July 20, 2004
Runtime Call Stack Analysis with .NET
Windows Security
Jason Coombs
Profiling the call stack helps you spot expected behavior early on. The .NET Framework's System.Diagnostics classes make it possible.
Easy programmatic access to the call stack during program execution opens up new avenues for analysis and defensive coding. The easiest way to read the call stack is through the .NET Framework class library namespace System.Diagnostics. StackTrace and StackFrame are two Diagnostics classes that together give managed code the ability to analyze its own call stack. The following code reads the call stack and writes each stack frame to a System.IO.MemoryStream buffer:

    using System;
    using System.Diagnostics;
    using System.IO;
    using System.Text;

    namespace callstackanalysis {
        class Class1 {
            [STAThread]
            static void Main(string[] args) {
                Class1 o = new Class1();
                o.call1();
            }

            // Three nested calls so that the stack has something to show.
            void call1() { call2(); }
            void call2() { call3(); }
            void call3() { displaycallstack(); }

            void displaycallstack() {
                byte[] b;
                StackFrame sf;
                MemoryStream ms = new MemoryStream();
                String s = Process.GetCurrentProcess().ProcessName;
                Console.Out.WriteLine(s + " Call Stack");
                // Capture the managed call stack of the current thread: frame 0 is
                // displaycallstack itself, the last frame is Main.
                StackTrace st = new StackTrace();
                for (int a = 0; a < st.FrameCount; a++) {
                    sf = st.GetFrame(a);
                    s = sf.ToString();   // StackFrame.ToString() ends each frame with a newline
                    b = Encoding.ASCII.GetBytes(s);
                    ms.Write(b, 0, b.Length);
                }
                // Copy the buffered frames to stdout (or to any other Stream).
                ms.WriteTo(System.Console.OpenStandardOutput());
            }
        }
    }
The System.IO.MemoryStream class provides a WriteTo method that writes the entire contents of the MemoryStream to another stream. Using WriteTo you can just as easily dump the call stack held in the MemoryStream to a file or a network stream; the example shown here sends it to standard output. Two details matter before you rely on the output: StackTrace walks managed frames only, and in optimized (Release) builds the JIT compiler may inline small methods, so a frame that is visible in a Debug build can be missing in production. Call stacks gathered for comparison should therefore come from the same build configuration that will actually run.

Runtime call-stack logging is a valuable tool for understanding complex applications. The call stacks observed during normal operation of an application provide valuable forensic context and knowledge of the code paths that are expected in practice. Security for some applications can hinge on preventing unexpected or improper execution paths, and only by profiling what is expected can anomalies be detected. An intriguing concept is to combine call-stack analysis during Quality Assurance testing with runtime security enforcement that prevents anomalous call stacks from forming. Such call-stack anomalies may not be the result of attacks, but if QA testing never examined a particular path through the code, perhaps that path should be denied by default. A thorough forensic call-path analysis could be provided by software vendors as a result of a forensic quality assurance process, enabling the list of QA-tested code execution paths to be combined with an anomaly prevention layer. Real software quality control from point of source-code origin to runtime execution of compiled code may be possible under such a system. Note that any such enforcement runs inside the process it protects: it raises the bar against unexpected managed code paths, not against an attacker who already executes native code in that process.
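The profile-then-enforce idea above, as an added example that is not part of the original article. The CallPathGuard class, its Check/Fingerprint/RecordedPaths methods and the Program/Sensitive names are assumptions chosen for illustration. During a profiling (QA) run, every call path that reaches a guarded method is recorded as a canonical "Type.Method > Type.Method" string; once enforcement is switched on, a path that QA never exercised is refused.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Reflection;
using System.Runtime.CompilerServices;
using System.Text;

namespace callstackanalysis
{
    // Added example (not the article's code). Records every call path that reaches
    // a guarded method during a profiling run, then refuses paths not on that list.
    static class CallPathGuard
    {
        static readonly HashSet<string> allowed = new HashSet<string>();
        static bool enforce;

        // Switch from recording to denying. In a real product the allow list would be
        // loaded from the file produced during QA rather than built in-process.
        public static void StartEnforcing() { lock (allowed) { enforce = true; } }

        // Copy of the recorded paths, e.g. to ship with the product after QA.
        public static string[] RecordedPaths()
        {
            lock (allowed) { return new List<string>(allowed).ToArray(); }
        }

        // Canonical fingerprint of the managed call stack: "Type.Method" per frame,
        // oldest caller first. skipFrames hides the guard's own frames so the
        // fingerprint starts at the method that called Check().
        public static string Fingerprint(int skipFrames)
        {
            StackTrace st = new StackTrace(skipFrames + 1, false); // +1 hides Fingerprint
            StringBuilder sb = new StringBuilder();
            for (int i = st.FrameCount - 1; i >= 0; i--)
            {
                MethodBase m = st.GetFrame(i).GetMethod();
                if (m == null) continue; // frames without method info are skipped
                if (sb.Length > 0) sb.Append(" > ");
                sb.Append(m.DeclaringType == null ? "?" : m.DeclaringType.FullName);
                sb.Append('.').Append(m.Name);
            }
            return sb.ToString();
        }

        // Call at the top of a sensitive method. Profiling mode records the current
        // path; enforcement mode throws if the path was never seen during QA.
        [MethodImpl(MethodImplOptions.NoInlining)]
        public static void Check()
        {
            string path = Fingerprint(1); // 1 hides Check itself
            lock (allowed)
            {
                if (!enforce) { allowed.Add(path); return; }
                if (!allowed.Contains(path))
                    throw new UnauthorizedAccessException("call path not seen in QA: " + path);
            }
        }
    }

    class Program
    {
        static void Main()
        {
            Program p = new Program();

            // Profiling phase (what a QA run would do): exercise the expected paths.
            p.call1();
            foreach (string path in CallPathGuard.RecordedPaths())
                Console.WriteLine("recorded: " + path);

            // Enforcement phase: the profiled path still works...
            CallPathGuard.StartEnforcing();
            p.call1();

            // ...but a path QA never exercised (Main calling Sensitive directly) is refused.
            try { p.Sensitive(); }
            catch (UnauthorizedAccessException e) { Console.WriteLine("denied: " + e.Message); }
        }

        // NoInlining keeps these small methods on the stack in optimized builds;
        // otherwise the JIT may inline them and the fingerprint would differ
        // between Debug and Release.
        [MethodImpl(MethodImplOptions.NoInlining)] void call1() { call2(); }
        [MethodImpl(MethodImplOptions.NoInlining)] void call2() { call3(); }
        [MethodImpl(MethodImplOptions.NoInlining)] void call3() { Sensitive(); }

        [MethodImpl(MethodImplOptions.NoInlining)]
        void Sensitive()
        {
            CallPathGuard.Check();
            Console.WriteLine("sensitive work done");
        }
    }
}
```

The fingerprint is built from the oldest frame down so that the same path always produces the same string regardless of how deep the guarded method sits. If the allow list is to be distributed by a vendor, store hashes of the fingerprints rather than the strings themselves, and remember that the check is only as trustworthy as the process running it.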
Jason Coombs is Director of Forensic Services for PivX Solutions Inc. (NASDAQ OTCBB: PIVX), a provider of security solutions, computer forensics, and expert witness services. Reach him at jcoombs@PivX.com.