bug hunting with structural code search
play

Bug Hunting with Structural Code Search Rijnard van Tonder @rvtond - PowerPoint PPT Presentation

Dec 03, 2023 •367 likes •1.03k views

Bug Hunting with Structural Code Search Rijnard van Tonder @rvtond grep Regular expression search for plain text Good for bug hunting 2 grep example on libssh2 ALLOC\([^,]*,[^;]*[*][^;]*\); 3 [1]

  1. Bug Hunting with Structural Code Search Rijnard van Tonder @rvtond

  2. grep ‣ Regular expression search for plain text ‣ Good for bug hunting � 2

  3. grep example on libssh2 ALLOC\([^,]*,[^;]*[*][^;]*\); � 3 [1] https://papers.put.as/papers/macosx/2013/SyScan2013_Stefan_Esser_Mountain_Lion_iOS_Vulnerabilities_Garage_Sale.pdf

  4. grep example on libssh2 ALLOC\([^,]*,[^;]*[*][^;]*\); � 4

  5. grep example on libssh2 ALLOC\([^,]*,[^;]*[*][^;]*\); session->userauth_kybd_num_prompts = _libssh2_ntohu32(s); s += 4; if(session->userauth_kybd_num_prompts) { session->userauth_kybd_num_prompts); } session->userauth_kybd_prompts = LIBSSH2_ALLOC(session, LIBSSH2_ALLOC(session, sizeof(LIBSSH2_USERAUTH_KBDINT_PROMPT) * sizeof(LIBSSH2_USERAUTH_KBDINT_PROMPT) * session->userauth_kybd_num_prompts); if (!session->userauth_kybd_prompts) { _libssh2_error(session, LIBSSH2_ERROR_ALLOC, The bug: attacker controlled alloc size => integer overflow � 5

  6. grep example on libssh2 ALLOC\([^,]*,[^;]*[*][^;]*\); session->userauth_kybd_num_prompts = _libssh2_ntohu32(s); s += 4; if(session->userauth_kybd_num_prompts) { session->userauth_kybd_num_prompts); } session->userauth_kybd_prompts = LIBSSH2_ALLOC(session, LIBSSH2_ALLOC(session, sizeof(LIBSSH2_USERAUTH_KBDINT_PROMPT) * sizeof(LIBSSH2_USERAUTH_KBDINT_PROMPT) * session->userauth_kybd_num_prompts); if (!session->userauth_kybd_prompts) { _libssh2_error(session, LIBSSH2_ERROR_ALLOC, � 6

  7. grep example on libssh2 ALLOC\([^,]*,[^;]*[*][^;]*\); session->userauth_kybd_num_prompts = _libssh2_ntohu32(s); s += 4; if(session->userauth_kybd_num_prompts) { session->userauth_kybd_num_prompts); } session->userauth_kybd_prompts = LIBSSH2_ALLOC(session, LIBSSH2_ALLOC(session, sizeof(LIBSSH2_USERAUTH_KBDINT_PROMPT) * sizeof(LIBSSH2_USERAUTH_KBDINT_PROMPT) * session->userauth_kybd_num_prompts); if (!session->userauth_kybd_prompts) { _libssh2_error(session, LIBSSH2_ERROR_ALLOC, � 7

  8. grep example on libssh2 ALLOC\([^,]*,[^;]*[*][^;]*\); METASYNTAX (REPEAT) � 8

  9. grep example on libssh2 ALLOC\([^,]*,[^;]*[*][^;]*\); TEXT (MULTIPLY OP) � 9

  10. grep example on libssh2 ALLOC\([^,]*,[^;]*[*][^;]*\); session->userauth_kybd_num_prompts = _libssh2_ntohu32(s); s += 4; TEXT TEXT if(session->userauth_kybd_num_prompts) { session->userauth_kybd_prompts = (MULTIPLY OP) (MULTIPLY OP) LIBSSH2_ALLOC(session, LIBSSH2_ALLOC(session, sizeof(LIBSSH2_USERAUTH_KBDINT_PROMPT) * sizeof(LIBSSH2_USERAUTH_KBDINT_PROMPT) * session->userauth_kybd_num_prompts); session->userauth_kybd_num_prompts); if (!session->userauth_kybd_prompts) { _libssh2_error(session, LIBSSH2_ERROR_ALLOC, � 10

