Date: Wed, 27 Sep 2023 08:24:39 +0000 (UTC)
From: Jason Long
To: SCOTT FIELDS via Gdb, Guinevere Larsen
Subject: Re: Debugging vs Reverse Engineering

Hi Gwen,
Thanks again. Can I send you a private email?

On Tuesday, September 26, 2023 at 05:03:51 PM GMT+3:30, Guinevere Larsen wrote:

On 24/09/2023 20:12, Jason Long wrote:
>
> Hi Larsen,

You can call me Guinevere, or Gwen :)

> Thank you so much for your reply.
> Your answer raised other questions in my mind.
> What do you mean by "Giving the program unexpected or malicious
> inputs."? Do you mean Fuzzing?

Fuzzing is one way to get a malicious input, but not the only one.
For instance, look at the following example code:

    #include <stdio.h>
    #include <stdlib.h>

    char* get_name() {
        char* name;
        int name_size;
        printf("Please enter the length of your name:\n");
        scanf("%d", &name_size);
        /* Vulnerable code here:  */
        name = (char*) malloc (name_size * sizeof(char));
        printf("enter your name:\n");
        scanf("%s", name);
        return name;
    }

    int main() {
        printf("Hello %s", get_name());
    }

For people used to looking for vulnerabilities, this has a very obvious
issue in not verifying the size of input when reading a string, so you
can just visually see that the input "1 AAAAAAAA" is enough to crash the
program, so that would also be considered a malicious input. However, if
you have a very big codebase, more complicated situations, or just
aren't used to it, you might need a fuzzer to generate random inputs to
see what makes your program crash.

The way you get to the answer is not important, the reason something is
called a "malicious input" is if the person who designed it had
malicious (evil) intent.

>
> Please take a look at these vulnerabilities:
> https://www.cvedetails.com/cve/CVE-2022-31705/
>
> https://www.cvedetails.com/cve/CVE-2023-32209/
>
> What technique did the person who found these vulnerabilities use?
> Debugging or Reverse Engineering?

There isn't really a way to tell after the fact. I am reasonably sure
the Firefox one wasn't reverse engineering, since all the code is open
source, so you don't need to reverse engineer it.

Quite likely both cases were just a fuzzer, and then some debugging was
involved to understand exactly why the program crashed and if it was
indeed a vulnerability or not, but there is no way to tell after the
fact, and honestly if it was a real vulnerability, I don't think it
really matters.

If you don't mind, why are you so interested in the distinction? I might
be able to explain better in that case.

-- 
Cheers,
Guinevere Larsen
She/Her/Hers

>
>
>
>    On Sun, Sep 24, 2023 at 4:53 PM, Guinevere Larsen
>    wrote:
>    On 24/09/2023 15:09, Jason Long via Gdb wrote:
>    > Hello folks, I have two questions:
>    Hello, thanks for the questions!
>    > 1- Can a debugger like GDB be used to find the vulnerability?
>
>    Yes, you could use GDB to find some security vulnerabilities, though
>    it is hardly the best tool for this job. The kind of stuff you'd find
>    with GDB is a logic mistake that leads to information leaks or
>    similar. In my experience, though, GDB is more useful to look at one
>    unexpected behavior and figure out if that leads to a security
>    vulnerability or not, rather than going from scratch and giving the
>    program unexpected or malicious inputs.
>
>    >
>    > 2- When a hacker finds a vulnerability in a program, has that
>    hacker used debugging techniques or reverse engineering?
>
>    Reverse engineering doesn't necessarily have to do with security.
>    Reverse engineering is the act of getting something that is not
>    understood and trying to understand it without having access to any
>    kind of documentation. I don't recommend running unknown binaries in
>    your machine, since GDB doesn't provide any security, but if you are
>    doing that, stepping slowly and trying to understand how the program
>    works, you are doing reverse engineering. It doesn't have to relate
>    at all to security.
>
>    With that in mind, the answer to your question is "it depends". The
>    stuff you can find with GDB alone will always involve debugging
>    techniques, but with regards to reverse engineering techniques, the
>    question is does the vulnerability come in from the fact that the
>    attacker knows the internal mechanisms for the program or not? If it
>    does, then yes you could say you found a vulnerability by reverse
>    engineering.
>
>    > Any idea welcomed.
>    >
>    > Thank you.
>
>    I hope this helps!
>
>    -- 
>    Cheers,
>    Guinevere Larsen
>    She/Her/Hers
>
>
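
Added example (not part of the original thread or of GDB): a bounded counterpart to the get_name() function quoted above. It validates the declared length and rejects a name longer than declared, so the thread's "1 AAAAAAAA" input is refused instead of overflowing the buffer. MAX_NAME_LEN, get_name_checked() and name_from_input() are names assumed for this illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#define MAX_NAME_LEN 256 /* assumed policy limit, not from the thread */

/* Returns a malloc'd name, or NULL on a bad length or an over-long name. */
char *get_name_checked(FILE *in)
{
    char tok[16], fmt[16], *end, *name;
    long n;
    /* Read the length as a bounded token and parse it strictly. */
    if (fscanf(in, "%15s", tok) != 1)
        return NULL;
    n = strtol(tok, &end, 10);
    if (end == tok || *end != '\0' || n < 1 || n > MAX_NAME_LEN)
        return NULL;
    if ((name = malloc((size_t)n + 1)) == NULL) /* +1 for the NUL */
        return NULL;
    /* "%<n>s": the field width caps the write at n bytes plus NUL. */
    snprintf(fmt, sizeof fmt, "%%%lds", n);
    if (fscanf(in, fmt, name) == 1) {
        int c = fgetc(in); /* pending non-space byte: name exceeded n */
        if (c == EOF || isspace(c))
            return name;
    }
    free(name);
    return NULL;
}

/* Helper added for the demo: feed an input string through a temp file. */
char *name_from_input(const char *input)
{
    FILE *f = tmpfile();
    char *name = NULL;
    if (f != NULL) {
        fputs(input, f);
        rewind(f);
        name = get_name_checked(f);
        fclose(f);
    }
    return name;
}

int main(void)
{
    char *bad = name_from_input("1 AAAAAAAA\n"); /* input from the thread */
    puts(bad ? bad : "(rejected)");
    free(bad);
    return 0;
}
```

A name shorter than the declared length is accepted; only a missing, non-numeric or out-of-range length, or a name that runs past the declared length, is rejected.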