Binary code analysis is a fairly new approach in application security domain and it is changing the way of software security perception. These topic and tools are quite complex and hence not widely used by the security researchers. Nullcon got a unique opportunity to interview Nilo Redini, Ph.D. student in the computer science department (SecLab) at UCSB, Santa Barbara, who has chosen binary analysis as his primary research area. In a freewheeling chat with Nullcon, Nilo answered questions about his upcoming Nullcon Goa 2018 talk and his ongoing research in binary analysis:

What is the key idea of your talk “BootStomp: On the Security of Bootloaders in Mobile Devices”?

The key idea is to analyze bootloaders and try to understand if they are resilient against malicious data, which might be written on persistent storage. In other words, the question we wanted to answer was: “Is the booting process on smartphone reliable regardless of whatever data is present on the hard drive?” Note that, with reliable we do not necessarily mean that the booting process must succeed, but if something is not ok, the user must be at least informed.

- In your opinion, what are the main challenges in securing mobile devices bootloaders?

The main challenge is to execute the bootloader in a virtualized environment. In order to run the bootloaders you often need the device mounting it. This fact makes static analysis the only viable solution, unless one is willing to buy the device, of course.

- You have mentioned Binary Analysis as one of your interests. This topic is quite complex so could you help simplify the topic for our readers

Yes, binary analysis is my main research interest. The main idea behind it is to try to answer questions like "is the program vulnerable to xyz attacks?", "can the program be forced to access sensitive data without a valid login?" and so forth, only relying on the information an analyst can get from the binary itself. This is like the worst-case scenario for a security analyst, as they cannot rely on several information, such as data structures or variable names.

- Taking this into account, what is the main usage of binary code analysis?

Well, honestly, I think it is binary exploitation. There are other cases, though. For example, one would want to be able to hook some functions in a proprietary program and add additional security checks.

- What are the main challenges of implementing/using binary analysis?

I would say having a sound yet precise analysis. This is a problem of program analysis in general, but in binary analysis is usually much harder. This is due to the fact that some information are lost after compilation. For example: variable names, data structures and sometimes function names. This makes the analysis of a program more difficult as one could extract some valuable (often semantic) information if these three were present. Generally speaking, the analysis are usually more precise if one can rely on the application source code.

- How binary analysis might help in the frame of Application Security?

If one could (potentially) retrieve all and only the possible flow transitions of the program (soundness and completeness) just relying on the binary, one could answer a great deal of interesting questions, such as "can this program state be ever reached if property X is not satisfied". In theory, one could rely on this sound and complete analysis to check whether a proprietary program is secure. Unfortunately this is, in the general case, impossible.

- Which application security issues binary analysis can help to detect?

I would say memory corruption vulnerabilities (such as buffer overflow, format string vulnerability and so forth), denial of service attacks due to non-adequately controlled user inputs and so on. Usually the problem is not "what one can detect", rather how precise the results of the analysis are. For example, one can detect buffer overflows relying on binaries as well as relying on source code. Usually the second option, if available, is preferred as the former might provide more false positives (meaning that several of the generated alarms are not possible buffer overflows). In some cases though, like for bootloader, the source code is not available to a security analyst, therefore the former option is the only one available.

- To sum everything up, what role has binary analysis played in creating of BOOTSTOMP?

BootStomp works completely on a binary level. It does not need source code. So I would say that BootStomp is all about binary analysis :)

And the last question. Why do you think it is important to attend events like nullcon?

I think it is important to organize and to attend such events in order to share ideas and solutions and push research forward.

Nilo Redini will be presenting his research at Nullcon Goa 2018. To meet him or know more about binary analysis, book your tickets for Nullcon 2018 here.