  11. grep example on libssh2 ALLOC\([^,]*,[^;]*[*][^;]*\); session->userauth_kybd_num_prompts = _libssh2_ntohu32(s); s += 4; if(session->userauth_kybd_num_prompts) { session->userauth_kybd_prompts = LIBSSH2_ALLOC(session, LIBSSH2_ALLOC(session, sizeof(LIBSSH2_USERAUTH_KBDINT_PROMPT) * sizeof(LIBSSH2_USERAUTH_KBDINT_PROMPT) * session->userauth_kybd_num_prompts); session->userauth_kybd_num_prompts); if (!session->userauth_kybd_prompts) { _libssh2_error(session, LIBSSH2_ERROR_ALLOC, � 11

  12. grep example on libssh2 ALLOC\([^,]*,[^;]*[*][^;]*\); ‣ Code structure matters � 12

  13. grep example on libssh2 ALLOC\([^,]*,[^;]*[*][^;]*\); ‣ Code structure matters � 13

  14. grep example on libssh2 ALLOC\([^,]*,[^;]*[*][^;]*\); ‣ Code structure matters ‣ Can we do better? � 14

  15. grep example on libssh2 ALLOC\([^,]*,[^;]*[*][^;]*\); � 15

  16. comby grep example on libssh2 ALLOC\([^,]*,[^;]*[*][^;]*\); � 16

  17. comby grep example on libssh2 ALLOC\([^,]*,[^;]*[*][^;]*\); ALLOC(:[1],:[2]*:[3]); � 17

  18. comby grep example on libssh2 ALLOC\([^,]*,[^;]*[*][^;]*\); ALLOC(:[1],:[2]*:[3]); HOLES BIND IDENTIFIERS TO SYNTAX � 18

  19. comby grep example on libssh2 ALLOC\([^,]*,[^;]*[*][^;]*\); ALLOC(:[1],:[2]*:[3]); CONCRETE SYNTAX � 19

  20. comby grep example on libssh2 ALLOC\([^,]*,[^;]*[*][^;]*\); ALLOC(:[1],:[2]*:[3]); BALANCED DELIMITERS � 20

  21. comby grep example on libssh2 ALLOC\([^,]*,[^;]*[*][^;]*\); ALLOC(:[1],:[2]*:[3]); BALANCED NESTED CODE STRUCTURES. DELIMITERS LANGUAGE-AWARE. � 21

  22. comby supports ~all the languages Assembly, Bash, C/C++, C#, Clojure, CSS, Dart, Elm, Elixir, Erlang, Fortran, F#, Go, Haskell, HTML/XML, Java, Javascript, JSX, JSON, Julia, LaTeX, Lisp, Nim, OCaml, Pascal, PHP, Python, Reason, Ruby, Rust, Scala, SQL, Swift, Plain Text, TSX, Typescript � 22

  23. comby supports ~all the languages Assembly, Bash, C/C++, C#, Clojure, CSS, Dart, Elm, Elixir, Erlang, Fortran, F#, Go, Haskell, HTML/XML, Java, Javascript, JSX, JSON, Julia, LaTeX, Lisp, Nim, OCaml, Pascal, PHP, Python, Reason, Ruby, Rust, Scala, SQL, Swift, Plain Text, TSX, Typescript � 23

  24. comby on the command line Find video file at the link https://drive.google.com/open?id=1Ba-sOhmhRKCrUbdJVvh7mCyoj1aHMMZz � 24

  25. comby on the Linux Kernel � 25 [1] https://en.wikipedia.org/wiki/Tux_(mascot)#/media/File:Tux.png

  26. comby on the Linux Kernel � 26 [1] https://en.wikipedia.org/wiki/Tux_(mascot)#/media/File:Tux.png [2] https://securitylab.github.com/disclosures

  27. comby on the Linux Kernel � 27 [1] https://en.wikipedia.org/wiki/Tux_(mascot)#/media/File:Tux.png [2] https://securitylab.github.com/disclosures [3] https://lkml.org/lkml/2019/9/9/487

