
Serene – best practice checks on executable binaries - maxt
https://summitroute.com/blog/2016/12/22/introducing_serene/
======
dguido
If you want to enable Control Flow Integrity (CFI) on your own projects, check
out these tutorials for Clang and Visual Studio:

[https://blog.trailofbits.com/2016/12/27/lets-talk-about-
cfi-...](https://blog.trailofbits.com/2016/12/27/lets-talk-about-cfi-
microsoft-edition/)

[https://blog.trailofbits.com/2016/10/17/lets-talk-about-
cfi-...](https://blog.trailofbits.com/2016/10/17/lets-talk-about-cfi-clang-
edition/)

Then you can use Serene to check that it was turned on.

------
scottpiper
I'm the author if you have any questions

------
awinter-py
Assuming (and I know this is unfair) that programs are doing a good job of
sanitizing inputs, what other classes of error do these checks prevent?

~~~
scottpiper
Assuming the program has no vulnerabilities, these will do nothing. They are
mitigations for memory corruption vulns, such as buffer overflows and use-
after-frees. Sanitizing inputs doesn't really help for some of these.

These mitigations are "free" to add to programs in the sense that they are
just compiler flags. Usually the reason these aren't being used is because the
build process for a tool is really old and isn't using the latest version of
Visual Studio or some other compiler. Some examples of this are Google Drive,
which is still compiled with Visual Studio 2008, or 7-zip which seems to use
VS 2005.

~~~
awinter-py
Cool. Are there other tools on your list to check a binary executable?

~~~
scottpiper
For static analysis to check for best practices, there aren't any free tools
that come to mind that give you easily digestible info without usually doing
some manual reversing and a lot of extra knowledge. HBGary once created a tool
called FingerPrint that provided some of this extra info but that tool
disappeared. I extracted out a lot of what it does into YARA signatures:
[http://0xdabbad00.com/2011/01/09/fingerprinting-using-
yara/](http://0xdabbad00.com/2011/01/09/fingerprinting-using-yara/)

The original purpose of HBGary's tool was for fingerprinting malware, but what
it really was doing was just extracting out info from malware author's build
environments that could be learned from the executables they created.

Other things you would want to check for though are: \- Are the executables
code signed? \- When run, look in ProcessExplorer (for Windows) to see if it
runs with DEP/ASLR/CFG/x64 and ensure every DLL it loads has ASLR and CFG. \-
Run with wireshark on and ensure any network traffic is HTTPS.

There are thousands of ways for all these checks to give incorrect information
with regard to whether the developers follow best practices or not, but if you
do enough steps they'll add up to a decently accurate understanding.

