SlideShare a Scribd company logo

Finding The Weak Link in Windows Binaries

Download as PPTX, PDF
Ollie Whitehouse
Ollie Whitehouse

The document discusses analyzing Windows binaries to identify weaknesses without access to debug symbols or source code. It describes checking the binaries for compiler/linker protections like ASLR, DEP, stack cookies; banned and dangerous API usage; .NET security settings; and defensive coding practices. The author then demonstrates their tool for performing this analysis on binaries, noting existing tools' limitations, and concludes some binaries may have lower defenses without symbol information.

Technology
1 of 44
Finding the Weak Link in Binaries Ollie Whitehouse
Agenda •What •Why •How •Conclusions
What?
What? Without debug symbols or source code identify Windows binaries that do not leverage the available defenses … easily and quickly
What? •OS provided defenses •Compiler provided defenses •Compiler enabled defenses •Linker enabled defenses •Developer enabled defenses •Developer secure coding practices
What? •Version of compiler / linker •Compiler / linker enabled protections • ASLR • DEP (NX) • Stack cookies • Safe Structured Exception Handling •Developer used defensive APIs • Heap corruption behavior, DEP policy • DLL planting, pointer encoding
What? •SDL banned APIs •Dangerous APIs • undermining compiler/linker protections •UAC / Integrity Level - Developer •.NET security - Developer • Unmanaged code • Strong names • Partially trusted callers
Why?
Why? - Defensive •A product == many vendors •e.g. Adobe Reader 10.0 == [guess?] •License != source code •License != private symbols •SDL assurance… • getting the free security features enabled •End user assurance / threat awareness • Understanding where you need EMET
Or put another way •A vendors SDL is not enough • doesn’t always flow upstream •A vendor who ships doesn’t assure • all third party components •End user organisations taking ownership • of risk • of mitigations
Why? - Offensive •Mitigations are expensive / difficult •Application specific bugs are expensive •Maximize research ROI •if your goal is to exploit •… find the weak link •… reduce headaches
Or put another way •IIS 7.5 FTP DoS •Chris Valasek / Ryan Smith school us • ‘Modern Heap Exploitation using the Low Fragmentation Heap’ •Achieved EIP • … still no win … ASLR • … try an minimize the need for info leaks … • … lets minimize the tears … • … unless you want to info leak to win …
How?
Version of Compiler / Linker •Linker version in the PE header •‘Rich’ header • Microsoft compiler specific • documented in 29a virus e-zine in 2004 • further documented in 2008 • embeds compiler IDs • XOR encoded
Version of Compiler / Linker
Version of Compiler / Linker •Version mapping exercise undertaken in January 2010 •Visual Studio 6 -> Visual Studio 2010 mapped •Why? •Missing compiler protections •Weaker compiler protections
Compiler / Linker Protections •ASLR compatibility – PE header •Data Execution Prevention – PE header * always on for 64bit no matter what
Compiler / Linker Protections •Stack Cookies – PE Header, Imports and Heuristics •imports • _crt_debugger_hook •heuristics – GS function epilogue / prologue • allows versioning • using FLIRT like signatures
Compiler / Linker Protections •SafeSEH – PE header (32bit only) •SEH == Structured Exception Handling
Compiler / Linker Protections •Load Configuration Directory size • If size of directory entry <> 64 then MS12- 001 • NOT the size field in the LCD! • Microsoft Visual C msvcr71.dll == 72 • Anything built with Microsoft Visual C++ .NET 2003 RTM •suprising amount of stuff
Default Process Heap •Default process heap executable •PE header
Shared Sections •Shared sections executable & writeable • PE header • would be mapped across processes
Defensive APIs •HeapSetInformation •HeapEnableTerminationOnCor ruption •SetProcessDEPPolicy •PROCESS_DEP_ENABLE •EncodePointer
Banned APIs •Microsoft SDL banned APIs •parse the Import Address Table •145 or them •indication of security awareness
Dangerous APIs •VirtualAlloc • doesn’t benefit from ASLR • if mapping pages executable == win • released VirtualAlloc_s.h at Recx •LoadLibrary • if DLL planting mitigations aren’t used
DLL / Executable Planting •Use of LoadLibrary / CreateProcess •But doesn’t use • SetDLLDirectory • SetDefaultDllDirectories • AddDllDirectory •There is also a registry key • … more on this later
UAC / Integrity Level •In the binaries manifest
.NET Security •Strong name checks •Allow partially trusted callers •AllowPartiallyTrustedCalle rsAttribute
.NET Security
Windows 8 Containers •New for Windows 8 •a new DLL characteristic •Manifest •detailing capabilities •… for more information refer to http://recxltd.blogspot.com/2012/03/wind ows-8-app-container-security-notes.html …
Miscellaneous •Force Integrity •Company •File Version resource section •Signer •Signature type
Existing tools…
Existing Tools – Looking Glass •from Errata Security • http://www.erratasec.com/ •.NET Based PE Scanner •Scans the file system or running processes •Limitations in checks (some) • No /SafeSEH • No /GS • No HeapSetInformation / SetProcessDEPPolicy
Existing Tools - BinScope •from Microsoft • http://www.microsoft.com/download/en/detai ls.aspx?id=11910 •Lots of checks • some of what I’ve discussed, but not all! •Some Extra • non-GS friendly initialization / coverage • ATL version and vulnerable check •Needs private symbols!
How I did it…
Demo
Beyond binaries •Defense in depth features via the registry •Needs installer teams buy-in •or after market adoption •Image Execution Options • MitigationOptions • CWDIllegalInDllSearch • DisableExceptionChainValidation
But…
Even with all these… we don’t mitigate vtable overwrites…
Bonus Material - ELF •Similar(ish) tool exists for ELF • readelf && a shell script (checksec.sh @ trapkit.de) •RPATH / RUNPATH • contained in a section of an ELF • can override library locations • path doesn’t exist and you can create == win
Summary / Conclusions
Summary / Conclusions •First pass binaries analysis doesn’t have to be rocket science •Help with assurance / assessment • for vendors and / or end organisations •Help with target identification • target lower hanging fruit • less SDL aware components •Without the use of symbols…
There is still more to do… Detect the use of the /sdl switch http://blogs.msdn.com/b/sdl/arc hive/2011/12/02/security.aspx
UK Offices Manchester - Head Office Cheltenham Edinburgh Leatherhead London Thame North American Offices San Francisco Chicago Atlanta New York Seattle Boston Australian Offices Sydney European Offices Amsterdam - Netherlands Munich – Germany Zurich - Switzerland Thanks! Questions? Ollie Whitehouse ollie.whitehouse@nccgroup.com

