analyzing memory accesses in x86 executables
play

Analyzing Memory Accesses in x86 Executables Gogul Balakrishnan - PowerPoint PPT Presentation

Jun 21, 2023 •529 likes •931 views

Analyzing Memory Accesses in x86 Executables Gogul Balakrishnan Thomas Reps University of Wisconsin Motivation Basic infrastructure for language-based security buffer-overrun detection information-flow vulnerabilities . . .

  1. Analyzing Memory Accesses in x86 Executables Gogul Balakrishnan Thomas Reps University of Wisconsin

  2. Motivation • Basic infrastructure for language-based security – buffer-overrun detection – information-flow vulnerabilities – . . . • What if we do not have source code? – viruses, worms, mobile code, etc. – legacy code (w/o source) • Limitations of existing tools – over-conservative treatment of memory accesses ⇒ Many false positives – unsafe treatment of pointer arithmetic ⇒ Many false negatives

  3. Goal (1) • Create an intermediate representation (IR) that is similar to the IR used in a compiler – CFGs – used, killed, may-killed variables for CFG nodes – points-to sets – call-graph • Why? – a tool for a security analyst – a general infrastructure for binary analysis

  4. Goal (2) • Scope: programs that conform to a “standard compilation model” – data layout determined by compiler – some variables held in registers – global variables � absolute addresses – local variables � offsets in esp -based stack frame • Report violations – violations of stack protocol – return address modified within procedure

  5. Codesurfer/x86 Architecture IDA Pro Parse Binary Binary Connector CodeSurfer Client Build Value-set Build SDG Applications CFGs Analysis Browse • CFGs • basic blocks • used, killed, may-killed variables for CFG nodes • points-to sets

  6. Codesurfer/x86 Architecture Whole-program analysis IDA Pro • stubs are ok Parse Binary Binary Connector CodeSurfer Client Build Value-set Build SDG Applications CFGs Analysis Browse Initial estimate of • code vs. data • procedures and call sites • malloc sites

  7. Outline • Example • Challenges • Value-set analysis • Performance • [Future work]

  8. Running Example int arrVal=0, *pArray2; ; ebx ⇔ i ; ecx ⇔ variable p int main() { int i, a[10], *p; sub esp, 40 ;adjust stack lea edx, [esp+8] ; /* Initialize pointers */ mov [4], edx ;pArray2=&a[2] pArray2=&a[2]; lea ecx, [esp] ;p=&a[0] p=&a[0]; mov edx, [0] ; /* Initialize Array*/ loc_9: for(i=0; i<10; ++i) { mov [ecx], edx ;*p=arrVal *p=arrVal; add ecx, 4 ;p++ inc ebx ;i++ p++ ; cmp ebx, 10 ;i<10? } jl short loc_9 ; /* Return a[2] */ mov edi, [4] ; return *pArray2; mov eax, [edi] ;return *pArray2 } add esp, 40 retn

  9. Running Example int arrVal=0, *pArray2; ; ebx ⇔ i ; ecx ⇔ variable p int main() { int i, a[10], *p; sub esp, 40 ;adjust stack lea edx, [esp+8] ; /* Initialize pointers */ mov [4], edx ;pArray2=&a[2] pArray2=&a[2]; lea ecx, [esp] ;p=&a[0] p=&a[0]; mov edx, [0] ; /* Initialize Array*/ loc_9: for(i=0; i<10; ++i) { mov [ecx], edx ;*p=arrVal *p=arrVal; add ecx, 4 ;p++ inc ebx ;i++ p++ ; ? cmp ebx, 10 ;i<10? } jl short loc_9 ; /* Return a[2] */ mov edi, [4] ; return *pArray2; mov eax, [edi] ;return *pArray2 } add esp, 40 retn

  10. Running Example – Address Space 0ffffh return_address ; ebx ⇔ i ; ecx ⇔ variable p Data local sub esp, 40 ;adjust stack to main lea edx, [esp+8] ; a(40 bytes) (Activation mov [4], edx ;pArray2=&a[2] Record) lea ecx, [esp] ;p=&a[0] mov edx, [0] ; loc_9: mov [ecx], edx ;*p=arrVal add ecx, 4 ;p++ inc ebx ;i++ ? cmp ebx, 10 ;i<10? jl short loc_9 ; mov edi, [4] ; pArray2(4 bytes) mov eax, [edi] ;return *pArray2 4h Global data add esp, 40 arrVal(4 bytes) retn 0h

