• Home

  • Documents

  • State of Windows Application Security - Pwn2Own · Example:Panda Internet Security...
28
State of Windows Application Security: Shared Libraries

State of Windows Application Security - Pwn2Own · Example:Panda Internet Security \Pandasecuritytb\dtuser.exe •Elevation policy with silent Medium IL •Run arbitrary command dtuser.exerunappasadmincalc.exe

  • Upload
    others

  • View
    2

  • Download
    0

Embed Size (px)

Citation preview

Page 1: State of Windows Application Security - Pwn2Own · Example:Panda Internet Security \Pandasecuritytb\dtuser.exe •Elevation policy with silent Medium IL •Run arbitrary command dtuser.exerunappasadmincalc.exe

StateofWindowsApplicationSecurity:SharedLibraries

Page 2: State of Windows Application Security - Pwn2Own · Example:Panda Internet Security \Pandasecuritytb\dtuser.exe •Elevation policy with silent Medium IL •Run arbitrary command dtuser.exerunappasadmincalc.exe

Aboutthespeaker

• Previouslyasoftwaredeveloper• Chromiumbasedbrowserwithsecurityfeatures

• JoinedTencent in2014• Securityresearcher• XuanwuLabresearchesrealworldsecurityproblems

• CanSecWest 2016speaker• QCon 2016speaker

Page 3: State of Windows Application Security - Pwn2Own · Example:Panda Internet Security \Pandasecuritytb\dtuser.exe •Elevation policy with silent Medium IL •Run arbitrary command dtuser.exerunappasadmincalc.exe

Previously…

• AtCanSecWest 2016• 55%ofpopularAV’scanbeexploitedtoescapebrowsersandbox• Reportedandfixed…hopefully

Page 4: State of Windows Application Security - Pwn2Own · Example:Panda Internet Security \Pandasecuritytb\dtuser.exe •Elevation policy with silent Medium IL •Run arbitrary command dtuser.exerunappasadmincalc.exe

BrowserSandboxes… Whatisitfor?

• Itcontainsthedamageofthecodeexecutionexploits• Makeitmuchharderforexploitstogainhigherprivileges

Page 5: State of Windows Application Security - Pwn2Own · Example:Panda Internet Security \Pandasecuritytb\dtuser.exe •Elevation policy with silent Medium IL •Run arbitrary command dtuser.exerunappasadmincalc.exe

SandboxWhitelist:ElevationPolicy

BrowserRenderer

BrowserBroker ElevationPolicyMedium

IntegrityLevelProcess

SecurityBoundary

LowIntegrityLevelProcess

Page 6: State of Windows Application Security - Pwn2Own · Example:Panda Internet Security \Pandasecuritytb\dtuser.exe •Elevation policy with silent Medium IL •Run arbitrary command dtuser.exerunappasadmincalc.exe

Example: PandaInternetSecurity

\Pandasecuritytb\dtuser.exe

• ElevationpolicywithsilentMediumIL• Runarbitrarycommand

dtuser.exe runappasadmin calc.exe

• Copyarbitraryfiledtuser.exe copyfile <origin> <target>

Page 7: State of Windows Application Security - Pwn2Own · Example:Panda Internet Security \Pandasecuritytb\dtuser.exe •Elevation policy with silent Medium IL •Run arbitrary command dtuser.exerunappasadmincalc.exe

Howtodetectitautomatically?

Page 8: State of Windows Application Security - Pwn2Own · Example:Panda Internet Security \Pandasecuritytb\dtuser.exe •Elevation policy with silent Medium IL •Run arbitrary command dtuser.exerunappasadmincalc.exe

ProjectA'Tuin

• Automatedinstallation• Detectinsecurecharacteristicsandbehaviors• Providesearchableresults

Crawl Install TriggerBehavior Log

ClusterOfflineComputation

FrontendInterface

Page 9: State of Windows Application Security - Pwn2Own · Example:Panda Internet Security \Pandasecuritytb\dtuser.exe •Elevation policy with silent Medium IL •Run arbitrary command dtuser.exerunappasadmincalc.exe

ProjectA'Tuin

Page 10: State of Windows Application Security - Pwn2Own · Example:Panda Internet Security \Pandasecuritytb\dtuser.exe •Elevation policy with silent Medium IL •Run arbitrary command dtuser.exerunappasadmincalc.exe

