title WebLog #535 Topic: 2007-01-02 22.47.42 matt: automated code analysis audience prep (updated)

Our classes on finding exploitable bugs with automated code analysis are in demand. We'll be teaching the class again, as well as giving talks, at various points during the year. For people attending some or all of these events, here is some reading to prepare you.

/more

The current upcoming classes are at /link http://www.rsaconference.com/2007/us/content/tutorials/ RSA 2007 and /link http://blackhat.com/html/bh-europe-07/train-bh-eu-07-index.html BlackHat Europe 2007 . There was also a talk on the subject at the /link http://events.ccc.de/congress/2006/Fahrplan/events/1694.en.html Chaos Computer Congress in Germany.

The class has been retooled from the version we gave at BlackHat USA in 2006, based on feedback from students. We now use several open source binary code analyzers for our examples, including /link http://findbugs.sf.net findbugs and /link http://bugreport.sf.net bugreport , among others. There is less material on the coding process for a given piece of analysis and more on the theory and explanation of existing implementations, mainly for pacing reasons. We have also enhanced the slides and presentation with more diagrams and detail.

On the static analysis side, there are just a few papers that I recommend:

/list(
/link http://citeseer.ist.psu.edu/venet04precise.html The legendary "Venet and Brat" paper. Does a good job of explaining bottom-up analysis.
/link http://www.cs.wisc.edu/wisa/papers/ccs03/p351-ganapathy.pdf Buffer Overrun Detection. Has a great discussion of finding exploits in wuftpd and introduces the idea of constraints.
/link http://suif.stanford.edu/~livshits/papers/pdf/usenixsec05.pdf Finding Security Vulnerabilities in Java Applications with Static Analysis
/link http://findbugs.sourceforge.net/docs/oopsla2004.pdf A paper with some background on the inner workings of findbugs.
We use the source code of findbugs as the implementation example in the class. We go over it in a very comprehensive manner, but reading this paper beforehand may be helpful.
/list)

These are pretty accessible and practical for academic papers, and they will provide good context for the static analysis portions of the BlackHat class and Defcon talk. If you don't grok it all at first, just having the conceptual seeds planted will help prepare you for the class and/or talk. The first two papers analyze C programs, the last two Java. A lot of people think that analyzing native x86 binaries and Java bytecode binaries is wildly different; it actually isn't. We'll get into that in the BlackHat class, but probably not much in the Defcon talk due to time constraints. Note that none of the details in the classes or talks are proprietary in any way; every concept discussed will be attributed to its public sources, most of which are the links above.

/link http://jeru.ringzero.net Luis Miras wrote illustrative code in C# for the /link http://www.blackhat.com/html/bh-usa-06/train-bh-us-06-mh.html BlackHat class and /link http://www.defcon.org/html/defcon-14/dc-14-speakers.html#Hargett Defcon talks, completely clean-room separated from me for legal and personal reasons. I've been having him go through a kind of C# and Test-Driven Development crash course similar to the one I've used successfully with several teams and individuals over the last few years.

Going through some of the materials below will also help attendees of these events participate more effectively in the optional programming material, if they choose to do so. Don't be scared off: it's suggested reading for attendance, and only required to participate in the optional programming. Knowledge of C# is *NOT* required for the class.
/link http://www.amazon.com/exec/obidos/ASIN/0974514020/matthargettbl-20/104-4343743-2975935?%5Fencoding=UTF8&camp=1789&link%5Fcode=xm2 Pragmatic Unit Testing in C# (pp. 1-70) and, if you get through those, /link http://www.amazon.com/exec/obidos/ASIN/0735621632/matthargettbl-20/002-0958200-4608060?ie=UTF8&camp=1789&link%5Fcode=xm2 CLR via C#, 2nd Edition (pp. 3-32, 97-238, 285-386). The code examples all appear to work with /link http://www.mono-project.com mono 1.2.x and /link http://sharpdevelop.net SharpDevelop 2.1 as well as Visual Studio .NET and Microsoft .NET, so no whining. ;> /dis