Recommended

CNIT 128 2. Analyzing iOS Applications (Part 1)
CNIT 128 2. Analyzing iOS Applications (Part 1)CNIT 128 2. Analyzing iOS Applications (Part 1)
CNIT 128 2. Analyzing iOS Applications (Part 1)
Sam Bowne
 
CNIT 128 6. Analyzing Android Applications (Part 1)
CNIT 128 6. Analyzing Android Applications (Part 1)CNIT 128 6. Analyzing Android Applications (Part 1)
CNIT 128 6. Analyzing Android Applications (Part 1)
Sam Bowne
 
Know Your Security Model
Know Your Security ModelKnow Your Security Model
Know Your Security Model
Mikhail Shcherbakov
 
CNIT 128 7. Attacking Android Applications (Part 3)
CNIT 128 7. Attacking Android Applications (Part 3)CNIT 128 7. Attacking Android Applications (Part 3)
CNIT 128 7. Attacking Android Applications (Part 3)
Sam Bowne
 
IntelliJ IDEA Architecture and Performance
IntelliJ IDEA Architecture and PerformanceIntelliJ IDEA Architecture and Performance
IntelliJ IDEA Architecture and Performance
intelliyole
 
CNIT 128 7. Attacking Android Applications (Part 2)
CNIT 128 7. Attacking Android Applications (Part 2)CNIT 128 7. Attacking Android Applications (Part 2)
CNIT 128 7. Attacking Android Applications (Part 2)
Sam Bowne
 
CNIT 128 8. Identifying and Exploiting Android Implementation Issues (Part 3)
CNIT 128 8. Identifying and Exploiting Android Implementation Issues (Part 3)CNIT 128 8. Identifying and Exploiting Android Implementation Issues (Part 3)
CNIT 128 8. Identifying and Exploiting Android Implementation Issues (Part 3)
Sam Bowne
 
Dos and Don'ts of Android Application Security (Security Professional Perspec...
Dos and Don'ts of Android Application Security (Security Professional Perspec...Dos and Don'ts of Android Application Security (Security Professional Perspec...
Dos and Don'ts of Android Application Security (Security Professional Perspec...
Bijay Senihang
 

Recommended

CNIT 128 2. Analyzing iOS Applications (Part 1)
CNIT 128 2. Analyzing iOS Applications (Part 1)CNIT 128 2. Analyzing iOS Applications (Part 1)
CNIT 128 2. Analyzing iOS Applications (Part 1)
Sam Bowne
 
CNIT 128 6. Analyzing Android Applications (Part 1)
CNIT 128 6. Analyzing Android Applications (Part 1)CNIT 128 6. Analyzing Android Applications (Part 1)
CNIT 128 6. Analyzing Android Applications (Part 1)
Sam Bowne
 
Know Your Security Model
Know Your Security ModelKnow Your Security Model
Know Your Security Model
Mikhail Shcherbakov
 
CNIT 128 7. Attacking Android Applications (Part 3)
CNIT 128 7. Attacking Android Applications (Part 3)CNIT 128 7. Attacking Android Applications (Part 3)
CNIT 128 7. Attacking Android Applications (Part 3)
Sam Bowne
 
IntelliJ IDEA Architecture and Performance
IntelliJ IDEA Architecture and PerformanceIntelliJ IDEA Architecture and Performance
IntelliJ IDEA Architecture and Performance
intelliyole
 
CNIT 128 7. Attacking Android Applications (Part 2)
CNIT 128 7. Attacking Android Applications (Part 2)CNIT 128 7. Attacking Android Applications (Part 2)
CNIT 128 7. Attacking Android Applications (Part 2)
Sam Bowne
 
CNIT 128 8. Identifying and Exploiting Android Implementation Issues (Part 3)
CNIT 128 8. Identifying and Exploiting Android Implementation Issues (Part 3)CNIT 128 8. Identifying and Exploiting Android Implementation Issues (Part 3)
CNIT 128 8. Identifying and Exploiting Android Implementation Issues (Part 3)
Sam Bowne
 
Dos and Don'ts of Android Application Security (Security Professional Perspec...
Dos and Don'ts of Android Application Security (Security Professional Perspec...Dos and Don'ts of Android Application Security (Security Professional Perspec...
Dos and Don'ts of Android Application Security (Security Professional Perspec...
Bijay Senihang
 
General introduction to intellij idea
General introduction to intellij ideaGeneral introduction to intellij idea
General introduction to intellij idea
Yusup
 
6. Analyzing Android Applications Part 2
6. Analyzing Android Applications Part 26. Analyzing Android Applications Part 2
6. Analyzing Android Applications Part 2
Sam Bowne
 
