Presentation is loading. Please wait.

Presentation is loading. Please wait.

A software analysis framework built on Phoenix.  Matt Miller  Leviathan Security Group  Metasploit Framework  Uninformed Journal  Not a static analysis.

Published byCollin Skinner Modified over 9 years ago

Similar presentations

Presentation on theme: "A software analysis framework built on Phoenix.  Matt Miller  Leviathan Security Group  Metasploit Framework  Uninformed Journal  Not a static analysis."— Presentation transcript:

1 A software analysis framework built on Phoenix

2  Matt Miller  Leviathan Security Group  Metasploit Framework  Uninformed Journal  Not a static analysis expert

3  Cthulhu software analysis framework  Very high-level architectural overview  Interesting features  Case study

4  Software optimization and analysis  Basis for future Microsoft compilers and tools  Robust and extensible architecture ◦ Plugins ◦ Phases  Check out Richard Johnson’s talk to learn more

5  RDK/SDK not yet completely solidified ◦ Encapsulation can help here  API is feature rich but verbose ◦ No simplified wrapper  No solution for large-scale analysis ◦ LTCG is not enough

6  Software analysis framework  Hobby project started in June, 2006  Written in C#  Currently around 28KLOC

7  Simplified Programming Interface ◦ Simple and extensible API ◦ Fundamental independence  Large-scale analysis ◦ Modeling behavior of large systems ◦ Pie in the sky: Windows Vista  Research Sandbox ◦ A playground for experimentation ◦ Phoenix can also be used directly for this purpose

8 Fundamentals Analysis Engine Peons Tools IDA Phoenix Control Flow Data Flow Rendering Analysis DB

9 Fundamentals Analysis Engine Peons Tools IDA Phoenix Control Flow Data Flow Rendering Analysis DB

10  Uses a fundamental to load assemblies  Runs phases ◦ Import ◦ Analyze ◦ Render  Peons register to be notified on certain events

11 Analysis Engine Phoenix Fundamental 1. Load Assembly DB Importing Peons Control Flow Data Flow 2. Assembly Loaded 4. Normalize Information 3. Import Event 5. Import Event Basic Types

12 Analysis Engine Database Fundamental 1. Load Assembly DB Analyzing Peons Analyzing Peons Path Discovery Leak Check 3. Assembly Loaded 5. Normalize and Denormalize Information 4. Analysis Event 6. Analysis Event 2. Denormalize Assembly Information

13 Analysis Engine Rendering Peons Rendering Peons Console GUI 1. Render DB 2. Denormalize Output Store Output Store 3. Display

14  Extensible and flexible way to represent binary information  May be used to support large-scale analysis ◦ Hundreds of modules ◦ More work needs to be done  Performance overhead is non-trivial ◦ Processing time can be high ◦ Volatile memory usage can be kept low

15 Simplified API Version-independent modeling Conceptual modeling

16 Assembly Module Data Type Method Module Data Type Method Module Data Type Method DB Abstract classes provide fundamental independence … … Concrete Implementations Phoenix

17 Modeling version independent relationships between software elements in the database void CallExitProcess() { ExitProcess(0); } CallExitProcess 1 ExitProcess ExitProcess 1 ExitProcess 2 ExitProcess 3 ExitProcess 4 Appropriate versions can be selected at analysis time Call to version independent kernel32!ExitProcess Distinct versions of kernel32!ExitProcess

18 Universe VPN Client VPN Server Device Driver User Interface Daemon vpn.sys vpngui.exe dialogs.dll daemon.exe

19 Finding inter-component data flow paths

20  Web Services is a simple remoting interface ◦ Clients invoke methods hosted on a web server ◦ Server handles requests and provides responses  Problematic for static analysis ◦ Clients pass data to the server indirectly (network) ◦ Limits the scope at which analysis can be performed  Let’s walk through an example

21 [WebService] public class WebService { [WebMethod] public void ExecuteCommand(string command) { Process.Start(command); } Simple web service that invokes a process using the supplied command string

22 [WebServiceBinding] public class WebClient : SoapHttpClientProtocol { [SoapDocumentMethod] public void ExecuteCommand(string command) { Invoke("ExecuteCommand", new object[] { command ); } Simple web client that wraps the invocation of the web service method

23  To illustrate a relationship, the client invocation and server method must be bridged  Bridging can take a few different forms ◦ Automatic detection of relationships ◦ Manual description of relationships  Bridging is an abstract concept though ◦ How do we make it concrete?

24  A concrete relationship can be shown by linking formal parameters fin(ExecuteCommand, 0) WebClient WebService

25 Web Application Web Client WebClient.dll WebClient ExecuteCommand Enter Block fin(0) Web Service WebService.dll WebService ExecuteCommand Enter Block fin(0)

26  Describing indirect relationships improves the quality of analysis information  Widens the scope for control flow and data flow analysis  The Path Discovery peon can help illustrate this

27  Designed to find reachable flow paths ◦ From a set of sources ◦ To a set of sinks ◦ Within a set of target assemblies  Current restrictions ◦ Requires the database fundamental ◦ Only operates on data flow information

28  Command Injection represents one type of security flaw found in managed applications  This can happen when user-controlled data is used in conjunction with launching a process  For example, data passing… ◦ From HttpRequest.get_QueryString ◦ To Process.Start  This should be easy to detect, right?

29  Finding data flow paths from get_QueryString to Start can be problematic  Lowest level data flow information is conveyed with respect to instructions  What if hundreds of assemblies are being analyzed? ◦ Not enough physical memory!

30  Path Discovery makes use of generalized data flow relationships ◦ Block-tier, method-tier, type-tier, etc…  Reachable paths are identified using a simple algorithm ◦ Progressive Qualified Elaboration (PQE)  PQE is designed to reduce the amount of analysis information that must be considered

31 Reachable paths are progressively found between source and sink flow descriptors within a set of target assemblies

32 TierInformation Component fout(Undefined) Assembly fout(System.Web) Data Type fout(System.Web.HttpRequest) Method fout(get_QueryString, 0) Basic Block fout(get_QueryString, 0) Instruction fout(get_QueryString, 0) TierInformation Component fin(Undefined) Assembly fin(System) Data Type fin(System.Dia…Process) Method fin(Start, 0) Basic Block fin(Start, 0) Instruction fin(Start, 0) Source flow descriptor Sink flow descriptor

33  Suppose there is some code in the web client that does the following ◦ client.ExecuteCommand(request.QueryString[x]);  Bridging makes it possible to show a complete data flow path from get_QueryString to Start  Let’s see how we get there using PQE ◦ PQE starts from a macro-tier, such as the component tier

34 Data flow Def-Use relationships between components Interpretation: In at least one situation, v uses data defined by u

35 Data flow Def-Use relationships between assemblies

36 Data flow Def-Use relationships between data types

37 Data flow Def-Use relationships between methods

38 Data flow Def-Use relationships between blocks

39 Data flow Def-Use relationships between instructions

40  A complete data flow path is identified  Data flows across an indirect boundary  Without bridging, it would not be possible to seamlessly perform this analysis ◦ This means the security issue would be missed  Note that the security issue exists in the web service independent of the web client ◦ Example was meant to show simple indirect data flow

41  Import and analyze large data sets ◦ All PE modules from Windows Vista?  Improve database performance ◦ Optimization work has not started yet ◦ It is currently very slow  Implement additional peons ◦ Leak Check  And the list goes on…

42  Phoenix is an exciting project  Software analysis is fun & challenging  Hopefully the database stuff pans out  Questions?

Download ppt "A software analysis framework built on Phoenix.  Matt Miller  Leviathan Security Group  Metasploit Framework  Uninformed Journal  Not a static analysis."

