How to turn black to white?

03.08.2017

The unavailability of system source code has affected many enterprises, especially oil & gas and energy companies that rely heavily on SCADA systems in their production processes. However, the losses such companies suffer when an attack succeeds are prompting banks, insurers, retailers and other businesses to take a proactive approach.

Most companies have to use third-party software as a 'black box' because its source code is unavailable. Moreover, source code is almost impossible to obtain, since most vendors do not offer it. Ultimately, the inability to update such a system leaves a variety of undocumented features and vulnerabilities in place, a problem that affects both legacy systems still widely used at production plants and brand new solutions.

The mystery of legacy systems

Legacy systems often rely on outdated technologies, architectures, platforms, software, and infoware. The fact that neither documentation nor source code is available for most such systems can become a serious information security issue, given their vulnerabilities, undocumented features, and poorly understood operating algorithms. For example, one of our customers uses a legacy industrial control system consisting of dozens of disparate files whose sizes change from time to time, with no way of telling which changes are caused by system logic and which indicate tampering attempts. Hired specialists reconstructed the system's source code, derived its operating algorithm from it, and compiled lists of both static files and files that must be periodically updated, which made it possible to deploy an integrity control mechanism protecting the system against tampering.
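The integrity control described above, as an added example that is neither the customer's system nor the author's code: files are classified as static (their hash must not change) or periodically rewritten (only a size range is checked, since their content legitimately varies), and any file outside both lists is flagged. The file names, contents and size limits are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_of(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def build_baseline(root, static_files, dynamic_files):
    """Static files get a reference hash; files the system legitimately rewrites
    get only the size range (lo, hi) observed as normal, since their content varies."""
    root = Path(root)
    return {
        "static": {n: sha256_of(root / n) for n in static_files},
        "dynamic": {n: {"min": lo, "max": hi} for n, (lo, hi) in dynamic_files.items()},
    }

def check_integrity(root, baseline):
    """Return (file, reason) findings; an empty list means the tree matches the baseline."""
    root, findings = Path(root), []
    for name, expected in baseline["static"].items():
        p = root / name
        if not p.is_file():
            findings.append((name, "static file missing"))
        elif sha256_of(p) != expected:
            findings.append((name, "static file modified"))
    for name, lim in baseline["dynamic"].items():
        p = root / name
        if not p.is_file():
            findings.append((name, "dynamic file missing"))
        elif not lim["min"] <= p.stat().st_size <= lim["max"]:
            findings.append((name, "dynamic file size outside expected range"))
    known = set(baseline["static"]) | set(baseline["dynamic"])  # anything else is unexpected
    for p in sorted(root.rglob("*")):
        rel = p.relative_to(root).as_posix()
        if p.is_file() and rel not in known:
            findings.append((rel, "unexpected file"))
    return findings

def demo():
    """Constructed sample tree: one firmware-like static file and one log that grows."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "controller.bin").write_bytes(b"\x7fELF constructed image")
        (root / "trend.log").write_bytes(b"2017-08-03 pump=on\n" * 4)
        baseline = build_baseline(root, ["controller.bin"], {"trend.log": (1, 4096)})
        clean = check_integrity(root, baseline)
        (root / "trend.log").write_bytes(b"2017-08-03 pump=on\n" * 8)    # normal growth, allowed
        (root / "controller.bin").write_bytes(b"\x7fELF altered image")  # modified static file
        (root / "extra.dat").write_bytes(b"not in either list")          # file outside the lists
        return clean, check_integrity(root, baseline)
```

In production the baseline would be stored and signed outside the monitored tree, and the size limits for dynamic files would come from the operating algorithm reconstructed during analysis rather than from guesswork.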

Modern systems, on the other hand, are often designed and built by integrating individual components, both proprietary and third-party, which dramatically reduces development time and cost. Insecure third-party modules in an information system can undermine its overall security, cause information leakage and increase the likelihood of a successful attack.

Vulnerabilities are generally the result of developer errors or careless use of high-level languages. Undocumented features are those not mentioned in the software documentation; they may be unintentional or may have been introduced into the code deliberately to access an application while bypassing the protections in place.

Exploitation of a vulnerability or undocumented feature in a single software module can let a cybercriminal compromise the entire information system. To prevent this, all third-party software should be scrutinized and thoroughly analyzed before it is integrated into an existing information system.

Decompilation

When source code is available, an expert can analyze it for vulnerabilities or undocumented features relatively easily, either manually or with one of the many automatic code analyzers available on the market.

The challenge is how to verify software security when its source code is unavailable. In such cases, information security specialists may opt to reconstruct the source code by decompiling the software.

It should be noted that decompilation is a complicated and knowledge-intensive task, and a fully automatic decompiler remains a highly sophisticated goal. However, tools are available that address the problem in an automated, interactive mode with a qualified expert involved.

Decompilation can be useful even when source code is available, since what runs when an application is started is its compiled machine code rather than the high-level language code. And compilers sometimes spring surprises: for example, a compiler may leave a memory area unwiped, which is critically important when confidential data is processed, as a cybercriminal could gain access to it in various ways, including via a memory dump.

Today it is possible to look inside a piece of software and check it for vulnerabilities and undocumented features even if its source code is unavailable. However, this requires a proficient and experienced analyst who knows the decompilation tools, and such experts are currently not easy to find on the market.