Everyone has had that dreaded experience: you open up the task manager on your computer… and there’s a program name you don’t recognize. It gets worse when you google the name and can’t find a concrete answer on what it is and why it’s there. It gets even worse when you remove it from Autoruns and it comes back. It gets terrible when you realize it has keylogger functionality. The icing on the cake, however, is when the mystery program is also eating up all your RAM.
I’ll be speaking at Black Hat Briefings in Las Vegas this year, on “Lessons Of Static Binary Analysis”. The talk will be a two hour intensive workshop covering the details of binary transformation that make Veracode possible.
The topics will range from an introduction to decompilation theory, to the details of how to build an effective intermediate structural model. We’ll be covering control flow and data flow analysis and transformation, and you’ll come away from the talk with an understanding of how variable lifetimes are assessed, procedure arguments and returns discovered, and how to determine the targets of indirect jumps and …
No source code? No problem! That’s the motto of the binary analyst.
We at Veracode have pushed the limits of static analysis (studying a program’s behavior without running it) to automatically detect and report security vulnerabilities in our customers’ codebases. Doing binary static analysis by hand is still a worthwhile skill, however, with myriad practical uses:
- Uncovering the behavior of malware
- Patching bugs in old, unsupported programs
- Verifying a program does what it claims it does
- Looking for evidence of stolen code
- Reverse engineering protocols and file formats for product compatibility
- Realizing just how much other people can learn about your own code!
Laws concerning reverse engineering third-party …
One of the great things about the Veracode platform is the insight we get from examining our anonymized customer data – not only information about the vulnerability landscape (as published in the State of Software Security report) but insight into the composition of the applications that we scan. As I alluded in my last post, one of the things we record when scanning applications is the presence of frameworks and other supporting technologies, and we’ve been at work mining that data to understand what developers use to …
Let’s not mince words: this rambling diatribe from Oracle’s CSO is aimed directly at Veracode. No need for a cutesy acronym; we’re the only company with true static binary analysis technology, delivered as a service. Now that we’ve got that out of the way, let’s try to cut through the rhetoric (in just over a thousand words, to boot).
The recurring theme in her manifesto is the notion that certain software suppliers are “too big to test”. It’s fine for the little guys, but not the 800-pound gorillas. Instead, software purchasers should blindly trust companies with security …
[UPDATE! April 15: Pandora removes all advertising libraries from its Android and iPhone apps!]
The blog post we made earlier this week entitled, Mobile Apps Invading Your Privacy, gives detail around the information being requested by the advertisement libraries embedded inside a popular online radio application. There have been a number of great posts and comments that got us thinking more about the issues and the types of data being requested.
First off we want to thank some people who commented about the Pandora application not having permission to actually access the GPS on the device. Below are the …
[April 8: We've added some more information in a follow-up post]
An article in the Wall Street Journal, dated April 5, 2011, disclosed that Federal prosecutors in New Jersey are investigating numerous smart phone application manufacturers for allegedly, illegally obtaining and distributing personal private information to third party advertisement groups. The allegations state that mobile applications are gathering data such as GPS location, device identifiers, gender, and even user age without proper notice or authorization from the end user. The Journal tested 101 applications and found that 56 of them transmitted the device unique identifier off the device, while …
In this final part of the anti-debugging series we’re going to discuss process and thread block based anti-debugging. Processes and threads must be maintained and tracked by the operating system. In user space, information about the processes and threads are held in memory in structures known as the process information block (PIB), process environment block (PEB) and the thread information block (TIB). These structures hold data pertinent to the operation of that particular process or thread which is read by many of the API based anti-debugging methods we discussed previously.
When a debugger or reverse engineer tries …
It’s time for part three in the Anti-Debugging Series. With this post we will stay in the realm of “API based” anti-debugging techniques but go a bit deeper into some techniques that are more complex and significantly more interesting. Today we will analyze one method of detecting an attached debugger, and a second method that can be used to detach a debugger from our running process.
Advanced API Based Anti-Debugging
There are a number of functions and API calls within the Windows operating system that are considered internal to the operating system and thus not documented well for the average developer. Many …
Welcome back to the series on anti-debugging. Hopefully you have your debugger and development environment handy as we are about to dive into the first round of anti-debugging code. In the first post to this series we discussed six different types of anti-debugging techniques that are in common use today. To refresh, the classifications buckets that we chose to use are:
- API Based Anti-Debugging
- Exception Based Anti-Debugging
- Process and Thread Block Anti-Debugging
- Modified Code Anti-Debugging
- Hardware and Register Based Anti-Debugging
- Timing and Latency Anti-Debugging
Basic API Anti-Debugging
We’ll continue this series of posts by going into a bit more depth on the easiest of API based anti-debugging techniques. …
For those that don’t know, anti-debugging is the implementation of one or more techniques within computer code that hinders attempts at reverse engineering or debugging a target process. Typically this is achieved by detecting minute differences in memory, operating system, process information, latency, etc. that occur when a process is started in or attached to by a debugger compared to when it is not. Most research into anti-debugging has been conducted from the vantage point of a reverse engineer attempting to bypass the techniques that have been implemented. Limited data has been presented that demonstrates anti-debugging methods in a high …
Another BlackHat has come and gone. As usual, it was a very busy week juggling customer meetings, recruiting, conference planning, vendor parties, and, oh yes, the actual BlackHat presentations. I had a fantastic time catching up with old friends and finally getting the opportunity to meet more of the Security Twits and others in the security community. I didn’t submit a talk this year, but nevertheless, fake Dan Kaminsky was still excited to see me.
My favorite talk, as expected, was the Sotirov/Dowd talk on …
I spent the weekend in Berlin attending a conference called PH-Neutral, run primarily by the Phenoelit crew. This was the first European security conference I’ve attended and I found it quite different from any North American security gathering I’ve been to, such as BlackHat, CanSecWest, SOURCE Boston, BlueHat, or RSA. Everything was far more casual and laid back, which is something I had heard about European conferences but hadn’t experienced until now (even EUSecWest is held in a club whereas CanSecWest is in a Marriott).
Yesterday, Dave Lewis over at LiquidMatrix Security Digest cried foul at Core Security for releasing too much detail about a recent DoS vulnerability they had discovered. His specific gripe was that they provided an IDA Pro excerpt that showed where the vulnerability was triggered. The excerpt is short, so I’ll even copy/paste it here:
.text:00405C1B mov esi, [ebp+dwLen] ; Our value from packet
.text:00405C20 push edi
.text:00405C21 test esi, esi ; Check value != 0
.text:00405C31 push esi …
Finally getting around to posting our materials from the talk that Chris Wysopal and I gave at BlackHat this year entitled “Static Detection of Application Backdoors.” Here are the slide deck and the accompanying whitepaper:
Static Detection of Application Backdoors (slides)
Static Detection of Application Backdoors (whitepaper)
Also, as a proof-of-concept, we had demonstrated using IDA Pro’s scripting framework to detect one of the backdoor examples that we discussed — suspicious cryptographic API calls. Specifically, it flags calls to known encryption, decryption, and/or key management functions where a constant value is passed to a specific argument position. This …