an in depth analysis of disassembly on full scale x86 x64
play

An In-Depth Analysis of Disassembly on Full-Scale x86/x64 Binaries - PowerPoint PPT Presentation

Sep 05, 2023 •312 likes •508 views

An In-Depth Analysis of Disassembly on Full-Scale x86/x64 Binaries Dennis Andriesse , Xi Chen , Victor van der Veen , Asia Slowinska , Herbert Bos Vrije Universiteit Amsterdam Lastline, Inc. USENIX Security 2016

  1. An In-Depth Analysis of Disassembly on Full-Scale x86/x64 Binaries Dennis Andriesse † , Xi Chen † , Victor van der Veen † , Asia Slowinska § , Herbert Bos † † Vrije Universiteit Amsterdam § Lastline, Inc. USENIX Security 2016

  2. Introduction Disassembly in Systems Security Disassembly is the backbone of all binary-level systems security work (and more) • Control-Flow Integrity • Automatic Vulnerability/Bug Search • Lifting binaries to LLVM/IR (e.g., for reoptimization) • Malware Analysis • Binary Hardening • Binary Instrumentation • . . . An In-Depth Analysis of Disassembly,on Full-Scale x86/x64 Binaries 1 of 18

  3. Introduction Challenges in Disassembly Disassembly is undecidable, and disassemblers face many challenges • Code interleaved with data • Overlapping basic blocks • Overlapping instructions (on variable-length ISAs) • Indirect jumps/calls • Alignment/padding bytes (such as nop s) • Multi-entry functions • Tailcalls • . . . How much of a problem do these challenges cause in practice? An In-Depth Analysis of Disassembly,on Full-Scale x86/x64 Binaries 2 of 18

  4. Introduction Motivation of our Work Prior work explores corner cases, but no consensus on how common these really are in practice • Pessimistic view of disassembly among reviewers and researchers • Underestimation of the potential of binary-based work We study the frequency of corner cases in real-world binaries, and measure how well disassemblers deal with them An In-Depth Analysis of Disassembly,on Full-Scale x86/x64 Binaries 3 of 18

  5. Experiment Setup Binary Types We cover a wide range of commonly targeted binary types ( 981 tests ) • SPEC CPU2006 + real-world applications (C and C++) • Compiled with gcc , clang (ELF) and Visual Studio (PE) • Compiled for x86 and x64 • Five optimization levels ( O0 - O3 and Os ) + -flto • Dynamically and statically linked binaries • Stripped binaries and binaries with symbols • Library code with handwritten assembly ( glibc ) Focus on benign use cases, such as binary protection schemes (we already know obfuscated binaries can wreak havoc) An In-Depth Analysis of Disassembly,on Full-Scale x86/x64 Binaries 4 of 18

  6. Experiment Setup Ground Truth Ground truth from DWARF/PDB, with source-level LLVM info Disassembly Primitives and Complex Cases We study five commonly used disassembly/binary analysis primitives • � Instructions, � Function starts, � Function signatures, 1 2 3 � Control Flow Graph (CFG) accuracy, � Callgraph accuracy 4 5 Measure prevalence of seven complex cases � Overlapping BBs, � Overlapping instructions, • 1 2 � Inline data/jump tables, � Switches, � Padding bytes, 3 4 5 � Multi-entry functions, � Tailcalls 6 7 Disassemblers Tested nine popular industry and research disassemblers (details in paper and in results where needed) An In-Depth Analysis of Disassembly,on Full-Scale x86/x64 Binaries 5 of 18

  7. Experiment Results More results Far too many results to fit in this presentation • Focus on most interesting results here, see paper for more • Detailed results and ground truth publicly released https://www.vusec.net/projects/disassembly/ An In-Depth Analysis of Disassembly,on Full-Scale x86/x64 Binaries 6 of 18

  8. Experiment Results Instruction Accuracy Very high accuracy for best performing disassemblers • IDA Pro 6.7: 96%–99% TP (FNs due to padding, FPs rare) • Linear: 100% correct on ELF (no inline data) 99% correct for PE, some FPs/FNs due to inline jump tables gcc-5.1.1 x86 gcc-5.1.1 x64 clang-3.7.0 x86 clang-3.7.0 x64 Visual Studio '15 x86 Visual Studio '15 x64 100 90 % correct (geometric mean) 80 70 angr 4.6.1.4 BAP 0.9.9 ByteWeight 0.9.9 60 Dyninst 9.1.0 Hopper 3.11.5 IDA Pro 6.7 50 Jakstab 0.8.4 Linear 40 SPEC (C) SPEC (C++) 30 20 O0 O1 O2 O3 O0 O1 O2 O3 O0 O1 O2 O3 O0 O1 O2 O3 O0 O1 O2 O3 O0 O1 O2 O3 Figure: Correctly disassembled instructions An In-Depth Analysis of Disassembly,on Full-Scale x86/x64 Binaries 7 of 18

