慢性代孕炎如何根治代孕糜烂-慢性代.ppt

1、Klicken Sie,um das Titelformat zu bearbeiten,Klicken Sie,um die Formate des Vorlagentextes zu bearbeiten,Zweite Ebene,Dritte Ebene,Vierte Ebene,Fnfte Ebene,*,Auditing Closed-Source Software,Using reverse engineering in a security context,2001 by HalVar Flake,Speech Outline(I):,Introduction to the to

2、pic:Different,approaches to auditing binaries,Review of C/C+programming mistakes,and how to spot them in the binary,Demonstration of finding a vulnerability in,a binary,Legal considerations,-Break-,Auditing Closed-Source Software,Using reverse engineering in a security context,2001 by HalVar Flake,S

3、peech Outline(II):,Problems encountered in the OOP world,manual structure&class reconstruction,automated structure&class reconstruction,automating the process of scanning for,suspicious constructs,Free time to answer questions and discuss,the topic,2001 by HalVar Flake,Legal considerations,Technical

4、ly,the reverse engineer breaks the license,agreement between him and the software vendor,as,he is forced to accept upon installation that he will not,reverse engineer the program.,The vendor could theoretically sue the reverse engineer,and revoke the license.,Depending on your local law,there are di

5、fferent ways,to defend your situation:,2001 by HalVar Flake,Legal considerations(EU),EU Law:,1991 EC Directive on the Legal Protection of,Computer Programs,Section 6,grants the right to decompilation for,interoperability purposes,Section 5.3,grants the right to decompilation for,error correction pur

6、poses,Under EU Law,these rights cannot be contracted away.,2001 by HalVar Flake,Legal considerations(USA),US Law:,Final form of DMCA includes exceptions to,copyright for:,Reverse engineering for interoperability,Encryption research,Security testing,One should ask his lawyer if these rights can be,co

7、ntracted away.,2001 HalVar Flake,Why audit binaries?,If youre a blackhat:,If youre a whitehat:,Many interesting systems(Firewalls)run closed-source software,New security vulnerabilities are every Administrators nightmare,You can annoy vendors by finding problems in their code,You can get an idea how

8、 secure a particular applications code is,2001 by HalVar Flake,Approach C:Looking for suspicious constructs,The reverse engineer tries to identify suspicious code construcs,then works,his way backwards through the application to determine how this code is reached.,Pros:,Reasonable depth:Even relativ

9、ely complex issues can,be uncovered,Saves time/work in comparison to Approach B,The process of identifying suspicious code constructs,can be partially automated,Cons:,Not all problems will be uncovered,Needs highly specialized auditor,Reading code backwards is very time consuming and,can be frustrat

10、ing,If nothing is found,the auditor is back to Approach B,2001 by HalVar Flake,Skills the auditor needs,A good understanding of assembly language,and compiler internals,Good knowledge of C/C+and the coding,mistakes that lead to security vulnerabilities,Only a good C/C+code auditor can be a,good bina

11、ry auditor,Lots and lots of endurance,patience and,time,2001 by HalVar Flake,Tools the auditor needs,As Disassembler:,IDA Pro by Ilfak Guilfanov,Can disassemble x86,SPARC,MIPS and much more.,Includes a powerful scripting language,Can recognize statically linked library calls,Features a powerful plug

12、in interface,Features CPU Module SDK for self-developed CPU modules,Automatically reconstructs arguments to standard calls via,type libraries,allows parsing of C-headers for adding new,standard calls&types,.much more.,2001 by HalVar Flake,strcpy(),and,strcat(),Old news:,Any call to,strcpy(),or,strc

13、at(),copying non-static,strings without proper bounds checking beforehand,has to be considered dangerous.,C/C+code auditing recap,2001 by HalVar Flake,sprintf(),and,vsprintf(),Old news:,Any call to,sprintf(),or a homemade function that,uses,vsprintf(),and expands user-supplied data into,a buffer by

14、just using,“%s“,in the format string,is dangerous.,C/C+code auditing recap,2001 by HalVar Flake,The,*scanf(),function family,Old news:,Any call to any member of the*scanf()function,family which uses the,%s“,format character in the,format string to parse user-supplied data into a,buffer is dangerous.

