Binary hardening is a web security technique for analyzing or manipulating binary files to protect against exploits. Binary planting remains one of the most crippling types of attacks on applications. Even though its prevalence has declined, it has the potential to expose an entire infrastructure. There are a few different methods of binary hardening, each targeted at a different type of binary planting.
How Binary Hardening Works
- Buffer Overflow Protection
A buffer overflow occurs when a program writes past a buffer's boundaries, overwriting adjacent memory locations. Attackers trigger it by supplying more data than the buffer can hold. The most common defense is compiler-enforced protection, which places canary values in stack frames so that an overflow into adjacent stack data is detected before it can be used.
- Binary Stirring
Applications often have static instruction addresses in their binary code. Because these addresses are the same on every run, they give a malicious binary fixed targets to attack. Binary stirring protects against this by randomizing the instruction addresses every time the executable is launched.
- Pointer Masking
Many code injection attacks work by modifying code pointers to gain access. Code pointer masking protects an application by enforcing "the correct semantics of code pointers", and it does so without relying on canaries to rearrange the stack.
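The canary check described under Buffer Overflow Protection, as an added example that is not part of the original page: a constructed frame layout places a guard word directly after a fixed buffer, the "before" routine copies input with no length check so an over-long input overwrites the guard, and the "after" routine checks the length first. The names, the 16-byte buffer, the canary constant and the probe inputs are all assumptions made for this demonstration; the unchecked copy is clamped to the size of the frame so the program only ever writes memory it owns.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed frame layout: a fixed-size buffer followed by a guard word,
 * mirroring where a compiler-inserted canary sits between local buffers
 * and the saved return address. Any write that runs past buf reaches the
 * canary before it can reach anything beyond it. */
#define BUF_LEN 16
#define CANARY_VALUE 0x5A5AC0DEFEEDBEEFULL   /* assumed constant for the demo */

struct guarded_frame {
    char buf[BUF_LEN];
    uint64_t canary;
};

/* "Before": copies n bytes into the frame with no length check, so any
 * n > BUF_LEN spills into the canary. The copy is clamped to the struct's
 * own size so the demonstration never writes outside memory it owns.
 * Returns 1 if the canary survived, 0 if it was overwritten, which is the
 * comparison a canary-protected function epilogue performs before returning. */
static int unchecked_copy_canary_ok(const unsigned char *input, size_t n)
{
    struct guarded_frame f;
    f.canary = CANARY_VALUE;
    if (n > sizeof f)
        n = sizeof f;
    memcpy((unsigned char *)&f, input, n);   /* the missing bounds check */
    return f.canary == CANARY_VALUE;
}

/* "After": the same copy with the length checked against BUF_LEN first.
 * Returns -1 when the input is rejected, 1 when it fits (canary untouched). */
static int bounded_copy_canary_ok(const unsigned char *input, size_t n)
{
    struct guarded_frame f;
    f.canary = CANARY_VALUE;
    if (n > BUF_LEN)
        return -1;
    memcpy(f.buf, input, n);
    return f.canary == CANARY_VALUE;
}

/* Probes that build a constructed input of n bytes of 'A' and report the
 * outcome of each copy routine. */
static int probe_unchecked(size_t n)
{
    unsigned char input[64];
    if (n > sizeof input)
        n = sizeof input;
    memset(input, 'A', n);
    return unchecked_copy_canary_ok(input, n);
}

static int probe_bounded(size_t n)
{
    unsigned char input[64];
    if (n > sizeof input)
        n = sizeof input;
    memset(input, 'A', n);
    return bounded_copy_canary_ok(input, n);
}

int main(void)
{
    printf("8-byte input, unchecked copy: canary %s\n",
           probe_unchecked(8) ? "intact" : "CORRUPTED");
    printf("20-byte input, unchecked copy: canary %s\n",
           probe_unchecked(20) ? "intact" : "CORRUPTED");
    printf("20-byte input, bounded copy: %s\n",
           probe_bounded(20) == -1 ? "rejected" : "copied");
    return 0;
}
```

The point to take from the probes is that the canary does not stop the write; it makes the corruption visible at a well-defined check point, which is why a real scheme aborts the process when the comparison fails rather than returning normally. The bounded copy is the fix the canary is meant to catch the absence of.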
Example of Binary Hardening
Binary planting commonly exploits insecure access permissions. Suppose you install an application named MyApp on a system with multiple users. When prompted, the installer creates a root directory and installs the application in C:\MyApp. However, in this instance the installer failed to restrict write access, so non-privileged users can write to the directory.
Now a user with bad intent places a malicious binary file in C:\MyApp. The next time MyApp is launched, the application loads and executes the malicious file. The attack causes a buffer overflow that overwrites adjacent memory locations.
This problem can be mitigated with buffer overflow protection. Using canary values in a compiler-enforced protection scheme produces a type of "early warning system" that catches a buffer overflow before it can be exploited. With this protection in place, the system is safe from memory exploits that corrupt data.
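The installer mistake in the example above, a code directory that unprivileged users can write to, is something an application can check for before it loads anything from that directory. The following is an added example and not part of the original page: it shows the check on a POSIX system (the page's scenario is Windows, where the equivalent is inspecting the directory's ACL rather than mode bits), refusing a directory unless it is owned by root or the current user and is not writable by group or others. The verdict codes, the function names and the scratch path under /tmp are all assumptions made for this demonstration.

```c
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Outcome codes for the directory check (names assumed for this example). */
enum dir_verdict {
    DIR_SAFE = 0,            /* trusted owner, not writable by group or others */
    DIR_MISSING = 1,         /* stat() failed */
    DIR_NOT_A_DIR = 2,
    DIR_WORLD_WRITABLE = 3,  /* any local user could plant a file here */
    DIR_GROUP_WRITABLE = 4,
    DIR_UNTRUSTED_OWNER = 5
};

/* Refuse to treat a directory as a trusted code location unless it is owned
 * by root or the current user and is not writable by group or others. A
 * sticky world-writable directory (like /tmp) is still reported as writable:
 * the sticky bit only stops deletion of other users' files, not creation. */
static enum dir_verdict check_code_dir(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return DIR_MISSING;
    if (!S_ISDIR(st.st_mode))
        return DIR_NOT_A_DIR;
    if (st.st_uid != 0 && st.st_uid != geteuid())
        return DIR_UNTRUSTED_OWNER;
    if (st.st_mode & S_IWOTH)
        return DIR_WORLD_WRITABLE;
    if (st.st_mode & S_IWGRP)
        return DIR_GROUP_WRITABLE;
    return DIR_SAFE;
}

/* Self-contained walk-through: create a scratch directory under /tmp (the
 * stand-in for C:\MyApp), check it with the installer's mistake (0777), with
 * group-writable permissions (0775) and with a corrected mode (0755), then
 * clean up. Returns 0 when every verdict matches, 1 on a mismatch, -1 if the
 * scratch directory could not be created. */
static int demo_permission_check(void)
{
    char path[64];
    int ok = 1;
    snprintf(path, sizeof path, "/tmp/myapp_demo_%ld", (long)getpid());
    if (mkdir(path, 0700) != 0)
        return -1;
    if (chmod(path, 0777) != 0 || check_code_dir(path) != DIR_WORLD_WRITABLE)
        ok = 0;
    if (chmod(path, 0775) != 0 || check_code_dir(path) != DIR_GROUP_WRITABLE)
        ok = 0;
    if (chmod(path, 0755) != 0 || check_code_dir(path) != DIR_SAFE)
        ok = 0;
    rmdir(path);
    return ok ? 0 : 1;
}

int main(void)
{
    int rc = demo_permission_check();
    printf("permission check demo: %s\n",
           rc == 0 ? "all verdicts as expected" : "unexpected verdict");
    return rc == 0 ? 0 : 1;
}
```

A loader that runs this check before resolving plugins or helper binaries from its own directory turns the silent failure in the story above into a refusal to load, which is the point at which the planted file is noticed rather than executed.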
Binary planting remains one of the most dangerous attack types. These attacks can modify software native to the operating system, and even the operating system itself.
In 2010 there was a sharp rise in binary planting, largely due to third-party application DLL files. That same year, Acros (whose parent company is Thermo Fisher Scientific) conducted a study concluding that there were over 500 exploitable bugs in around 200 commonly used Windows applications. While security updates in Windows 10 have largely corrected this misstep, binary hardening remains a crucial step in protecting an application and the overall system.