  9. Experiment Results CFG and Callgraph accuracy CFG and callgraph very accurate due to high instruction accuracy (see paper for details) An In-Depth Analysis of Disassembly,on Full-Scale x86/x64 Binaries 8 of 18

  10. Experiment Results Function Signatures Only IDA Pro, important mostly for manual reverse engineering • Poor accuracy, especially on x64 • Acceptable for manual analysis, caution in automated analysis gcc-5.1.1 x86 gcc-5.1.1 x64 clang-3.7.0 x86 clang-3.7.0 x64 Visual Studio '15 x86 Visual Studio '15 x64 100 80 % correct (geometric mean) 60 40 20 0 O0 O1 O2 O3 O0 O1 O2 O3 O0 O1 O2 O3 O0 O1 O2 O3 O0 O1 O2 O3 O0 O1 O2 O3 Figure: Correctly detected non-empty argument list (IDA Pro, argc only) An In-Depth Analysis of Disassembly,on Full-Scale x86/x64 Binaries 9 of 18

  11. Experiment Results Function Detection Function detection currently the main disassembly challenge • Even function start detection yields many FPs/FNs (20% + ) • Complex cases: non-standard prologues, tailcalls, inlining, . . . • Binary analysis commonly requires function information gcc-5.1.1 x86 gcc-5.1.1 x64 clang-3.7.0 x86 clang-3.7.0 x64 Visual Studio '15 x86 Visual Studio '15 x64 100 80 % correct (geometric mean) 60 angr 4.6.1.4 BAP 0.9.9 ByteWeight 0.9.9 40 Dyninst 9.1.0 Hopper 3.11.5 IDA Pro 6.7 Jakstab 0.8.4 20 SPEC (C) SPEC (C++) 0 O0 O1 O2 O3 O0 O1 O2 O3 O0 O1 O2 O3 O0 O1 O2 O3 O0 O1 O2 O3 O0 O1 O2 O3 Figure: Correctly detected function start addresses An In-Depth Analysis of Disassembly,on Full-Scale x86/x64 Binaries 10 of 18

  12. Experiment Results Function Detection: False Negative Listing: False negative indirectly called function for IDA Pro 6.7 ( gcc compiled with gcc at O3 for x64 ELF) 6caf10 <ix86 fp compare mode>: 6caf10: mov 0x3f0dde(%rip),%eax 6caf16: and $0x10,%eax 6caf19: cmp $0x1,%eax 6caf1c: sbb %eax,%eax 6caf1e: add $0x3a,%eax 6caf21: retq An In-Depth Analysis of Disassembly,on Full-Scale x86/x64 Binaries 11 of 18

  13. Experiment Results Function Detection: False Positive Listing: False positive function (shaded) for Dyninst ( perlbench compiled with gcc at O3 for x64 ELF) 46b990 <Perl pp enterloop>: [...] 46ba02: ja 46bb50 <Perl pp enterloop+0x1c0> 46ba08: mov %rsi,%rdi 46ba0b: shl %cl,%rdi 46ba0e: mov %rdi,%rcx 46ba11: and $0x46,%ecx 46ba14: je 46bb50 <Perl pp enterloop+0x1c0> [...] 46bb47: pop %r12 46bb49: retq 46bb4a: nopw 0x0(%rax,%rax,1) 46bb50: sub $0x90,%rax An In-Depth Analysis of Disassembly,on Full-Scale x86/x64 Binaries 12 of 18

  14. Prevalence of Complex Cases Complex Cases in Application Code • No inline data in ELF , even jump tables placed in .rodata • Inline data for PE (jump tables), well recognized by IDA Pro • No overlapping basic blocks , contrary to widespread belief • Tailcalls quite common (impact on function detection) gcc-5.1.1 x86 gcc-5.1.1 x64 clang-3.7.0 x86 clang-3.7.0 x64 Visual Studio '15 x86 Visual Studio '15 x64 600 BB overlap ins overlap 500 multi-entry jmps # complex cases (geometric mean) multi-entry targets tailcall jmps tailcall targets 400 SPEC (C) SPEC (C++) 300 200 100 0 O0 O1 O2 O3 O0 O1 O2 O3 O0 O1 O2 O3 O0 O1 O2 O3 O0 O1 O2 O3 O0 O1 O2 O3 Figure: Prevalence of complex constructs in SPEC CPU2006 binaries An In-Depth Analysis of Disassembly,on Full-Scale x86/x64 Binaries 13 of 18