From Renamer Plugin to Polyglot IDE
From Renamer Plugin to Polyglot IDEFrom Renamer Plugin to Polyglot IDE
From Renamer Plugin to Polyglot IDE
intelliyole
 
Introduction to Windows 8 Development
Introduction to Windows 8 DevelopmentIntroduction to Windows 8 Development
Introduction to Windows 8 Development
Jeff Bramwell
 
Secure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopSecure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa Workshop
Paul Ionescu
 
Hacking Tizen : The OS of Everything - Nullcon Goa 2015
Hacking Tizen : The OS of Everything - Nullcon Goa 2015Hacking Tizen : The OS of Everything - Nullcon Goa 2015
Hacking Tizen : The OS of Everything - Nullcon Goa 2015
Ajin Abraham
 
Implementing application security using the .net framework
Implementing application security using the .net frameworkImplementing application security using the .net framework
Implementing application security using the .net framework
Lalit Kale
 
Ch 10: Hacking Web Servers
Ch 10: Hacking Web ServersCh 10: Hacking Web Servers
Ch 10: Hacking Web Servers
Sam Bowne
 
BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...
BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...
BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...
Aditya K Sood
 
iOS Application Penetation Test
iOS Application Penetation TestiOS Application Penetation Test
iOS Application Penetation Test
JongWon Kim
 
iOS Application Exploitation
iOS Application ExploitationiOS Application Exploitation
iOS Application Exploitation
Positive Hack Days
 
OWASP Melbourne - Introduction to iOS Application Penetration Testing
OWASP Melbourne - Introduction to iOS Application Penetration TestingOWASP Melbourne - Introduction to iOS Application Penetration Testing
OWASP Melbourne - Introduction to iOS Application Penetration Testing
eightbit
 
Developing On the IntelliJ Platform
Developing On the IntelliJ PlatformDeveloping On the IntelliJ Platform
Developing On the IntelliJ Platform
Yann Cébron
 
Extracting Credentials From Windows
Extracting Credentials From WindowsExtracting Credentials From Windows
Extracting Credentials From Windows
NetSPI
 
iOS Application Security
iOS Application SecurityiOS Application Security
iOS Application Security
Egor Tolstoy
 
How to Build Developer Tools on Top of IntelliJ Platform
How to Build Developer Tools on Top of IntelliJ PlatformHow to Build Developer Tools on Top of IntelliJ Platform
How to Build Developer Tools on Top of IntelliJ Platform
intelliyole
 
All You Need is One - A ClickOnce Love Story - Secure360 2015
All You Need is One - A ClickOnce Love Story - Secure360 2015All You Need is One - A ClickOnce Love Story - Secure360 2015
All You Need is One - A ClickOnce Love Story - Secure360 2015
NetSPI
 
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015
Ajin Abraham
 
Attack All the Layers - What's Working in Penetration Testing
Attack All the Layers - What's Working in Penetration TestingAttack All the Layers - What's Working in Penetration Testing
Attack All the Layers - What's Working in Penetration Testing
NetSPI
 
Defcon 25 Packet Hacking Village - Finding Your Way to Domain Access
Defcon 25 Packet Hacking Village - Finding Your Way to Domain AccessDefcon 25 Packet Hacking Village - Finding Your Way to Domain Access
Defcon 25 Packet Hacking Village - Finding Your Way to Domain Access
eightbit
 
NCC Group C Suite Cyber Security Advisory Services
NCC Group C Suite Cyber Security Advisory ServicesNCC Group C Suite Cyber Security Advisory Services
NCC Group C Suite Cyber Security Advisory Services
Ollie Whitehouse
 
From Problem to Solution: Enumerating Windows Firewall-Hook Drivers
From Problem to Solution: Enumerating Windows Firewall-Hook DriversFrom Problem to Solution: Enumerating Windows Firewall-Hook Drivers
From Problem to Solution: Enumerating Windows Firewall-Hook Drivers
Ollie Whitehouse
 

More Related Content

What's hot

General introduction to intellij idea
General introduction to intellij ideaGeneral introduction to intellij idea
General introduction to intellij idea
Yusup
 
6. Analyzing Android Applications Part 2
6. Analyzing Android Applications Part 26. Analyzing Android Applications Part 2
6. Analyzing Android Applications Part 2
Sam Bowne
 
From Renamer Plugin to Polyglot IDE
From Renamer Plugin to Polyglot IDEFrom Renamer Plugin to Polyglot IDE
From Renamer Plugin to Polyglot IDE
intelliyole
 
Introduction to Windows 8 Development
Introduction to Windows 8 DevelopmentIntroduction to Windows 8 Development
Introduction to Windows 8 Development
Jeff Bramwell
 
Secure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopSecure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa Workshop
Paul Ionescu
 
Hacking Tizen : The OS of Everything - Nullcon Goa 2015
Hacking Tizen : The OS of Everything - Nullcon Goa 2015Hacking Tizen : The OS of Everything - Nullcon Goa 2015
Hacking Tizen : The OS of Everything - Nullcon Goa 2015
Ajin Abraham
 
Implementing application security using the .net framework
Implementing application security using the .net frameworkImplementing application security using the .net framework
Implementing application security using the .net framework
Lalit Kale
 
Ch 10: Hacking Web Servers
Ch 10: Hacking Web ServersCh 10: Hacking Web Servers
Ch 10: Hacking Web Servers
Sam Bowne
 
BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...
BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...
BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...
Aditya K Sood
 
iOS Application Penetation Test
iOS Application Penetation TestiOS Application Penetation Test
iOS Application Penetation Test
JongWon Kim
 
iOS Application Exploitation
iOS Application ExploitationiOS Application Exploitation
iOS Application Exploitation
Positive Hack Days
 
