a software analysis framework built on phoenix. matt miller leviathan security group metasploit...
TRANSCRIPT
A software analysis framework built on Phoenix
Matt Miller
Leviathan Security Group
Metasploit Framework
Uninformed Journal
Not a static analysis expert
Cthulhu software analysis framework
Very high-level architectural overview
Interesting features
Case study
Software optimization and analysis
Basis for future Microsoft compilers and tools
Robust and extensible architecture◦ Plugins◦ Phases
Check out Richard Johnson’s talk to learn more
RDK/SDK not yet completely solidified◦ Encapsulation can help here
API is feature rich but verbose◦ No simplified wrapper
No solution for large-scale analysis◦ LTCG is not enough
Software analysis framework
Hobby project started in June, 2006
Written in C#
Currently around 28KLOC
Simplified Programming Interface◦ Simple and extensible API◦ Fundamental independence
Large-scale analysis◦ Modeling behavior of large systems◦ Pie in the sky: Windows Vista
Research Sandbox◦ A playground for experimentation◦ Phoenix can also be used directly for this purpose
FundamentalsFundamentalsAnalysis EngineAnalysis EnginePeonsPeons
ToolsTools
IDAIDA
PhoenixPhoenixControl FlowControl Flow
Data FlowData Flow
RenderingRenderingAnalysisAnalysis
DBDB
FundamentalsFundamentalsAnalysis EngineAnalysis EnginePeonsPeons
ToolsTools
IDAIDA
PhoenixPhoenixControl FlowControl Flow
Data FlowData Flow
RenderingRenderingAnalysisAnalysis
DB
Uses a fundamental to load assemblies
Runs phases◦ Import◦ Analyze◦ Render
Peons register to be notified on certain events
Analysis EngineAnalysis Engine
Phoenix Fundamenta
l
Phoenix Fundamenta
l1. Load Assembly
DBDB
Importing Peons
Importing Peons
Control FlowControl Flow
Data FlowData Flow
2. Assembly Loaded
4. Normalize Information
3. Import Event
5. Import Event Basic TypesBasic Types
Analysis EngineAnalysis Engine
Database Fundamenta
l
Database Fundamenta
l1. Load Assembly
DBDB
AnalyzingPeons
AnalyzingPeons
Path Discovery
Path Discovery
Leak CheckLeak Check
3. Assembly Loaded
5. Normalize and Denormalize Information
4. Analysis Event
6. Analysis Event
2. Denormalize Assembly Information
Analysis Engine
Analysis Engine
RenderingPeons
RenderingPeons
ConsoleConsole
GUIGUI
1. Render
DBDB
2. Denormalize
OutputStore
OutputStore
3. Display
Extensible and flexible way to represent binary information
May be used to support large-scale analysis◦ Hundreds of modules◦ More work needs to be done
Performance overhead is non-trivial◦ Processing time can be high◦ Volatile memory usage can be kept low
Simplified APIVersion-independent modelingConceptual modeling
AssemblyAssembly
AssemblyAssembly AssemblyAssembly
ModuleModuleData TypeData Type
MethodMethod
ModuleModuleData TypeData Type
MethodMethod
ModuleModuleData TypeData Type
MethodMethod
DB
Abstract classes provide fundamental independence
……
ConcreteImplementations
Phoenix
Modeling version independent relationships between software elements in the database
void CallExitProcess(){ ExitProcess(0);}
CallExitProcess 1CallExitProcess 1 ExitProcessExitProcess
ExitProcess 1
ExitProcess 1
ExitProcess 2
ExitProcess 2
ExitProcess 3
ExitProcess 3
ExitProcess 4
ExitProcess 4
Appropriate versions can be selected at analysis time
Call to version independent kernel32!ExitProcess
Distinct versions of kernel32!ExitProcess
UniverseUniverse
VPN ClientVPN Client VPN ServerVPN Server
Device DriverDevice Driver
User InterfaceUser Interface
DaemonDaemon
vpn.sysvpn.sys
vpngui.exevpngui.exe
dialogs.dlldialogs.dll
daemon.exedaemon.exe
Finding inter-component data flow paths
Web Services is a simple remoting interface◦ Clients invoke methods hosted on a web server◦ Server handles requests and provides responses
Problematic for static analysis◦ Clients pass data to the server indirectly
(network)◦ Limits the scope at which analysis can be
performed
Let’s walk through an example
[WebService]public class WebService{
[WebMethod]public void ExecuteCommand(string command){
Process.Start(command);}
}
Simple web service that invokes a process using the suppliedcommand string
[WebServiceBinding]public class WebClient : SoapHttpClientProtocol{
[SoapDocumentMethod]public void ExecuteCommand(string command){
Invoke("ExecuteCommand", new object[] { command );
}}
Simple web client that wraps the invocation of the web service method
To illustrate a relationship, the client invocation and server method must be bridged
Bridging can take a few different forms◦ Automatic detection of relationships◦ Manual description of relationships
Bridging is an abstract concept though◦ How do we make it concrete?
