A software analysis framework built on Phoenix

Matt Miller
Leviathan Security Group
Metasploit Framework
Uninformed Journal
Not a static analysis expert

Cthulhu software analysis framework
Very high-level architectural overview
Interesting features
Case study

Software optimization and analysis
Basis for future Microsoft compilers and tools
Robust and extensible architecture
◦ Plugins
◦ Phases
Check out Richard Johnson’s talk to learn more

RDK/SDK not yet completely solidified
◦ Encapsulation can help here
API is feature rich but verbose
◦ No simplified wrapper
No solution for large-scale analysis
◦ LTCG is not enough

Software analysis framework
Hobby project started in June, 2006
Written in C#
Currently around 28KLOC

Simplified Programming Interface
◦ Simple and extensible API
◦ Fundamental independence
Large-scale analysis
◦ Modeling behavior of large systems
◦ Pie in the sky: Windows Vista
Research Sandbox
◦ A playground for experimentation
◦ Phoenix can also be used directly for this purpose

Architecture diagram: Fundamentals (Phoenix, IDA, DB), Analysis Engine (Control Flow, Data Flow), Peons (Analysis, Rendering), Tools

Uses a fundamental to load assemblies
Runs phases
◦ Import
◦ Analyze
◦ Render
Peons register to be notified on certain events

Import phase (diagram): Analysis Engine, Phoenix Fundamental, DB, Importing Peons (Basic Types, Control Flow, Data Flow)
1. Load Assembly (engine asks the Phoenix fundamental)
2. Assembly Loaded (fundamental notifies the engine)
3. Import Event (engine notifies the importing peons)
4. Normalize Information (peons write to the DB)
5. Import Event

Analyze phase (diagram): Analysis Engine, Database Fundamental, DB, Analyzing Peons (Path Discovery, Leak Check)
1. Load Assembly (engine asks the database fundamental)
2. Denormalize Assembly Information (fundamental reads the DB)
3. Assembly Loaded
4. Analysis Event (engine notifies the analyzing peons)
5. Normalize and Denormalize Information (peons read and write the DB)
6. Analysis Event

Render phase (diagram): Analysis Engine, Rendering Peons (Console, GUI), DB, Output Store
1. Render (engine notifies the rendering peons)
2. Denormalize (peons read the DB)
3. Display (via the Output Store)

Extensible and flexible way to represent binary information
May be used to support large-scale analysis
◦ Hundreds of modules
◦ More work needs to be done
Performance overhead is non-trivial
◦ Processing time can be high
◦ Volatile memory usage can be kept low

Simplified API
Version-independent modeling
Conceptual modeling

Simplified API (diagram): the DB holds Assemblies, each modeled with its Modules, Data Types and Methods
Abstract classes provide fundamental independence
Concrete implementations: Phoenix, …

Modeling version independent relationships between software elements in the database

```c
void CallExitProcess()
{
    ExitProcess(0);
}
```

Diagram: CallExitProcess 1 → ExitProcess (call to version independent kernel32!ExitProcess) → ExitProcess 1, ExitProcess 2, ExitProcess 3, ExitProcess 4 (distinct versions of kernel32!ExitProcess)
Appropriate versions can be selected at analysis time
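The engine, phase and peon model from the architecture slides above, together with the version-independent call modeling on this slide, as an added example. This is Python written for this page (Cthulhu itself is C# and its API is not shown here), not the project's code. The Fundamental base class, the constructed sample modules and their build numbers, the phase names as event keys and the helper names are all assumptions made for the example; the point is that the engine depends only on the abstract fundamental, peons subscribe to phase events, the importing peon normalizes calls against a version-independent symbol, and the analyzing peon picks the concrete version at analysis time.

```python
from abc import ABC, abstractmethod
from collections import defaultdict
from functools import partial


class Fundamental(ABC):
    """Abstract loader. The engine depends only on this interface, so a
    Phoenix-, IDA- or database-backed fundamental can be swapped in."""

    @abstractmethod
    def load_assembly(self, key):
        """Return a module record: name, build, exported symbols, calls per method."""


class SampleFundamental(Fundamental):
    """Constructed stand-in for the Phoenix fundamental (an assumption of this
    example). Three builds of kernel32.dll export ExitProcess; app.exe calls it."""

    MODULES = {
        "app.exe": {"name": "app.exe", "build": "1.0.0", "exports": [],
                    "calls": {"CallExitProcess": ["kernel32!ExitProcess"]}},
        "kernel32.dll@5.1": {"name": "kernel32.dll", "build": "5.1.2600",
                             "exports": ["ExitProcess"], "calls": {}},
        "kernel32.dll@5.2": {"name": "kernel32.dll", "build": "5.2.3790",
                             "exports": ["ExitProcess"], "calls": {}},
        "kernel32.dll@6.0": {"name": "kernel32.dll", "build": "6.0.6000",
                             "exports": ["ExitProcess"], "calls": {}},
    }

    def load_assembly(self, key):
        return dict(self.MODULES[key])


class AnalysisEngine:
    """Runs the Import, Analyze and Render phases; peons subscribe to phase events."""

    def __init__(self, fundamental):
        self.fundamental = fundamental
        self.db = {"symbols": defaultdict(dict), "calls": [], "resolved": []}
        self.peons = defaultdict(list)

    def register(self, phase, peon):
        self.peons[phase].append(peon)

    def run(self, keys):
        for key in keys:
            module = self.fundamental.load_assembly(key)   # 1. Load Assembly / 2. Assembly Loaded
            for peon in self.peons["import"]:              # 3. Import Event
                peon(self.db, module)                      # 4. peons normalize into the DB
        for peon in self.peons["analyze"]:                 # Analysis Event
            peon(self.db)
        lines = []
        for peon in self.peons["render"]:                  # Render
            lines.extend(peon(self.db))
        return lines


def short(name):
    """kernel32.dll -> kernel32: the module prefix used in symbol names."""
    return name.rsplit(".", 1)[0]


def build_tuple(build):
    return tuple(int(part) for part in build.split("."))


def import_symbols(db, module):
    """Importing peon: each export becomes one concrete version of a
    version-independent symbol; each call is recorded against the
    version-independent name, as on the slide."""
    for export in module["exports"]:
        db["symbols"][f"{short(module['name'])}!{export}"][module["build"]] = module["name"]
    for method, targets in module["calls"].items():
        for target in targets:
            db["calls"].append((f"{short(module['name'])}!{method}", target))


def select_versions(db, target_build):
    """Analyzing peon: bind every version-independent call to the newest
    concrete version that is not newer than the build being analyzed."""
    db["resolved"] = []
    for caller, symbol in db["calls"]:
        candidates = [b for b in db["symbols"].get(symbol, {})
                      if build_tuple(b) <= build_tuple(target_build)]
        chosen = max(candidates, key=build_tuple) if candidates else None
        db["resolved"].append((caller, symbol, chosen))


def render_console(db):
    """Rendering peon: one line per resolved call."""
    return [f"{caller} -> {symbol} [{chosen or 'unresolved'}]"
            for caller, symbol, chosen in db["resolved"]]


def resolve_calls(target_build):
    """Wire up the engine for one target build and return the rendered lines."""
    engine = AnalysisEngine(SampleFundamental())
    engine.register("import", import_symbols)
    engine.register("analyze", partial(select_versions, target_build=target_build))
    engine.register("render", render_console)
    return engine.run(list(SampleFundamental.MODULES))


if __name__ == "__main__":
    for build in ("6.0.6000", "5.2.9999", "4.0.0"):
        print(build, resolve_calls(build))
```

Selecting the version at analysis time rather than at import time is what keeps the call edge version independent in the store: the same normalized database answers for a Windows XP, Server 2003 or Vista build of kernel32.dll, and a target older than every imported build is reported as unresolved instead of silently bound to the wrong one.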

Conceptual modeling (diagram): Universe
◦ VPN Client: Device Driver (vpn.sys), User Interface (vpngui.exe, dialogs.dll)
◦ VPN Server: Daemon (daemon.exe)

Finding inter-component data flow paths

Web Services is a simple remoting interface
◦ Clients invoke methods hosted on a web server
◦ Server handles requests and provides responses
Problematic for static analysis
◦ Clients pass data to the server indirectly (network)
◦ Limits the scope at which analysis can be performed
Let’s walk through an example

```csharp
using System.Diagnostics;
using System.Web.Services;

[WebService]
public class WebService
{
    [WebMethod]
    public void ExecuteCommand(string command)
    {
        // Deliberately unsafe: the caller-supplied string is launched as a process
        Process.Start(command);
    }
}
```

Simple web service that invokes a process using the supplied command string

```csharp
using System.Web.Services;
using System.Web.Services.Protocols;

[WebServiceBinding]
public class WebClient : SoapHttpClientProtocol
{
    [SoapDocumentMethod]
    public void ExecuteCommand(string command)
    {
        // The argument leaves the process here: it crosses the network as a SOAP request
        Invoke("ExecuteCommand", new object[] { command });
    }
}
```

Simple web client that wraps the invocation of the web service method

To illustrate a relationship, the client invocation and server method must be bridged
Bridging can take a few different forms
◦ Automatic detection of relationships
◦ Manual description of relationships
Bridging is an abstract concept though
◦ How do we make it concrete?

A concrete relationship can be shown by linking formal parameters
WebClient: fin(ExecuteCommand, 0) → WebService: fin(ExecuteCommand, 0)

Diagram: Web Application
◦ Web Client: WebClient.dll → WebClient → ExecuteCommand → Enter Block → fin(0)
◦ Web Service: WebService.dll → WebService → ExecuteCommand → Enter Block → fin(0)
The two fin(0) nodes are the formal parameters being linked

Describing indirect relationships improves the quality of analysis information
Widens the scope for control flow and data flow analysis
The Path Discovery peon can help illustrate this

Designed to find reachable flow paths
◦ From a set of sources
◦ To a set of sinks
◦ Within a set of target assemblies
Current restrictions
◦ Requires the database fundamental
◦ Only operates on data flow information

Command Injection represents one type of security flaw found in managed applications
This can happen when user-controlled data is used in conjunction with launching a process
For example, data passing…
◦ From HttpRequest.get_QueryString
◦ To Process.Start
This should be easy to detect, right?

Finding data flow paths from get_QueryString to Start can be problematic
Lowest level data flow information is conveyed with respect to instructions
What if hundreds of assemblies are being analyzed?
◦ Not enough physical memory!

Path Discovery makes use of generalized data flow relationships
◦ Block-tier, method-tier, type-tier, etc…
Reachable paths are identified using a simple algorithm
◦ Progressive Qualified Elaboration (PQE)
PQE is designed to reduce the amount of analysis information that must be considered

Reachable paths are progressively found between source and sink flow descriptors within a set of target assemblies

| Tier | Source flow descriptor | Sink flow descriptor |
| --- | --- | --- |
| Component | fout(Undefined) | fin(Undefined) |
| Assembly | fout(System.Web) | fin(System) |
| Data Type | fout(System.Web.HttpRequest) | fin(System.Dia…Process) |
| Method | fout(get_QueryString, 0) | fin(Start, 0) |
| Basic Block | fout(get_QueryString, 0) | fin(Start, 0) |
| Instruction | fout(get_QueryString, 0) | fin(Start, 0) |

Suppose there is some code in the web client that does the following
◦ client.ExecuteCommand(request.QueryString[x]);
Bridging makes it possible to show a complete data flow path from get_QueryString to Start
Let’s see how we get there using PQE
◦ PQE starts from a macro-tier, such as the component tier

Data flow Def-Use relationships between components (diagram)
Interpretation: in at least one situation, v uses data defined by u

Data flow Def-Use relationships between assemblies (diagram)

Data flow Def-Use relationships between data types (diagram)

Data flow Def-Use relationships between methods (diagram)

Data flow Def-Use relationships between blocks (diagram)

Data flow Def-Use relationships between instructions (diagram)

A complete data flow path is identified
Data flows across an indirect boundary
Without bridging, it would not be possible to seamlessly perform this analysis
◦ This means the security issue would be missed
Note that the security issue exists in the web service independent of the web client
◦ Example was meant to show simple indirect data flow
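The PQE walk on the slides above, from the source and sink flow descriptors through the tiered def-use graphs down to the complete instruction-level path, and the parameter-linking bridge from the earlier bridging slides, as an added example. This is Python written for this page (Cthulhu itself is C# and the Path Discovery peon's code is not shown), not the project's code. The instruction-tier graph, the component names, the block and instruction labels and the two unrelated decoy flows are constructed for the example; projecting instruction edges onto coarser tiers, qualifying a node when it is both forward-reachable from the source and backward-reachable from the sink, and extracting one path by breadth-first search are my own choices for making the slides' description concrete.

```python
from collections import defaultdict, deque

TIERS = ("component", "assembly", "type", "method", "block", "instruction")

# Constructed instruction-tier def-use graph for the case study (an assumption of this
# example). A node is the instruction's full path through the tiers:
# (component, assembly, data type, method, basic block, instruction).
U, C, S = "Undefined", "WebApp.Client", "WebApp.Service"
SOURCE = (U, "System.Web", "System.Web.HttpRequest", "get_QueryString", "Exit", "fout(0)")
SINK = (U, "System", "System.Diagnostics.Process", "Start", "Enter", "fin(0)")
PAGE = (C, "WebClient.dll", "Page", "Button_Click", "B0")
WC_EC = (C, "WebClient.dll", "WebClient", "ExecuteCommand")
WS_EC = (S, "WebService.dll", "WebService", "ExecuteCommand")
# The bridge: the client's formal parameter 0 is linked to the server's formal parameter 0.
BRIDGE = (WC_EC + ("Enter", "fin(0)"), WS_EC + ("Enter", "fin(0)"))
EDGES = {
    (SOURCE, PAGE + ("I1",)),                             # s = request.QueryString[x]
    (PAGE + ("I1",), PAGE + ("I2",)),                     # argument for client.ExecuteCommand(s)
    (PAGE + ("I2",), WC_EC + ("Enter", "fin(0)")),        # actual -> formal parameter
    (WC_EC + ("Enter", "fin(0)"), WC_EC + ("B0", "I1")),  # Invoke(...): flow dead-ends at the network
    BRIDGE,
    (WS_EC + ("Enter", "fin(0)"), WS_EC + ("B0", "I1")),
    (WS_EC + ("B0", "I1"), SINK),                         # Process.Start(command)
    # unrelated flows that PQE should prune before reaching the instruction tier
    (PAGE + ("I1",), PAGE + ("I3",)),
    (PAGE + ("I3",), (U, "System.Web", "System.Web.HttpResponse", "Write", "Enter", "fin(0)")),
    ((S, "Scheduler.dll", "Scheduler", "Run", "B0", "I1"), SINK),
}


def generalize(edges, depth):
    """Project instruction-tier edges onto a coarser tier: (u, v) exists there
    if, in at least one situation, something in v uses data defined in u."""
    return {(u[:depth], v[:depth]) for u, v in edges}


def adjacency(edges):
    fwd, bwd = defaultdict(set), defaultdict(set)
    for u, v in edges:
        fwd[u].add(v)
        bwd[v].add(u)
    return fwd, bwd


def reach(start, adj):
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        for nxt in adj[node] - seen:
            seen.add(nxt)
            queue.append(nxt)
    return seen


def shortest_path(edges, src, dst):
    fwd, _ = adjacency(edges)
    prev, queue = {src: None}, deque([src])
    while queue and dst not in prev:
        node = queue.popleft()
        for nxt in fwd[node]:
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    if dst not in prev:
        return None
    path, node = [], dst
    while node is not None:
        path.append(node)
        node = prev[node]
    return path[::-1]


def pqe(edges, source, sink):
    """Progressive Qualified Elaboration: qualify nodes tier by tier, elaborating
    only the children of nodes that lie on a source-to-sink path one tier up.
    Returns (instruction path or None, [(tier, qualified nodes, total nodes), ...])."""
    qualified, report = None, []
    for depth, tier in enumerate(TIERS, start=1):
        tier_edges = generalize(edges, depth)
        total = {n for edge in tier_edges for n in edge}
        if qualified is not None:
            tier_edges = {(u, v) for u, v in tier_edges
                          if u[:depth - 1] in qualified and v[:depth - 1] in qualified}
        fwd, bwd = adjacency(tier_edges)
        src, snk = source[:depth], sink[:depth]
        on_path = reach(src, fwd) & reach(snk, bwd)
        report.append((tier, len(on_path), len(total)))
        if snk not in on_path:
            return None, report        # nothing to elaborate: no path at this tier
        qualified = on_path
    final = {(u, v) for u, v in edges if u in qualified and v in qualified}
    return shortest_path(final, source, sink), report


if __name__ == "__main__":
    path, report = pqe(EDGES, SOURCE, SINK)
    for tier, kept, total in report:
        print(f"{tier:12s} qualified {kept}/{total}")
    for node in path:
        print("  " + "/".join(node))
    print("without bridge:", pqe(EDGES - {BRIDGE}, SOURCE, SINK)[0])
```

With the bridge in place the qualified set shrinks at every tier below the component tier (the HttpResponse.Write and Scheduler flows and the dead-end Invoke block are dropped), and only the seven instructions on the real path are elaborated. Without the bridge the walk stops at the assembly tier: WebService.dll is never forward-reachable from System.Web, so the Process.Start sink is unqualified before any instruction-level information is touched, which is exactly the missed issue the slides describe.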

Import and analyze large data sets
◦ All PE modules from Windows Vista?
Improve database performance
◦ Optimization work has not started yet
◦ It is currently very slow
Implement additional peons
◦ Leak Check
And the list goes on…

Phoenix is an exciting project
Software analysis is fun & challenging
Hopefully the database stuff pans out
Questions?