[NCLUG] how was I hacked?

jbass at dmsd.com jbass at dmsd.com
Sun Jun 1 22:59:22 MDT 2003


A few additional comments on the evolution of root kit technology. One of the
things people less aware of reverse engineering technology do not understand
is just how these hackers find these bugs anyway. For the open source
projects, it's pretty easy .... learn from reading a LOT of source code. Even
with source code, reverse engineering skills become VERY useful to actually
craft the exploits to make use of the bugs.

Useful reverse engineering tools are debuggers, kernel debuggers, disassemblers,
and a new tool finally coming to Linux is the reverse compiler. Binary to C
translators have been around for nearly 20 years in various forms ... some as
simple as awk/sed scripts to "fixup" debugger traces or disassembler output into
pseudo C code - sometimes well polished C code. These tools have been the stock
in trade of system hackers and systems programmers for 40 years, back into batch
IBM mainframe days.

During the year and a half from summer 1974 thru winter of 1975 I led a
team of 4 that disassembled and reverse engineered most of an operating system
and its major applications/utilities to find security flaws as a Computer
Science Dept sponsored security research team. We found, documented, and
bug reported dozens of user level exploits for the system in that period,
including several architecturally critical kernel exploits that allowed us
to patch into the kernel/OS at will, effectively giving us complete control
of the machine if we wanted it. The details of those exploits were closely
held, and while bug reported, no fix was available without a rewrite of
major portions of the system. Our team disbanded after reaching this point.

A year later, a high school student several hundred miles away, using a
borrowed student account, independently located and exploited the same
"defect" in the design, causing significant damage and disruption to
statewide college classes using the facility for several months before getting
caught.

The experience got me a job as a UNIX systems programmer that winter
writing device drivers for a PDP11/35 graphics research computer. And
from that project, I went on writing UNIX drivers, UNIX admin, and a wide
variety of unix kernel and applications cross architecture porting
for various employers and clients for nearly 25 years. I've also done
several dozen reverse engineering projects as contracts since, some
for government agencies which pay with checks from other agencies, some
who crack the security of confiscated "home computers". It's been a while
since I've had one of "those" contracts, as those agencies now have their
own full time staff of hackers and crackers with tools far more advanced
than we see publicly. It's nice to see that there are jobs for people
with good reverse engineering skills ;-)

Consider one open source project: http://boomerang.sourceforge.net which is
in its early stages yet and can still take the stripped binary for this
C source code:

	$ more test/source/twoproc.c
	
	#include <stdio.h>
	
	int proc1(int a, int b) {
	    return a + b;
	}
	
	int main() {
	    printf("%i\n", proc1(3, 4));
	    return 0;
	}

	$ ./boomerang test/pentium/twoproc
	
	loading...
	decoding...
	analysing...
	decompiling...
	generating code...
	void main(int param1, int param2)
	{
	int local0;
	    proc1(local0);
	    printf("%i\n", 7);
	    return ;
	}

	void proc1(int param1)
	{
	    return ;
	}

The project is probably a couple hundred man weeks from really good results,
and can use volunteers if there are any students out there looking for a truly
useful project for the summer. There are probably a number of good senior,
masters or PhD thesis projects waiting there for those students who haven't
yet figured out what they want to do to graduate.

While these tools are certainly useful for crackers, they are even more useful
to those that need to quickly reverse engineer rootkit binaries to determine
the extent and impact of exploited machines, as well as help understand how
to track and hopefully find truly destructive "crackers" and "script kiddies".

Pass the word around that the boomerang team needs some help.

John
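The awk/sed-style "fixup" of disassembler output that the post describes, as an added example that is not part of the original message or of the boomerang project: a small Python script that pattern-matches an objdump-style listing of the twoproc binary back into pseudo-C. The listing it works on is constructed by hand (addresses and opcode bytes are illustrative, not from a real build), and the script only understands the 32-bit cdecl idioms in that listing: pushed immediates become call arguments in reverse push order, positive %ebp offsets become caller arguments, %eax carries a symbolic return value, and anything unrecognised is emitted as a C comment so nothing disappears silently. The names decompile, render, operand and SAMPLE_DISASM are this example's own, not boomerang's.

```python
"""Pattern-match objdump-style 32-bit x86 (AT&T syntax) disassembly into pseudo-C: a toy
"binary to C" fixup in the spirit of the awk/sed scripts the post mentions. It only knows
the cdecl subset twoproc needs and keeps unknown instructions visible as comments."""
import re

# Constructed sample: hand-written objdump -d style listing of twoproc as gcc -O0 -m32
# would lay it out. Addresses and hex bytes are illustrative, not from a real build.
SAMPLE_DISASM = """\
08048384 <proc1>:
 8048384:  55              push   %ebp
 8048385:  89 e5           mov    %esp,%ebp
 8048387:  8b 45 08        mov    0x8(%ebp),%eax
 804838a:  03 45 0c        add    0xc(%ebp),%eax
 804838d:  5d              pop    %ebp
 804838e:  c3              ret

0804838f <main>:
 804838f:  55              push   %ebp
 8048390:  89 e5           mov    %esp,%ebp
 8048392:  83 ec 08        sub    $0x8,%esp
 8048395:  6a 04           push   $0x4
 8048397:  6a 03           push   $0x3
 8048399:  e8 e6 ff ff ff  call   8048384 <proc1>
 804839e:  83 c4 08        add    $0x8,%esp
 80483a1:  50              push   %eax
 80483a2:  68 00 85 04 08  push   $0x8048500
 80483a7:  e8 fc ff ff ff  call   80483a8 <printf@plt>
 80483ac:  c9              leave
 80483ad:  c3              ret
"""

FUNC_RE = re.compile(r"^([0-9a-f]+) <([^>]+)>:\s*$")
INSN_RE = re.compile(r"^\s*[0-9a-f]+:\s+(?:[0-9a-f]{2}\s)+\s*(\S+)\s*(.*?)\s*$")
ARG_RE = re.compile(r"^(0x[0-9a-f]+)\(%ebp\)$")      # caller's argument slots only

def operand(tok, fn):
    """Translate one AT&T operand into a C-ish expression."""
    if tok.startswith("$"):                         # immediate; big values are probably addresses
        val = int(tok[1:], 16)
        return str(val) if val < 256 else hex(val)
    m = ARG_RE.match(tok)
    if m:                                           # 8(%ebp) is the first cdecl argument
        idx = (int(m.group(1), 16) - 8) // 4
        fn["nargs"] = max(fn["nargs"], idx + 1)
        return f"arg{idx}"
    return fn["eax"] if tok == "%eax" else tok

def decompile(disasm):
    """Return {name: (argc, [statements])} for each function in the listing."""
    result, name, fn = {}, None, None
    for line in disasm.splitlines():
        m = FUNC_RE.match(line)
        if m:                                       # new function: fresh symbolic state
            if name:
                result[name] = (fn["nargs"], fn["stmts"])
            name = m.group(2)
            fn = {"stmts": [], "pushed": [], "eax": "eax", "pending": False, "nargs": 0}
            continue
        m = INSN_RE.match(line)
        if not m or fn is None:
            continue
        mnem, ops = m.groups()
        args = [a.strip() for a in ops.split(",") if a.strip()]   # SIB operands not handled
        if mnem in ("leave", "pop", "nop") or (args and args[-1] in ("%esp", "%ebp")):
            continue                                # prologue, epilogue, stack adjusts
        overwrites_eax = mnem == "call" or (mnem == "mov" and args[1] == "%eax")
        if fn["pending"] and overwrites_eax:        # unused call result: emit it as a statement
            fn["stmts"].append(fn["eax"] + ";")
        if mnem == "push":
            fn["pushed"].append(operand(args[0], fn))
            if args[0] == "%eax":
                fn["pending"] = False               # call result consumed as an argument
        elif mnem == "mov" and args[1] == "%eax":
            fn["eax"], fn["pending"] = operand(args[0], fn), False
        elif mnem == "add" and args[1] == "%eax":
            fn["eax"] = f"({fn['eax']} + {operand(args[0], fn)})"
            fn["pending"] = False
        elif mnem == "call":
            target = re.search(r"<([^>@]+)", ops)
            callee = target.group(1) if target else ops
            fn["eax"] = f"{callee}({', '.join(reversed(fn['pushed']))})"  # cdecl: right-to-left
            fn["pushed"], fn["pending"] = [], True
        elif mnem == "ret":
            fn["stmts"].append("return;" if fn["eax"] == "eax" else f"return {fn['eax']};")
            fn["pending"] = False
        else:
            fn["stmts"].append(f"/* {mnem} {ops} */")   # not understood: keep it visible
    if name:
        result[name] = (fn["nargs"], fn["stmts"])
    return result

def render(functions):
    """Pretty-print decompile() output as C source."""
    out = []
    for name, (argc, stmts) in functions.items():
        params = ", ".join(f"int arg{i}" for i in range(argc)) or "void"
        out.append(f"int {name}({params})\n{{")
        out.extend(f"    {s}" for s in stmts)
        out.append("}\n")
    return "\n".join(out)
```

Calling render(decompile(SAMPLE_DISASM)) yields proc1 as return (arg0 + arg1); and main as return printf(0x8048500, proc1(3, 4));. Compared with the boomerang output above, this pattern matcher keeps the call to proc1 and its arguments only because it never reasons about data flow or register lifetimes; the same script produces comments instead of code as soon as the compiler inlines, folds constants, or passes values in registers. That analysis is the hard part a real decompiler has to do, and it is what makes an unknown binary quicker to understand than raw disassembly.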
