Extending Microsoft’s Phoenix Framework
Download
Report
Transcript Extending Microsoft’s Phoenix Framework
A software analysis framework
built on Phoenix
Matt Miller
Leviathan Security Group
Metasploit Framework
Uninformed Journal
Not a static analysis expert
Cthulhu software analysis framework
Very high-level architectural overview
Interesting features
Case study
Software optimization and analysis
Basis for future Microsoft compilers and tools
Robust and extensible architecture
◦ Plugins
◦ Phases
Check out Richard Johnson’s talk to learn
more
RDK/SDK not yet completely solidified
◦ Encapsulation can help here
API is feature rich but verbose
◦ No simplified wrapper
No solution for large-scale analysis
◦ LTCG is not enough
Software analysis framework
Hobby project started in June, 2006
Written in C#
Currently around 28KLOC
Simplified Programming Interface
◦ Simple and extensible API
◦ Fundamental independence
Large-scale analysis
◦ Modeling behavior of large systems
◦ Pie in the sky: Windows Vista
Research Sandbox
◦ A playground for experimentation
◦ Phoenix can also be used directly for this purpose
Data Flow
IDA
DB
Control Flow
Peons
Phoenix
Analysis Engine
Tools
Analysis
Rendering
Fundamentals
Data Flow
IDA
DB
Control Flow
Peons
Phoenix
Analysis Engine
Tools
Analysis
Rendering
Fundamentals
Uses a fundamental to load assemblies
Runs phases
◦ Import
◦ Analyze
◦ Render
Peons register to be notified on certain events
Phoenix
Fundamental
1. Load Assembly
DB
2. Assembly Loaded
Analysis Engine
3. Import Event
4. Normalize
Information
Importing
Peons
5. Import Event
Basic Types
Control Flow
Data Flow
Database
Fundamental
2. Denormalize
Assembly
Information
DB
1. Load Assembly
3. Assembly Loaded
Analysis Engine
4. Analysis Event
5. Normalize and
Denormalize
Information
Analyzing
Peons
6. Analysis Event
Path Discovery
Leak Check
DB
2. Denormalize
Rendering
Peons
Analysis
Engine
1. Render
Console
GUI
3. Display
Output
Store
Extensible and flexible way to represent
binary information
May be used to support large-scale analysis
◦ Hundreds of modules
◦ More work needs to be done
Performance overhead is non-trivial
◦ Processing time can be high
◦ Volatile memory usage can be kept low
Simplified API
Version-independent modeling
Conceptual modeling
Abstract classes
provide fundamental
independence
Assembly
Module
Data Type
Method
…
Assembly
Assembly
Module
Module
Data Type
Data Type
Method
Method
Phoenix
DB
Concrete
Implementations
Modeling version independent
relationships between software
elements in the database
Appropriate versions can
be selected at analysis time
void CallExitProcess()
{
ExitProcess(0);
}
ExitProcess 1
ExitProcess 2
CallExitProcess 1
ExitProcess
ExitProcess 3
ExitProcess 4
Call to version independent
kernel32!ExitProcess
Distinct versions of
kernel32!ExitProcess
Universe
VPN Client
VPN Server
Device Driver
Daemon
vpn.sys
daemon.exe
User Interface
vpngui.exe
dialogs.dll
Finding inter-component data
flow paths
Web Services is a simple remoting interface
◦ Clients invoke methods hosted on a web server
◦ Server handles requests and provides responses
Problematic for static analysis
◦ Clients pass data to the server indirectly (network)
◦ Limits the scope at which analysis can be performed
Let’s walk through an example
[WebService]
public class WebService
{
[WebMethod]
public void ExecuteCommand(string command)
{
Process.Start(command);
}
}
Simple web service that invokes a process using the supplied
command string
[WebServiceBinding]
public class WebClient : SoapHttpClientProtocol
{
[SoapDocumentMethod]
public void ExecuteCommand(string command)
{
Invoke("ExecuteCommand",
new object[] { command );
}
}
Simple web client that wraps the invocation of the web service
method
To illustrate a relationship, the client
invocation and server method must be
bridged
Bridging can take a few different forms
◦ Automatic detection of relationships
◦ Manual description of relationships
Bridging is an abstract concept though
◦ How do we make it concrete?
A concrete relationship can be shown by
linking formal parameters
fin(ExecuteCommand, 0)
WebClient
WebService
fin(ExecuteCommand, 0)
Web Application
Web Client
Web Service
WebClient.dll
WebService.dll
WebClient
WebService
ExecuteCommand
ExecuteCommand
Enter Block
Enter Block
fin(0)
fin(0)
Describing indirect relationships improves the
quality of analysis information
Widens the scope for control flow and data
flow analysis
The Path Discovery peon can help illustrate
this
Designed to find reachable flow paths
◦ From a set of sources
◦ To a set of sinks
◦ Within a set of target assemblies
Current restrictions
◦ Requires the database fundamental
◦ Only operates on data flow information
Command Injection represents one type of
This can happen when user-controlled data is
used in conjunction with launching a process
For example, data passing…
security flaw found in managed applications
◦ From HttpRequest.get_QueryString
◦ To Process.Start
This should be easy to detect, right?
Finding data flow paths from get_QueryString
to Start can be problematic
Lowest level data flow information is
conveyed with respect to instructions
What if hundreds of assemblies are being
analyzed?
◦ Not enough physical memory!
Path Discovery makes use of generalized data
flow relationships
◦ Block-tier, method-tier, type-tier, etc…
Reachable paths are identified using a simple
algorithm
◦ Progressive Qualified Elaboration (PQE)
PQE is designed to reduce the amount of
analysis information that must be considered
Reachable paths are progressively found between source and
sink flow descriptors within a set of target assemblies
Tier
Information
Component
fout(Undefined)
Assembly
fout(System.Web)
Data Type
fout(System.Web.HttpRequest)
Method
fout(get_QueryString, 0)
Basic Block
fout(get_QueryString, 0)
Instruction
fout(get_QueryString, 0)
Sink flow
descriptor
Source flow
descriptor
Tier
Information
Component
fin(Undefined)
Assembly
fin(System)
Data Type
fin(System.Dia…Process)
Method
fin(Start, 0)
Basic Block
fin(Start, 0)
Instruction
fin(Start, 0)
Suppose there is some code in the web client
that does the following
◦ client.ExecuteCommand(request.QueryString[x]);
Bridging makes it possible to show a
complete data flow path from
get_QueryString to Start
Let’s see how we get there using PQE
◦ PQE starts from a macro-tier, such as the
component tier
Data flow Def-Use
relationships
between components
Interpretation:
In at least one
situation,
v uses data
defined by u
Data flow Def-Use
relationships
between assemblies
Data flow Def-Use
relationships
between data types
Data flow Def-Use
relationships
between methods
Data flow Def-Use
relationships
between blocks
Data flow Def-Use
relationships
between instructions
A complete data flow path is identified
Data flows across an indirect boundary
Without bridging, it would not be possible to
seamlessly perform this analysis
◦ This means the security issue would be missed
Note that the security issue exists in the web
service independent of the web client
◦ Example was meant to show simple indirect data flow
Import and analyze large data sets
◦ All PE modules from Windows Vista?
Improve database performance
◦ Optimization work has not started yet
◦ It is currently very slow
Implement additional peons
◦ Leak Check
And the list goes on…
Phoenix is an exciting project
Software analysis is fun & challenging
Hopefully the database stuff pans out
Questions?