Wednesday, 11 April 2012

Recx SDL Binary Assurance, BinScope and LookingGlass

So we've had a few questions around what Recx SDL Binary Assurance does compared to Microsoft's BinScope (video) and Errata Security's LookingGlass. Hopefully the tables below will explain the differences in terms of what each tool identifies.

SDL Checks

The following specific SDL checks are performed on the binaries. Where the check-name cell is empty, the name was not captured with the rest of the row.

| Check | Recx SDL Binary Assurance | Microsoft BinScope | Errata Security LookingGlass | Purpose / Comments |
|---|---|---|---|---|
| /GS (Stack Cookies) | Yes – without symbols | Yes – with symbols | No | Checks for the presence of stack cookie usage in the binary. Recx uses heuristics. Microsoft uses symbols and is therefore able to detect partial application of stack cookies. |
| | Yes | Yes | Yes | Checks that the binary opts into ASLR. |
| /NXCompat (DEP) | Yes | Yes | Yes | Checks that the binary opts into DEP. |
| | Yes | Yes | No | Checks that 32-bit binaries use SafeSEH. |
| Compiler version | Yes – without symbols | Yes – with symbols | No | Recx uses the Rich header. Microsoft uses symbols. |
| | Yes | No | No | Checks if the binary requests UAC UI access. |
| | Yes | No | No | Checks the UAC privilege level the binary requests to run as. |
| | Yes | No | No | Checks for usage of this function. Indicates SDL awareness if used and provides further defences. |
| | Yes | No | No | Checks for usage of this function. Indicates SDL awareness if used and provides further defences. |
| | Yes | No | No | Checks for usage of this function. Indicates SDL awareness if used and provides further defences. |
| | Yes | No | No | Checks for usage of this function. Risk of undermining ASLR if used. |
| Process Heap Executable | Yes | No | No | Checks that the default process heap is not executable. |
| Insecure Section | Yes | Yes | No | Checks if any section of the binary is both shared and writeable. |
| | Yes | No | No | Checks if the binary uses force integrity. |
| LoadLibrary / DLL Planting Mitigations | Yes | No | No | Checks if the binary uses LoadLibrary and, if it does, whether it uses DLL planting mitigations. |
| | Yes | No | No | Indicates if delay-loaded imports are used, due to their potentially increased susceptibility to DLL planting. |
| | Yes | No | No | Checks if the binary is susceptible to MS12-001. |
| | Yes | Yes – via Windows 8 SDK | No | Checks if the binary runs in a Windows 8 App Container. |
| .NET Fully Managed | Yes | No | No | Checks if the .NET binary is fully managed. Binaries that are not fully managed may be susceptible to memory corruption. |
| .NET Skip Validation | Yes | No | No | Checks if the .NET binary is marked to skip strong name validation. |
| | Yes | Yes | No | Checks if the .NET binary uses strong name checks. |
| | Yes | Yes | No | Checks if the .NET binary allows partially trusted callers. |
| Banned SDL API Usage | Yes | No | Yes | Checks if the binary uses banned or unsafe APIs. |
| ATL Header Version Check | No | Yes – with symbols | No | Checks if the COM binary uses known bad versions of the ATL header. Source: BinScope documentation. |
| | No | Yes – with symbols | No | Checks if the COM binary uses IPersistStreamInit implementations that have potentially vulnerable property map entries. Source: BinScope documentation. |
| | No | Yes – with symbols | No | Checks if the binary initialises the GS cookies in a safe manner. Source: BinScope documentation. |
| | No | Yes – with symbols | No | Checks whether stack ordering was not performed because optimisations were disabled. For details on when /GS won't be applied see MSDN. Source: BinScope documentation. |
| | No | Yes – with symbols | No | Checks if a function was declared __declspec(safebuffers). Source: BinScope documentation. |
| Global Function Pointers | No | Yes – with symbols | No | Checks if global function pointers are used. If static buffers and global function pointers are present, stack cookie protection won't be applied. Source: BinScope documentation. |
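Several of the checks above (ASLR, DEP, force integrity, App Container and the shared-and-writeable "Insecure Section" check) are answered purely from PE header bits, with no symbols needed. The following is an added example, not code from Recx, BinScope or LookingGlass, that reads those bits straight from a PE image with the standard library; the flag values are the documented IMAGE_DLLCHARACTERISTICS_* and IMAGE_SCN_* constants, and build_sample() fabricates a headers-only PE32 image purely to exercise the check.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* bits (winnt.h) mapped to the table's check names.
DLL_FLAGS = {
    "ASLR": 0x0040,             # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
    "Force Integrity": 0x0080,  # IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY
    "/NXCompat (DEP)": 0x0100,  # IMAGE_DLLCHARACTERISTICS_NX_COMPAT
    "App Container": 0x1000,    # IMAGE_DLLCHARACTERISTICS_APPCONTAINER
}
SCN_MEM_WRITE, SCN_MEM_SHARED = 0x80000000, 0x10000000  # section Characteristics


def audit_pe(data):
    """Return {check name: bool} plus the names of shared+writeable sections."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]       # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ optional headers.
    dllchar = struct.unpack_from("<H", data, opt + 70)[0]
    result = {name: bool(dllchar & bit) for name, bit in DLL_FLAGS.items()}
    # Section table follows the optional header: 40-byte entries, Characteristics last.
    insecure, sec = [], opt + opt_size
    for _ in range(nsections):
        chars = struct.unpack_from("<I", data, sec + 36)[0]
        if chars & SCN_MEM_WRITE and chars & SCN_MEM_SHARED:
            insecure.append(data[sec:sec + 8].rstrip(b"\0").decode("ascii", "replace"))
        sec += 40
    result["Insecure Section"] = bool(insecure)
    result["insecure_sections"] = insecure
    return result

def build_sample(dllchar, section_chars):
    """Constructed, headers-only PE32 image (no code) with one section, for testing."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)          # e_lfanew = 64
    opt_size = 224                                             # PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                      # PE32 magic
    struct.pack_into("<H", opt, 70, dllchar)
    sec = b".shared\0" + b"\0" * 28 + struct.pack("<I", section_chars)
    return dos + b"PE\0\0" + coff + bytes(opt) + sec
```

audit_pe() takes the raw bytes of any PE file (for example `open(path, "rb").read()`); a real binary that passes the tool checks above would report ASLR and DEP as True and an empty insecure_sections list.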


Informational Fields

The following informational fields are also provided (a subset):

| Information | Purpose / Comments |
|---|---|
| Platform | Platform the binary targets |
| 32-bit or 64-bit | Whether the binary is 32-bit or 64-bit |
| Company | Company name from the file properties |
| Signer | Who signed the binary |
| Signature type | Type of signature and its strength |
| MD5 | MD5 of the binary |
| SHA1 | SHA1 of the binary |
| Manifest | Manifest of the binary |
| Import table | List of imported functions |


Another Thanks

We like thanking people! We only found out last night that Ivan Medvedev of Microsoft is the brains behind the DLL we use for PE parsing (he also writes BinScope!). We'd like to thank Ivan for his excellent work, as it cut down our development effort significantly.
