Tim Newsham and Alex Stamos Stanford CS155 April 6, 2010 Bug Finding Techniques.

Slides:

Advertisements

Similar presentations

Where do security bugs come from? Any how do you find them in the real world? Stanford CS 155 Spring 2014 Alex Stamos CISO, Yahoo.

Advertisements

Dynamic Analysis of Windows Phone 7 apps Behrang Fouladi, SensePost.

Test Yaodong Bi.

Leonardo de Moura Microsoft Research. Z3 is a new solver developed at Microsoft Research. Development/Research driven by internal customers. Free for.

Test process essentials Riitta Viitamäki,

RIVERSIDE RESEARCH INSTITUTE Helikaon Linux Debugger: A Stealthy Custom Debugger For Linux Jason Raber, Team Lead - Reverse Engineer.

USING EMET TO DEFEND AGAINST TARGETED ATTACKS PRESENTED BY ROBERT HENSING – SENIOR CONSULTANT – MICROSOFT CORPORATION MICHAEL MATTES – SENIOR CONSULTANT.

David Brumley, Pongsin Poosankam, Dawn Song and Jiang Zheng Presented by Nimrod Partush.

Engineering Secure Software. The Power of Source Code  White box testing Testers have intimate knowledge of the specifications, design, Often done by.

CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.

Nibin Varghese iViZ Security, Kolkata Reverse Engineering for Exploit Writers.

Debugging Techniques1. 2 Introduction Bugs How to debug Using of debugger provided by the IDE Exception Handling Techniques.

Introduction to InfoSec – Recitation 6 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Testing and Debugging CS221 – 2/13/09. Airline Program.

Fuzzing Dan Fleck CS 469: Security Engineering Sources:

Chalmers University of Technology Language-based Security Internet Explorer Exploit Christian O. Andersson Jonas Stiborg Andén.

Java Review 2 – Errors, Exceptions, Debugging Nelson Padua-Perez Chau-Wen Tseng Department of Computer Science University of Maryland, College Park.

Leveraging User Interactions for In-Depth Testing of Web Applications Sean McAllister, Engin Kirda, and Christopher Kruegel RAID ’08 1 Seoyeon Kang November.

JavaScript, Fourth Edition

09/18/06 1 Software Security Vulnerability Testing in Hostile Environment Herbert H. Thompson James A. Whittaker Florence E. Mottay.

SRE  Introduction 1 Software Reverse Engineering (SRE)

Lecture 1: Overview of Java. What is java? Developed by Sun Microsystems (James Gosling) A general-purpose object-oriented language Based on C/C++ Designed.

System/Software Testing

Secure Software Development SW Penetration Testing Chapter 6 Rasool Jalili & M.S. Dousti Dept. of Computer Engineering Fall 2010.

Application Security Tom Chothia Computer Security, Lecture 14.

© 2012 IBM Corporation Rational Insight | Back to Basis Series Chao Zhang Unit Testing.

CS 501: Software Engineering Fall 1999 Lecture 16 Verification and Validation.

CMSC 345 Fall 2000 Unit Testing. The testing process.

Michael Ernst, page 1 Collaborative Learning for Security and Repair in Application Communities Performers: MIT and Determina Michael Ernst MIT Computer.

CSCE 548 Code Review. CSCE Farkas2 Reading This lecture: – McGraw: Chapter 4 – Recommended: Best Practices for Peer Code Review,

What Happens In Windows 8 Stays In Windows 8 Moti Joseph & Marion Marschalek Defcamp 2014.

Software Testing Damian Gordon.

Introduction and Features of Java. What is java? Developed by Sun Microsystems (James Gosling) A general-purpose object-oriented language Based on C/C++

CS266 Software Reverse Engineering (SRE) Reversing and Patching Java Bytecode Teodoro (Ted) Cipresso,

EECS 354 Network Security Reverse Engineering. Introduction Preventing Reverse Engineering Reversing High Level Languages Reversing an ELF Executable.

Interception and Analysis Framework for Win32 Scripts (not for public release) Tim Hollebeek, Ph.D.

CNIT 127: Exploit Development Ch 4: Introduction to Format String Bugs.

1 Debugging: Catching Bugs ( II ) Ying Wu Electrical Engineering & Computer Science Northwestern University EECS 230 Lectures.

