Application Security and Vulnerability Analysis

Lecture

• Slides

Homework

Similar to the discussion in class, the homework-re-fall2011 binary implements a basic network service. Find and describe the buffer overflow vulnerability in this service.

Required Reading

• x86 Win32 Reverse Engineering Cheatsheet (useful reference for the homework)
• IDA Pro Shortcuts Cheatsheet (useful reference for the homework)
• Low-level Software Security: Attacks and Defenses (section three)
• Gray Hat Hacking, 3rd Edition: Chapter 22: Advanced Reverse Engineering

Lecture

• Slides

Homework

There is no homework or reading this week. Students should study for the upcoming exam instead.

Required Reading

• Common WinDBG Commands
• Any previous readings that you missed

General Purpose References

• Assembly Community
• TippingPoint DVLabs Blog
• Security Research Presentations by Alex Sotirov
• Compiler Optimizations for Reverse Engineers by Rolf Rolles
• OpenRCE
• Crackmes.de
• The ReverseEngineering reddit
• The Binary Auditor, Dr. Thorsten Schneider

Walkthroughs

• Tuts 4 You: Lena's Reversing for Newbies
• Mac OS X Reversing Tutorial for Newbies, by Fractal Guru
• From Patch to Proof-of-Concept: MS10-081

The University of Helsinki and F-Secure 'Malware Analysis and Antivirus Technologies' open course

• Introduction to Reverse Engineering
• Reverse Engineering Basics
• The PE File Format
• Using Debuggers to Analyze Malware
• Emulators and Disassemblers
• Unpacking and Decrypting Malware

Fall 2010

• Reverse Engineering 101 video and slides (download)
• Reverse Engineering 102 video and slides (download)

The homework this semester was to identify certain aspects of the GreenMan executable in IDA.

1. Show the upgraph and downgraph of the _strcpy function and take a screenshot
   To do this, open the GreenMan executable in IDA and go to the Names windows (View -> Open Subviews -> Names). Find the _strcpy function (use alt+t to search and ctrl+t to advance to the next search result). Double-click _strcpy once you've located it. You should notice that the entire strcpy function is defined within the binary due to static linking. At this point, show the upgraph and the downgraph and take a screenshot.
2. Identify a buffer that is being manipulated in a function that uses strcpy and take a screenshot
   Now, we want to check out all the functions that call _strcpy. Close the upgraph and then show the xrefs to _strcpy by pressing X with the _strcpy function selected. Go to the first call to _strcpy. Determine the size of the buffer passed to _strcpy. Double-click the stack variable, do you remember how to resize arrays? Resize the array and take a screenshot of the resized array in the stack view.
3. Identify a programming flaw in a function that uses strcpy and take a screenshot
   Finally, we know the function calling _strcpy is passing a char * as the dest buffer, and the source buffer is passed as an argument to the function. We know the source buffer is a char * as well so change the function prototype of the function that calls _strcpy. You can change the prototype by pressing Y on the function. Take a screen shot of the changed prototype.

NOTE: Due to a discrepancy in features between IDA Free and IDA Pro, the _strcpy function will not be automatically recognized in IDA Free. To find it, press 'g' and enter the address '004013A0' to jump to the beginning of the _strcpy function (IDA Free is not able to recognize this function, so it generically names it sub_4013A0). You can press 'n' to rename the function to _strcpy. The _strcpy function name should now appear in the Names window.

If you want to follow the original instructions, you can download the IDA Pro Demo but watch out for the timeouts if you do this.

Fall 2009

• Reverse Engineering 101 video and slides
• Reverse Engineering 102 videos part 1 and part 2 and slides

The homework this semester was to answer the following five questions with the lab VM (Windows 2000):

1. Describe the process you would follow to investigate whether the "Print Spooler" service would be an interesting service to audit (list all tools, gathered information). Google for 'foo.exe vulnerability' where foo.exe is the Print Spooler process name. What is the first result?
2. Locate and identify the process that maintains a handle to the wkssvc named pipe. What is the name of its parent process?
3. Describe why it is important to locate an object's constructor and destructor methods within a binary when looking for vulnerabilities. (hint: the Fortify VulnCat might be able to help again)
4. In IDA Pro, open C:\Windows\system32\ieframe.dll. When the 'load a new file' dialog pops up, just click OK. Give IDA a minute to analyze the binary. Then go to the Exports view (View -> Open subviews->Exports). Sort them by name by clicking on the Name column. What is the name of the first exported function in that list?
5. Double-click that function to jump to the function definition in the disassembly. How many arguments does this function take? Which function does this function call in to? (note the only call instruction in the function)