Example:PandaInternetSecurity

Page 11: State of Windows Application Security - Pwn2Own · Example:Panda Internet Security \Pandasecuritytb\dtuser.exe •Elevation policy with silent Medium IL •Run arbitrary command dtuser.exerunappasadmincalc.exe

DiversityisInstallers’Strength

Page 12: State of Windows Application Security - Pwn2Own · Example:Panda Internet Security \Pandasecuritytb\dtuser.exe •Elevation policy with silent Medium IL •Run arbitrary command dtuser.exerunappasadmincalc.exe

Automated installation

• Searchesalltoplevelwindowscreatedbytheinstaller• Inallscreenareacoveredbyrecordedwindows,findpolygonsthathasthelargestareaandhighestcontrastratio• Simulateinputtoscreenareainsidethepolygon• Successrate95%+,specialcasetherest

Page 13: State of Windows Application Security - Pwn2Own · Example:Panda Internet Security \Pandasecuritytb\dtuser.exe •Elevation policy with silent Medium IL •Run arbitrary command dtuser.exerunappasadmincalc.exe

Whatelsedid wefound?

Page 14: State of Windows Application Security - Pwn2Own · Example:Panda Internet Security \Pandasecuritytb\dtuser.exe •Elevation policy with silent Medium IL •Run arbitrary command dtuser.exerunappasadmincalc.exe

TypicalWindowsApplication

MainCode SharedLibraries

MFC/Qt OpenSSL

Image/Video/Audio

Decoders

NetworkLibraries WebKit …

Page 15: State of Windows Application Security - Pwn2Own · Example:Panda Internet Security \Pandasecuritytb\dtuser.exe •Elevation policy with silent Medium IL •Run arbitrary command dtuser.exerunappasadmincalc.exe

TheOpenSSLLandscape

Page 16: State of Windows Application Security - Pwn2Own · Example:Panda Internet Security \Pandasecuritytb\dtuser.exe •Elevation policy with silent Medium IL •Run arbitrary command dtuser.exerunappasadmincalc.exe

TheOpenSSLLandscape:Heartbleed

Page 17: State of Windows Application Security - Pwn2Own · Example:Panda Internet Security \Pandasecuritytb\dtuser.exe •Elevation policy with silent Medium IL •Run arbitrary command dtuser.exerunappasadmincalc.exe

TheOpenSSLLandscape:CVSS>=9

Page 18: State of Windows Application Security - Pwn2Own · Example:Panda Internet Security \Pandasecuritytb\dtuser.exe •Elevation policy with silent Medium IL •Run arbitrary command dtuser.exerunappasadmincalc.exe

Doesyourapplicationhaveanembeddedwebbrowser?

Mostlikely.

Page 19: State of Windows Application Security - Pwn2Own · Example:Panda Internet Security \Pandasecuritytb\dtuser.exe •Elevation policy with silent Medium IL •Run arbitrary command dtuser.exerunappasadmincalc.exe

ChromiumEmbeddedFramework

• “CEFisaBSD-licensedopensourceprojectfoundedbyMarshallGreenblattin2008andbasedonthe GoogleChromium project”• “CEFfocusesonfacilitatingembeddedbrowserusecasesinthird-partyapplications”• “Therearecurrentlyover100million installedinstancesofCEFaroundtheworldembeddedinproductsfromawiderangeofcompaniesandindustries”

Page 20: State of Windows Application Security - Pwn2Own · Example:Panda Internet Security \Pandasecuritytb\dtuser.exe •Elevation policy with silent Medium IL •Run arbitrary command dtuser.exerunappasadmincalc.exe

TheCEFLandscape

Page 21: State of Windows Application Security - Pwn2Own · Example:Panda Internet Security \Pandasecuritytb\dtuser.exe •Elevation policy with silent Medium IL •Run arbitrary command dtuser.exerunappasadmincalc.exe

QtWebKit

Page 22: State of Windows Application Security - Pwn2Own · Example:Panda Internet Security \Pandasecuritytb\dtuser.exe •Elevation policy with silent Medium IL •Run arbitrary command dtuser.exerunappasadmincalc.exe

Howcanwefindunknown sharedlibraries?

