
Bug Finding In The Real World

Bug Finding In The Real World. Alex Stamos, Aaron Grattafiori. Stanford CS155, April 17, 2012. Your Humble Narrators: Alex Stamos, Co-Founder and CTO; LBNL, Loudcloud, @stake; UC Berkeley BS EECS. Aaron Grattafiori, Senior Security Consultant; Security Innovation, MyBasement.


Presentation Transcript


  1. Bug Finding In The Real World Alex Stamos Aaron Grattafiori Stanford CS155 April 17, 2012

  2. Your Humble Narrators
     • Alex Stamos
       • Co-Founder and CTO
       • LBNL, Loudcloud, @stake
       • UC Berkeley BS EECS
     • Aaron Grattafiori
       • Senior Security Consultant
       • Security Innovation, MyBasement
       • UC HardKnox BS

  3. Agenda
     • Why are you finding bugs?
     • Overview of common techniques
       • Fuzzing
       • Debugging and Process Stalking
       • Reverse Engineering
     • Real World Examples
     • Ethics and Advice
     • Discussion

  4. Why are you finding bugs?
     (diagram of bug-finding techniques: Stolen Source Review, Disassembly, Fuzzing, Debugging, Static Analysis, Source Review)

  5. Bertha the Black Hat of Ill Repute
     • Goal
       • Dependable Exploitation
       • Stealth
     • Thoroughness
       • Usually only need one bug
       • No need to document coverage
     • Access
       • Often no source

  6. Marvin the Megalomaniacal Researcher
     • Goal
       • Column inches from press, props from friends
       • Preferably in a trendy platform
       • Make money from ZDI/Pwn2Own
     • Thoroughness
       • Don’t need to be perfect, don’t want to be embarrassed
     • Access
       • Casual access to engineers
       • Source == Lawyers

  7. Sally the Stressed Security Engineer
     • Goal
       • Find as many flaws as possible
       • Reduce incidence of exploitation*
     • Thoroughness
       • Must have coverage metrics
       • Should at least find low-hanging fruit
     • Access
       • Source code, debug symbols, engineers
       • Money for tools and staff

  8. The Difficulty of Defense
     So, oft in theologic wars
     The disputants, I ween,
     Rail on in utter ignorance
     Of what each other mean,
     And prate about an Elephant
     Not one of them has seen!

  9. The Difficulty of Defense
     • Asymmetric Warfare
       • Defenders always have to be perfect
       • Attackers can be good and lucky
     • Knowing this, is bug finding an efficient defense strategy?

  10. Limitations of Today’s Lecture
     • The most important flaws we find are NOT implementation flaws
     • Common problems:
       • Trusting untrusted components
       • Poor use of cryptography
       • Overreliance on DRM
       • Forgotten or cut security features

  11. Black Box Bug Finding
     • Basic goal is to exercise all states of software while watching for a response that indicates vulnerability

  12. Fuzzing

  13. “Smarter Fuzzing”
     • Record or implement path through gating functions
     • Utilize knowledge of protocol or file format
     • Use process hooking

  14. Debugging

  15. Reverse Engineering
     • Decompilation
       • Often used for semi-compiled code
         • .Net CLR
         • Java
         • Flash
       • Can work with C++ w/ symbols
     • Disassembly
       • 1:1 matching with machine code
       • Modern disassemblers allow for highly automated analysis process
     • Protocol Reverse Engineering

  16. Disassembly - IDA Pro

  17. Reversing Patches - BinDiff

  18. Defeating Black Box Bug Analysis
     • Many programs include anti-debug functionality
       • Check PDB
       • System calls, monitor process space
       • Throw INTs, test for catch
       • Timing tests
     • Anti-Reversing
       • Dynamic Unpacking
       • Pointer Arithmetic
       • Encrypted and obfuscated function calls

  19. Anti-Anti-Debug - Snitch

  20. Snitch Output on WMP
     Potential break-point debugger check at 0x4bf9f889 (blackbox.dll)
     Exception handler 1 is at 0x4bf9fe71 (blackbox.dll)
     Exception handler 2 is at 0x7c839ac0 (kernel32.dll)
     Potential break-point debugger check at 0x4bf9f9fc (blackbox.dll)
     Exception handler 1 is at 0x4bf9fe71 (blackbox.dll)
     Exception handler 2 is at 0x7c839ac0 (kernel32.dll)
     Potential break-point debugger check at 0x4bf9f889 (blackbox.dll)
     Exception handler 1 is at 0x4bf9fe71 (blackbox.dll)
     Exception handler 2 is at 0x7c839ac0 (kernel32.dll)
     Potential break-point debugger check at 0x4bf9f889 (blackbox.dll)
     Exception handler 1 is at 0x4bf9fe71 (blackbox.dll)
     Exception handler 2 is at 0x7c839ac0 (kernel32.dll)
     Potential break-point debugger check at 0x4bf9f889 (blackbox.dll)
     Exception handler 1 is at 0x4bf9fe71 (blackbox.dll)
     Exception handler 2 is at 0x7c839ac0 (kernel32.dll)
     Potential OutputDebugString debugger check at 0x7c812aeb
     Module: \Device\HarddiskVolume1\WINDOWS\system32\kernel32.dll
     Potential break-point debugger check at 0x4df75f36 (drmv2clt.dll)
     Exception handler 1 is at 0x4dfda68e (drmv2clt.dll)
     Exception handler 2 is at 0x7c839ac0 (kernel32.dll)

  21. White Box Bug Finding
     • Black Box techniques always work better with more context
       • More quickly triage flaws
       • Patch flaws much faster
     • Analysis can start with source code
       • Look at sensitive areas
       • Use lexical analysis to give pointers
         • Flawfinder
         • RATS
       • Use semantic analysis
         • Coverity
         • Fortify
     • Most White Box techniques also increase false positive count
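As an added example (not from the slides or from any of the tools named), a tiny lexical scanner in the spirit of Flawfinder/RATS: it shows the low-hanging fruit such a tool points to and, when comment/string stripping is switched off, the false positives the slide refers to. SAMPLE_C, RULES and lexical_scan are constructed for this example.

```python
import re

# Constructed C sample: one real strcpy() call, plus mentions of strcpy()
# inside a comment and inside a string literal. A lexical tool must decide
# which of these count; a naive grep counts all of them.
SAMPLE_C = r'''
#include <string.h>
/* we replaced strcpy() here last year */
void copy_name(char *dst, const char *src) {
    strncpy(dst, src, 64);          /* bounded, but is 64 the size of dst? */
    printf("strcpy() is unsafe\n");
    strcpy(dst, src);               /* unbounded copy: the real finding */
    gets(dst);
}
'''

# Function name -> (risk level, reason), modelled loosely on Flawfinder-style rule sets.
RULES = {
    "gets":    (5, "no bound at all; cannot be used safely"),
    "strcpy":  (4, "unbounded copy into dst"),
    "sprintf": (4, "unbounded formatted write"),
    "strncpy": (1, "bounded, but the bound may not match the size of dst"),
}

_COMMENT_OR_STRING = re.compile(r'/\*.*?\*/|//[^\n]*|"(?:\\.|[^"\\])*"', re.S)

def strip_comments_and_strings(src):
    """Blank out comments and string literals but keep every newline, so the
    line numbers we report still refer to the original file."""
    return _COMMENT_OR_STRING.sub(lambda m: re.sub(r"[^\n]", " ", m.group(0)), src)

def lexical_scan(src, skip_noise=True):
    """Return [(line, name, risk, reason)] for every call to a RULES function,
    highest risk first. With skip_noise=False the scan degrades to a grep and
    also reports the mentions in comments and strings (false positives)."""
    text = strip_comments_and_strings(src) if skip_noise else src
    call = re.compile(r"\b(" + "|".join(map(re.escape, RULES)) + r")\b\s*\(")
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in call.finditer(line):
            risk, reason = RULES[m.group(1)]
            findings.append((lineno, m.group(1), risk, reason))
    return sorted(findings, key=lambda f: -f[2])
```

Even the cleaned-up scan still rates strncpy as a pointer worth a look rather than a bug, which is exactly the triage work a lexical tool leaves to the reviewer.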

  22. Hard to Find Bugs
     • MS10-002 – Remote Code Execution in IE 5-8

     function window :: onload () {
         var SourceElement = document.createElement ("div");
         document.body.appendChild (SourceElement);
         var SavedEvent = null;
         SourceElement.onclick = function () {
             SavedEvent = document.createEventObject (event);
             // the element removed here stays reachable through SavedEvent
             document.body.removeChild (event.srcElement);
         }
         SourceElement.fireEvent ("onclick");
         SourceElement = SavedEvent.srcElement;
     }

  23. Hard to Find Bugs
     • How does this become a reliable exploit?
       • Heap spraying allows for predictable control of memory space
       • IE Small Block Manager reuses pages
       • Asynchronous garbage collection can be synchronized by the attacker: CollectGarbage()
     • How about on more modern OSes?
       • ASLR and DEP defeated with Flash JIT
       • Return Oriented Programming: http://cseweb.ucsd.edu/~hovav/talks/blackhat08.html
     • Good analyses of the Aurora exploit:
       • http://www.geoffchappell.com/viewer.htm?doc=notes/security/aurora/index.htm
       • http://www.hbgary.com/wp-content/themes/blackhat/images/hbgthreatreport_aurora.pdf

  24. Future of Bug Finding
     • How could you find this bug?
       • Requires understanding of IE code
       • Difficult to triage
     • Low-Hanging Fruit is Gone
       • This bug has existed since IE5
       • Initial flaw can be found by smart fuzzing. How would you do that?
       • Exploitation should require 2-3 flaws for reliability

  25. Jailbreaking; honorable exploitation
     • A tale of incentives
     • Apple continues to take steps to prevent jailbreaks.
     • Android takes a somewhat different approach, still is jailbroken
     • Jailbreaking of: TVs? Cars? Houses? Robots?
     (ps. comex now works at Apple)

  26. Bugs and Exploits in the Wild
     Crypto doesn’t fail, the implementations do…*
     • Browsers don’t know a site is SSL unless it forces them to use it.
     • Man-in-the-middle attacks are possible… but… my site is over SSL you say!
     • SSL typically works via a 302 HTTP redirect
     • UIs are hard to get right…
     • Browsers only indicate insecurity when security is used in the first place
     • Moxie Marlinspike pointed out the gorilla in the room. Enter SSL Stripping:
       • https://github.com/moxie0/sslstrip
       • http://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf
     * http://rdist.root.org/2010/11/19/dsa-requirements-for-random-k-value/
     * https://en.wikinews.org/wiki/Predictable_random_number_generator_discovered_in_the_Debian_version_of_OpenSSL

  27. Solution??
     • Tricky problem to solve…
     • HTTP Strict Transport Security (HSTS) is gaining traction
     • Google’s SPDY requires the use of SSL
     • Security at lower OSI layers?
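An added example, not from the slides, of the HSTS mechanism the slide points to as the answer to SSL stripping: a minimal policy store that learns Strict-Transport-Security headers only over HTTPS and rewrites later http:// navigations before any request leaves the browser, so a stripping attacker's plain-HTTP 302 is never fetched. HstsStore, its clock parameter and the bank.example hosts are assumptions of this example.

```python
import re
import time
from urllib.parse import urlsplit, urlunsplit

class HstsStore:
    """Per-host HSTS policies: host -> (expiry timestamp, includeSubDomains)."""

    def __init__(self, clock=time.time):
        self.entries = {}
        self.clock = clock   # injectable so expiry can be exercised in tests

    def process_response(self, url, headers):
        """Learn a policy from a response. RFC 6797 only lets the header count
        when it arrived over HTTPS, so a header injected on plain HTTP is ignored."""
        parts = urlsplit(url)
        value = headers.get("Strict-Transport-Security")
        if parts.scheme != "https" or value is None or not parts.hostname:
            return False
        m = re.search(r'max-age\s*=\s*"?(\d+)', value, re.I)
        if not m:
            return False
        host = parts.hostname.lower()
        max_age = int(m.group(1))
        if max_age == 0:                       # max-age=0 deletes the policy
            self.entries.pop(host, None)
            return True
        sub = re.search(r"\bincludeSubDomains\b", value, re.I) is not None
        self.entries[host] = (self.clock() + max_age, sub)
        return True

    def is_known(self, host):
        """True if host, or a parent domain with includeSubDomains, has a live policy."""
        labels = host.lower().split(".")
        now = self.clock()
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False

    def upgrade_url(self, url):
        """Rewrite http:// to https:// for a known host before any request is sent.
        The stripped redirect lives on the plain-HTTP leg, which is now never used."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not parts.hostname or not self.is_known(parts.hostname):
            return url
        netloc = parts.hostname if parts.port in (None, 80) else parts.netloc
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
```

The first visit is still unprotected, which is why browsers ship a preload list on top of this cache.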

  28. Bugs and Exploits in the Wild
     • Hacktivism
       • Anonymous vs <insert flavor of week>
       • “Hacktivist groups were responsible for 58% of all data stolen last year” – Verizon 2012 Data Breach report
       • Victims of opportunity
     • Outcomes
       • Exposure of client info, customer info, usernames, passwords, sensitive information
       • Damage focusing on the reputation and data exposure

  29. Bugs and Exploits in the Wild
     • Stuxnet
       • [ worm [ rootkit [ rootkit [ sabotage ] ] ] ]
       • Four zero-day vulnerabilities
       • Two stolen certificates
       • Eight propagation methods
       • Partridge in a malware pear tree

  30. Did you say… Four OH-days?
     • Mixed MS Windows environment = Redundant
     • Not exploiting memory corruption = Reliable

  31. Stuxnet http://www.eset.com/resources/white-papers/Stuxnet_Under_the_Microscope.pdf

  32. Let’s overview…

  33. http://arstechnica.com/business/news/2012/04/stuxnet-worm-reportedly-planted-by-iranian-double-agent-using-memory-stick.ars

  34. Vulnerability Fruit Punch
     • Zero-Day* Vulnerabilities:
       • MS08-067 (NetPathCanonicalize()) (Patched)
         • http://www.phreedom.org/blog/2008/decompiling-ms08-067/
       • MS10-046 (Shell LNK / Shortcut)
       • MS10-061 (Print Spooler Service)
       • MS10-073 (Win32K Keyboard Layout)
       • MS10-092 (Task Scheduler)
       • CVE-2010-2772 (Siemens SIMATIC Static Password)

  35. MS10-061 aka CVE-2010-2729
     • Kaspersky mentioned to Microsoft they saw printer enumeration during network propagation
     • Using the guest account, Stuxnet “prints” to a file into: \Windows\System32
     • This only allows file writing… not remote execution
     • Enter MOF (Managed Object Format)

  36. MOF
     • Confusing chain of Microsoft buzzwords
     • Windows\System32\wbem\mof\
     • Metasploit module available (ms10_061_spoolss.rb)

  37. MS10-092 aka CVE-2010-3338
     • Windows >= Vista stores scheduled tasks in an XML format
     • Pre Vista used ???
     • Users can write and edit their tasks, CRC32 is used
     • …….. CRC32 ….

  38. MS10-092 continued…
     • Created task as normal user, record CRC32 value
     • Modified user definition in the task to LocalSystem
     • Take CRC32 of the task XML, pad until the CRC32 matches original
     • ?????
     • Profit

  39. Stuxnet Redux
     • Memory corruption exploitation is difficult
     • Design exploitation is 99% reliable
     • Complex systems will always have vulnerabilities
     • Was Stuxnet a…. Cyb3R W34PoN?
     • Good Watching:
       • Bruce Dang, Microsoft “Adventures in Analyzing Stuxnet” @ 27C3
       • https://www.youtube.com/watch?v=fVNHX1Hrr6w (NSFW Language)
     • Good reading:
       • http://www.symantec.com/connect/blogs/w32stuxnet-dossier
       • http://www.eset.com/resources/white-papers/Stuxnet_Under_the_Microscope.pdf

  40. Ethics
     • Big ethical debates used to be: Responsible vs Full Disclosure
     • Debate has shifted to: Disclosure vs Selling Weapons

  41. Some Advice
     • Shape your job around your ethical standpoint, not vice versa
     • Take a startup job while this is your primary expense:
     • Find a stretch position… and stretch

  42. More Reading
     • http://www.openrce.org/articles/
     • Shellcoder’s Handbook
     • http://www.Rootkits.com
     • http://phrack.org/
     • http://uninformed.org/?v=all
     • http://peachfuzzer.com/

  43. Thank you for coming! alex@isecpartners.com aaron@isecpartners.com
