Slashdot Mirror

← Back to Stories (view on slashdot.org)

Researchers Reverse-Engineer Dropbox, Cracking Heavily Obfuscated Python App

Posted by Soulskill on from the turns-out-it's-just-23,000-nested-if-statements dept.

rjmarvin writes "Two developers were able to successfully reverse-engineer Dropbox to intercept SSL traffic, bypass two-factor authentication and create open-source clients. They presented their paper, 'Looking inside the (Drop) box' (PDF) at USENIX 2013, explaining step-by-step how they were able to succeed where others failed in reverse-engineering a heavily obfuscated application written in Python. They also claimed the generic techniques they used could be applied to reverse-engineer other Frozen python applications: OpenStack, NASA, and a host of Google apps, just to name a few..."

39 of 242 comments (clear)

  1. Well, there goes Eve Online by Anonymous Coward · · Score: 3, Interesting

    Good thing I stopped playing the game.
    It's hosed now.

    1. Re:Well, there goes Eve Online by marcansoft · · Score: 4, Informative

      EVE doesn't use IronPython. It uses Stackless Python. And yes, it is possible to decompile the code, and it has been done in the past.

      http://evesupernerf.blogspot.co.uk/2012/05/decompiling-eve-client.html
      https://github.com/wibiti/evedec/blob/master/evedec.py

    2. Re:Well, there goes Eve Online by MBGMorden · · Score: 5, Funny

      And yes, it is possible to decompile the code, and it has been done in the past.

      Awesome. With any luck they'll get an alternative client working. Shouldn't be too hard to set it up as a plugin to Microsoft Excel.

      --
      "People who think they know everything are very annoying to those of us who do."-Mark Twain
    3. Re:Well, there goes Eve Online by Anonymous Coward · · Score: 5, Funny

      Awesome. With any luck they'll get an alternative client working. Shouldn't be too hard to set it up as a plugin to Microsoft Excel.

      You've already got a flight simulator, what more do you want??

    4. Re:Well, there goes Eve Online by Anonymous Coward · · Score: 5, Funny

      A spreadsheet simulat.... wait...

    5. Re:Well, there goes Eve Online by gweihir · · Score: 4, Insightful

      In addition, it uses Stackless Python on the _server_, not the client. Not affected by this thing at all, just some people that think word-associations make insights. Hint: They do not.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  2. Obfuscated python code? by You're+All+Wrong · · Score: 5, Insightful

    Sounds remarkably like security through obscurity to me. With the predictable outcome.

    You have no right to feel secure if you only think you're secure assuming noone else examines your source code.
    http://en.wikipedia.org/wiki/Kerckhoffs%27s_principle

    --
    Your head of state is a corrupt weasel, I hope you're happy.
    1. Re:Obfuscated python code? by odie5533 · · Score: 4, Insightful

      This sounds remarkably like security + obfuscation to me. The two are not necessarily mutually exclusive. If they had released it open source, one could argue that with more eyes reading the code they would be able to find and eliminate bugs or security issues. But this is not necessarily true. And they clearly did not want to release the software open source.

    2. Re:Obfuscated python code? by You're+All+Wrong · · Score: 5, Informative

      Reading the paper, googling for the debug hash, lead to this from 2012 which covers a lot of the same ground:

      http://archive.hack.lu/2012/Dropbox%20security.pptx
      "A critical analysis of Dropbox software security", Florian LEDOUX

      --
      Your head of state is a corrupt weasel, I hope you're happy.
    3. Re:Obfuscated python code? by epyT-R · · Score: 4, Insightful

      Actually, it's not dependent on whether the code is open or not. It's dependent on the design. If the design requires secret bits to stay hidden in the client, then open sourcing it would make it even more trivial to break, but with such designs, it would not matter whether it was open source or not. The huge library of cracked software out there speaks volumes to this.

    4. Re:Obfuscated python code? by six025 · · Score: 4, Interesting

      Sounds remarkably like security through obscurity to me. With the predictable outcome.

      You have no right to feel secure if you only think you're secure assuming noone else examines your source code.

      To what level do you take the paranoia, though?

      As early as 1984 (hah!) it has been known that a compiler could be developed in such a way as to produce binaries containing a back door:

      http://c2.com/cgi/wiki?TheKenThompsonHack

      The next level is CPU microcode. Where does it end? One day we can fab our own CPUs from Open Source designs ... but will that be enough?

      Peace,
      Andy.