• Brainstorming?• OpenSSL,zlib,Qt,whatelse?• Manylibrariesaredevelopedin-houseandusedinsideonecompany• Libraryissuemayshareamongmultiplesoftware• Outdatedparsing/rendering/decodinglibrariesalmostalwaysindicatesecurityissues

Page 23: State of Windows Application Security - Pwn2Own · Example:Panda Internet Security \Pandasecuritytb\dtuser.exe •Elevation policy with silent Medium IL •Run arbitrary command dtuser.exerunappasadmincalc.exe

Howcan wefindunknownsharedlibraries?

• Installeverysoftware• ExtractallPEfiles• Useadisassemblertoextractfunctioninformation• IDAPython

• Recordandcomparefunctionsignaturesacrossdifferentsoftware

Page 24: State of Windows Application Security - Pwn2Own · Example:Panda Internet Security \Pandasecuritytb\dtuser.exe •Elevation policy with silent Medium IL •Run arbitrary command dtuser.exerunappasadmincalc.exe

TheResult

Page 25: State of Windows Application Security - Pwn2Own · Example:Panda Internet Security \Pandasecuritytb\dtuser.exe •Elevation policy with silent Medium IL •Run arbitrary command dtuser.exerunappasadmincalc.exe

Recap

• Asystemthatcanautomaticallydetectpossiblesecurityissues• ManyapplicationsstillhaveoldOpenSSLlibrariesthatareaffectedbyoldvulnerabilities• Anewwaytoautomaticallydetectsharedlibrariesusedinapplications• Detectedover4000sharedlibrariesinoursample,manyofthemunknown

Page 26: State of Windows Application Security - Pwn2Own · Example:Panda Internet Security \Pandasecuritytb\dtuser.exe •Elevation policy with silent Medium IL •Run arbitrary command dtuser.exerunappasadmincalc.exe

Futureworks

• Morebehavior detection• Gomobile• Cross-platformclusteringofresults

Page 27: State of Windows Application Security - Pwn2Own · Example:Panda Internet Security \Pandasecuritytb\dtuser.exe •Elevation policy with silent Medium IL •Run arbitrary command dtuser.exerunappasadmincalc.exe

Acomprehensivereportaboutsharedlibrarysecuritywillbereleasedpubliclylaterthisyear.

Andthesystemmaybeopentopublicinthefuture.

Page 28: State of Windows Application Security - Pwn2Own · Example:Panda Internet Security \Pandasecuritytb\dtuser.exe •Elevation policy with silent Medium IL •Run arbitrary command dtuser.exerunappasadmincalc.exe

Thanks.Chuanda Ding

Tencent XuanwuLabxlab.tencent.com


Agilent 81150A and 81160A Pulse Function Arbitrary Noise ... · Pulse Function Arbitrary Noise Generators ... The Agilent 81150A and 81160A pulse function arbitrary noise generators

Agilent 81150A and 81160A Pulse Function Arbitrary Noise ... · Pulse Function Arbitrary Noise Generators ... The Agilent 81150A and 81160A pulse function arbitrary noise generators

Documents
Optimal Polarization Synthesis of Arbitrary Arrays With ... · Optimal Polarization Synthesis of Arbitrary Arrays ... Optimal Polarization Synthesis of Arbitrary Arrays ... where

Optimal Polarization Synthesis of Arbitrary Arrays With ... · Optimal Polarization Synthesis of Arbitrary Arrays ... Optimal Polarization Synthesis of Arbitrary Arrays ... where

Documents
AFG2021 Arbitrary-Function Generator Datasheet · 2019. 8. 14. · Arbitrary/Function Generator AFG2021 Datasheet The AFG2021 Arbitrary Function Generator gives you the power to create

AFG2021 Arbitrary-Function Generator Datasheet · 2019. 8. 14. · Arbitrary/Function Generator AFG2021 Datasheet The AFG2021 Arbitrary Function Generator gives you the power to create

Documents
Arbitrary Killings by Security Forces - Human Rights Watch · 2020. 5. 27. · the arbitrary killing of 59 men by the military. According to witnesses, all of these victims were Muslim

Arbitrary Killings by Security Forces - Human Rights Watch · 2020. 5. 27. · the arbitrary killing of 59 men by the military. According to witnesses, all of these victims were Muslim

