Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Если нашлась одна ошибка — есть и другие. Один способ выявить «наследуемые» уязвимости

1,403 views

Published on

Ведущий: Асука Накадзима (Asuka Nakajima)

Практика повторного использования исходного кода позволяет сократить расходы на разработку программного обеспечения. Тем не менее, если в оригинальном исходном коде кроется уязвимость, она будет перенесена и в новое приложение. Докладчик расскажет о необычном способе обнаружения «наследуемых» уязвимостей в бинарных файлах без необходимости обращаться к исходному коду или символьным файлам.

Published in: Technology
  • Be the first to comment

Если нашлась одна ошибка — есть и другие. Один способ выявить «наследуемые» уязвимости

  1. 1. If You Find One, There are Probably More!: A Detection Method of “Reproduced” Vulnerability Asuka Nakajima @ Positive Hack Days VI
  2. 2. 1Copyright©2016 NTT corp. All Rights Reserved. NTT Confidential # whoami Asuka Nakajima - Researcher at NTT Secure Platform Laboratories - Vulnerability Discovery / Reverse Engineering Organizer of SECCON CTF - Thank you for playing SECCON CTF  Founder of “CTF for GIRLS” - The first security engineer community for woman in Japan
  3. 3. 2Copyright©2016 NTT corp. All Rights Reserved. NTT Confidential What is “reproduced” vulnerability ? Software 1 Software 2 Vulnerability which is copied to other source code or software for some reason Vulnerable part copy
  4. 4. 3Copyright©2016 NTT corp. All Rights Reserved. NTT Confidential Why it happens? Copy & Paste Source Code Sharing Fork Project Source A Source B Ctrl + C Ctrl + V
  5. 5. 4Copyright©2016 NTT corp. All Rights Reserved. NTT Confidential Why it happens? Copy & Paste Source Code Sharing Fork Project Source A Source B Ctrl + C Ctrl + V
  6. 6. 5Copyright©2016 NTT corp. All Rights Reserved. NTT Confidential The risk of reproduced vulnerability Software 1 Software 2 TIME Patch release date differs maximum 118days[1] vulnerable vulnerable Patch distribution for reproduced vulnerability New Vulnerability discovered Patch distributed Patch distributed vulnerable Attacker can analyze the patch & develop the exploit code for unpatched one [1] A. Nappa, R. Johnson, L. Bilge, J. Caballero, and T. Dumitraș, “The Attack of the Clones: A Study of the Impact of Shared Code on Vulnerability Patching,” in IEEE Symposium on Security and Privacy, San Jose, CA, 2015.
  7. 7. 6Copyright©2016 NTT corp. All Rights Reserved. NTT Confidential About the research Source code based approach? Can not be applied for proprietary software product ・ReDeBug[2] Detection method that targets binary executable is necessary [2] Jiyong Jang, Abeer Agrawal, and David Brumley,”ReDeBug: Finding Unpatched Code Clones in Entire OS Distributions”, In Proceedings of the 33rd IEEE Symposium on Security and Privacy, 2012
  8. 8. 7Copyright©2016 NTT corp. All Rights Reserved. NTT Confidential Previous Works TEDEM[3] Cross-Architecture Bug Search in Binary Executables - Represent the assembly codes (per basic block) as a S-expression (Tree structure) - Targets reproduced vulnerability which resides in different architecture - Basic Block I/O based similarity calculation - Uses tree edit distance to specify the reproduced vulnerability Can not detect reproduced vulnerability when some types of source code modification(add multiple lines, I/O Change) occurs [3] Jannik Pewny, Felix Schuster, Lukas Bernhard, Thorsten Holz, Christian Rossow, “Leveraging semantic signatures for bug search in binary programs”, Annual Computer Security Applications Conference , New Orleans, USA, December 2014. [4] Jannik Pewny, Behrad Garmany, Robert Gawlik, Christian Rossow, Thorsten Holz “Cross-Architecture Bug Search in Binary Executables”36th IEEE Symposium on Security and Privacy (Oakland), San Jose, May 2015.
