June 15, 2007 - C++
by Dominique Brezinski
A lot of work has been done on reverse engineering, exploitation and code review of applications written in C. However, a majority of application development is done in C++, and has been for many years. Over the past five years a few researchers, Halvar Flake among them, have looked at C++-specific issues, but there has not been much public focus on the security-related aspects of C++.
This year is different. Several presentations bring C++ issues and techniques to the foreground: "Breaking C++ Applications" by Mark Dowd, John McDonald and Neel Mehta and "Reversing C++" by Paul Vincent Sabanal. I like it when an unintentional plan comes together.
Breaking C++ Applications
by Mark Dowd, John McDonald & Neel Mehta
Have you ever noticed that nearly all discussions regarding finding vulnerabilities or secure programming for C/C++ focus almost exclusively on C? The reasoning for this is most likely that the authors want to capture behavior that affects both of the languages, thus providing knowledge that is applicable to more developers/auditors and can be applied to more projects. This has resulted in an in-depth knowledge base of C-based issues that most security professionals know and an ever-increasing number of developers are aware of. But what about those issues specific to C++? Many applications are built largely in C++, and as such there is a need to understand the security implications of the extra language features. Despite this necessity, C++-specific issues have been largely ignored in public security forums up to this point, leaving the potential for applications to contain vulnerabilities that are different in nature to those issues that are commonly referred to as C++ issues (dangerous string APIs, integer-related vulnerabilities, etc.).
Our presentation will examine the security impact of many C++-specific language constructs, and delve into specific examples of vulnerabilities that can result from them. We will present examples to help demonstrate the validity of the problems we are discussing. These will include both vulnerabilities from real applications and concocted examples, with the goal of highlighting the security impact of C++-specific language constructs.
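The abstract saves its examples for the talk. As an added illustration, not from the presenters or from this page, one C++-specific construct with a security edge is the language rule that a virtual call made from a constructor (or destructor) dispatches to the class currently being constructed, never to a more-derived override. The request and path-policy classes, their names and the "no `..` in the path" rule are all constructed for this example.

```cpp
#include <string>

// Vulnerable pattern (constructed for this example): a base class runs a
// virtual "policy" hook from its constructor, expecting subclasses to
// tighten the check by overriding it.
class Request {
public:
    explicit Request(const std::string& path) : path_(path) {
        // Inside Request's constructor the dynamic type is still Request:
        // the vptr points at Request's vtable, so this resolves to
        // Request::isAllowed even while a RestrictedRequest is being built.
        accepted_ = isAllowed(path_);
    }
    virtual ~Request() = default;
    bool accepted() const { return accepted_; }

protected:
    virtual bool isAllowed(const std::string& p) const { return !p.empty(); }
    std::string path_;
    bool accepted_ = false;
};

class RestrictedRequest : public Request {
public:
    explicit RestrictedRequest(const std::string& path) : Request(path) {}

protected:
    // Never consulted during construction: the traversal check is dead code.
    bool isAllowed(const std::string& p) const override {
        return Request::isAllowed(p) && p.find("..") == std::string::npos;
    }
};

// Hardened pattern: constructors only store state; the policy runs on the
// fully constructed object, where virtual dispatch reaches the most-derived
// override. A factory keeps callers from forgetting the second phase.
class CheckedRequest {
public:
    explicit CheckedRequest(const std::string& path) : path_(path) {}
    virtual ~CheckedRequest() = default;
    bool accepted() const { return accepted_; }
    void runPolicy() { accepted_ = isAllowed(path_); }

protected:
    virtual bool isAllowed(const std::string& p) const { return !p.empty(); }
    std::string path_;
    bool accepted_ = false;
};

class RestrictedCheckedRequest : public CheckedRequest {
public:
    explicit RestrictedCheckedRequest(const std::string& path)
        : CheckedRequest(path) {}

protected:
    bool isAllowed(const std::string& p) const override {
        return CheckedRequest::isAllowed(p) && p.find("..") == std::string::npos;
    }
};

template <class T>
T makeRequest(const std::string& path) {
    T r(path);
    r.runPolicy();   // dynamic type is T here, so T::isAllowed decides
    return r;
}

// The same traversal attempt through both designs.
bool vulnerableAccepts(const std::string& path) {
    return RestrictedRequest(path).accepted();
}

bool hardenedAccepts(const std::string& path) {
    return makeRequest<RestrictedCheckedRequest>(path).accepted();
}
```

The behaviour is mandated by the language, not by any particular compiler or ABI, so no warning flags catch it for non-pure virtuals; the audit question is simply whether any constructor or destructor calls a virtual that a subclass is expected to override. `vulnerableAccepts("../etc/passwd")` returns true, `hardenedAccepts("../etc/passwd")` returns false.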
Reversing C++
by Paul Vincent Sabanal
We have been doing reverse engineering work professionally for several years now, and during the course of our career, we've seen an increasing number of malware using C++ year after year.
Now, we were also guilty of this, but reversers tend to analyze C++ code at the assembly level without understanding OOP concepts, doing it instead the way they analyze straightforward C code. We soon realized that, obviously, this is not an efficient approach. Thanks to the work of Halvar and the guys at openrce.org, some light has been shed on the subject of C++ reversing. This talk is our contribution to this subject.
In this talk, we will try to explain the steps in reversing a C++ binary, starting from the high-level abstraction point of view, down to the low-level implementation details. We will then present ways to automate these steps, and we will also demonstrate the tools we developed.
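To make the path from high-level abstraction to low-level implementation concrete, here is an added example (not the presenters' tooling and not code from this page) that reads a polymorphic object's vtable and RTTI at runtime the same way a reverser reads them out of a binary: vptr, then typeinfo pointer for the class name, then the function-pointer slots. It assumes the Itanium C++ ABI (GCC or Clang on x86-64 or AArch64 Linux, macOS and the BSDs); the `Shape`/`Square` classes and the slot indices are constructed for the example, and the layout is different under MSVC.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <string>
#include <typeinfo>

// Two small polymorphic classes to inspect. Under the Itanium C++ ABI an
// object with virtual functions starts with a vptr into a vtable laid out as:
//   vptr[-2] offset-to-top     (0 here: single inheritance, primary base)
//   vptr[-1] std::type_info*   (the RTTI that names the dynamic class)
//   vptr[0]  ~Shape            (complete-object destructor)
//   vptr[1]  ~Shape            (deleting destructor)
//   vptr[2]  sides()
//   vptr[3]  area()
// Slots follow declaration order, and a virtual destructor takes two slots.
struct Shape {
    virtual ~Shape() = default;
    virtual int sides() const { return 0; }
    virtual int area() const { return 0; }
};

struct Square : Shape {
    explicit Square(int s) : side(s) {}
    int sides() const override { return 4; }
    int area() const override { return side * side; }
    int side;
};

using Slot = void*;

// The first machine word of a polymorphic object is its vptr. memcpy avoids
// a strict-aliasing violation when reading it as a raw pointer.
static const Slot* vtableOf(const Shape* obj) {
    const Slot* vt;
    std::memcpy(&vt, obj, sizeof vt);
    return vt;
}

// Follow vptr -> typeinfo -> name to recover the mangled class name
// ("6Square" under GCC/Clang). Reversing tools that identify classes in a
// stripped binary with RTTI present walk exactly this chain.
std::string rttiName(const Shape* obj) {
    const Slot* vt = vtableOf(obj);
    auto ti = reinterpret_cast<const std::type_info*>(vt[-1]);
    return ti->name();
}

// Invoke virtual slot `slot` through a raw function pointer, passing `this`
// as the first argument, exactly as the compiled call site does.
int callIntSlot(const Shape* obj, std::size_t slot) {
    using Fn = int (*)(const Shape*);
    const Slot* vt = vtableOf(obj);
    auto addr = reinterpret_cast<std::uintptr_t>(vt[slot]);
    return reinterpret_cast<Fn>(addr)(obj);
}

// Wrappers that build a Square and exercise the raw vtable path.
int squareSidesViaVtable(int side) { Square sq(side); return callIntSlot(&sq, 2); }
int squareAreaViaVtable(int side)  { Square sq(side); return callIntSlot(&sq, 3); }
std::string squareRttiName()       { Square sq(1);    return rttiName(&sq); }
```

Because the destructor is declared first it occupies slots 0 and 1, so `sides()` is slot 2 and `area()` slot 3; `squareAreaViaVtable(3)` returns 9 by calling `Square::area` without ever naming it. Reordering the virtual declarations in `Shape` changes the slot numbers, which is why a reverser recovers the order from the vtable rather than assuming it. The typeinfo walk only works when the binary keeps RTTI; with `-fno-rtti` slot -1 is null and class names must be recovered from constructor code instead.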