  11. Running Example – Address Space 0ffffh return_address ; ebx ⇔ i ; ecx ⇔ variable p Data local sub esp, 40 ;adjust stack to main lea edx, [esp+8] ; (Activation mov [4], edx ;pArray2=&a[2] Record) lea ecx, [esp] ;p=&a[0] mov edx, [0] ; loc_9: mov [ecx], edx ;*p=arrVal No debugging add ecx, 4 ;p++ inc ebx ;i++ ? information cmp ebx, 10 ;i<10? jl short loc_9 ; mov edi, [4] ; mov eax, [edi] ;return *pArray2 Global data add esp, 40 retn 0h

  12. Challenges (1) • No debugging/symbol-table information • Explicit memory addresses – need something similar to C variables – a-locs • Only have an initial estimate of – code, data, procedures, call sites, malloc sites – extend IR on-the-fly • disassemble data, add to CFG, . . . • similar to elaboration of CFG/call-graph in a compiler because of calls via function pointers

  13. Challenges (2) • Indirect-addressing mode – need “pointer analysis” – value-set analysis • Pointer arithmetic – need numeric analysis (e.g., range analysis) – value-set analysis • Checking for non-aligned accesses – pointer forging? – keep stride information in value-sets

  14. Not Everything is Bad News ! • Multiple source languages OK • Some optimizations make our task easier – optimizers try to use registers, not memory – deciphering memory operations is the hard part

  15. Memory-regions • An abstraction of the address space • Idea: group similar runtime addresses – collapse the runtime ARs for each procedure … f … g f f … g g f global global

  16. Memory-regions • An abstraction of the address space • Idea: group similar runtime addresses – collapse the runtime ARs for each procedure • Similarly, • one region for all global data • one region for each malloc site

  17. Example – Memory-regions ret_main (main, 0) ; ebx ⇔ i ; ecx ⇔ variable p (GL,8) sub esp, 40 ;adjust stack lea edx, [esp+8] ; (GL,0) mov [4], edx ;pArray2=&a[2] lea ecx, [esp] ;p=&a[0] Global Region mov edx, [0] ; (main, -40) loc_9: mov [ecx], edx ;*p=arrVal add ecx, 4 ;p++ Region for main inc ebx ;i++ ? cmp ebx, 10 ;i<10? jl short loc_9 ; mov edi, [4] ; mov eax, [edi] ;return *pArray2 add esp, 40 retn

  18. “Need Something Similar to C Variables” • Standard compilation model – some variables held in registers – global variables � absolute addresses – local variables � offsets in stack frame • A-locs – locations between consecutive addresses – locations between consecutive offsets – registers • Use a-locs instead of variables in static analysis – e.g., killed a-loc ≈ killed variable

  19. Example – A-locs ret_main (main, 0) ; ebx ⇔ i ; ecx ⇔ variable p (GL,8) [4] (GL,4) sub esp, 40 ;adjust stack lea edx, [esp+8] ; [0] (GL,0) mov [4], edx ;pArray2=&a[2] [esp+8] (main, -32) lea ecx, [esp] ;p=&a[0] Global Region mov edx, [0] ; [esp] (main, -40) loc_9: mov [ecx], edx ;*p=arrVal add ecx, 4 ;p++ Region for main inc ebx ;i++ ? cmp ebx, 10 ;i<10? jl short loc_9 ; mov edi, [4] ; mov eax, [edi] ;return *pArray2 add esp, 40 retn

  20. Example – A-locs ret_main (main, 0) ; ebx ⇔ i ; ecx ⇔ variable p (GL,8) mem_4 mainv_20 (GL,4) sub esp, 40 ;adjust stack mem_0 lea edx, [esp+8] ; (GL,0) mov [4], edx ;pArray2=&a[2] (main, -32) lea ecx, [esp] ;p=&a[0] Global Region mov edx, [0] ; mainv_28 (main, -40) loc_9: mov [ecx], edx ;*p=arrVal add ecx, 4 ;p++ Region for main inc ebx ;i++ ? cmp ebx, 10 ;i<10? jl short loc_9 ; mov edi, [4] ; mov eax, [edi] ;return *pArray2 add esp, 40 retn