15、C/C+code auditing recap,2001 by HalVar Flake,The,strncpy(),pitfall,C/C+code auditing recap,While strncpy supports size checking,it does not,guarantee NUL-termination of the destination buffer.,So in cases where the code includes something like,strncpy(destbuff,srcbuff,sizeof(destbuff);,problems wil

16、l arise.,2001 by HalVar Flake,The,strncpy(),pitfall,C/C+code auditing recap,Source string,x0,data,After copying the source into a smaller buffer,the,destination string is not properly terminated any more.,Destination string,data with a x0 somewhere,Any subsequent operations which expect the string t

17、o,be terminated will work on the data behind our original,string as well.,2001 by HalVar Flake,The,strncat(),pitfall,As with,strncpy(),strncat(),supports size checking,but guarantees the proper termination of the string,after,the last byte has been written.,Furthermore,the fact that,strncat(),will u

18、sually need,to handle with dynamic values for,len,increases the,risk for cast screwups.,C/C+code auditing recap,2001 by HalVar Flake,The,strncat(),pitfall,Consider code like this:,strncat(dest,src,sizeof(dest)-strlen(dest);,This will write an extra NUL behind the end of dest if,the maximum size is f

19、ully utilized.,(so-called poison-null-byte),C/C+code auditing recap,2001 by Thomas Dullien aka HalVar Flake,The,strncat(),pitfall,Furthermore,one has to be careful about handling the,dynamic size_t len parameter:,voidfoo(char*source1,char*source2),charbuff100;,strncpy(buff,source1,sizeof(buff)-1);,s

20、trncat(buff,source2,sizeof(buff)-strlen(source1)-1);,C/C+code auditing recap,void func(char*dnslabel),char buffer256;,char *indx=dnslabel;,int count;,count=*indx;,buffer0=x00;,while(count!=0&(count+strlen(buffer)sizeof(buffer)-1),strncat(buffer,indx,count);,indx+=count;,count=*indx;,2001 by HalVar F

21、lake,Cast Screwups,C/C+code auditing recap,2001 by HalVar Flake,Format String Vulnerabilities,C/C+code auditing recap,Any call that passes user-supplied input directly to a,*printf(),-family function is dangerous.These calls can,Also be identified by their argument deficiency.,Consider this code:,pr

22、intf(%s“,userdata);,printf(userdata);,Argument deficiency,2001 by HalVar Flake,-x86 Assembly Recap-,C/C+code auditing recap,void*memcpy(void*dest,void*src,size_t n);,Assembly representation:,push4,moveax,unkn_40D278,pusheax,leaeax,ebp+var_458,pusheax,call_memcpy,2001 by HalVar Flake,strcpy(),and,str

23、cat(),Finding it in the disassembly,This call targets a stack buffer,The source is variable,not a static string,2001 by HalVar Flake,sprintf(),and,vsprintf(),Finding it in the disassembly,Target buffer is a stack buffer,Expanded strings are not static and not fixed in length,Format string containing

24、s“,2001 by HalVar Flake,The,*scanf(),function family,Finding it in the disassembly,Format string contains%s“,Data is parsed into stack buffers,2001 by HalVar Flake,The,strncpy()/strncat(),pitfall,Finding it in the disassembly,If the source is larger than,n,(4000 bytes),no NULL will be appended,Copy

25、ing data into a stack buffer again.,2001 by HalVar Flake,The,strncpy()/strncat(),pitfall,Finding it in the disassembly,The target buffer is only,n,bytes long,2001 by HalVar Flake,The,strncat(),pitfall,Finding it in the disassembly,Dangerous handling of,len,parameter,2001 by HalVar Flake,Cast Screwup

26、s,Finding it in the disassembly,Generally any function that uses a,size_t,for copying memory into a buffer.(,strncpy(),strncat(),fgets(),),The,size_t,has to be generated on run-time and must not be hardcoded,The,size_t,has be subtracted from or it has to be loaded via a,movsx,assembler instruction b

27、eforehand,2001 by HalVar Flake,Format String Vulnerabilities,Finding it in the disassembly,Argument deficiency,Format string is a dynamic variable,2001 by HalVar Flake,Why go after iWS SHTML again?,An Example:iWS 4.1 SHTML,Earlier research has shown that the“improved“SHTML parsing code has not been

28、written with security in mind,Since it was written before the wide publication of format string bugs,it has probably not been audited for it yet,I already had the file disassembled and on my box,disassembly takes way too long,2001 by HalVar Flake,The,INTlog_error(),call,An Example:iWS 4.1 SHTML,prin

29、tf(),-like parsing of arguments,Minimum stack correction for a dynamic format,string is 0 x1C 4=0 x18,2001 by HalVar Flake,A suspicious construct,An Example:iWS 4.1 SHTML,The format string is dynamic,We have an argument deficiency as 0 x14 0),lpCall=RfirstB(lpCall);,if(GetMnem(lpCall)=push),n=n-1;,i

30、f(GetOpType(lpCall,0)=1),TempReg=GetOpnd(lpCall,0);,lpCall=RfirstB(lpCall);,while(GetOpnd(lpCall,0)!=TempReg),lpCall=RfirstB(lpCall);,return(GetOpnd(lpCall,1);,else return(GetOpnd(lpCall,0);,Trace back until the,n-th push is found,Is the pushed operand,a register?,Find where the,register was last,ac

