The Wallstreet of Windows Binaries

March 19, 2015 (at 4 p.m.) in Attack & Research

Nowadays common ways to find exploitable vulnerabilities include but are not limited to fuzzing, static and dynamic analysis and patch reversing. All common approaches have advantages and limits. Fuzzers tend to only find a limited number of bugs, depending on the sophistication of the fuzzer which is indirectly dependent on the development time invested. Reverse engineering a binary for finding bugs, regardless whether statically or with a debugger, is tedious and requires a lot of time and expertise. As we are lazy bastards, we refuse to do all the work by hand and brain. And, as we are greedy bastards, we want a maximum scope of vulnerabilities we can cover and not be limited to what we see from a fuzzers perspective. So as you know – in general the lazy greedy bastards have the better ideas. We present you with our idea, which is built after the model of the Wallstreet. We built a tool which weighs the value of a function in a Windows binary as the Wallstreet values a stock; the value telling us the likability of a function to be exploitable. The Wallstreet technique works with two different evaluation methods, for once the likability that a function is vulnerable and also the likability that it is exploitable. We collect indicators, which help us evaluate that a specific function is potentially vulnerable. Such could be a present memory allocation or conversion function, a lacking sanitization check or a suspicious pattern in the functionname such as 'create', 'convert' or 'set'. A combination of these and a handful more indicators lets us calculate what we call the speculation value.
For the validation of the exploitability we traverse the call tree of a suspicious candidate, to verify its accessibility in an automated way. Only functions which we can influence as an attacker are interesting for us; thus we rate these accessible functions with a price-to-earnings value. Finally putting speculation value and price-to-earnings value in context, we evaluate a function with either 'buy' if we believe it comes with an exploitable vulnerability, or with 'sell' when we are certain it is not interesting to us. No worries, the presentation will not contain advanced mathematical equations. Our tool parses binaries and persists all the gathered information to a database, from where we can retrieve highly suspicious functions in an automated way. Without getting our hands dirty, that is. And because we are lazy bastards who like colors, a lot, we use visuals to make evaluation even easier. The tool is dubbed Wallstreet, free after the most famous stock market on the planet. It is based on Python, C and SQLite and will be released under the WTFPL license (http://www.wtfpl.net/). Also, there will be demos :D Wrapping it up, this presentation shows an easy to use approach which makes the complicated topic of binary exploitation more accessible. Wallstreet of Windows Binaries provides beginners with better understanding of the challenges and practitioners with a hands-on tool.

Marion Marschalek

Marion Marschalek is a Security Researcher, focusing on the analysis of emerging threats and exploring novel methods of threat detection. Marion started her career within the anti-virus industry and also worked on advanced threat protection systems where she built a thorough understanding of how threats and protection systems work and how both occasionally fail. Next to that Marion teaches malware analysis at University of Applied Sciences St. Pölten and has presented at a number of international conferences, among others Blackhat, RSA, SyScan, hack.lu and Troopers. She also serves as a review board member for Black Hat Europe and was listed as one of Forbes’ "30 under 30" in the technology Europe division in 2016. Once year, Marion runs BlackHoodie, a reverse engineering workshop for women, in order to increase the number of femgineers in the field of low level technology.

Joseph Moti

Moti Joseph has been involved in computer security. In the last few years he has been working on reverse engineering exploit code and developing security products. Moti has been speaking at Black Hat Las Vegas 2007, CONF2009 & CONF2010 in Poland, POC 2009 & 2010 in South Korea, ShakaCon 2009 in USA, CHINA 2011 at Shanghai Jiao Tong University, NopCON 2012 in Istanbul and SysCan2010 Taiwan, Taipe. Also, Moti's work is so secret, he never publishes anything.

Twitter: @gamepe