Talk: Cracking Sendmail crackaddr – Still a challenge for automated program analysis

The old and famous “Sendmail crackkaddr” bug is a stack buffer overflow that allows remote code execution when parsing a specially crafted email address. Much to the fascination of security engineers the bug, that was found by manual code inspection, is difficult to spot by automatic program analysis. Many tools either do not find the bug or report the same warnings for the vulnerable and the fixed code. Henceforth, the “Sendmail crackaddr” bug has been used by the security community as a prototypical example for the deficiencies of automated program analysis tools. Our static analyzer for binaries “Bindead” was the first to solve the Sendmail crackaddr challenge. It was able to automatically prove the correctness of the patched crackaddr version and produce a warning given the vulnerable version. Furthermore, the results were obtained by analyzing the disassembled binary not the source code.

In this talk I illustrate the Sendmail crackaddr vulnerability and detail the static analysis of the bug step by step. Additionally, I introduce the theoretical background and discuss the technology used by our analyzer and the additional challenges of analyzing binaries. The detailed analysis walkthrough is followed by a short live demonstration of the Bindead tool applied to the Sendmail bug. After that I discuss and compare the analysis results of various other available state-of-the-art automated bug finding tools when applied to this problem. These tools use techniques such as fuzzing, symbolic execution and abstract interpretation.

Bio:

Security researcher with a background in automated program analysis. Implemented compilers, disassemblers and program analysis tools. Now am focusing on tools for reverse engineering and vulnerability discovery. I recently finished my PhD thesis on the static analysis of binaries. In my work I co-developed an analyzer for binaries — Bindead, that disassembles, reconstructs the control flow and performs various static analyses on executables. Besides the ongoing development on Bindead (the dreaded remaining 20% of the project) and other ambitious projects I continue the research on binary analysis and reverse engineering.
My goal is to improve the tooling in this area by bringing academic results out of the proof-of-concept phase to usable tools for security engineers.