Approaches to Reverse Engineering
As we said earlier, sometimes source code is
available for a reverse engineer and sometimes it is not. White box
and black box testing and analysis methods both attempt to
understand the software, but they use different approaches
depending on whether the analyst has access to source code.
Regardless of the method, there are several key
areas that an attacker should examine to find vulnerabilities in
software:
Functions that do improper (or no) bounds
checking
Functions that pass through or consume
user-supplied data in a format string
Functions meant to enforce bounds checking in a
format string (such as %20s)
Routines that get user input using a loop
Low-level byte copy operations
Routines that use pointer arithmetic on
user-supplied buffers
"Trusted" system calls that take dynamic
input
This somewhat tactical list is useful when you
are "in the weeds" with binary code.
White Box Analysis
White box analysis involves analyzing and
understanding source code. Sometimes only binary code is available,
but if you decompile a binary to get source code and then study the
code, this can be considered a kind of white box analysis as well.
White box testing is typically very effective in finding
programming errors and implementation errors in software. In some
cases this activity amounts to pattern matching and can even be
automated with a static analyzer. One drawback to this
kind of whitebox testing is that it may report a potential
vulnerability where none actually exists (called a false positive). Nevertheless, using
static analysis methods on source code is a good approach to
exploiting some kinds of software.
There are two types of white box analysis tools,
those that require source code and those that automatically
decompile the binary code and continue from there. One powerful and
commercially available white box analysis platform, called IDA-Pro,
does not require source code access. SourceScope, which includes an
extensive database of source code-related problems and issues
commonly encountered in Java, C, and C++, does require source code.
The knowledge encapsulated in these tools is extremely useful in
security analysis (and, of course, in exploiting software).
Black Box Analysis
Black box analysis refers to analyzing a running
program by probing it with various inputs. This kind of testing
requires only a running program and does not make use of source
code analysis of any kind. In the security paradigm, malicious
input can be supplied to the program in an effort to cause it to
break. If the program does break during a particular test, then a
security problem may have been discovered.
Note that black box testing is possible even
without access to binary code. That is, a program can be tested
remotely over a network. All that is required is a program running
somewhere that is accepting input. If the tester can supply input
that the program consumes (and can observe the effect of the test),
then black box testing is possible. This is one reason that real
attackers often resort to black box techniques.
Black box testing is not as effective as white
box testing in obtaining knowledge of the code and its behavior,
but black box testing is much easier to accomplish and usually
requires much less expertise than white box testing. During black
box testing, an analyst attempts to evaluate as many meaningful
internal code paths as can be directly influenced and observed from
outside the system. Black box testing cannot exhaustively search a
real program's input space for problems because of theoretical
constraints, but a black box test does act more like an actual
attack on target software in a real operational environment than a
white box test usually can.
Because black box testing happens on a live
system, it is often an effective way of understanding and
evaluating denial-of-service problems. And because black box
testing can validate an application within its runtime environment (if
possible), it can be used to determine whether a potential problem
area is actually vulnerable in a real production system. Sometimes problems that are
discovered in a white box analysis may not be exploitable in a
real, deployed system. A firewall may block the attack, for
example.
Cenzic's Hailstorm is a commercially available
black box testing platform for networked software. It can be used
to probe live systems for security problems. For testing network
routers and switches, special hardware devices are available, such
as SmartBits and IXIA. A freeware tool called ISICS can be used to
probe TCP/IP stack integrity. Protocol attack systems that use
black box techniques include PROTOS and Spike.
Gray Box Analysis
Gray box analysis combines white box techniques
with black box input testing. Gray box approaches usually require
using several tools together. A good example of a simple gray box
analysis is running a target program within a debugger and then
supplying particular sets of inputs to the program. In this way,
the program is exercised while the debugger is used to detect any
failures or faulty behavior. Rational's Purify is a commercial tool
that can provide detailed runtime analysis focused on memory use
and consumption. This is particularly important for C and C++
programs (in which memory problems are rampant). A freeware
debugger that provides runtime analysis for Linux is called
Valgrind.
All testing methods can reveal possible
software risks and potential exploits. White box analysis directly
identifies more bugs, but the actual risk of exploit is hard to
measure. Black box analysis identifies real problems that are known
to be exploitable. The use of gray box techniques combines both
methods in a powerful way. Black box tests can scan programs across
networks. White box tests require source code or binaries to
analyze statically. In a typical case, white box analysis is used
to find potential problem areas, and black box testing is then used
to develop working attacks against these areas.
Black Box
|
|
White Box
|
|---|
Audit software runtime environment
External threats
Denial of service
Cascade failure
Security policy and filters
Scales and runs across enterprise network
Valuable to security/systems administrators
|
|
Audit software code
Programming errors
Central code repository required
Valuable to developers and testers
|
One problem with almost all kinds of security
testing (regardless of whether such testing is black box or white
box) is that there really isn't any. That is, most QA organizations
concern themselves with functional testing and spend very little
time understanding or probing for security risks. The QA process is
almost always broken in most commercial software houses anyway
because of time and budget constraints and the belief that QA is
not an essential part of software development.
As software becomes more important, more
emphasis is being placed on software quality management—a
unified approach to testing and analysis that encompasses security,
reliability, and performance. Software quality management uses both
white box and black box techniques to identify and manage software
risks as early as possible in the software development life
cycle.
Using Gray Box Techniques to Find
Vulnerabilities in Microsoft SQL Server 7
Gray box techniques usually leverage several
tools. We provide an example using runtime debugging tools combined
with a black box input generator. Using runtime error detection and
debugging tools is a powerful way of finding problem software. When
combined with black box injection tools, debuggers help catch
software faults. In many cases, disassembly of the program can
determine the exact nature of a software bug like the one we will
show you.
One very powerful tool that examines software
dynamically as it runs is Rational's Purify. In this example, we
perform black box injection against Microsoft's SQL Server 7 using
Hailstorm, while monitoring the target instrumented under Purify.
By combining Purify and Hailstorm, the test is able to uncover a
memory corruption problem occurring in the SQL server as a result
of malformed protocol input. The corruption results in a software
exception and subsequent failure.
To start, a remote input point is identified in
the SQL server. The server listens for connections on TCP port
1433. The protocol used over this port is undocumented for the most
part. Instead of reverse engineering the protocol, a simple test is
constructed that supplies random inputs interspersed with numerical
sequences. These data are played against the TCP port. The result
is the generation of many possible "quasilegal" inputs to the port,
which thus covers a wide range of input values. The inputs are
injected for several minutes at a rate of around 20 per second.
The data injected pass through a number of
different code paths inside the SQL server software. These
locations, in essence, read the protocol header. After a short
time, the test causes a fault, and Purify notes that memory
corruption has occurred.
The screen shot in Figure 3-2 illustrates the SQL server
failure, the Purify dump, and the Hailstorm testing platform all in
one place. The memory corruption noted by Purify occurs before the
SQL server crashes. Although the attack does result in a server
crash, the point of memory corruption would be hard to determine
without the use of Purify. The data supplied by Purify allow us to
locate the exact code path that failed.
[View full size
image]
The detection of this failure occurs well before
an actual exploit has occurred. If we wanted to find this exploit
using only black box tools, we might spend days trying input tests
before this bug is exercised. The corruption that is occurring
might cause a crash in an entirely different code location, making
it very hard to identify which input sequence causes the error.
Static analysis might have detected a memory corruption problem,
but it would never be able to determine whether the bug could be
exploited in practice by an attacker. By combining both
technologies as we do in this example, we save time and get the
best of both worlds.
| 
No comments:
Post a Comment