publications

The Art of Software Security Testing: Identifying Software Security Flaws

Chris Wysopal, Luke Nelson, Dino Dai Zovi, Elfriede Dustin

Drawing on decades of experience in application and penetration testing, this book's authors can help you transform your approach from mere "verification" to proactive "attack." The authors begin by systematically reviewing the design and coding vulnerabilities that can arise in software, and offering realistic guidance in avoiding them. Next, they show you ways to customize software debugging tools to test the unique aspects of any program and then analyze the results to identify exploitable vulnerabilities.

  • Addison-Wesley Professional; 1st edition (December 10, 2006)
  • Order it at Amazon.com

Attacking Automatic Wireless Network Selection

Dino A. Dai Zovi, Shane Macaulay

Wireless 802.11 networking is becoming so prevalent that many users have become accustomed to having available wireless networks in their workplace, home, and many public places such as airports and coffee shops. Modern client operating systems implement automatic wireless network discovery and known network identification to facilitate wireless networking for the end-user. In order to implement known network discovery, client operating systems remember past wireless networks that have been joined and automatically look for these networks (referred to as Preferred or Trusted Networks) whenever the wireless network adapter is enabled. By examining these implementations in detail, we have discovered previously undisclosed vulnerabilities in the implementation of these algorithms under the two most prevalent client operating systems, Windows XP and Mac OS X. With custom base station software, an attacker may cause clients within wireless radio range to associate to the attacker's wireless network without user interaction or notification. This will occur even if the user has never connected to a wireless network before or has an empty Preferred/Trusted Networks List. We describe these vulnerabilities as well as their implementation and impact.
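The probing behaviour the abstract relies on, as an added example that is not the authors' base-station software: a client that remembers Preferred/Trusted networks sends a directed 802.11 Probe Request naming each one, so a base station that merely listens learns which SSIDs the client will join and can answer as any of them. The frames, client addresses and network names below are constructed inline; the specific Windows XP and Mac OS X flaws the paper reports (association with an empty preferred list) are not reproduced here.

```python
"""Probe-request harvesting, the listening half of a rogue access point.

Constructed example, not code from the paper.  Frames are built and parsed
inline so it runs offline.
"""
import struct
from typing import Dict, List, Optional, Set, Tuple

MGMT_TYPE = 0            # frame-control type field: management
PROBE_REQ_SUBTYPE = 4    # frame-control subtype field: Probe Request
IE_SSID = 0              # information element tag for the SSID
IE_SUPPORTED_RATES = 1
BROADCAST = b"\xff" * 6


def mac_str(mac: bytes) -> str:
    return ":".join(f"{b:02x}" for b in mac)


def build_probe_request(src: bytes, ssid: bytes, seq: int = 0) -> bytes:
    """Minimal Probe Request: 24-byte MAC header, then SSID and rates elements.
    An empty SSID is the wildcard probe, which names no network."""
    fc = bytes([(PROBE_REQ_SUBTYPE << 4) | (MGMT_TYPE << 2), 0x00])
    header = fc + b"\x00\x00" + BROADCAST + src + BROADCAST + struct.pack("<H", seq << 4)
    ssid_ie = bytes([IE_SSID, len(ssid)]) + ssid
    rates_ie = bytes([IE_SUPPORTED_RATES, 4, 0x82, 0x84, 0x8B, 0x96])  # 1/2/5.5/11 Mbps
    return header + ssid_ie + rates_ie


def parse_ies(body: bytes) -> List[Tuple[int, bytes]]:
    """Walk tag/length/value elements; stop at the first truncated element."""
    ies, i = [], 0
    while i + 2 <= len(body):
        tag, length = body[i], body[i + 1]
        value = body[i + 2 : i + 2 + length]
        if len(value) < length:
            break  # malformed or cut short: do not trust the remainder
        ies.append((tag, value))
        i += 2 + length
    return ies


def parse_probe_request(frame: bytes) -> Optional[Dict[str, object]]:
    """Return {'sa': ..., 'ssid': bytes} for a Probe Request, None for anything else."""
    if len(frame) < 24:
        return None
    fc0 = frame[0]
    if (fc0 >> 2) & 0x3 != MGMT_TYPE or (fc0 >> 4) & 0xF != PROBE_REQ_SUBTYPE:
        return None
    ssids = [v for t, v in parse_ies(frame[24:]) if t == IE_SSID]
    if not ssids:
        return None  # the SSID element is mandatory in a Probe Request
    return {"sa": mac_str(frame[10:16]), "ssid": ssids[0]}


def harvest_preferred_networks(frames: List[bytes]) -> Dict[str, Set[bytes]]:
    """What a passive base station learns: per client, the SSIDs it is looking for.
    Wildcard probes reveal no name, so that client is recorded with an empty set."""
    seen: Dict[str, Set[bytes]] = {}
    for frame in frames:
        req = parse_probe_request(frame)
        if req is None:
            continue
        names = seen.setdefault(req["sa"], set())
        if req["ssid"]:
            names.add(req["ssid"])
    return seen


def ssids_to_impersonate(frames: List[bytes]) -> Set[bytes]:
    """The rogue base station's target list: every network any client asked for."""
    return set().union(*harvest_preferred_networks(frames).values())


# Constructed traffic: laptop A probes for two remembered networks, phone B only
# sends a wildcard probe, and one frame is cut off inside its SSID element.
LAPTOP_A = bytes.fromhex("001122334455")
PHONE_B = bytes.fromhex("66778899aabb")
SAMPLE_FRAMES = [
    build_probe_request(LAPTOP_A, b"CorpWiFi", seq=1),
    build_probe_request(LAPTOP_A, b"HomeNet", seq=2),
    build_probe_request(PHONE_B, b"", seq=7),
    build_probe_request(LAPTOP_A, b"CorpWiFi", seq=3)[:30],
]

if __name__ == "__main__":
    for client, names in harvest_preferred_networks(SAMPLE_FRAMES).items():
        print(client, sorted(n.decode("utf-8", "replace") for n in names))
```

The truncated element check matters on a real radio: a base station that parses attacker-controlled frames is itself a target, so the walker stops rather than reading past the buffer. Only directed probes leak names; a client that sends nothing but wildcard probes gives the listener no SSID to impersonate, which is why the empty-preferred-list cases the paper describes needed a different flaw.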

Randomized Instruction Set Emulation To Disrupt Binary Code Injection Attacks

Gabriela Barrantes, David H. Ackley, Dino Dai Zovi, Stephanie Forrest, Trek S. Palmer, Darko Stefanovic

Many remote attacks against computer systems inject binary code into the execution path of a running program, gaining control of the program's behavior. If each defended system or program could use a machine instruction set that was both unique and private, such binary code injection attacks would become extremely difficult if not impossible. A binary-to-binary translator provides an economic and flexible implementation path for realizing that idea. As a proof of concept, we describe a randomized instruction set emulator (RISE) based on the open-source Valgrind x86-to-x86 binary translator. Although currently very slow and memory-intensive, our prototype RISE can indeed disrupt binary code injection attacks against a program without requiring its recompilation, linking, or access to source code. We describe the RISE implementation, give evidence demonstrating that RISE defeats common attacks, consider consequences of the dense x86 instruction set on the method's effects, and discuss limitations of the RISE prototype as well as design tradeoffs and extensions of the underlying idea.

Security Applications of Dynamic Binary Translation

Dino Dai Zovi

The last 13 years have seen a large number of serious computer security vulnerabilities. Some of the most pernicious of these vulnerabilities have been buffer overflow and format string vulnerabilities in widely used software applications. A number of Internet worms have exploited these vulnerabilities to infect target hosts. The first part of this work introduces a framework for understanding and describing attacks that dynamically inject machine code into a process and the vulnerabilities that enable these attacks. The techniques used in these attacks are described in detail. The second part of this work describes the application of dynamic binary translation, previously a technique primarily for dynamic optimization, to stopping and mitigating these sorts of attacks. The implementations of several known techniques using a dynamic binary translation system are described in detail. Finally, some conclusions about the applicability of dynamic binary translation to computer security are made.
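The idea shared by the two abstracts above (RISE and the dynamic binary translation thesis), as an added example that is not the RISE or Valgrind code: a loader XORs each byte of legitimate code with a per-process secret mask, and the emulator undoes that XOR on every fetch. Code injected by an attacker was never scrambled, so descrambling turns it into bytes the attacker did not choose. The five-opcode stack machine, the victim program and the payload are constructed here; x86 is not this sparse, which is the caveat the RISE abstract raises.

```python
"""Toy randomized instruction set emulation, in the spirit of RISE.

Constructed illustration, not code from the papers: a stack-machine emulator
whose fetch step descrambles each byte with a per-process key.
"""
import secrets
from typing import Optional

# Deliberately sparse toy ISA: five legal opcodes out of 256 byte values.
OP_PUSH, OP_ADD, OP_MUL, OP_RET, OP_SYSCALL = 0x10, 0x20, 0x21, 0x30, 0xF0
LEGAL_OPCODES = {OP_PUSH, OP_ADD, OP_MUL, OP_RET, OP_SYSCALL}


class IllegalInstruction(Exception):
    """Emulator trap: the fetched byte decodes to no instruction, or it faults."""


class PrivilegedOperation(Exception):
    """Stands in for the attacker's goal (e.g. a system call that spawns a shell)."""


def make_key(length: int) -> bytes:
    """Per-process mask: one fresh random byte per code byte, chosen at load time."""
    return secrets.token_bytes(length)


def scramble(code: bytes, key: bytes) -> bytes:
    """Loader step: the code as it sits in memory once randomized."""
    return bytes(c ^ k for c, k in zip(code, key))


def execute(memory: bytes, key: Optional[bytes] = None) -> int:
    """Fetch, descramble, dispatch.  key=None models an unprotected process."""
    def fetch(i: int) -> int:
        return memory[i] ^ (key[i] if key is not None else 0)

    stack, pc = [], 0
    try:
        while pc < len(memory):
            op = fetch(pc)
            if op == OP_PUSH:
                stack.append(fetch(pc + 1))
                pc += 2
            elif op == OP_ADD:
                stack.append(stack.pop() + stack.pop())
                pc += 1
            elif op == OP_MUL:
                stack.append(stack.pop() * stack.pop())
                pc += 1
            elif op == OP_RET:
                return stack.pop()
            elif op == OP_SYSCALL:
                raise PrivilegedOperation(f"syscall reached at pc={pc}")
            else:
                raise IllegalInstruction(f"byte 0x{op:02x} at pc={pc} is not an instruction")
    except IndexError:
        raise IllegalInstruction("fault: operand or stack access out of range")
    raise IllegalInstruction("execution ran off the end of the code")


def protected_run(program: bytes, key: bytes) -> int:
    """Normal operation: scrambled code plus the matching key behaves as the original."""
    return execute(scramble(program, key), key)


# Victim computes 2 + 3.  Offsets: PUSH at 0, PUSH at 2, ADD at 4, RET at 5.
PROGRAM = bytes([OP_PUSH, 2, OP_PUSH, 3, OP_ADD, OP_RET])
# Attacker's payload is written raw: the key is secret, so it cannot be pre-scrambled.
PAYLOAD = bytes([OP_SYSCALL])


def run_with_injection(program: bytes, key: Optional[bytes], payload: bytes, offset: int) -> int:
    """Load the program (scrambled when a key is given), overwrite code at `offset`
    with the attacker's raw bytes as a code-injection overflow would, then execute."""
    memory = bytearray(scramble(program, key) if key is not None else program)
    memory[offset:offset + len(payload)] = payload
    return execute(bytes(memory), key)


def injection_outcome(program: bytes, key: Optional[bytes], payload: bytes = PAYLOAD, offset: int = 4) -> str:
    """'compromised': payload ran as intended; 'trapped': descrambled to garbage and
    faulted; 'ran': descrambled to a legal but attacker-uncontrolled instruction."""
    try:
        run_with_injection(program, key, payload, offset)
        return "ran"
    except PrivilegedOperation:
        return "compromised"
    except IllegalInstruction:
        return "trapped"


def legal_fraction() -> float:
    """Chance that one descrambled payload byte is still an instruction in this ISA."""
    return len(LEGAL_OPCODES) / 256


if __name__ == "__main__":
    key = make_key(len(PROGRAM))
    print("legitimate result:", protected_run(PROGRAM, key))
    print("unprotected process:", injection_outcome(PROGRAM, None))
    print("randomized process:", injection_outcome(PROGRAM, key))
```

Two things the outcome strings make visible. First, the defence depends on the mask being secret and non-trivial: an all-zero key is no randomization at all. Second, even in this sparse ISA a descrambled payload byte is a legal opcode with probability 5/256 and is the attacker's intended opcode with probability 1/256 per byte; on x86, where almost every byte value begins some instruction, injected code usually keeps executing as garbage rather than trapping immediately, which is the dense-instruction-set effect the RISE abstract flags.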

SIND: A Framework for Binary Translation

Trek Palmer, Dino Dai Zovi, and Darko Stefanovic

Recent work with dynamic optimization in platform-independent, virtual machine based languages such as Java has sparked interest in the possibility of applying similar techniques to arbitrary compiled binary programs. Systems such as Dynamo, DAISY, and FX!32 exploit dynamic optimization techniques to improve performance of native or foreign architecture binaries. However, research in this area is complicated by the lack of openly licensed, freely available, and platform-independent experimental frameworks. SIND aims to fill this void by providing an easily extensible and flexible framework for research and development of applications and techniques of binary translation. Current research foci are dynamic optimization of running binaries and dynamic security augmentation and integrity assurance.

Kernel Rootkits

Dino Dai Zovi

Loadable Kernel Modules (LKMs) allow the running operating system kernel to be extended dynamically. Most modern UNIX-like systems, including Solaris, Linux, and FreeBSD, use or support loadable kernel modules. The facility offers more flexibility than the traditional method of recompiling the kernel to add new hardware support or functionality; new drivers or functionality can be loaded at any time. A loaded kernel module has the same capabilities as code compiled into the kernel. This gives loadable drivers a lot of flexibility and power. However, it also allows a maliciously written kernel module to subvert the entire operating system kernel.

  • SANS InfoSec Reading Room [ html ] [ pdf ]