Forensic-Tool Development with RustΒΆ
Forensic Tool Development with Rust
Case study: stringsext
Author: Dipl.-Ing. Jens Getreu
Supervisor: Prof. Olaf Manuel Maennel
Forensic-Tool Requirements
Hard disk/memory images are huge
β code efficiency!
Images may contain malicious code exploiting potential code vulnerabilities
β memory safety
Rust Programming Language
- code efficiency
- zero cost abstractions
- no garbage collector
- memory safety
- data ownership
Hypothesis
Is the Rust ecosystem suitable for forensic tool development?
Method: Case study: Development of a GNU-strings alternative with multi-byte-encoding support
Test Case
(UTF-16LE encoded)
GNU-strings: Output
Very limited multi-byte-encoding support
"Don't run strings on untrusted files."
The setup_group function in
bfd/elf.cinlibbfdin GNU binutils 2.24 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via crafted section group headers in an ELF file.
Stringsext
- a GNU-strings alternative with multi-byte-encoding support for
- UTF-8, UTF-16be, UTF-16le, BIG5-2003, EUC-JP, KOI8-R and many others
Contribution
- production software stringsext (free source code)
- automated tests: 90 assertions
- 6 automated benchmarks and 2 automated field experiments
- user documentation
- 87 html pages of `developer documentation`_
- production builds for: Linux 32 bit, Linux 64 bit, Windows 32 bit, Windows 64 bit
Design
Stringsext Output
Demonstration
Combine UTF-16 Little-Endian and Big-Endian scanning and prevent false positives:
cat /dev/sda2 | ./stringsext -ci -tx \
-e UTF-16be,16,U+0..U+007f \
-e UTF-16be,30,U+20..U+2f,U+400..U+07ff \
-e UTF-16le,10,U+0..U+007f \
-e UTF-16le,30,U+20..U+2f,U+400..U+07ff \
Results
- [-] more bugs in young Rust libraries, but
- [+] Rust is memory safe and
- [+] bugs are much easier to detect than memory safety related vulnerabilities
β Rust meets the requirements of forensic tool development