GUIDE to (mostly)
More on Shortcuts to Discovering New Ways
to Break into Computers
*** Disassemblers and Decompilers
Many companies, for example Microsoft, ship products that
hide what appear to be an almost infinite number of break-in
vulnerabilities. They try to hide these problems by keeping their
source code secret. Indeed, this does make your job harder but
not impossible. In fact, it might even be easier because these
programs usually have many more hidden flaws than programs for
which you can get source code.
One solution to lack of source code is get it anyhow. Nope,
I am not suggesting that you steal code. There are legal, fun
ways to get it (sometimes). A disassembler program can take a
compiled program and convert it into assembly language, which
a sufficiently talented programmer can analyze. The problem with
disassemblers is that they can only process small programs. Despite
this, they are still the tools of choice to analyze worms, viruses,
CGI and other small programs.
Newbie note: Assembly language is specific
to a type of central processing unit (CPU). The assembly language
for a Motorola PowerPC CPU (used by Apple computers) is different
from that used by the Intel compatible CPUs, and both of these
are different from the assembly language used by Sun SPARC CPUs.
The big problem with using a disassembler is that assembly
code takes a lot of brain power to understand. If at all possible,
you want to get source code in a high level language because
it is much easier to understand. They have obvious commands such
as "goto" (for example in FORTRAN), "include"
(for example in C) or "macrocopy" (MS Office macro
programming). By contrast, examples of assembly language commands
are "je" and "lea".
Some free decompilers and disassemblers are:
· The SourceTec Java decompiler: http://www.sothink.com/decompiler/index.htm
· Interactive Disassembler: http://www.datarescue.com
· IDA-Pro: http://www.idapro.com
It's pretty hard go through the output of a disassembler or
even a decompiler and figure our what represents security flaws.
Oftentimes it is easier to find flaws by running a program through
a debugger, which operates a program one step at a time and allows
you to view what is in memory at each step. Of course, you need
to understand what all those things in memory mean: another good
excuse to get that college degree!
Some examples of debuggers are:
· SoftIce: http://www.compuware.com
· Dumpbin, a Windows program that is bundled with the
Microsoft C++ compiler
· Free Microsoft debugging tool for 32-bit systems: http://www.microsoft.com/whdc/devtools/debugging/installx86.mspx
· Free Microsoft debugging tool for 64-bit systems: http://www.microsoft.com/whdc/devtools/debugging/install64bit.mspx
· OllyDbg: http://www.ollydbg.de/
· Microsoft Visual C++ Debugger
· WinDbg: http://support.microsoft.com/kb/q201793/
Tutorials on how to use debuggers:
· Tutorial on WinDbg debugging tool: http://www.codeproject.com/debug/windbg_part1.asp
· Tutorial on Windows debugging: http://www.microsoft.com/whdc/devtools/debugging/default.mspx
*** Fault Injection
Some programs are staggeringly large. The Windows XP operating
systems confront the analyst/hacker with forty million lines
of code. No decompiler or even debugger can do much with such
a big program. Nevertheless, there are ways to get around this.
A program that automatically tests suspect code with "fault
injection" tools will often discover security flaws. Fault
injection means entering data or commands to the program that
cause bugs to show up. Examples are a database query that commands
the server to erase everything, or a ridiculously long web browser
URL that infects a webserver with a worm, as was the case with
the Nimda and various Code Red worms.
An excellent book on the topic is Software Fault Injection: Innoculating Programs
Against Errors, by Jeffrey Voas and Gary McGraw. Actually,
that's Gary McGraw, Ph.D. He's one of the most brilliant people
at finding computer security flaws, and his Ph.D. has something
to do with it.
Some examples of fault injection tools are:
· Hailstorm: http://Cenzic.com
· Failure Simulation Tool: http://Cigital.com (McGraw's company)
· Holodeck: http://www.securityinnovation.com/holodeck/index.shtml
Back to the Guides to (mostly)
Harmless Hacking --->>