Slashdot Mirror


Analyzing Binaries For Security Problems

Matt writes "At the last talk at BlackHat in Las Vegas, Greg Hoglund demonstrated a product for sale by his new company that analyzes binaries for security vulnerabilities. He showed the analysis of several commercial products, the results of which were shockingly insecure. This product should help end the debate of closed source or open source applications being more or less secure."

10 of 304 comments

  1. Presentation slides by bartc · · Score: 5, Informative

    You can get the slides of his presentation here:

    http://www.blackhat.com/presentations/bh-usa-03/bh-us-03-hoglund.pdf

  2. Re:Like the concept, but... by msgmonkey · · Score: 4, Informative

    Nope, the contract may say that you may not do this or that, and you could only be sued for breaking a contract.

    If it were illegal, i.e. there was a law against reverse engineering, benchmarking, etc., it would not be in the EULA.

    Also, just because something is in a contract doesn't make it legally binding if the clause breaks laws.

  3. obfuscation by doofusclam · · Score: 5, Informative

    I'd like to know exactly how it does this, considering how much of a mess compiled/optimised C++ code can look at an assembler level. It's also unlikely to be any use on a semi-compiled runtime, such as those used by Visual Basic, .NET etc., as the only 'code' is the runtime; the actual program is held in a data section.

  4. Rubbish... by MosesJones · · Score: 4, Informative
    So this analyses binaries and will find all issues where the code will halt and will exceed its resource requests, thus eliminating the need for testing...

    I call Snake Oil.

    For those who don't know about the Halting Problem or the Busy Beaver Problem, you should really know about what computers can or cannot do.

    I dare say these people have some basic pattern matching, but this is NOT a reason to stop testing.

    --
    An Eye for an Eye will make the whole world blind - Gandhi

  5. Re:Like the concept, but... by quigonn · · Score: 5, Informative

    Not in most parts of Europe. The copyright there explicitly permits disassembling and reverse engineering.

    --
    A monkey is doing the real work for me.

  6. Re:Hmm. by archeopterix · · Score: 5, Informative

    Indeed, even finding what code actually gets executed is by no means a simple task. Easy to follow from the main entry point of the executable? Not always. Some compilers/interpreters create tables of entry points for some functions, then call the functions via entries in the table. Moreover, the table doesn't have to be present in the executable, but can be created at runtime instead (calculated from offsets or something). That's only one of many problems with static analysis of machine code. I don't think their program does much more than scanning for a set of known patterns produced by a set of known compilers.

  7. Re:How does this thing really work? by leuk_he · · Score: 5, Informative

    How about checking the whitepaper?

    It tells how it works, and it also tells that it does not have the ability to smell at the data users provide.

    It just smells at the code, looks if it uses vulnerable calls like strcpy, and reports this. But it completely puzzles me how you can use the report to report "this is good" or "this is good enough" or "this is a piece of shit".

    Finding buffer overflows and other possible security vulnerabilities can be an immensely hard task when you actually _do_ have access to the source code. Also, the available compilers produce quite different assembly for the same code.

    This is the part they did right. They can analyze all kinds of assembly, also non-x86. (It does not produce C; they analyze function calls and backtrack them.) The problem is that it analyzes "compiled source code", but not the user input.

  8. Re:Like the concept, but... by t123 · · Score: 5, Informative

    Because this is /. and nobody RTFA

    Q: Does BugScan decompile programs?
    A: No. BugScan does analysis of assembly code and does not need to decompile the program.

    Q: Does BugScan "reverse engineer" programs?
    A: No. Reverse engineering is a process where a program or device is taken apart to understand how it works, generally for the purpose of reimplementing, complementing, or modifying a behavior of the system. BugScan doesn't try to understand how the program works, what algorithms it employs, or anything else. BugScan analyzes usage of known APIs and the dataflow to and from those APIs.
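As an added example (not from the article, the slides, or BugScan itself), the following Python script illustrates the kind of known-API usage scan that comments 7 and 8 describe, run over a constructed objdump-style listing; it also counts the indirect calls through registers and tables that comment 6 points out a static pattern scan cannot resolve. The listing, its addresses and the RISKY_APIS table are assumptions made for this demonstration.

```python
import re
from collections import Counter

# Constructed sample: an objdump-style listing (AT&T syntax) for a toy
# program. Function names, addresses and bytes are made up for illustration.
SAMPLE_LISTING = """\
0000000000401136 <copy_name>:
  401136:  55                   push   %rbp
  40113a:  e8 f1 fe ff ff       call   401030 <strcpy@plt>
  40113f:  e8 dc fe ff ff       call   401020 <printf@plt>
  401144:  e8 c7 fe ff ff       call   401010 <strncpy@plt>
0000000000401150 <dispatch>:
  401150:  ff d0                call   *%rax
  401152:  e8 e9 fe ff ff       call   401040 <sprintf@plt>
  401157:  ff 14 c5 20 40 40 00 call   *0x404020(,%rax,8)
"""

# Assumed watch-list: libc calls with no bounds check on their destination.
# A scanner of this kind flags the call site; it cannot see what data
# reaches the call at runtime.
RISKY_APIS = {
    "strcpy": "unbounded copy",
    "strcat": "unbounded concatenation",
    "sprintf": "unbounded formatted write",
    "vsprintf": "unbounded formatted write",
    "gets": "unbounded read from stdin",
}

FUNC_RE = re.compile(r"^[0-9a-f]+ <([\w.]+)>:\s*$")      # "0000401136 <name>:"
CALL_RE = re.compile(r"^\s*([0-9a-f]+):.*?\bcall\s+(\S.*)$")  # address + call operand
PLT_SYM_RE = re.compile(r"<(\w+)@plt>")                   # imported symbol name


def scan_listing(listing):
    """Walk the listing once, tracking the enclosing function.

    Returns (findings, indirect): findings are direct calls to a watched
    import as (function, address, api, reason); indirect are calls whose
    target is a register or memory operand, which this scan cannot resolve.
    """
    findings = []
    indirect = []
    current = None
    for line in listing.splitlines():
        m = FUNC_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = CALL_RE.match(line)
        if not m:
            continue
        addr, target = m.groups()
        if target.startswith("*"):
            # "call *%rax" / "call *table(,%rax,8)": target decided at runtime
            indirect.append((current, addr, target))
            continue
        sym = PLT_SYM_RE.search(target)
        if sym and sym.group(1) in RISKY_APIS:
            findings.append((current, addr, sym.group(1), RISKY_APIS[sym.group(1)]))
    return findings, indirect


def summarize(listing):
    """Aggregate the scan into the kind of numbers a report would show."""
    findings, indirect = scan_listing(listing)
    per_api = Counter(f[2] for f in findings)
    return {
        "risky_calls": len(findings),
        "per_api": dict(per_api),
        "functions_with_findings": sorted({f[0] for f in findings}),
        "unresolved_indirect_calls": len(indirect),
    }


if __name__ == "__main__":
    findings, indirect = scan_listing(SAMPLE_LISTING)
    for func, addr, api, reason in findings:
        print(f"{func}+{addr}: calls {api} ({reason})")
    for func, addr, target in indirect:
        print(f"{func}+{addr}: indirect call {target} (target unknown to static scan)")
    print(summarize(SAMPLE_LISTING))
```

On the constructed listing the scan flags the strcpy and sprintf call sites and leaves strncpy and printf alone, but it also reports two indirect calls whose targets it cannot name. Both halves of that output matter for a defender reading such a report: a flagged strcpy is a triage lead, not proof that attacker-controlled data reaches it, and an unresolved indirect call is a blind spot where a vulnerable import may be reached without ever appearing as a direct call.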

  9. Re:Like the concept, but... by BlueWonder · · Score: 5, Informative

    Not in most parts of Europe. The copyright there explicitly permits disassembling and reverse engineering.

    I don't know what you mean by most parts of Europe, but an EU directive makes disassembling and reverse engineering explicitly illegal. This directive must be made the law by all EU member countries, and already has by many.

  10. Re:Like the concept, but... by LarsG · · Score: 5, Informative

    an EU directive makes disassembling and reverse engineering explicitly illegal.

    Which directive? According to directive 91/250/EEC, reverse engineering is explicitly legal in the EU/EEC.

    --
    If J.K.R wrote Windows: Puteulanus fenestra mortalis!