darpa

Digging into the Android SystemUI Crash from a JPEG

By Sophia d'Antoine, Peter Wyatt (PDF Association), Ryan Speers

July 29, 2020

In late May 2020, we were asked to help triage the root cause of a bug where an image, when parsed by Android SystemUI, caused the Android process to crash. This could cause a boot loop if, for example, the image was set as the phone’s background. We quickly identified the root cause which we found interesting from an ecosystem perspective.

This blog shares parts of our analysis, and covers our trace of the relevant code path and diagnosis of the root cause. We describe how the fixes work, and then dive into why this bug was only seen relatively recently. Finally, we break down the file’s JPEG and ICC structures, and what impacts these may have on the parsers.

Continue reading

Analysis Methods and Tooling for Parsers

By Ryan Speers, Paul Li (Two Six Labs), Sophia d'Antoine, Michael Locasto (SRI)

June 9, 2020

This is the first post in a series that describes how we built tools to rapidly identify and characterize “format extensions”: modifications and new feature additions in parsers of complex formats. In this puzzle, we were given a set of binaries and a few input files – in this instance PDFs. Our task was to precisely characterize any new feature(s) present in the binaries and describe how the input files triggered them. Moreover, our goal was to build tools to enable a human to do this faster and/or more completely than they could previously. Our approach was to make the best use of the inputs that triggered modified behaviors, with a combination of fine-grained static binary diffing and execution trace and memory trace analysis.

Continue reading

Hashashin: Using Binary Hashing to Port Annotations

By Rylan O'Connell, Ryan Speers

December 2, 2019

In our previous blog, we described some examples of where binary hashing can help solve problems and compared a number of algorithms for both basic block and graph aware hashing. Today we are releasing a tool, Hashashin, which combines some of these algorithms to allow security researchers to port Binary Ninja annotations from one binary to another.

Continue reading

Binary Hashing: Motivations and Algorithms

By Rylan O'Connell

November 26, 2019

As security researchers, we often spend a lot of time looking into the internals of libraries in products we are assessing. With this come some common time sinks, such as identifying library versions. While library version identification is relatively straightforward on the surface, other tasks are clearly more challenging – such as applying signatures to stripped binaries, porting defined types across libraries, and similar codebases.

Continue reading