CSW2017 Chuanda Ding: State of Windows Application Security
State of Windows Application Security: Shared Libraries
About the speaker
• Previously a software developer
• Chromium based browser with security features
• Joined Tencent in 2014
• Security researcher
• Xuanwu Lab researches real world security problems
• CanSecWest 2016 speaker
• QCon 2016 speaker
Previously…
• At CanSecWest 2016
• 55% of popular AVs can be exploited to escape the browser sandbox
• Reported and fixed… hopefully
Browser Sandboxes… What are they for?
• They contain the damage of code execution exploits
• They make it much harder for exploits to gain higher privileges
Sandbox Whitelist: Elevation Policy
[Diagram: Browser Renderer (Low Integrity Level Process) | Security Boundary | Browser Broker with Elevation Policy (Medium Integrity Level Process)]
Example: Panda Internet Security
\Pandasecuritytb\dtuser.exe
• Elevation policy with silent Medium IL
• Run arbitrary command
    dtuser.exe runappasadmin calc.exe
• Copy arbitrary file
    dtuser.exe copyfile <origin> <target>
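An audit sketch for the elevation-policy whitelist described above, added here and not taken from the slides or from Project A'Tuin: it parses a `reg export` of Internet Explorer's `Low Rights\ElevationPolicy` key and lists the brokers registered with Policy 3, which a low-integrity renderer can start at medium integrity without a prompt. The vendor names, GUIDs and paths in the sample are constructed.

```python
import re

# Policy DWORD: 0 = blocked, 1 = runs at low IL,
# 2 = medium IL after a user prompt, 3 = medium IL silently.
SECTION = re.compile(r"^\[(.+\\ElevationPolicy\\(\{[^}]+\}))\]$", re.I)
VALUE = re.compile(r'^"(\w+)"=(?:"(.*)"|dword:([0-9a-fA-F]{8}))$')

def parse_elevation_policies(reg_text):
    """Parse `reg export` text into one dict per ElevationPolicy GUID."""
    entries, current = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        m = SECTION.match(line)
        if m:
            current = {"guid": m.group(2)}
            entries.append(current)
            continue
        if line.startswith("["):
            current = None  # some other key: ignore its values
            continue
        m = VALUE.match(line)
        if m and current is not None:
            name, text, dword = m.groups()
            # .reg files double every backslash inside string values.
            current[name] = int(dword, 16) if dword is not None else text.replace("\\\\", "\\")
    return entries

def silent_medium_brokers(entries):
    """Entries that launch at medium IL with no prompt (Policy == 3)."""
    return [e for e in entries if e.get("Policy") == 3]

# Constructed sample export; not real vendor data.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{11111111-1111-1111-1111-111111111111}]
"AppName"="examplehelper.exe"
"AppPath"="C:\\Program Files\\ExampleVendor"
"Policy"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{22222222-2222-2222-2222-222222222222}]
"AppName"="exampleviewer.exe"
"AppPath"="C:\\Program Files\\ExampleViewer"
"Policy"=dword:00000002
'''
```

Each entry returned by `silent_medium_brokers` names a binary whose command-line handling deserves review, since the sandbox will launch it on the renderer's behalf.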
How to detect it automatically?
Project A'Tuin
• Automated installation
• Detect insecure characteristics and behaviors
• Provide searchable results
[Diagram: Crawl, Install, Trigger Behavior, Log; Cluster Offline Computation; Frontend Interface]
Project A'Tuin
Example: Panda Internet Security
Diversity is Installers’ Strength
Automated installation
• Search all top-level windows created by the installer
• In all screen area covered by recorded windows, find the polygons that have the largest area and highest contrast ratio
• Simulate input to the screen area inside the polygon
• Success rate 95%+, special-case the rest
What else did we find?
Typical Windows Application
[Diagram: Main Code; Shared Libraries: MFC/Qt, OpenSSL, Image/Video/Audio Decoders, Network Libraries, WebKit, …]
The OpenSSL Landscape
The OpenSSL Landscape: Heartbleed
The OpenSSL Landscape: CVSS >= 9
Does your application have an embedded web browser?
Most likely.
Chromium Embedded Framework
• “CEF is a BSD-licensed open source project founded by Marshall Greenblatt in 2008 and based on the Google Chromium project”
• “CEF focuses on facilitating embedded browser use cases in third-party applications”
• “There are currently over 100 million installed instances of CEF around the world embedded in products from a wide range of companies and industries”
The CEF Landscape
QtWebKit
How can we find unknown shared libraries?
• Brainstorming?
• OpenSSL, zlib, Qt, what else?
• Many libraries are developed in-house and used inside one company
• A library issue may be shared among multiple software products
• Outdated parsing/rendering/decoding libraries almost always indicate security issues
How can we find unknown shared libraries?
• Install every software
• Extract all PE files
• Use a disassembler to extract function information
• IDAPython
• Record and compare function signatures across different software
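The comparison step of the procedure above, as an added example that is not Project A'Tuin's code: files from different products are grouped when their sets of function signatures overlap, which surfaces a library even when it is renamed or statically linked. The `signature` helper is a stand-in for whatever a disassembler script would emit, and all product names, file names and data are constructed.

```python
import hashlib
from itertools import combinations

def signature(func_bytes):
    """Stand-in for a disassembler-derived function signature (assumption)."""
    return hashlib.sha256(func_bytes).hexdigest()[:16]

def shared_library_clusters(binaries, threshold=0.6):
    """binaries: {(product, filename): set of function signatures}.
    Returns groups of files from different products with overlapping code."""
    parent = {k: k for k in binaries}

    def find(k):  # union-find root lookup with path halving
        while parent[k] != k:
            parent[k] = parent[parent[k]]
            k = parent[k]
        return k

    for a, b in combinations(sorted(binaries), 2):
        fa, fb = binaries[a], binaries[b]
        if a[0] == b[0] or not fa or not fb:
            continue  # same product, or nothing to compare
        # Containment instead of Jaccard: a library linked into a large
        # executable still matches the stand-alone DLL.
        overlap = len(fa & fb) / min(len(fa), len(fb))
        if overlap >= threshold:
            parent[find(a)] = find(b)

    clusters = {}
    for k in binaries:
        clusters.setdefault(find(k), []).append(k)
    return sorted(sorted(c) for c in clusters.values() if len(c) > 1)

def _sigs(prefix, n):
    # Constructed function bodies: "<prefix>-0" .. "<prefix>-(n-1)"
    return {signature(f"{prefix}-{i}".encode()) for i in range(n)}

# Constructed sample: one codec shipped under three names.
SAMPLE = {
    ("ProductA", "imgcodec.dll"): _sigs("codec", 40),
    ("ProductB", "decoder.dll"): _sigs("codec", 36) | _sigs("b-patch", 4),
    ("ProductC", "app.exe"): _sigs("codec", 30) | _sigs("c-main", 70),
    ("ProductD", "ui.dll"): _sigs("d-ui", 50),
}
```

On real data, compiler runtime functions appear in almost every binary and should be filtered out before clustering, or they will link unrelated files.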
The Result
Recap
• A system that can automatically detect possible security issues
• Many applications still have old OpenSSL libraries that are affected by old vulnerabilities
• A new way to automatically detect shared libraries used in applications
• Detected over 4000 shared libraries in our sample, many of them unknown
Future works
• More behavior detection
• Go mobile
• Cross-platform clustering of results
A comprehensive report about shared library security will be released publicly later this year.
And the system may be open to the public in the future.
Thanks.
Chuanda Ding
Tencent Xuanwu Lab
xlab.tencent.com