OWASP Melbourne - Introduction to iOS Application Penetration Testing
OWASP Melbourne - Introduction to iOS Application Penetration TestingOWASP Melbourne - Introduction to iOS Application Penetration Testing
OWASP Melbourne - Introduction to iOS Application Penetration Testing
eightbit
 
Developing On the IntelliJ Platform
Developing On the IntelliJ PlatformDeveloping On the IntelliJ Platform
Developing On the IntelliJ Platform
Yann Cébron
 
Extracting Credentials From Windows
Extracting Credentials From WindowsExtracting Credentials From Windows
Extracting Credentials From Windows
NetSPI
 
iOS Application Security
iOS Application SecurityiOS Application Security
iOS Application Security
Egor Tolstoy
 
How to Build Developer Tools on Top of IntelliJ Platform
How to Build Developer Tools on Top of IntelliJ PlatformHow to Build Developer Tools on Top of IntelliJ Platform
How to Build Developer Tools on Top of IntelliJ Platform
intelliyole
 
All You Need is One - A ClickOnce Love Story - Secure360 2015
All You Need is One - A ClickOnce Love Story - Secure360 2015All You Need is One - A ClickOnce Love Story - Secure360 2015
All You Need is One - A ClickOnce Love Story - Secure360 2015
NetSPI
 
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015
Ajin Abraham
 
Attack All the Layers - What's Working in Penetration Testing
Attack All the Layers - What's Working in Penetration TestingAttack All the Layers - What's Working in Penetration Testing
Attack All the Layers - What's Working in Penetration Testing
NetSPI
 
Defcon 25 Packet Hacking Village - Finding Your Way to Domain Access
Defcon 25 Packet Hacking Village - Finding Your Way to Domain AccessDefcon 25 Packet Hacking Village - Finding Your Way to Domain Access
Defcon 25 Packet Hacking Village - Finding Your Way to Domain Access
eightbit
 

What's hot (20)

General introduction to intellij idea
General introduction to intellij ideaGeneral introduction to intellij idea
General introduction to intellij idea
 
6. Analyzing Android Applications Part 2
6. Analyzing Android Applications Part 26. Analyzing Android Applications Part 2
6. Analyzing Android Applications Part 2
 
From Renamer Plugin to Polyglot IDE
From Renamer Plugin to Polyglot IDEFrom Renamer Plugin to Polyglot IDE
From Renamer Plugin to Polyglot IDE
 
Introduction to Windows 8 Development
Introduction to Windows 8 DevelopmentIntroduction to Windows 8 Development
Introduction to Windows 8 Development
 
Secure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopSecure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa Workshop
 
Hacking Tizen : The OS of Everything - Nullcon Goa 2015
Hacking Tizen : The OS of Everything - Nullcon Goa 2015Hacking Tizen : The OS of Everything - Nullcon Goa 2015
Hacking Tizen : The OS of Everything - Nullcon Goa 2015
 
Implementing application security using the .net framework
Implementing application security using the .net frameworkImplementing application security using the .net framework
Implementing application security using the .net framework
 
Ch 10: Hacking Web Servers
Ch 10: Hacking Web ServersCh 10: Hacking Web Servers
Ch 10: Hacking Web Servers
 
BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...
BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...
BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...
 
iOS Application Penetation Test
iOS Application Penetation TestiOS Application Penetation Test
iOS Application Penetation Test
 
iOS Application Exploitation
iOS Application ExploitationiOS Application Exploitation
iOS Application Exploitation
 
OWASP Melbourne - Introduction to iOS Application Penetration Testing
OWASP Melbourne - Introduction to iOS Application Penetration TestingOWASP Melbourne - Introduction to iOS Application Penetration Testing
OWASP Melbourne - Introduction to iOS Application Penetration Testing
 
Developing On the IntelliJ Platform
Developing On the IntelliJ PlatformDeveloping On the IntelliJ Platform
Developing On the IntelliJ Platform
 
Extracting Credentials From Windows
Extracting Credentials From WindowsExtracting Credentials From Windows
Extracting Credentials From Windows
 
iOS Application Security
iOS Application SecurityiOS Application Security
iOS Application Security
 
How to Build Developer Tools on Top of IntelliJ Platform
How to Build Developer Tools on Top of IntelliJ PlatformHow to Build Developer Tools on Top of IntelliJ Platform
How to Build Developer Tools on Top of IntelliJ Platform
 
All You Need is One - A ClickOnce Love Story - Secure360 2015
All You Need is One - A ClickOnce Love Story - Secure360 2015All You Need is One - A ClickOnce Love Story - Secure360 2015
All You Need is One - A ClickOnce Love Story - Secure360 2015
 
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015
 
Attack All the Layers - What's Working in Penetration Testing
Attack All the Layers - What's Working in Penetration TestingAttack All the Layers - What's Working in Penetration Testing
Attack All the Layers - What's Working in Penetration Testing
 
Defcon 25 Packet Hacking Village - Finding Your Way to Domain Access
Defcon 25 Packet Hacking Village - Finding Your Way to Domain AccessDefcon 25 Packet Hacking Village - Finding Your Way to Domain Access
Defcon 25 Packet Hacking Village - Finding Your Way to Domain Access
 

Viewers also liked

NCC Group C Suite Cyber Security Advisory Services
NCC Group C Suite Cyber Security Advisory ServicesNCC Group C Suite Cyber Security Advisory Services
NCC Group C Suite Cyber Security Advisory Services
Ollie Whitehouse
 