    5. Re:Obfuscated python code? by black3d · · Score: 5, Insightful

      A lot of the commentators in this article are mentioning "security through obscurity" as if the fact it doesn't work long-term should be some revelation to the Dropbox team, or that Dropbox has somehow dropped the ball through using this method. It's an unfair stance to take, considering that outside of hardware based platforms like TPM, *ALL* client-side software security is at best security through obscurity.

      The only news here is that Dropbox is the latest fairly major player to have their client reverse-engineered. Obfuscation is merely a means of delaying the inevitable, and for all we know it has done it's job wonderfully. Plenty of other people may have tried to reverse-engineer the code before but gave up because of the complexity of the obfuscation. The fact that an 'adversary' has dedicated sufficient time and commitment to the effort is news to be sure, but the news shouldn't be turned into "Dropbox did a bad". Anyone with any reasonable experience in IT (which I'd hope most readers here have) should know by now that there are no means to secure software on a computer which someone has control of.

      --
      "The true measure of a person is how they act when they know they won't get caught." - DSRilk
    6. Re:Obfuscated python code? by aaaaaaargh! · · Score: 5, Insightful

      You're missing the point, which is that Dropbox did bad by obfuscating the code, because they should have made it Open Source right from the start and focus on selling their server-side hosting services. Keeping client code proprietary when it involves security and encryption of possibly confidential data is virtually always bad practise (outside the realm of embedded military applications using tamper-proof chips, perhaps).

    7. Re:Obfuscated python code? by Millennium · · Score: 4, Insightful

      "Always" is a strong word to use and speaks more of ideology than of reality.

      Not always.

    8. Re:Obfuscated python code? by Yaur · · Score: 3, Insightful

      The advantage of keeping client code closed is that you can make breaking API changes much more easily. If you have an open client and an open API you are stuck with them and you need to spend a lot more time making sure that they are correct and complete. With a client based on reverse engineering you have no right to be surprised when it suddenly breaks.

    9. Re:Obfuscated python code? by DigitAl56K · · Score: 4, Insightful

      You're missing the point, which is that Dropbox did bad by obfuscating the code, because they should have made it Open Source right from the start and focus on selling their server-side hosting services.

      Wrong.

      Sure, that's easy to say in hindsight, now that they have built an extremely well established business out of it and are the premiere brand in the space. If they had open sourced it right from the start then they would have all the client and client-server development costs on their plate, meanwhile Joe Shmoe could have come along and copied it, pointed it at his own servers, and took a substantial chunk of the business opportunity with much less investment overhead.

      In business you have to find a compromise between your ideals and reality. "Your ideals" perhaps not being the same as their ideals, either.

  3. Re:Python? Really? by epyT-R · · Score: 5, Informative

    even then, all it takes is someone versed in the assembly language of the platform your application runs on, a copy of IDA pro or something similar, and a few hours of his time. I know this is a bit of a lost art in today's world of python and javascript, but it's still valid.

  4. Re:Where is your god now? by Anonymous Coward · · Score: 5, Funny

    Better delete your dropbox-hosted /copporn

  5. Re:Doesn't the Dropbox EULA... by epyT-R · · Score: 4, Insightful

    Lawyers have trouble understanding that law doesn't dictate the limits of curiosity, greed, mathematics, or physics. If there is sufficient incentive, it WILL be cracked. In this case, I think they wanted to demonstrate that drop box is not secure. This should be a 'duh' experience for anyone in IT worth their salt.

  6. Wow, amazing. by RightSaidFred99 · · Score: 5, Funny

    They also claimed the generic techniques they used could be applied to reverse-engineer other Frozen python applications: OpenStack...

    Wow, they can reverse engineer OpenStack? That's amazing - what do they use, an obscure set of commands called "wget", "git", and "tar"?

  7. Re:Python? Really? by You're+All+Wrong · · Score: 4, Informative

    I hope your sarcasm is understood, it's a dangerous technique to use on the internet.

    However, there's an interesting twist to the pcode vs. native code dichotomy, from reverse engineering standpoint, as anyone who's well versed in the brain-mangling line noise that calls itself the IOCCC will know. One of the best obfuscations is to embed an interpreter into your code, and then do all the hard work in the bytecode.

    --
    Your head of state is a corrupt weasel, I hope you're happy.
  8. Trying to obfuscate python was never going to work by Anonymous Coward · · Score: 5, Funny

    They should have written it in perl.

  9. Waste of resources by xenobyte · · Score: 4, Insightful

    Why do so many developers waste time on obfuscation and other ways of hiding the source in scripting languages?

