Article

RE:trace framework aids in OS X, Unix flaw discovery

Dennis Fisher

WASHINGTON--A pair of security engineers on Thursday unveiled a new Ruby-based framework that can be used to discover and exploit vulnerabilities in common applications running on OS X, Unix and other operating systems.

    Requires Free Membership to View

The time it takes for vulnerability analysis is greatly reduced.
David Weston,
security engineerSAIC

The new framework, called RE:trace, takes advantage of the inclusion of the DTrace performance-monitoring tool in Apple Computer Inc.'s Leopard operating system to give security professionals and reverse engineers the ability to find flaws in both the stack and the heap and then perform all kinds of interesting tricks. DTrace, developed by Sun Microsystems Inc., originally was meant to help troubleshoot applications and the OS, but security professionals have taken to using it for other tasks, as well.

In their talk at the Black Hat D.C. conference here, Tiller Beauchamp, a senior security engineer, and David Weston, a security engineer, both with SAIC in San Diego, showed how they could use RE:trace, which is based on DTrace, to not only find overflows in both the stack and the heap, but to detect buffer overflows and stop them before the overflow actually crashes the vulnerable application. The framework also enables users to track data as it flows all the way through a given application.

"The time it takes for vulnerability analysis is greatly reduced," Weston said.

DTrace is implemented in the kernel and as such it has easy access to the entire operating system, Weston said. And given its extensive feature set, it is essentially "a friendly, programmable rootkit." But DTrace was not specifically written to be used as a reverse-engineering tool and it therefore doesn't include some handy tools that reverse engineers might need. So Weston and Beauchamp, through the use of the Ruby language added some of those features, including the ability to dump a search in memory and tracing application in an object-oriented manner.

RE:trace also gives users quite a bit of feedback about what's going on in the applications that they're looking at. For example, the framework can tell the user who allocated a specific bit of memory, who used it, how much memory was overflowed during an attack and whether the memory was ever freed.

Weston and Beauchamp plan to continue development on RE:trace and will be adding more features and functionality in the next few months.

Video - RE:trace: Security researchers discuss flaw discovery project


There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: