I. static analysis tools

A. two purposes

------------------------------------------
TWO KINDS OF STATIC ANALYSIS TOOLS

1. For vulnerability analysis

   code implementation problems

   attempts to find:
   - SQL and command injection
   - buffer overflow
   - format string
   - race conditions
   - failure to handle errors properly
   - integer overflows
   - XSS

2. For investigating possible malware

   finds information about a program:
   - if it is known malware (hash code)
   - what strings it uses
   - if the file is "packed" (obfuscated)
   - what it imports (links to)
------------------------------------------

Will a vulnerability analysis find design flaws?

Will a tool tell if a program is malware?

II. analysis tools for detecting vulnerabilities

A. goals

------------------------------------------
GOALS OF VULNERABILITY CHECKERS

- Report all potential vulnerabilities
  (100% recall, no false negatives)
  for

- Order warnings by severity
------------------------------------------

1. examples

a. flawfinder

------------------------------------------
FLAWFINDER

Simple static analysis for C/C++ security vulnerabilities

See http://www.dwheeler.com/flawfinder/

Can install on a PC using cygwin (if it has python)

run by giving it a directory name containing code:

    flawfinder --context --html hw3 \
        > flawfinder-output.html
------------------------------------------

Does the output match what you found in homework 3?

------------------------------------------
LIMITATIONS OF FLAWFINDER

Mostly looks for dangerous function names

Will this have false positives?

Consider:

    void testfmt() {
        const char *name = "my name";
        printf(name);
    }

What does flawfinder say?

    testfmt.c:3 [4] (format) printf:
      If format strings can be influenced by an attacker,
      they can be exploited (CWE-134). Use a constant ...
        printf(name);

From the manual:
  "Not every hit is actually a security vulnerability,
   and not every security vulnerability is necessarily found."
------------------------------------------

Do we still need a trained human to look at the output?

------------------------------------------
CAREFUL WITH DISABLING WARNINGS

Actual flaw in RealNetworks code:

    char tmp[256];            /* Flawfinder: ignore */
    strcpy(tmp, pScreenSize); /* Flawfinder: ignore */

When should warnings be disabled?
- if
------------------------------------------

b. CodeSonar

------------------------------------------
CODE SONAR FROM GRAMMATECH

UCF has a license for this software

Download from shared drive:
  \\lorentz.cs.ucf.edu\Shared\

When you start it, it will ask for the server's location.
  Use 10.173.215.113:7340

From outside UCF, must use the VPN
------------------------------------------

c. Clang

------------------------------------------
CLANG STATIC ANALYZER

Finds problems in C/C++/Objective-C

Works on Macs, and with Xcode!

See http://clang-analyzer.llvm.org/
------------------------------------------

d. SPLINT

------------------------------------------
SPLINT - SECURE PROGRAMMING LINT

See http://splint.org/

There is a windows installer

Uses annotations that give specifications

Able to state and check:
- pre-conditions
- post-conditions
- invariants

Looks for bugs in:
- bounds of array accesses
- bad use of functions (gets, printf, etc.)
- memory usage (malloc and free)
- improper use of abstract data types
- suspicious statements (with no effects)
- unused declarations
------------------------------------------

B. 
summary of advice for using audit tools

------------------------------------------
ADVICE FOR USING AUDIT TOOLS

Remember the limits of static analysis:
- there will be false positives
- vulnerabilities identified are only possible ones

Don't skim the output too lightly
- high priority warnings need attention
- consider as many warnings as possible
- learn about problems before:
    fixing them or dismissing them
- don't just turn off warnings

It will take time
- experts more efficient, but still slow

Overall tools can help find real bugs
------------------------------------------

III. tools for analysis of potential malware in binaries

A. context

------------------------------------------
CONTEXT FOR MALWARE ANALYSIS

You have isolated a program
- seems suspicious (bad effects)
- not sure if it's malware (could be)
- need to:
------------------------------------------

B. tools

1. antivirus scanning

------------------------------------------
ANTIVIRUS SCANNING

A good first step

Can use VirusTotal to try several:
  See http://www.virustotal.com

Reports from all engines
------------------------------------------

2. hashing

------------------------------------------
HASHING

Use a hashing program (MD5 or SHA-1)

Allows one to:
- use the hash as a label
- share the hash to identify malware
- search for the hash online
------------------------------------------

3. strings

------------------------------------------
STRINGS

Gives hints about program's functionality
- normal programs have lots of strings
  e.g., URLs

Strings utility from Microsoft
- download from bit.ly/ic4plL
  i.e., https://technet.microsoft.com/en-us/sysinternals/bb897439
- or run from https://live.sysinternals.com/
------------------------------------------

4. 
packed and obfuscated malware (PEiD)

------------------------------------------
PACKED AND OBFUSCATED MALWARE

Packing idea:

    |-----------|\
    |           | \
    | original  |  \-->+---------+
    |   code    |      | wrapper |
    |           |      |---------|
    |           |      | packed  |
    |           |      |  code   |
    |           |      |         |
    |           |  /-->+---------+
    |           | /
    |-----------|/

- The wrapper unpacks the code to the original size
  before execution

Benefits:
- smaller size
- information compressed (obfuscated)

Used by some legitimate software, and by lots of malware

A popular packer is UPX
  See http://upx.sourceforge.net/
  which can also be used for unpacking
------------------------------------------

------------------------------------------
DETECTING PACKERS

PEiD is a program that can detect packers
  See woodmann.com/BobSoft/

But best to run it in a VM
  as some plug-ins may run the programs!
------------------------------------------

5. dependencies (dynamically linked functions)

------------------------------------------
KINDS OF LINKING

static linking:
  libraries put into executable (PE file) before runtime

dynamic linking:
  libraries found at runtime

dynamic linking is common

Functions for dynamic linking (Windows):
- LoadLibrary
- GetProcAddress
- LdrGetProcAddress
- LdrLoadDll
------------------------------------------

------------------------------------------
DEPENDENCIES ON DYNAMICALLY LINKED LIBS

DependencyWalker (from MS Visual Studio)

Shows dependencies from the PE file
- can give information about functionality
------------------------------------------

------------------------------------------
COMMON DLLS (Table 1.1 of PMA)

DLL            Description
==========================================
Kernel32.dll   core functionality (memory, files, hardware)
Advapi32.dll   advanced Windows components (service manager, registry)
User32.dll     UI components (buttons, scroll bars)
Gdi32.dll      graphics functions
Ntdll.dll      interface to kernel (suspicious)
WSock32.dll    networking
Ws2_32.dll     (connecting to network)
Wininet.dll    high-level networking (HTTP, FTP, NTP protocols)
------------------------------------------

------------------------------------------
WINDOWS FUNCTION NAMING CONVENTIONS

Ex suffix (e.g., CreateWindowEx)
  extends old version in incompatible way

Suffixes for string types (don't appear in MS documentation)
- A (e.g., CreateDirectoryA) = takes ASCII strings
- W (e.g., CreateDirectoryW) = takes wide character strings
------------------------------------------

6. text segments (PEview)

------------------------------------------
DETAILS OF THE PE FILE

PEview tool
  See http://wjradburn.com/software/

Sections may be informative

Look in IMAGE_NT_HEADERS under IMAGE_FILE_HEADER

compare to IMAGE_SECTION_HEADER
  virtual size vs. size of raw data

if a section has no space on disk (raw data)
but has a large virtual size,
then it may be unpacking into that section
------------------------------------------

7. resources segment

------------------------------------------
VIEWING RESOURCES SEGMENT WITH RESOURCE HACKER

This is the .rsrc segment

Use ResourceHacker from http://angusj.com/
------------------------------------------

C. exercise

------------------------------------------
EXERCISE ANALYSIS OF A FILE

Obtain samples from http://practicalmalwareanalysis.com/labs/
  use files Lab01-01.exe and Lab01-01.dll

1. Do they match any existing virus sigs?
2. When were they compiled?
3. Are they packed or obfuscated?
4. Any hints from the imports?
5. What could you look for to find them?
   - file activity
   - network activity
6. What is their purpose?
------------------------------------------
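As an added example (not part of these notes or of any tool they mention), a small Python script that performs the first-pass checks from sections B.2, B.3 and B.5 on bytes in memory: hashing, strings extraction including the UTF-16LE strings the "W" functions use, and a scan of those strings for the dynamic-linking function names the notes list. The sample bytes are constructed here, not a real binary; the regular-expression extraction and the API-name check are my own approximations, not Microsoft's Strings utility.

```python
import hashlib
import re

# Constructed sample "binary" (not a real file): header-like bytes, an ASCII URL,
# two Windows API names, a fragment too short to report, and a UTF-16LE string.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    + b"http://example.invalid/update.php\x00"
    + b"LoadLibraryA\x00GetProcAddress\x00"
    + b"\x01\x02ab\x03"
    + "CreateDirectoryW".encode("utf-16-le") + b"\x00\x00"
    + b"\xff\xfe\x00"
)

# Functions the notes list for dynamic linking; seeing their names as plain
# strings hints at run-time resolution of imports (assumed heuristic).
DYNAMIC_LINK_APIS = {"LoadLibrary", "GetProcAddress", "LdrGetProcAddress", "LdrLoadDll"}


def hash_bytes(data: bytes) -> dict:
    """Labels to record, share and search for: MD5 and SHA-1 as in the notes, plus SHA-256."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Mimic the strings utility: runs of printable ASCII, and runs of UTF-16LE
    (the wide-character strings taken by the 'W' Windows functions)."""
    ascii_re = rb"[\x20-\x7e]{%d,}" % min_len
    wide_re = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    found = [("ascii", m.group().decode("ascii")) for m in re.finditer(ascii_re, data)]
    found += [("utf16", m.group().decode("utf-16-le")) for m in re.finditer(wide_re, data)]
    return found


def triage(data: bytes) -> dict:
    """First-pass static triage: hashes, strings, and dynamic-linking API names seen."""
    strings = extract_strings(data)
    # Strip the A/W suffix so LoadLibraryA and LoadLibraryW both match LoadLibrary.
    hints = sorted({s for _, s in strings if s.rstrip("AW") in DYNAMIC_LINK_APIS})
    return {"hashes": hash_bytes(data), "strings": strings, "dynamic_link_hints": hints}


if __name__ == "__main__":
    report = triage(SAMPLE)
    print("sha256:", report["hashes"]["sha256"])
    for kind, text in report["strings"]:
        print(f"{kind:6} {text}")
    print("dynamic linking hints:", report["dynamic_link_hints"])
```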
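Also an added example rather than part of the notes: a Python parser for the headers PEview displays, applying the virtual-size vs. raw-data hint from section B.6 and reading the IMAGE_FILE_HEADER timestamp that exercise question 2 asks about. The sample images are constructed headers only (no optional header, no code), and the 0x1000 "large" threshold is an assumption for illustration; the section names mimic UPX's naming.

```python
import struct
from datetime import datetime, timezone

FILE_HEADER = "<HHIIIHH"          # IMAGE_FILE_HEADER, 20 bytes
SECTION_HEADER = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes
LARGE_VIRTUAL = 0x1000            # assumed threshold for "large virtual size"


def parse_pe(pe: bytes) -> dict:
    """Walk IMAGE_NT_HEADERS -> IMAGE_FILE_HEADER -> IMAGE_SECTION_HEADERs and flag
    sections with no raw data on disk but a large virtual size (unpacking target)."""
    if pe[:2] != b"MZ":
        raise ValueError("no MZ signature: not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("no PE signature at e_lfanew")
    fh = e_lfanew + 4
    _machine, nsections, stamp, _sym, _nsym, opt_size, _flags = struct.unpack_from(FILE_HEADER, pe, fh)
    pos = fh + struct.calcsize(FILE_HEADER) + opt_size   # skip the optional header
    sections, suspicious = [], []
    for _ in range(nsections):
        name, vsize, _va, rawsize, *_rest = struct.unpack_from(SECTION_HEADER, pe, pos)
        name = name.rstrip(b"\x00").decode("ascii", "replace")
        sections.append((name, vsize, rawsize))
        if rawsize == 0 and vsize >= LARGE_VIRTUAL:
            suspicious.append(name)
        pos += struct.calcsize(SECTION_HEADER)
    return {
        "compiled": datetime.fromtimestamp(stamp, tz=timezone.utc).isoformat(),
        "sections": sections,
        "suspicious_sections": suspicious,
        "possibly_packed": bool(suspicious),
    }


def build_sample_pe(sections, stamp=1262304000) -> bytes:
    """Constructed header-only PE (no optional header, no code) for demonstration."""
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    file_hdr = struct.pack(FILE_HEADER, 0x14C, len(sections), stamp, 0, 0, 0, 0x102)
    hdrs = b"".join(struct.pack(SECTION_HEADER, n.ljust(8, b"\x00"), vs, va, rs, rp, 0, 0, 0, 0, 0xE0000020)
                    for n, vs, va, rs, rp in sections)
    return dos + b"PE\x00\x00" + file_hdr + hdrs


# Constructed UPX-like layout: UPX0 reserves 128 KiB in memory with nothing on disk.
PACKED = build_sample_pe([(b"UPX0", 0x20000, 0x1000, 0, 0),
                          (b"UPX1", 0x8000, 0x21000, 0x8000, 0x400)])
NORMAL = build_sample_pe([(b".text", 0x1000, 0x1000, 0x1000, 0x400)])
```

Running parse_pe(PACKED) reports UPX0 as suspicious and a 2010-01-01 compile time, while parse_pe(NORMAL) reports nothing suspicious.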