    Using utilities like IonCube to 'protect' PHP-code will never stop the dedicated people from reverse engineering the application or re-engineering it. I've seen that countless times. It is security-through-obscurity at best and it will prevent people from both fixing bugs and re-submitting the fixed code to the developers, and finding security issues from simple code reviewing.

    If developers of competing applications needs to steal code they're really crappy developers and whatever that makes their application unique will be equally crappy and thus not a threat.

    --
    "For every complex problem, there is a solution that is simple, neat, and wrong." -- H.L. Mencken (1880-1956) --
    1. Re:Waste of resources by cerberusss · · Score: 4, Interesting

      Using utilities like IonCube to 'protect' PHP-code will never stop the dedicated people from reverse engineering the application or re-engineering it.

      No, but it will stop support calls from clients that are the result of messing with the code.

      --
      8 of 13 people found this answer helpful. Did you?
    2. Re:Waste of resources by Anonymous Coward · · Score: 5, Funny

      To lock the crazy people inside.

    3. Re:Waste of resources by SJ · · Score: 5, Insightful

      Bad analogy.

      Code obfuscation is more akin to locking your door, and then hiding the key behind the pot plant.

    4. Re:Waste of resources by smash · · Score: 4, Informative

      Because if you can raise the bar in terms of effort required to be equal to, or more than just writing your own damn product, then you'll get less people freeloading off your development.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    5. Re:Waste of resources by Errol+backfiring · · Score: 3, Interesting

      Why do you paint bricks and fake keyholes on your door when you leave the house?

      There, fixed that for you. Obfuscation is more like dazzle painting. It works somewhat, but don't expect it to work well.

      --
      Nae king! Nae laird! Nae yurrupiean pressedent! We willna be fooled again!
  10. Re:Doesn't the Dropbox EULA... by epyT-R · · Score: 5, Interesting

    Why? If you're looking for the selfish angle, maybe he/they just wanted the notoriety. However, he/they might've just wanted to do a public service. Most people trust dropbox to be secure. Of course, slashdot users should all know better than to trust the 'cloud' for anything sensitive, but a way to get this info to people who would not otherwise know this is to make a splash about a successful pen-test.

    Lots of guys see it as a challenge; the digital equivalent of saying 'you can't have this.' Well, challenge accepted.

  11. Re:Python? Really? by davester666 · · Score: 4, Informative

    Been there. Done that.

    I believe it was EA that was doing that way back as part of their DRM for their Commodore 64 disk-based games. It would load the interpreter and a script, then execute the script [drawing it's fancy startup screens, checking for various bad sectors on their disk, over-writing parts of the script and interpreter, loading the game from various parts of the disk].

    --
    Sleep your way to a whiter smile...date a dentist!
  12. Insecure by design by nomaddamon · · Score: 5, Insightful

    The point of the article wasn't to crack it, it was to show that if something sounds insecure by design, it is insecure...

    DropBox allows you to "log in" to it's website via click in the application -> no credentials required. Therefore it must either store user credentials or some other secret(s) on client side (host_id and host_int in this case).

    Any process running under privileges accessible to you can be cracked (albeit sand-boxing, in which case you need system privileges) and it can't hide data from end-user / other processes in same privilege space (albeit sand-boxing....).
    They can make it more difficult though (extracting Bluray key from windows media player will take anyone at least a few days)

    More and more big companies think they can hide data on client side and be secure. Dropbox, Windows Live (LiveConnect) and numerous others are now relying on fast exchange of nonces in addition to client-side secret storing to make it secure "enough".. But breaking the nonce handshake and authenticating in programmatic fashion will add maybe 10% more cracking/programming effort on top of the regular cracking effort.

    TLDR: If it is insecure by design, it is insecure and no amount of obfuscation will help you....

    1. Re:Insecure by design by Anonymous Coward · · Score: 5, Informative

      http://en.wikipedia.org/wiki/Cryptographic_nonce

      It is a crypto term.

  13. Re:Doesn't the Dropbox EULA... by black3d · · Score: 5, Insightful

    How is Dropbox not secure? Do you mean the client you have control of isn't secure? That's all the article is speaking of - they haven't found a way to steal your data from Dropbox unless they already have a secret from your PC.

