends

    • Preferably in a trendy platform

    • Make money from ZDI/Pwn2Own

  • Thoroughness

    • Don’t need to be perfect, don’t want to be embarrassed

  • Access

    • Casual access to engineers

    • Source == Lawyers

Sally the Stressed Security Engineer

  • Goal

    • Find as many flaws as possible

    • Reduce incidence of exploitation*

  • Thoroughness

    • Must have coverage metrics

    • Should at least find low-hanging fruit

  • Access

    • Source code, debug symbols, engineers

    • Money for tools and staff

The Difficulty of Defense

So, oft in theologic wars
The disputants, I ween,
Rail on in utter ignorance
Of what each other mean,
And prate about an Elephant
Not one of them has seen!

The Difficulty of Defense

  • Asymmetric Warfare

    • Defenders always have to be perfect

    • Attackers can be good and lucky

  • Knowing this, is bug finding an efficient defense strategy?

Limitations of Today’s Lecture

  • The most important flaws we find are NOT implementation flaws

  • Common problems:

    • Trusting untrusted components

    • Poor use of cryptography

    • Overreliance on DRM

    • Forgotten or cut security features

Black Box Bug Finding

  • Basic goal is to exercise all states of software while watching for a response that indicates vulnerability

“Smarter Fuzzing”

  • Record or implement path through gating functions

  • Utilize knowledge of protocol or file format

  • Use process hooking

Reverse Engineering

  • Decompilation

    • Often used for semi-compiled code

      • .Net CLR

      • Java

      • Flash

    • Can work with C++ w/ symbols

  • Disassembly

    • 1:1 matching with machine code

    • Modern disassemblers allow for highly automated analysis process

  • Protocol Reverse Engineering

Defeating Black Box Bug Analysis

  • Many programs include anti-debug functionality

    • Check PDB

    • System calls, monitor process space

    • Throw INTs, test for catch

    • Timing tests

  • Anti-Reversing

    • Dynamic Unpacking

    • Pointer Arithmetic

    • Encrypted and obfuscated function calls

Snitch Output on WMP

Potential break-point debugger check at 0x4bf9f889 (blackbox.dll)

Exception handler 1 is at 0x4bf9fe71 (blackbox.dll)

Exception handler 2 is at 0x7c839ac0 (kernel32.dll)

Potential break-point debugger check at 0x4bf9f9fc (blackbox.dll)

Exception handler 1 is at 0x4bf9fe71 (blackbox.dll)

Exception handler 2 is at 0x7c839ac0 (kernel32.dll)

Potential break-point debugger check at 0x4bf9f889 (blackbox.dll)

Exception handler 1 is at 0x4bf9fe71 (blackbox.dll)

Exception handler 2 is at 0x7c839ac0 (kernel32.dll)

Potential break-point debugger check at 0x4bf9f889 (blackbox.dll)

Exception handler 1 is at 0x4bf9fe71 (blackbox.dll)

Exception handler 2 is at 0x7c839ac0 (kernel32.dll)

Potential break-point debugger check at 0x4bf9f889 (blackbox.dll)

Exception handler 1 is at 0x4bf9fe71 (blackbox.dll)

Exception handler 2 is at 0x7c839ac0 (kernel32.dll)

Potential OutputDebugString debugger check at 0x7c812aeb

Module: \Device\HarddiskVolume1\WINDOWS\system32\kernel32.dll

Potential break-point debugger check at 0x4df75f36 (drmv2clt.dll)

Exception handler 1 is at 0x4dfda68e (drmv2clt.dll)

Exception handler 2 is at 0x7c839ac0 (kernel32.dll)

White Box Bug Finding

  • Black Box techniques always work better with more context

    • More quickly triage flaws

    • Patch flaws much faster

  • Analysis can start with source code

    • Look at sensitive areas

    • Use lexical analysis to give pointers

      • Flawfinder

      • RATS

    • Use semantic analysis

      • Coverity

      • Fortify

  • Most White Box techniques also increase false positive count

Hard to Find Bugs

  • MS10-002 – Remote Code Execution in IE 5-8

    function window::onload() {
        // Create a div, attach it to the document and hook its click handler.
        var SourceElement = document.createElement("div");
        document.body.appendChild(SourceElement);
        var SavedEvent = null;
        SourceElement.onclick = function () {
            // Save a copy of the event, then remove the element that fired it.
            SavedEvent = document.createEventObject(event);
            document.body.removeChild(event.srcElement);
        }
        // Fire the handler synchronously: the element is freed while the
        // saved event object still refers to it.
        SourceElement.fireEvent("onclick");
        // Reading srcElement from the saved event touches freed memory.
        SourceElement = SavedEvent.srcElement;
    }

Hard to Find Bugs

  • How does this become a reliable exploit?

    • Heap spraying allows for predictable control of memory space

    • IE Small Block Manager Reuses Pages

    • Asynchronous Garbage Collection can be synchronized by attacker: CollectGarbage()

  • How about on more modern OSes?

    • ASLR and DEP defeated with Flash JIT

    • Return Oriented Programming


  • Good analyses of Aurora Exploit:



Future of Bug Finding

  • How could you find this bug?

    • Requires understanding of IE code

    • Difficult to triage

  • Low-Hanging Fruit is Gone

    • This bug has existed since IE5

  • Initial flaw can be found by smart fuzzing. How would you do that?

  • Exploitation should require 2-3 flaws for reliability

Jailbreaking; honorable exploitation

  • A tale of incentives

  • Apple continues to take steps to prevent jailbreaks.

  • Android takes a somewhat different approach, but is still jailbroken

  • Jailbreaking of: TVs? Cars? Houses? Robots?

    (ps. comex now works at Apple)

Bugs and Exploits in the Wild

Crypto doesn’t fail, the implementations do…*

  • Browsers don’t know a site is SSL unless it forces them to use it.

  • Man-in-the-middle attacks are possible… but… my site is over SSL, you say!

    • SSL typically works via 302 HTTP redirect

  • UIs are hard to get right…

    • Browsers only indicate insecurity when security was used in the first place

  • Moxie Marlinspike pointed out the gorilla in the room. Enter SSL Stripping:

    • https://github.com/moxie0/sslstrip

    • http://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf

* http://rdist.root.org/2010/11/19/dsa-requirements-for-random-k-value/

* https://en.wikinews.org/wiki/Predictable_random_number_generator_discovered_in_the_Debian_version_of_OpenSSL


  • Tricky problem to solve…

  • HTTP Strict Transport Security (HSTS) is gaining traction

  • Google’s SPDY requires the use of SSL

  • Security at lower OSI layers?
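An added example, not from the slides, of the check a defender would run for the redirect problem above: a site whose HTTP response only 302s to HTTPS is strippable on first contact, while one whose HTTPS response carries a Strict-Transport-Security header is upgraded by the browser itself on later visits. The responses and function names are constructed for this example.

```python
# Constructed sample responses, each a (status, headers) pair, as a scanner
# might record them for one site over plain HTTP and then over HTTPS.
HTTP_RESPONSE = (302, {"Location": "https://example.com/"})
HTTPS_RESPONSE_WEAK = (200, {"Content-Type": "text/html"})
HTTPS_RESPONSE_FIXED = (200, {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
})


def header(headers: dict, name: str):
    """Case-insensitive header lookup; returns None when absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def parse_hsts(value: str) -> dict:
    """Parse the RFC 6797 directives of a Strict-Transport-Security value."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.lower(), arg.strip().strip('"')
        if name == "max-age" and arg.isdigit():
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy


def stripping_risk(http_response: tuple, https_response: tuple) -> str:
    """Classify exposure to SSL stripping from the two responses."""
    status, headers = http_response
    location = (header(headers, "Location") or "").lower()
    upgrades = status in (301, 302, 303, 307, 308) and location.startswith("https://")
    if not upgrades:
        # The site is served over plain HTTP; there is no upgrade to strip.
        return "no-https-upgrade"
    raw = header(https_response[1], "Strict-Transport-Security")
    policy = parse_hsts(raw) if raw else None
    if policy is None or not policy["max_age"]:
        # The upgrade lives only in a redirect that an on-path attacker can rewrite.
        return "strippable"
    # After one clean visit the browser upgrades on its own for max-age seconds
    # (only a preload list entry protects the very first visit).
    return "protected-after-first-visit"
```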

Bugs and Exploits in the Wild

  • Hacktivism

    • Anonymous vs <insert flavor of week>

    • “Hacktivist groups were responsible for 58% of all data stolen last year” – Verizon 2012 Data Breach report

    • Victims of opportunity

  • Outcomes

    • Exposure of client info, customer info, usernames, passwords, sensitive information

    • Damage focused on reputation and data exposure

Bugs and Exploits in the Wild

  • Stuxnet

    • [ worm [ rootkit [ rootkit [ sabotage ] ] ] ]

    • Four zero-day vulnerabilities

    • Two stolen certificates

    • Eight propagation methods

    • Partridge in a malware pear tree

Did you say… Four OH-days?

Mixed MS Windows environment = Redundant

Not exploiting memory corruption = Reliable

Vulnerability Fruit Punch

http://arstechnica.com/business/news/2012/04/stuxnet-worm-reportedly-planted-by-iranian-double-agent-using-memory-stick.ars

  • Zero-Day* Vulnerabilities:

    • MS08-067 (NetPathCanonicalize()), (Patched)

      • http://www.phreedom.org/blog/2008/decompiling-ms08-067/

    • MS10-046 (Shell LNK / Shortcut)

    • MS10-061 (Print Spooler Service)

    • MS10-073 (Win32K Keyboard Layout)

    • MS08-092 (Task Scheduler)

    • CVE-2010-2772 (Siemens SIMATIC Static Password)

MS10-061 aka CVE-2010-2729

  • Kaspersky mentioned to Microsoft that they had seen printer enumeration during network propagation

  • Using the guest account, Stuxnet “prints” to a file in \Windows\System32

  • This only allows file writing… not remote execution

  • Enter MOF (Managed Object Format)

MOF

  • Confusing chain of Microsoft buzzwords

  • Windows\System32\wbem\mof\

  • Metasploit module available (ms10_061_spoolss.rb)

MS10-092 aka CVE-2010-3338

  • Windows Vista and later store scheduled tasks in an XML format

    • Pre Vista used ???

  • Users can write and edit their own tasks; integrity of the task file is checked with CRC32

  • …….. CRC32 ….

MS10-092 continued…

  • Created task as normal user, record CRC32 value

  • Modified user definition in the task to LocalSystem

  • Take CRC32 of the task XML, pad until the CRC32 matches original

  • ?????

  • Profit
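As an added example (not from the slides), the same CRC32 weakness in general form beside its fix: because CRC32 is linear, the 4-byte tail that restores the original checksum can be computed directly rather than found by padding, so a CRC is no integrity check at all against an editor of the file, whereas an HMAC over the task definition cannot be matched without the service's key. The task strings, the key and the function names are constructed for this example; the element names are not the real Task Scheduler schema.

```python
import hashlib
import hmac
import zlib

# Constructed sample task definitions (illustrative markup, not the real schema).
ORIGINAL_TASK = b'<Task><Principal UserId="alice"/><Exec Command="backup.exe"/></Task>'
TAMPERED_TASK = b'<Task><Principal UserId="SYSTEM"/><Exec Command="backup.exe"/></Task>'


def _make_table():
    """Standard reflected CRC-32 (IEEE, polynomial 0xEDB88320) lookup table."""
    table = []
    for i in range(256):
        c = i
        for _ in range(8):
            c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
        table.append(c)
    return table


_TABLE = _make_table()
# Every table entry has a distinct top byte, so a byte index can be read back from it.
_REV = {t >> 24: i for i, t in enumerate(_TABLE)}


def crc32_patch(data: bytes, target: int) -> bytes:
    """Return 4 bytes p with crc32(data + p) == target. CRC32 is linear, so the
    register is walked backwards from the target one table step per byte and
    then XORed with the forward register state reached after `data`."""
    forward = zlib.crc32(data) ^ 0xFFFFFFFF   # register state after `data`
    back = target ^ 0xFFFFFFFF                # register state we need to end on
    for _ in range(4):
        idx = _REV[back >> 24]
        back = (((back ^ _TABLE[idx]) << 8) & 0xFFFFFFFF) | idx
    return (forward ^ back).to_bytes(4, "little")


def forge_to_match(original: bytes, tampered: bytes) -> bytes:
    """Tampered content plus a 4-byte tail whose CRC32 equals the original's.
    The tail is appended raw here; a CRC check only sees bytes, not XML."""
    return tampered + crc32_patch(tampered, zlib.crc32(original))


def crc_check_passes(original: bytes, candidate: bytes) -> bool:
    """The CRC32-only integrity check: accepts any content with the same CRC."""
    return zlib.crc32(original) == zlib.crc32(candidate)


def hmac_tag(data: bytes, key: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def hmac_check_passes(tag: bytes, candidate: bytes, key: bytes) -> bool:
    """The fix: a keyed MAC cannot be matched without the service's key."""
    return hmac.compare_digest(tag, hmac_tag(candidate, key))
```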

Stuxnet Redux

  • Memory Corruption exploitation is difficult

  • Design exploitation is 99% reliable

  • Complex Systems will always have vulnerabilities

  • Was stuxnet a…. Cyb3R W34PoN?

  • Good Watching:

    • Bruce Dang, Microsoft “Adventures in Analyzing Stuxnet” @ 27C3

      • https://www.youtube.com/watch?v=fVNHX1Hrr6w (NSFW Language)

  • Good reading:

    • http://www.symantec.com/connect/blogs/w32stuxnet-dossier

    • http://www.eset.com/resources/white-papers/Stuxnet_Under_the_Microscope.pdf


  • Big ethical debates used to be:

    Responsible vs Full Disclosure

  • Debate has shifted to:

    Disclosure vs Selling Weapons

Some Advice

  • Shape your job around your ethical standpoint, not vice versa

  • Take a startup job while this is your primary expense:

  • Find a stretch position… and stretch

More Reading


Shellcoder’s Handbook

Thank you for coming!

alex@isecpartners.com