Finding Bugs in Closed-source Software: An Open-source Static Binary Analysis Tool (written in Rust) (froscon2024) episode artwork

EPISODE · Aug 18, 2024 · 55 MIN

Finding Bugs in Closed-source Software: An Open-source Static Binary Analysis Tool (written in Rust) (froscon2024)

from Chaos Computer Club - archive feed · host vo

Building a product with an entirely open-source software stack is still challenging at best - sometimes even infeasible. The past has shown that vulnerabilities in closed-source components may be exploited by attackers to undermine the security of a system. Attackers invest a considerable amount of effort and expertise into reverse-engineering these components to uncover complex vulnerabilities. Manufacturers that rely on closed source components oftentimes have neither the resources not the expertise to perform the same level of auditing. This imbalance leads to security issues in the final product that may directly impact its users. The cwe_checker is an open-source research prototype that performs static analysis of binary code to find potential vulnerabilities. It currently supports the analysis of Linux user space programs and kernel modules as well as bare-metal firmwares. Our goal is to reduce the time and expertise needed by vendors to thoroughly audit their closed-source dependencies. The talk will start with a short introduction to the general problem area, as outlined in the abstract, and proceed by introducing the goals behind the cwe_checker. It continues with a presentation of the idea, requirements, and high-level architecture of the cwe_checker. In its main part, the talk will walk through the development of a simple data-flow analysis that detects instances of CWE252 (Unchecked Return Value). It will cover both, conceptual aspects behind the static analysis algorithm and the concrete code that implements it using the internal cwe_checker APIs. Finally, the algorithm will be used to find unchecked return values of `copy_from_user`, a programming error that is almost certainly exploitable, in non-upstream Linux device drivers taken from embedded device firmware images. To conclude the talk, an overview of other available analyses as well as possible directions for future research will be given. Students interested in Rust and program analysis are invited to contact us for thesis projects and internship opportunities. External contributions to the cwe_checker have unfortunately been uncommon due to the steep learning curve and absence of walkthrough-style documentation. (There is detailed rustdoc documentation of all APIs.) It is hoped that this talk will equip interested listeners with information to start developing their own analysis ideas within the cwe_checker. about this event: https://programm.froscon.org/2024/events/3064.html

Episode metadata supplied by the publisher feed · Published Aug 18, 2024

Building a product with an entirely open-source software stack is still challenging at best - sometimes even infeasible. The past has shown that vulnerabilities in closed-source components may be exploited by attackers to undermine the security of a system. Attackers invest a considerable amount of effort and expertise into reverse-engineering these components to uncover complex vulnerabilities. Manufacturers that rely on closed source components oftentimes have neither the resources not the expertise to perform the same level of auditing. This imbalance leads to security issues in the final product that may directly impact its users. The cwe_checker is an open-source research prototype that performs static analysis of binary code to find potential vulnerabilities. It currently supports the analysis of Linux user space programs and kernel modules as well as bare-metal firmwares. Our goal is to reduce the time and expertise needed by vendors to thoroughly audit their closed-source dependencies. The talk will start with a short introduction to the general problem area, as outlined in the abstract, and proceed by introducing the goals behind the cwe_checker. It continues with a presentation of the idea, requirements, and high-level architecture of the cwe_checker. In its main part, the talk will walk through the development of a simple data-flow analysis that detects instances of CWE252 (Unchecked Return Value). It will cover both, conceptual aspects behind the static analysis algorithm and the concrete code that implements it using the internal cwe_checker APIs. Finally, the algorithm will be used to find unchecked return values of `copy_from_user`, a programming error that is almost certainly exploitable, in non-upstream Linux device drivers taken from embedded device firmware images. To conclude the talk, an overview of other available analyses as well as possible directions for future research will be given. Students interested in Rust and program analysis are invited to contact us for thesis projects and internship opportunities. External contributions to the cwe_checker have unfortunately been uncommon due to the steep learning curve and absence of walkthrough-style documentation. (There is detailed rustdoc documentation of all APIs.) It is hoped that this talk will equip interested listeners with information to start developing their own analysis ideas within the cwe_checker. about this event: https://programm.froscon.org/2024/events/3064.html

PodParley-generated summary based on available episode metadata and transcript content.

NOW PLAYING

Finding Bugs in Closed-source Software: An Open-source Static Binary Analysis Tool (written in Rust) (froscon2024)

0:00 55:21

No transcript for this episode yet

We transcribe on demand. Request one and we'll notify you when it's ready — usually under 10 minutes.

LIGHTS, CAMERA, SMILE! Creatives Club Media Lights, Camera, Smile, is a podcast for anyone with a dream to share something with the world, out of the overflow of themselves - be it their mind, their heart, their personalities, and much more. Each of us are alive in this moment in time, with an innate ability to have ideas and create various things to benefit both ourselves and the people around us for a reason, and here, you will find the encouragement, the inspiration, and the motivation to do just that. Hosted by Cicily, founder of Creatives Club, she dives into various topics surrounding creativity and business. Exploring entrepreneurship for creatives in a corporate reality, sharing tips and tricks in a media centered company, answering questions regarding what a creative actually is are just a few of the things discussed on this podcast. Be encouraged to create for yourself as Cicily gets vulnerable by pivoting the camera to herself for the first time.To submit questions for Cicily to answer, or have her address certain t The PFN Cincinnati Bengals Podcast Pro Football Network The PFN Cincinnati Bengals Podcast is where you can stay up-to-date with the latest news and analysis on the Cincinnati Bengals! Our hosts, industry experts Jay Morrison and Dallas Robinson, provide weekly coverage of all the latest rumors and updates about the Bengals. Don’t forget to follow the show to receive new episodes directly in your podcast feed and leave a rating and review to let us know your thoughts. Piramidi Club The Bitcoin Butcher La Migliore Pizza di Firenze Blue Light News Archive Blue Light News is an innovative new Internet radio show devoted to covering the news of Unicoi County in a unique and interesting way.

Frequently Asked Questions

How long is this episode of Chaos Computer Club - archive feed?

This episode is 55 minutes long.

When was this Chaos Computer Club - archive feed episode published?

This episode was published on August 18, 2024.

What is this episode about?

Building a product with an entirely open-source software stack is still challenging at best - sometimes even infeasible. The past has shown that vulnerabilities in closed-source components may be exploited by attackers to undermine the security of a...

Can I download this Chaos Computer Club - archive feed episode?

Yes, you can download this episode by clicking the download button on the episode player, or subscribe to the podcast in your preferred podcast app for automatic downloads.
URL copied to clipboard!