Wednesday, March 28, 2012

Windows Malware: a reverse engineering document.

Today I'd like to share an interesting PDF I found while browsing some of my favourite feeds. The PDF is titled "Deep dive into OS internals with WinDbg". You might think this is going to be yet another document explaining Windows malware analysis, but it is not the usual one. What I liked about it is the straightforward way it presents information: a small document packed with a lot of content. You can read it as a cheat sheet or as a little manual.

There is more than one reason to reverse malware these days. As time passes, awareness of reverse engineering is spreading. However, a person new to the field of reversing viruses encounters a few obstacles. Unlike other security domains, where you can make your way by relying on some security tools, this field demands a strong understanding of operating system internals and assembly language programming.

The author covers many of the most important topics in the field of reverse engineering, giving the essential flavour of each: basic concepts of reversing, a very brief summary of PE anatomy, DDI and import tables, the export table (those sections are quite dense) and so on. I personally suggest this reading to everybody who aims to learn more about reverse engineering but does not have much time to read whole manuals, and to everybody working on hard security topics who is not an everyday practitioner. And obviously to "security students", who should be avid readers of such things. :)


Saturday, March 24, 2012

ROP and deROP

I've been writing a lot about ROP in my past posts (here for a collection), covering some of the principal anti-ROP techniques used by modern operating systems. Today I'd like to suggest another great read, from Kangjie Lu et al. of Peking University, China, titled "deRop: removing return-oriented programming from malware."

Many different researchers have put their efforts into finding good ways to fight ROP malware. For example, Davi et al. and Chen et al. implemented a threshold system able to count how many short instruction sequences followed by RETN are present in an executable; once the threshold is reached, the security mechanism alerts the user. Another direction is to look for violations of the last-in, first-out invariant of the stack data structure that call and return instructions normally maintain in benign programs. Francillon et al. implemented a shadow return-address stack in hardware, such that only call and return instructions can modify the return-address stack. Davi et al. claim that it is possible to extend their ROP defender with a frequency measurement unit to detect attacks with return-less ROP: the idea is that pop-jump sequences are uncommon in ordinary programs, while return-less ROP invokes such a sequence after each instruction sequence. Most recently, Onarlioglu et al. proposed G-Free, a compiler-based approach to defeat any possible form of ROP.
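To make the two detection ideas above concrete, here is an added example (not code from the deRop paper or from the defences it cites) that simulates a shadow return-address stack and a gadget-length threshold over a constructed instruction trace. The (mnemonic, value) trace format, the trace contents and the thresholds (5 instructions per sequence, 3 consecutive short sequences) are assumptions made for the example.

```python
def analyze(trace, max_gadget_len=5, chain_threshold=3):
    """Return a list of (index, kind, detail) alerts for an executed trace.

    Each entry is (mnemonic, value): value is the return address a CALL
    pushes, the address a RET actually transfers control to, or None for
    any other instruction (a constructed tracer format, not a real tool's)."""
    shadow = []          # shadow return-address stack; only CALL/RET touch it
    alerts = []
    seq_len = 0          # instructions in the current RET-terminated sequence
    short_streak = 0     # consecutive sequences no longer than max_gadget_len
    for i, (mnem, value) in enumerate(trace):
        seq_len += 1
        if mnem == "call":
            shadow.append(value)
        elif mnem == "ret":
            # LIFO invariant: a RET must go where the matching CALL pushed.
            expected = shadow.pop() if shadow else None
            if expected != value:
                seen = hex(expected) if expected is not None else "empty stack"
                alerts.append((i, "shadow-stack",
                               f"ret to {value:#x}, shadow stack: {seen}"))
            # Gadget-length threshold: several short sequences ending in RET.
            if seq_len <= max_gadget_len:
                short_streak += 1
                if short_streak == chain_threshold:   # alert once per streak
                    alerts.append((i, "gadget-chain",
                                   f"{chain_threshold} consecutive sequences of "
                                   f"<= {max_gadget_len} instructions ending in ret"))
            else:
                short_streak = 0
            seq_len = 0
    return alerts

# Constructed traces. Benign: two ordinary calls whose RETs land on the address
# the matching CALL pushed, with function bodies longer than a typical gadget.
BENIGN_TRACE = [
    ("call", 0x401005), ("push", None), ("mov", None), ("add", None),
    ("xor", None), ("cmp", None), ("pop", None), ("ret", 0x401005),
    ("call", 0x401020), ("mov", None), ("sub", None), ("shl", None),
    ("or", None), ("pop", None), ("ret", 0x401020),
]
# ROP-like: after one legitimate CALL the return address is hijacked and every
# RET transfers to a short sequence that was never the target of a CALL.
ROP_TRACE = [
    ("call", 0x401005), ("pop", None), ("ret", 0x40a010),
    ("mov", None), ("ret", 0x40b020),
    ("xor", None), ("add", None), ("ret", 0x40c030),
    ("pop", None), ("pop", None), ("ret", 0x40d040),
]
```

Running `analyze(ROP_TRACE)` yields four shadow-stack alerts (one per mismatched RET) and a single gadget-chain alert at the third short sequence, while the benign trace yields none.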

In this paper Kangjie Lu proposes a "conversion tool" able to transform the most advanced ROP-based payloads into equivalent non-ROP payloads that can be analyzed by ordinary malware analysis tools.

Instead, we propose an automatic converter, called deRop, to convert ROP shellcode into its semantically equivalent non-ROP shellcode so that any of the existing malware analysis tools can analyze it.
The following image (taken from the paper) shows a high-level overview of the deRop system design.

The paper describes well the whole process behind the development of the tool, underlining the main difficulties and design choices. The authors tested their work by applying the tool to 4 real payloads, obtaining great results.

Even if the idea behind the whole work is surprisingly good, the tool has some limitations when applied in the real world: for example, its output is specific to one running instance under ASLR, and deRop needs to execute the vulnerable application dynamically in order to locate the gadgets used by the ROP exploit. But to learn more about that, please read the whole paper; it is really a good read! Have fun.



Friday, March 23, 2012

Android bug hunting framework

Hi folks,

Today I'd like to share a very promising framework called Mercury. Mercury is a free framework for bug hunters to find vulnerabilities, write proof-of-concept exploits and play in Android. It uses dynamic analysis on Android applications and devices for quicker security assessments, and shares publicly known methods of exploitation on Android and proof-of-concept exploits for applications and devices. The easy extension interface allows users to write custom modules and exploits for Mercury, replacing the custom applications and scripts that perform single tasks with a framework that provides many tools.

To know more about it, see here, and here (documentation). Actually I am not an Android security expert; so far I have never been involved in security-related Android projects, but from my knowledge of security trends and a little bit of security history I would bet on it: it seems very promising and user friendly! Great job guys, keep going!






Wednesday, March 21, 2012

Book Review: The Tangled Web. A Guide to Securing Modern Web Applications

Everybody who reads this blog should be familiar with computer security science. Computer security strongly depends on complexity, meaning that the more complex a system is, the higher the probability that it contains a vulnerability. Web applications, from simple HTTP requests to browser-side plugins, interact heavily with other applications, giving life to a very complex system. Every complex system comes with vulnerabilities. Due to their flexibility, adaptability and availability, web applications are some of the most complex systems of the digital era, and for this specific reason they are among the most bug-ridden.


Michal Zalewski is one of the most talented browser security experts. He has written many books, but today I am going to suggest his latest, titled "The Tangled Web: A Guide to Securing Modern Web Applications", published by No Starch Press.

Michal Zalewski has definitely written one of the most interesting books on the topic. It does not describe attack techniques or how to defend applications by giving advice or simple examples; it really goes deep into the core problem, analyzing almost all web technologies. He underlines weaknesses and explains why web browsers are fundamentally insecure, pointing this out throughout his very thorough analysis. The reader will learn how things really work and why there will always be vulnerabilities in such models.

A very useful feature offered by the author is the "Security Engineering Cheat Sheet" at the end of every chapter; it offers a quick way to sum up what the reader has learned so far. It is very useful even for re-reading afterwards or for quickly searching the contents.

Definitely a "must have" in any computer security engineer's library.

Thursday, March 15, 2012

Free iPhone Security Reader

Hi Folks,
In the past few days I have been traveling a lot and I needed a security-specific feed reader for my mobile device. I have an iPhone and, while looking in the App Store, I was unable to find a free security-specific feed reader; I only found generic feed readers, and most of them were not free. So I decided to build a security-specific reader and, taking advantage of the new SDK feature (distributing it without the need for the App Store), I decided to make it freely available from this post.

The following screenshots show how the reader works: just tap on it and it will load security feeds from most of the well-known security web sites. It is extremely easy and simple to use. There are no options and no configuration is needed (only an Internet connection). The goal of this very simple project is to have a "Tap-and-Go" security reader, nothing more, nothing less.

If you have your own feed to add, please feel free to contact me; I'll release upgrades from time to time, depending on your interest. The file you are going to download is a classic IPA file. To install it, just use iTunes ;).

Download!

Have fun!

Friday, March 9, 2012

Steganography Tools: a non exhaustive survey

Yesterday, talking about steganography with the CeSeNA group, it came out that some people were not familiar with some of the most significant tools in the steganography field. Thanks to Luca Mella, who shared a fairly exhaustive list with me, I am going to post some interesting steganography resources so that there is one place to find them all.

According to Wikipedia, steganography is the art and science of writing hidden messages in such a way that no one, apart from the sender and the intended recipient, suspects the existence of the message, a form of security through obscurity. In other words, it is the art of hiding information by relying on the obscurity principle (please don't confuse it with cryptography, which is a totally different topic).

The first tool I am going to list is called wbStego (and its open version). wbStego offers steganography in bitmaps, text files, HTML files and PDF files. It has two very user-friendly interfaces and is ideal for securely transmitting data online or adding copyright information, especially with the copyright information manager.

OutGuess is another great tool, able to detect steganographic content in images. It implements different steganographic algorithms. Based on clustering techniques, it is able to detect the following algorithms in JPEG images: jsteg, jphide (Unix and Windows), Invisible Secrets, OutGuess 01.3b, F5 (header analysis), appendX and Camouflage.

Talking about steganography in audio files, a great resource is the following one provided by snotmonkey. It offers a good survey of the most used techniques, such as LSB coding, parity coding, phase coding, spread spectrum coding and echo hiding. MP3Stego is a tool working on audio files; specifically, it works on MP3 files. It is able to hide content in, and extract content from, MP3 files.

VSL: Virtual Steganographic Laboratory (VSL) is a graphical block diagramming tool that allows complex use, testing and adjustment of methods for both image steganography and steganalysis. VSL provides a simple GUI along with a modular, plug-in architecture.

The Digital Invisible Ink Toolkit is a Java steganography tool that can hide any sort of file inside a digital image (provided the message fits and the image is 24-bit colour). Being Java based, it works on most operating systems.

Specifically, the Digital Invisible Ink Toolkit has a great analysis feature in which you decide which image to analyze, which algorithm to check (even all of them) and where to store the results. This tool is great for finding out what type of steganography has been used in a given image. The following image (click to make it bigger) shows the analysis section.

Another interesting way to hide information is through text. This technique consists in hiding information among ASCII characters. There are several ways to do that, such as hiding information in (a) spaces, (b) tabs and (c) punctuation marks. Spammimic is one of the best exponents of this technique. Finally, I conclude this absolutely non-exhaustive review of steganography tools with a website containing most of the stego tools out there.
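As an added example (not one of the tools listed in this post), here is a small detector for the whitespace technique just described, the kind of check a steganalysis pass over text files would run. The encoding scheme (8 trailing spaces or tabs per line, one character per bit) and the sample messages are constructed assumptions, and hide() exists only to build that sample.

```python
import re

TRAILING = re.compile(r"[ \t]+$")

def hide(cover_lines, message):
    """Build the constructed sample: append one byte of `message` to each
    line as 8 invisible characters, a space for bit 0 and a tab for bit 1."""
    assert len(cover_lines) >= len(message), "cover text too short"
    out = []
    for i, line in enumerate(cover_lines):
        if i < len(message):
            bits = format(message[i], "08b")
            line = line.rstrip() + "".join("\t" if b == "1" else " " for b in bits)
        out.append(line)
    return out

def detect(text):
    """Return (suspicious, hidden_bytes).

    Trailing whitespace is decoded only when its length is a multiple of 8;
    the text is flagged when at least two such lines exist and at least one
    of them contains a tab, which editors rarely leave at the end of prose."""
    payload = bytearray()
    encoded_lines = 0
    tab_seen = False
    for line in text.splitlines():
        m = TRAILING.search(line)
        if not m or len(m.group()) % 8:
            continue                      # no run, or not a whole number of bytes
        run = m.group()
        encoded_lines += 1
        tab_seen = tab_seen or "\t" in run
        for j in range(0, len(run), 8):
            bits = "".join("1" if c == "\t" else "0" for c in run[j:j + 8])
            payload.append(int(bits, 2))
    return encoded_lines >= 2 and tab_seen, bytes(payload)

# Constructed cover text. The second sample is clean apart from a sloppy run
# of three trailing spaces, which the detector ignores.
COVER = ["Dear colleague,", "please find attached the quarterly report.",
         "Regards,", "Alice"]
STEGO_TEXT = "\n".join(hide(COVER, b"key1"))
CLEAN_TEXT = "Dear colleague,   \nplease find attached the quarterly report.\nRegards,\nAlice"
```

`detect(STEGO_TEXT)` returns `(True, b"key1")`, while `detect(CLEAN_TEXT)` returns `(False, b"")`.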

Thursday, March 8, 2012

Where are the best engineers?

Hi folks, today I came across this interesting paper about the top-ranked engineers in the world. I found it very interesting since it "proved" exactly the opposite of my personal thoughts on this topic (which BTW is not focused on security at all), and for that reason I decided to post it here even if it is a totally off-topic post.

I don't know why, but in my mind I had always believed that the best engineers (obviously I am referring to computer engineers) were in universities. In my personal ranking list there were places like Stanford, MIT and Berkeley as the places where some of the top engineers were gathered. My logic was pretty clear: the best universities produce the best engineers, which means that the best universities tend to be surrounded by the best engineers. Well, I was wrong. The best engineers, like most people out there, are attracted by good working positions, which include (but are not limited to) good salaries, benefits and free time, and so they tend to "move out" of universities, which often (but not always) are not able to compete with big giants like Apple, Google, Oracle, Microsoft etc. According to this research, the top-ranked engineers work for companies and not for universities, as shown in the following fancy diagram.

Personally I think it is normal; as I said, universities often (but not always) cannot compete with the giants in terms of good job positions, so I don't need to say whether I agree or not. It is a statistic.

As you can see from the above diagram, Palantir seems to be the company with the top-ranked engineers. For sure Palantir's interview process is very hard and only a small percentage see "the end". This is not a surprise for me: Palantir works with "delicate" agencies such as secret services and high finance, so they surely need the top-ranked engineers. Surprisingly (for me), Dropbox engineers come in second place, while Google and Apple are respectively in 4th and 6th position. Honestly I expected to see Google and Apple at the top of this list. On the other side, the first universities in the list (with a score of 77) are Stanford University and MIT. Compared to the companies, they would be in 6th position, before Apple and Twitter. This makes me reflect a lot, specifically about European companies and universities...