  28. comby on the Linux Kernel _ alloc workqueue is not getting checked � 28 [1] https://en.wikipedia.org/wiki/Tux_(mascot)#/media/File:Tux.png [2] https://securitylab.github.com/disclosures [3] https://lkml.org/lkml/2019/9/9/487

  29. comby on the Linux Kernel alloc_workqueue(:[args]); _ alloc workqueue is not getting checked � 29 [1] https://en.wikipedia.org/wiki/Tux_(mascot)#/media/File:Tux.png [2] https://securitylab.github.com/disclosures [3] https://lkml.org/lkml/2019/9/9/487

  30. comby on the Linux Kernel alloc_workqueue(:[args]); WON’T MATCH COMMENTS � 30

  31. comby on the Linux Kernel alloc_workqueue(:[args]); 274 CALLS � 31

  32. comby on the Linux Kernel alloc_workqueue(:[args]); ppd->hfi1_wq = alloc_workqueue( "hfi%d_%d", WQ_SYSFS | WQ_HIGHPRI | WQ_CPU_INTENSIVE | WQ_MEM_RECLAIM, HFI1_MAX_ACTIVE_WORKQUEUE_ENTRIES, dd->unit, pidx); if (!ppd->hfi1_wq) goto wq_error; USUALLY FOLLOWED BY AN ‘IF’ CHECK � 32

  33. comby on the Linux Kernel alloc_workqueue(:[args]); :[[word]] where :[[word]] != “if” RULES PLACE CONSTRAINTS ON MATCHES � 33

  34. comby on the Linux Kernel alloc_workqueue(:[args]); :[[word]] where :[[word]] != “if” cgroup_destroy_wq = alloc_workqueue("cgroup_destroy", 0, 1); BUG_ON(!cgroup_destroy_wq); SOMETIMES A DIFFERENT FLAVOR � 34

  35. comby on the Linux Kernel alloc_workqueue(:[args]); :[[word]] where :[[word]] != “if”, :[[word]] != “BUG_ON” � 35

  36. comby on the Linux Kernel alloc_workqueue(:[args]); :[[word]] where :[[word]] != “if”, :[[word]] != “BUG_ON” ‣ 38 calls left � 36

  37. comby on the Linux Kernel alloc_workqueue(:[args]); :[[word]] where :[[word]] != “if”, :[[word]] != “BUG_ON” ‣ 38 calls left ‣ 1.5 minutes � 37

  38. comby on the Linux Kernel alloc_workqueue(:[args]); :[[word]] where :[[word]] != “if”, :[[word]] != “BUG_ON” ‣ 38 calls left ‣ 1.5 minutes drivers/scsi/lpfc/lpfc_init.c 45 /* The lpfc_wq workqueue for deferred irq use */ 46 phba->wq = alloc_workqueue("lpfc_wq", WQ_MEM_RECLAIM, 0); � 38

  39. comby on the Linux Kernel alloc_workqueue(:[args]); :[[word]] where :[[word]] != “if”, :[[word]] != “BUG_ON” ‣ 38 calls left ‣ 1.5 minutes drivers/staging/rtl8723bs/hal/rtl8723b_hal_init.c 4500 adapter->priv_checkbt_wq = alloc_workqueue("sdio_wq", 0, 0); 4501 INIT_DELAYED_WORK(&adapter->checkbt_work, (void *)check_bt_status_work); � 39

  40. comby on the Linux Kernel logger->log_workqueue = create_singlethread_workqueue("cros_usbpd_log"); + if (!logger->log_workqueue) + return -ENOMEM; � 40 [1] https://lore.kernel.org/lkml/20190911201100.11483-1-navid.emamdoost@gmail.com/

  41. comby on the Linux Kernel alloc_workqueue(:[args]); :[[word]] create_singlethread_workqueue(:[args]); logger->log_workqueue = create_singlethread_workqueue("cros_usbpd_log"); + if (!logger->log_workqueue) + return -ENOMEM; � 41 [1] https://lore.kernel.org/lkml/20190911201100.11483-1-navid.emamdoost@gmail.com/

