IT Security Stack Exchange
IT Security Stack Exchange

Questions tagged [binary-code]

60 questions
52
votes
4 answers

How to inject executable, malicious code into PDF, JPEG, MP3, etc.?

I wanted to know if its generally possible to inject executable code into files like PDFs or JPEGs etc., or must there be some kind of security hole in the application? And if so, how would one do that? I often hear that people get infected by…
JohnnyFromBF
  • 1,413
  • 4
  • 16
  • 23
24
votes
4 answers

What is the corrupted image vulnerability? How does it work?

What exactly happens when someone injects malicious binary code into an image file (on Windows)? How is that done?
Moshe
  • 1,721
  • 3
  • 16
  • 22
22
votes
2 answers

Is there a way to verify a binary against the sources?

It seems like there is no practical way to verify the full integrity path of precompiled and packaged software? I can check the downloaded package itself by hashes, but I have no verification if the compiled binaries really represent the public…
flori
  • 381
  • 2
  • 8
19
votes
7 answers

Any comprehensive solutions for binary code protection and anti-reverse-engineering?

Does anyone know of good products with comprehensive binary hardening and anti-reverse-engineering features? Or better, has anyone seen an independent review comparing products that perform these types of binary code protections? I've only found…
Weber
  • 1,006
  • 1
  • 6
  • 10
16
votes
8 answers

Trust Issues Relative to Open Source

Two separate discussions have very recently opened my eyes to an issue I had not considered – how to confirm the Open Source binary one uses is based on the published source code. There is a large discussion thread on cryptography-randombit based…
zedman9991
  • 3,377
  • 15
  • 22
15
votes
1 answer

What does the NSA's Recently Leaked "The Equation Group" Files do?

First Hand Details: TEG (The Equation Group) is NSA's team of hackers who'd write code to exploit systems worldwide. Some of the private files were recently dropped by a group called Shadow Brokers & they've auctioned it in exchange for BTC bids ..…
Shritam Bhowmick
  • 1,602
  • 14
  • 28
14
votes
6 answers

Code Analysis: Binary vs Source

While conducting a software security assessment, if you have access to the source code of a compiled application (say C++), would you ever do any analysis upon the compiled version, either with any automated techniques or manually? Is fuzzing the…
TobyS
  • 1,597
  • 1
  • 12
  • 17
12
votes
5 answers

Storing private asymmetric key in application binary?

I would like to give a daemon-style process (i.e. no user interaction) access to a shared secret key so that it can access a shared, encrypted data file. User applications accessing the same encrypted data store the shared secret key in the user's…
Barry Wark
  • 241
  • 2
  • 8
11
votes
4 answers

What's more secure? Hard coding credentials or storing them in a database?

I wonder which of these things is more secure. Imagine hard coded credentials, similar to this: if user.Equals("registereduser") && (password.Equals(encryptedpassword)) { Give access to the user I know this method has big flaws like having to…
user3421
  • 119
  • 1
  • 4
9
votes
5 answers

Is it safer to compile open source code vs simply running the binary?

I understand that with OpenSource software, my milage may vary based on the trust of the author and the distribution platform they use (Codeplex, Git, or private server). Oftentimes a FOSS website will offer me a link to download the binary and…
makerofthings7
  • 50,090
  • 54
  • 250
  • 536
9
votes
1 answer

How could I block or at least detect the use of ultrasonic side channels or Google Nearby Messages API on my smartphone?

My question is about the use of ultrasonic messages that are part of the modern advertising ecosystem and are also used by the Google Nearby Messages API. When it comes to advertising, the type of ultrasonic messages that I am referring to are…
user100487
  • 503
  • 4
  • 8
8
votes
4 answers

Static code review approach

My questions is related with static code analysis approach used by Veracode vs Fortify/AppScan. Veracode – Finds security flaws in application binaries and bytecode without requiring source Fortify/AppScan - Analyzes actual source code to identify…
hindiuniversity
  • 99
  • 1
  • 5
8
votes
3 answers

Does the endianness used with an encryption algorithm affect its security?

I'm implementing the AES block cipher, which reads/writes data in 16 byte blocks. The implementation I'm working with usually read data in the little endian format. But in my platform the endianness I'm using is "network order" big endian. Can I use…
Robin Rodricks
  • 379
  • 1
  • 4
  • 10
7
votes
5 answers

Does a binary executable have to have some critical plain-text components?

When companies package binary executables, they are often encrypted, compressed, scrambled, and otherwise made so that your lazy hacker can't simply open the program up in Notepad++ and see the code. In all the ones I've looked at, however, they…
asteri
  • 1,885
  • 3
  • 15
  • 22
7
votes
2 answers

Bash function manipulation explained

I was recently reading through a write up on a capture the flag Linux VulnHub machine. For privilege escalation, the author references 'bash function manipulation'. A Google search turns up very little on how this works. In short they run strings on…
n00b
  • 445
  • 2
  • 13
1
2 3 4