plans for a code vulnerabilty scanner ...

For other topics related to the FreeBASIC project or its community.
Mihail_B
Posts: 271
Joined: Jan 29, 2008 11:20
Location: Romania
Contact:

plans for a code vulnerabilty scanner ...

Postby Mihail_B » Dec 11, 2015 20:43

Hay guys ! Long time no see :D

Been out for a while, but still tracked freebasic community from time to time...

Now I'm back for serious stuff ...

I have plans to write a vulnerability scanner and I thought to ask U guys a few questions;
but before let me detail what the hack i am trin' to do...

So you might all heard about the 1Mil $ prize for rooting iOS just by only using the safari browser ... (meaning the user surfs a malicious web site and his phone get's hijacked to the deepest level possible )

I got tired of all openssl vulnerabilities updates so i planned to create a vulnerability scanner that can go even deep into OS' kernel core functions & root drivers.

What are the bases ?
A function has inputs and outputs.
Inside the function goes on some stuff that has or has not constraints.
The scanner will detect all possible memory writes/reads (+registers) as a mathematical list of segments.
For instance

function AVulnerableFunc (a as integer) as integer
dim as integer ptr b
dim as integer c(100)
b = @c(0)
return b[a]
end function

will have an associated list :
[0x00 00 00 00 00 00 00 00 to 0x ff ff ff ff ff ff ff ff ] initial = @c(0)


and another example :
function aHeapReader(a as integer) as ubyte
dim as ubyte ptr x
dim as ubyte ptr y = new ubyte[100];
dim as integer i
for i = 0 to 99
y[i] = i or ((i shr 1) and i)
if (a >= 0) then
return x[a]
else
return 0
end if
end function
will have the associated list
[ pointer new(100 bytes), 0xff ff ff ff ff ff ff ff]
unreleased heap memory
pointer ubyte [100]

and so on ..

In the end we'll have a list like
AVulnerableFunc (a as integer) returns 4bytes: reads [0x00 00 00 00 00 00 00 00 to 0x ff ff ff ff ff ff ff ff ] initial = @c(0)
aHeapReader(a as interger) returns 1byte: reads [ pointer new(100 bytes), 0xff ff ff ff ff ff ff ff] ; unrelease new(100 bytes) inited at program_address
aVirtualFunction(a as integer, b as dword) return 3 bytes: writes 4bytes [function stack + 0x100, function stack - 0xff]


This first list can reveal any unsafe program read/writes (unbounded,unchecked, unconstrained read/write to code/heap/stack).

For this step we only need to analyze the code from files without the need of real time debugging.

The second step is to simulate different chain of actions having a snapshot of the PC's memory (from inside a virtual machine like VirtualBox). We try to find if by chaining known vulnerabilities from the above list ... if we could do a Remote Code Execution, Information disclosure (like getting ssl session private keys) and so on.

The mathematical intersection of the segmets listed above will provide the whole map of memory locations with which the program can interact (read and/or write to).

With such a program one can scan it's own program and find floods in his own code.


I plan for the program to be portable to Win/Linux/Mac, 32bit/64bit
--
My question to u guys is :
- did any of you (already) coded a library analyzer (.dll, .so. .a) that lists all callable functions (+ function address in file) that could serve to my purposes ... ? this will spear me the time of building my own library or interacting with 3rd party c++ libs.

Thx .
suggestions appreciated.

PS: the actual algorithm is much more complex and the number of vulnerabilities is much wider ... i should open a different forum thread just to discuss coding vulnerabilities and good practices.
Also the program will have all the functionalities of a memory leak analyzer (like functionalities already known from valgrind, deleaker, etc) because we track all memory allocations whether they are heap allocations, stack or shared memory etc
- but it will not replace the use of memory leak analyzer
marcov
Posts: 2814
Joined: Jun 16, 2005 9:45
Location: Eindhoven, NL
Contact:

Re: plans for a code vulnerabilty scanner ...

Postby marcov » Dec 11, 2015 21:23

Mihail_B wrote:This first list can reveal any unsafe program read/writes (unbounded,unchecked, unconstrained read/write to code/heap/stack).


So, basically what call/valgrind does?

suggestions appreciated.


How do you add code to existing functions to check them? Even checking the pre/post conditions of OS functions needs control to pass to your code to check the result.
Mihail_B
Posts: 271
Joined: Jan 29, 2008 11:20
Location: Romania
Contact:

Re: plans for a code vulnerabilty scanner ...

Postby Mihail_B » Dec 12, 2015 7:23

marcov wrote:How do you add code to existing functions to check them? Even checking the pre/post conditions of OS functions needs control to pass to your code to check the result.


You don't add code. You trace the code step by step and discover which and where.

For example:

mov eax,[esp + 8h] # eax will contain variable from stack
mov edi, [esp + 4h] # edi will contain other variable from stack
mov dword ptr [edi], eax

as from :

sub afunc( i as dword ptr, k as dword )
*i = k
end sub

This gives us this segment [0x00 00 00 00 00 00 00 00 to 0xFF FF FF FF FF FF FF FF] initial @ i

So program will scan code at byte-code level
i as dword ptr will be dynamically labeled "afunc_stack_variable_0]
etc :)

OS functions. I mentioned Oracle Virtual Box... and a memory snapshot.
So yes the actual stuff is complex - we have to translate virtual memory, gdt translations and other stuff:
didn't mention them 'cause i wrote a small summary not the actual algorithm.

So:
pass 1: disassembly library and just find pre initial segments...
pass 2: for each compiled library/binary in our system do step 1 ... resulting in pre' for all known libraries
...
pass k: step by step in memory snapshot ( which includes Processor snapshot too - all registers for all CPUs if multi core Processor)
...
and so on


In the final steps we trace the life in it's wild state :)

Return to “Community Discussion”

Who is online

Users browsing this forum: No registered users and 1 guest