  42. comby on cpython Modules/_io/winconsoleio.c ... 996 if (!wlen) 997 return PyErr_SetFromWindowsErr(0); 998 999 wbuf = (wchar_t*)PyMem_Malloc(wlen * sizeof(wchar_t)); 1000 1001 Py_BEGIN_ALLOW_THREADS 1002 wlen = MultiByteToWideChar(CP_UTF8, 0, b->buf, len, wbuf, wlen); 1003 if (wlen) { 1004 res = WriteConsoleW(self->handle, wbuf, wlen, &n, NULL); ... � 42 [1] https://commons.wikimedia.org/wiki/File:Python-logo-notext.svg

  43. comby on kubernetes � 43 [1] https://en.wikipedia.org/wiki/Kubernetes#/media/File:Kubernetes_logo_without_workmark.svg

  44. comby on kubernetes � 44

Recommend

Hunting Manufactures and distributes products that enable the extraction of oil and gas Hunting

Hunting Manufactures and distributes products that enable the extraction of oil and gas Hunting

Hunting Manufactures and distributes products that enable the extraction of oil and gas Hunting PLC Global Footprint 2 2009 Corporate Highlights Completed three acquisitions 47.3m Sale of Hunting Energy France 11.1m Year end

857 views • 37 slides
Learning objectives Understand rationale for structural testing How structural (code-based

Learning objectives Understand rationale for structural testing How structural (code-based

Learning objectives Understand rationale for structural testing How structural (code-based or glass-box) testing complements functional (black-box) testing Structural Testing Recognize and distinguish basic terms Adequacy, coverage

560 views • 10 slides
Waterfowl Hunting for Beginners by John Martsh R-3 Program Manager Hunting Techniques: Spot and

Waterfowl Hunting for Beginners by John Martsh R-3 Program Manager Hunting Techniques: Spot and

Waterfowl Hunting for Beginners by John Martsh R-3 Program Manager Hunting Techniques: Spot and Stalk Hunting Techniques: Decoying Hunting Techniques: Pass Shooting Gauge Sizes Choke extracted from muzzle Choke lengths and wall diameters

783 views • 29 slides
The market, the consumer and the search Code the search Code www.designsonproperty.co.uk Agenda

The market, the consumer and the search Code the search Code www.designsonproperty.co.uk Agenda

The market, the consumer and the search Code the search Code www.designsonproperty.co.uk Agenda Whats happening in the property market now? Future trends Consumer protection What do people need? What do people need?

396 views • 26 slides
THE LEGALITY OF TIGER FARMING, TROPHY HUNTING AND CANNED HUNTING UNDER INTERNATIONAL LAW Cecil

THE LEGALITY OF TIGER FARMING, TROPHY HUNTING AND CANNED HUNTING UNDER INTERNATIONAL LAW Cecil

THE LEGALITY OF TIGER FARMING, TROPHY HUNTING AND CANNED HUNTING UNDER INTERNATIONAL LAW Cecil the Lion, Hwange National Park, Zimbabwe, 2013 Yann Prisner-Levyne WILD FAUNA= NATURAL RESOURCES UNDER INTERNATIONAL LAW Principle of permanent

400 views • 21 slides
Indigenous Hunting Rights in British Columbia By: Liam Robertson Broken Down Firearm

Indigenous Hunting Rights in British Columbia By: Liam Robertson Broken Down Firearm

Indigenous Hunting Rights in British Columbia By: Liam Robertson Broken Down Firearm Licensing (Briefly) Hunting on Traditional Territory Hunting off Traditional Territory Applying for a FWID and BCEID Metis Hunting in BC

377 views • 13 slides
Active Inductive Logic Programming for Code Search Aishwarya Sivaraman, Tianyi Zhang, Guy Van den

Active Inductive Logic Programming for Code Search Aishwarya Sivaraman, Tianyi Zhang, Guy Van den

Active Inductive Logic Programming for Code Search Aishwarya Sivaraman, Tianyi Zhang, Guy Van den Broeck, Miryung Kim University of California, Los Angeles Tool and dataset: https://github.com/AishwaryaSivaraman/ALICE-ILP-for-Code-Search

618 views • 51 slides
Active Inductive Logic Programming for Code Search Aishwarya Sivaraman, Tianyi Zhang, Guy Van den

