Description: Common ways to find exploitable vulnerabilities today include, but are not limited to, fuzzing, static and dynamic analysis, and patch reversing. All of these approaches have advantages and limits. Fuzzers tend to find only a limited class of bugs, depending on the sophistication of the fuzzer, which in turn depends on the development time invested. Reverse engineering a binary to find bugs, whether statically or with a debugger, is tedious and requires a lot of time and expertise. As we are lazy bastards, we refuse to do all the work by hand and brain. And, as we are greedy bastards, we want to cover the widest possible range of vulnerabilities and not be limited to what we can see from a fuzzer's perspective. So, as you know, in general the lazy greedy bastards have the better ideas. We present you with our idea, which is modelled on Wall Street. We built a tool which weighs the value of a function in a Windows binary the way Wall Street values a stock; the value tells us the likelihood that a function is exploitable. The Wallstreet technique works with two different evaluation methods: on the one hand the likelihood that a function is vulnerable, and on the other the likelihood that it is exploitable. We collect indicators which help us evaluate whether a specific function is potentially vulnerable. Such an indicator could be a present memory allocation or conversion function, a missing sanitization check, or a suspicious pattern in the function name such as 'create', 'convert' or 'set'. A combination of these and a handful more indicators lets us calculate what we call the speculation value.
To validate exploitability we traverse the call tree of a suspicious candidate to verify its accessibility in an automated way. Only functions which we can influence as an attacker are interesting to us; thus we rate these accessible functions with a price-to-earnings value. Finally, putting speculation value and price-to-earnings value in context, we evaluate a function with either 'buy' if we believe it comes with an exploitable vulnerability, or 'sell' when we are certain it is not interesting to us. No worries, the presentation will not contain advanced mathematical equations. Our tool parses binaries and persists all the gathered information to a database, from where we can retrieve highly suspicious functions in an automated way. Without getting our hands dirty, that is. And because we are lazy bastards who like colors, a lot, we use visuals to make evaluation even easier. The tool is dubbed Wallstreet, named after the most famous stock market on the planet. It is based on Python, C and SQLite and will be released under the WTFPL license (http://www.wtfpl.net/). Also, there will be demos :D Wrapping it up, this presentation shows an easy-to-use approach which makes the complicated topic of binary exploitation more accessible. Wallstreet of Windows Binaries provides beginners with a better understanding of the challenges and practitioners with a hands-on tool.
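To make the two-stage rating concrete, here is an added toy model in Python. It is not the Wallstreet tool's code, and the indicator list, the weights, the sample call graph, the choice of entry point and the 'buy' threshold are all assumptions made for this illustration. It computes a speculation value from call-site and function-name indicators, measures attacker reachability by walking the call graph from an assumed attacker-controlled entry point, and combines the two into a buy/sell verdict per function.

```python
"""Toy two-stage function rating in the spirit of the Wallstreet idea.

Added illustration, not code from the talk or the tool. The functions,
their callees, the indicator weights, the entry point and the threshold
are all constructed assumptions; a real run would take this data from
a disassembler rather than from hand-written dictionaries.
"""
from collections import deque
from dataclasses import dataclass

# Assumed indicator weights: allocation/conversion/copy APIs that often
# sit next to memory-safety bugs, and suspicious function-name fragments.
RISKY_CALLS = {
    "HeapAlloc": 2, "malloc": 2,
    "MultiByteToWideChar": 3,
    "memcpy": 3, "sprintf": 3, "strcpy": 4,
}
NAME_PATTERNS = {"create": 1, "set": 1, "copy": 1, "convert": 2, "parse": 2}
UNCHECKED_SINK_BONUS = 3   # risky call with no length/sanitization check nearby


@dataclass
class Function:
    name: str
    calls: list                    # callee names: imports and local functions
    has_length_check: bool = True  # assumed result of a simple check-detection pass


def speculation_value(fn):
    """Stage 1: how likely the function is to be vulnerable (higher = more)."""
    score = sum(RISKY_CALLS.get(callee, 0) for callee in fn.calls)
    lname = fn.name.lower()
    score += sum(w for pat, w in NAME_PATTERNS.items() if pat in lname)
    if score and not fn.has_length_check:
        score += UNCHECKED_SINK_BONUS
    return score


def reachable_from(functions, entry_points):
    """Stage 2: BFS over the call graph; returns the call depth from the
    nearest attacker-controlled entry for every reachable function."""
    depth = {e: 0 for e in entry_points if e in functions}
    queue = deque(depth)
    while queue:
        cur = queue.popleft()
        for callee in functions[cur].calls:
            if callee in functions and callee not in depth:
                depth[callee] = depth[cur] + 1
                queue.append(callee)
    return depth


def price_to_earnings(depth):
    """Cost of reaching the function: one call away is cheap, deep is expensive."""
    return 1 + depth


def rate(functions, entry_points, buy_threshold=2.0):
    """Combine both stages: unreachable functions are always 'sell';
    reachable ones are 'buy' when speculation value / P-E clears the threshold."""
    depth = reachable_from(functions, entry_points)
    ratings = {}
    for name, fn in functions.items():
        if name not in depth:
            ratings[name] = ("sell", 0.0)
            continue
        value = speculation_value(fn) / price_to_earnings(depth[name])
        ratings[name] = ("buy" if value >= buy_threshold else "sell", round(value, 2))
    return ratings


# Constructed call graph of an imaginary request-handling DLL.
SAMPLE_BINARY = {
    "DllMain":       Function("DllMain", ["InitConfig"]),
    "InitConfig":    Function("InitConfig", ["RegOpenKeyExW"]),
    "HandleRequest": Function("HandleRequest", ["ParseHeader", "SetUserName"]),
    "ParseHeader":   Function("ParseHeader", ["ConvertName", "memcpy"], has_length_check=False),
    "ConvertName":   Function("ConvertName", ["MultiByteToWideChar", "HeapAlloc"]),
    "SetUserName":   Function("SetUserName", ["strcpy"], has_length_check=False),
    "LogStats":      Function("LogStats", ["sprintf"]),
}
# Assumption: HandleRequest is an export that receives attacker-supplied data.
ENTRY_POINTS = ["HandleRequest"]

if __name__ == "__main__":
    board = rate(SAMPLE_BINARY, ENTRY_POINTS)
    for name, (verdict, value) in sorted(board.items(), key=lambda kv: -kv[1][1]):
        print(f"{name:14} {verdict:4} {value:5.2f}")
```

Two caveats a practitioner would keep in mind with any model of this shape: name patterns and API lists are cheap heuristics that produce false positives (LogStats calls sprintf but is never reached from attacker input, so it correctly ends up as 'sell' only because of the reachability stage), and a plain call-graph walk says nothing about whether attacker-controlled data actually flows into the risky call, nor does it see indirect calls through function pointers or vtables.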
Marion Marschalek
Marion is a malware reverse engineer. Some say she also does marketing, but at the time of writing she could not be reached to further comment on that. At daytime she hunts malware for Cyphort Inc., at nighttime she hunts rabbits. Two years ago Marion won Halvar Flake's reverse engineering challenge for females, and since then she has set out to rock and roll the industry. She practices martial arts and has a vivid passion for taking things apart. Preferably, other people's things.
For more information please visit: https://www.troopers.de/troopers/
Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.