Tuesday, 10 April 2012

Recx SDL Binary Assurance for Windows goes 1.0

Here at Recx we strive to create products that help organisations to be more secure while not requiring everyone to be a security expert. Our latest product is the embodiment of this philosophy.

The product? 
It's called Recx SDL Binary Assurance for Windows. This, as the name suggests, is a Secure Development Life-cycle support tool for analysing Microsoft Windows binaries.

What does it do? 
In short it's primarily designed for development teams, quality assurance teams and end-user organisations (who aren't necessarily security experts) to identify potential weak points in Windows binaries. Such weaknesses can indicate the level of SDL health for a particular binary or product and thus act as a risk indicator.

Why should I care?
A majority of code will likely have security bugs. Microsoft provides a plethora of mitigations at the compiler and operating system level that can complicate the exploitation of certain classes of vulnerability. If you're a vendor and don't fully leverage these mitigations today, or you're an organisation and your vendors aren't , then the simple question is why? By getting these basics right, vendors can carry a higher number of unpatched bugs (ROI) and end-user organisations can gain confidence that there is some mitigation against the unknown.

How does it work? 
We don't rely on source code or symbols (unlike Microsoft's BinScope). The first reason for this is to allow the assessment of binaries where the code or symbols is not available. For example, source code or full private symbols may not be available if you've licensed a DLL from a third party or for end user organisation. The other reason was allow verification of build environments, even if source is available. 

What does it check for?
We check the following aspects of a binary:
  • Compiler versions: Identifies weaker compilers that don't have some protections or that implemented weaker mitigations.
  • Linker versions: Identifies older versions of Microsoft's tool suite
  • SafeSEH: Identifies those binaries that omit 32bit SafeSEH information.
  • DEP (Data Execution Prevention) - NX/XN: Identifies binaries that don't indicate they're safe for DEP
  • ASLR (Address Space Layout Randomisation): Identifies binaries that don't indicate they're safe for ASLR.
  • Stack Cookies: Identifies binaries which don't contain stack cookies.
  • UAC UI Access: Identifies binaries which indicate they need UI access.
  • UAC Integrity Level: Detail the integrity level the binary requests to run as.
  • HeapSetInformation: Identifies executable which don't reference HeapSetInformation as this indicates they won't set the terminate on heap corruption flag.
  • SetProcessDEPPolicy: Identifies executables which don't reference SetProcessDEPPolicy as this indicates they wont force DEP on always.
  • VirtualAlloc: Identifies executables that reference VirtualAlloc as it is not subject to ASLR. That is of course unless you use our free VirtualAlloc_s implementation.
  • EncodePointer: Identifies binaries which don't reference EncodePointer as this is an indication that defence in depth has been used.
  • Process Heap Executable: Identifies binaries which have their default process heap as executable.
  • Insecure Sections: Identifies binaries which have sections which are shared and writeable.
  • LoadLibrary / DLL Planting Mitigations: Two checks, the first checks for binaries that reference LoadLibrary, but we then check to see if they also reference DLL planting mitigations.
  • MS12-001: Identifies binaries which are subject to the anomaly that MS12-001 mitigates.
  • AppContainer: Identifies binaries which run inside an AppContainer on Windows 8.
  • .NET: We have four distinct .NET checks including fully managed and skip validation.
  • Microsoft Banned APIs: Both a count and list of which ones are used.

We also provide a number of informational fields including:
  • Binaries manifest
  • Producer
  • Code signer
  • Code signer issuer
  • Code signature type and strength
  • Imports
  • If delayed loading imports are used
  • MD5/SHA1 of binary
  • Platform
  • Binary type

We wrap this all up into an easy to use interface that supports both interactive and batch execution (output is CSV). The help is clear, providing where appropriate guidance on how to resolve any issues identified. 

Help example (click for larger version)
We have also provide colour coding in the user interface to flag those items which need further investigation.

Graphical Interactive Interface (click for larger version)

How much does it cost?
A single-user license costs 99 GBP plus taxes, per year.
A 20 license bundle costs 999 GBP plus taxes, per year.
(We can also process USD payments.)

How can I buy it?
To purchase on-line please visit our product page. Alternatively contact us via phone / e-mail or through our on-line form if you wish to raise a Purchase Order.

Thanks / Special Mentions
This release would not have been possible without a number of people outside of Recx. The people I would like to personally thank are:
  • Alex Lucas of Microsoft who helped us navigate the Microsoft legal machine. This was so we could re-distribute a Microsoft DLL with the product.
  • Ivan Medvedev of Microsoft who authored the Microsoft DLL we rely on for PE parsing (he's also the author of BinScope).
  • Michael K Brown of RIM (BlackBerry) for being extremely pragmatic by allowing me to carry on an idea I was developing prior to RIM and while there. 
  • Joshua J. Drake for putting up with questions around MS12-001.

No comments:

Post a Comment