Automatic Vulnerability Injection and Al Qaeda

[Photo: Elephant_man]

A couple days ago I was catching up on a couple of the security blogs I follow and two of the posts I read gave me an idea.

The first post I read was from Jeff Bardin at the CSO Online blog. It offers some analysis of the Mujahedeen Secrets 2 software that was recently released by Al Qaeda to help facilitate secure communications between Islamic fundamentalist/terrorist types. This is basically a toolkit for doing encryption and steganography, with Arabic help files, and the target audience is terrorist cells that want secure communications. Jeff Bardin, an ex-NSA analyst, has some interesting observations on the increasing technical sophistication of Al Qaeda.

The second post I read was from the Veracode blog.  It was a post from November that looked at techniques for automatically injecting vulnerabilities into an application.  In the base case this could be done by replacing safer calls to strncpy() with unsafe calls like strcpy() and would basically be the opposite of what products like Fortify Defender try to do.

That got me to thinking – if I were at CIA or NSA (and I wanted to take time off from running Facebook, LinkedIn and all those other SoCIAl networking sites) it would be handy for me to have some technology that would take an application binary such as the Mujahedeen Secrets toolkit and inject a bunch of vulnerabilities.  Then I could post that updated binary to my favorite Islamist/terrorist message board and wait for folks to start using it.

Obviously the vulnerabilities to be injected would have to be thought out and crafted so that they would actually be useful in disrupting and intercepting communications and accomplishing other intelligence goals.  But the cool thing about this would be that the base-level technology would probably work much the same as the source code or binary analysis being done now to find security defects.  Instead of finding dataflows that take tainted source data and send it to a sink without running it through a cleaning function, the software could identify those cleaning functions and replace them with NOOPs.  Now my question is: would it be easier to create a tool that would automatically patch up security defects?  Or to create a tool that would automatically inject security defects?  I’ll leave that as an exercise for the reader…

–Dan
dan _at_ denimgroup.com
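The source-to-sink dataflow check described above, run over a build before and after its cleaning function is swapped for a pass-through, as an added example that is not from the original post. The straight-line toy IR and every function name in it (`read_message`, `validate`, `copy`, `process`, `store`) are constructed for illustration.

```python
# Toy straight-line IR: (dest, function, [args]). All names are constructed.
SOURCES = {"read_message"}   # returns untrusted (tainted) data
SANITIZERS = {"validate"}    # the "cleaning function": output is clean
SINKS = {"store"}            # must never receive tainted data


def find_tainted_sinks(program):
    """Return [(index, sink, arg)] for each sink call fed by tainted data."""
    tainted, findings = set(), []
    for i, (dest, func, args) in enumerate(program):
        hot = [a for a in args if a in tainted]
        if func in SINKS:
            findings += [(i, func, a) for a in hot]
        if dest is None:
            continue
        if func in SOURCES or (hot and func not in SANITIZERS):
            tainted.add(dest)        # taint propagates through ordinary calls
        else:
            tainted.discard(dest)    # sanitized or built from clean inputs


    return findings


# Constructed sample: the build as shipped by its maintainers.
ORIGINAL = [
    ("msg", "read_message", []),
    ("clean", "validate", ["msg"]),
    ("out", "process", ["clean"]),
    (None, "store", ["out"]),
]

# Constructed sample: same build with the cleaning call replaced by a copy.
TAMPERED = [
    ("msg", "read_message", []),
    ("clean", "copy", ["msg"]),
    ("out", "process", ["clean"]),
    (None, "store", ["out"]),
]


def new_findings(before, after):
    """Findings present in `after` but absent from `before`."""
    seen = set(find_tainted_sinks(before))
    return [f for f in find_tainted_sinks(after) if f not in seen]


if __name__ == "__main__":
    print("original:", find_tainted_sinks(ORIGINAL))
    print("new in tampered:", new_findings(ORIGINAL, TAMPERED))
```

The same analysis that passes the original build flags the modified one, which is why comparing findings between a trusted build and a redistributed copy catches a removed sanitizer.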

(Photo is another I took in Costa Rica while on a zipline tour through the jungle)

About Dan Cornell

A globally recognized application security expert, Dan Cornell holds over 15 years of experience architecting, developing and securing web-based software systems. As the Chief Technology Officer and a Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process. He is also the original creator of ThreadFix, Denim Group's industry-leading application vulnerability management platform.