PHoneyC future development ideas


Angelo Dell'Aera

May 28, 2010, 9:25:15 AM
to pho...@googlegroups.com

Hi all,
I'm writing this email in order to summarize a few things I thought about
the future steps in PHoneyC development process.

First of all I was thinking about starting to improve DOM emulation in order
to have a good and precise emulation. Moreover, while running PHoneyC
on www.google.com I realized this behaviour

buffer@alnitak ~/phoneyc $ python phoneyc.py -v www.google.com
Traceback (most recent call last):
  File "/home/buffer/phoneyc/DOM/DOM.py", line 49, in parse
    i.onclick()
RuntimeError: Failed to execute JS Function.
Traceback (most recent call last):
  File "/home/buffer/phoneyc/DOM/DOM.py", line 49, in parse
    i.onclick()
RuntimeError: Failed to execute JS Function.
No Shellcode/Heapspray Alerts.

and this is really bad since this site was handled correctly a few
revisions ago. This brought me to the conclusion we should start doing
test-driven development writing test-cases (or taking them from the net) in
order to improve the code and not introduce regressions. IMHO we should
start focusing on a DOM object (i.e. Window), improving it and writing
specific test cases and after that all the other DOM objects.

Another thing to decide is about using honeyjs or moving to pydermonkey.
Pydermonkey design seems cleaner but I don't know how much effort could be
required for porting the code. Zhijie?

Moreover maybe we need a SWF analyzer. I read this paper

http://www.cs.ucsb.edu/~vigna/publications/2009_ford_cova_kruegel_vigna_FlashAds.pdf

Please take a look at it because it is really interesting and depicts
possible approaches which could be used in order to develop such additional
module.

That's all! Let me know what you think about these ideas.


--

Angelo Dell'Aera 'buffer'
Antifork Research, Inc. http://buffer.antifork.org
Metro Olografix


Joyan

May 28, 2010, 11:24:46 PM
to pho...@googlegroups.com
Hi Angelo,

I agree with your first suggestion. Yes we need such test samples to
avoid regression, and I'd like to work on it, too.

As for the move to pydermonkey, this is a big change so I think we
should be very careful about it. Before changing to another engine, I think
the following questions should be considered and answered: Is there
something wrong with the current solution? Why is pydermonkey better
than honeyjs?

I'm graduating from the university in the near future, and currently I'm
busy with some graduating stuff like formalities and renting a house and
blablabla, so I don't have too much time to spend on phoneyc, but I'd
love to do some bug-fix stuff. I think the source of those regressions
is that the current code should be carefully reviewed again; only if we
have a robust code base can we develop new features without introducing
regressions.


Regards,
Zhijie

Louis

Jun 9, 2010, 5:12:33 PM
to phoneyc
Has the Google issue been resolved yet?

I am working with PHoneyC and it seems just about every website I
visit, malicious or benign, returns the "RuntimeError: Failed to
execute JS Function".

On May 28, 9:25 am, Angelo Dell'Aera <angelo.della...@gmail.com>
wrote:
> Hi all,
> I'm writing this email in order to summarize a few things I thought about
> the future steps in PHoneyC development process.
>
> First of all I was thinking about starting improving DOM emulation in order
> to have a good and precise emulation. Moreover while running PHoneyC
> on www.google.com I realized this behaviour
>
> buffer@alnitak ~/phoneyc $ python phoneyc.py -v www.google.com
> Traceback (most recent call last):
>   File "/home/buffer/phoneyc/DOM/DOM.py", line 49, in parse
>     i.onclick()
> RuntimeError: Failed to execute JS Function.
> Traceback (most recent call last):
>   File "/home/buffer/phoneyc/DOM/DOM.py", line 49, in parse
>     i.onclick()
> RuntimeError: Failed to execute JS Function.
> No Shellcode/Heapspray Alerts.
>
> and this is really bad since this site was handled correctly a few
> revisions ago. This brought me to the conclusion we should start doing
> test-driven development writing test-cases (or taking them from the net) in
> order to improve the code and not introduce regressions. IMHO we should
> start focusing on a DOM object (i.e. Window), improving it and writing
> specific test cases and after that all the other DOM objects.
>
> Another thing to decide is about using honeyjs or moving to pydermonkey.
> Pydermonkey design seems cleaner but I don't know how many effort could be
> required for porting the code. Zhijie?
>
> Moreover maybe we need a SWF analyzer. I read this paper
>
> http://www.cs.ucsb.edu/~vigna/publications/2009_ford_cova_kruegel_vig...

Joyan

Jun 10, 2010, 3:37:59 AM
to pho...@googlegroups.com
Hi Louis,

You can try the '-n' option, and if it still raises errors, please describe it in detail on the issues list (http://code.google.com/p/phoneyc/issues/list) or in this mailing list, so we can reproduce the bugs. Thanks.

zhijie

Louis

Jun 11, 2010, 10:27:20 AM
to phoneyc
I reran phoneyc with -n, and still received the error. I have
submitted it to the issues list at: http://code.google.com/p/phoneyc/issues/detail?id=34

On Jun 10, 2:37 am, Joyan <joya...@gmail.com> wrote:
> hi louis,
>
> you can try '-n' option, and if it still raises errors, please describe
> it in detail on the issues list(http://code.google.com/p/phoneyc/issues/list) or in this maillist, so we

Joyan

Jun 12, 2010, 5:27:26 AM
to pho...@googlegroups.com
Hi Louis,

Solved the problem shown in test.html, but it still raises errors when running on google.com. I'll accept the issue you submitted and hopefully solve it in the future. Currently you can just ignore such errors 'cause Google heavily uses advanced JavaScript features which are not simulated in phoneyc.

Thanks for the bug report.

zhijie

Louis

Jun 13, 2010, 1:52:02 AM
to phoneyc
Awesome, thanks :) Mind describing what the problem is with the
test.html? I am simply curious.

Joyan

Jun 13, 2010, 10:47:02 AM
to pho...@googlegroups.com
It's about the 'this' variable. PHoneyC couldn't handle it correctly;
now it can if the code assigned to onclick is not obfuscated.

zhijie
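The `this` problem Zhijie describes, and the kind of per-object regression case Angelo asks for, as an added example that is not PHoneyC code: an emulated DOM has to fire an inline onclick handler with `this` bound to the owning element, otherwise handlers that touch `this.getAttribute(...)` fail the way the traceback above shows. The element model, the `href` value and the handler source are constructed sample input.

```javascript
// Minimal stand-in for a parsed <a href="..." onclick="..."> element
// (constructed for this example; not PHoneyC's DOM objects).
function makeElement(tag, attrs) {
  return {
    tagName: tag,
    attributes: attrs,
    getAttribute(name) { return name in attrs ? attrs[name] : null; },
  };
}

// Compile the attribute string the way a browser does: as the body of a
// function taking `event`, created in sloppy mode (so an unbound call
// gets the global object as `this`, not the element).
function compileInlineHandler(src) {
  return new Function("event", src);
}

// The broken behaviour: the handler is run as a bare function, so `this`
// is the global object and this.getAttribute is not a function. The
// exception is caught and reported instead of aborting the whole parse.
function runHandlerUnbound(el) {
  const fn = compileInlineHandler(el.attributes.onclick);
  try {
    return { ok: true, value: fn({ type: "click", target: el }) };
  } catch (e) {
    return { ok: false, error: e.constructor.name };
  }
}

// The fixed behaviour: bind `this` to the element when firing the event.
function runHandlerBound(el) {
  const fn = compileInlineHandler(el.attributes.onclick);
  return fn.call(el, { type: "click", target: el });
}

// Constructed regression case: a handler that relies on `this` being
// the element, which is exactly what broke in DOM.py's parse loop.
const sampleAnchor = makeElement("A", {
  href: "http://example.invalid/page",
  onclick: "return this.getAttribute('href');",
});
```

Running both variants over `sampleAnchor` gives a TypeError for the unbound call and the `href` value for the bound one, which is the assertion a test case for the Window/Element objects would carry.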
