State of Windows Application Security - Pwn2Own · Example:Panda Internet Security...
State of Windows Application Security: Shared Libraries
About the speaker
• Previously a software developer
• Chromium-based browser with security features
• Joined Tencent in 2014
• Security researcher
• Xuanwu Lab researches real-world security problems
• CanSecWest 2016 speaker
• QCon 2016 speaker
Previously…
• At CanSecWest 2016
• 55% of popular AVs can be exploited to escape the browser sandbox
• Reported and fixed… hopefully
Browser Sandboxes… What are they for?
• They contain the damage of code execution exploits
• They make it much harder for exploits to gain higher privileges
Sandbox Whitelist: Elevation Policy
[Diagram: Browser Renderer (Low Integrity Level Process) → Browser Broker → Elevation Policy → Medium Integrity Level Process; the Security Boundary separates the Low IL renderer from Medium IL]
Example: Panda Internet Security
\Pandasecuritytb\dtuser.exe
• Elevation policy with silent Medium IL
• Run arbitrary command:
    dtuser.exe runappasadmin calc.exe
• Copy arbitrary file:
    dtuser.exe copyfile <origin> <target>
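The whitelist the slide refers to is the Protected Mode elevation policy, stored under HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy (and the HKCU equivalent): each subkey names an executable and a Policy value, where 3 means the broker launches it at Medium IL without prompting. An installer that adds such an entry for a helper that will run arbitrary commands hands every Low IL renderer a sandbox escape. The script below is an added example, not code from the talk or from Project A'Tuin: it parses a `reg export` of that key and lists the silent-Medium entries. The .reg text, GUIDs, AppName and AppPath values are constructed.

```python
"""Audit an exported Protected Mode elevation policy for silent-Medium-IL entries.
Added example; the .reg sample below is constructed, not a real product's entry."""
import re

# Policy values as documented for the IE Protected Mode ElevationPolicy key.
POLICY_MEANING = {
    0: "prevent launch",
    1: "launch as Low IL",
    2: "prompt the user, then launch at Medium IL",
    3: "launch silently at Medium IL",
}

# Constructed sample of:
#   reg export "HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy" policy.reg
# GUIDs, AppName and AppPath are hypothetical.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{11111111-2222-3333-4444-555555555555}]
"AppName"="helper_tool.exe"
"AppPath"="C:\\Program Files\\ExampleVendor\\toolbar"
"Policy"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{66666666-7777-8888-9999-000000000000}]
"AppName"="viewer.exe"
"AppPath"="C:\\Program Files\\ExampleVendor\\viewer"
"Policy"=dword:00000001
'''

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg_value(raw):
    """Decode the two .reg value encodings that matter here: quoted strings and dwords."""
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    if raw.startswith('"') and raw.endswith('"'):
        # .reg escapes quotes and backslashes with a backslash
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return raw


def parse_elevation_policy(reg_text):
    """Return one dict per ElevationPolicy subkey: key plus AppName/AppPath/Policy."""
    entries, current = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = {"key": m.group(1)}
            if "\\ElevationPolicy\\" in current["key"]:
                entries.append(current)
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = parse_reg_value(m.group(2))
    return entries


def silent_medium_entries(entries):
    """Entries a Low IL renderer can use to start a Medium IL process with no prompt."""
    return [e for e in entries if e.get("Policy") == 3]


if __name__ == "__main__":
    for e in silent_medium_entries(parse_elevation_policy(SAMPLE_REG)):
        print(f"{e['AppPath']}\\{e['AppName']}: {POLICY_MEANING[e['Policy']]}")
```

Every entry the script lists deserves a manual look at what the whitelisted executable will do with attacker-controlled arguments; a Policy of 3 is only a problem when the target, like the dtuser.exe case above, takes commands or file paths from its command line.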
How to detect it automatically?
Project A'Tuin
• Automated installation
• Detect insecure characteristics and behaviors
• Provide searchable results
[Diagram: Crawl → Install → Trigger Behavior → Log; Cluster → Offline Computation → Frontend Interface]
Project A'Tuin
Example: Panda Internet Security
Diversity is Installers' Strength
Automated installation
• Searches all top-level windows created by the installer
• In all screen area covered by recorded windows, find the polygons that have the largest area and highest contrast ratio
• Simulate input to the screen area inside the polygon
• Success rate 95%+; special-case the rest
What else did we find?
Typical Windows Application
[Diagram: Main Code + Shared Libraries (MFC/Qt, OpenSSL, image/video/audio decoders, network libraries, WebKit, …)]
The OpenSSL Landscape
The OpenSSL Landscape: Heartbleed
The OpenSSL Landscape: CVSS >= 9
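The three landscape slides are charts of which OpenSSL versions ship inside the installed applications. The talk does not say how the versions were recovered; one practical way, shown here as an added example that is not the talk's own method, is to scan each PE file for the version string OpenSSL embeds in libcrypto and libssl ("OpenSSL 1.0.1e 11 Feb 2013" and the like) and compare the version against a known-bad range. Heartbleed (CVE-2014-0160) affects OpenSSL 1.0.1 through 1.0.1f and was fixed in 1.0.1g, so that is the range checked. The file names and byte blobs below are constructed.

```python
"""Find embedded OpenSSL version strings and flag Heartbleed-range versions.
Added example; SAMPLE_BINARIES is constructed data, not real product files."""
import re

# libcrypto/libssl embed "OpenSSL <version> <date>"; capture the numeric parts
# and the optional patch letter (1.0.1e -> 1, 0, 1, "e").
VERSION_RE = re.compile(rb"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*)\b")

# Heartbleed affects 1.0.1 .. 1.0.1f inclusive; "" sorts before "a", so a bare
# 1.0.1 is inside the range and 1.0.1g is outside it.
HEARTBLEED_LOW = (1, 0, 1, "")
HEARTBLEED_HIGH = (1, 0, 1, "f")

# Constructed stand-ins for PE files; only the version strings matter.
SAMPLE_BINARIES = {
    "vendor_tool.exe": b"MZ\x90\x00" + b"OpenSSL 1.0.1e 11 Feb 2013\x00" + b"\x00" * 8,
    "vendor_net.dll": b"MZ\x90\x00" + b"OpenSSL 1.0.2k  26 Jan 2017\x00",
    "old_client.exe": b"\x00" + b"OpenSSL 0.9.8y 5 Feb 2013\x00" + b"OpenSSL 1.0.1g 7 Apr 2014\x00",
    "no_ssl.exe": b"MZ\x90\x00 plain binary without libcrypto",
}


def parse_version(match):
    major, minor, patch, letter = match.groups()
    return (int(major), int(minor), int(patch), letter.decode())


def find_openssl_versions(blob):
    """All distinct OpenSSL versions named in a byte blob, ascending."""
    return sorted({parse_version(m) for m in VERSION_RE.finditer(blob)})


def is_heartbleed_vulnerable(version):
    return HEARTBLEED_LOW <= version <= HEARTBLEED_HIGH


def fmt(version):
    major, minor, patch, letter = version
    return f"{major}.{minor}.{patch}{letter}"


def assess(binaries):
    """Map file name -> list of (version, heartbleed?) findings; [] means no OpenSSL string."""
    return {
        name: [(fmt(v), is_heartbleed_vulnerable(v)) for v in find_openssl_versions(blob)]
        for name, blob in binaries.items()
    }


def assess_files(paths):
    """Same check over real files on disk (read whole, which is fine for PE sizes)."""
    blobs = {}
    for path in paths:
        with open(path, "rb") as fh:
            blobs[path] = fh.read()
    return assess(blobs)


if __name__ == "__main__":
    for name, findings in assess(SAMPLE_BINARIES).items():
        for version, bad in findings:
            print(f"{name}: OpenSSL {version}{'  <-- Heartbleed range' if bad else ''}")
```

Two caveats before trusting a result: a version string only proves that OpenSSL code is present, since a vendor may have backported the fix without bumping the version, and the regex treats a pre-release like 1.0.2-beta1 as 1.0.2, which misses the betas Heartbleed also affected. A binary with two strings (old_client.exe above) usually means two statically linked copies, each of which needs checking.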
Does your application have an embedded web browser?
Most likely.
Chromium Embedded Framework
• "CEF is a BSD-licensed open source project founded by Marshall Greenblatt in 2008 and based on the Google Chromium project"
• "CEF focuses on facilitating embedded browser use cases in third-party applications"
• "There are currently over 100 million installed instances of CEF around the world embedded in products from a wide range of companies and industries"
The CEF Landscape
QtWebKit
How can we find unknown shared libraries?
• Brainstorming?
• OpenSSL, zlib, Qt, what else?
• Many libraries are developed in-house and used inside one company
• A library issue may be shared among multiple software products
• Outdated parsing/rendering/decoding libraries almost always indicate security issues
How can we find unknown shared libraries?
• Install every software product
• Extract all PE files
• Use a disassembler to extract function information (IDAPython)
• Record and compare function signatures across different software
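The comparison step is what turns a pile of disassembled functions into a list of libraries, known or not: functions that keep appearing together in binaries from unrelated vendors are a library, whatever it is called. The script below is an added example, not the talk's tooling. It assumes the IDAPython export step has already produced, per binary, the instruction-mnemonic sequence of each function (operands are dropped so that relocations, addresses and stack offsets do not spoil the match); it then hashes each sequence, indexes which binaries contain each hash, and groups hashes by the exact set of binaries they travel in. The binaries, function names and mnemonic listings are constructed via a small generator.

```python
"""Cluster functions that co-occur across binaries into candidate shared libraries.
Added example; the per-binary listings are constructed, standing in for an
IDAPython export of mnemonic sequences."""
import hashlib
from collections import defaultdict

MIN_FUNC_LEN = 8  # shorter functions (thunks, stubs) collide too often to be evidence


def function_signature(mnemonics):
    """Hash one function's mnemonic sequence; None for functions too short to trust."""
    if len(mnemonics) < MIN_FUNC_LEN:
        return None
    return hashlib.sha1(";".join(mnemonics).encode()).hexdigest()[:16]


def signature_set(functions):
    """functions: {label: [mnemonic, ...]} for one binary -> set of signatures."""
    sigs = set()
    for mnemonics in functions.values():
        sig = function_signature(mnemonics)
        if sig:
            sigs.add(sig)
    return sigs


def cluster_shared_code(binaries, min_shared=3):
    """Return {frozenset(binaries): set(signatures)} for every group of at least
    min_shared functions that occur in exactly the same set of 2+ binaries.
    Each group is a candidate shared library; the binaries tell you who ships it."""
    where = defaultdict(set)  # signature -> binaries containing it
    for name, functions in binaries.items():
        for sig in signature_set(functions):
            where[sig].add(name)
    groups = defaultdict(set)  # frozenset(binaries) -> signatures seen in exactly them
    for sig, owners in where.items():
        if len(owners) >= 2:
            groups[frozenset(owners)].add(sig)
    return {owners: sigs for owners, sigs in groups.items() if len(sigs) >= min_shared}


def _fake_func(seed, length=12):
    """Deterministic constructed mnemonic list; distinct seeds give distinct sequences."""
    ops = ["push", "mov", "sub", "call", "test", "jz", "lea", "add", "cmp", "jne", "xor", "ret"]
    return [ops[(seed * 7 + i * 3) % len(ops)] for i in range(length)]


# Constructed sample: a hypothetical library (seeds 0-4) shipped by three of four
# products, one function shared by only two products, and a thunk present everywhere.
_LIB = {f"lib_fn_{i}": _fake_func(i) for i in range(5)}
_THUNK = {"thunk": ["jmp"] * 3}
SAMPLE_BINARIES = {
    "product_a.exe": {**_LIB, **_THUNK, "a_main": _fake_func(5), "a_helper": _fake_func(11)},
    "product_b.exe": {**_LIB, **_THUNK, "b_main": _fake_func(6)},
    "product_c.exe": {**_THUNK, "c_main": _fake_func(7), "c_helper": _fake_func(11)},
    "product_d.exe": {**_LIB, **_THUNK, "d_main": _fake_func(8)},
}


if __name__ == "__main__":
    for owners, sigs in cluster_shared_code(SAMPLE_BINARIES).items():
        print(f"{len(sigs)} functions shared by exactly: {', '.join(sorted(owners))}")
```

Two things matter when this is run at corpus scale. First, exact co-occurrence is strict: different products ship different versions of the same library, so in practice you merge groups whose binary sets overlap heavily rather than requiring identical sets. Second, the threshold keeps compiler-generated boilerplate (CRT startup, exception handlers) from being reported as a library; raise it, or drop signatures that appear in nearly every binary, once the sample grows.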
The Result
Recap
• A system that can automatically detect possible security issues
• Many applications still have old OpenSSL libraries that are affected by old vulnerabilities
• A new way to automatically detect shared libraries used in applications
• Detected over 4000 shared libraries in our sample, many of them unknown
Future work
• More behavior detection
• Go mobile
• Cross-platform clustering of results
A comprehensive report about shared library security will be released publicly later this year.
And the system may be opened to the public in the future.
Thanks. Chuanda Ding
Tencent Xuanwu Lab, xlab.tencent.com