Forensic Tool Development with Rust

Case study: stringsext

Author: Dipl.-Ing. Jens Getreu
Supervisor: Prof. Olaf Manuel Maennel

Forensic-Tool Requirements

  • Hard disk/memory images are huge

    → code efficiency!

  • Images may contain malicious code exploiting potential code vulnerabilities

    → memory safety

Rust Programming Language

code efficiency
  • zero cost abstractions
  • no garbage collector
memory safety
  • data ownership

Hypothesis

Is the Rust ecosystem suitable for forensic tool development?

Method: a case study, developing a GNU-strings alternative with multi-byte-encoding support

Test Case

[Figure: test_case_encoding-input.png]

(UTF-16LE encoded)

GNU-strings: Output

[Figure: strings-el.png]

Very limited multi-byte-encoding support

"Don't run strings on untrusted files."

The setup_group function in bfd/elf.c in libbfd in GNU binutils 2.24 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via crafted section group headers in an ELF file.

CVE-2014-8485

Stringsext

  • a GNU-strings alternative with multi-byte-encoding support for
    • UTF-8, UTF-16be, UTF-16le, BIG5-2003, EUC-JP, KOI8-R and many others

Contribution

[Figure: data-processing-and-thread.png]

Design

Stringsext Output

[Figure: stringsext-utf-16le-input.png]

Demonstration

Combine UTF-16 Little-Endian and Big-Endian scanning and prevent false positives:

cat /dev/sda2 | ./stringsext -ci -tx \
                 -e UTF-16be,16,U+0..U+007f \
                 -e UTF-16be,30,U+20..U+2f,U+400..U+07ff \
                 -e UTF-16le,10,U+0..U+007f \
                 -e UTF-16le,30,U+20..U+2f,U+400..U+07ff
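As an added illustration (not stringsext's own code) of why the minimum-length and Unicode-range filters above are needed, here is a small UTF-16 scanner in Rust: it decodes a constructed buffer in both byte orders and shows that little-endian text read as big-endian produces a long run of valid but meaningless code points, which a range filter removes. The function names, the constructed sample bytes and the scan from byte offset 0 only are assumptions of this example.

```rust
// Added example, not stringsext's code: a minimal scanner for the ENCODING,MIN_LEN,RANGE idea above.
use std::char::decode_utf16;

/// Inclusive Unicode scalar ranges, like the U+..U+ filters in the command above.
pub const ANY: &[(u32, u32)] = &[(0x0, 0x10ffff)];
pub const ASCII: &[(u32, u32)] = &[(0x0, 0x7f)];
pub const CYRILLIC: &[(u32, u32)] = &[(0x20, 0x2f), (0x400, 0x7ff)];

/// Decode `data` as UTF-16 (big- or little-endian, from byte offset 0 only; a real
/// scanner must also try the odd offset) and return every run of at least `min_len`
/// chars inside `ranges`. Control chars, out-of-range chars and bad surrogates end a run.
pub fn scan_utf16(data: &[u8], big_endian: bool, min_len: usize, ranges: &[(u32, u32)]) -> Vec<String> {
    let accept = |c: char| !c.is_control() && ranges.iter().any(|&(lo, hi)| (lo..=hi).contains(&(c as u32)));
    let units = data.chunks_exact(2).map(|p| {
        if big_endian { u16::from_be_bytes([p[0], p[1]]) } else { u16::from_le_bytes([p[0], p[1]]) }
    });
    let (mut found, mut run) = (Vec::new(), String::new());
    for unit in decode_utf16(units) {
        match unit {
            Ok(c) if accept(c) => run.push(c),
            _ => {
                if run.chars().count() >= min_len { found.push(run.clone()); }
                run.clear();
            }
        }
    }
    if run.chars().count() >= min_len { found.push(run); }
    found
}

/// Encode `s` as UTF-16 in the chosen byte order (only used to build test data).
pub fn to_utf16(s: &str, big_endian: bool) -> Vec<u8> {
    s.encode_utf16().flat_map(|u| if big_endian { u.to_be_bytes() } else { u.to_le_bytes() }).collect()
}

/// Constructed fragment: ASCII as UTF-16LE, a NUL pair, a lone high surrogate, then Cyrillic as UTF-16BE.
pub fn sample_image() -> Vec<u8> {
    let mut image = to_utf16("Hello, world", false);
    image.extend_from_slice(&[0x00, 0x00, 0xd8, 0x00]);
    image.extend(to_utf16("Привет", true));
    image
}

fn main() {
    let image = sample_image();
    // Read as BE, the LE text becomes 12 CJK-like code points: a false positive
    // that survives without a range filter and vanishes once ranges are required.
    println!("BE, any range: {:?}", scan_utf16(&image, true, 10, ANY));
    println!("BE, ASCII:     {:?}", scan_utf16(&image, true, 10, ASCII));
    println!("LE, ASCII:     {:?}", scan_utf16(&image, false, 10, ASCII));
    println!("BE, Cyrillic:  {:?}", scan_utf16(&image, true, 6, CYRILLIC));
}
```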

Results

  • [-] more bugs in young Rust libraries, but
  • [+] Rust is memory safe and
  • [+] bugs are much easier to detect than memory safety related vulnerabilities

→ Rust meets the requirements of forensic tool development