Similar presentations

Network II.5 simulator ..

Network II.5 simulator ..
.NET Technology. Introduction Overview of.NET What.NET means for Developers, Users and Businesses Two.NET Research Projects:.NET Generics AsmL.

.NET Technology. Introduction Overview of.NET What.NET means for Developers, Users and Businesses Two.NET Research Projects:.NET Generics AsmL.
TSpaces Services Suite: Automating the Development and Management of Web Services Presenter: Kevin McCurley IBM Almaden Research Center Contact: Marcus.

TSpaces Services Suite: Automating the Development and Management of Web Services Presenter: Kevin McCurley IBM Almaden Research Center Contact: Marcus.
Tahir Nawaz Introduction to.NET Framework. .NET – What Is It? Software platform Language neutral In other words:.NET is not a language (Runtime and a.

Tahir Nawaz Introduction to.NET Framework. .NET – What Is It? Software platform Language neutral In other words:.NET is not a language (Runtime and a.
CIM2564 Introduction to Development Frameworks 1 Overview of a Development Framework Topic 1.

CIM2564 Introduction to Development Frameworks 1 Overview of a Development Framework Topic 1.
Technical Architectures

Technical Architectures
15 Chapter 15 Web Database Development Database Systems: Design, Implementation, and Management, Fifth Edition, Rob and Coronel.

15 Chapter 15 Web Database Development Database Systems: Design, Implementation, and Management, Fifth Edition, Rob and Coronel.
CS 501: Software Engineering Fall 2000 Lecture 16 System Architecture III Distributed Objects.

CS 501: Software Engineering Fall 2000 Lecture 16 System Architecture III Distributed Objects.
Java Programming, 3e Concepts and Techniques Chapter 1 An Introduction to Java and Program Design.

Java Programming, 3e Concepts and Techniques Chapter 1 An Introduction to Java and Program Design.
Interpret Application Specifications

Interpret Application Specifications
Outline. 1-2 25 Chapter 1 Hardware, Software, Programming, Web surfing, email… Chapter Goals –Describe the layers of a computer system –Describe the concept.

Outline Chapter 1 Hardware, Software, Programming, Web surfing, … Chapter Goals –Describe the layers of a computer system –Describe the concept.
Course Instructor: Aisha Azeem

Course Instructor: Aisha Azeem
Architectural Design Establishing the overall structure of a software system Objectives To introduce architectural design and to discuss its importance.

Architectural Design Establishing the overall structure of a software system Objectives To introduce architectural design and to discuss its importance.
1. 2 Chapter 1 Introduction to Computers, Programs, and Java.

1. 2 Chapter 1 Introduction to Computers, Programs, and Java.
An external perspective.  Matt Miller  Consultant with Leviathan Security Group  Core developer for the Metasploit Framework  Uninformed Journal editor.

An external perspective.  Matt Miller  Consultant with Leviathan Security Group  Core developer for the Metasploit Framework  Uninformed Journal editor.
Automatic Software Testing Tool for Computer Networks ARD Presentation Adi Shachar Yaniv Cohen Dudi Patimer www.cs.bgu.ac.il/~adishach.

Automatic Software Testing Tool for Computer Networks ARD Presentation Adi Shachar Yaniv Cohen Dudi Patimer
©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 13 Slide 1 Application architectures.

©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 13 Slide 1 Application architectures.
A Free sample background from www.powerpointbackgrounds.com © 2001 By Default!Slide 1.NET Overview BY: Pinkesh Desai.

A Free sample background from © 2001 By Default!Slide 1.NET Overview BY: Pinkesh Desai.
Java Programming, 2E Introductory Concepts and Techniques Chapter 1 An Introduction to Java and Program Design.

Java Programming, 2E Introductory Concepts and Techniques Chapter 1 An Introduction to Java and Program Design.
A First Program Using C#

A First Program Using C#

Similar presentations

Ads by Google