Saturday, August 29, 2009

Obfuscated Code

When source code written in a programming language is transformed into a form that humans cannot readily read, the result is known as obfuscated code. The software that performs obfuscation on code is called an obfuscator.
Obfuscation of source code can be used for good purposes as well as bad ones. Programmers can obfuscate their code to conceal its purpose and to discourage theft of their code. This is also known as security through obscurity. On the other hand, attackers can use obfuscators to hide malicious programs.
The languages whose code can be obfuscated include, but are not limited to, C, C++, Perl and JavaScript.
Obfuscation by code morphing refers to obfuscating machine language code or object code rather than the source code.

Obfuscated code makes reverse engineering difficult, but it does not make it impossible. Obfuscated code is also hard to debug, because the variable names no longer make sense and the structure of the code is hard to recognize.

In this post I will mainly focus on JavaScript obfuscators, the techniques used for JavaScript obfuscation, and the use of JavaScript obfuscation in malicious software.

Obfuscated JavaScript code is mostly used by spammers in spam messages. The obfuscation makes it difficult for investigators to identify what exactly the JavaScript code does, or where a link goes. Attackers use JavaScript obfuscation to conceal all or part of the code that runs a browser exploit.


The good news about JavaScript source code obfuscation is that the techniques are limited to the decoding operations the web browser itself supports, since the browser must de-obfuscate the code before it can run it. The bad news is that the number of layers of obfuscation applied to the source code is not limited.
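The two observations above (a finite set of browser-supported decoders, an unbounded number of layers) are exactly what an analyst exploits when unpacking such code. The following is an added example and not code from the original post: it builds a two-layer sample around a harmless payload (the example.invalid hostname is a reserved, non-resolving name chosen for this illustration) and then peels the layers by replacing only the primitives that would execute or emit decoded code (eval and document.write) with capturing stubs, while leaving the pure decoders (unescape, String.fromCharCode) real. The function names wrapFromCharCode, wrapEscape, peelLayers and analyseSample are mine, not from any obfuscation tool.

```javascript
// Added example (not from the original post): peeling layered JavaScript
// obfuscation. Decoders the obfuscated code relies on (unescape,
// String.fromCharCode) stay real; the two primitives that would *run* or *emit*
// the result (eval, document.write) are replaced by capturing stubs, so each
// layer decodes itself and hands over the next layer instead of executing it.
// Analysis like this belongs in an isolated environment, never a live browser.

// --- Constructed sample -------------------------------------------------------
// Harmless stand-in for what a spam message might hide; example.invalid is a
// reserved name that never resolves. ASCII only, so %XX escaping suffices.
const INNER = 'document.write("<a href=\\"http://example.invalid/\\">offer</a>");';

// Layer A: the whole program as char codes, decoded by String.fromCharCode.
function wrapFromCharCode(src) {
  const codes = Array.from(src, ch => ch.charCodeAt(0)).join(',');
  return 'eval(String.fromCharCode(' + codes + '));';
}

// Layer B: percent-encoding, decoded by unescape() (a classic spam-kit look).
function wrapEscape(src) {
  let enc = '';
  for (const ch of src) enc += '%' + ch.charCodeAt(0).toString(16).padStart(2, '0');
  return 'eval(unescape("' + enc + '"));';
}

// --- Analysis harness ---------------------------------------------------------
// Returns every layer in decoding order plus all HTML handed to document.write.
function peelLayers(code, maxLayers = 16) {
  const layers = [code];   // layers[0] is the code as received
  const writes = [];       // document.write() payloads seen at any depth
  let current = code;
  for (let depth = 0; depth < maxLayers; depth++) {
    const pendingEval = [];
    const fakeEval = src => { pendingEval.push(String(src)); };
    const fakeDocument = { write: html => { writes.push(String(html)); } };
    // Function-constructor code is sloppy mode, so a parameter may be named
    // "eval"; inside the body it shadows the real eval, making eval(...) an
    // ordinary call to fakeEval rather than a direct eval.
    const run = new Function('eval', 'document', 'window', current);
    run(fakeEval, fakeDocument, { document: fakeDocument, eval: fakeEval });
    if (pendingEval.length === 0) break;   // nothing more to decode
    current = pendingEval.join('\n');
    layers.push(current);
  }
  return { layers, writes };
}

// Bundle the sample and its analysis so the result can be checked by name.
function analyseSample() {
  const obfuscated = wrapEscape(wrapFromCharCode(INNER));
  return { obfuscated, ...peelLayers(obfuscated) };
}

if (typeof require !== 'undefined' && require.main === module) {
  const result = analyseSample();
  result.layers.forEach((layer, i) => console.log(`layer ${i}: ${layer}`));
  console.log('document.write payloads:', result.writes);
}
```

The maxLayers cap is the practical answer to "unlimited layers": the loop stops either when a layer no longer calls eval (the innermost code has been reached) or when the cap is hit, so a sample that re-wraps itself forever cannot spin the analyst's harness indefinitely. Real samples also reach for other emit primitives (innerHTML assignment, setTimeout with a string, Function), and each of those is stubbed the same way.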

Friday, August 28, 2009

While mixing C and C++ code, how to avoid name mangling done by the C++ compiler for C code

C does not have function overloading, which is why C function names are not mangled by a C compiler (such as GCC); C++ does have overloading. Overloading means the same function name can be used for more than one function in C++, each with different parameters. That is why the C++ compiler mangles names: to identify each function uniquely.
You may run into a problem when writing your own library that mixes C and C++ code, because you have to compile it with the C++ compiler, and it will mangle the function names. To prevent the C++ compiler from mangling function names, use the extern "C" linkage specification in the code. This tells the C++ compiler not to mangle the function and variable names declared inside the extern "C" braces.
For example:
extern "C"
{
   int functionx();   // declared with C linkage: the C++ compiler emits the plain name
}
The name functionx will not be mangled by the C++ compiler.

Wednesday, August 26, 2009

Firefox-3.5 debugging problem on Ubuntu9.04

My colleague Xinshu and I are working on the Firefox-3.5 web browser, and for the last few months since Firefox-3.5 was released we have been searching for how to debug Firefox-3.5 with gdb on Ubuntu v9.04. We are able to debug Firefox-3.0 with gdb on Ubuntu v9.04, but we were not able to debug Firefox-3.5. Whenever we tried to debug Firefox-3.5 with the gdb debugger, GDB sometimes terminated with a "Segmentation Fault" error, or sometimes terminated with a memory leak error. So we developed the wrong impression that Firefox-3.5 cannot be debugged with gdb on Ubuntu v9.04, because the official version of Firefox-3.5 for Ubuntu is not yet released. Ubuntu has Firefox v3.0.13 in its repository. However, for Fedora and Windows, Firefox v3.5.2 is available. We searched many blogs, forums, etc. for a solution, or for somebody who had faced or was facing the same problem as we did. Many of them misdirected us by saying that some package required to debug Firefox-3.5 on Ubuntu v9.04 was missing on our machine. We installed all the packages named on those forums, but had no luck, until today.
My colleague (Xinshu) finally discovered the cause of the error. The solution was very simple, but not convenient for users who have many Firefox profiles for different purposes.
When we looked into the terminal window, we found that GDB terminated after Firefox created a new process. A new process is created when you have multiple profiles on your system and select one of them each time Firefox starts; that was the source of the error. Firefox creates a new process whenever we select a profile.
So we tried deleting all profiles, and it was a miracle: it really worked. The solution is very simple: delete all Firefox profiles and then try debugging Firefox-3.5 with GDB on Ubuntu. It works!
Although it is not convenient for users who have many profiles.

DoS attack on Firefox

Denial of Service (DoS) Attack on Firefox
It is caused by consuming memory on the user's computer.
The main reason this attack is possible on Firefox is an insufficient memory check in the document.write function.
The parser first builds the DOM tree from the received input before it is displayed to the user (or handed to the rendering unit). The following code consumes all available memory on your system; if you have a quad-core processor with 4GB RAM, the following code will terminate on that machine after a few hours (approx. 8 to 10 hrs).

The sample code is given below:
var a;
for (var i = 0; i < 32000; i++) {
    document.write(a += i);   // original had an unbalanced ")" here; each iteration writes to the document
}
document.write("Terminated");


Backtrace is as follows:
nsScannerString::AppendBuffer()
nsScanner::AppendToBuffer()
nsScanner::Append()
nsParser::Parse()
nsHTMLDocument::WriteCommon()
nsHTMLDocument::ScriptWriteCommon()
nsHTMLDocument::Write()

The Chrome browser uses behaviour analysis to detect unresponsive scripts/programs.
Function call analysis will not work correctly on this kind of example, because an attacker can create the same effect (a DoS attack) in many different ways.
Mozilla has the dom.max_script_run_time preference, which is set to 10 by default. In debug mode, Firefox prompts the user with a warning about the unresponsive script; however, this warning does not appear in normal mode, and the script hangs Firefox (or even the whole system) after some time. In other words, Firefox has a built-in check for unresponsive scripts, but this mechanism somehow just does not work for this example in normal mode.
I tested the above code in Internet Explorer, and IE showed a pop-up window asking the user whether he wants to terminate the script or continue its execution. I think that is the expected behaviour.
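The post's diagnosis is a missing resource check at the write sink, and its comparison point is a run-time watchdog (dom.max_script_run_time, IE's prompt). The following added example, which is not Firefox code and not from the original post, shows what such a check looks like at the sink: a document.write stand-in with a budget on bytes accepted and on wall-clock time, with the post's own loop run against it. The names makeBudgetedSink, runPostedLoop and runGuarded, and the budget values, are illustrative choices of mine.

```javascript
// Added example (not from the original post, not Firefox code): a resource
// budget around a document.write-style sink, so a script that keeps feeding
// the parser is stopped by a RangeError instead of exhausting memory.

// Create a write sink that refuses to grow past maxBytes or to keep accepting
// writes after maxMillis. `now` is injectable so the time path is testable.
function makeBudgetedSink({ maxBytes, maxMillis, now = Date.now }) {
  const start = now();
  const chunks = [];
  let units = 0;          // UTF-16 code units accepted so far (equals bytes for ASCII)
  return {
    write(chunk) {
      const s = String(chunk);
      if (now() - start > maxMillis) {
        throw new RangeError(`script exceeded ${maxMillis} ms of wall-clock budget`);
      }
      if (units + s.length > maxBytes) {
        throw new RangeError(`write of ${s.length} units would exceed budget of ${maxBytes}`);
      }
      units += s.length;
      chunks.push(s);
    },
    stats() { return { units, writes: chunks.length }; },
  };
}

// The loop from the post, unchanged apart from taking the sink as a parameter.
// `a` starts undefined, so undefined + 0 is NaN and every write is the string "NaN".
function runPostedLoop(document) {
  var a;
  for (var i = 0; i < 32000; i++) {
    document.write(a += i);
  }
  document.write("Terminated");
}

// Run the loop against a budgeted sink and report whether the guard stopped it.
function runGuarded(maxBytes, maxMillis, now) {
  const sink = makeBudgetedSink({ maxBytes, maxMillis, now });
  try {
    runPostedLoop(sink);
    return { stopped: false, reason: null, ...sink.stats() };
  } catch (err) {
    if (!(err instanceof RangeError)) throw err;   // only budget violations are expected
    return { stopped: true, reason: err.message, ...sink.stats() };
  }
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(runGuarded(4096, 10000));   // byte budget trips after 1365 writes of "NaN"
  console.log(runGuarded(1e9, 10000));    // generous budget: 32000 "NaN" writes plus "Terminated"
}
```

A sink-side budget only fires on writes, so it complements rather than replaces the watchdog the post describes: a script that spins without writing is caught by the run-time limit, and a script that writes a little but often is caught by the byte budget. Both checks are cheap precisely because they measure effect (bytes, time) rather than trying to recognise the attacking code, which is the point made above about function call analysis.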

Tuesday, August 25, 2009

Encrypted Virtual File System (EVFS): Building an encrypted Linux filesystem from an ordinary Linux file

This tutorial explains the step-by-step process to create an Encrypted Virtual Linux File System (EVFS).

First let me explain the advantages of EVFS:
1. You can take a disk file, format it as a vfat or ext3 filesystem, and then mount it, just like a physical drive. This is an excellent way to investigate different filesystems without the hassle of reformatting a physical drive.

2. It protects the information from unauthorized access.

3. It is a single file which acts as an encrypted virtual disk that stores files and directories inside it.

4. The big advantage is that it is portable. The file we create here will open as an encrypted virtual disk on Windows, Linux, etc.


We will use the LUKS (Linux Unified Key Setup) standard to create the encrypted virtual file system.
LUKS is a standard for hard disk encryption. Most disk encryption software implements different and incompatible formats; LUKS specifies a platform-independent on-disk format for use by various tools on different operating systems such as Windows and Linux.

In this article, I will explain how to create an encrypted virtual disk, how to use it on Linux and how to use it on Windows.

A. How to create Encrypted Virtual Disk
  • Step 1: Create a file of the desired size. (The size you specify here will be the size of your virtual disk.)
dd if=/dev/urandom of=disk.img bs=1M count=10

I used urandom to fill the file with random values. You can use if=/dev/zero instead of if=/dev/urandom to fill the file with zeros. By default dd uses 512 bytes as the block size. We set a custom block size with the bs argument, as shown in the example above. The bs argument accepts the common suffixes (k, M, G) for large numbers. bs specifies the number of bytes read into memory with a single read() system call and written out with a single write() system call. I created a 10MB file in this example (size = bs * count). You can tune the bs and count parameters according to your needs.
  • Step 2: Make the file we created into a disk device
sudo losetup /dev/loop0 disk.img

A loop device makes a file accessible as a block device. The losetup command associates the file (disk.img in our example) with a loop device (loop0 in our example).
  • Step 3: Now we have a partition of 10MB. In this step we will encrypt that partition.
sudo cryptsetup luksFormat -c aes -s 256 /dev/loop0

The -c parameter specifies the cipher. I used AES (Advanced Encryption Standard) in this example.
The -s parameter specifies the key size for the cipher in bits. It must be a multiple of 8 bits. In this example I used a 256-bit cipher key.

(Note: You can tune the above parameters according to your needs.)

(Note: This will ask you for confirmation before proceeding; you have to type YES in uppercase if you want to continue. Then it will ask you for the password for the EVFS. You have to use this password whenever you want to access the EVFS.)
  • Step 4: Now tell Linux to treat the encrypted partition as a disk device.
sudo cryptsetup luksOpen /dev/loop0 krp

krp is the name of the disk device; you can use any name there.
  • Step 5: Now create the file system on this disk
sudo mkfs -t vfat /dev/mapper/krp
  • Step 6: Done. Clean up the system now.
sudo cryptsetup luksClose krp
sudo losetup -d /dev/loop0

Now we have a single file as an encrypted virtual file system. In that file we can store any data which we want to hide from others. And as it is a single file, you can move it from one machine to another without the hassle of reformatting and installing an OS.


B. How to use Encrypted Virtual File System on Linux

Step 1: Tell Linux to treat this file as a disk device

sudo losetup /dev/loop0 disk.img

Step 2: Tell Linux to treat the encrypted partition as a disk device

sudo cryptsetup luksOpen /dev/loop0 kailas

Step 3: Mount the disk

sudo mount /dev/mapper/kailas /mnt

Now you can access the files in the directory /mnt.
You can create new files there or copy files there. Those files will be stored in your encrypted virtual file system.

C. How to clean up the EVFS after using it on Linux

sudo umount /dev/mapper/kailas
sudo cryptsetup luksClose kailas
sudo losetup -d /dev/loop0


D. How to use Encrypted Virtual File System on Windows

To open or access the EVFS we created above on Windows, download the free open source software FreeOTFE.
Install FreeOTFE, then launch it.
Select "File -> Linux Volume -> Mount File"

Enter the password of the EVFS. FreeOTFE will show the virtual drive. Done!