Documents
OsmocomBB - Sending arbitrary protocol data to GSM networksgit.gnumonks.org/laforge-slides/plain/2010/osmocombb-phneutral20… · GSM/3G Network Security Introduction Security Problems

OsmocomBB - Sending arbitrary protocol data to GSM networksgit.gnumonks.org/laforge-slides/plain/2010/osmocombb-phneutral20… · GSM/3G Network Security Introduction Security Problems

Documents
TRB for AF: The Idea arbitrary failureslorenzo/corsi/cs380d/past/08S/notes/week7.pdf · arbitrary failures Crash Arbitrary failures with message authentication Arbitrary (Byzantine)

TRB for AF: The Idea arbitrary failureslorenzo/corsi/cs380d/past/08S/notes/week7.pdf · arbitrary failures Crash Arbitrary failures with message authentication Arbitrary (Byzantine)

Documents
Arbitrary Lagrangian–Eulerian Methods

Arbitrary Lagrangian–Eulerian Methods

Documents
Pwn2own 2013 - Java 7 Se Memory Corruption

Pwn2own 2013 - Java 7 Se Memory Corruption

Documents
Improved Security Evaluation Techniques for Imperfect … · 2019-01-18 · Improved Security Evaluation Techniques for Imperfect Randomness from Arbitrary Distributions Takahiro

Improved Security Evaluation Techniques for Imperfect … · 2019-01-18 · Improved Security Evaluation Techniques for Imperfect Randomness from Arbitrary Distributions Takahiro

Documents
Heat conduction in two dimensions - Aalborg · PDF fileHeat conduction in two dimensions ... Arbitrary angles Arbitrary orientation Isoparametric four-node element Four nodes Arbitrary

Heat conduction in two dimensions - Aalborg · PDF fileHeat conduction in two dimensions ... Arbitrary angles Arbitrary orientation Isoparametric four-node element Four nodes Arbitrary

Documents
AWG2021 Arbitrary Waveform Generator User ManualUser Manual AWG2021 Arbitrary Waveform Generator 070-9097-50

AWG2021 Arbitrary Waveform Generator User ManualUser Manual AWG2021 Arbitrary Waveform Generator 070-9097-50

Documents
Exploring RADIUS - Pwn2Own RADIUS v0.2.pdf · Title Blogging Author Network Associate Created Date 3/17/2014 9:23:07 AM

Exploring RADIUS - Pwn2Own RADIUS v0.2.pdf · Title Blogging Author Network Associate Created Date 3/17/2014 9:23:07 AM

Documents
EITA25 Computer Security (Datasäkerhet) Cryptography · Simplified model (without source coding, channel coding, modulation etc.) Key Key Security primitives Unkeyed Arbitrary length

EITA25 Computer Security (Datasäkerhet) Cryptography · Simplified model (without source coding, channel coding, modulation etc.) Key Key Security primitives Unkeyed Arbitrary length

Documents
Function/Arbitrary Waveform Generator · Function Interface Dual-channel with the same performance 160 built-in arbitrary waveforms Arbitrary waveform function with Ⅱ the unique

Function/Arbitrary Waveform Generator · Function Interface Dual-channel with the same performance 160 built-in arbitrary waveforms Arbitrary waveform function with Ⅱ the unique

Documents
AFG2021 Arbitrary-Function Generator Datasheet - Tektronix · Arbitrary/Function Generator AFG2021 Datasheet The AFG2021 Arbitrary Function Generator gives you the power to create

AFG2021 Arbitrary-Function Generator Datasheet - Tektronix · Arbitrary/Function Generator AFG2021 Datasheet The AFG2021 Arbitrary Function Generator gives you the power to create

Documents
iOS 6 - Pwn2Own...• iOS 6 is the new major version of iOS with tons of new security features • new kernel security mitigations already discussed by Mark Dowd/Tarjei Mandt • but

iOS 6 - Pwn2Own...• iOS 6 is the new major version of iOS with tons of new security features • new kernel security mitigations already discussed by Mark Dowd/Tarjei Mandt • but

Documents
Arbitrary Function Generators - RS Components · Arbitrary Function Generators AFG31000 Series Datasheet The Tektronix AFG31000 Series is a high-performance AFG with built-in arbitrary

Arbitrary Function Generators - RS Components · Arbitrary Function Generators AFG31000 Series Datasheet The Tektronix AFG31000 Series is a high-performance AFG with built-in arbitrary

