WASHINGTON--A pair of security engineers on Thursday unveiled a new Ruby-based framework that can be used to discover and exploit vulnerabilities in common applications running on OS X, Unix and other operating systems.
The new framework, called RE:trace, takes advantage of the inclusion of the DTrace performance-monitoring tool in Apple Computer Inc.'s Leopard operating system to give security professionals and reverse engineers the ability to find flaws in both the stack and the heap and then perform all kinds of interesting tricks. DTrace, developed by Sun Microsystems Inc., originally was meant to help troubleshoot applications and the OS, but security professionals have taken to using it for other tasks, as well.
In their talk at the Black Hat D.C. conference here, Tiller Beauchamp, a senior security engineer, and David Weston, a security engineer, both with SAIC in San Diego, showed how they could use RE:trace, which is based on DTrace, to not only find overflows in both the stack and the heap, but to detect buffer overflows and stop them before the overflow actually crashes the vulnerable application. The framework also enables users to track data as it flows all the way through a given application.
"The time it takes for vulnerability analysis is greatly reduced," Weston said.
DTrace is implemented in the kernel and as such it has easy access to the entire operating system, Weston said. And given its extensive feature set, it is essentially "a friendly, programmable rootkit." But DTrace was not specifically written to be used as a reverse-engineering tool and it therefore doesn't include some handy tools that reverse engineers might need. So Weston and Beauchamp, through the use of the Ruby language added some of those features, including the ability to dump a search in memory and tracing application in an object-oriented manner.
RE:trace also gives users quite a bit of feedback about what's going on in the applications that they're looking at. For example, the framework can tell the user who allocated a specific bit of memory, who used it, how much memory was overflowed during an attack and whether the memory was ever freed.
Weston and Beauchamp plan to continue development on RE:trace and will be adding more features and functionality in the next few months.