  21. Example – A-locs ret_main (main, 0) ; ebx ⇔ i ; ecx ⇔ variable p (GL,8) mem_4 mainv_20 (GL,4) sub esp, 40 ;adjust stack mem_0 lea edx, &mainv_2 ; (GL,0) mov mem_4, edx ;pArray2=&a[2] (main, -32) lea ecx, &mainv_2 ;p=&a[0] Global Region mov edx, mem_0 ; mainv_28 (main, -40) loc_9: mov [ecx], edx ;*p=arrVal add ecx, 4 ;p++ Region for main inc ebx ;i++ ? cmp ebx, 10 ;i<10? jl short loc_9 ; mov edi, mem_4 ; mov eax, [edi] ;return *pArray2 add esp, 40 retn

  22. Example – A-locs locals: mainv_28, mainv_20 {a[0], a[2]} ; ebx ⇔ i globals: mem_0, mem_4 ; ecx ⇔ variable p {arrVal, pArray2} sub esp, 40 ;adjust stack lea edx, &mainv_20; mov mem_4, edx ;pArray2=&a[2] lea ecx, &mainv_28;p=&a[0] edx mainv_20 mov edx, mem_0 ; loc_9: mem_4 mov [ecx], edx ;*p=arrVal add ecx, 4 ;p++ inc ebx ;i++ ? cmp ebx, 10 ;i<10? edi jl short loc_9 ; mov edi, mem_4 ; ecx mov eax, [edi] ;return *pArray2 mainv_28 add esp, 40 retn

  23. Example – A-locs locals: mainv_28, mainv_20 {a[0], a[2]} ; ebx ⇔ i globals: mem_0, mem_4 ; ecx ⇔ variable p {arrVal, pArray2} sub esp, 40 ;adjust stack lea edx, &mainv_20; mov mem_4, edx ;pArray2=&a[2] lea ecx, &mainv_28;p=&a[0] edx mainv_20 mov edx, mem_0 ; loc_9: mem_4 mov [ecx], edx ;*p=arrVal add ecx, 4 ;p++ inc ebx ;i++ � cmp ebx, 10 ;i<10? edi jl short loc_9 ; mov edi, mem_4 ; ecx mov eax, [edi] ;return *pArray2 mainv_28 add esp, 40 retn

  24. Value-Set Analysis • Resembles a pointer-analysis algorithm – interprets pointer-manipulation operations – pointer arithmetic, too • Resembles a numeric-analysis algorithm – over-approximate the set of values/addresses held by an a-loc • range information • stride information – interprets arithmetic operations on sets of values/addresses

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Memory Systems Survey on the Off-Chip Scheduling of Memory Accesses in the Memory Interface of

Memory Systems Survey on the Off-Chip Scheduling of Memory Accesses in the Memory Interface of

IEE5008 Autumn 2012 Memory Systems Survey on the Off-Chip Scheduling of Memory Accesses in the Memory Interface of GPUs Garrido Platero, Luis Angel EECS Graduate Program National Chiao Tung University luis.garrido.platero@gmail.com Luis

891 views • 36 slides
Memory Protection ability to avoid unwanted memory accesses management Sharing

Memory Protection ability to avoid unwanted memory accesses management Sharing

Requirements Relocation ability to change process image position Memory Protection ability to avoid unwanted memory accesses management Sharing ability to share memory portions among processes Logical organization

504 views • 15 slides
Memory and I/O buses I/O bus 1880Mbps 1056Mbps Memory CPU Crossbar CPU accesses physical

Memory and I/O buses I/O bus 1880Mbps 1056Mbps Memory CPU Crossbar CPU accesses physical

Memory and I/O buses I/O bus 1880Mbps 1056Mbps Memory CPU Crossbar CPU accesses physical memory over a bus Devices access memory over I/O bus with DMA Devices can appear to be a region of memory 1 / 41 Realistic ~2005 PC

1.54k views • 50 slides
Problem Failure-Oblivious Computing Memory Errors and Memory Corruption Buffer Overflow

Problem Failure-Oblivious Computing Memory Errors and Memory Corruption Buffer Overflow

Enhancing Server Availability and Security Through Problem Failure-Oblivious Computing Memory Errors and Memory Corruption Buffer Overflow Out of Bounds Array Accesses Invalid Pointer Accesses Importance Martin Rinard,

340 views • 4 slides
Why Use Scheduling? Sequential accesses to DRAM Memory Access are wasteful Scheduler

Why Use Scheduling? Sequential accesses to DRAM Memory Access are wasteful Scheduler