COMPUTER SECURITY MIDTERM REVIEW CS161 University of California BerkeleyApril 4, 2012.

Testing. 2 Overview Testing and debugging are important activities in software development. Techniques and tools are introduced. Material borrowed here.

Software Testing Reference: Software Engineering, Ian Sommerville, 6 th edition, Chapter 20.

Cs2220: Engineering Software Class 6: Defensive Programming Fall 2010 University of Virginia David Evans.

Module 6: Debugging a Windows CE Image.  Overview Debug Zones IDE Debug Setup IDE Debug Commands Platform Builder Integrated Kernel Debugger Other Debugging.

CS 460/660 Compiler Construction. Class 01 2 Why Study Compilers? Compilers are important – –Responsible for many aspects of system performance Compilers.

Amit Malik SecurityXploded Research Group FireEye Labs.

Design - programming Cmpe 450 Fall Dynamic Analysis Software quality Design carefully from the start Simple and clean Fewer errors Finding errors.

Stealing Passwords Remotely & Malware Analysis PacITPros May 8, 2012.

Title of Presentation DD/MM/YYYY © 2015 Skycure Why Are Hackers Winning the Mobile Malware Battle.

Introduction to Information Security מרצים : Dr. Eran Tromer: Prof. Avishai Wool: מתרגלים : Itamar Gilad

Slides by Kent Seamons and Tim van der Horst Last Updated: Nov 11, 2011.

Fuzzing And Oracles By: Thomas Sidoti. Overview Introduction Motivation Fuzzable Exploits Oracles Implementation Fuzzing Results.

Random Test Generation of Unit Tests: Randoop Experience

Week 6 MondayTuesdayWednesdayThursdayFriday Testing III Reading due Group meetings Testing IVSection ZFR due ZFR demos Progress report due Readings out.

Lecture 10 Anti-debugger techniques. Anti-debuggers Making reverse-engineering and disassembly painful –Polymorphism –Encryption –Interrupt disabling.

Software Testing Reference: Software Engineering, Ian Sommerville, 6 th edition, Chapter 20.

Software Testing By Souvik Roy. What is Software Testing? Executing software in a simulated or real environment, using inputs selected somehow.

Software Engineering Lecture 11 Software Testing Presenter: Josef Hallberg 1.

CHAPTER 4 Methodology.

CSCE 548 Secure Software Development Risk-Based Security Testing

Static and dynamic analysis of binaries

CS5123 Software Validation and Quality Assurance

Introduction to Information Security

Where do security bugs come from?

CS 465 Buffer Overflow Slides by Kent Seamons and Tim van der Horst

CSE 303 Concepts and Tools for Software Development

Reverse engineering through full system simulations

Engineering Secure Software

White Box testing & Inspections

Hello World Program In Visual Studio and Debugging

Presentation transcript:

Tim Newsham and Alex Stamos Stanford CS155 April 6, 2010 Bug Finding Techniques

2 Your Humble Narrators Tim Newsham Security Researcher ISS, SNI, NAI, iSEC U of Hawaii BSEE, U of Arizona MSCS Alex Stamos Co-Founder and Partner LBNL, UC Berkeley BS EECS

3 Agenda Why are you finding bugs? Overview of common techniques Fuzzing Debugging and Process Stalking Reverse Engineering Demo Discussion

4 Why are you finding bugs? Black Hat ResearcherSecurity Engineer Disassembly Fuzzing Source Review Stolen Source Review Static Analysis Debugging

5 Bertha the Black Hat of Ill Repute Goal Dependable Exploitation Stealthy Thoroughness Usually only need one bug No need to document coverage Access Often no source

6 Marvin the Megalomaniacal Researcher Goal Column inches from press, props from friends Preferably in a trendy platform Make money from ZDI/Pwn2Own Thoroughness Don’t need to be perfect, don’t want to be embarrassed Access Casual access to engineers Source == Lawyers

7 Sally the Stressed Security Engineer Goal Find as many flaws as possible Reduce incidence of exploitation* Thoroughness Must have coverage metrics Should at least find low-hanging fruit Access Source code, debug symbols, engineers Money for tools and staff

8 The Difficulty of Defense So, oft in theologic wars The disputants, I ween, Rail on in utter ignorance Of what each other mean, And prate about an Elephant Not one of them has seen!