  15. Prevalence of Complex Cases Complex Cases in Library Code ( glibc-2.22 ) Highly optimized library code (handwritten assembly) allows for more complex cases • Surprisingly, no inline data in recent glibc versions (explicitly pushed into .rodata even in handwritten code) • No overlapping basic blocks • Tailcalls again quite common • Some overlapping instructions (handwritten assembly) • Some multi-entry functions (well-defined) An In-Depth Analysis of Disassembly,on Full-Scale x86/x64 Binaries 14 of 18

  16. Prevalence of Complex Cases Complex Cases in Library Code: Overlapping Instruction Listing: Overlapping instruction in glibc-2.22 7b05a: cmpl $0x0,%fs:0x18 7b063: je 7b066 7b065: lock cmpxchg %rcx,0x3230fa(%rip) An In-Depth Analysis of Disassembly,on Full-Scale x86/x64 Binaries 15 of 18

  17. Prevalence of Complex Cases Complex Cases in Library Code: Multi-Entry Function Listing: Multi-entry function in glibc-2.22 e9a30 <splice>: e9a30: cmpl $0x0,0x2b9da9(%rip) e9a37: jne e9a4c < splice nocancel+0x13> e9a39 < splice nocancel>: e9a39: mov %rcx,%r10 e9a3c: mov $0x113,%eax e9a41: syscall e9a43: cmp $0xfffffffffffff001,%rax e9a49: jae e9a7f < splice nocancel+0x46> e9a4b: retq e9a4c: sub $0x8,%rsp e9a50: callq f56d0 < libc enable asynccancel> [...] An In-Depth Analysis of Disassembly,on Full-Scale x86/x64 Binaries 16 of 18

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Supermodule Disassembly Tom Dietel WWU M unster TRD Status Meeting 3.11.2008 Supermodule

Supermodule Disassembly Tom Dietel WWU M unster TRD Status Meeting 3.11.2008 Supermodule

Supermodule Disassembly Supermodule Disassembly Tom Dietel WWU M unster TRD Status Meeting 3.11.2008 Supermodule Disassembly Disassembly of SM-II Cooling problems in L5 short silicone hoses, bends problem has been solved in

321 views • 4 slides
Binarylevel program analysis: Static Disassembly Gang Tan CSE 597 Spring 2019 Penn State

Binarylevel program analysis: Static Disassembly Gang Tan CSE 597 Spring 2019 Penn State

Binarylevel program analysis: Static Disassembly Gang Tan CSE 597 Spring 2019 Penn State University 3 Disassemblers Disassembler Convert machine code in a binary file into assembly code or code in an equivalent IR Assume a

514 views • 26 slides
Full Depth Reclamation Fly Ash Stabilization MERRILL AIRPORT &amp; LANGLADE COUNTY AIRPORT

Full Depth Reclamation Fly Ash Stabilization MERRILL AIRPORT &amp; LANGLADE COUNTY AIRPORT

Full Depth Reclamation Fly Ash Stabilization MERRILL AIRPORT &amp; LANGLADE COUNTY AIRPORT (Antigo) Pulverize Asphaltic Pavement and Base Course Full Depth Reclamation aka Cold In-place Recycling [CIR] A reclamation technique in

749 views • 20 slides
Senior Thesis Analysis Topics Alternate Formwork System Evaluation (Depth Analysis) The

Senior Thesis Analysis Topics Alternate Formwork System Evaluation (Depth Analysis) The

Senior Thesis Analysis Topics Alternate Formwork System Evaluation (Depth Analysis) The Green Building Reference Guide (Depth Analysis) Office Tower Structural Redesign (Breadth Analyses) Introduction Occupants Headquarters of

522 views • 31 slides
Pennsylvania State University Atrium Medical Corporation Architectural Engineering Table of

Pennsylvania State University Atrium Medical Corporation Architectural Engineering Table of

Pennsylvania State University Atrium Medical Corporation Architectural Engineering Table of Contents Headquarters Facility Senior Thesis Final Presentation Title Page Project Information Depth Analysis 1 Depth Analysis 2 Depth Analysis 3

533 views • 32 slides
Successful Online and Offline Cleaning of Steam Turbines With and Without Disassembly Successful

Successful Online and Offline Cleaning of Steam Turbines With and Without Disassembly Successful

Successful Online and Offline Cleaning of Steam Turbines With and Without Disassembly Successful Online and Offline Cleaning of Steam Turbines With and Without Disassembly Bladimir Gomez Supervisor, Rotating Equipment Engineering PDVSA CRP

