server side (remote)
http, ftp, smb
client side (local)
ie, acrobat reader, flash
overflow,
use-after-free bug
format string, double free
etc.
finding 0-day
Immunity, Sulley, DynamoRIO, Valgrind, Pin
taint tool!!
static analysis tool
ida, 010 editor
dynamic analysis tool
ollydbg, cheat engine
=============================================
exploit db
zero day initiative, rapid 7
-how to find 0-day-
source code auditing
binary auditing
binary diffing
fuzzing
taint analysis
=============================================
static analysis
so easy
only when source code is available (open source)
-- source exists!
binary auditing
static analysis
so slow
Fuzzing
send invalid random data into a system
mutation fuzzing -> some routines can never be reached
take valid data and add random data
just change random bytes to random values
remove bytes
generation fuzzing -> no routines are missed, but pdf
generate test cases from protocol specification
explores every detail of protocol
=fuzzing lifecycle=
identify target
identify inputs
generate fuzzed data
sending fuzzed data
monitoring for exceptions
reporting
====================
=identify target=
File, Network
Past Vulnerabilities
====================
identify input
file fuzzing
=monitoring for exceptions=
error messages
blue screen
logs
============================
=Reporting=
Filtering
============================
Exploitable?
what is input data?
============================
Taint analysis
Information flow
============================
full virtualization
-cpu
shadow memory
propagation control
manage taint object
handling thread
...
external taint source
network, file, other
taint objects on x86
-memory object
address and size of the memory
=============================
intermediate languages
It becomes much easier to parse and identify the instructions and operands
=============================
Taint Propagation
classified into cases, like the four arithmetic operations
mov [esp], eax
-eax is tainted?
-esp is tainted?
-[esp] is tainted?
push eax
-sub esp,4
-mov [esp], eax
==========================
overflow
-strcpy
-rep movs
integer overflow
-lea eax, [eax*4] => problem at memory allocation
Tainted EIP register
-ret
-call register
Etc..
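A toy tracker for the propagation and check cases above, added here as an example (not code from the lecture or any of the tools it names): registers and (address, size) memory ranges are the taint objects, push is decomposed into sub esp,4 / mov [esp],eax exactly as written above, and a tainted return slot or call target is reported as a tainted EIP. The instruction syntax, the trace and the tainted file buffer at 0x2000 are constructed assumptions.

```python
import re
WORD = 4  # 32-bit operands, as in the x86 examples in the notes
class TaintTracker:
    """Toy x86 taint tracker (constructed example): a register is a taint object
    by name, a memory taint object is an (address, size) range of bytes."""
    def __init__(self, esp=0x1000):
        self.regs = {"eax": 0, "ebx": 0, "esp": esp}  # only esp's value is used
        self.tainted_regs, self.tainted_mem, self.alerts = set(), set(), []
    def taint_source(self, addr, size):
        # External taint source (file or network buffer) marks a memory object.
        self.tainted_mem.update(range(addr, addr + size))
    def _addr(self, inner):  # resolve "[reg*scale+disp]" with current register values
        def term(t):
            m = re.fullmatch(r"([a-z]+)(?:\*(\d+))?", t)
            return self.regs[m[1]] * int(m[2] or 1) if m else int(t, 0)
        return sum(term(t) for t in inner.split("+"))
    def _keys(self, op):  # taint object of an operand: WORD bytes for memory, else the name
        if op[0] != "[":
            return [op], self.tainted_regs
        a = self._addr(op[1:-1])
        return range(a, a + WORD), self.tainted_mem
    def _tainted(self, op):  # data taint only: a tainted esp (pointer) is not itself flagged
        keys, pool = self._keys(op)
        return any(k in pool for k in keys)  # immediates are never in either set
    def _set(self, op, tainted):
        keys, pool = self._keys(op)
        for k in keys:
            pool.add(k) if tainted else pool.discard(k)
    def step(self, insn):
        mnem, _, rest = insn.partition(" ")
        ops = [o.strip() for o in rest.split(",")]
        if mnem == "mov":     # data taint of src flows to dst
            self._set(ops[0], self._tainted(ops[1]))
        elif mnem == "push":  # decomposed as in the notes: sub esp,4 ; mov [esp],reg
            self.step("sub esp, 4"); self.step(f"mov [esp], {ops[0]}")
        elif mnem == "sub":   # reg -= imm; taint of dst is unchanged by a constant
            self.regs[ops[0]] -= int(ops[1], 0)
        elif mnem == "lea":   # address arithmetic such as lea eax,[eax*4] propagates taint
            self._set(ops[0], any(r in self.tainted_regs for r in re.findall("[a-z]+", ops[1])))
        elif mnem == "ret":   # tainted return slot -> tainted EIP
            if self._tainted("[esp]"): self.alerts.append("tainted EIP: ret")
            self.regs["esp"] += WORD
        elif mnem == "call" and self._tainted(ops[0]):
            self.alerts.append(f"tainted EIP: call {ops[0]}")

def trace_demo():  # constructed trace: file bytes at 0x2000 reach eax, a size, the stack, EIP
    t = TaintTracker(); t.taint_source(0x2000, 16)
    for insn in ["mov eax, [0x2000]", "lea ebx, [eax*4]", "push eax", "ret"]:
        t.step(insn)
    return t
```

Running trace_demo() leaves eax, ebx and the pushed stack slot tainted and records a single "tainted EIP: ret" alert; a real tool would attach the backward taint log (which input byte reached the slot) to that alert.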
==========================
Taint Log -> too many entries
Taint Map!! -> from the back -> upward
=>Backward Taint Log
==========================
==========================
=symbolic execution=
==========================
static
-if ((x+z)>(y*9))
-if(x+z)>(y*9):
dynamic
-jnz addr
==========================
shellcode
cmd, calc shell code
no brute forcing
-os version
-software version
==========================
Demo
gom player taint analysis -> chocoplayer too
==========================
DynamoRIO paper
ring3