A concrete relationship can be shown by linking formal parameters
fin(ExecuteCommand, 0)fin(ExecuteCommand, 0)
fin(ExecuteCommand, 0)fin(ExecuteCommand, 0)WebClient
WebService
Web ApplicationWeb Application
Web ClientWeb Client
WebClient.dllWebClient.dll
WebClientWebClient
ExecuteCommandExecuteCommand
Enter BlockEnter Block
fin(0)fin(0)
Web ServiceWeb Service
WebService.dllWebService.dll
WebServiceWebService
ExecuteCommandExecuteCommand
Enter BlockEnter Block
fin(0)fin(0)
Describing indirect relationships improves the quality of analysis information
Widens the scope for control flow and data flow analysis
The Path Discovery peon can help illustrate this
Designed to find reachable flow paths◦ From a set of sources◦ To a set of sinks◦ Within a set of target assemblies
Current restrictions◦ Requires the database fundamental◦ Only operates on data flow information
Command Injection represents one type of security flaw found in managed applications
This can happen when user-controlled data is used in conjunction with launching a process
For example, data passing…◦ From HttpRequest.get_QueryString ◦ To Process.Start
This should be easy to detect, right?
Finding data flow paths from get_QueryString to Start can be problematic
Lowest level data flow information is conveyed with respect to instructions
What if hundreds of assemblies are being analyzed?◦ Not enough physical memory!
Path Discovery makes use of generalized data flow relationships◦ Block-tier, method-tier, type-tier, etc…
Reachable paths are identified using a simple algorithm◦ Progressive Qualified Elaboration (PQE)
PQE is designed to reduce the amount of analysis information that must be considered
Reachable paths are progressively found between source and sink flow descriptors within a set of target assemblies
Tier Information
Component fout(Undefined)
Assembly fout(System.Web)
Data Type fout(System.Web.HttpRequest)
Method fout(get_QueryString, 0)
Basic Block fout(get_QueryString, 0)
Instruction fout(get_QueryString, 0)
Tier Information
Component fin(Undefined)
Assembly fin(System)
Data Type fin(System.Dia…Process)
Method fin(Start, 0)
Basic Block fin(Start, 0)
Instruction fin(Start, 0)
Source flow descriptor
Sink flow descriptor
Suppose there is some code in the web client that does the following◦ client.ExecuteCommand(request.QueryString[x]);
Bridging makes it possible to show a complete data flow path from get_QueryString to Start
Let’s see how we get there using PQE◦ PQE starts from a macro-tier, such as the
component tier
Data flow Def-Use relationshipsbetween components
Interpretation:In at least one situation,v uses data defined by u
Data flow Def-Use relationshipsbetween assemblies
Data flow Def-Use relationshipsbetween data types
Data flow Def-Use relationshipsbetween methods
Data flow Def-Use relationshipsbetween blocks
Data flow Def-Use relationshipsbetween instructions
A complete data flow path is identified
Data flows across an indirect boundary
Without bridging, it would not be possible to seamlessly perform this analysis◦ This means the security issue would be missed
Note that the security issue exists in the web service independent of the web client◦ Example was meant to show simple indirect data flow
Import and analyze large data sets◦ All PE modules from Windows Vista?
Improve database performance◦ Optimization work has not started yet◦ It is currently very slow
Implement additional peons◦ Leak Check
And the list goes on…
Phoenix is an exciting project
Software analysis is fun & challenging
Hopefully the database stuff pans out
Questions?