  9. 9. 8Copyright©2016 NTT corp. All Rights Reserved. NTT Confidential Approach (Overview) Calculate the similarity between the assembly code by using similar string search algorithm Workflow push REG mov REG REG mov REG VAL call MEM ・・・ mov REG REG push REG mov REG REG push REG push REG mov REG MEM mov REG MEM lea REG MEM ・・・ Similarity Calculation Similarity 80% Same vulnerability? 1.Disassemble& Normalization 2.Similarity Calculation 3.Discriminate “patched” or “unpatched” Unpatched part Assembly Target Binary Assembly 4. Check Attack Vector Future Work
  10. 10. 9Copyright©2016 NTT corp. All Rights Reserved. NTT Confidential Approach 1.Disassemble& Normalization 2.Similarity Calculation Disassemble ※Example Normalization (Operand) ・Binary File(unpatched vuln) ・Target Binary File Different assembly(operand) will be generated even the source code is same※ VAL MEM REG Immediate val Memory Register Before After mov eax ecx mov REG REG 3.Discriminate “patched” or “unpatched” Original Copy shr rdx,1 lea rdi,[rdx+0x4] call 3f3d0 shr rdx,1 lea rdi,[rdx+0x4] call 41d630 Original Copy xor ebx, ebx add rsp, 38h mov eax, ebx pop rbx pop rbp pop r12 pop r13 retn xor r12d, r12d add rsp, 38h mov eax, r12d pop rbx pop rbp pop r12 pop r13 retn 1 2
  11. 11. 10Copyright©2016 NTT corp. All Rights Reserved. NTT Confidential Approach 1.Disassemble& Normalization 2.Similarity Calculation 3.Discriminate “patched” or “unpatched” Similarity Calculation push REG mov REG REG mov REG VAL call MEM ・・・ mov REG REG push REG mov REG REG push REG push REG mov REG MEM mov REG MEM lea REG MEM ・・・ Similarity Calculation Similarity N% Unpatched part Assembly Target Binary Assembly ・ Needleman-Wunsch (Semi-global alignment algorithm) →Apply “Affine Gap Penalty” Similar string search algorithm which is used in bioinformatics
  12. 12. 11Copyright©2016 NTT corp. All Rights Reserved. NTT Confidential Approach -Why Needleman-Wunsch?- Search similar region between two given strings LCS (Global Alignment) Smith-Waterman (Local Alignment) Needleman-Wunsch (Semi-Global Alignment) mov REG REG mov REG REG call MEM test REG REG push REG REG push REG REG call MEM test REG REG jmp MEM xor REG REG pop REG pop REG ・ ・ mov REG REG mov REG REG call MEM test REG REG push REG REG push REG REG call MEM test REG REG jmp MEM xor REG REG pop REG pop REG ・ ・ mov REG REG mov REG REG call MEM test REG REG mov REG REG push REG REG push REG REG call MEM test REG REG jmp MEM xor REG REG pop REG pop REG ・ String1 (source) String2 (dest) String1 (source) String2 (dest) String1 (source) String2 (dest) Search all similar part between two given string Search the region (in string2) that best matches to string1 1.Disassemble& Normalization 2.Similarity Calculation 3.Discriminate “patched” or “unpatched” Needleman-Wunsch is most suitable
  13. 13. 12Copyright©2016 NTT corp. All Rights Reserved. NTT Confidential Approach Similarity = 𝑺𝒄𝒐𝒓𝒆 𝒐𝒇 𝑴𝒐𝒔𝒕 𝑺𝒊𝒎𝒊𝒍𝒂𝒓 𝑷𝒂𝒓𝒕 𝑴𝒂𝒙𝒊𝒎𝒖𝒎 𝑺𝒄𝒐𝒓𝒆(𝑨𝒍𝒍 𝑴𝒂𝒕𝒄𝒉𝒆𝒅 𝑪𝒂𝒔𝒆) Needleman-Wunsch(Normal Gap) match +2point mismatch –2point gap –1point ■Match ■Mismatch ■Gap pop rax pop rax pop rax push rcx pop rax call rax pop rax Needleman-Wunsch (AffineGap) match +2point mismatch -2point open gap※ -3point extended gap -0.5point Score Calculation Distinct the Gap ※Open gap:The first gap of multiple gaps 1.Disassemble& Normalization 2.Similarity Calculation 3.Discriminate “patched” or “unpatched”
