Cloud services have mushroomed in the past couple of years and are becoming widely used by many companies. The use of cloud-based applications brings a lot of advantages, but it also brings some disadvantages. New technologies should be taken with a grain of salt, and it's important to discover both their positive and negative side effects before using them.
Many cloud services are consumed through a client application that runs on the user's desktop and connects to the cloud back end. Because that client executes on the user's computer, it can be analyzed with the same techniques that apply to any other desktop application.
On the highest level, there are two techniques for analyzing cloud-based applications:
- Static analysis: Static application analysis examines an application without running it; only the application executable is available, and the goal is to extract as much information about its inner workings as possible from that file alone.
- Dynamic analysis: Dynamic application analysis can be used to analyze a cloud-based application's inner workings while the application is running, which enables the analyzer to determine the program flow depending on the actions taken by the user.
Both approaches come with advantages and disadvantages, but most importantly both can be used to obtain different kinds of information about the application internals. Because of that, it's a good idea to use both static and dynamic analysis techniques to infer information about the application that can be very useful when testing the application's security.
Static application analysis
There are a number of static application analysis techniques for exploring a cloud-based application, including:
- Strings: Every printable string of five or more characters can be pulled out of the cloud-based application with the strings command-line Unix tool or an alternative such as TextExtract or BinText. This is the simplest static analysis technique: it outputs the strings present in an application, from which the internals of the application can be inferred. A cloud-based application will typically contain the domain names of the servers it connects to.
- API calls: Every dynamically linked application imports a number of API functions, which reveal the functionality the application provides. A cloud-based application that connects to the cloud server will certainly use a number of network API functions; their names can be noted for later, when the functions are hooked at runtime with security tools capable of doing so, such as Frida and Cycript.
- Signatures: Antivirus or YARA rules can be used to match against a cloud-based application to determine whether it contains malicious signatures. This is useful when determining whether an application is malicious -- which can happen if it was downloaded from a third-party malicious website controlled by hackers, rather than the official website.
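The first two static techniques above can be combined in a single pass: the same `strings`-style scan that surfaces server hostnames also surfaces the imported API names, because a dynamically linked executable stores its import names as plain ASCII in the import name table. The following is an added example, not code from the original article; it runs a minimal strings extractor (ASCII and UTF-16LE, five-character minimum like the Unix tool's default) over a constructed byte blob that imitates a small fragment of a Windows executable, and then sorts the results into hostnames, known network API names and everything else. The `NETWORK_APIS` watch-list and the sample blob are constructed for the demonstration.

```python
import re
from typing import Dict, List

MIN_LEN = 5  # default minimum length of the Unix strings tool

# Watch-list of Win32 network imports whose names appear as ASCII strings in a
# PE import name table (constructed for this example; extend as needed).
NETWORK_APIS = {
    "WSAStartup", "socket", "connect", "send", "recv", "getaddrinfo",
    "InternetOpenA", "InternetConnectA", "HttpSendRequestA", "WinHttpOpen",
}

# Matches a bare or URL-prefixed hostname such as sync.example.test or
# https://api.example.test/path (assumption: loose, may over-match).
HOST_RE = re.compile(r"^(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:[/:].*)?$", re.I)


def extract_strings(blob: bytes, min_len: int = MIN_LEN) -> List[str]:
    """Return printable ASCII and UTF-16LE strings of at least min_len
    characters, in order of appearance (roughly `strings -e s` + `-e l`)."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    # UTF-16LE text is a printable ASCII byte followed by a NUL, repeated.
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), m.group().decode("ascii")) for m in ascii_re.finditer(blob)]
    found += [(m.start(), m.group().decode("utf-16-le")) for m in utf16_re.finditer(blob)]
    found.sort(key=lambda item: item[0])
    return [text for _, text in found]


def classify(strings: List[str]) -> Dict[str, List[str]]:
    """Sort extracted strings into the categories the article calls out:
    server hostnames/URLs, network API names, and everything else."""
    report: Dict[str, List[str]] = {"hosts": [], "network_apis": [], "other": []}
    for s in strings:
        if s in NETWORK_APIS:
            report["network_apis"].append(s)
        elif HOST_RE.match(s):
            report["hosts"].append(s)
        else:
            report["other"].append(s)
    return report


# Constructed stand-in for a fragment of a PE file: DOS stub text, an import
# name table, binary noise, an ASCII endpoint and a UTF-16LE hostname.
SAMPLE_BINARY = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    + b"This program cannot be run in DOS mode.\r\n$"
    + b"\x00" * 16
    + b"WSAStartup\x00connect\x00send\x00recv\x00"      # import name table
    + b"\xde\xad\xbe\xef" * 4                           # non-printable noise
    + b"https://api.example-cloud.test/v1/login\x00"   # constructed endpoint
    + b"\x01\x02\x03"
    + "sync.example-cloud.test".encode("utf-16-le") + b"\x00\x00"
    + b"\xff" * 8
    + b"ab\x00cd\x00"                                   # too short to report
)

if __name__ == "__main__":
    for category, items in classify(extract_strings(SAMPLE_BINARY)).items():
        print(f"{category}: {items}")
```

Note that `send` and `recv` are only four characters long, so the default five-character minimum silently drops two of the most interesting imports; when hunting for network API names it pays to rerun the scan with `min_len=4` and accept the extra noise.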
Dynamic application analysis
Dynamic application analysis can obtain information about a program, which cannot be obtained by using static analysis techniques alone. Some dynamic analysis techniques include:
- Registry information: While running an application, it's easy to obtain the registry keys accessed, removed or modified by the application. Dynamic analysis tools can hook into the acquisition of a registry key and dynamically change the value before it is returned from the function, possibly changing the behavior of the cloud-based application.
- Network information: While the application is running, capture the network traffic exchanged between the application and the corresponding cloud server endpoint and analyze it. Dynamic analysis tools can hook into the sending/receiving functions to alter network messages before they leave the application. By doing that, it's possible to change the username the application sends to the cloud server in order to access the data of another user, potentially including that user's sensitive information.
- Memory information: While the application is running, inspect its memory to identify sensitive information the application is leaking -- like decrypted private keys that can be used directly by an attacker to decrypt the communication between the application and the cloud server, or possibly even the encrypted data stored privately in the cloud.
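The memory inspection point above is worth making concrete from the defender's side: a test that scans a process memory snapshot for key material is also the test that verifies the client wipes keys after use. The following is an added example, not code from the original article; it builds a constructed 256-byte "heap" region containing an account string, a PEM block with a repetitive placeholder body, and a 32-byte stand-in for a symmetric key, then locates leaked keys two ways: a PEM header/footer match, and a sliding-window Shannon entropy scan for raw key bytes. The 4.3-bit threshold, window size and the snapshot contents are all assumptions chosen for this demonstration (32 distinct bytes score 5.0 bits; text, zeros and the placeholder base64 body score well below 4.3).

```python
import hashlib
import math
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed 32-byte stand-in for a symmetric key left in memory after use
# (a hash of a fixed string, so the example is deterministic; not real material).
CONSTRUCTED_KEY = hashlib.sha256(b"constructed demo key, not real material").digest()
# Constructed PEM block with a repetitive placeholder body instead of a key.
CONSTRUCTED_PEM = (
    b"-----BEGIN RSA PRIVATE KEY-----\n"
    + b"QUFBQUFBQUFB" * 4 + b"\n"
    + b"-----END RSA PRIVATE KEY-----\n"
)
KEY_OFFSET = 192  # where the raw key lands in the constructed snapshot

PEM_RE = re.compile(
    rb"-----BEGIN [A-Z ]*PRIVATE KEY-----.*?-----END [A-Z ]*PRIVATE KEY-----", re.S
)


def build_snapshot() -> bytes:
    """Assemble a 256-byte fake heap region: account string, PEM, raw key."""
    heap = bytearray(256)
    account = b"user=alice@example.test\x00"            # constructed account string
    heap[16:16 + len(account)] = account
    heap[64:64 + len(CONSTRUCTED_PEM)] = CONSTRUCTED_PEM
    heap[KEY_OFFSET:KEY_OFFSET + len(CONSTRUCTED_KEY)] = CONSTRUCTED_KEY
    return bytes(heap)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for uniform data, up to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def find_pem_keys(snapshot: bytes) -> List[Tuple[int, bytes]]:
    """Offsets and contents of PEM private-key blocks sitting in plaintext."""
    return [(m.start(), m.group()) for m in PEM_RE.finditer(snapshot)]


def find_high_entropy_windows(snapshot: bytes, window: int = 32, step: int = 16,
                              threshold: float = 4.3) -> List[int]:
    """Offsets of windows whose entropy is high enough to be raw key material.
    Text, pointers and zero-filled memory fall well below the threshold."""
    return [
        off for off in range(0, len(snapshot) - window + 1, step)
        if shannon_entropy(snapshot[off:off + window]) >= threshold
    ]


def scan(snapshot: bytes) -> Dict[str, List[int]]:
    """Combined report: PEM blocks first (a real base64 body would also trip
    the entropy scan), then raw high-entropy regions."""
    return {
        "pem_offsets": [off for off, _ in find_pem_keys(snapshot)],
        "high_entropy_offsets": find_high_entropy_windows(snapshot),
    }


if __name__ == "__main__":
    for name, offsets in scan(build_snapshot()).items():
        print(f"{name}: {offsets}")
```

Against a real process the snapshot would come from a debugger or a memory dump of the client; the point of the scan is that a well-behaved client should leave nothing for it to find once the key is no longer needed.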
There are a number of tools for dynamic application analysis, some of which are widely used, while others are just gaining popularity. These tools include:
- User-mode debuggers: User-mode debuggers are mostly used for analyzing the internals of user-mode applications, which makes them useful for analyzing cloud-based applications. They can start/stop a program, pause a program, add breakpoints into the program where the execution will be stopped and so on. Some tools belonging to this category are: OllyDbg, IDA Pro, WinDbg, Immunity Debugger, GDB and others.
- Kernel-mode debuggers: Kernel-mode debuggers are useful when analyzing the internals of a system rather than an application. They are also useful when determining what a system call that was initiated by a cloud-based application will do. Some tools belonging to this category are: SoftICE, WinDbg and others.
- Sandboxes: A sandbox provides an environment for running applications, but is mostly used for suspected malicious applications. Normally, untrusted applications are run in a sandbox to limit their access to the rest of the system. An application being run in a sandbox won't have access to other applications' files or directories, and will not be able to inject malicious code into other applications' virtual memory space to run arbitrary code. Examples of sandbox tools are Sandboxie and chroot.
- Dynamic binary instrumentation tools: While the applications are running, insert chunks of code into the application's memory space in order to inspect the application's stack structures, heap structures, function calls, function call parameters, function return values and more. Frida, one of the latest tools for analyzing cloud-based applications, belongs to this category and is capable of inspecting every function call, changing its parameters or changing the computed return value and much more. Other tools belonging to this category are: PIN, DynamoRIO, Valgrind, strace and others.
Techniques and tools for cloud-based application analysis
There are a number of techniques for cloud-based application analysis. While the static analysis is used to obtain information from a cloud-based application like strings, API calls and signatures, the dynamic analysis is used to obtain information from an application during runtime, such as accessed registry keys, the contents of memory space and network packets sent over the wire.
Because of Frida's scripting capabilities, it's easy to write scripts that test different cloud-based applications and try to change different parts of the runtime program state. In a cloud-based backup application, it's possible to hook an appropriate function to change the amount of free space reported and enlarge it without paying for it. Alternatively, it's possible to hook a different function to change the username of the current user after logging in and before accessing the encrypted data of another user. These are all valid attack goals, which must be defended against on the server side rather than on the client side. Frida is just one of the tools that can be used to check whether these security recommendations are followed and whether any security vulnerabilities exist in the cloud-based applications. Other tools include Cycript and PIN.
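The two hooks described in the network-information technique and in the paragraph above (rewriting the username on the wire, and inflating the reported free space) only pay off when the server believes the client. The following is an added example, not code from the original article or from Frida; it models the whole exchange in one Python process. A constructed in-memory `CloudServer` stands in for the cloud endpoint, a `BackupClient` stands in for the desktop client, and `install_hook` wraps the client's send routine the way a runtime instrumentation hook would, applying both modifications to every post-login message. The server is built twice: once trusting the client's `user` and `free_space` fields (the weak design) and once deriving both from the session token and server-side quota bookkeeping (the recommended design), and it logs any mismatch between the client-supplied username and the session as a detection signal. The account names, quota and message format are assumptions made for the demonstration.

```python
import secrets
from typing import Callable, Dict, List

# Constructed backend state: two accounts, each with a 100-unit upload quota.
USERS = {
    "alice": {"password": "alice-pw", "files": ["notes.txt"]},
    "bob": {"password": "bob-pw", "files": ["secrets.pdf"]},
}
QUOTA = 100


class CloudServer:
    """In-process stand-in for the cloud endpoint. With trust_client=True it
    believes the client's "user" and "free_space" fields; with False it uses
    the session token and its own quota bookkeeping instead."""

    def __init__(self, trust_client: bool):
        self.trust_client = trust_client
        self.accounts = {u: {**a, "files": list(a["files"])} for u, a in USERS.items()}
        self.sessions: Dict[str, str] = {}        # session token -> username
        self.used: Dict[str, int] = {u: 0 for u in USERS}
        self.alerts: List[str] = []               # detection log for mismatches

    def handle(self, req: dict) -> dict:
        if req["op"] == "login":
            acct = self.accounts.get(req["user"])
            if acct is None or acct["password"] != req["password"]:
                return {"status": "denied"}
            token = secrets.token_hex(16)
            self.sessions[token] = req["user"]
            return {"status": "ok", "token": token}

        session_user = self.sessions.get(req.get("token"))
        if session_user is None:
            return {"status": "denied", "reason": "no session"}
        if req.get("user") != session_user:
            # A client-supplied identity that disagrees with the session is
            # worth logging in either design; it is exactly what tampering looks like.
            self.alerts.append(f"user field {req.get('user')!r} != session {session_user!r}")
        user = req["user"] if self.trust_client else session_user

        if req["op"] == "list":
            return {"status": "ok", "files": list(self.accounts[user]["files"])}
        if req["op"] == "upload":
            free = req["free_space"] if self.trust_client else QUOTA - self.used[user]
            if req["size"] > free:
                return {"status": "quota_exceeded"}
            self.used[user] += req["size"]
            self.accounts[user]["files"].append(req["name"])
            return {"status": "ok"}
        return {"status": "error", "reason": "unknown op"}


class BackupClient:
    """Desktop client. self.send is the outbound transport, i.e. the routine a
    runtime hook on the real send() would wrap."""

    def __init__(self, server: CloudServer, user: str, password: str):
        self.send: Callable[[dict], dict] = server.handle
        self.user, self.password, self.token = user, password, None
        self.uploaded = 0                          # client-side quota bookkeeping

    def login(self) -> bool:
        resp = self.send({"op": "login", "user": self.user, "password": self.password})
        self.token = resp.get("token")
        return self.token is not None

    def list_files(self) -> dict:
        return self.send({"op": "list", "token": self.token, "user": self.user})

    def upload(self, name: str, size: int) -> dict:
        resp = self.send({"op": "upload", "token": self.token, "user": self.user,
                          "name": name, "size": size,
                          "free_space": QUOTA - self.uploaded})
        if resp["status"] == "ok":
            self.uploaded += size
        return resp


def install_hook(client: BackupClient, rewrite: Callable[[dict], dict]) -> None:
    """Stand-in for attaching to the send routine: each outgoing message is
    passed through rewrite() before the server ever sees it."""
    original = client.send
    client.send = lambda req: original(rewrite(req))


def tamper(req: dict) -> dict:
    """The two client-side modifications from the article, applied after
    login: claim another user's identity and unlimited free space."""
    if req["op"] == "login":
        return req
    return {**req, "user": "bob", "free_space": 10 ** 9}


def run_scenario(trust_client: bool) -> dict:
    """Log in as alice, install the hook, then list files and attempt an
    upload far above the real quota; return what the server let through."""
    server = CloudServer(trust_client)
    client = BackupClient(server, "alice", "alice-pw")
    assert client.login()
    install_hook(client, tamper)
    listing = client.list_files()
    upload = client.upload("big.bin", 500)
    return {"files": listing["files"], "upload": upload["status"],
            "alerts": len(server.alerts)}


if __name__ == "__main__":
    print("trusting client:", run_scenario(trust_client=True))
    print("server-side checks:", run_scenario(trust_client=False))
```

With the trusting server the hooked client reads bob's file list and lands a 500-unit upload; with server-side checks the same hook returns only alice's files and a `quota_exceeded` result, and both runs leave two alerts in the log, which is the signal a backend should be watching for.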