Why Use Scheduling? Sequential accesses to DRAM Memory Access are wasteful Scheduler Improve latency and bandwidth of memory requests Matthew Cohen, Alvin Lin Order requests to take advantage 6.884 Complex Digital Systems of

91 views • 5 slides
Optimizing Indirect Memory References with milk Vladimir Kiriansky, Yunming Zhang, Saman

Optimizing Indirect Memory References with milk Vladimir Kiriansky, Yunming Zhang, Saman

Optimizing Indirect Memory References with milk Vladimir Kiriansky, Yunming Zhang, Saman Amarasinghe MIT PACT 16 September 13, 2016, Haifa, Israel 1 Indirect Accesses 2 Indirect Accesses with OpenMP 3 Indirect Accesses

918 views • 55 slides
Process Control processes and executables job control ps and kill top at

Process Control processes and executables job control ps and kill top at

Process Control processes and executables job control ps and kill top at cron, crontab, and calendar Processes vs. Executables A process is a program that is executing in memory. An executable is a program that

533 views • 20 slides
Operating Systems WT 2019/20 Memory Management Shared Memory Process 1 virtual memory most

Operating Systems WT 2019/20 Memory Management Shared Memory Process 1 virtual memory most

Operating Systems WT 2019/20 Memory Management Shared Memory Process 1 virtual memory most modern OSs provide a way for processes to share Physical memory memory compiler e.g. code pages for image executables Process 2 virtual

511 views • 29 slides
The Memory Hierarchy Many problems that modern computers are given to solve (analyzing

The Memory Hierarchy Many problems that modern computers are given to solve (analyzing

E XTERNAL M EMORY C OMPUTING hierarchical memory management B-trees external sorting External Memory Computing 1 The Memory Hierarchy Many problems that modern computers are given to solve (analyzing scientific data, running

655 views • 11 slides
Tag-Protector: An Effective and Dynamic Detection of Out-of-bound Memory Accesses Ahmed Saeed,

Tag-Protector: An Effective and Dynamic Detection of Out-of-bound Memory Accesses Ahmed Saeed,

Tag-Protector: An Effective and Dynamic Detection of Out-of-bound Memory Accesses Ahmed Saeed, Ali Ahmadinia Mike Just School of Engineering and Built Environment School of Mathematics and Glasgow Caledonian University, United Kingdom

310 views • 15 slides
Pointing in the Right Direction Securing Memory Accesses in a Faulty World Robert Schilling

Pointing in the Right Direction Securing Memory Accesses in a Faulty World Robert Schilling

www.iaik.tugraz.at S C I E N C E P A S S I O N T E C H N O L O G Y Pointing in the Right Direction Securing Memory Accesses in a Faulty World Robert Schilling 1,2 , Mario Werner 1 , Pascal

909 views • 31 slides
The Synchronization Power of The Synchronization Power of Coalesced Memory Accesses oalesced

The Synchronization Power of The Synchronization Power of Coalesced Memory Accesses oalesced

The Synchronization Power of The Synchronization Power of Coalesced Memory Accesses oalesced Memory ccesses Phuong H Ha (Univ of Troms Norway) Phuong H. Ha (Univ. of Troms, Norway) Philippas Tsigas (Chalmers Univ. of Tech., Sweden) Otto

248 views • 20 slides
Memory Accesses in Out-of-Order Execution Instructor: Nima Honarmand Spring 2015 :: CSE 502

Memory Accesses in Out-of-Order Execution Instructor: Nima Honarmand Spring 2015 :: CSE 502

Spring 2015 :: CSE 502 Computer Architecture Memory Accesses in Out-of-Order Execution Instructor: Nima Honarmand Spring 2015 :: CSE 502 Computer Architecture Big Picture I-cache Instruction Branch FETCH Flow Predictor

381 views • 19 slides
Virtual Memory Evolution Initially, each program ran alone on the machine, using all of the

Virtual Memory Evolution Initially, each program ran alone on the machine, using all of the

Virtual Memory Evolution Initially, each program ran alone on the machine, using all of the available memory. It was linked and loaded starting at a known address (like 0). All memory accesses used physical addresses . Problem:

423 views • 5 slides
Verification of Transactional Memories that support Non-Transactional Memory Accesses Ariel Cohen

Verification of Transactional Memories that support Non-Transactional Memory Accesses Ariel Cohen

