by Antriksh Shah
Binary code analysis is a fairly new approach in the application security domain, and it is changing how software security is perceived. The topic and its tools are quite complex and hence not widely used by security researchers. Nullcon got a unique opportunity to interview Nilo Redini, a Ph.D. student in the computer science department (SecLab) at UCSB (UC Santa Barbara), who has chosen binary analysis as his primary research area. In a freewheeling chat with Nullcon, Nilo answered questions about his upcoming Nullcon Goa 2018 talk and his ongoing research in binary analysis:
The key idea is to analyze bootloaders and try to understand if they are resilient against malicious data, which might be written on persistent storage. In other words, the question we wanted to answer was: “Is the booting process on smartphones reliable regardless of whatever data is present on the hard drive?” Note that by reliable we do not necessarily mean that the booting process must succeed, but if something is not ok, the user must at least be informed.
The main challenge is to execute the bootloader in a virtualized environment. In order to run the bootloaders you often need the device that mounts them. This fact makes static analysis the only viable solution, unless one is willing to buy the device, of course.
Yes, binary analysis is my main research interest. The main idea behind it is to try to answer questions like "is the program vulnerable to xyz attacks?", "can the program be forced to access sensitive data without a valid login?" and so forth, relying only on the information an analyst can get from the binary itself. This is like the worst-case scenario for a security analyst, as they cannot rely on several pieces of information, such as data structures or variable names.
Well, honestly, I think it is binary exploitation. There are other cases, though. For example, one would want to be able to hook some functions in a proprietary program and add additional security checks.
I would say having a sound yet precise analysis. This is a problem of program analysis in general, but in binary analysis it is usually much harder. This is due to the fact that some information is lost after compilation. For example: variable names, data structures and sometimes function names. This makes the analysis of a program more difficult, as one could extract some valuable (often semantic) information if these three were present. Generally speaking, the analyses are usually more precise if one can rely on the application source code.
If one could (potentially) retrieve all and only the possible flow transitions of the program (soundness and completeness) just relying on the binary, one could answer a great deal of interesting questions, such as "can this program state ever be reached if property X is not satisfied?". In theory, one could rely on this sound and complete analysis to check whether a proprietary program is secure. Unfortunately this is, in the general case, impossible.
I would say memory corruption vulnerabilities (such as buffer overflows, format string vulnerabilities and so forth), denial of service attacks due to inadequately controlled user inputs and so on. Usually the problem is not "what one can detect", rather how precise the results of the analysis are. For example, one can detect buffer overflows relying on binaries as well as relying on source code. Usually the second option, if available, is preferred, as the former might produce more false positives (meaning that several of the generated alarms are not possible buffer overflows). In some cases though, like for bootloaders, the source code is not available to a security analyst, therefore the former option is the only one available.
BootStomp works completely on a binary level. It does not need source code. So I would say that BootStomp is all about binary analysis :)
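As an added illustration of the bug class behind the bootloader question and the "inadequately controlled inputs" point above (this is not code from the interview, from BootStomp, or from any real bootloader): a constructed partition header read from persistent storage, with the unchecked copy beside a bounded one that refuses to continue and reports the problem. The struct, the magic value, the buffer size and all function names are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed partition header as a bootloader might read it from persistent
 * storage. Every field is untrusted: whoever can write the storage controls it. */
typedef struct {
    uint32_t magic;
    uint32_t payload_len;
} part_header_t;

#define PART_MAGIC     0x50415254u  /* "PART", a constructed value */
#define STAGE_BUF_SIZE 64u          /* RAM reserved for the next stage */
enum boot_status { BOOT_OK = 0, BOOT_BAD_MAGIC = 1, BOOT_BAD_LEN = 2 };

/* Vulnerable pattern: a length read from storage drives memcpy unchecked,
 * so a header with payload_len > STAGE_BUF_SIZE overflows dst. */
int load_stage_unchecked(const uint8_t *storage, uint8_t *dst) {
    part_header_t hdr;
    memcpy(&hdr, storage, sizeof hdr);
    if (hdr.magic != PART_MAGIC) return BOOT_BAD_MAGIC;
    memcpy(dst, storage + sizeof hdr, hdr.payload_len);
    return BOOT_OK;
}

/* Hardened form: bound every storage-derived value against the destination
 * and the data actually available, and report instead of proceeding. */
int load_stage_checked(const uint8_t *storage, size_t storage_len, uint8_t *dst) {
    part_header_t hdr;
    if (storage_len < sizeof hdr) return BOOT_BAD_LEN;
    memcpy(&hdr, storage, sizeof hdr);
    if (hdr.magic != PART_MAGIC) return BOOT_BAD_MAGIC;
    if (hdr.payload_len > STAGE_BUF_SIZE ||
        hdr.payload_len > storage_len - sizeof hdr) {
        fprintf(stderr, "boot: payload length %u rejected\n", (unsigned)hdr.payload_len);
        return BOOT_BAD_LEN;
    }
    memcpy(dst, storage + sizeof hdr, hdr.payload_len);
    return BOOT_OK;
}

/* Build a constructed storage image with the given header fields and run the
 * checked loader on it; returns the resulting boot status. */
int boot_from_image(uint32_t magic, uint32_t payload_len) {
    uint8_t storage[sizeof(part_header_t) + STAGE_BUF_SIZE];
    uint8_t stage[STAGE_BUF_SIZE];
    part_header_t hdr = { magic, payload_len };
    memset(storage, 0xAB, sizeof storage);  /* constructed payload bytes */
    memcpy(storage, &hdr, sizeof hdr);
    return load_stage_checked(storage, sizeof storage, stage);
}
```

A static analyzer working on the compiled binary has to recover that the second memcpy's size argument originates in storage and is unbounded, without the struct or field names shown here.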
I think it is important to organize and to attend such events in order to share ideas and solutions and push research forward.
Nilo Redini will be presenting his research at Nullcon Goa 2018. To meet him or learn more about binary analysis, book your tickets for Nullcon 2018 here.
Antriksh is a Security Analyst from Goa. He is associated with the initiatives of null (The Open Security Community) and helps organize its annual flagship conference, nullcon. His areas of interest are VAPT, web application security, network auditing and forensics. He is very active with the Pune Cyber Crime Branch, assisting them with investigation cases.