CanSecWest2017

1. State of Windows Application
Security: Shared Libraries

2. About the speaker
• Previously a software developer
• Chromium based browser with security features
• Joined Tencent in 2014
• Security researcher
• Xuanwu Lab researches real world security problems
• CanSecWest 2016 speaker
• QCon 2016 speaker

3. Previously…
• At CanSecWest 2016
• 55% of popular AV’s can be exploited to escape browser sandbox
• Reported and fixed… hopefully

4. Browser Sandboxes… What is it for?
• It contains the damage of the code execution exploits
• Make it much harder for exploits to gain higher privileges

5. Sandbox Whitelist: Elevation Policy
Browser
Renderer
Browser Broker Elevation Policy
Medium
Integrity Level
Process
Security Boundary
Low Integrity
Level Process

6. Example: Panda Internet Security
Pandasecuritytbdtuser.exe
• Elevation policy with silent Medium IL
• Run arbitrary command
dtuser.exe runappasadmin calc.exe
• Copy arbitrary file
dtuser.exe copyfile <origin> <target>

7. How to detect it
automatically?

8. Project A'Tuin
• Automated installation
• Detect insecure characteristics and behaviors
• Provide searchable results
Crawl Install
Trigger
Behavior
Log
Cluster
Offline
Computation
Frontend
Interface

9. Project A'Tuin

10. Example: Panda Internet Security

11. Diversity is Installers’ Strength

12. Automated installation
• Searches all top level windows created by the installer
• In all screen area covered by recorded windows, find polygons that
has the largest area and highest contrast ratio
• Simulate input to screen area inside the polygon
• Success rate 95%+, special case the rest

13. What else did we found?

14. Typical Windows Application
Main
Code
Shared Libraries
MFC / Qt OpenSSL
Image /
Video /
Audio
Decoders
Network
Libraries
WebKit …

15. The OpenSSL Landscape

16. The OpenSSL Landscape: Heartbleed

17. The OpenSSL Landscape: CVSS >= 9

18. Does your application have
an embedded web browser?
Most likely.

19. Chromium Embedded Framework
• “CEF is a BSD-licensed open source project founded by Marshall
Greenblatt in 2008 and based on the Google Chromium project”
• “CEF focuses on facilitating embedded browser use cases in third-
party applications”
• “There are currently over 100 million installed instances of CEF
around the world embedded in products from a wide range of
companies and industries”

20. The CEF Landscape

21. QtWebKit

22. How can we find unknown shared libraries?
• Brainstorming?
• OpenSSL, zlib, Qt, what else?
• Many libraries are developed in-house and used inside one company
• Library issue may share among multiple software
• Outdated parsing / rendering / decoding libraries almost always
indicate security issues

23. How can we find unknown shared libraries?
• Install every software
• Extract all PE files
• Use a disassembler to extract function information
• IDAPython
• Record and compare function signatures across different software

24. The Result

25. Recap
• A system that can automatically detect possible security issues
• Many applications still have old OpenSSL libraries that are affected by
old vulnerabilities
• A new way to automatically detect shared libraries used in
applications
• Detected over 4000 shared libraries in our sample, many of them
unknown

26. Future works
• More behavior detection
• Go mobile
• Cross-platform clustering of results

27. A comprehensive report about
shared library security will be
released publicly later this year.
And the system may be open to public in the future.

28. Thanks.
Chuanda Ding
Tencent Xuanwu Lab
xlab.tencent.com