Last week the OWASP AppSecUSA 2013 conference was held in the legendary New York City, where I had the pleasure of giving a talk on secure software development titled “Verify Your Software for Security Bugs” and presenting my new project BinSecSweeper, a technology that allows you to verify the security posture of any binary on different platforms.
The development of BinSecSweeper was possible thanks to an R&D grant from the DARPA Cyber Fast Track (CFT) program to improve security in software development. For more information, I recommend reading the description of the project here.
The conference took place at the Marriott Marquis hotel in Times Square, in the heart of Manhattan, and more than 1500 people interested in security attended! As always at OWASP events we could see well-known faces of the security world, with whom I had the pleasure of chatting, as well as new faces. A greeting to all those people!
As expected, this year many talks focused on mobile security, mainly Android and iPhone. There were also many talks about Web security and OWASP projects, although I have to admit that some talks were not up to par.
Please find below some screenshots of BinSecSweeper, that will be published soon ;)
Fig. 1 – BinSecSweeper auditing a Windows binary under Linux
Fig. 2 – BinSecSweeper auditing a Linux binary under Linux
Thanks to the AppSecUSA team for organizing a great event; it has been a pleasure to participate! See you in future editions!
I have been wanting to read this book for a long time; I finally managed to make time for it and I have to admit that it has exceeded my expectations. This magnificent work, written by reputed mobile security experts such as Charlie Miller, Dion Blazakis, Dino Dai Zovi, Stefan Esser, Vincenzo Iozzo and Ralf-Philipp Weinmann, reveals the secrets of iOS, Apple's mobile operating system and one of the top mobile platforms.
iOS Hacker’s Handbook (ISBN: 978-1-118-20412-2) is a fascinating and very technical read that takes us into the inner workings and security of iOS to find vulnerabilities and develop exploits.
Its 11 chapters are full of source code (knowledge of C and assembly is recommended) describing the security architecture of iOS, such as encryption, sandboxing, the different types of memory protections and code signing, how to find vulnerabilities through reverse engineering and fuzzing, and how to develop exploits using modern techniques such as ROP.
Some of the crown jewels include the study of real vulnerabilities that have been used to win the mythical Pwn2Own contest, understanding and developing our own jailbreaks, and debugging and exploiting the iOS kernel.
Taking into account the rise of exploit sales and the price of iOS 0days, this is for sure a very serious and lucrative business, so you must read this book (check the Forbes article on the subject)!
The work focuses on the iOS platform itself, so vulnerabilities and exploitation of apps are not covered; anyway, there are plenty of references on that topic, so we don’t miss it at all.
Without a doubt this book is compulsory reading for any security expert who wants to delve into the bowels of iOS at the lowest level. I recommend reading the book a few times to assimilate the concepts well, and downloading the enclosed source code, as it contains various interesting tools that we would need to exploit iOS.
I will take the opportunity of this post to mention that the company VULNEX is offering training on mobile hacking that I am sure may interest you :)
Score (1 rose, very bad / 5 roses, very good): 5 Roses (Recommended Reading)
Python is an easy and powerful programming language that allows us to write sophisticated programs: Dropbox and BitTorrent are excellent examples. Python programs are commonly delivered as source code, but in some cases techniques such as obfuscation and compilation are applied to protect the code from curious eyes. But do these techniques really work?
In this article we will look at some tools that supposedly help us protect our code, and at how easily they are subverted.
We have two example programs written in Python: the first one is a simple function that asks for a password and shows a message; the second one does the same, but this time using a class.
def main():
    a = "toomanysecrets"
    res = raw_input("Please enter your password: ")
    if res == a:
        print "ACCESS GRANTED"
    else:
        print "ACCESS DENIED"

if __name__ == "__main__":
    main()
secretapp1.py
class DoMain:
    def __init__(self):
        self.a = "toomanysecrets"

    def Ask(self):
        res = raw_input("Please enter your password: ")
        if res == self.a:
            print "ACCESS GRANTED"
        else:
            print "ACCESS DENIED"

if __name__ == "__main__":
    dm = DoMain()
    dm.Ask()
secretapp2.py
Suppose I don’t want to deliver the source code of these programs; then I have several options. The first option is to obfuscate the code, making it difficult to read.
Pyobfuscate
This program obfuscates the code while keeping it completely valid for the Python interpreter. Here is an example with SecretApp1 and SecretApp2.
Fig. 1 – Obfuscated secretapp1
Fig. 2 – Obfuscated secretapp2
At a glance our code makes no sense, but if we look closely at the result we still see the text strings in the code and we can recognize Python syntax. It is not too difficult to reconstruct the original code from the obfuscated code.
Despite its limitations, I invite you to visit the tool website to check its possibilities.
Htibctobf
This tool was originally written to solve a challenge in a hacking competition at the Hack in the Box conference. I recommend reading this great article to learn more about it.
Unlike the previous tool, Htibctobf obfuscates Python code by modifying its AST (Abstract Syntax Tree). After running this tool we can see our obfuscated Python code in Fig. 3 and Fig. 4.
Fig. 3 – Obfuscated secretapp1
Fig. 4 – Obfuscated secretapp2
The obfuscated code still includes the text strings, and it is not too difficult to reconstruct the original code here either.
Without a doubt an interesting concept with many possibilities; nevertheless, it requires improvements to be useful.
In some cases obfuscating the code may be enough, but let’s look for other options to protect our code more effectively; for that we will have to compile our Python code into an executable.
Py2exe
Py2exe is possibly one of the most popular choices to turn Python code into a Windows executable.
First we have to create a setup file that references the program we want to build. See the setup script below.
from distutils.core import setup
import py2exe
setup(console=['secretapp1.py'])
setup.py
We are now ready to compile our Python code into a Windows executable, so let’s run py2exe. See Fig. 5.
Fig. 5 – Build secretapp1.exe
Once the build process is completed, py2exe creates a directory called “dist” that includes our executable and the libraries it needs. In Fig. 6 we can see that py2exe completes successfully and that we can run our program in exe format.
Fig. 6 – Build completed!
We could now distribute this binary without fear of giving out our code... or maybe not?
Py2exe_extract
This tool allows us to extract the Python object file embedded in an executable created with py2exe, basically inverting the process.
In Fig. 7 we can see how we use py2exe_extract to get the object file secretapp1.pyc (the content of this file is platform-independent and is known as bytecode) from secretapp1.exe.
Fig. 7 – Extracting object file
Now let’s explore ways to get the code from this object file.
Unwind
Unwind is a disassembler for Python bytecode that can be used to analyze “.pyc” object files. For this example, I’ve written a simple Python script, mytest.py, that imports the disassembler and analyzes the pyc file. See code below.
With this script you can run the following command and get a disassembly of the object file. See Fig. 8.
Fig. 8 – Python Bytecode
For low level lovers this will be your favorite choice ;)
Uncompyle2
Another option is to use a decompiler like uncompyle2 to get the code directly from the “.pyc” object file, without having to go through the disassembly as we did before.
This tool is powerful and easy to use: as you can see in Fig. 9, with a simple command we get the source code from secretapp1.pyc.
Fig. 9 – Secretapp1 code from object file
Wow, we got source code!
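To make concrete why both the disassembly (Unwind) and the decompilation (uncompyle2) steps above work, here is an added example that is not from the original post or from any of those tools. It compiles a Python 3 stand-in for secretapp1.py (constructed inline; the post's original is Python 2) into a .pyc-style byte string, parses that back with nothing but the standard library, and recovers the string literals and a disassembly: the password constant survives compilation untouched.

```python
import dis
import importlib.util
import io
import marshal
import types

# Constructed stand-in for secretapp1.py in Python 3 syntax.
SECRETAPP1_SRC = '''
def main():
    a = "toomanysecrets"
    res = input("Please enter your password: ")
    if res == a:
        print("ACCESS GRANTED")
    else:
        print("ACCESS DENIED")
'''

def build_pyc(source, filename="secretapp1.py"):
    """Compile source and wrap the code object the way a .pyc does:
    4-byte magic + 12 header bytes (flags, mtime, size; zeroed here)
    + marshalled code object (Python 3.7+ layout, PEP 552)."""
    code = compile(source, filename, "exec")
    header = importlib.util.MAGIC_NUMBER + b"\x00" * 12
    return header + marshal.dumps(code)

def load_pyc(data):
    """Inverse of build_pyc: verify the magic, skip the header, unmarshal."""
    if data[:4] != importlib.util.MAGIC_NUMBER:
        raise ValueError("magic mismatch: .pyc built by a different Python")
    return marshal.loads(data[16:])

def string_constants(code):
    """Walk co_consts recursively (nested functions are code objects)
    and collect every string literal embedded in the bytecode."""
    found = []
    for const in code.co_consts:
        if isinstance(const, str):
            found.append(const)
        elif isinstance(const, types.CodeType):
            found.extend(string_constants(const))
    return found

def disassemble(code):
    """Text disassembly of the module and its nested functions, the same
    kind of view a bytecode disassembler gives for a .pyc."""
    buf = io.StringIO()
    dis.dis(code, file=buf)
    return buf.getvalue()

if __name__ == "__main__":
    code = load_pyc(build_pyc(SECRETAPP1_SRC))
    print("strings in bytecode:", string_constants(code))
    print(disassemble(code))
```

Running it lists "toomanysecrets" among the constants and shows the LOAD_CONST that pushes it before the comparison, which is exactly what a decompiler turns back into `if res == a`.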
Throughout the article we have seen some obfuscation and compilation techniques to protect Python code, but we have also been able to subvert all of that protection quite easily :)
The following are other Python compilers that can be used on Windows, Linux or MacOS, but they suffer from the same problems described in this article.
We could also analyze and subvert the binaries using tools such as IDA Pro or Immunity Debugger, but I will leave that for a future post. Another interesting tool that I have not mentioned is pyREtic, an extensible framework for in-memory Python bytecode reverse engineering.
For an attacker, getting the Python code is only a matter of time; however, to make things really difficult from a defensive point of view, we have to combine different protection techniques.
Do you protect your Python programs? Which methods do you use?