Hacking The Framework Nimrod Luria Head Of Consulting Services, 2Bsecure. Security MVP .NET Security User Group Leader. Microsoft affiliate consultant. [email protected].
Download ReportTranscript Hacking The Framework Nimrod Luria Head Of Consulting Services, 2Bsecure. Security MVP .NET Security User Group Leader. Microsoft affiliate consultant. [email protected].
Hacking The Framework Nimrod Luria Head Of Consulting Services, 2Bsecure. Security MVP .NET Security User Group Leader. Microsoft affiliate consultant. [email protected] Attack sophistication vs. Intruder Technical Knowledge binary encryption “stealth” / advanced scanning techniques Tools High denial of service packet spoofing sniffers Intruder Knowledge GUI distributed attack tools www attacks automated probes/scans back doors network mgmt. diagnostics disabling audits hijacking burglaries sessions Attack Sophistication exploiting known vulnerabilities password cracking Attackers password guessing Low 1980 1985 Source: CERT/CC (used w/o permission & modified 1990 1995 2001 “Can you say ‘fair use?’ Sure, I knew you could.” IHO Fred Rogers) Warm Up - Demo Why you shouldn’t use Custom validator Why should we be aware of security? 1st Scenario : In my current smart card company, most of the information stored within our SDK are highly confidential. We do not want our SDK to be manipulated by our competitors. 2nd Scenario : You took a year to write a software and in the process consumed a lot of resources and time for its development. Then you sell your software, you find that all your hard work in past 12 months were easily manipulated. Therefore, steps must be taken to ensure this does not happen. 3rd Scenario : One day, my manager came to me and asked me this question. Questions: Are .NET assemblies that secure? Answer: Nothing is secure, but all we can do is to try to make things harder for a hacker. Reflector Demo Don’t trust the Registry Back in 1990s, you may have noticed that some shareware programs implements this kind of verification technique. When you install the software, it will create a key in the Windows registry. Basically what it does, is stores the serial number inside the registry as either a plain text or encrypted version. Yes, I have seen people placing plain text in registry. So when your program runs, it will check the registry to verify the existence that particular key. If you have a wrong serial number or that particular key is not there, it will prompt you an error. Right now I will try to simulate this verification technique in C# step by step. Demo Manipulating The Registry Listening with RegMon Internal Representation of Methods by the CLR Let’s Change the code How to use ILdasm and ILasm to manipulate the code. Type ildasm CrackingIL.exe /out=CrackingIL.il Open CrackingIL.il with any text editor Just remove all the codes from IL_0000 to IL_0075.(Clean FrmSecureApp_Load event) type 'ilasm CrackingIL.il'. You are done ! protect your .NET assemblies from being tampered Strong Name key is a RSA 1024 bit encryption, and to break it is not that easy at all. You need to have huge computing power to get that private key. Why Strong Name?? Strong Name, is it strong enough ? It did not encrypt my codes nor did it hide my codes from decompilers such as .NET Reflector. It isn't even related to obfuscation. So then what is Strong Name for? Some marketing tool to convince the public that the assemblies it protects is secure? What people doing in the industry ? Your superior comes to you and asks you to implement a Strong Name key in your assemblies. And then when you reply, why Strong Name, they would say this is what other people are doing in the industry; we should follow them as well. It’s seems to be strong But It’s NOT ! How to break Strong Name .NET Assemblies Questions: Question : Is Strong Name key secure? Answer : Yes, Strong Name key uses RSA 1024 bit encryption. Question : Is Strong Name key breakable? Answer : If you have enough computing power, time and knowledge on how to break RSA, the answer is yes. Question : Can Strong Name key be removed from .NET assemblies? Answer : Yes, it can be removed very easily if you know how. Demo Removing the signature. Tempering the code. Hijacking .NET type members defined with a private access modifier are not actually private Even though the method is private, calling clients can still set the state of the object whenever they want using reflection. Demo Calling private methods using reflection The Solution Modifying Rotors Source Code [DebuggerStepThroughAttribute] [Diagnostics.DebuggerHidden] public override void SetValue(Object obj,Object val,BindingFlags invokeAttr,Binder binder,CultureInfo culture) { InternalSetValue(obj, val, invokeAttr, binder, culture, true, binder == Type.DefaultBinder); } to: [DebuggerStepThroughAttribute] [Diagnostics.DebuggerHidden] public override void SetValue(Object obj,Object val,BindingFlags invokeAttr,Binder binder,CultureInfo culture) { // Add the check. if (this.IsPrivate) { throw new Exception("Access denied!!! Cannot set the value of private fields."); } InternalSetValue(obj, val, invokeAttr, binder, culture, true, binder == Type.DefaultBinder); } VS 2005 Exploit Demo Solutions To make sure that only trusted assemblies are calling your assembly you can use StrongNameIdentityPermission Class You should use sn.exe –o <infile> <outfile> to get the signature. You can use imperative or declarative checks. <StrongNameIdentityPermissionAttribute(SecurityAction.LinkDemand, _ PublicKey:="002400000480000094000...")> _ Public Class myClass ... Evidence Use the wizards Encrypt Your code Reactor CryptKey Preemptive .NET obfuscation In Got We Trust ! Don’t trust any code. Use sandbox to test downloaded code or 3rd party assemblies. Use CAS Follow the least privilege principle. Review your code. Test your applications for security. ? Thank You ! Nimrod Luria Head Of Consulting Services, 2Bsecure. Security MVP .NET Security User Group Leader.