X-Ray Vision for Bug Finders

Forthcoming tool is a reverse engineer's dream, but it could also result in more software bug discoveries

A new tool for malware researchers and reverse engineers could make it easier to pinpoint bugs and flaws in commercial, closed-source software.

Sabre Security's BinNavi product -- which is expected to be released sometime this month -- provides visualization and graphical views of executable code in closed-source software. In essence, it speeds auditing and testing by consolidating the binary code into more digestible and relevant pieces of code.

Think of it as x-ray vision for finding vulnerabilities in closed-source software, says Thomas Ptacek, a researcher with Matasano Security, who has tested BinNavi for auditing software.

Ptacek says the tool lets him see inside compiled binary code with a graphical map of the components. "Instead of reading millions of lines of machine code, I can look at the picture, spot important components, zoom in, and see how they relate to the rest of the program."

With the tool, Matasano has found flaws in an authentication protocol, fixed a bug in a Windows server, and mapped out a proprietary file-transfer protocol, Ptacek says.

Reverse-engineering expert Thomas Dullien (a.k.a. Halvar Flake), CEO and head of research for Sabre Security, says BinNavi isn't really a true bug-finder, but it often leads to bug discovery. It's more of a visualization and documentation framework for large, closed-source systems: "The vulnerability assessment aspect is a side benefit to that," says Dullien, who headed up development of the tool.

BinNavi, which runs atop a SQL database, lets you quickly see whether you can break an application, for instance, or debug and analyze the code running on a network device, he says. It can also help, say, an antivirus malware researcher analyze rogue code.

"It would make sense to folks who do malware analysis...or anyone trying to get a really solid view of how an application works, or trying to decode some gnarly, self-modifying executable," notes researcher HD Moore.

Matasano's Ptacek says it's for companies like his that find and fix security flaws in shrink-wrapped software, as well as for IPS companies building signatures, and even for network device vendors that must implement new, undocumented protocols.

There are similar tools from F-Secure and Pedram, but F-Secure's tool is focused on malware analysis, and Pedram's PaiMei doesn't have the graphical browsing and searching that BinNavi does, observers say.

Why should IT security pros who aren't reverse-engineering experts care about a tool like BinNavi? "Because tools like these are erasing the 'security through obscurity' advantage that closed-source software has claimed over open-source," Ptacek says. "Security teams should assume attackers can find bugs in Oracle and IOS as easily as they can in Apache now."

BinNavi's initial pricing is from $4,000 to $48,000.

— Kelly Jackson Higgins, Senior Editor, Dark Reading