31、cessed.,.and return the value,which was pushed.,(source),2001 by HalVar Flake,(source),staticAuditSprintf(lpCall),autofString,fStrAddr,buffTarget;,buffTarget=GetArg(lpCall,1);,fString=GetArg(lpCall,2);,if(strstr(fString,offset)!=-1),fString=substr(fString,7,-1);,fStrAddr=LocByName(fString);,fString=

32、BinStrGet(fStrAddr);,if(GetStackCorr(lpCall)12),if(strlen(fString)Format String Problem?n,lpCall);,if(strstr(fString,%s)!=-1),if(strstr(buffTarget,var_)!=-1),Message(%lx-Overflow problem?%sn,lpCall,fString);,Clean up the arguments,Check if the target is a stack variable,Check for a dynamic,format st

33、ring,Check for argument deficiency,Check for%s“in format string,2001 by HalVar Flake,(source),static main(),autoFuncAddr,xref;,FuncAddr=AskAddr(-1,Enter address:);,xref=Rfirst(FuncAddr);,while(xref!=-1),if(GetMnem(xref)=call),AuditSprintf(xref);,xref=Rnext(FuncAddr,xref);,xref=DfirstB(FuncAddr);,whi

34、le(xref!=-1),if(GetMnem(xref)=call),AuditSprintf(xref);,xref=DnextB(FuncAddr,xref);,Ask auditor to enter the,address of the sprintf(),Call the auditing function,once for each call to sprintf(),Repeat for all indirect calls,2001 by HalVar Flake,A simple,strncpy(),-scanning script,Advanced topics:Auto

35、mation,Things to check for in a,strncpy(),-call:,Is the target buffer a stack variable?,Is the,maxlen,parameter equal to the,estimated,size of the target buffer?,Is the source buffer a non-static string?,2001 by HalVar Flake,Estimating Stack Buffer size,Advanced topics:Automation,static StckBuffSize

36、lpCall,cName),auto frameID,ofs,count;,frameID=GetFrame(lpCall);,while(strstr(cName,+)!=-1),cName=substr(cName,strstr(cName,+)+1,strlen(cName);,cName=substr(cName,0,strlen(cName)-1);,ofs=GetMemberOffset(frameID,cName);,count=ofs+1;,while(GetMemberName(frameID,count)=),count=count+1;,count=count-ofs;

37、return count;,Clean up name,Walk stackframe,until another var is,found,2001 by HalVar Flake,The,AudStrncpy(),-function,Advanced topics:Automation,static AudStrncpy(lpCall),auto buffTarget,buffSrc,maxlen;,auto srcString;,buffTarget=GetArg(lpCall,1);,buffSrc=GetArg(lpCall,2);,maxlen=GetArg(lpCall,3);

38、if(StckBuffSize(lpCall,buffTarget)=xtol(maxlen),if(strlen(BinStrGet(LocByName(buffSrc)2),Message(Suspicious strncpy()at%lx!n,lpCall);,Retrieve arguments,Check stack buffer size,against,maxlen,Check for,non-static,source buffer,2001 by HalVar Flake,Structure reconstruction(I),Advanced topics,Frequen

39、tly,large structures on the heap are used to hold connection data,error strings and the like.,IDA cannot yet reconstruct those structures,In order to check strncpy()and similar calls one has to estimate the size of individual structure members,2001 by HalVar Flake,Structure reconstruction(II),Advanc

40、ed topics,Access to structure members,2001 by HalVar Flake,Automated,struc,reconstruction,Automating the boring parts,2001 by HalVar Flake,Reconstructed,struc,members which,can now be named as we wish,bas_objrec.idc,results,Automating the boring parts,2001 by HalVar Flake,Problems with auditing OOP,

41、C+specific topics,Since the class data structure is unknown,estimating buffer size is hard.This leads to problems when analyzing certain function calls(e.g.,strncpy(),),Most overflows/problems occur in heap memory,If dangerous constructs exist,it is hard to evaluate the risk they pose as it is diffi

42、cult to determine what is overwritten,2001 by HalVar Flake,Reconstructing classes,C+specific topics,Many classes have a,vtable,that list all methods for that class.This table gives the reverse engineer a list of functions that all operate upon the same structure(the class itself).By using something

43、like the,bas_objrec.idc,script,one can reconstruct the class data structure and thus reconstruct the member boundaries.,2001 by HalVar Flake,Further reading,RE-oriented webpages,Home of the IDA Pro disassembler,archive.csee.uq.edu.au/csm/decompilation/,Cristina Cifuentes Decompilation page,Reverse engineering compiler,2001 by HalVar Flake,2001 by HalVar Flake,Open discussion concerning reverse engineering,Advanced topics,