Documents
Attacking NFC - AusCERT Conference...About me • First to hack the iPhone and G1 Android phone • Winner of CanSecWest Pwn2Own: 2008-2011 • Author • Fuzzing for Software Security

Attacking NFC - AusCERT Conference...About me • First to hack the iPhone and G1 Android phone • Winner of CanSecWest Pwn2Own: 2008-2011 • Author • Fuzzing for Software Security

Documents
408X Series Function and Arbitrary Function Generators€¦ · Function and Arbitrary/Function Generators . Model 4084AWG, 4086AWG, 4084, ... USER PROGRAMMABLE ARBITRARY WAVEFORM

408X Series Function and Arbitrary Function Generators€¦ · Function and Arbitrary/Function Generators . Model 4084AWG, 4086AWG, 4084, ... USER PROGRAMMABLE ARBITRARY WAVEFORM

Documents
Arbitrary Waveform Generator

Arbitrary Waveform Generator

Documents
Write-up of the Mobile Pwn2Own 2017 Android Huawei Mate … · Huawei Mate 9 Pro (LON-AL00) - PWN2OWN 2018-04-26 – Alex Plaskett & James Loureiro

Write-up of the Mobile Pwn2Own 2017 Android Huawei Mate … · Huawei Mate 9 Pro (LON-AL00) - PWN2OWN 2018-04-26 – Alex Plaskett & James Loureiro

Documents
FireWire - Pwn2Own · 2008-06-07 · Maximillian Dornseif • Laboratory for Dependable Distributed Systems Exploiting Reads • We can read arbitrary memory locations. So we can:

FireWire - Pwn2Own · 2008-06-07 · Maximillian Dornseif • Laboratory for Dependable Distributed Systems Exploiting Reads • We can read arbitrary memory locations. So we can:

Documents
Efficient Similarity Search : Arbitrary Similarity Measures, Arbitrary Composition

Efficient Similarity Search : Arbitrary Similarity Measures, Arbitrary Composition

Documents
PC OSCILLOSCOPES WITH ARBITRARY WAVEFORM GENERATOR · 2014. 10. 28. · Arbitrary waveform and function generators All PicoScope 2200A Series oscilloscopes have a built-in arbitrary

PC OSCILLOSCOPES WITH ARBITRARY WAVEFORM GENERATOR · 2014. 10. 28. · Arbitrary waveform and function generators All PicoScope 2200A Series oscilloscopes have a built-in arbitrary

Documents
Individual Losers and Collective Winners MICRO – individuals with arbitrary high death rate INTER – arbitrary low birth rate; arbitrary low density of

Individual Losers and Collective Winners MICRO – individuals with arbitrary high death rate INTER – arbitrary low birth rate; arbitrary low density of

Documents
Analytical study on arbitrary waveform generation by …apdsl.eng.uci.edu/RecentJournals/Analytical study on arbitrary... · Analytical study on arbitrary waveform generation by MEMS

Analytical study on arbitrary waveform generation by …apdsl.eng.uci.edu/RecentJournals/Analytical study on arbitrary... · Analytical study on arbitrary waveform generation by MEMS

Documents
Arbitrary Waveform Generators

Arbitrary Waveform Generators

Documents
Arbitrary Lagrangian-Eulerian Finite Element Modelling … · Arbitrary Lagrangian-Eulerian Finite ... Arbitrary Lagrangian-Eulerian Finite Element Modelling of the Human Heart

Arbitrary Lagrangian-Eulerian Finite Element Modelling … · Arbitrary Lagrangian-Eulerian Finite ... Arbitrary Lagrangian-Eulerian Finite Element Modelling of the Human Heart

Documents
Arbitrary Detention

Arbitrary Detention

Documents
AFD.sys Dangling Pointer Advisory - Pwn2Own 2014 · Elevation of Privilege to NT-Authority/SYSTEM. Pwn2Own 2014 - AFD.sys Dangling Pointer Vulnerability - 3 - TECHNICAL ANALYSIS The

AFD.sys Dangling Pointer Advisory - Pwn2Own 2014 · Elevation of Privilege to NT-Authority/SYSTEM. Pwn2Own 2014 - AFD.sys Dangling Pointer Vulnerability - 3 - TECHNICAL ANALYSIS The

Documents