5 min Security

Digging deeper into software artifacts


Software has artifacts. Spelled in correct English we would talk about artefacts, but because most of the planet’s software artefacts exist in (or were created in) Silicon Valley, we tend to embrace the Americanization and say artifacts. But what are software artifacts, why do they exist in the first place, how much of a vulnerability do they represent and what does the recent ‘unearthing’ (pun intended) of the Windows 11 PCA artifact mean for our enterprise systems?

In search of a simple definition we can all interpret, software artifacts occur as a natural result of human programmers touching enterprise software. They may be core sections of an application’s source code, or they might be design documents with annotations (possibly electronic, but sometimes printed on paper) created during development.

More commonly, we think about software artifacts as data models, application dependencies, software binaries, language models, microservices and even prototype code that might have been used to try out ideas at the start of a software project. But bringing it back down, artifacts can also exist in the form of meeting notes, benchmarks, change-logs or Unified Modelling Language (UML) notations and diagrams. 

Whatever form they take, software artifacts are stored in a repository so that they can be accessed across teams and inspected via an agreed form of query language for analysis and reference. But why does any of this matter? 

Microsoft Windows 8 artifact

Perhaps because software artifacts have been discussed more fervently across the developer wires recently as a result of Microsoft talking about a new forensic artifact (i.e. one that carries evidence that something has happened in the computer system) that first appeared in the 2022 update of Windows 11 (22H2). The artifact in question here is related to a Windows compatibility function that has been around since Windows 8, which, if your memory fails you, was way back in October 2012. The software artifact here is related to the Program Compatibility Assistant (PCA), a mechanism that was introduced in Windows Vista.

“PCA detects and fixes compatibility issues in legacy applications when they are executed on newer versions of Windows and is implemented as a Windows service, called PcaSvc,” said Harel Segev, a cloud solutions architect writing on the Sygnia Incident Response team blog.

Segev and team note that Microsoft doesn’t typically develop forensic artifacts as part of its standard practices. By reverse-engineering the Windows PCA service binaries, Sygnia gained additional insights on the undocumented structure of two PCA file formats and found unique behaviours and edge-cases (as in rare cases, not as in edge computing in the Internet of Things), which are critical to correctly interpreting the data within. 

Hostage-turned-ransomware negotiators 

For those unfamiliar with Sygnia, the company takes an intelligence-based approach to cybersecurity with a team made up not only of cybersecurity specialists, but also ex-military intelligence officers, psychologists, hostage-turned-ransomware negotiators and cyber criminologists. They are described as the guys (gender-neutral sense) that nations ‘quietly turn to’ for help.

Sygnia claims that the new insights it has uncovered can enable enterprises to create a set of known-bad Program IDs, then find and root them out of their networks. As clarified by IBM here, in software application development, “The Program-ID paragraph specifies the name by which the program is known and assigns selected program attributes to that program. It is required and must be the first paragraph in the ‘Identification Division’, [that part of the code structure that] identifies the program, class, factory object, object, method, function or interface.”

Parse, leverage, go

According to Segev and his co-writers Noam Lifshitz, Oren Biderman & Amir Sadon, “With this additional deep dive, digital forensics and incident response teams can now uncover the elements necessary to parse this artifact and leverage it in threat investigations including: information on the impact encoding formats, record storage patterns and the application execution behaviours of historical data, which could prove to be a breakthrough for incident response teams.”
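To make the two ideas above concrete, parsing an execution artifact and checking it against a set of known-bad program names, here is an added example written for this page. It is not Sygnia’s tooling and does not reproduce the real, undocumented PCA file formats: the `path|timestamp` record layout, the sample lines and the known-bad list are all constructed for illustration. What it does show is the part of the job the quote describes: reading records, keeping malformed lines aside instead of silently dropping them (the “edge cases” that decide whether data is interpreted correctly), and building a first-seen timeline for investigators.

```python
"""Parse constructed PCA-style execution records and match them against a
known-bad list. Example code for this article; the record layout is an
assumption, not the real Program Compatibility Assistant format."""
from __future__ import annotations

import ntpath
from dataclasses import dataclass
from datetime import datetime

# Constructed sample input (NOT a real PCA file). Assumed layout: <path>|<timestamp>.
# Two deliberately malformed lines exercise the error handling.
SAMPLE_RECORDS = """\
C:\\Program Files\\Vendor\\app.exe|2023-03-01 09:15:22.104
C:\\Users\\alice\\Downloads\\research_tool.exe|2023-03-02 18:41:03.987
garbage line without separator
C:\\Temp\\installer.exe|not-a-timestamp
C:\\Users\\alice\\Downloads\\research_tool.exe|2023-03-05 07:02:44.000
"""

# Constructed known-bad list (hypothetical names, for illustration only).
KNOWN_BAD = {"research_tool.exe"}


@dataclass(frozen=True)
class LaunchRecord:
    path: str
    launched_at: datetime


def parse_records(text: str) -> tuple[list[LaunchRecord], list[str]]:
    """Return (parsed records, rejected raw lines).

    Rejected lines are returned rather than discarded so an analyst can review
    them: a line that fails to parse may be corruption, or it may be a record
    variant the parser does not yet understand.
    """
    records: list[LaunchRecord] = []
    rejected: list[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # Split on the last separator so a '|' inside a path does not break parsing.
        path, sep, stamp = line.rpartition("|")
        if not sep or not path:
            rejected.append(raw)
            continue
        try:
            launched_at = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S.%f")
        except ValueError:
            rejected.append(raw)
            continue
        records.append(LaunchRecord(path=path, launched_at=launched_at))
    return records, rejected


def find_known_bad(records: list[LaunchRecord], known_bad: set[str]) -> list[LaunchRecord]:
    """Case-insensitive match of each record's executable name against the
    known-bad set (Windows paths are case-insensitive), oldest launch first."""
    wanted = {name.lower() for name in known_bad}
    hits = [r for r in records if ntpath.basename(r.path).lower() in wanted]
    return sorted(hits, key=lambda r: r.launched_at)


def first_seen(records: list[LaunchRecord]) -> dict[str, datetime]:
    """Earliest launch per executable path (lower-cased), the starting point
    for an incident timeline."""
    earliest: dict[str, datetime] = {}
    for r in records:
        key = r.path.lower()
        if key not in earliest or r.launched_at < earliest[key]:
            earliest[key] = r.launched_at
    return earliest


if __name__ == "__main__":
    parsed, bad_lines = parse_records(SAMPLE_RECORDS)
    print(f"parsed {len(parsed)} records, rejected {len(bad_lines)} lines")
    for line in bad_lines:
        print("  rejected:", line)
    for hit in find_known_bad(parsed, KNOWN_BAD):
        print("  known-bad launch:", hit.launched_at, hit.path)
    for path, ts in first_seen(parsed).items():
        print("  first seen:", ts, path)
```

Running the script on the constructed input parses three records, sets two aside for review, flags both launches of the hypothetical `research_tool.exe`, and reports when each executable was first seen. A real parser would of course have to implement the record encodings Sygnia documented rather than this toy layout.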

Talking about the work it carries out with this type of intelligence on board, Sygnia makes note of a major cyber incident targeting a cryptocurrency exchange, where the team discovered that attackers spent months establishing a relationship with a senior IT person, gaining their trust and eventually socially engineering them into installing ‘research software’ on their laptop.

“Once attackers had access to this highly privileged laptop, they could stealthily leverage the IT person’s privileged credentials to establish a foothold in the environment and create transactions transferring millions of dollars in cryptocurrencies from the company’s wallet. When anyone noticed the missing funds, it was too late to recover them,” said Yotam Meitar, director of incident response, Sygnia. 

Sleepless nights ahead?

If this brief history and tour of software artifacts tells us one thing, it is that these things exist for good reason and their creation and onward use as a point of reference should be regarded as a positive aspect of competent application development in the most holistic sense. It should also perhaps tell us that software artifacts are being cross-referenced by cyber response teams, with that information filtered down to DevOps teams at the coalface of modern development to make our enterprise applications (and indeed our games and leisure apps) safer and more robust.

To the average user, artifacts or artefacts might sound dull, but just try telling that to Indiana Jones. In this scenario, you can keep your eyes firmly open.