From Problem to Solution: Enumerating Windows Firewall-Hook Drivers
From Problem to Solution: Enumerating Windows Firewall-Hook DriversFrom Problem to Solution: Enumerating Windows Firewall-Hook Drivers
From Problem to Solution: Enumerating Windows Firewall-Hook Drivers
Ollie Whitehouse
 
Designing and building post compromise recoverable services
Designing and building post compromise recoverable servicesDesigning and building post compromise recoverable services
Designing and building post compromise recoverable services
Ollie Whitehouse
 
Agile software security assurance
Agile software security assuranceAgile software security assurance
Agile software security assurance
Ollie Whitehouse
 
Smart grid in the Critical National Infrastructure
Smart grid in the Critical National InfrastructureSmart grid in the Critical National Infrastructure
Smart grid in the Critical National Infrastructure
Ollie Whitehouse
 
Threat Intelligence - Routes to a Proactive Capability
Threat Intelligence - Routes to a Proactive CapabilityThreat Intelligence - Routes to a Proactive Capability
Threat Intelligence - Routes to a Proactive Capability
Ollie Whitehouse
 
Secure App Aspirations: Why it is very difficult in the real world
Secure App Aspirations: Why it is very difficult in the real worldSecure App Aspirations: Why it is very difficult in the real world
Secure App Aspirations: Why it is very difficult in the real world
Ollie Whitehouse
 
Why defensive research is sexy too.. … and a real sign of skill
Why defensive research is sexy too.. … and a real sign of skillWhy defensive research is sexy too.. … and a real sign of skill
Why defensive research is sexy too.. … and a real sign of skill
Ollie Whitehouse
 
Securing your supply chain & vicarious liability (cyber security)
Securing your supply chain & vicarious liability (cyber security)Securing your supply chain & vicarious liability (cyber security)
Securing your supply chain & vicarious liability (cyber security)
Ollie Whitehouse
 
Countering the Cyber Threat
Countering the Cyber ThreatCountering the Cyber Threat
Countering the Cyber Threat
Ollie Whitehouse
 
Red Teaming and the Supply Chain
Red Teaming and the Supply ChainRed Teaming and the Supply Chain
Red Teaming and the Supply Chain
Ollie Whitehouse
 
Assuring the Security of the Supply Chain - Designing best practices for cybe...
Assuring the Security of the Supply Chain - Designing best practices for cybe...Assuring the Security of the Supply Chain - Designing best practices for cybe...
Assuring the Security of the Supply Chain - Designing best practices for cybe...
Ollie Whitehouse
 
NCC Group Pro-active Breach Discovery: Network Threat Assessment
NCC Group Pro-active Breach Discovery: Network Threat AssessmentNCC Group Pro-active Breach Discovery: Network Threat Assessment
NCC Group Pro-active Breach Discovery: Network Threat Assessment
Ollie Whitehouse
 
Practical Security Assessments of IoT Devices and Systems
Practical Security Assessments of IoT Devices and Systems Practical Security Assessments of IoT Devices and Systems
Practical Security Assessments of IoT Devices and Systems
Ollie Whitehouse
 
Technical Challenges in Cyber Forensics
Technical Challenges in Cyber ForensicsTechnical Challenges in Cyber Forensics
Technical Challenges in Cyber Forensics
Ollie Whitehouse
 
Cyber Incident Response & Digital Forensics Lecture
Cyber Incident Response & Digital Forensics LectureCyber Incident Response & Digital Forensics Lecture
Cyber Incident Response & Digital Forensics Lecture
Ollie Whitehouse
 
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
midnite_runr
 
Private sector cyber resilience and the role of data diodes
Private sector cyber resilience and the role of data diodesPrivate sector cyber resilience and the role of data diodes
Private sector cyber resilience and the role of data diodes
Ollie Whitehouse
 
Introduction to Advanced Persistent Threats (APT) for Non-Security Engineers
Introduction to Advanced Persistent Threats (APT) for Non-Security EngineersIntroduction to Advanced Persistent Threats (APT) for Non-Security Engineers
Introduction to Advanced Persistent Threats (APT) for Non-Security Engineers
Ollie Whitehouse
 

Viewers also liked (19)

NCC Group C Suite Cyber Security Advisory Services
NCC Group C Suite Cyber Security Advisory ServicesNCC Group C Suite Cyber Security Advisory Services
NCC Group C Suite Cyber Security Advisory Services
 
From Problem to Solution: Enumerating Windows Firewall-Hook Drivers
From Problem to Solution: Enumerating Windows Firewall-Hook DriversFrom Problem to Solution: Enumerating Windows Firewall-Hook Drivers
From Problem to Solution: Enumerating Windows Firewall-Hook Drivers
 
Designing and building post compromise recoverable services
Designing and building post compromise recoverable servicesDesigning and building post compromise recoverable services
Designing and building post compromise recoverable services
 
Agile software security assurance
Agile software security assuranceAgile software security assurance
Agile software security assurance
 
Smart grid in the Critical National Infrastructure
Smart grid in the Critical National InfrastructureSmart grid in the Critical National Infrastructure
Smart grid in the Critical National Infrastructure
 
Threat Intelligence - Routes to a Proactive Capability
Threat Intelligence - Routes to a Proactive CapabilityThreat Intelligence - Routes to a Proactive Capability
Threat Intelligence - Routes to a Proactive Capability
 
Secure App Aspirations: Why it is very difficult in the real world
Secure App Aspirations: Why it is very difficult in the real worldSecure App Aspirations: Why it is very difficult in the real world
Secure App Aspirations: Why it is very difficult in the real world
 
Why defensive research is sexy too.. … and a real sign of skill
Why defensive research is sexy too.. … and a real sign of skillWhy defensive research is sexy too.. … and a real sign of skill
Why defensive research is sexy too.. … and a real sign of skill
 
