Extending Microsoft's Phoenix Framework - HiCK.ORG


Cthulhu: A software analysis framework built on Phoenix

Who am I?
- Matt Miller
- Leviathan Security Group
- Metasploit Framework
- Uninformed Journal
- Not a static analysis expert

What's this talk about?
- Cthulhu software analysis framework
- Very high-level architectural overview
- Interesting features
- Case study

Phoenix Overview
- Software optimization and analysis
- Basis for future Microsoft compilers and tools
- Robust and extensible architecture
  - Plugins
  - Phases
- Check out Richard Johnson's talk to learn more

Why extend Phoenix?
- RDK/SDK not yet completely solidified
  - Encapsulation can help here
- API is feature rich but verbose
  - No simplified wrapper
- No solution for large-scale analysis
  - LTCG is not enough

Cthulhu Overview
- Software analysis framework
- Hobby project started in June, 2006
- Written in C#
- Currently around 28 KLOC

Cthulhu Goals
- Simplified programming interface
  - Simple and extensible API
  - Fundamental independence
- Large-scale analysis
  - Modeling behavior of large systems
  - Pie in the sky: Windows Vista
- Research sandbox
  - A playground for experimentation
  - Phoenix can also be used directly for this purpose

Cthulhu Architecture
[Diagram, repeated on two slides: Fundamentals (IDA, DB, Phoenix) feed the Analysis Engine (Data Flow, Control Flow, Peons), which feeds the Tools (Analysis, Rendering).]

Analysis Engine Process
- Uses a fundamental to load assemblies
- Runs phases
  - Import
  - Analyze
  - Render
- Peons register to be notified on certain events

Import Phase
[Diagram: 1. the Analysis Engine loads the assembly through the Phoenix fundamental; 2. Assembly Loaded; 3. Import Event delivered to the importing peons (Basic Types, Control Flow, Data Flow); 4. Normalize Information into the DB; 5. Import Event.]

Analysis Phase
[Diagram: 1. the Analysis Engine loads the assembly through the database fundamental; 2. Denormalize Assembly Information from the DB; 3. Assembly Loaded; 4. Analysis Event delivered to the analyzing peons (Path Discovery, Leak Check); 5. Normalize and Denormalize Information in the DB; 6. Analysis Event.]

Render Phase
[Diagram: 1. the Analysis Engine issues Render; 2. Denormalize from the DB; the rendering peons (Console, GUI) 3. Display Output or Store.]

Database Implications
- Extensible and flexible way to represent binary information
- May be used to support large-scale analysis
  - Hundreds of modules
- More work needs to be done
  - Performance overhead is non-trivial
  - Processing time can be high
  - Volatile memory usage can be kept low

A few cool features
- Simplified API
- Version-independent modeling
- Conceptual modeling

Simplified API
- Abstract classes provide fundamental independence
[Diagram: abstract Assembly, Module, Data Type and Method classes, with concrete implementations for Phoenix and for the DB.]

Version-independent Modeling
- Modeling version-independent relationships between software elements in the database
- Appropriate versions can be selected at analysis time

    void CallExitProcess()
    {
        ExitProcess(0);
    }

[Diagram: CallExitProcess makes a call to the version-independent kernel32!ExitProcess; ExitProcess 1, ExitProcess 2, ExitProcess 3 and ExitProcess 4 are distinct versions of kernel32!ExitProcess.]

Conceptual Modeling
[Diagram: a Universe containing a VPN Client and a VPN Server; the VPN Client is made up of a Device Driver (vpn.sys), a Daemon (daemon.exe) and a User Interface (vpngui.exe, dialogs.dll).]

Case Study: Web Services
- Finding inter-component data flow paths

Overview
- Web Services is a simple remoting interface
  - Clients invoke methods hosted on a web server
  - Server handles requests and provides responses
- Problematic for static analysis
  - Clients pass data to the server indirectly (network)
  - Limits the scope at which analysis can be performed
- Let's walk through an example

Example Web Service

    using System.Diagnostics;
    using System.Web.Services;

    [WebService]
    public class WebService
    {
        [WebMethod]
        public void ExecuteCommand(string command)
        {
            // Launches whatever the caller supplied as the command string
            Process.Start(command);
        }
    }

- Simple web service that invokes a process using the supplied command string

Example Web Service Client

    using System.Web.Services;
    using System.Web.Services.Protocols;

    [WebServiceBinding]
    public class WebClient : SoapHttpClientProtocol
    {
        [SoapDocumentMethod]
        public void ExecuteCommand(string command)
        {
            // Forwards the argument to the remote ExecuteCommand method
            Invoke("ExecuteCommand", new object[] { command });
        }
    }

- Simple web client that wraps the invocation of the web service method

Bridging the gap
- To illustrate a relationship, the client invocation and server method must be bridged
- Bridging can take a few different forms
  - Automatic detection of relationships
  - Manual description of relationships
- Bridging is an abstract concept though
  - How do we make it concrete?

Bridging the gap
- A concrete relationship can be shown by linking formal parameters
[Diagram: WebClient fin(ExecuteCommand, 0) linked to WebService fin(ExecuteCommand, 0).]

Benefits of bridging
[Diagram: a Web Application made up of a Web Client (WebClient.dll > WebClient > ExecuteCommand > Enter Block > fin(0)) and a Web Service (WebService.dll > WebService > ExecuteCommand > Enter Block > fin(0)), with the two fin(0) nodes linked.]

What's the point?
- Describing indirect relationships improves the quality of analysis information
- Widens the scope for control flow and data flow analysis
- The Path Discovery peon can help illustrate this

Path Discovery: Overview
- Designed to find reachable flow paths
  - From a set of sources
  - To a set of sinks
  - Within a set of target assemblies
- Current restrictions
  - Requires the database fundamental
  - Only operates on data flow information

Path Discovery: Scenario
- Command Injection represents one type of security flaw found in managed applications
  - This can happen when user-controlled data is used in conjunction with launching a process
- For example, data passing
  - From HttpRequest.get_QueryString
  - To Process.Start
- This should be easy to detect, right?

Path Discovery: Problem
- Finding data flow paths from get_QueryString to Start can be problematic
  - Lowest level data flow information is conveyed with respect to instructions
  - What if hundreds of assemblies are being analyzed?
  - Not enough physical memory!

Path Discovery: Solution
- Path Discovery makes use of generalized data flow relationships
  - Block-tier, method-tier, type-tier, etc.
- Reachable paths are identified using a simple algorithm
  - Progressive Qualified Elaboration (PQE)
- PQE is designed to reduce the amount of analysis information that must be considered

Progressive Qualified Elaboration
- Reachable paths are progressively found between source and sink flow descriptors within a set of target assemblies
- Flow descriptors for this scenario

Source flow descriptor (HttpRequest.get_QueryString)

    Tier         Information
    Component    fout(Undefined)
    Assembly     fout(System.Web)
    Data Type    fout(System.Web.HttpRequest)
    Method       fout(get_QueryString, 0)
    Basic Block  fout(get_QueryString, 0)
    Instruction  fout(get_QueryString, 0)

Sink flow descriptor (Process.Start)

    Tier         Information
    Component    fin(Undefined)
    Assembly     fin(System)
    Data Type    fin(System.Diagnostics.Process)
    Method       fin(Start, 0)
    Basic Block  fin(Start, 0)
    Instruction  fin(Start, 0)

Applying this to web services

- Suppose there is some code in the web client that does the following:

    client.ExecuteCommand(request.QueryString[x]);

- Bridging makes it possible to show a complete data flow path from get_QueryString to Start
- Let's see how we get there using PQE
  - PQE starts from a macro-tier, such as the component tier

Reachability: Component Tier
- Data flow Def-Use relationships between components
- Interpretation: in at least one situation, v uses data defined by u

Reachability: Assembly Tier
- Data flow Def-Use relationships between assemblies

Reachability: Data Type Tier
- Data flow Def-Use relationships between data types

Reachability: Method Tier
- Data flow Def-Use relationships between methods

Reachability: Basic Block Tier
- Data flow Def-Use relationships between blocks

Reachability: Instruction Tier
- Data flow Def-Use relationships between instructions

The end-result
- A complete data flow path is identified
  - Data flows across an indirect boundary
- Without bridging, it would not be possible to seamlessly perform this analysis
  - This means the security issue would be missed
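The tier-by-tier pruning PQE performs, together with the bridge that links the client's fin(ExecuteCommand, 0) to the server's, as an added Python example that is not code from this talk or from Cthulhu. The node labels, the def-use edges, the Page_Load caller and the Log/Run distractors are all constructed for the example; only four tiers are modelled rather than the six in the slides.

```python
from collections import deque
TIERS = ("assembly", "type", "method", "instruction")  # coarse -> fine

# Constructed nodes: (assembly, data type, method, instruction-level element).
NODES = {
    "qs": ("System.Web", "HttpRequest", "get_QueryString", "ret"),
    "pl": ("WebClient.dll", "WebPage", "Page_Load", "call"),
    "cp": ("WebClient.dll", "WebClient", "ExecuteCommand", "param0"),
    "sp": ("WebService.dll", "WebService", "ExecuteCommand", "param0"),
    "st": ("System", "Diagnostics.Process", "Start", "param0"),
    "lg": ("WebService.dll", "WebService", "Log", "param0"),
    "un": ("Unrelated.dll", "Other", "Run", "param0"),
}
# Constructed instruction-tier def-use edges: u defines data that v uses.
DEFUSE = [("qs", "pl"), ("pl", "cp"), ("sp", "st"), ("sp", "lg"), ("un", "st")]
# Manual bridge: client fin(ExecuteCommand, 0) -> server fin(ExecuteCommand, 0).
BRIDGE = [("cp", "sp")]

def project(node, tier):
    return NODES[node][: tier + 1]  # generalize a node to a coarser tier

def reachable(adj, start):
    """BFS over an adjacency dict; returns every key reachable from start."""
    seen, todo = {start}, deque([start])
    while todo:
        for nxt in adj.get(todo.popleft(), ()):
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return seen

def pqe(source, sink, edges):
    """Elaborate tier by tier; an edge survives at a tier only if both endpoints'
    parents lay on a path one tier up. Returns (edges per tier, nodes on path)."""
    qualified, considered = None, []
    for tier in range(len(TIERS)):
        fwd, bwd = {}, {}
        for u, v in edges:
            pu, pv = project(u, tier), project(v, tier)
            if qualified and (pu[:-1] not in qualified or pv[:-1] not in qualified):
                continue  # pruned: a parent was never on a reachable path
            fwd.setdefault(pu, set()).add(pv)
            bwd.setdefault(pv, set()).add(pu)
        considered.append(sum(len(s) for s in fwd.values()))
        src, dst = project(source, tier), project(sink, tier)
        on_path = reachable(fwd, src) & reachable(bwd, dst)
        if dst not in on_path:
            return considered, set()  # no flow at this tier, stop elaborating
        qualified = on_path
    return considered, qualified
```

Without the bridge edge the assembly-tier pass never reaches System and elaboration stops after the first tier, which is the missed finding the slides describe; with it, the edge count shrinks from 6 to 4 as the tiers refine.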

Note that the security issue exists in the web service independent of the web client; the example was meant to show simple indirect data flow.

Future Work
- Import and analyze large data sets
  - All PE modules from Windows Vista?
- Improve database performance
  - Optimization work has not started yet
  - It is currently very slow
- Implement additional peons
  - Leak Check
  - And the list goes on

Conclusion
- Phoenix is an exciting project
- Software analysis is fun & challenging
- Hopefully the database stuff pans out

Questions?
