Saturday, March 26, 2005

Reading up on OS internals

I was looking at the preview chapter from the upcoming Symbian Internals book. I was hoping that it would give some insight into some of the current generations (ver. 6, 7) of the Symbian OS. The book is more of an Inside OS/2 for the upcoming realtime Symbian version 9.

The chapter covered platform security, mostly a high-level description of application security. Some highlights:

  • No Execute is used to make buffer overflows more difficult.
  • Security is based on directory (hidden from user) rather than file.
  • Nothing is trusted on removable media; HW-like security (integrity checking via hash stored in a secured location).
  • Capabilities (access rights, r/w system directory) are granted to processes based on bits in the header of the binary.
  • The key to all this is that the installation system is considered part of the trusted base system. A good decision, as it is unlikely that someone would deliver malware in SIS packages. :)


The spread of Cabir has made one thing clear: one should never underestimate people's willingness to accept gifts.

Thursday, March 17, 2005

Updated Dumpsis; Other SIS tools

I've added dumping of all available language variants. Previously only the file for the first language in the set was dumped. The first language is not necessarily the default, as that is determined by the user's system settings and not the developer's PKG file settings.

The language is appended to the filename for all but the first file. This is similar to what Sisunpack does with language variants, except with long language names (e.g. UK_English, Spanish). Interestingly, Sisunpack is written in the D programming language. One page of source code and portable to Linux with a recompile. Not bad; the Windows binary is 130K.

The key with the latest versions of Dumpsis is that most of the SIS file handling code has been moved into the Sisdump perl module. Import Sisdump.pm and you've got relatively easy perl-OO access to SIS files from your perl script or program. This is good for simple utilities and one-off scripts. A good example is a little script that outputs the MD5 hash for each file in the SIS. Saves time in analyzing files. Combine it with file extraction and a small known-file database and you only deal with the previously unseen. Of course, due to all the news about MD5 collisions, it might be a good thing to take a page from the integrity checkers (Tripwire, AIDE) and add SHA-1 hashing as well.
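The "hash every file, compare against a known-file database, only look at the unseen" workflow described above, as an added example. This is not the blog's Dumpsis/Sisdump code and does not use the Sisdump.pm API; it assumes the SIS contents have already been extracted to a directory (by Dumpsis, Sisunpack or anything else) and that the known-file database is a mapping from a name to an (MD5, SHA-1) pair. The sample files and database entries are constructed placeholders. It goes one step beyond the paragraph: because both digests are stored, a file whose MD5 matches a database record but whose SHA-1 does not is flagged separately, which is exactly what an MD5-collision substitution would look like.

```python
"""Added example (not the blog's Dumpsis/Sisdump code): hash extracted SIS
contents with both MD5 and SHA-1 and report only what has not been seen before."""
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple

# Constructed sample "extracted SIS" contents (placeholders, not real payload bytes).
SAMPLE_FILES: Dict[str, bytes] = {
    "autostart.rsc": b"resource: run on install\n",
    "worm.app": b"E32 payload (constructed placeholder)\n",
    "readme.txt": b"installer notes\n",
}


def digest_pair(data: bytes) -> Tuple[str, str]:
    """Return (md5, sha1) hex digests. Keeping both means a forged MD5 match
    still has to survive a second, independent hash."""
    return hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()


def read_extracted(root: str) -> Dict[str, bytes]:
    """Read every file under an extraction directory, keyed by relative path."""
    files: Dict[str, bytes] = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                files[rel] = fh.read()
    return files


def classify(files: Dict[str, bytes],
             known: Dict[str, Tuple[str, str]]) -> Dict[str, List[tuple]]:
    """Split files into known / unseen / suspicious.

    known      - both digests match a database record (skip, already analysed)
    unseen     - no record with this MD5 (new material, worth a look)
    suspicious - MD5 matches a record but SHA-1 differs: a collision-shaped
                 mismatch, which must never be treated as "already seen"
    """
    by_md5 = {md5: (name, sha1) for name, (md5, sha1) in known.items()}
    report: Dict[str, List[tuple]] = {"known": [], "unseen": [], "suspicious": []}
    for name, data in sorted(files.items()):
        md5, sha1 = digest_pair(data)
        if md5 not in by_md5:
            report["unseen"].append((name, md5, sha1))
            continue
        known_name, known_sha1 = by_md5[md5]
        if sha1 == known_sha1:
            report["known"].append((name, known_name))
        else:
            report["suspicious"].append((name, known_name, md5, sha1))
    return report


def _constructed_known_db() -> Dict[str, Tuple[str, str]]:
    """Constructed database: one genuine record for autostart.rsc, plus a record
    whose MD5 equals worm.app's but whose SHA-1 belongs to different bytes,
    standing in for a real MD5 collision (which cannot be built inline here)."""
    md5_a, sha1_a = digest_pair(SAMPLE_FILES["autostart.rsc"])
    md5_w, _ = digest_pair(SAMPLE_FILES["worm.app"])
    return {
        "known/autostart.rsc": (md5_a, sha1_a),
        "known/worm_v1.app": (md5_w, hashlib.sha1(b"different bytes").hexdigest()),
    }


KNOWN_DB: Dict[str, Tuple[str, str]] = _constructed_known_db()


def demo() -> Dict[str, List[tuple]]:
    """Write the constructed files to a temp dir, read them back as an
    extraction would produce them, and classify against KNOWN_DB."""
    with tempfile.TemporaryDirectory() as root:
        for name, data in SAMPLE_FILES.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return classify(read_extracted(root), KNOWN_DB)


if __name__ == "__main__":
    for bucket, entries in demo().items():
        print(bucket)
        for entry in entries:
            print("  ", *entry)
```

In a real toolkit the `known` mapping would be loaded from the analyst's own database and the `suspicious` bucket would be the first thing to read, since the only honest way to land there is an MD5 match that SHA-1 disagrees with.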

I've got a version of that tool nearly done. More stuff to add to the SIS analysis toolkit.

Monday, March 07, 2005

Commwarrior worm

I've gotten a sample from the distributor's site. As yet, I have not run across a second version. From preliminary analysis it looks like the worm picked up the SIS writing trick from Cabir. The boot-up trick is defective, but the run-on-install is correct.

Vallez, author of Cabir, originally decided against using MMS as Bluetooth involves no direct monetary charges. This worm's author must not want the worm to spread very far.