Securing your supply chain & vicarious liability (cyber security)
Securing your supply chain & vicarious liability (cyber security)Securing your supply chain & vicarious liability (cyber security)
Securing your supply chain & vicarious liability (cyber security)
 
Countering the Cyber Threat
Countering the Cyber ThreatCountering the Cyber Threat
Countering the Cyber Threat
 
Red Teaming and the Supply Chain
Red Teaming and the Supply ChainRed Teaming and the Supply Chain
Red Teaming and the Supply Chain
 
Assuring the Security of the Supply Chain - Designing best practices for cybe...
Assuring the Security of the Supply Chain - Designing best practices for cybe...Assuring the Security of the Supply Chain - Designing best practices for cybe...
Assuring the Security of the Supply Chain - Designing best practices for cybe...
 
NCC Group Pro-active Breach Discovery: Network Threat Assessment
NCC Group Pro-active Breach Discovery: Network Threat AssessmentNCC Group Pro-active Breach Discovery: Network Threat Assessment
NCC Group Pro-active Breach Discovery: Network Threat Assessment
 
Practical Security Assessments of IoT Devices and Systems
Practical Security Assessments of IoT Devices and Systems Practical Security Assessments of IoT Devices and Systems
Practical Security Assessments of IoT Devices and Systems
 
Technical Challenges in Cyber Forensics
Technical Challenges in Cyber ForensicsTechnical Challenges in Cyber Forensics
Technical Challenges in Cyber Forensics
 
Cyber Incident Response & Digital Forensics Lecture
Cyber Incident Response & Digital Forensics LectureCyber Incident Response & Digital Forensics Lecture
Cyber Incident Response & Digital Forensics Lecture
 
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
 
Private sector cyber resilience and the role of data diodes
Private sector cyber resilience and the role of data diodesPrivate sector cyber resilience and the role of data diodes
Private sector cyber resilience and the role of data diodes
 
Introduction to Advanced Persistent Threats (APT) for Non-Security Engineers
Introduction to Advanced Persistent Threats (APT) for Non-Security EngineersIntroduction to Advanced Persistent Threats (APT) for Non-Security Engineers
Introduction to Advanced Persistent Threats (APT) for Non-Security Engineers
 

Similar to Finding The Weak Link in Windows Binaries

Aleksei Dremin - Application Security Pipeline - phdays9
Aleksei Dremin - Application Security Pipeline - phdays9Aleksei Dremin - Application Security Pipeline - phdays9
Aleksei Dremin - Application Security Pipeline - phdays9
Alexey Dremin
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Denim Group
 
Alexey Sintsov- SDLC - try me to implement
Alexey Sintsov- SDLC - try me to implementAlexey Sintsov- SDLC - try me to implement
Alexey Sintsov- SDLC - try me to implement
DefconRussia
 
Kubernetes and container security
Kubernetes and container securityKubernetes and container security
Kubernetes and container security
Volodymyr Shynkar
 
Thick Application Penetration Testing - A Crash Course
Thick Application Penetration Testing - A Crash CourseThick Application Penetration Testing - A Crash Course
Thick Application Penetration Testing - A Crash Course
NetSPI
 
Reverse Engineering.pptx
Reverse Engineering.pptxReverse Engineering.pptx
Reverse Engineering.pptx
Sameer Sapra
 
Open Source License Compliance with AGL
Open Source License Compliance with AGLOpen Source License Compliance with AGL
Open Source License Compliance with AGL
Paul Barker
 
Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4
Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4
Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4
Qualcomm Developer Network
 
7.1. SDLC try me to implenment
7.1. SDLC try me to implenment7.1. SDLC try me to implenment
7.1. SDLC try me to implenment
defconmoscow
 
Thick Application Penetration Testing: Crash Course
Thick Application Penetration Testing: Crash CourseThick Application Penetration Testing: Crash Course
Thick Application Penetration Testing: Crash Course
Scott Sutherland
 
Diagnosing issues in your ASP.NET applications in production with Visual Stud...
Diagnosing issues in your ASP.NET applications in production with Visual Stud...Diagnosing issues in your ASP.NET applications in production with Visual Stud...
Diagnosing issues in your ASP.NET applications in production with Visual Stud...
Microsoft Developer Network (MSDN) - Belgium and Luxembourg
 
NSC #2 - D3 05 - Alex Ionescu- Breaking Protected Processes
NSC #2 - D3 05 - Alex Ionescu- Breaking Protected ProcessesNSC #2 - D3 05 - Alex Ionescu- Breaking Protected Processes
NSC #2 - D3 05 - Alex Ionescu- Breaking Protected Processes
NoSuchCon
 
Magento 2 Workflows
Magento 2 WorkflowsMagento 2 Workflows
Magento 2 Workflows
Ryan Street
 
What Does a Full Featured Security Strategy Look Like?
What Does a Full Featured Security Strategy Look Like?What Does a Full Featured Security Strategy Look Like?
What Does a Full Featured Security Strategy Look Like?
Precisely
 
Magento Security and Us
Magento Security and UsMagento Security and Us
Magento Security and Us
Lee Saferite
 
2019 devconfza - legacy js
2019 devconfza - legacy js2019 devconfza - legacy js
2019 devconfza - legacy js
William Brander
 
Implementing Trusted Endpoints in the Mobile World
Implementing Trusted Endpoints in the Mobile WorldImplementing Trusted Endpoints in the Mobile World
Implementing Trusted Endpoints in the Mobile World
LINE Corporation
 
Docker Containers Security
Docker Containers SecurityDocker Containers Security
Docker Containers Security
Stephane Woillez
 