354 views • 21 slides
PCA and Admixture proportions for low depth NGS data Anders Albrechtsen Admixture model

PCA and Admixture proportions for low depth NGS data Anders Albrechtsen Admixture model

PCA and Admixture proportions for low depth NGS data Anders Albrechtsen Admixture model NGSadmix Introduction to PCA PCA for NGS - genotype likelihood approach analysis based on individual allele frequencies Analysis of low depth

930 views • 53 slides
Graphical Exploratory Analysis Using Take a fixed collection of datapoints : ( x 1 , y 1 ) , ( x 2

Graphical Exploratory Analysis Using Take a fixed collection of datapoints : ( x 1 , y 1 ) , ( x 2

Bivariate halfspace depth (Tukey depth) Graphical Exploratory Analysis Using Take a fixed collection of datapoints : ( x 1 , y 1 ) , ( x 2 , y 2 ) , . . . , ( x n , y n ) . Halfspace Depth Given an arbitrary point ( x , y ) : take all (closed)

208 views • 5 slides
Re Regio gional nal Fu Full-Scale Scale Ex Exerc ercis ise Molly McFadden &amp; Alicia

Re Regio gional nal Fu Full-Scale Scale Ex Exerc ercis ise Molly McFadden &amp; Alicia

Nor orth th Cen entral tral Te Texas as Re Regio gional nal Fu Full-Scale Scale Ex Exerc ercis ise Molly McFadden &amp; Alicia Toombs May 16, 2017 Pr Pres esenters enters Molly McFadden Director of Emergency Preparedness

594 views • 55 slides
Applications of Graph Traversal Algorithm : Design &amp; Analysis [12] In the last class

Applications of Graph Traversal Algorithm : Design &amp; Analysis [12] In the last class

Applications of Graph Traversal Algorithm : Design &amp; Analysis [12] In the last class Depth-First and Breadth-First Search Finding Connected Components General Depth-First Search Skeleton Depth-First Search Trace

498 views • 35 slides
Full-scale micropollutant removal from municipal wastewater in Switzerland Aline Meier, Julie

Full-scale micropollutant removal from municipal wastewater in Switzerland Aline Meier, Julie

Associazione svizzera Verband Schweizer des professionnels Association suisse dei professionisti Gewsserschutz- della protezione de la protection Abwasser- und Swiss Water delle acque Association fachleute des eaux Full-scale

333 views • 12 slides
The Pavement Design Spreadsheet can be used to develop pavement designs for full depth pavement

The Pavement Design Spreadsheet can be used to develop pavement designs for full depth pavement

The Pavement Design Spreadsheet can be used to develop pavement designs for full depth pavement projects off the National Highway System. The spreadsheet walks the designer from start to finish and develops the Pavement Design signature form

671 views • 30 slides
State-of-the-art Report On FULL-DEPTH PRECAST CONCRETE BRIDGE DECK PANELS (SOA -01-1911) Vince

State-of-the-art Report On FULL-DEPTH PRECAST CONCRETE BRIDGE DECK PANELS (SOA -01-1911) Vince

State-of-the-art Report On FULL-DEPTH PRECAST CONCRETE BRIDGE DECK PANELS (SOA -01-1911) Vince Campbell Former president of Bayshore Concrete Products Corporation, VA This presentation is developed by Sameh S. Badie, Ph.D., PE Associate

1.36k views • 72 slides
Agenda 9:30 AM 10:30 AM Plans for 2017 Full scale adaptive management What it means for our

Agenda 9:30 AM 10:30 AM Plans for 2017 Full scale adaptive management What it means for our

W ELCOME AND I NTRODUCTIONS Nancy Sheehan, Program Coordinator Volunteer Stream Monitoring Program The Rock River Coalition 9:00 AM 9:15 AM Registration 9:15 AM 9:30 AM Introduction Agenda 9:30 AM 10:30 AM Plans for 2017 Full scale

670 views • 34 slides
Superset Disassembly: Statically Rewriting x86 Binaries Without Heuristics Erick Bauman 1 ,

Superset Disassembly: Statically Rewriting x86 Binaries Without Heuristics Erick Bauman 1 ,

Superset Disassembly: Statically Rewriting x86 Binaries Without Heuristics Erick Bauman 1 , Zhiqiang Lin 1 , 2 , Kevin Hamlen 1 1 University of Texas at Dallas 2 The Ohio State University NDSS 2018 Introduction Background and Overview Design

1.07k views • 81 slides
Depth-First Search A B D E C Outline and Reading Definitions (6.1) Subgraph

