Finding Backdoors In Code presented at OWASP BeNelux 2010

by Matias Madou (Fortify Software ),

Tags: Security Exploitation


Summary : Insiders who write code, whether they are developers working for an enterprise or contributors to an open source project, have an almost unlimited number of ways to put chinks in the armor of their software. Many times, these holes are put in place for seemingly good reasons—to facilitate easy debugging, make working from home easier, or as a failsafe in case other mechanisms for interfacing with the system fail. Worse still, malicious insiders can plant logic bombs or insert backdoors so that they can embezzle funds, steal private information, or exact revenge if they become disgruntled.
Whether unintentional or malicious, code that performs questionable behavior or permits unauthorized access can be introduced with relative ease and can persist in a code base almost indefinitely without being discovered. Until it's too late. In this talk, we discuss techniques for applying static analysis to program source code to assist auditors hunting for backdoors, logic bombs, and other threats introduced by insiders. We give detailed examples of insider threats that have been uncovered in real software systems, outline possible motives for malicious insiders, and discuss how external stimuli like layoffs are increasing the attention paid to insider threats. We conclude the talk with results of applying the detection techniques discussed in this talk to real-world software.