Analysing binaries of programs for security vulnerabilities is extremely important when they are used in critical applications. Since computers execute binaries, not source code, analysing binaries gives more truthful results compared to analysing source code. However, binary analysis is challenging task, particularly due to the lack of higher-level semantics information such as type information in the binaries.
This challenge aims at developing a software application that analyses security vulnerabilities in 64-bit linux binaries.
The following templates that indicate security vulnerabilities should be identified
Decryption loop in a polymorphic virus/binary – In malicious binary, decryption loops may appear (may search for email addresses in a user’s mail folder or may decrypt the contents of the .rodata or .text section in ELF binaries). For example, figure below demonstrates a possible decryption loop.
The decryption loop generally starts at two constant address denoted by register rax and rbx indicates in the figure. The challenge is to find this kind of decryption loop in the binary.
- Buffer overflow vulnerability – In malicious binary or binary (where secure coding rules are not followed), when a program writing data to a buffer, overruns the buffer’s boundary and overwrites adjacent memory location and user can execute any unwanted code by properly crafting the buffer. The challenge is to track the tainted memory locations (when a register or a memory location is getting affected by the user input; called as tainted locations) in the binary which may cause buffer overflow.
- Format string vulnerability – This vulnerability occurs from the use of unchecked user input as the format string parameter in certain C (like all printf family, syslog etc.) functions which performs formatting. A malicious user may use the %x format token, or others, to print data from the call stack or possibly other locations in memory. One may also write arbitrary data to arbitrary locations using the %n format token, which printf() family write the number of bytes formatted to an address stored on the stack. The challenge is to do taint analysis in all the functions in the binary for possible vulnerability.
List of Tools that may be used for development of the software – i) Objdump, ii) Gdb, iii) strace
Target system – x86_64 Linux
The challenge is to develop an software application which may use the above mentioned tools and perform the taint analysis on the input executable. The command may be developed as
Cbinana <input program> -o <Taint analysis report>. If –o option is not given, the output will be on stdout.
- ERESI – The ELF reverse engineering system interface
- Exploiting Format String Vulnerabilities by teso team
- Smashing The Stack For Fun And Profit by Aleph one
Sample data: Yes; Contact Shri A.K. Bhattacharya, firstname.lastname@example.org