.NET Tutorials, Forums, Interview Questions And Answers
Welcome :Guest
Sign In
Win Surprise Gifts!!!

Home >> Articles >> Security >> Post New Resource Bookmark and Share   

 Subscribe to Articles

Binscope Binary Analyzer

Posted By:Sunil Yadav       Posted Date: March 03, 2011    Points: 200    Category: Security    URL: http://www.dotnetspark.com  

This article explains how we can use Binscope Binary Analyzer to perform a security check for the weaknesses like Buffer Overflow ,Data Execution Prevention(DEP) etc.

Binscope is a binary analyzer is a security tool to ensure that the assemblies do comply with SDL requirements and recommendations. Binscope performs the following security checks to test the weaknesses like buffer overflow, data execution etc. which are commonly exploited by an attacker. Adopting the security best practices greatly enhances the quality of source code.




/GS Prevent buffer overflow
/SafeSEH Ensures safe exception handling
/NXCOMPAT Ensure compatibility with Data Execution Prevention(DEP)
/DYNAMICBASE Ensures the Address Space Layouts Randomization (ASLR)
/SNCHECK Ensures unique key pairs and strong integrity check.

Binscope also points out dangerous constructs that are prohibited or discouraged by SDL, including:
  • Non /GS friendly initialization
  • R/W shared sections
  • Use of APTCA (allow partially trusted caller attribute) with Strong-named assemblies
  • Global function pointers
  • ATLVulnCheck for classes implementing IPersistStreamInit that have potentially vulnerable property map entries.

Included Checks

BinScope includes a variety of SDL-required and non-SDL--required checks. Each check is implemented by one of several included plug-ins with a name that matches each check. These checks are described in the following table.



ATLVersionCheck Verifies that ATL headers used to build the binary are known good. For COM only.
ATLVulnCheck Detects classes implementing IPersistStreamInit that have potentially vulnerable property map entries. For COM only.
APTCACheck Reports a failure if the binary being verified is a managed assembly, has a strong name signature, and bears the APTCA attribute (AllowPartiallyTrustedCallersAttribute). Such assemblies can be potentially dangerous and should not be shipped without a thorough security review.
SectCheck Reports a failure if the PE-format binary being verified has sections marked as shared and writable. Having such sections is a potential security vulnerability, and their use should be avoided.
GSCheck Verifies that the /GS compiler flag was used to compile all components of the binary and shows detailed information per object in the binary. It is possible that only part of the object files in a binary were built with /GS. In this case you will need to find the owner of non-/GS-compiled objects or libraries and request a compliant version. Note: GSCheck needs access to the debug symbols for the binary. Ensure that the correct symbols are able to be located (for example by setting _NT_SYMBOL_PATH=SRV*\\symbols\symbols).
SafeSEHCheck Verifies that the image was linked using /SAFESEH. Not using /SAFESEH undermines the protection provided by /GS. Note - In order to link an image with /SAFESEH, all object files and lib files must be /SAFESEH-compatible.
FPCheck Identifies images having global function pointers. Overriding static buffers can cause global function pointers to be overwritten, which may expose a security vulnerability. This is not covered by /GS protection; therefore, if you have global function pointers, you may want to examine use of static/global buffers in your code to make sure there are no possible security issues. This check is not enforced by SDL, but it is strongly recommended that you check use of your static buffers to make sure no buffer overruns are possible. FPCheck requires that symbols be present (see the /GS check note above).
SicCheck Identifies images that have non-/GS-friendly initialization. When using /GS, the executable needs some way to initialize the /GS infrastructure at load time, and usually it is done in CRT startup or similar functions. However, if the executable is linked in such a way that no standard code is executed at startup (such as with /NOENTRY linker option) and no custom /GS-startup routine is provided, that image will be left unprotected. This check identifies these images.
CompilerCheck Identifies images that contain C or C++ modules compiled with a compiler older than the version required by the SDL. Specifically, BinScope checks that the C/C++ compiler (cl.exe) is at least version 14.00.50727 and the CVTRES compiler, the MASM compiler and the linker are at least version 8.00.50727. Those are the versions of the tools contained in Visual Studio 2005.
DBCheck Checks if a binary has opted into the ASLR feature.
SNCheck Checks for use of strong-named assemblies. A strong name is a digital signature representing a cryptographically unique name for a managed assembly. Integrity of information is protected by digital signature. No piece of the strong name and no bits in the assembly body can be modified without rebuilding the assembly.
NXCheck Checks if a binary has opted into Hardware Data Execution Prevention.

Binscope Binary Analyzer must be used during verification phase of Microsoft security development lifecycle (SDL).

 Binscope binary analyzer

Binscope has a standalone and VS integrated versions available. It also integrates with Microsoft Team Foundation Server (TFS). Below are the steps to use Binscope binary analyzer.
  1. Start the Binscope binary analyzer.
  2. Browse the target file path and output log file along with the check to perform on the assembly. In the options group, enter the directory or symbol server containing your project's private symbol.
  3. Binscope binary analyzer

  4. Click start. Once finished with the scan you will see a report generated against the test immediately.
    Binscope binary analyzer

 http://www.microsoft.com/security/sdl/adopt/tools.aspx http://technet.microsoft.com/en-us/library/ee672187.aspx

 Subscribe to Articles


Further Readings:


No response found. Be the first to respond this post

Post Comment

You must Sign In To post reply
Find More Articles on C#, ASP.Net, Vb.Net, SQL Server and more Here

Hall of Fame    Twitter   Terms of Service    Privacy Policy    Contact Us    Archives   Tell A Friend