Verification of Transactional Memories that support Non-Transactional Memory Accesses Ariel Cohen 1 , Amir Pnueli 1 , and Lenore Zuck 2 1 New York University 2 University of Illinois at Chicago TRANSACT February 2008 Cohen, Pnueli, Zuck

665 views • 28 slides
Memory Accesses in Out-of-Order Execution Nima Honarmand Spring 2016 :: CSE 502 Computer

Memory Accesses in Out-of-Order Execution Nima Honarmand Spring 2016 :: CSE 502 Computer

Spring 2016 :: CSE 502 Computer Architecture Memory Accesses in Out-of-Order Execution Nima Honarmand Spring 2016 :: CSE 502 Computer Architecture Big Picture I-cache Instruction Branch FETCH Flow Predictor Instruction Buffer

600 views • 19 slides
Pre-COVID-19 GMR Budget Storm Impact Revenue FY 20 through 3 quarter Cash

Pre-COVID-19 GMR Budget Storm Impact Revenue FY 20 through 3 quarter Cash

Pre-COVID-19 GMR Budget Storm Impact Revenue FY 20 through 3 quarter Cash Balance Projection Transportation Emergency Reserve 1 2 3 4 Same Appropriation received in FY 1992 5 6 7 8 9 Revenue FY 2020 Revenue

664 views • 17 slides
PRESENTATION TITLE PRESENTATION SUBTITLE Washoe County Planning Commission StoneGate Annexed

PRESENTATION TITLE PRESENTATION SUBTITLE Washoe County Planning Commission StoneGate Annexed

PRESENTATION TITLE PRESENTATION SUBTITLE Washoe County Planning Commission StoneGate Annexed into Reno in 2005 1,737 acres 5,000 residential units Non-residential development Over 25% Open Space and Trails Master Plan

494 views • 15 slides
Metro Toronto Convention Centre North Building Thursday, September 20, 2012 CAIC 2012

Metro Toronto Convention Centre North Building Thursday, September 20, 2012 CAIC 2012

Metro Toronto Convention Centre North Building Thursday, September 20, 2012 CAIC 2012 Moderator: Kris Boyce Chief Executive Officer, Greenwin Inc. Speakers: Aik Aliferis Principal, Primecorp Commercial Realty Inc.

450 views • 16 slides
VERILOG Hardware Description Language CAD for VLSI 1 About Verilog Along with VHDL, Verilog

VERILOG Hardware Description Language CAD for VLSI 1 About Verilog Along with VHDL, Verilog

VERILOG Hardware Description Language CAD for VLSI 1 About Verilog Along with VHDL, Verilog is among the most widely used HDLs. Main differences: VHDL was designed to support system- level design and specification. Verilog was

833 views • 45 slides
2019 Research Experience for Undergraduates Parameterizing Fingerprints to Protect Against

2019 Research Experience for Undergraduates Parameterizing Fingerprints to Protect Against

2019 Research Experience for Undergraduates Parameterizing Fingerprints to Protect Against Sniff and Suppress Attacks Marcus Aqui and Terence Pocklington Advisor: Dr. Leiss Motivation Passwords: easy to generate and replace, near

346 views • 15 slides
Executable Object Modelling analysis use cases class diagrams analysis use cases (message)

Executable Object Modelling analysis use cases class diagrams analysis use cases (message)

Executable Object Modelling analysis use cases class diagrams analysis use cases (message) sequence diagrams Object-model diagrams Statecharts sequence diagrams test use cases

223 views • 19 slides
Analyzing NHL Goalie Stats (03-04 07-08) Using the Self-Organizing Map By: Chuck Crittenden

Analyzing NHL Goalie Stats (03-04 07-08) Using the Self-Organizing Map By: Chuck Crittenden

Analyzing NHL Goalie Stats (03-04 07-08) Using the Self-Organizing Map By: Chuck Crittenden &quot;In hockey, goaltending is 75 percent of the game. Unless it's bad goaltending. Then it's 100 percent of the game, because you're going to

741 views • 26 slides
An offshore regulators perspective: maintaining focus on managing spill risk Cameron Grebe

An offshore regulators perspective: maintaining focus on managing spill risk Cameron Grebe

An offshore regulators perspective: maintaining focus on managing spill risk Cameron Grebe General Manager Environment National Offshore Petroleum Safety and Environmental Management Authority April 2014 Presentation Roadmap

287 views • 9 slides

More recommend