  14. 14. 13Copyright©2016 NTT corp. All Rights Reserved. NTT Confidential Approach Score Calculation 𝑠 𝑎𝑖 , 𝑏𝑗 = 𝑚𝑎𝑡𝑐ℎ 𝑖𝑓 𝑎𝑖 = 𝑏𝑗, 𝑚𝑖𝑠𝑚𝑎𝑡𝑐ℎ 𝑜𝑡ℎ𝑒𝑟𝑤𝑖𝑠𝑒. A → Unpatched Part Assembly Calculate ScoreMatrix X,Y, Z B → Target Binary Assembly 𝑋 = 𝑥𝑖𝑗 0 ≤ 𝑖 < 𝑀, 0 ≤ 𝑗 < 𝑁 𝑌= 𝑦𝑖𝑗 0 ≤ 𝑖 < 𝑀, 0 ≤ 𝑗 < 𝑁 𝑍 = 𝑧𝑖𝑗 0 ≤ 𝑖 < 𝑀, 0 ≤ 𝑗 < 𝑁 Matrix Calculation Formula 𝐴 = 𝑎1 𝑀 = 𝑎1, 𝑎2, 𝑎3 … 𝑎 𝑀 𝐵 = 𝑏1 𝑁 = 𝑏1, 𝑏2, 𝑏3 … 𝑏 𝑁 ※|A|=M,|B|=N 𝑗 𝑚𝑎𝑥= argmax 1≤𝑗≤𝑁 𝑥 𝑀𝑗 Calculate the similarity based on the max score of matrix X 1.Disassemble& Normalization 2.Similarity Calculation 3.Discriminate “patched” or “unpatched” 𝑥𝑖𝑗 = 0 𝑖𝑓 𝑖 = 0 𝑎𝑛𝑑 𝑗 ≠ 0 , 𝑖 × 𝑚𝑖𝑠𝑚𝑎𝑡𝑐ℎ 𝑖𝑓 𝑗 = 0, 𝑚𝑎𝑥 𝑥𝑖−1,𝑗−1 +𝑠 𝑎𝑖 , 𝑏𝑗 𝑜𝑡ℎ𝑒𝑟𝑤𝑖𝑠𝑒. 𝑦𝑖 ,𝑗 𝑧𝑖 ,𝑗 𝑦𝑖𝑗 = − ∞ 𝑖𝑓 𝑖 = 0, 0 𝑖𝑓 𝑗 = 0 𝑎𝑛𝑑 𝑖 ≠ 0, 𝑚𝑎𝑥 𝑦𝑖−1,𝑗 + 𝑒 𝑜𝑡ℎ𝑒𝑟𝑤𝑖𝑠𝑒. 𝑥𝑖−1,𝑗 + 𝑜 + 𝑒 𝑧𝑖𝑗 = 0 𝑖𝑓 𝑖 = 0 𝑎𝑛𝑑 𝑗 ≠ 0, −∞ 𝑖𝑓 𝑗 = 0, 𝑚𝑎𝑥 𝑧𝑖,𝑗−1 + 𝑒 𝑜𝑡ℎ𝑒𝑟𝑤𝑖𝑠𝑒. 𝑥𝑖,𝑗−1 + 𝑜 + 𝑒
  15. 15. 14Copyright©2016 NTT corp. All Rights Reserved. NTT Confidential Approach push REG mov REG REG mov REG REG call MEM mov REG REG mov REG REG mov REG REG push REG push REG mov REG REG mov REG REG call MEM Max Score 4.5 p Similarity 45% 𝟒. 𝟓 𝟏𝟎 ※all matched case 2p×5=10 = 45% 1.Disassemble& Normalization 2.Similarity Calculation 3.Discriminate “patched” or “unpatched” Unpatched Part Assembly Target Binary Assembly Matrix X Matrix Y Matrix Z
  16. 16. 15Copyright©2016 NTT corp. All Rights Reserved. NTT Confidential Approach Affine Gap penalty can mitigate the significant score drop due to the source code modification int main(int argc, char* argv[]){ if(argc !=2){ printf("Usage:%s <your name>¥n", argv[0]); return 1; } printf(“Argument:%d,%s¥n",argc,argv[1]); printf("Hello World! %s¥n", argv[1]); return 0; } push ebp mov ebp,esp and esp,0xfffffff0 sub esp,0x10 cmp DWORD PTR [ebp+0x8],0x2 je 0x8048448 <main+43> mov eax,DWORD PTR [ebp+0xc] mov eax,DWORD PTR [eax] mov DWORD PTR [esp+0x4],eax mov DWORD PTR [esp],0x8048520 call 0x80482f0 <printf@plt> mov eax,0x1 jmp 0x8048484 <main+103> mov eax,DWORD PTR [ebp+0xc] add eax,0x4 mov eax,DWORD PTR [eax] mov DWORD PTR [esp+0x8],eax mov eax,DWORD PTR [ebp+0x8] mov DWORD PTR [esp+0x4],eax mov DWORD PTR [esp],0x8048536 call 0x80482f0 <printf@plt> mov eax,DWORD PTR [ebp+0xc] add eax,0x4 mov eax,DWORD PTR [eax] mov DWORD PTR [esp+0x4],eax mov DWORD PTR [esp],0x8048546 call 0x80482f0 <printf@plt> mov eax,0x0 leave ret ■ Normal gap ■ Affine Gap Total36p 22×2 = 44 Total37.5p Adding 1L Source Code = Adding 8L Assembly Code 8 ×-1 = -8 22×2 = 44 1 ×-3 =-3 7×-0.5 =-3.5 1.Disassemble& Normalization 2.Similarity Calculation 3.Discriminate “patched” or “unpatched” Source Code Assembly