Active Inductive Logic Programming for Code Search Aishwarya Sivaraman, Tianyi Zhang, Guy Van den

Active Inductive Logic Programming for Code Search Aishwarya Sivaraman, Tianyi Zhang, Guy Van den Broeck, Miryung Kim University of California, Los Angeles Tool and dataset: https://github.com/AishwaryaSivaraman/ALICE-ILP-for-Code-Search

607 views • 43 slides
Succeeding at Search A Job Search on Indeed Finding a job on Indeed Start your search Type the

Succeeding at Search A Job Search on Indeed Finding a job on Indeed Start your search Type the

Succeeding at Search A Job Search on Indeed Finding a job on Indeed Start your search Type the words that target what youre Place screenshot here looking for. Include job title, skill or company name. Include city, state or zip code.

296 views • 18 slides
Partridge driven hunt El Vedat The hunting territory: It is in the middle of Anoia, in

Partridge driven hunt El Vedat The hunting territory: It is in the middle of Anoia, in

TABAKOV TROPHY HUNTING Partridge driven hunt El Vedat The hunting territory: It is in the middle of Anoia, in Catalonia that the hunting area of El Vedat is situated, only 45mn of Barcelona. The territory extends on more than 3000 ha of

385 views • 10 slides
Recent Advances in Finite Element Methods for Structural Acoustics Dr. Saikat Dey Code 7130,

Recent Advances in Finite Element Methods for Structural Acoustics Dr. Saikat Dey Code 7130,

Recent Advances in Finite Element Methods for Structural Acoustics Dr. Saikat Dey Code 7130, Naval Research Laboratory, Washington D.C. USA (On contract from SFA Inc. Crofton, Maryland, USA) NIST Colloquium: March 28, 2006 Saikat Dey: Code

775 views • 51 slides
Riflescopes for Long-range Hunting March, 2020 LONG-RANGE HUNTING Rapidly gaining in

Riflescopes for Long-range Hunting March, 2020 LONG-RANGE HUNTING Rapidly gaining in

Riflescopes for Long-range Hunting March, 2020 LONG-RANGE HUNTING Rapidly gaining in popularity; Several Youtube channels (THLR.NO, EuLRH) have attracted a considerable number of followers; A riflescope is a must-have ; Often

649 views • 11 slides
Angled Spotting Scopes March, 2020 ANGLED SPOTTING SCOPES FOR HUNTING Appropriate for hunting

Angled Spotting Scopes March, 2020 ANGLED SPOTTING SCOPES FOR HUNTING Appropriate for hunting

Angled Spotting Scopes March, 2020 ANGLED SPOTTING SCOPES FOR HUNTING Appropriate for hunting in the mountains No need to overstretch the neck while using it Can be used without a tripod The user simply puts the scope on the top of

229 views • 9 slides
Satsy Input-Output Code Search Engine Carl Chapman Cole Groff Cody Hoover Trevor Lund Kaitlin

Satsy Input-Output Code Search Engine Carl Chapman Cole Groff Cody Hoover Trevor Lund Kaitlin

Satsy Input-Output Code Search Engine Carl Chapman Cole Groff Cody Hoover Trevor Lund Kaitlin McAbee Problem Statement Lots of open-source code is available for use. Instead of rewriting code that already exists, can we search to

444 views • 23 slides
THANK YOU La Fin @VK_Intel :) Talk Outline Evolution of Hunting for High- 2 1 Criminal

THANK YOU La Fin @VK_Intel :) Talk Outline Evolution of Hunting for High- 2 1 Criminal

THANK YOU La Fin @VK_Intel :) Talk Outline Evolution of Hunting for High- 2 1 Criminal Intent Value Targets APT Approach & 4 Emergence of 3 Ransomware Ransomhacks 5 YARA Hunting for 5 Key Takeaways Crypto Implementations ~whoami

363 views • 32 slides
The state of Search API in Drupal 8 Joris Vercammen | @borisson | @dazzletheweb