Adding Security and Compliance to Your Workflow with InSpec
Adding Security and Compliance to Your Workflow with InSpecAdding Security and Compliance to Your Workflow with InSpec
Adding Security and Compliance to Your Workflow with InSpec
Mandi Walls
 
Security for devs
Security for devsSecurity for devs
Security for devs
Abdelrhman Shawky
 

Similar to Finding The Weak Link in Windows Binaries (20)

Aleksei Dremin - Application Security Pipeline - phdays9
Aleksei Dremin - Application Security Pipeline - phdays9Aleksei Dremin - Application Security Pipeline - phdays9
Aleksei Dremin - Application Security Pipeline - phdays9
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
 
Alexey Sintsov- SDLC - try me to implement
Alexey Sintsov- SDLC - try me to implementAlexey Sintsov- SDLC - try me to implement
Alexey Sintsov- SDLC - try me to implement
 
Kubernetes and container security
Kubernetes and container securityKubernetes and container security
Kubernetes and container security
 
Thick Application Penetration Testing - A Crash Course
Thick Application Penetration Testing - A Crash CourseThick Application Penetration Testing - A Crash Course
Thick Application Penetration Testing - A Crash Course
 
Reverse Engineering.pptx
Reverse Engineering.pptxReverse Engineering.pptx
Reverse Engineering.pptx
 
Open Source License Compliance with AGL
Open Source License Compliance with AGLOpen Source License Compliance with AGL
Open Source License Compliance with AGL
 
Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4
Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4
Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4
 
7.1. SDLC try me to implenment
7.1. SDLC try me to implenment7.1. SDLC try me to implenment
7.1. SDLC try me to implenment
 
Thick Application Penetration Testing: Crash Course
Thick Application Penetration Testing: Crash CourseThick Application Penetration Testing: Crash Course
Thick Application Penetration Testing: Crash Course
 
Diagnosing issues in your ASP.NET applications in production with Visual Stud...
Diagnosing issues in your ASP.NET applications in production with Visual Stud...Diagnosing issues in your ASP.NET applications in production with Visual Stud...
Diagnosing issues in your ASP.NET applications in production with Visual Stud...
 
NSC #2 - D3 05 - Alex Ionescu- Breaking Protected Processes
NSC #2 - D3 05 - Alex Ionescu- Breaking Protected ProcessesNSC #2 - D3 05 - Alex Ionescu- Breaking Protected Processes
NSC #2 - D3 05 - Alex Ionescu- Breaking Protected Processes
 
Magento 2 Workflows
Magento 2 WorkflowsMagento 2 Workflows
Magento 2 Workflows
 
What Does a Full Featured Security Strategy Look Like?
What Does a Full Featured Security Strategy Look Like?What Does a Full Featured Security Strategy Look Like?
What Does a Full Featured Security Strategy Look Like?
 
Magento Security and Us
Magento Security and UsMagento Security and Us
Magento Security and Us
 
2019 devconfza - legacy js
2019 devconfza - legacy js2019 devconfza - legacy js
2019 devconfza - legacy js
 
Implementing Trusted Endpoints in the Mobile World
Implementing Trusted Endpoints in the Mobile WorldImplementing Trusted Endpoints in the Mobile World
Implementing Trusted Endpoints in the Mobile World
 
Docker Containers Security
Docker Containers SecurityDocker Containers Security
Docker Containers Security
 
Adding Security and Compliance to Your Workflow with InSpec
Adding Security and Compliance to Your Workflow with InSpecAdding Security and Compliance to Your Workflow with InSpec
Adding Security and Compliance to Your Workflow with InSpec
 
Security for devs
Security for devsSecurity for devs
Security for devs
 

Recently uploaded

Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
SOFTTECHHUB
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
Aftab Hussain
 
Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1
DianaGray10
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
mikeeftimakis1
 
Mind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AIMind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AI
Kumud Singh
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
Matthew Sinclair
 
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with SlackLet's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
shyamraj55
 
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
Neo4j
 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
innovationoecd
 
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
SOFTTECHHUB
 
UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6
DianaGray10
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
Kari Kakkonen
 
UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5
DianaGray10
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Paige Cruz
 
How to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For FlutterHow to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For Flutter
Daiki Mogmet Ito
 
Serial Arm Control in Real Time Presentation
Serial Arm Control in Real Time PresentationSerial Arm Control in Real Time Presentation
Serial Arm Control in Real Time Presentation
tolgahangng
 
Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 daysPushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
Adtran
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
danishmna97
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
Alpen-Adria-Universität
 
Mariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceXMariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceX
Mariano Tinti
 

Recently uploaded (20)

Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
 
Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
 
Mind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AIMind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AI
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
 
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with SlackLet's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
 
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
 
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
 
UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
 
UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
 
How to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For FlutterHow to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For Flutter
 
Serial Arm Control in Real Time Presentation
Serial Arm Control in Real Time PresentationSerial Arm Control in Real Time Presentation
Serial Arm Control in Real Time Presentation
 
Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 daysPushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
 
Mariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceXMariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceX
 

