Slashdot Mirror

← Back to Stories (view on slashdot.org)

Analyzing Binaries For Security Problems

Posted by CowboyNeal on from the look-ma-no-source-code dept.

Matt writes "At the last talk at BlackHat in Las Vegas, Greg Hoglund demonstrated a product for sale by his new company that analyzes binaries for security vulnerabilities. He showed the analysis of several commercial products, the results of which were shockingly insecure. This product should help end the debate of closed source or open source applications being more or less secure."

13 of 304 comments (clear)

  1. Hmm. by Anonymous Coward · · Score: 5, Insightful

    Isn't it kind of strange how they make such big claims but present no actual evidence?

  2. At least the advantage with open source.... by jamieswith · · Score: 5, Insightful

    Is that, provided you have the ability, then you don't have to sit around and wait for someone else to fix the problems in the programs you use...

    Still, politics aside, perhaps with more applications like this freely available, perhaps more bugs will actually be fixed - rather than relying on security through obscurity - sitting tight and hoping no-one notices...

    Leave me alone! - I can dream can't I ??

  3. How does this thing really work? by wazlaf · · Score: 5, Insightful

    I can't imagine this program to work very well - finding buffer overflows and other possible security vulnerabilities can be an immensely hard task when you actually _do_ have access to the source code. Also, the available compilers produce quite different assembly for the same code. This just all sounds a little bit too good to be true...

    --
    Homepage
  4. Re:Binary vs open source by ftvcs · · Score: 3, Insightful

    Judging from the url, they don't have a lot of faith in open source software.

  5. when it sound too good to be true, it is. by nietsch · · Score: 5, Insightful
    from the faq:

    Q: Does BugScan make it easy for hackers to develop new attacks?

    A: No. The information BugScan gives optimizes a small part of the exploit development process, but it still requires a very skilled person to do the additional work to produce a working exploit. That being said, BugScan is used in HBGary's exploit development process, and some customers are using BugScan for similar purposes.

    Q: Does BugScan determine if a security coding error creates an exploitable vulnerability?

    A: No. While we are working to enable this kind of functionality in the product in response to customer demand, it is a difficult to determine with any amount of certainty if a problem detected is truly exploitable.


    So actually you will end up with a report that cannot mention if you are safe or not, and no way to change the application if you think you are.

    Snake oil. Very good against any kind of bugs, esp security bug whatever those may be.
    --
    This space is intentionally staring blankly at you
  6. Does it really work by Dexter77 · · Score: 5, Insightful

    The webpage says "report is created for each program identifying the specific locations of potential security vulnerabilities"

    All programmers know that high level languages create very large binary files. A small program that prints few lines written in Visual Basic, might take hundreds of kilobytes space. Hundreds of kilobytes might mean even millions of lines of assembly code.

    Let's take an example. The bugscan reports that there are bugs on lines 24.234, 93.234, 134.834, 342.234, 534.444, 767.835 and 822.511 out of 1.023.890 lines. The BugScan might even report that those lines are from abcd.dll, efgh.dll, ijkl.dll and aaaa.dll. Do you now feel reliefed? No, I didn't think so either. I mean that BugScan might be very useful on low level languages, but when there are ten layers of different libraries between your code and the machine code, I bet the usefulness is not that high.

    1. Re:Does it really work by BenjyD · · Score: 3, Insightful

      Exactly what I thought. I imagine things like inlining and other compiler optimisations might confuse things further.

      From looking at the report generated on Trillian (in the whitepaper on the site), most of what it seems to do is check for bad function calls (sprintf etc). I'm not sure who their target market is - not developers, as they can use automatic auditing tools on the source which would tell them more useful information.

  7. no... by Anonymous Coward · · Score: 4, Insightful

    "This product should help end the debate of closed source or open source applications being more or less secure"

    how so? who's to say *this* tool is an official measure of security? its *a* measure. and how would you actually do the comparison? that statement just doesn't make sense.

  8. It doesn't by i_really_dont_care · · Score: 4, Insightful

    Looks like a lot of hot air.

    The PDF presentation tells us things that we know already (buffer overflow, race conditions, whatever).

    Two screenshots show debuggers and disassemblers. Another screenshot shows the "analysis results" of the "tool": "wsprintf: This function is insecure, use another function." Even this info is useless, because wsprintf is insecure only if it is used the wrong way, and I bet the "tool" doesn't check that. Besides, everyone uses std::string these days (or at least should do so).

    It's also worth to note that about every University in the world has one or more groups working on topics like "automatic code verification", "code path analysis" and other things. This stuff is nowhere rocket science, but there's a lot to happen until it will go usable by the mainstream of developers.

  9. Re:There are fundamental limits to this stuff by Anonymous Coward · · Score: 5, Insightful

    The halting problem isn't NP-complete (that would be bad but not that bad) but actually intractable -- it can be proved that you can't solve it at all, in general.

    Which indeed does not mean that you can't make interesting inroads using a suitable tool that calls your attention to problematic areas in code.

  10. Open Source rules by gonvaled · · Score: 3, Insightful

    Security problems are often inteoperation issues. You can make sure a program is bug free, but this will not guarantee that your program is not going to fail if the rest of the pieces are not functionning properly. To analyze the interconnections, Open Source is required.

  11. Re:Nice double edged tool by kinnell · · Score: 4, Insightful
    If this can be used to detect for example buffer overflows than does n't it also help speed up a crackers turn around rate?

    All the more reason for companies to buy this product - if crackers can find the bugs easily using this program, it's much more important that the developers do to.

    --
    If I seem short sighted, it is because I stand on the shoulders of midgets
  12. Re:Like the concept, but... by BlackHawk-666 · · Score: 4, Insightful
    Compiled code has been used intentionally by programmers as a sort of encryption/stenography

    Speaking as a programmer I can say this is a load of horse pucky. Firstly, if we wanted to use encryption, we would simply use encryption. Secondly, stenograhpy is deliberating hiding information within outher information, but that's not what compiled code is doing. Sheesh, I can't believe anyone modded this crap up.

    Code is actually compiled from human readable form (text, source code, ASM) into a binary form that may be loaded and executed by the computer. This process is not designed to obscure it from humans, but make it readable by computers. Since any decent decompiler can take that binary and get a working (or mostly working) set of source from it (just not the same as the original, and usually only in assembler) it makes both a lousy form of encryption and steganography.

    --
    All those moments will be lost in time, like tears in rain.