Chapter 17: Instrumented Investigation: A Manual Approach

Philosophy

The idea behind our approach is to simplify the researcher's view of the system, allowing him or her to focus on the structure and behavior of the system from a technical security perspective rather than being led along some predefined path by vendor documentation or source code. It is more of an attitude and an approach than a specific technique, although you will need some basic skills. Our experience has been that this approach leads to the discovery of bugs that were "not thought possible" by the development teams because they were too obvious, or obscured by the source code (for example, complex C macro definitions), or because an interaction between components of the system had simply not been thought about. Throwing away the rulebook, so to speak, is a liberating thing.

The approach can best be summarized as follows :

• Attempt to understand the system without referencing its documentation and source code.

• Investigate likely areas of weakness. During the investigation, make use of system tracing tools to learn more about the behavior of the system and take note of where behaviors divergethese points may not be obvious.

• Where differing behaviors are observed , attempt common forms of attack and observe the response.

• Continue until you've covered all the behaviors.

Perhaps a concrete example would clarify the process.