Skip to main content
August 28, 2007

BlackHat 2007 Materials

Finally getting around to posting our materials from the talk that Chris Wysopal and I gave at BlackHat this year entitled "Static Detection of Application Backdoors." Here are the slide deck and the accompanying whitepaper:

Also, as a proof-of-concept, we had demonstrated using IDA Pro's scripting framework to detect one of the backdoor examples that we discussed -- suspicious cryptographic API calls. Specifically, it flags calls to known encryption, decryption, and/or key management functions where a constant value is passed to a specific argument position. This can help identify situations such as an application encrypting data with a hard-coded key. We had numerous requests to post the code, so here it is:

Cryptoconst IDC script (requires IDA Pro)

Veracode's binary analysis technology uses similar (but more sophisticated) techniques. We build our own intermediate representation of the binary's data flows, control flows, and range propagation which is not based on IDA Pro. We then scan that representation for backdoors in ways similar to the cryptoconst script. However, at BlackHat you're not allowed to promote your own products/services, so it wasn't appropriate for us to use it for demonstration purposes.

Related Content

Chris Eng, Chief Research Officer, is responsible for integrating security expertise into Veracode’s technology. In addition to helping define and prioritize the security feature set of the Veracode service, he consults frequently with customers to discuss and advance their application security initiatives. With over 15 years of experience in application security, Chris brings a wealth of practical expertise to Veracode.

Love to learn about Application Security?

Get all the latest news, tips and articles delivered right to your inbox.