Depth-First Search A B D E C Outline and Reading Definitions (6.1) Subgraph

Depth-First Search A B D E C Outline and Reading Definitions (6.1) Subgraph Connectivity Spanning trees and forests Depth-first search (6.3.1) Algorithm Example Properties Analysis Applications of

551 views • 15 slides
Random Expert Distillation For Imitation Learning Ruohan Wang, Carlo

Random Expert Distillation For Imitation Learning Ruohan Wang, Carlo

Random Expert Distillation For Imitation Learning Ruohan Wang, Carlo Ciliberto, Pierluigi Amadori, Yiannis Demiris ICML 2019 Imitation Learning Teacher Student Policy learning from

275 views • 11 slides
Parallel Coupling of CFD-DEM simulations MUG2018 Gabriele Pozzetti, Xavier Besseron, Alban

Parallel Coupling of CFD-DEM simulations MUG2018 Gabriele Pozzetti, Xavier Besseron, Alban

Parallel Coupling of CFD-DEM simulations MUG2018 Gabriele Pozzetti, Xavier Besseron, Alban Rousset, Bernhard Peters Luxembourg XDEM Research Centre http://luxdem.uni.lu/ Parallel Coupling of CFD-DEM simulations MUG2018 Outline

793 views • 32 slides
Performing parallel parameter scans on Hopper at NERSC Robert Ryne LBNL Sept 10, 2012 Bringing

Performing parallel parameter scans on Hopper at NERSC Robert Ryne LBNL Sept 10, 2012 Bringing

Performing parallel parameter scans on Hopper at NERSC Robert Ryne LBNL Sept 10, 2012 Bringing High Performance Computing (HPC) to MAP D&amp;S Incorporating HPC techniques is an integral part of our D&amp;S plans A new account for MAP

81 views • 7 slides
Make Money With Open Source What is Open Source? Community Free software vs. open source

Make Money With Open Source What is Open Source? Community Free software vs. open source

Make Money With Open Source What is Open Source? Community Free software vs. open source Licenses: GPL vs. LGPL vs. MIT/Apache Foundations: Linux, Apache, Eclipse, Similar: Open Data, Open Hardware, Open Knowledge, ... Advantages of OS

508 views • 13 slides
DrillSafe Fluids Management and Bulk Mixer Inc. Present The Technology of Drilling Fluids Bulk

DrillSafe Fluids Management and Bulk Mixer Inc. Present The Technology of Drilling Fluids Bulk

DrillSafe Fluids Management and Bulk Mixer Inc. Present The Technology of Drilling Fluids Bulk Mixing and Material Handling IADC Spark Tank December 12, 2018 DrillSafe Fluids Management Mission: Provide high-quality drilling fluids mixing

380 views • 21 slides
MILLIONS OF TRANSACTIONS PER SECOND ON A SINGLE MACHINE CASE FOR A VIRTUALIZED DATABASE AND

MILLIONS OF TRANSACTIONS PER SECOND ON A SINGLE MACHINE CASE FOR A VIRTUALIZED DATABASE AND

MILLIONS OF TRANSACTIONS PER SECOND ON A SINGLE MACHINE CASE FOR A VIRTUALIZED DATABASE AND SCALE-IN ROGER JOHANSSON Who am I? Roger Johansson Actor Model, Scalability, Distributed Systems, C#, Senior Solution Architect Starcounter Go,

683 views • 37 slides
APNA 29th Annual Conference Session 3016.1: October 30, 2015 Amy LaValla DNP, APRN, PMHNP-BC, PHN

APNA 29th Annual Conference Session 3016.1: October 30, 2015 Amy LaValla DNP, APRN, PMHNP-BC, PHN

APNA 29th Annual Conference Session 3016.1: October 30, 2015 Amy LaValla DNP, APRN, PMHNP-BC, PHN The speaker has no conflicts of interest to disclose Identify why comprehensive fall risk assessment policies are needed Recognize

166 views • 4 slides
Pattern-driven Parallel I/O Tuning Babak Behzad 1 , Surendra Byna 2 , Prabhat 2 , Marc Snir 1 , 3 1

Pattern-driven Parallel I/O Tuning Babak Behzad 1 , Surendra Byna 2 , Prabhat 2 , Marc Snir 1 , 3 1

Pattern-driven Parallel I/O Tuning Babak Behzad 1 , Surendra Byna 2 , Prabhat 2 , Marc Snir 1 , 3 1 University of Illinois at Urbana-Champaign, 2 Lawrence Berkeley National Laboratory, 3 Argonne National Laboratory Babak Behzad Pattern-driven

516 views • 22 slides

More recommend