[Owasp-leaders] Code review for backdoors

Yiannis Pavlosoglou yiannis at owasp.org
Sat Apr 4 13:18:40 UTC 2015


This is a very specialised review that you seek guidance on and not a
code review per se.

A traditional code review has the objective of determining if a
vulnerability is present within the code, further to this if the
vulnerability is exploitable and under what conditions.

A code review for backdoors has the objective to determine if a
certain portion of the codebase is carrying code that is unnecessary
for the logic and implementation of the use cases it serves.

Further to this, the reviewer looks for the trigger points of that
logic. From experience in a previous life, typical examples serve as a
branch statement going off to a part of assembly or obfuscated code.

Please note, the latter has no mention of vulnerability in its method
description. There is a whole world of "hybrid code auditing" that
DeepSec Vienna saw on how to combine today's rather dumb code tools to
spot such patterns. You can see how traditional source-to-sink
analysis would fall quite flat on its head here.

Maybe a project or two in this as well, for the adventurous and committed.

On 11 March 2015 at 21:26, Ali Khalfan <ali.khalfan at owasp.org> wrote:
> Looks very helpful , thanks . I'll see if I can come up with a guideline
> based on it.
>
> On 12 March 2015 12:00:08 AM GMT+03:00, Jeff Williams
> <jeff.williams at owasp.org> wrote:
>>
>> You may find some interesting guidance in a paper I did at BlackHat.
>> Remember that any vulnerability might be put there on purpose.  So a
>> malicious code review has to include a regular code review.
>>
>>
>> https://www.blackhat.com/presentations/bh-usa-09/WILLIAMS/BHUSA09-Williams-EnterpriseJavaRootkits-PAPER.pdf
>>
>> --Jeff
>>
>> Jeff Williams | CTO
>> Contrast Security
>> @planetlevel @contrastsec
>>
>>
>>
>>
>>
>> On Wed, Mar 11, 2015 at 1:51 PM -0700, "Ali Khalfan"
>> <ali.khalfan at owasp.org> wrote:
>>
>>> yes,
>>>
>>> one reason I wanted to set up some sort of guideline is for peer
>>> reviewing.  The last thing a developer would want to do is read code they
>>> did not create prior to deployment.  So, it would be easier to have a
>>> guideline telling the developer what to look for (e.g. hard-coded values,
>>> encoded strings, etc.).   Another reason would be for the security reviews
>>> and auditors who have tools, but of course tools may detect security
>>> weaknesses not backdoors or logic bombs.  Thus, I think giving the reviewers
>>> general 'hints' on what to look for would be very helpful.
>>>
>>>
>>> If you have a link or summary of the Cigital session, please do share.
>>>
>>>
>>>
>>> Ali
>>>
>>>
>>> On 03/11/2015 10:38 PM, Gary Robinson wrote:
>>>
>>> Hi Ali,
>>>
>>> I can confirm the latest version of the code review guide (in progress)
>>> doesn't mention intentional backdoors either.  This does tie in with an
>>> interesting session Cigital put on last week about developers (in house or
>>> 3rd party) being the 'bad guy' inserting vulnerabilities/backdoors.
>>>
>>> If you have some technical ideas or content let us know.  I've never seen
>>> any technical advice on spotting intentional backdoors, however peer source
>>> code review (and audit or security reviews) would be the best way of
>>> catching this.
>>>
>>> Gary
>>>
>>> On Wed, Mar 11, 2015 at 7:06 PM, Azzeddine Ramrami
>>> <azzeddine.ramrami at owasp.org> wrote:
>>>>
>>>> All backdoors exploit security flaws in the apps. A good code review
>>>> can detect security flaws in the code.
>>>> You can also do a reverse engineering technique or fuzz testing to
>>>> detect security bugs in the apps.
>>>> Azzeddine
>>>>
>>>> On Wed, Mar 11, 2015 at 8:02 PM, Aaron Guzman <aaron.guzman at owasp.org>
>>>> wrote:
>>>>>
>>>>> Backdoors are typically at the hardware or embedded level where it's
>>>>> harder to locate. Usually ODMs and OEMs fall victim to this. Typically
>>>>> because they use “backdoors” for debugging and testing purposes during
>>>>> manufacturing. A solution is to test and analyze your code from third
>>>>> parties. Whether that's through IDA or other means.
>>>>> --
>>>>> Aaron G
>>>>> OWASP-LA Board Member
>>>>> Twitter: @scriptingxss
>>>>> Linkedin: http://lnkd.in/bds3MgN
>>>>>
>>>>> On Mar 11, 2015, at 11:27 AM, psiinon <psiinon at gmail.com> wrote:
>>>>>
>>>>> How about: "Don't put them in" ??
>>>>>
>>>>> ;)
>>>>>
>>>>> On Wed, Mar 11, 2015 at 6:22 PM, Ali Khalfan <ali.khalfan at owasp.org>
>>>>> wrote:
>>>>>>
>>>>>> The owasp code review guidelines do a great job at looking for
>>>>>> vulnerabilities. However, they will not address intentional vulnerabilities
>>>>>> such as backdoors and logic bombs.
>>>>>>
>>>>>> I wanted to establish such a guideline, but I was wondering if there
>>>>>> is any reference I could fall back on ?
>>>>>>
>>>>>> Ali
>>>>>> --
>>>>>> Sent from my Android device with K-9 Mail. Please excuse my brevity.
>>>>>> _______________________________________________
>>>>>> OWASP-Leaders mailing list
>>>>>> OWASP-Leaders at lists.owasp.org
>>>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> OWASP ZAP Project leader
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Azzeddine RAMRAMI
>>>> +33 6 65 48 90 04.
>>>> Enterprise Security Architect
>>>> OWASP Leader (Morocco Chapter)
>>>> Mozilla Security Projects Mentor
>>>>
>>>>
>>>
>>>
>>>
>>>
>>>
>
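The thread asks for concrete hints a reviewer can look for (hard-coded values, encoded strings, trigger points for logic that the use case does not need) and notes that source-to-sink tooling misses them. The script below is an added illustration of that idea for a Python codebase; it is not from the thread, from OWASP, or from the Code Review Guide. It walks the AST rather than tracing data flow and reports four shapes: a branch guarded by a long string literal, a branch whose condition reads the clock, a string literal that is really a base64 blob of readable text, and eval/exec/compile applied to anything other than a plain literal. The module it scans is constructed for the example, the thresholds (8-character secrets, 16-character blobs, 90% printable) are arbitrary assumptions, and it needs Python 3.8 or later for ast.get_source_segment.

```python
"""Heuristic scan of Python source for backdoor and logic-bomb indicators.

Added example for this thread, not code from OWASP or the Code Review Guide.
It walks the AST instead of tracing source to sink: a backdoor is extra
logic with a trigger, not a data-flow bug, so the scan looks for trigger
shapes (hard-coded string comparisons, time conditions), hidden payloads
(base64 blobs that decode to readable text) and dynamic code execution.
The thresholds below are arbitrary assumptions; tune them per codebase.
"""
import ast
import base64
import binascii
import re

# Constructed sample module with a planted master-password check, a
# date-armed branch and an encoded payload handed to exec(). Not real code.
SAMPLE_SOURCE = '''
import base64, datetime

def check_login(user, password, store):
    if password == "x7Gq!bootstrap-9921":
        return True
    return store.verify(user, password)

def nightly_job():
    if datetime.date.today() > datetime.date(2015, 12, 31):
        exec(base64.b64decode("aW1wb3J0IG9zOyBvcy5zeXN0ZW0oImlkIik="))
    rotate_logs()
'''

B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")  # assumed minimum blob length
MIN_SECRET_LEN = 8          # assumed: shorter literals are usually enums or flags
DYNAMIC_EXEC = {"eval", "exec", "compile", "__import__"}
TIME_ATTRS = {"today", "now", "utcnow", "time"}
TIME_NAMES = {"datetime", "date", "time"}


def _looks_base64(text):
    """True if text is a base64 blob whose decoded bytes are mostly printable."""
    if not B64_RE.match(text):
        return False
    try:
        decoded = base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError):
        return False
    return sum(32 <= b < 127 for b in decoded) >= 0.9 * len(decoded)


def _mentions_time(node):
    """True if the expression reads the clock or names a time module."""
    for n in ast.walk(node):
        if isinstance(n, ast.Attribute) and n.attr in TIME_ATTRS:
            return True
        if isinstance(n, ast.Name) and n.id in TIME_NAMES:
            return True
    return False


def find_indicators(source):
    """Return sorted (line, kind, detail) findings for a Python source string."""
    tree = ast.parse(source)
    findings = []
    for node in ast.walk(tree):
        # Trigger points: a branch guarded by a long string literal or by the date.
        if isinstance(node, ast.If) and isinstance(node.test, ast.Compare):
            for operand in [node.test.left] + node.test.comparators:
                if (isinstance(operand, ast.Constant) and isinstance(operand.value, str)
                        and len(operand.value) >= MIN_SECRET_LEN):
                    findings.append((node.lineno, "hardcoded-compare", operand.value))
            if _mentions_time(node.test):
                findings.append((node.lineno, "time-trigger",
                                 ast.get_source_segment(source, node.test)))
        # Hidden payloads: string literals that are really encoded text.
        if (isinstance(node, ast.Constant) and isinstance(node.value, str)
                and _looks_base64(node.value)):
            decoded = base64.b64decode(node.value).decode("ascii", "replace")
            findings.append((node.lineno, "encoded-string", decoded))
        # Dynamic execution of anything that is not a plain literal.
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                and node.func.id in DYNAMIC_EXEC
                and not (node.args and isinstance(node.args[0], ast.Constant))):
            findings.append((node.lineno, "dynamic-exec",
                             ast.get_source_segment(source, node)))
    return sorted(findings)


if __name__ == "__main__":
    for line, kind, detail in find_indicators(SAMPLE_SOURCE):
        print(f"line {line:>3}  {kind:<18} {detail}")
```

On the constructed module this yields four findings: the master-password comparison on line 5, the date-armed branch on line 10, and on line 11 both the exec() of non-literal input and the blob it decodes, which reads import os; os.system("id"). The output is a shortlist for a human to read, not a verdict: legitimate code compares against long header names and checks dates too, and the harder half of the job in the thread, deciding that a branch is unnecessary for the use case it sits in, is still a reviewer's call.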

