to the native instruction context. The client/server architecture enables parallel develop-
ment and optimization of CBASS and TREE, and makes it easy to port either subsystem
to a different platform without affecting the other.
Currently, CBASS and TREE run on Windows and Linux, and support target programs
running on the x86 and Android/ARM platforms. CBASS is written in Jython, a Python
implementation on the JVM that can access Java objects and call Java libraries. CBASS
interfaces with REIL through the REIL Java library for IR translation. TREE is
implemented as an IDA Pro plug-in. TREE also uses Qt/PySide and extends the IDA
graph to support a number of visualization features and user interactions. During the
development of TREE, we found a number of bugs in both IDA and the REIL-related
tools. In most cases, the IDA and REIL developers responded to our bug reports
promptly and provided fixes in their latest releases.
In the remainder of this section, we will first provide an overview of our detailed
evaluation and then present a case study with a real-world application. Together, they
demonstrate the effectiveness of our system in supporting cross-platform interactive
security analysis.
5.1 Overview
We have conducted two sets of experiments. The first set consists of unit-level tests for
the CBASS and TREE subsystems. The second set consists of case studies using real-
world applications. At the unit-testing level, we used a large number of small binary
programs (each around 100 LOC) to check that the core analysis algorithms in TREE/CBASS
are implemented correctly. Each program applies one or more transformation functions to
the input (the taint source), and for each program we created a corresponding test oracle
stating which input bytes must be reported as reaching each result, so that the taint
labels produced by TREE and CBASS can be checked mechanically. The test programs are
compiled on different platforms (Windows, Linux, and Android) using different compilers
(VC, GCC) with various optimization settings. This also allows us to evaluate the
effectiveness of our front-end subsystems, which are crucial for the cross-platform analysis.
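As an added illustration of what such a unit test and its oracle look like, the following C program is written in the spirit of the test programs described above; it is constructed for this page and is not one of the TREE/CBASS test programs, and the byte-level shadow propagation it carries (the taint_t masks) is a reference model written for the example, not CBASS's engine. Input bytes flow through an XOR, a pairwise sum, a table lookup and a constant overwrite into a branch (the sink); the oracle is the closed-form set of input offsets that must be reported for each result byte, and the check compares the two. The table-lookup step is included deliberately, since a tainted index selecting from a constant table is a common place for a propagation engine to under-taint.

```c
/* Constructed example: a taint unit test with a closed-form oracle.
 * taint_t is a bitmask over input offsets 0..15 (bit i set => input byte i
 * influences the value). This shadow propagation is a reference model for
 * the example, not the CBASS implementation. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define IN_LEN  16
#define MID_LEN 8
typedef uint32_t taint_t;

static const uint8_t LOOKUP[16] = { 0x10,0x32,0x54,0x76,0x98,0xBA,0xDC,0xFE,
                                    0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF };

/* T1: byte-wise XOR with a constant key; taint passes through unchanged. */
static void t_xor(const uint8_t *in, const taint_t *tin,
                  uint8_t *out, taint_t *tout, size_t n) {
    for (size_t i = 0; i < n; i++) { out[i] = in[i] ^ 0x5A; tout[i] = tin[i]; }
}

/* T2: pairwise sum halves the buffer; each result depends on two input bytes. */
static void t_pairsum(const uint8_t *in, const taint_t *tin,
                      uint8_t *out, taint_t *tout, size_t n) {
    for (size_t i = 0; i < n / 2; i++) {
        out[i]  = (uint8_t)(in[2 * i] + in[2 * i + 1]);
        tout[i] = tin[2 * i] | tin[2 * i + 1];
    }
}

/* T3: table lookup. The value comes from a constant table, but it is selected
 * by a tainted index, so the result must inherit the index's taint. */
static void t_lookup(const uint8_t *in, const taint_t *tin,
                     uint8_t *out, taint_t *tout, size_t n) {
    for (size_t i = 0; i < n; i++) { out[i] = LOOKUP[in[i] & 0x0F]; tout[i] = tin[i]; }
}

/* T4: a constant overwrite of byte 0 must clear its taint. */
static void t_const(uint8_t *buf, taint_t *tbuf) { buf[0] = 0x00; tbuf[0] = 0; }

/* Runs the pipeline on the constructed sample input; fills out/tout and
 * returns the sink branch outcome (a branch on out[3]). */
static int run_pipeline(uint8_t out[MID_LEN], taint_t tout[MID_LEN]) {
    uint8_t input[IN_LEN], a[IN_LEN], b[MID_LEN];
    taint_t tin[IN_LEN], ta[IN_LEN], tb[MID_LEN];
    for (size_t i = 0; i < IN_LEN; i++) {
        input[i] = (uint8_t)(0x20 + i);      /* constructed sample input */
        tin[i]   = (taint_t)1u << i;         /* label byte i of the taint source */
    }
    t_xor(input, tin, a, ta, IN_LEN);
    t_pairsum(a, ta, b, tb, IN_LEN);
    t_lookup(b, tb, out, tout, MID_LEN);
    t_const(out, tout);
    return out[3] == 0xFE;                   /* sink: depends on input bytes 6 and 7 */
}

/* Oracle: expected taint of result byte i, derived from the pipeline structure. */
static taint_t oracle_taint(size_t i) {
    if (i == 0) return 0;                    /* cleared by t_const */
    return ((taint_t)1u << (2 * i)) | ((taint_t)1u << (2 * i + 1));
}

/* Returns the taint label the analysis reports at the sink (out[3]). */
static taint_t sink_taint(void) {
    uint8_t out[MID_LEN]; taint_t tout[MID_LEN];
    run_pipeline(out, tout);
    return tout[3];
}

/* Returns 1 when every propagated label matches the oracle, else 0. */
static int check_oracle(void) {
    uint8_t out[MID_LEN]; taint_t tout[MID_LEN];
    run_pipeline(out, tout);
    for (size_t i = 0; i < MID_LEN; i++)
        if (tout[i] != oracle_taint(i)) return 0;
    return 1;
}

int main(void) {
    printf("oracle %s; sink tainted by mask 0x%02X\n",
           check_oracle() ? "passed" : "FAILED", (unsigned)sink_taint());
    return 0;
}
```

The oracle is deliberately written in closed form rather than by re-running the transformations, so that a bug in the propagation rules (for example, dropping the index taint in the lookup, or failing to clear taint on the constant store) shows up as a mismatch rather than being reproduced on both sides of the comparison. The sink label, input bytes 6 and 7, is exactly the "chain of critical events" an analyst expects the tool to surface for that branch.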
With real-world applications, the goal of our case study is to evaluate the effective-
ness of TREE/CBASS in analyzing vulnerabilities. More specifically, we would like to
know whether security analysts, armed with our tool, can quickly discover the chain
of critical events leading to the real vulnerability. Toward this end, we have selected
a set of Windows/Linux applications with known vulnerabilities. Table 4 shows the
statistics of the benchmark programs. In the following, we briefly describe each
vulnerability and then focus on WMF (CVE-2005-4560) to explain in detail how
TREE/CBASS can help reduce the analysis time required to identify the root cause.
The first two columns in Table 4 show the application name, version, and vulnera-
bility identifier. Both the WMF (CVE-2005-4560) and the ANI (CVE-2007-0038) vul-
nerabilities were present on many Windows versions prior to Windows Vista, and could
be triggered by applications including Picture and Fax Viewer, Internet Explorer, Win-
dows Explorer, and various email viewers. Audio Code 0.8.18 has a buffer overflow
vulnerability that can be triggered when adding a crafted playlist (.lst) file. This vul-
nerability can enable arbitrary code execution. Streamcast 0.9.75 has a stack buffer
overflow, allowing attackers to use the HTTP User-Agent field to overwrite the return
address of a function call. POP Peeper 3.4.0.0, an email agent, has a vulnerability in