  17. 17. 16Copyright©2016 NTT corp. All Rights Reserved. NTT Confidential Approach Extract when Unpatched part(Sim①) > Patched part (Sim②) push REG mov REG REG mov REG VAL call MEM ・・・ push REG mov REG REG mov REG VAL call MEM ・・・ mov REG REG push REG mov REG REG push REG push REG mov REG MEM mov REG MEM lea REG MEM ・・・ Unpatched Part Assembly Patched Part Assembly Similarity Calculation① Similarity Calculation② Sim①:80% Sim②:55% Extract Target Binary Assembly 1.Disassemble& Normalization 2.Similarity Calculation 3.Discriminate “patched” or “unpatched” vulnerability candidate
  18. 18. 17Copyright©2016 NTT corp. All Rights Reserved. NTT Confidential Calculate the similarity between original and copied binary Vuln1 (CVE-2008-4314) Original Vuln2 (CVE-2008-5023) Original Vuln1 (CVE-2008-4314) Copy Vuln2 (CVE-2008-5023) Copy ?% Vuln1 (CVE-2008-4314) Original Vuln2 (CVE-2008-5023) Original ?% Dataset(432 binary) Ubuntu12.04 /bin,/usr/lib (x86-64/ELF) [GOAL] Evaluate the validity of the approach [score setting] Match2p, Mismatch -2p, Opengap-3p, Extendedgap-0.5p Experiment 1 [Overview] Calculate the similarity between original and dataset binary
  19. 19. 18Copyright©2016 NTT corp. All Rights Reserved. NTT Confidential Case1: CVE-2008-4316 (Source Code) g_base64_encode (const guchar *data,gsize len){ gchar *out; gint state = 0, outlen; gint save = 0; g_return_val_if_fail (data != NULL, NULL); g_return_val_if_fail (len > 0, NULL); out = g_malloc (len * 4 / 3 + 4); outlen = g_base64_encode_step (data, len, FALSE, out, &state, &save); outlen += g_base64_encode_close (FALSE, out + outlen, &state, &save); out[outlen] = '¥0'; return (gchar *) out; } seahorse_base64_encode (const guchar *data,gsize len){ gchar *out; gint state = 0, outlen; gint save = 0; out = g_malloc (len * 4 / 3 + 4); outlen = seahorse_base64_encode_step (data, len, FALSE, out, &state, &save); outlen += seahorse_base64_encode_close (FALSE,out + outlen,&state,&save); out[outlen] = '¥0'; return (gchar *) out; } 2 lines are deletedOriginal [Glib] Copy [Seahorse]
  20. 20. 19Copyright©2016 NTT corp. All Rights Reserved. NTT Confidential Case2: CVE-2008-5023 (Source Code) PRBool nsXBLBinding::AllowScripts(){ PRBool result; mPrototypeBinding->GetAllowScripts(&result); … nsCOMPtr<nsIDocument> ourDocument; mPrototypeBinding->XBLDocumentInfo()->GetDocument(getter_AddRefs(ourDocument)); PRBool canExecute; nsresult rv = mgr->CanExecuteScripts(cx, ourDocument->NodePrincipal(), &canExecute); return NS_SUCCEEDED(rv) && canExecute; } PRBool nsXBLBinding::AllowScripts(){ PRBool result; mPrototypeBinding->GetAllowScripts(&result); … nsCOMPtr<nsIDocument> ourDocument; mPrototypeBinding->XBLDocumentInfo()->GetDocument(getter_AddRefs(ourDocument)); nsIPrincipal* principal = ourDocument->GetPrincipal(); if (!principal) { return PR_FALSE; } PRBool canExecute; nsresult rv = mgr->CanExecuteScripts(cx, principal, &canExecute); return NS_SUCCEEDED(rv) && canExecute; } Original [Firefox] Copy [Seamonkey] 4 lines are added & 1 line is modified
  21. 21. 20Copyright©2016 NTT corp. All Rights Reserved. NTT Confidential Experiment 1 [Result] CVE-ID Original Copy Similarity (unpatched) Similarity (patched) Max similarity (Dataset) CVE- 2008-4316 Glib Seahorse 60.7% 11.5% 9.2% CVE- 2008-5023 Firefox Seamonkey 68.8% 38.0% 9.7% The extracted part was the copied vulnerable part Threshold should be around 20% Similarity between the dataset was maximum 9.7% Detected reproduced vulnerability in binary executables, even there was source code modification
