How to protect your code from Pegasus spyware
August 5, 2021
Learn how to stop Pegasus-like attacks and protect your code from buffer overflows and other exploitable vulnerabilities
Introduction
You may have heard of Pegasus, surveillance software produced by an Israeli company, the NSO Group, for anti-crime and anti-terrorism purposes.
It is back in the news for the alleged spying on 180 journalists and thousands of human rights activists, discovered in an investigative journalism effort called Project Pegasus.
Pegasus is designed to collect text messages, intercept phone calls, geolocate the user and copy their passwords. Many governments have used it in the past to monitor the activities of anyone who, in their view, could represent a danger to national security.
Amnesty International and Toronto-based Citizen Lab have been reporting its alleged misuse against privacy advocates and human and civil rights activists in 45 countries around the world, from Egypt to Mexico, since 2016.
Rights activists, journalists and lawyers around the world have been targeted with phone malware sold to authoritarian governments by an Israeli surveillance firm, media reports say.
They are reported to be on a list of some 50,000 phone numbers of people believed to be of interest to clients of the company.
Not the first time
But this is not the first time that Pegasus has been associated with cyberattacks: in 2019, 1,400 WhatsApp users were hacked over a period of 2 weeks with the Pegasus spyware. To deliver its malware to target devices, NSO exploited a buffer overflow vulnerability in WhatsApp’s VoIP (Voice over IP) stack, and it succeeded even when the targets did not answer the calls.
Taking advantage: the Buffer Overflow
But how did Pegasus manage to penetrate WhatsApp? The NSO group took advantage of vulnerabilities in WhatsApp that were due to a cache configuration issue and a missing bounds check in the audio decoding pipeline.
WhatsApp has revealed that these issues were caused by a buffer overflow vulnerability in its VoIP stack that allowed remote code execution via a series of specially crafted SRTCP packets sent to a target phone number. Once the NSO Group discovered the buffer overflow, it was able to overwrite memory to achieve remote code execution: sending these packets to targets installed the Pegasus spyware on their devices.
What exactly is a buffer overflow?
A buffer is a memory zone used to temporarily store data which is being moved from one location to another. It has a determined size and boundaries for where it begins and ends.
A buffer overflow is what happens when one writes memory outside of the buffer boundaries, using inputs that are too large to fit in the buffer.
This bug can be exploited by attackers to trigger faulty behavior on purpose. By overwriting the application’s memory, an attacker can gain access to data that was supposed to be protected by encryption (such as passwords or tokens), and can even inject code that is then executed remotely, which can lead to taking full control of the program.
Once they have full control of the program, they can access any system and expose sensitive information. Overwriting the memory of WhatsApp’s VoIP stack is how Pegasus took advantage of the buffer overflow to collect data on what was supposed to be encrypted exchanges.
The C and C++ languages, widely used in the embedded industry, are prone to buffer overflows and other memory errors because they rely on manual memory management and do not automatically check bounds, unlike some other languages.
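As an added illustration (not code from the page, from WhatsApp or from NSO), here is the shape of a "missing bounds check in a decoding pipeline" in C: a length field read from the packet is trusted when copying into a fixed-size frame buffer, shown beside the same function with the check added. The packet layout, FRAME_MAX and the function names are constructed for this example and are not the real SRTCP or codec format.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed packet layout for this example (not a real SRTCP/codec format):
   byte 0 = claimed payload length, bytes 1.. = payload. */
#define FRAME_MAX 64   /* capacity of the decoder's fixed-size frame buffer */

/* Vulnerable pattern: the length comes straight from the network and is
   trusted. A packet claiming more than FRAME_MAX bytes makes memcpy write
   past the end of 'frame' (a buffer overflow); a packet shorter than it
   claims makes memcpy read past the end of 'pkt'. */
int decode_frame_unchecked(const uint8_t *pkt, size_t pkt_len, uint8_t *frame)
{
    (void)pkt_len;                 /* never consulted: that is the bug */
    size_t len = pkt[0];
    memcpy(frame, pkt + 1, len);   /* no check that len <= FRAME_MAX */
    return (int)len;
}

/* Hardened version: every quantity taken from the packet is validated
   against both the destination capacity and the bytes actually received
   before any copy happens. Returns -1 for a rejected packet. */
int decode_frame_checked(const uint8_t *pkt, size_t pkt_len, uint8_t *frame)
{
    if (pkt_len < 1)
        return -1;                 /* no header byte at all */
    size_t len = pkt[0];
    if (len > FRAME_MAX)
        return -1;                 /* would overflow the frame buffer */
    if (len > pkt_len - 1)
        return -1;                 /* would over-read the packet */
    memcpy(frame, pkt + 1, len);
    return (int)len;
}

int main(void)
{
    uint8_t frame[FRAME_MAX];
    uint8_t good[1 + 16] = {16};   /* constructed: claims 16, carries 16 */
    uint8_t bad[1 + 200] = {200};  /* constructed: claims 200 > FRAME_MAX */
    memset(good + 1, 0xAB, 16);
    memset(bad + 1, 0x41, 200);
    printf("well-formed packet: %d bytes decoded\n", decode_frame_checked(good, sizeof good, frame));
    printf("oversized packet: %d (rejected)\n", decode_frame_checked(bad, sizeof bad, frame));
    /* decode_frame_unchecked(bad, sizeof bad, frame) would write 200 bytes
       into the 64-byte frame: exactly the class of bug a sound analyzer flags. */
    return 0;
}
```

The unchecked function compiles without complaint, which is why a bug of this kind has to be found by analysis or testing rather than by the compiler.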
How TrustInSoft Analyzer can help
If the buffer overflow had been detected by WhatsApp beforehand, Pegasus would not have been able to hack the devices using WhatsApp. What’s more is that buffer overflows are 100% detectable during development and the verification/validation stage!
TrustInSoft Analyzer is the leading comprehensive code analyzer that can help you prevent this kind of error, thanks to its exhaustive source code analysis powered by formal methods, allowing it to detect 100% of buffer overflow vulnerabilities.
By analyzing the semantics of the code and having a mathematical model of the memory, TrustInSoft Analyzer can verify the behavior of the program for all possible inputs and all execution paths, making sure the analysis is exhaustive and all undefined behaviors, including buffer overflow, are caught.
In order to detect 100% of buffer overflows in the code, TrustInSoft builds a mathematical model of the memory, and conducts a value analysis for all possible values of variables that could come up during the execution of the program, examining them to determine if certain values will lead to buffer overflow. If so, TrustInSoft Analyzer reports the bug to its user, so that the user can correct it.
Learn more about TrustInSoft Analyzer and the benefits it can bring to its users here.