The state of Search API in Drupal 8 Joris Vercammen | @borisson | @dazzletheweb

DRUPALCAMP GHENT 2016 GROW SOME IDEAS The state of Search API in Drupal 8 Joris Vercammen | @borisson | @dazzletheweb http://drupalcamp.be/node/86 Search API Search API Solr Facets More addon modules Custom code Search

778 views • 64 slides
Zip Code Search Tool Feature A database of Zip Codes (US and Canada) Allows SSRS Reports

Zip Code Search Tool Feature A database of Zip Codes (US and Canada) Allows SSRS Reports

Zip Code Search Tool Feature A database of Zip Codes (US and Canada) Allows SSRS Reports to determine the closest Accounts to a source Zip Code Used for Prospecting or Customer Service for Closest Repair Depot or other Tasks Zip

450 views • 9 slides
Squirrel Hunting for Beginners by John Martsh R-3 Program Manager Why Squirrel Hunt?

Squirrel Hunting for Beginners by John Martsh R-3 Program Manager Why Squirrel Hunt?

Squirrel Hunting for Beginners by John Martsh R-3 Program Manager Why Squirrel Hunt? Squirrels are hunted in the fall, when the weather isnt too cold or hot Not a lot of expensive gear/equipment required Hunting doesnt require

578 views • 26 slides
BUILDING SEISMIC INSTRUMENTATION USING STRONG MOTION ACCELEROGRAPHS National Structural Code of

BUILDING SEISMIC INSTRUMENTATION USING STRONG MOTION ACCELEROGRAPHS National Structural Code of

BUILDING SEISMIC INSTRUMENTATION USING STRONG MOTION ACCELEROGRAPHS National Structural Code of the Philippines 2010 Chapter 1, Section 105 105.2 Earthquake-Recording and Instrumentation 105.2.1 General Unless waived by the Building

225 views • 19 slides
What The HELK? Enabling Graph Analytics for Effective Threat Hunting HELK THP OSSEM Agenda

What The HELK? Enabling Graph Analytics for Effective Threat Hunting HELK THP OSSEM Agenda

What The HELK? Enabling Graph Analytics for Effective Threat Hunting HELK THP OSSEM Agenda Effective Threat Hunting? Current state of threat hunting programs Graph Theory Definition Origins Types Graph

1.69k views • 75 slides
Dont Make These Common Job Search Mistakes macslist . org | # Macs_List | @Mac_Prichard

Dont Make These Common Job Search Mistakes macslist . org | # Macs_List | @Mac_Prichard

Dont Make These Common Job Search Mistakes macslist . org | # Macs_List | @Mac_Prichard macslist . org | @Macs_List | @Mac_Prichard Todays Agenda How to Land a Four job hunting mistakes to avoid My first job search How to find

642 views • 21 slides
80% of Code Red 2 Code Red 2 re-re- Code Red 1 and Code Red 2 Code Red 2 re- cleaned up

80% of Code Red 2 Code Red 2 re-re- Code Red 1 and Code Red 2 Code Red 2 re- cleaned up

Slammer s Bandwidth-Limited Growth 80% of Code Red 2 Code Red 2 re-re- Code Red 1 and Code Red 2 Code Red 2 re- cleaned up due to released Jan 2004 Nimda endemic dies off released with Oct. onset of Blaster (and 2005; not since

450 views • 34 slides
Hunting malware using its fingerprints Piotr Biaczak About me Piotr Biaczak Senior

Hunting malware using its fingerprints Piotr Biaczak About me Piotr Biaczak Senior

Hunting malware using its fingerprints Piotr Biaczak About me Piotr Biaczak Senior Researcher CERT Polska/NASK/ Warsaw University of Technology piotr.bialczak@cert.pl Twitter: @bialczakp 2 Malware hunting A mouse and cat game? 3

828 views • 28 slides
Establishing the Get Outdoors Hunting and Fishing License Package Nate Pamplin, Director of

Establishing the Get Outdoors Hunting and Fishing License Package Nate Pamplin, Director of

Establishing the Get Outdoors Hunting and Fishing License Package Nate Pamplin, Director of Budget and Government Affairs September 13, 2019 1 Customer Profiles WDFW sells 654,000 fishing licenses and 172,000 hunting licenses. Approx.

199 views • 8 slides

More recommend