  22. 22. 21Copyright©2016 NTT corp. All Rights Reserved. NTT Confidential Experiment 2 [Overview] 21 Vulnerabilities 40945 binary files CVE-2015-1635 CVE-2014-0301 CVE-2013-5058 CVE-2013-0030 CVE-2011-2005 CVE-2011-0658 CVE-2010-0816 ?% CVE-2010-0028 CVE-2008-4250 CVE-2008-4028 CVE-2007-1794 CVE-2007-0024 CVE-2006-4691 CVE-2006-0021 Windows XP. Windows Vista, Windows 7 Windows 8.1 Windows Server Virus Total(NSRL) [Score setting]match2p,mismatch-2p,opengap-3p,extendedgap-0.5p [Threshold] 20% CVE-2015-1793 CVE-2015-1790 CVE-2015-1789 CVE-2015-0292 CVE-2015-0288 CVE-2015-0287 CVE-2015-0286 14vulnerabilitiesfromWindows 7 vulnerabilitiesfromOpenSSL [GOAL] Detect reproduced vulnerability from real world software product
  23. 23. 22Copyright©2016 NTT corp. All Rights Reserved. NTT Confidential Details of the vulnerabilities 14 vulnerabilities from Windows CVE-ID Type of Vuln Function name File name CVE-2015-1635 Integer Over Flow UlpParseRange http.sys CVE-2014-0301 Double Free LoadJPEGImageNewBuffer qedit.dll CVE-2013-5058 Integer Over Flow RFONTOBJ::bTextExtent win32k.sys CVE-2013-0030 Buffer Over Flow SavePathSeg vgx.dll CVE-2011-2005 Memory error AfdJoinLeaf afd.sys CVE-2011-0658 Integer Under Flow _PictLoadMetaFileRaw oleaut32.dll CVE-2010-0816 Integer Over Flow CPOP3Transport::ResponseSTAT inetcomm.dll CVE-2010-0028 Integer Over Flow CBMPStream::Write mspaint.exe CVE-2008-4250 Buffer Over Flow sub_5925A26B netapi32.dll CVE-2008-4028 Buffer Under Flow SrvIssueQueryDirectoryRequest srv.sys CVE-2007-1794 Integer Under Flow CDownloadSink::OnDataAvailable vgx.dll CVE-2007-0024 Integer Over Flow CVMLRecolorinfo::InternalLoad vgx.dll CVE-2006-4691 Buffer Over Flow NetpManageIPCConnect netapi32.dll CVE-2006-0021 DoS IGMPRcvQuery tcpip.sys
  24. 24. 23Copyright©2016 NTT corp. All Rights Reserved. NTT Confidential Details of the vulnerabilities Collected unpatched & patched part which resides in single function CVE-ID Type of Vuln Function name File name CVE-2015-1793 Certificate forgery X509_verify_cert libeay32.dll CVE-2015-1790 DoS(Null pointer) PKCS7_dataDecode libeay32.dll CVE-2015-1789 DoS X509_cmp_time libeay32.dll CVE-2015-0292 Integer Underflow EVP_DecodeUpdate libeay32.dll CVE-2015-0288 DoS(Null pointer) X509_to_X509_REQ libeay32.dll CVE-2015-0287 DoS ASN1_item_ex_d2i libeay32.dll CVE-2015-0286 DoS ASN1_TYPE_cmp libeay32.dll 7 vulnerabilities from OpenSSL
  25. 25. 24Copyright©2016 NTT corp. All Rights Reserved. NTT Confidential Collected binary files Source # of files Virus Total(NSRL) 7580 Windows XP 3479 Windows Vista 6933 Windows 7 5981 Windows8.1 5048 Windows Server 2003 3984 Windows Server 2008 7940 Details of 40945 binary files