    In order to access your account, they need the secret host_id (which is generated per device and unique to that device) and host_int from your computer (although, if they already have host_id, they can get host_int from the server - so really, they only need host_id). Presuming they have access to your computer, they can use these keys to access your account. (ie, without actually having your password). If they already have access to your computer however - well, at this stage we're splitting hairs. Any software which stores your login credentials on your own computer is at best hiding an access method through obscurity.

    The only way to avoid this is to require you to enter your password each time you want to sync your files. Same with Google Drive. Same with .. every piece of software that stores login credentials on the client. Calling DropBox "insecure" when you actually mean "as secure as any client-side auto-login software can be" is a misnomer.

    --
    "The true measure of a person is how they act when they know they won't get caught." - DSRilk
  14. Re:Python? Really? by buchner.johannes · · Score: 3, Informative

    Use a non-compiled language, get what you deserve...

    Python is compiled, if you distribute *.pyc files only.

    --
    NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
  15. Re:Trying to obfuscate python was never going to w by Buchenskjoll · · Score: 5, Funny

    Yes, only with Perl would they be able to implement security through obscurity and open-source it at the same time.

    --
    -- Make America hate again!
  16. Trusting trust is busted by tepples · · Score: 3, Informative

    The "trusting trust" attack that you linked already has countermeasures. One by David A. Wheeler, called diverse double compiling, involves bootstrapping the compiler using several independently developed compilers for the same language and seeing whether they ultimately produce the same binary. Of course, these countermeasures are no help for a proprietary language such as the Pascal variant used by Delphi.

  17. Re:Python? Really? by Anonymous Coward · · Score: 5, Insightful

    If there's one thing I can't stand, it's language elitism. Look, the language you choose to write your application in is completely irrelevant. Programming languages are tools to help you solve problems and, unless you're a compiler writer or theoretician, aren't really all that interesting in and of themselves. If you think you're a better programmer than someone because of the language you've chosen rather than the types of problems you're able to solve and the quality of your solutions, then you've completely missed the point.

  18. Re:NANDputer by ColdWetDog · · Score: 5, Funny

    How do you know the machine building your CPU will not inject a backdoor in it?

    Because Kevin Horton's NANDputer was built by hand out of a pile of 74HC00 (quad 2-input NAND gate) ICs on a breadboard. There isn't enough room in any single 7400 to insert a backdoor.

    Hell, a breadboard full of 7400's is big enough to put in a real back door, complete with hinges.

    --
    Faster! Faster! Faster would be better!
  19. ecryptfs+Dropbox is a nice solution by Orp · · Score: 4, Informative

    I've always assumed that data on Dropbox wasn't very secure, which is why I was happy to find that ecryptfs works well with dropbox across multiple machines (assuming they are all running Linux). To wit:

    chinook: ~orp df /home/orp/e
    Filesystem          1K-blocks      Used Available Use% Mounted on
    /home/orp/Dropbox/e 491451392 129077764 361240528  27% /home/orp/e
    chinook: ~orp ls Dropbox/e
    ./
    ../
    ECRYPTFS_FNEK_ENCRYPTED.FWZS4gY2TLKRZUavoct.ewyb3LhUsTmtMCkw6-7kc4NR3-58yIKIxSsrgk--
    ECRYPTFS_FNEK_ENCRYPTED.FWZS4gY2TLKRZUavoct.ewyb3LhUsTmtMCkw9VkRKmwOO95LV0W1qwwNHk--/
    ECRYPTFS_FNEK_ENCRYPTED.FWZS4gY2TLKRZUavoct.ewyb3LhUsTmtMCkwKsqUWInaV2aVwzvhw6CcW---
    ECRYPTFS_FNEK_ENCRYPTED.FWZS4gY2TLKRZUavoct.ewyb3LhUsTmtMCkwOggoYf2PUQpQQmgJLHwIaU--/
    ECRYPTFS_FNEK_ENCRYPTED.FWZS4gY2TLKRZUavoct.ewyb3LhUsTmtMCkwQEdvushvgMYZ2uRpeRJ9EU--
    [etc]

    This works with the same partition mounted across multiple machines. Save a file to /home/orp/e, and it "magically" appears in its unencrypted form (name, content) on any other machine that was updated on Dropbox that has the encrypted partition mounted the same way. All dropbox ever sees is the encrypted stuff.

    The main disadvantage to this approach is that if you are trying to access files on a non-linux machine you are hosed; Lastpass and other password managers that have file encryption functionality can give you cross-platform encryption but not with the nice filesystem access that Dropbox provides.

    --
    A squid eating dough in a polyethylene bag is fast and bulbous, got me?