CSW2017 chuanda ding_state of windows application security

Post on 21-Mar-2017


State of Windows Application Security: Shared Libraries

About the speaker

• Previously a software developer
• Chromium-based browser with security features

• Joined Tencent in 2014
• Security researcher
• Xuanwu Lab researches real-world security problems

• CanSecWest 2016 speaker
• QCon 2016 speaker

Previously…

• At CanSecWest 2016
• 55% of popular AVs can be exploited to escape the browser sandbox
• Reported and fixed… hopefully

Browser Sandboxes… What are they for?

• They contain the damage of code execution exploits
• They make it much harder for exploits to gain higher privileges

Sandbox Whitelist: Elevation Policy

[Diagram: Browser Renderer (Low Integrity Level Process) → Elevation Policy → Browser Broker (Medium Integrity Level Process); the Security Boundary lies between the two processes]

Example: Panda Internet Security

\Pandasecuritytb\dtuser.exe

• Elevation policy with silent Medium IL
• Run arbitrary command

dtuser.exe runappasadmin calc.exe

• Copy arbitrary file

dtuser.exe copyfile <origin> <target>

How to detect it automatically?

Project A'Tuin

• Automated installation
• Detect insecure characteristics and behaviors
• Provide searchable results

[Diagram: pipeline Crawl → Install → Trigger Behavior → Log, running on a Cluster with Offline Computation, exposed through a Frontend Interface]

Project A'Tuin

Example: Panda Internet Security

Diversity is Installers' Strength

Automated installation

• Search all top-level windows created by the installer
• In the whole screen area covered by the recorded windows, find the polygons that have the largest area and the highest contrast ratio
• Simulate input to the screen area inside the polygon
• Success rate 95%+; special-case the rest

What else did we find?

Typical Windows Application

[Diagram: Main Code plus Shared Libraries: MFC/Qt, OpenSSL, Image/Video/Audio Decoders, Network Libraries, WebKit, …]

The OpenSSL Landscape

The OpenSSL Landscape: Heartbleed

The OpenSSL Landscape: CVSS >= 9

Does your application have an embedded web browser?

Most likely.

Chromium Embedded Framework

• "CEF is a BSD-licensed open source project founded by Marshall Greenblatt in 2008 and based on the Google Chromium project"
• "CEF focuses on facilitating embedded browser use cases in third-party applications"
• "There are currently over 100 million installed instances of CEF around the world embedded in products from a wide range of companies and industries"

The CEF Landscape

QtWebKit

How can we find unknown shared libraries?

• Brainstorming?
• OpenSSL, zlib, Qt, what else?
• Many libraries are developed in-house and used inside one company
• A library issue may be shared among multiple pieces of software
• Outdated parsing/rendering/decoding libraries almost always indicate security issues

How can we find unknown shared libraries?

• Install every piece of software
• Extract all PE files
• Use a disassembler to extract function information
• IDAPython

• Record and compare function signatures across different software
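An added illustration of the last two steps, not code from the talk or from Project A'Tuin: it assumes a disassembler script has already dumped the raw bytes of each function per PE file, normalizes call/jmp rel32 operands so relinked copies of one library still match, and reports PE files from different products that share enough function signatures to suggest a common (possibly unknown) shared library. Product names and function bytes below are constructed.

```python
import hashlib
from collections import defaultdict
from itertools import combinations

def normalize(code: bytes) -> bytes:
    """Zero the rel32 operand of E8 (call) / E9 (jmp) so relinked builds match."""
    out = bytearray(code)
    i = 0
    while i < len(out):
        if out[i] in (0xE8, 0xE9) and i + 4 < len(out):
            out[i + 1:i + 5] = b"\0\0\0\0"
            i += 5
        else:
            i += 1
    return bytes(out)

def signature(code: bytes) -> str:
    """Compact function signature: hash of the normalized opcode bytes."""
    return hashlib.sha256(normalize(code)).hexdigest()[:16]

def index_functions(binaries):
    """{pe_path: [function_bytes, ...]} -> {signature: {pe_path, ...}}"""
    idx = defaultdict(set)
    for path, funcs in binaries.items():
        for code in funcs:
            idx[signature(code)].add(path)
    return idx

def shared_code(binaries, min_shared=3):
    """Pairs of PE files sharing >= min_shared signatures: a likely common library."""
    shared = defaultdict(set)
    for sig, paths in index_functions(binaries).items():
        for a, b in combinations(sorted(paths), 2):
            shared[(a, b)].add(sig)
    return {pair: sigs for pair, sigs in shared.items() if len(sigs) >= min_shared}

# Constructed sample (hypothetical products): app_a and app_b embed the same
# library, relinked so the call target in ENTRY differs; app_c shares one stub.
ENTRY = b"\x55\x8b\xec\xe8\x10\x00\x00\x00\x5d\xc3"   # push ebp; mov ebp,esp; call; pop ebp; ret
ZERO  = b"\x33\xc0\xc3"                                # xor eax,eax; ret
DEREF = b"\x8b\x44\x24\x04\x8b\x00\xc3"                # mov eax,[esp+4]; mov eax,[eax]; ret
SAMPLE = {
    "app_a/ssleay32.dll": [ENTRY, ZERO, DEREF, b"\x6a\x00\xe8\x00\x00\x00\x00\x83\xc4\x04\xc3"],
    "app_b/ssleay32.dll": [ENTRY.replace(b"\x10\x00", b"\x40\x01"), ZERO, DEREF],
    "app_c/viewer.exe":   [ZERO, b"\xb8\x01\x00\x00\x00\xc3"],
}
if __name__ == "__main__":
    for (a, b), sigs in shared_code(SAMPLE).items():
        print(f"{a} and {b} share {len(sigs)} function signatures")
```

Only app_a and app_b are paired: a single shared stub such as ZERO is common to unrelated binaries, which is why the threshold matters in practice.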

The Result

Recap

• A system that can automatically detect possible security issues
• Many applications still have old OpenSSL libraries that are affected by old vulnerabilities
• A new way to automatically detect shared libraries used in applications
• Detected over 4000 shared libraries in our sample, many of them unknown

Future work

• More behavior detection
• Go mobile
• Cross-platform clustering of results

A comprehensive report about shared library security will be released publicly later this year.

And the system may be opened to the public in the future.

Thanks. Chuanda Ding

Tencent Xuanwu Lab, xlab.tencent.com