Concerning the Bradford Dissolvable Agent
My university has recently decided to make its residential network harder to use, and has enlisted the help of Bradford Networks to do so. In particular they are using a piece of software named 'Bradford Dissolvable Agent', which they force users to download and run to examine their computers[1].
On the grounds that my hardware is for my use only, or to be used as I direct, I consider it my prerogative to examine the workings of any piece of software which is to be executed on it[2]. I therefore made some examination of the software before running it. While I didn't do a particularly thorough job (in part since my access to reference materials was significantly curtailed), I did make some observations.
- The program is written in C++, and uses the Xerces XML parser to read configuration information. It also uses a custom library to interpret or carry the configuration once read. Several boost libraries are used, including thread, datetime, signals and filesystem.
- Most of the configuration is not encapsulated in the software; it carries with it a dictionary with three keys: 'policy', 'uid', and 'url', whose corresponding values are encoded (see next point).
- The encoding used looks likely to be trivial. The code uses only capital roman letters and the decimal digits in its output. The encoding is in some sense useless, since the decoded value of any encoded string can be learned by examining the process's memory as it runs; it also does not appear to use any passwords or keys[3]. In particular the software cannot (as it could if asymmetric key cryptography were used) verify that the data it is reading actually originates from a trusted source.[4]
- The system is predicated on using falsified DNS results to misdirect requests for www.youtube.com to the registration server. This appears to be done on the grounds that no one will set a personal firewall to block youtube.com. The fear that a student will have blocked the website of his or her own institution is rather dubious, though: if this were the case it would have been impossible for them to see the registration page and download the agent program.[5]
At some point I would like to do a more complete job including understanding the encoding being used and in what ways the agent actually examines the system on which it runs. Unfortunately, I really can't read x86 assembly (or PPC assembly either, for that matter) so some studying would first be required.
[1] 'Dissolvable' refers to the fact that the program erases itself on completion, as it is only intended to be run a single time. Thankfully they aren't using the 'Bradford Persistent Agent', which hangs around watching indefinitely.
[2] I find rather dubious the concept that a company can demand that I not attempt to understand their software by looking at its internals. If they wanted me to promise not to steal their ideas and use them for my own profit that would be one thing, but handing me the complete description of the ideas (since that is what even compiled or obfuscated code is) and telling me to pay no attention to it just doesn't seem compelling.
[3] The decoding is handled by an object of a class called EncodeDecode whose constructor takes no arguments and whose only member functions (up to return types) are: charEncode(int), byteDecode(int), decode(char), decodeLong(char), decodeString(char const), decodeString(char), encode(char, int), encodeLong(long), and encodeString(char const).
[4] It appears likely that the encoded string BXWT9FYPT98A3US8RF8TASSKR4WLZJER6B8LWR45DHJA3FP76U58DUYA67WDASSR7U4L3SQBBU8M3HQT6K8T95YNB45LD32NRKWTVUQ57JKTDFV corresponds to the plaintext string https://www.youtube.com:443/registration/common/AgentPolicyOutput.jsp
[5] I'm also not sure why Safari accepted an SSL certificate (issued by the unimpeachable, honorable, and altogether trustworthy Go Daddy Secure Certification Authority) for *.resnet.wisc.edu when loading a page supposedly from www.youtube.com. I wonder whether other browsers blindly accept this as well, but I forgot to test when I had the chance. This basically is a man-in-the-middle attack, except for the fact that it doesn't transparently pretend to be the actual other party (Youtube).
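As an added example (not code from this post or from Bradford Networks), here is the hostname check a browser is expected to apply before trusting a certificate for a redirected request, written in Python: a certificate for `*.resnet.wisc.edu` must not be accepted for a page requested as www.youtube.com. The certificate name list and the wildcard policy below are constructed assumptions, not the agent's or Safari's actual code.

```python
# Hostname matching in the spirit of RFC 6125 section 6.4.3:
# a wildcard may only be the entire leftmost label, matches exactly one
# label, and (assumed policy here) must leave at least two fixed labels.

def hostname_matches(pattern: str, hostname: str) -> bool:
    """True if one certificate name (possibly a wildcard) covers hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname          # plain name: exact, case-insensitive
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # reject "foo*.example", "*.*.example" and overly broad "*.edu"
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if any("*" in label for label in p_labels[1:]):
        return False
    # the wildcard stands in for exactly one label, so counts must agree
    if len(h_labels) != len(p_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def certificate_covers(cert_names, hostname: str) -> bool:
    """True if any name in the certificate's subject/SAN list matches."""
    return any(hostname_matches(name, hostname) for name in cert_names)


def check_request(requested_host: str, cert_names):
    """Decide as a strict client would; returns (accept, reason)."""
    if certificate_covers(cert_names, requested_host):
        return True, "certificate name matches requested host"
    return False, (f"certificate for {cert_names} presented "
                   f"for {requested_host}: possible redirection/MITM")


# Constructed sample: names a portal certificate like the one in the post
# might carry, presented to a browser that asked for www.youtube.com.
PORTAL_CERT_NAMES = ["*.resnet.wisc.edu", "resnet.wisc.edu"]

if __name__ == "__main__":
    for host in ("www.youtube.com", "nac.resnet.wisc.edu"):
        print(host, check_request(host, PORTAL_CERT_NAMES))
```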