  26. 26. 25Copyright©2016 NTT corp. All Rights Reserved. NTT Confidential Experiment 2 [Result] Candidate of reproduced vulnerability CVE-ID Original Copy Similarity Result CVE-2008-4250 netapi32.dll (5.1.2600.2952) netlogon.dll (5.2.3790.1830) 37.7%  CVE-2011-0658 oleaut32.dll (5.2.3790.4202) olepro32.dll (6.1.7601.17514) 75.1%  Deadcode CVE-2015-1789 libeay32.dll (0.9.8.31) JunosPulseVpnBg.dll (1.0.0.206) 43.9%  CVE-2015-1793 libeay32.dll (1.0.1.15) JunosPulseVpnBg.dll (1.0.0.206) 39.0%  No attack vector
  27. 27. 26Copyright©2016 NTT corp. All Rights Reserved. NTT Confidential CVE-2008-4520 (MS08-067) Details - It was real case “reproduced” BoF vulnerability ! - [original] netapi32.dll [copy] netlogon.dll Original Copy → Vulnerabilitywhichwas usedby ConfickerWorm
  28. 28. 27Copyright©2016 NTT corp. All Rights Reserved. NTT Confidential CVE-2008-4520 (MS08-067) Distribution of patch Patch for netapi32.dll KB958644 Patch for netlogon.dll KB961853 Oct/2008 Jan/2009 TIME Patch distribution date differs three month a part 3 month
  29. 29. 28Copyright©2016 NTT corp. All Rights Reserved. NTT Confidential CVE-2011-0658 (MS11-038) Details - [original] oleaut32.dll [copy] olepro32.dll - Integer Underflow Vulnerability Vulnerable part was dead code(function forwarding) Original Copy
  30. 30. 29Copyright©2016 NTT corp. All Rights Reserved. NTT Confidential CVE-2015-1789 (OpenSSL) Details - [original] libeay32.dll [copy] JunosPulseVpnBg.dll - Used by “Windows In-Box Junos Pulse Client (VPN Client)”※ ※“Microsoft Windows 8.1 introduced Junos Pulse client as part of the Windows operating system. (Microsoft calls this an “in-box” application.)” [5] [5]Windows In-Box Junos Pulse Client Quick Start Guide https://www.juniper.net/techpubs/software/pulse/guides/j-pulse-windows-inbox-client-qsg.pdf - Originally used by Pulse Client
  31. 31. 30Copyright©2016 NTT corp. All Rights Reserved. NTT Confidential CVE-2015-1789 (OpenSSL) Original Copy
  32. 32. 31Copyright©2016 NTT corp. All Rights Reserved. NTT Confidential CVE-2015-1789 (OpenSSL) Pulse(Desktop) Client: Resolved in 5.0R13/5.1R5 (CVE-2015-1789) Vulnerable
  33. 33. 32Copyright©2016 NTT corp. All Rights Reserved. NTT Confidential CVE-2015-1789 (OpenSSL) Vulnerability Fixed Date Vulnerability Fixed (OpenSSL) Update Released (Pulse Secure) June/2015 Aug/2015 TIME Fixed date differs two month a part 2 month When I found the vulnerability July/2015
  34. 34. 33Copyright©2016 NTT corp. All Rights Reserved. NTT Confidential CVE-2015-1793 (OpenSSL) Details - Alternative Chain Certificate Forgery - [original] libeay32.dll [copy] JunosPulseVpnBg.dll Original Copy
  35. 35. 34Copyright©2016 NTT corp. All Rights Reserved. NTT Confidential CVE-2015-1793 (OpenSSL) “This issue does not affect Pulse Secure products as it only exists in very recent version of OpenSSL code that we do not utilize“
  36. 36. 35Copyright©2016 NTT corp. All Rights Reserved. NTT Confidential Conclusion & Future Work Conclusion - Proposed method can detect reproduced vulnerability in binary files, even there was source code modification - Found real world reproduced vulnerability ! Future Work - Consider the method which can find whether the attack vector exists or not - Consider the method which can detect reproduced vulnerability, which resides in multiple functions
  37. 37. nakajima.asuka@lab.ntt.co.jp Q&A

×