Bug in Flash Player when processing PNG format
The Bug: The PNG file consists of a sequence of data structures called chunks. A chunk has a Length field that is a DWORD value. A specially crafted Length field can cause integer overflow in Flash...
Trace And Watch
This is how I recently performed dynamic integer analysis on a 32-bit binary application that reads DWORD values from the file. The file format contains many fields of type DWORD. There was given a...
On-the-fly Switching Between Debuggers
Sometimes it's useful to switch between debuggers without restarting the target application. One example is when you want to use a capability of another debugger that the current one doesn't have...
Tracking Down by Pin
Recently I faced a challenging situation. At first sight it looked like a common debugging problem that could be solved with some experimentation, but the more time I spent on it the more...
Change of Execution Flow in Debugger
When debugging, sometimes we need to force the execution to either take or not take a conditional jump. There are several ways to achieve this. One possibility is to overwrite the conditional jump with...
Thoughts About Finding Race Condition Bugs
Race condition bugs can exist in multi-threaded applications. Improper synchronization can be the root cause of race condition bugs. Stress testing is a good start for finding such bugs. It might not...
Examining Unknown Binary Formats
This post discusses methods for examining unknown binary formats, whether a file, a file fragment, or a memory dump. Before discussing the methods, I describe a few scenarios when...
You May Not Need to Debug SSE Instructions
There are binaries that contain two implementations of the same algorithm. The first one is built to run on all architectures and so consists of i386 instructions only. The second one is...
Inspection of Division & Multiplication
Division and multiplication calculations can trigger bugs and potentially pose security risks. Here are a few things that I believe to be helpful for those who do binary...
Order of Memory Reads of Intel's String Instructions
Neither the Intel Manual nor Kip R. Irvine's assembly book discusses the behavior of x86 string instructions I'm describing in this post. Given the following instruction that compares the byte at ESI...
Security Implications of IsBad*Ptr Calls in Binaries
The IsBad*Ptr [1] functions are used to test whether the memory range specified in the argument list is accessible. Despite the fact that they have been banned, they are still referenced in many binaries...
Issues with Flash Player & Firefox in Non-default Configurations
A few months ago I encountered a bug when a fuzzed Flash file was rendered by Flash Player in Firefox. This bug can be reached only in the non-default configuration described below, so it is very unlikely...
251 Potential NULL Pointer Dereferences in Flash Player
251 potential NULL pointer dereference issues have been identified in Flash Player 14 by a pattern-matching approach. The file examined is NPSWF32_14_0_0_145.dll (17,029,808 bytes). The issues are...
Examining Native Code by Looking for Patterns
Earlier this year a post was published on examining a data format without using the program that reads it. That post discusses patterns to look for in order to identify certain constructs. This...
Inspection of SAR Instructions
SAR stands for Shift Arithmetic Right, and the instruction performs an arithmetic shift. The instruction preserves the sign of the value being shifted, so the vacant bits are filled according to the...
Practical Suggestions for Writing a Pintool
This is my list of practical suggestions for people developing a pintool. Since I have dealt with these issues previously, I thought I'd jot them down to help others. By applying them you should be somewhat closer to...
Instrumenting Flash Player to Inspect JITted Pages for Integer Errors
In this blog post I'm writing about the method I am experimenting with to discover areas in Flash Player that may or may not be prone to integer errors. I have 26k Flash files that are used as a...
Variable-length permutation with repetition using backtracking
Recently I needed an implementation of a search algorithm that meets the following requirements. It must be able to produce the variable-length permutations with repetition of a given set. It must be...
Use of refactor can make Visual C# 2013 crash
For a change I'm working on a C# project that has not much to do with security. I was happy to rediscover and use the refactor feature in Visual C# 2013, up to the point where it crashed. Here are the simplified...
EMET Can Interfere With Pin
Sometimes, no matter how simple your pintool is, it crashes when run against the target. Recently I investigated such a crash. One of my pintools randomly crashed, hung, or terminated, as well as...
Arrangement Of The Variables In Data Structures
Let's assume that an extensive code review had identified the direct security issues and the developers eliminated them all. Now the code is free from bugs. How nice to write that. :-) That would not be the...
Even Calculator Has Bugs
Windows Calculator (calc.exe) has a functional bug that is associated with the clipboard and the integers below.
INT8_MIN -128
INT16_MIN -32768
INT32_MIN -2147483648
INT64_MIN -9223372036854775808
In...
Simple Code Coverage Analyzer
coco.cpp is a simple pintool for code coverage analysis. It comes with the Pin Framework. The reason I'm writing a post about it is that it's a really simple but well-designed tool. The code coverage...
Fully Managed C# Can Corrupt Memory
In this post I'm writing about memory corruption in fully managed C# code. On the internet, many people claim that managed C# should be immune to memory corruption. Even reputable organizations...
Managed out-of-bound access in DeflateStream (.NET)
Recently I ran a test of the robustness of the Deflate implementation in the .NET Framework. It was written in Visual Studio 2013 using C# and the DeflateStream class. The test came back with one issue worth...