Friday, June 21, 2019

Dr. Binary: searching statically linked vulnerable functions in minutes

1. Introduction

 A complex software product often contains packages, libraries, or modules made by third parties, and these third-party components may again contain components from other sources. This is known as the software supply chain. Software supply chains are increasingly complicated, and it can be hard to detect statically-linked copies of vulnerable third-party libraries in executables. 

This blog post discusses how to use Dr. Binary to search statically linked vulnerable functions in executables.  We built httpd with statically linked OpenSSL library 1.0.2a. This OpenSSL has many known vulnerabilities (e.g., CVE-2015-1788). They are statically linked so such vulnerability cannot be detected simply by version based detection approaches. The following paragraphs will illustrate how to use Dr. Binary to identify this statically linked vulnerable function. 

2. Conduct the Scan

  • Create an account on Dr. Binary 

  • Create vulnerability information

As discussed in last blog, users can create their only vulnerability database, or use the vulnerability database provided by Dr. Binary.  In this example, we use the OpenSSL vulnerability database provided by Dr. Binary.

  • Click projects on left aside menu and create a new project named httpd and upload the httpd binary file [1] to this project.

  • Now create the scan, and in the popup windows, you can specify the file (httpd) and vulnerability (OpenSSL) you want to scan, click "OK".

Figure 1: add a scan. 

Now you can see a status update.  Dr. Binary take the binary and running the analysis.  It may take several minutes to get the results.

3. Analyze the results

Figure 2 Analysis Results
Click the scan name, and enter the analysis results. Now you will see a list of potential vulnerabilities found by Dr. Binary.   Click any one of them, for example, CVE-2015-1788.

Figure 3 CVE-2015-1788
Now you see the details about the CVE-2015-1788.  The right column displays the actual control flow graph of  CVE-2015-1788 that Dr. Binary extracted from the vulnerability database. The left column displays a list of functions' control flow graphs that are most similar to the vulnerability CVE-2015-1788.  By comparing the CFGs, you can identify that the uploaded binary httpd does have the vulnerability CVE-2015-1788.  Repeat this process for every CVE, and finally, we confirmed that the scanned binary httpd contains the vulnerability CVE-2015-1788, CVE-2003-0107, and CVE-2014-5119.

No comments:

Post a Comment