proxbbe | ProXBBE

proxbbe is a Ruby library typically used in Institutions, Learning, Education applications. proxbbe has no bugs, it has no vulnerabilities, it has a Permissive License and it has low support. You can download it from GitHub.

ProXBBE traces an executed binary and records all instructions, along with the corresponding CPU State, i.e. register values. As soon as a syscall is executed, which is responsible for receiving network traffic, its parameters and return value are recorded and saved in the execution trace. This makes it possible to determine where the network message was copied to, to be more specific the memory address and size of the message. Later, a second tool, the analyzer, takes the trace as input. The recorded syscalls determine the buffers with relevant messages. We taint the memory areas, as soon as they appear in the traces. Tainting, often referred to as Dynamic Flow Tracking (DFT), means we mark a memory area of interest and track accesses to that area. One has also to ensure, that when data copied from tainted areas, the destination is marked accordingly (Taint Spreading). Ruby and Perl have built-in support for DFT. One can retrieve the status of a variable to determine whether it's tainted or not. This mechanism can be used to track untrusted data across the application and detect its usage, e.g, for SQLi detection or when tainted data find its way into the Program Counter, which heavily suggests a buffer overrun. While a simple implementation presents "taint" in a binary way (tainted or not), other use cases require more information. To determine field boundaries the Taint Engine must contain offset information of the network message for every memory access. For example, if a successful comparison at the seventh byte of the network message happens against a one byte long static value, one could assume the byte at position seven represents a field (that's an oversimplified example). Making assumptions about how network protocols are parsed, ProXBBE analyzes memory access to the packets to infer field boundaries and their (rough) semantics. In the following I'll give a very short description on how ProXBBE determines field boundaries and their semantics. Again, if you want more details I'd like to refer you to the project documentation, linked above. Delimiters are one or multiple bytes which segregate fields of variable length. The assumption behind the inference approach is that the message is compared byte by byte against a fixed value. All unsuccessful comparisons against a consecutive byte sequence state a field, which is in scope of a delimiter. The first successful compare determines the delimiter byte. If the following compared byte or bytes yield yet another successful compare, the delimiter is extended by this byte(s). The intuition is the target program will compare bytes at offset 0 to 15 to the constant value "\r". The comparison at offset 15, in contrast to the ones before, is successful. Therefore, we conclude bytes 0-14 are delimited by the delimiter "\r". When consecutive successful comparisons follow, the delimiter is extended by this bytes. The maximum length of a delimiter is limited to four, with the rationale delimiters tend to be short. Keyword fields consist of bytes known to the target program, beforehand. These are fixed byte-values the network message is compared against. This work follows Polyglot's intuition that keywords can be found by extracting true comparisons. Therefore, this inference phase reuses the compare-instructions, extracted during delimiter inference. All true compare-instructions are considered as part of a keyword. Subsequent true-comparisons are considered as one keyword. As soon as an address does not yield such a comparison, a keyword is closed. A further constrain is that keywords cannot contain already inferred delimiters. Direction fields relate to other fields inside the same message. In most cases these are length fields used to calculate pointers of other variable-length fields, so called target fields. A direction field can be determined as soon as its value is used as an offset for another field. This field is not the corresponding target field but the following. We collect all instructions which access a tainted memory area and at the same time use a tainted base or index register to calculate the address. The value from the tainted base/index register is considered as direction field, and the resulting destination memory address as the beginning of the field after the target. We conclude that the end of the desired target field is one byte earlier. Still, we can not conclude the address of its beginning. Therefore, we temporarily assume the beginning to be one byte after the direction field's end. We change this assumption as soon as any other field was found during other inference stages. If multiple targets have been found, the smaller address is used. It is possible the pointer increment is done by a constant value inside a loop, and therefore, is not tainted. In order to find these fields all loops with a tainted stop condition, i.e. compares with one tainted operand, are extracted. This operand is considered as direction field, and message fields without a tainted base or index accessed within the loop are considered as direction field. This pattern is often found when the target field has a fix length and the direction is a counter for the amount of records, e.g., DNS. Fixed-length fields are fields that are used by an application at a time. For their detection ProXBBE collects all tainted accesses to the received message. Every access on a memory range is considered as an fixed-length field. As soon as memory accesses occur on overlapping ranges, these are merged together. Due to architecture-based restrictions (64-bit CPU) an application can access a maximum of eight bytes at a time. However, since most protocols were designed with portability in mind, it is more likely their maximum field lengths are 4 byte long. Since, previous inference phases already determined variable-length fields, we exclude these memory area from the list of fixed-length fields.