Dynamic program analysis
RE-TRUST workshop, Meudon, March 19, 2009
Dynamic program analysis - Pierre Girard - March 19, 2009
Mission of the day
Give an overview of tools and procedures for dynamic software analysis in an industrial security lab
Agenda
Introduction
– Who, what, why and how
Analysis
– Static analysis
  – Software analysis
  – Hardware analysis
– Dynamic analysis
  – Software tools
  – Input / output tools
  – Hardware tools
Automatic software attack
WHO ?
Security labs, part of gemalto R&D
Mission: ensure that all gemalto products reach the targeted security level
Activities
– Research and innovation in cryptography and security
– Participate in standardisation
– Security architecture and design of products, protocols, OS, applications, VM, etc.
– Development and delivery of sensitive pieces of code (crypto. alg.)
– Preach best practices and train other departments
– Conduct design specification and code audits
– Internal or external evaluation of solutions and devices
– Support and services for customers
WHAT ?
Cards of course !
But so many things …
And software, and solutions !
Desktop PC software
Server side software
Operated / hosted software
Software as a service (SaaS)
WHY ?
Security
Software analysis of …
What we sell
– Security evaluation of final products
What we buy to build products or for internal use
– Verify security claims of vendors
– Compensate vulnerabilities by our software
What the hackers produce
– Understand the exploited vulnerabilities (cloning tools, DeSIMlocking tools, glitchers, unloopers, fake cards, etc.)
– Hacking tools are protected against analysis !
…
How ?
Several types of analysis
Hacker-like analysis (low-hanging fruit, random search, creativity)
Penetration testing (test plan, check list, etc.), CC approach
Security validation: show that counter-measures work
White box / black box / grey box
Analysis interpretation : assets identification, security policy, threats, risk analysis
Static software analysis
Tools
In black box
– IDA Pro
– JAD
In white box
– Source insight
– Eclipse + plugins
Why ?
– Architecture overview
– Algorithms and data analysis
– API used
– First security feeling (any obfuscation ?)
Static hardware analysis
Tools
Mechanical and chemical depackaging
Optical microscopy
Why
– Architecture overview
– Memories type and size, processor type
– Sensors and peripherals
– First security feeling
Dynamic software analysis with software
Tools
Debuggers
– Classic ones
– SoftICE (unfortunately discontinued !)
Monitoring tools
– XXMon (filemon, etc)
Global monitoring
Virtualization
– VirtualBox
Allows controlling the experimental conditions and quickly restoring a pristine state
Dynamic software analysis: I/O
Tools
Software
– Wireshark for IP
– Fuzzing tools
– Penetration test suites
Hardware
– USB chief for USB
– Proprietary for APDU
– Proxylab for contactless
I/O analysis goals
Traffic analysis
– Protocols analysis
– Identify security building blocks: encryption, randomness, challenge response, message integrity, etc.
Fuzzing, penetration tools
– Characterize behaviour and protections
– Find sensitive areas to explore later on with hand-crafted attacks
– Directly find vulnerabilities
Dynamic software analysis with hardware
Side-channel
Side channel
- Timing (T)
- Power (P)
- Electro-Magnetic Field (EM)
- Radio Frequency (RF)
- Probing
APDU command (ex: GenerateAC): 80 AE 40 00 1D …
Card response: 17 A3 … 59 - 90 00
RSA attack - reference key
Key value : 00 FF 00 F0 00 0F
M
S
RSA attack - secret key
1 1 0 0 1 0 1 0 1 1 0 0 0 1 1 0 1 0 0 1 0 0 0 1 0 1 0 1 1 0 1 1 1 1 1 1 1 0 0 1 0 1 0 0 1 0 1 0
2E C6 91 5B F9 4A
Key value : 4A F9 5B 91 C6 2E
Automatic software attacks
The idea: use SPA
The fault will be injected here
What is SPA for software
We need to measure something which is representative of an execution path
We chose to record the list of (address, opcode) pairs executed by the processor
We call this an execution trace
But how to record this ?
Basically we wrote a custom debugger
The Windows’ debugging API
[Diagram: message sequence between Custom debugger, System and Target code: CreateProcess, Debug event, Continue, …]
In practice
The debugging event we need is the execution of a single opcode
Process
– Stop the target process
– Access the saved registers
– Set the step bit from the debug register
– Resume the process
First result traces
Implemented enhancements
Track the created processes and threads
Stop tracing in Windows API
Don’t debug the target code step by step, but interrupt at end of a linear code section
Need to implement an instruction decoder
Non determinism (e.g. active polling)
Dynamically patch the code when traces differ
Current tool status
– Works only on protection at program start-up
– Just a proof of concept from 2002
– No plan for further developments
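An added example (not from the slides and not the tool they describe): comparing two execution traces made of (address, opcode) pairs while tolerating the active-polling non-determinism listed above. The sample traces, the function names and the loop-folding heuristic are assumptions made for illustration.

```python
from typing import List, NamedTuple, Optional, Tuple

Step = Tuple[int, str]  # one trace element: (address, opcode)

class Divergence(NamedTuple):
    index: int                    # position in the compared traces
    last_common: Optional[Step]   # last step both runs executed
    next_a: Optional[Step]        # what run A executed next (None: trace ended)
    next_b: Optional[Step]

def collapse_polling(trace: List[Step], max_period: int = 8) -> List[Step]:
    """Fold back-to-back repetitions of a short cycle of steps (a polling
    loop) into one iteration. Assumption: the iteration count of such loops
    is noise; this also hides real differences in counted loops."""
    out: List[Step] = []
    for step in trace:
        out.append(step)
        for p in range(1, max_period + 1):
            if len(out) >= 2 * p and out[-p:] == out[-2 * p:-p]:
                del out[-p:]      # drop the repeated iteration
                break
    return out

def first_divergence(a: List[Step], b: List[Step],
                     normalise: bool = True) -> Optional[Divergence]:
    """Return where two traces stop matching, or None if they are equal."""
    if normalise:
        a, b = collapse_polling(a), collapse_polling(b)
    n = min(len(a), len(b))
    i = next((k for k in range(n) if a[k] != b[k]), n)
    if i == len(a) == len(b):
        return None
    return Divergence(i, a[i - 1] if i else None,
                      a[i] if i < len(a) else None,
                      b[i] if i < len(b) else None)

# Constructed sample traces (not from the slides): two runs of the same
# start-up code; run B spins longer in the polling loop, then branches away.
HEAD = [(0x401000, "push ebp"), (0x401001, "mov ebp,esp")]
POLL = [(0x401010, "mov eax,[0x403000]"), (0x401015, "test eax,eax"),
        (0x401017, "jz 0x401010")]
CHECK = [(0x401019, "cmp eax,1"), (0x40101C, "jne 0x401030")]
RUN_A = HEAD + POLL * 3 + CHECK + [(0x40101E, "call 0x401100")]
RUN_B = HEAD + POLL * 7 + CHECK + [(0x401030, "xor eax,eax")]

if __name__ == "__main__":
    print("raw     :", first_divergence(RUN_A, RUN_B, normalise=False))
    print("folded  :", first_divergence(RUN_A, RUN_B))
```

Without folding, the comparison stops inside the polling loop, which is only timing noise; with folding, it reports the first step where the two runs really take different paths.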
Conclusion
Numerous tools are needed for very different types of analysis
Few tools are really convenient and powerful
Most of the time custom tools are needed
Automation is mandatory if you are not a hacker working overnight for free or if you don’t have a lab in low labour cost countries