Dissecting Flash with EASE (Experimental ActionScript Emulator) presented at Virus Bulletin 2011

by Bing Liu (Fortinet),

Tags: Security

URL : http://www.virusbtn.com/conference/vb2011/abstracts/Liu.xml

Summary : "In today's online world, Adobe Flash's ubiquity is hardly deniable. The reasons for this success are diverse and can be
speculated upon, but one consequence is certain: Flash is becoming a major vector of infection to the eyes of
And, while Flash zero-day vulnerabilities are revealed at a steady pace, even other exploits, for example browser-related
ones, are starting to leverage Flash. Indeed, the following two abilities in the Flash Player are precious to the
1. Bypassing DEP/ASLR through ActionScript driven JIT-Spraying. To ensure that it will run on as many different
machines as possible, DEP/ASLR bypassing is a 'must' for modern exploits. It can be achieved via return into libc
techniques, but JIT-Spraying provides a more generic and an overall easier solution. 2. Evading detection through ActionScript packer. The exploits for Flash vulnerabilities are regularly trying to hide
in Flash binaries, leveraging the power of ActionScript to bury themselves under several layers of obfuscation. This
renders detection (and reverse engineering!) tremendously difficult. Worse, the exploits for browser-related
vulnerabilities start using the same evasive technique (by embedding malicious HTML/JavaScript code in Flash binaries). To attempt to solve these two major issues, we developed an ActionScript emulator. It has the ability to detect
Heapspray/JIT-Spray and to unpack the embedded Flash/HTML/JavaScript as well.
Based on the emulator, we also developed a simple scanner. It is rule-based and can flag known exploits in a flash, as
well as zero-days (in some cases), thanks to the Heapspray/JIT-Spray detector.
In this paper, we will discuss the techniques implemented in our emulator and scanner by dissecting two Flash samples.
Limits and countermeasure will also be discussed.