9 The Difficulty of Defense Asymmetric Warfare Defenders always have to be perfect Attackers can be good and lucky Knowing this, is bug finding an efficient defense strategy?

10 Limitations of Today’s Lecture The most important flaws we find are NOT implementation flaws Common problems: Trusting untrusted components Poor use of cryptography Overreliance on DRM Forgotten or cut security features

11 Black Box Bug Finding Basic goal is to exercise all states of software while watching for a response that indicates vulnerability Exercise Manual manipulation Fuzzing Process hooking Watch for response Process stalking Debugging Emulation Determine exploitability Disassembly Debugging

12 Fuzzing

13 “Smarter Fuzzing” Record or implement path through gating functions Utilize knowledge of protocol or file format Use process hooking

14 Debugging

15 Reverse Engineering Decompilation Often used for semi-compiled code.Net CLR Java Flash Can work with C++ w/ symbols Disassembly 1:1 matching with machine code Modern disassemblers allow for highly automated analysis process Protocol Reverse Engineering

16 Disassembly - IDA Pro

17 Reversing Patches - BinDiff

18 Defeating Black Box Bug Analysis Many programs include anti-debug functionality Check PDB System calls, monitor process space Throw INTs, test for catch Timing tests Anti-Reversing Dynamic Unpacking Pointer Arithmetic Encrypted and obfuscated function calls

19 Anti-Anti-Debug - Snitch

20 Snitch Output on WMP Potential break-point debugger check at 0x4bf9f889 (blackbox.dll) Exception handler 1 is at 0x4bf9fe71 (blackbox.dll) Exception handler 2 is at 0x7c839ac0 (kernel32.dll) Potential break-point debugger check at 0x4bf9f9fc (blackbox.dll) Exception handler 1 is at 0x4bf9fe71 (blackbox.dll) Exception handler 2 is at 0x7c839ac0 (kernel32.dll) Potential break-point debugger check at 0x4bf9f889 (blackbox.dll) Exception handler 1 is at 0x4bf9fe71 (blackbox.dll) Exception handler 2 is at 0x7c839ac0 (kernel32.dll) Potential break-point debugger check at 0x4bf9f889 (blackbox.dll) Exception handler 1 is at 0x4bf9fe71 (blackbox.dll) Exception handler 2 is at 0x7c839ac0 (kernel32.dll) Potential break-point debugger check at 0x4bf9f889 (blackbox.dll) Exception handler 1 is at 0x4bf9fe71 (blackbox.dll) Exception handler 2 is at 0x7c839ac0 (kernel32.dll) Potential OutputDebugString debugger check at 0x7c812aeb Module: \Device\HarddiskVolume1\WINDOWS\system32\kernel32.dll Potential break-point debugger check at 0x4df75f36 (drmv2clt.dll) Exception handler 1 is at 0x4dfda68e (drmv2clt.dll) Exception handler 2 is at 0x7c839ac0 (kernel32.dll)

21 White Box Bug Finding Black Box techniques always work better with more context More quickly triage flaws Patch flaws much faster Analysis can start with source code Look at sensitive areas Use lexical analysis to give pointers Flawfinder RATS Use semantic analysis Coverity Fortify Most White Box techniques also increase false positive count

22 Hard to Find Bugs MS – Remote Code Execution in IE 5-8 function window :: onload () { var SourceElement = document.createElement ("div"); document.body.appendChild (SourceElement); var SavedEvent = null; SourceElement.onclick = function () { SavedEvent = document.createEventObject (event); document.body.removeChild (event.srcElement); } SourceElement.fireEvent ("onclick"); SourceElement = SavedEvent.srcElement; }

23 Hard to Find Bugs How does this become a reliable exploit? Heap spraying allows for predictable control of memory space IE Small Block Manager Reuses Pages Asynchronous Garbage Collection can be synchronized by attacker: CollectGarbage() How about on more modern OSes? ASLR and DEP defeated with Flash JIT Return Oriented Programming Good analyses of Aurora Exploit:

24 Future of Bug Finding How could you find this bug? Requires understanding of IE code Difficult to triage Low-Hanging Fruit is Gone This bug has existed since IE5 Initial flaw can be found by smart fuzzing. How would you do that? Exploitation should require 2-3 flaws for reliability

25 More Reading Shellcoder’s Handbook

Thank you for coming!