[Owasp-leaders] Code review for backdoors

Jeff Williams jeff.williams at owasp.org
Wed Mar 11 21:00:08 UTC 2015


You may find some interesting guidance in a paper I did at BlackHat. Remember that any vulnerability might be put there on purpose. So a malicious code review has to include a regular code review.
https://www.blackhat.com/presentations/bh-usa-09/WILLIAMS/BHUSA09-Williams-EnterpriseJavaRootkits-PAPER.pdf

--Jeff

Jeff Williams | CTO
Contrast Security
@planetlevel @contrastsec

On Wed, Mar 11, 2015 at 1:51 PM -0700, "Ali Khalfan" <ali.khalfan at owasp.org> wrote:

yes,

one reason I wanted to set up some sort of guideline is for peer reviewing. The last thing a developer would want to do is read code they did not create prior to deployment. So, it would be easier to have a guideline telling the developer what to look for (e.g. hard-coded values, encoded strings, etc.). Another reason would be for the security reviews and auditors who have tools, but of course tools may detect security weaknesses, not backdoors or logic bombs. Thus, I think giving the reviewers general 'hints' on what to look for would be very helpful.

If you have a link or summary of the Cigital session, please do share.

Ali

On 03/11/2015 10:38 PM, Gary Robinson wrote:

Hi Ali,

I can confirm the latest version of the code review guide (in progress) doesn't mention intentional backdoors either. This does tie in with an interesting session Cigital put on last week about developers (in house or 3rd party) being the 'bad guy' inserting vulnerabilities/backdoors.

If you have some technical ideas or content let us know. I've never seen any technical advice on spotting intentional backdoors, however peer source code review (and audit or security reviews) would be the best way of catching this.

Gary

On Wed, Mar 11, 2015 at 7:06 PM, Azzeddine Ramrami <azzeddine.ramrami at owasp.org> wrote:

All backdoors exploit security flaws in the apps. A good code review can detect security flaws in the code.

You can also do a reverse engineering technique or fuzz testing to detect security bugs in the apps.

Azzeddine

On Wed, Mar 11, 2015 at 8:02 PM, Aaron Guzman <aaron.guzman at owasp.org> wrote:

Backdoors are typically at the hardware or embedded level where it's harder to locate. Usually ODMs and OEMs fall victim to this. Typically because they use "backdoors" for debugging and testing purposes during manufacturing. A solution is to test and analyze your code from third parties. Whether that's through IDA or other means.

--
Aaron G
OWASP-LA Board Member
Twitter: @scriptingxss
Linkedin: http://lnkd.in/bds3MgN

On Mar 11, 2015, at 11:27 AM, psiinon <psiinon at gmail.com> wrote:

How about: "Don't put them in" ??

;)

On Wed, Mar 11, 2015 at 6:22 PM, Ali Khalfan <ali.khalfan at owasp.org> wrote:

The OWASP code review guidelines do a great job at looking for vulnerabilities. However, they will not address intentional vulnerabilities such as backdoors and logic bombs.

I wanted to establish such a guideline, but I was wondering if there is any reference I could fall back on?

Ali

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

-- 
OWASP ZAP Project leader

-- 
Azzeddine RAMRAMI
+33 6 65 48 90 04.
Enterprise Security Architect
OWASP Leader (Morocco Chapter)
Mozilla Security Projects Mentor

_______________________________________________
OWASP-Leaders mailing list
OWASP-Leaders at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-leaders
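The review "hints" Ali asks for (hard-coded values, encoded strings, logic bombs) can be turned into a first-pass checker that a peer reviewer runs before reading a change by hand. The script below is an added example written for this thread, not code from the OWASP Code Review Guide or from any poster; the source it scans is a constructed sample, the rule names and the entropy threshold are choices of this example, and the rules are only heuristics that point a human at lines worth a second look. As Jeff notes, this does not replace an ordinary vulnerability review; it sits beside it.

```python
"""Heuristic 'backdoor hint' scanner for peer code review (added example).

Flags four shapes a reviewer was asked to look for in the thread:
hard-coded credential comparisons, long encoded string literals,
decoded data passed straight to a code-executing call, and branches
that depend on the clock (the usual logic-bomb shape).
"""
import math
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    line_no: int
    rule: str
    text: str


# Identifier that smells like a credential, compared to a string literal.
CRED_COMPARE = re.compile(
    r"\b\w*(pass(word|wd)?|pwd|secret|token|api_?key)\w*\s*==\s*['\"][^'\"]+['\"]",
    re.IGNORECASE,
)
# A string literal of 24+ chars drawn only from the base64 / hex alphabet.
ENCODED_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/=_-]{24,})['\"]")
# Decoded bytes handed to something that executes them.
DECODE_THEN_EXEC = re.compile(
    r"\b(eval|exec|Function|system|popen)\s*\(.*(b64decode|decode|unhexlify|fromhex)"
)
# A conditional that reads the clock: date-triggered behaviour needs a reason.
TIME_CONDITION = re.compile(r"\bif\b.*\b(datetime|date\(|time\.time\(|strftime|localtime)")


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking literals score high, version strings low."""
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_source(source: str, entropy_threshold: float = 3.5) -> list[Finding]:
    """Return findings in line order. Comment-only lines are skipped."""
    findings: list[Finding] = []
    for no, line in enumerate(source.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if CRED_COMPARE.search(line):
            findings.append(Finding(no, "hard-coded-credential", stripped))
        for literal in ENCODED_LITERAL.findall(line):
            # Entropy check keeps long but boring literals (e.g. padding) out.
            if shannon_entropy(literal) >= entropy_threshold:
                findings.append(Finding(no, "encoded-literal", stripped))
                break
        if DECODE_THEN_EXEC.search(line):
            findings.append(Finding(no, "decode-then-execute", stripped))
        if TIME_CONDITION.search(line):
            findings.append(Finding(no, "time-triggered-branch", stripped))
    return findings


# Constructed sample module; the base64 literal is just an encoded sentence.
SAMPLE = '''\
import base64, datetime

def login(user, password):
    if user == "support" and password == "s3cretbackd00r":
        return True
    return check_db(user, password)

PAYLOAD = "dGhpcyBpcyBqdXN0IGEgY29uc3RydWN0ZWQgc2FtcGxl"
def run():
    exec(base64.b64decode(PAYLOAD))

def cleanup():
    if datetime.date.today() > datetime.date(2015, 12, 31):
        purge_everything()

VERSION = "1.0.0"
'''

if __name__ == "__main__":
    for f in scan_source(SAMPLE):
        print(f"line {f.line_no:>3}  {f.rule:<22}  {f.text}")
```

Each hit is a prompt for the reviewer, not a verdict: a date check in a licence module or a base64 blob in a test fixture may be entirely legitimate, and the value of the tool is that the author now has to explain them in review. Tune the literal length and entropy threshold to the code base, and extend the rule list as the team agrees on more hints.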