What’s wrong with the following C code?
It’s a classic and easy-to-make off-by-one error, caused by the willy-nilly inconsistency of common C functions regarding whose responsibility the null terminator is and whether it’s included in a passed count of bytes. In this case, scanf() will read up to 32 bytes from standard input and then append a null terminator, which overflows the buffer of 32 characters and writes a null byte to whatever happens to be next on the stack.
Everyone has had that dreaded experience: you open up the task manager on your computer… and there’s a program name you don’t recognize. It gets worse when you google the name and can’t find a concrete answer on what it is and why it’s there. It gets even worse when you remove it from Autoruns and it comes back. It gets terrible when you realize it has keylogger functionality. The icing on the cake, however, is when the mystery program is also eating up all your RAM.
I’ll be speaking at Black Hat Briefings in Las Vegas this year, on “Lessons Of Static Binary Analysis”. The talk will be a two hour intensive workshop covering the details of binary transformation that make Veracode possible.
The topics will range from an introduction to decompilation theory, to the details of how to build an effective intermediate structural model. We’ll be covering control flow and data flow analysis and transformation, and you’ll come away from the talk with an understanding of how variable lifetimes are assessed, procedure arguments and returns discovered, and how to determine the targets of indirect jumps and …
No source code? No problem! That’s the motto of the binary analyst.
We at Veracode have pushed the limits of static analysis (studying a program’s behavior without running it) to automatically detect and report security vulnerabilities in our customers’ codebases. Doing binary static analysis by hand is still a worthwhile skill, however, with myriad practical uses:
- Uncovering the behavior of malware
- Patching bugs in old, unsupported programs
- Verifying a program does what it claims it does
- Looking for evidence of stolen code
- Reverse engineering protocols and file formats for product compatibility
- Realizing just how much other people can learn about your own code!
Laws concerning reverse engineering third-party …
One of the great things about the Veracode platform is the insight we get from examining our anonymized customer data – not only information about the vulnerability landscape (as published in the State of Software Security report) but insight into the composition of the applications that we scan. As I alluded to in my last post, one of the things we record when scanning applications is the presence of frameworks and other supporting technologies, and we’ve been at work mining that data to understand what developers use to …
Let’s not mince words: this rambling diatribe from Oracle’s CSO is aimed directly at Veracode. No need for a cutesy acronym; we’re the only company with true static binary analysis technology, delivered as a service. Now that we’ve got that out of the way, let’s try to cut through the rhetoric (in just over a thousand words, to boot).
The recurring theme in her manifesto is the notion that certain software suppliers are “too big to test”. It’s fine for the little guys, but not the 800-pound gorillas. Instead, software purchasers should blindly trust companies with security …
[UPDATE! April 15: Pandora removes all advertising libraries from its Android and iPhone apps!]
The blog post we made earlier this week entitled, Mobile Apps Invading Your Privacy, gives detail around the information being requested by the advertisement libraries embedded inside a popular online radio application. There have been a number of great posts and comments that got us thinking more about the issues and the types of data being requested.
First off we want to thank some people who commented about the Pandora application not having permission to actually access the GPS on the device. Below are the …
[April 8: We've added some more information in a follow-up post]
An article in the Wall Street Journal, dated April 5, 2011, disclosed that federal prosecutors in New Jersey are investigating numerous smart phone application manufacturers for allegedly illegally obtaining and distributing personal private information to third-party advertisement groups. The allegations state that mobile applications are gathering data such as GPS location, device identifiers, gender, and even user age without proper notice or authorization from the end user. The Journal tested 101 applications and found that 56 of them transmitted the device’s unique identifier off the device, while …
In this final part of the anti-debugging series we’re going to discuss process and thread block based anti-debugging. Processes and threads must be maintained and tracked by the operating system. In user space, information about the processes and threads is held in memory in structures known as the process information block (PIB), process environment block (PEB) and the thread information block (TIB). These structures hold data pertinent to the operation of that particular process or thread, which is read by many of the API based anti-debugging methods we discussed previously.
When a debugger or reverse engineer tries …
It’s time for part three in the Anti-Debugging Series. With this post we will stay in the realm of “API based” anti-debugging techniques but go a bit deeper into some techniques that are more complex and significantly more interesting. Today we will analyze one method of detecting an attached debugger, and a second method that can be used to detach a debugger from our running process.
Advanced API Based Anti-Debugging
There are a number of functions and API calls within the Windows operating system that are considered internal to the operating system and thus not documented well for the average developer. Many …