Finding The Weak Link in Windows Binaries

  • 1. Finding the Weak Link in Binaries Ollie Whitehouse
  • 4. What? Without debug symbols or source code identify Windows binaries that do not leverage the available defenses … easily and quickly
  • 5. What? •OS provided defenses •Compiler provided defenses •Compiler enabled defenses •Linker enabled defenses •Developer enabled defenses •Developer secure coding practices
  • 6. What? •Version of compiler / linker •Compiler / linker enabled protections • ASLR • DEP (NX) • Stack cookies • Safe Structured Exception Handling •Developer used defensive APIs • Heap corruption behavior, DEP policy • DLL planting, pointer encoding
  • 7. What? •SDL banned APIs •Dangerous APIs • undermining compiler/linker protections •UAC / Integrity Level - Developer •.NET security - Developer • Unmanaged code • Strong names • Partially trusted callers
  • 9. Why? - Defensive •A product == many vendors •e.g. Adobe Reader 10.0 == [guess?] •License != source code •License != private symbols •SDL assurance… • getting the free security features enabled •End user assurance / threat awareness • Understanding where you need EMET
  • 10. Or put another way •A vendors SDL is not enough • doesn’t always flow upstream •A vendor who ships doesn’t assure • all third party components •End user organisations taking ownership • of risk • of mitigations
  • 11. Why? - Offensive •Mitigations are expensive / difficult •Application specific bugs are expensive •Maximize research ROI •if your goal is to exploit •… find the weak link •… reduce headaches
  • 12. Or put another way •IIS 7.5 FTP DoS •Chris Valasek / Ryan Smith school us • ‘Modern Heap Exploitation using the Low Fragmentation Heap’ •Achieved EIP • … still no win … ASLR • … try an minimize the need for info leaks … • … lets minimize the tears … • … unless you want to info leak to win …
  • 13. How?
  • 14. Version of Compiler / Linker •Linker version in the PE header •‘Rich’ header • Microsoft compiler specific • documented in 29a virus e-zine in 2004 • further documented in 2008 • embeds compiler IDs • XOR encoded
  • 16. Version of Compiler / Linker •Version mapping exercise undertaken in January 2010 •Visual Studio 6 -> Visual Studio 2010 mapped •Why? •Missing compiler protections •Weaker compiler protections
  • 17. Compiler / Linker Protections •ASLR compatibility – PE header •Data Execution Prevention – PE header * always on for 64bit no matter what
  • 18. Compiler / Linker Protections •Stack Cookies – PE Header, Imports and Heuristics •imports • _crt_debugger_hook •heuristics – GS function epilogue / prologue • allows versioning • using FLIRT like signatures
  • 19. Compiler / Linker Protections •SafeSEH – PE header (32bit only) •SEH == Structured Exception Handling
  • 20. Compiler / Linker Protections •Load Configuration Directory size • If size of directory entry <> 64 then MS12- 001 • NOT the size field in the LCD! • Microsoft Visual C msvcr71.dll == 72 • Anything built with Microsoft Visual C++ .NET 2003 RTM •suprising amount of stuff
  • 21. Default Process Heap •Default process heap executable •PE header
  • 22. Shared Sections •Shared sections executable & writeable • PE header • would be mapped across processes
  • 24. Banned APIs •Microsoft SDL banned APIs •parse the Import Address Table •145 or them •indication of security awareness
  • 25. Dangerous APIs •VirtualAlloc • doesn’t benefit from ASLR • if mapping pages executable == win • released VirtualAlloc_s.h at Recx •LoadLibrary • if DLL planting mitigations aren’t used
  • 26. DLL / Executable Planting •Use of LoadLibrary / CreateProcess •But doesn’t use • SetDLLDirectory • SetDefaultDllDirectories • AddDllDirectory •There is also a registry key • … more on this later
  • 27. UAC / Integrity Level •In the binaries manifest
  • 28. .NET Security •Strong name checks •Allow partially trusted callers •AllowPartiallyTrustedCalle rsAttribute
  • 30. Windows 8 Containers •New for Windows 8 •a new DLL characteristic •Manifest •detailing capabilities •… for more information refer to http://recxltd.blogspot.com/2012/03/wind ows-8-app-container-security-notes.html …
  • 31. Miscellaneous •Force Integrity •Company •File Version resource section •Signer •Signature type
  • 33. Existing Tools – Looking Glass •from Errata Security • http://www.erratasec.com/ •.NET Based PE Scanner •Scans the file system or running processes •Limitations in checks (some) • No /SafeSEH • No /GS • No HeapSetInformation / SetProcessDEPPolicy
  • 34. Existing Tools - BinScope •from Microsoft • http://www.microsoft.com/download/en/detai ls.aspx?id=11910 •Lots of checks • some of what I’ve discussed, but not all! •Some Extra • non-GS friendly initialization / coverage • ATL version and vulnerable check •Needs private symbols!
  • 35. How I did it…
  • 36. Demo
  • 37. Beyond binaries •Defense in depth features via the registry •Needs installer teams buy-in •or after market adoption •Image Execution Options • MitigationOptions • CWDIllegalInDllSearch • DisableExceptionChainValidation
  • 39. Even with all these… we don’t mitigate vtable overwrites…
  • 40. Bonus Material - ELF •Similar(ish) tool exists for ELF • readelf && a shell script (checksec.sh @ trapkit.de) •RPATH / RUNPATH • contained in a section of an ELF • can override library locations • path doesn’t exist and you can create == win
  • 42. Summary / Conclusions •First pass binaries analysis doesn’t have to be rocket science •Help with assurance / assessment • for vendors and / or end organisations •Help with target identification • target lower hanging fruit • less SDL aware components •Without the use of symbols…
  • 43. There is still more to do… Detect the use of the /sdl switch http://blogs.msdn.com/b/sdl/arc hive/2011/12/02/security.aspx
  • 44. UK Offices Manchester - Head Office Cheltenham Edinburgh Leatherhead London Thame North American Offices San Francisco Chicago Atlanta New York Seattle Boston Australian Offices Sydney European Offices Amsterdam - Netherlands Munich – Germany Zurich - Switzerland Thanks! Questions? Ollie Whitehouse ollie.whitehouse@nccgroup.com