Kiran A. Bandla

Kiran A. Bandla

Paper Title

"phoneypdf: A Virtual PDF Analysis Framework"

Abstract

PDF exploitation is never complete without JavaScript. Most PDF exploits that we come across are based on JavaScript. The attackers use JavaScript for various reasons - to obfuscate the payload, the shellcode or many other things. However, there are not many tools that have the capability to automatically analyze the JavaScript in a dynamic way.

This paper presents tools and techniques to analyze malicious PDF files. We also present phoneypdf, an open-source PDF analysis framework. The paper builds on existing work and presents some new work which allows us to leverage the Adobe PDF DOM and XFA. Emulating the Adobe PDF DOM gives us unique advantage over other tools that are currently available. It gives us a fine grained information on the PDF's layout, XFA and execution of JavaScript. Having the Adobe DOM gives us the ability to get deeper insights into exploitation than just pure static analysis.

As an example, we analyze CVE-2010-0188 and how it is detected by phoneypdf. An analyst can quickly extend phoneypdf by way of signatures or code to add detecting new exploits. We discuss the technical challenges and related solutions PDF analysis in a semi-dynamic way.

Speaker Bio

Kiran A. Bandla is an security engineer at iDefense. He works in the iDefense Vulnerability Contributor Program (VCP), analyzing 0-day vulnerabilities. He is also an engineer for the award winning Maldetector product.

Kiran's research interests include reverse code analysis, EEG research and robotics. He holds a MS in Information Security and Assurance from George Mason University. Prior to joining iDefense, he has worked as a security engineer and researcher in various capacities with Arbor Networks, CA Antivirus and Cigital Inc.

Copyright © 2018-19 | Nullcon India | International Security Conference | All Rights Reserved