RE:trace framework aids in OS X, Unix flaw discovery

By Dennis Fisher, Executive Editor 21 Feb 2008 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

WASHINGTON--A pair of security engineers on Thursday unveiled a new Ruby-based framework that can be used to discover and exploit vulnerabilities in common applications running on OS X, Unix and other operating systems.

The time it takes for vulnerability analysis is greatly reduced. David Weston, security engineer, SAIC

The new framework, called RE:trace, takes advantage of the inclusion of the DTrace performance-monitoring tool in Apple Computer Inc.'s Leopard operating system to give security professionals and reverse engineers the ability to find flaws in both the stack and the heap and then perform all kinds of interesting tricks. DTrace, developed by Sun Microsystems Inc., originally was meant to help troubleshoot applications and the OS, but security professionals have taken to using it for other tasks, as well.

In their talk at the Black Hat D.C. conference here, Tiller Beauchamp, a senior security engineer, and David Weston, a security engineer, both with SAIC in San Diego, showed how they could use RE:trace, which is based on DTrace, to not only find overflows in both the stack and the heap, but to detect buffer overflows and stop them before the overflow actually crashes the vulnerable application. The framework also enables users to track data as it flows all the way through a given application.

"The time it takes for vulnerability analysis is greatly reduced," Weston said.

DTrace is implemented in the kernel and as such it has easy access to the entire operating system, Weston said. And given its extensive feature set, it is essentially "a friendly, programmable rootkit." But DTrace was not specifically written to be used as a reverse-engineering tool and it therefore doesn't include some handy tools that reverse engineers might need. So Weston and Beauchamp, through the use of the Ruby language added some of those features, including the ability to dump a search in memory and tracing application in an object-oriented manner.

RE:trace also gives users quite a bit of feedback about what's going on in the applications that they're looking at. For example, the framework can tell the user who allocated a specific bit of memory, who used it, how much memory was overflowed during an attack and whether the memory was ever freed.

Weston and Beauchamp plan to continue development on RE:trace and will be adding more features and functionality in the next few months.

Video - RE:trace: Security researchers discuss flaw discovery project

Tags: Vulnerability Risk Assessment,  Security Testing and Ethical Hacking,  Alternative OS security: Mac, Linux, Unix, etc.,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Vulnerability Risk Assessment Screencast: How to launch an OpenVAS scan Trusteer CEO criticizes Adobe, touts better patch deployments Patch management study shows IT taking significant risks Vulnerability mitigation study shows need for faster patching Microsoft to issue security report card, new tool at Black Hat Newest malware threats Are Web application penetration tests still important? PCI compliance requirement 6: Systems and applications Cybercrime and threat management McAfee to acquire Solidcore Systems for whitelisting Vulnerability Risk Assessment Research Security Testing and Ethical Hacking Could Metasploit popularity erode? Metasploit Project acquired by vulnerability management firm Rapid7 Should management processes change based on a patch release schedule? Does an EULA make it truly illegal to decompile software? Screencast: BackTrack 4 offers an arsenal of penetration testing tools Security testing firm uncovers XML vulnerabilities Screencast: Samurai offers pen-testing nirvana The requirements needed to make an external penetration test legal McAfee to acquire Solidcore Systems for whitelisting The Pipe Dream of No More Free Bugs Alternative OS security: Mac, Linux, Unix, etc. Machiavelli Mac OS X rootkit unveiled at Black Hat How secure is 'Platform as a Service (PaaS)?' Security comparison: Mac OS X vs. Windows Mac OS memory flaws pose challenges for enterprise endpoint protection Rootkit Hunter demo: Detect and remove Linux rootkits Oracle to buy Sun Microsystems for $7.4 billion How to harden Linux operating systems Serious holes in Mac OS X memory, researcher shows What is the best operating system for an FTP server implementation? Black Hat DC 2009: Mac OS attack method Alternative OS security: Mac, Linux, Unix, etc. Research

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary gray hat  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary