binary analysis
play

Binary Analysis Dennis Andriesse Finse Winter School 2018 Who am - PowerPoint PPT Presentation

Jul 16, 2023 •374 likes •532 views

Binary Analysis Dennis Andriesse Finse Winter School 2018 Who am I? Researcher at Vrije Universiteit Amsterdam Reverse engineering Hardening programs/anti-exploitation Malware analysis ... Attack developer in GameOver Zeus

  1. Binary Analysis Dennis Andriesse Finse Winter School 2018

  2. Who am I? • Researcher at Vrije Universiteit Amsterdam – Reverse engineering – Hardening programs/anti-exploitation – Malware analysis – ... • Attack developer in GameOver Zeus takedown • Past year: writing a book on binary analysis – Topic of these lectures 2

  3. 3

  4. What is Binary Analysis? • Analyzing and/or modifying programs at the binary (e.g. machine code ) level • As opposed to source-level analysis (C/Java/Python/. . .) • Simple example: disassembling a program with objdump • Here: focus on x86 ELF binaries 4

  5. Producing a Binary • High-level C programs compile into binaries • Intermediate step: assembly language 5

  6. Example of source vs assembly 6

  7. The ELF binary format 7

  8. Disassembly • Tools like objdump disassemble binaries into approximation of the original assembly code • Binary analysis uses disassembly or code recovered at runtime Disassemble binary “foobar” $ objdump -d ~/foobar /home/dnx/foobar: file format elf64-x86-64 Disassembly of section .text: Read from register %rbp ... 4005ae: 55 push %rbp 4005af: 48 89 e5 mov %rsp,%rbp Read from memory 4005b2: 48 83 ec 20 sub $0x20,%rsp 4005b6: 89 7d ec mov %edi,-0x14(%rbp) 4005b9: 48 89 75 e0 mov %rsi,-0x20(%rbp) 4005bd: c7 45 fc 2a 00 00 00 movl $0x2a,-0x4(%rbp) Call function 4005c4: bf be 06 40 00 mov $0x4006be,%edi 4005c9: e8 62 fe ff ff callq 400430 <puts@plt> 4005ce: 8b 45 fc mov -0x4(%rbp),%eax 4005d1: 89 c7 mov %eax,%edi ... Opcodes (machine level) 8

  9. Linear vs Recursive Disassembly 9

  10. Disassembly with IDA Pro 10

  11. Binary Analysis is Hard! • No symbolic names for variables/functions • No info on function/class layout • No type information • No clear distinction between code/data • Inserting new code/data can break things • Loads of undecidable problems to deal with! 11

  12. So why do it? • Only way to really know what a program does • Only way to analyze malware • Discover low-level vulnerabilities/backdoors • Only way to change/fix binary programs – Source may be lost/proprietary – Example: Microsoft’s recent Equation Editor patch – Lots of vulnerable legacy programs! 12

  13. BA is a large and active field • Lots of different topics: – Disassembly/Reverse engineering/Malware analysis – Binary instrumentation/binary hardening – Taint analysis – Symbolic execution – . . . • Static and dynamic (runtime) analysis 13

  14. BA is a large and active field Here we’ll focus on basic binary analysis in Linux Many more advanced and automated analysis and binary modification tools available! 14

  15. Demo: Basic Binary Analysis in Linux 15

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Be a Binary Rockst r An Introduction to Program Analysis with Binary Ninja Agenda

Be a Binary Rockst r An Introduction to Program Analysis with Binary Ninja Agenda

Be a Binary Rockst r An Introduction to Program Analysis with Binary Ninja Agenda Motivation Current State of Program Analysis Design Goals of Binja Program Analysis Building Tools 2 Motivation 3 Tooling - Concrete -&gt;

963 views • 77 slides
The BINCOA Framework for Binary Code Analysis S ebastien Bardin, Philippe Herrmann, J er

The BINCOA Framework for Binary Code Analysis S ebastien Bardin, Philippe Herrmann, J er

The BINCOA Framework for Binary Code Analysis S ebastien Bardin, Philippe Herrmann, J er ome Leroux, Olivier Ly, Renaud Tabary, Aymeric Vincent CEA LIST (Saclay, Paris) LABRI (Bordeaux) 1/ 13 Binary code analysis 2/ 13 Binary code

149 views • 14 slides
Binary Numbers Binary numbers look like this Binary Numbers or Binary Code Binary numbers or

Binary Numbers Binary numbers look like this Binary Numbers or Binary Code Binary numbers or

Binary Numbers Binary numbers look like this Binary Numbers or Binary Code Binary numbers or binary code are used by computers and digital devices to talk to each other. It is used to give commands to the computer or a way to enter data

165 views • 12 slides
Dyninst: A Binary Analysis and Modification Framework Jeffrey K. Hollingsworth Ray Chen

Dyninst: A Binary Analysis and Modification Framework Jeffrey K. Hollingsworth Ray Chen

Dyninst: A Binary Analysis and Modification Framework Jeffrey K. Hollingsworth Ray Chen University of Maryland Department of Computer Science University of Maryland Binary modification Behavior Attack Detection Analysis Binary Program

492 views • 24 slides
Experiences with the Carnegie Mellon Binary Analysis Platform (CMU BAP) Sam L. Thomas, CNRS,

Experiences with the Carnegie Mellon Binary Analysis Platform (CMU BAP) Sam L. Thomas, CNRS,

Experiences with the Carnegie Mellon Binary Analysis Platform (CMU BAP) Sam L. Thomas, CNRS, IRISA sam.thomas@irisa.fr Introduction - what is BAP? Binary analysis framework: For program analysis For (aiding) reverse engineering (plugin

667 views • 29 slides
Contents 1. Binary firmware analysis 2. Tooling landscape 3. The avatar 2 framework 4. Examples

Contents 1. Binary firmware analysis 2. Tooling landscape 3. The avatar 2 framework 4. Examples

avatar 2 Marius Muench 34c3 - December 29, 2017 Contents 1. Binary firmware analysis 2. Tooling landscape 3. The avatar 2 framework 4. Examples 5. Conclusion 1 Binary Firmware Analysis Motivation Amount of embedded devices steadily

3.29k views • 51 slides
Analysis of the Binary IV Model or The case of the missing 9 dimensions Thomas Richardson

Analysis of the Binary IV Model or The case of the missing 9 dimensions Thomas Richardson

Analysis of the Binary IV Model or The case of the missing 9 dimensions Thomas Richardson Department of Statistics University of Washington This is joint work with James Robins (Harvard). Outline 1. The binary IV potential outcomes model

156 views • 15 slides
Lecture 3: Binary image analysis Thursday, Sept 6 Sudheendras office hours Mon, Wed

Lecture 3: Binary image analysis Thursday, Sept 6 Sudheendras office hours Mon, Wed

Lecture 3: Binary image analysis Thursday, Sept 6 Sudheendras office hours Mon, Wed 1-2 pm ENS 31NR Forsyth and Ponce book Binary images Two pixel values Foreground and background Regions of interest

1.13k views • 78 slides
QSynth - A Program Synthesis approach for Binary Code Deobfuscation Binary Analysis Workshop -

QSynth - A Program Synthesis approach for Binary Code Deobfuscation Binary Analysis Workshop -

QSynth - A Program Synthesis approach for Binary Code Deobfuscation Binary Analysis Workshop - NDSS Robin David &lt;rdavid@quarkslab.com&gt; Luigi Coniglio &lt;luigi.coniglio@studenti.unitn.it&gt; Mariano Ceccato &lt;mariano.ceccato@univr.it&gt;

1.12k views • 82 slides
How to Grow a TREE from CBASS Interactive Binary Analysis for Security Professionals Lixin

How to Grow a TREE from CBASS Interactive Binary Analysis for Security Professionals Lixin

How to Grow a TREE from CBASS Interactive Binary Analysis for Security Professionals Lixin (Nathan) Li, Xing Li, Loc Nguyen, James E. Just Outline Background Interactive Binary Analysis with TREE and CBASS Demonstrations

1.06k views • 67 slides
The Power of Binary 0, 1, 10, 11, 100, 101, 110, 111... What is Binary? a binary number

The Power of Binary 0, 1, 10, 11, 100, 101, 110, 111... What is Binary? a binary number

The Power of Binary 0, 1, 10, 11, 100, 101, 110, 111... What is Binary? a binary number is a number expressed in the binary numeral system, or base-2 numeral system, which represents numeric values using two different symbols: typically

485 views • 19 slides
Playing with Binary Analysis Deobfuscation of VM based software protection Jonathan Salwan,

Playing with Binary Analysis Deobfuscation of VM based software protection Jonathan Salwan,

Playing with Binary Analysis Deobfuscation of VM based software protection Jonathan Salwan, Sbastien Bardin and Marie-Laure Potet SSTIC 2017 Topic Binary protection Virtualization-based software protection Automatic

933 views • 72 slides
Binary Image Analysis Segmentation produces homogenous regions each region has uniform

Binary Image Analysis Segmentation produces homogenous regions each region has uniform

Binary Image Analysis Segmentation produces homogenous regions each region has uniform gray-level each region is a binary image ( 0 : background, 1 : object or the reverse) more intensity values for overlapping regions

875 views • 30 slides
LECTURE 2 Review 1 Binary Math and Assembly BINARY MATH In this section, we review Binary

LECTURE 2 Review 1 Binary Math and Assembly BINARY MATH In this section, we review Binary

LECTURE 2 Review 1 Binary Math and Assembly BINARY MATH In this section, we review Binary to decimal conversions and vice versa IEEE 754 Floating point representations Binary Arithmetic Decimal representation of binary numbers

1.66k views • 118 slides
Binary There are 10 types of people in the world those that understand binary and those

Binary There are 10 types of people in the world those that understand binary and those

Binary There are 10 types of people in the world those that understand binary and those that dont. What is binary? You and I write numbers like this: twelve is 12, sixty eight is 68, and one hundred is 100 Binary is a number

525 views • 26 slides
Program analysis for security Two main classes Static: Operates on source or binary at

Program analysis for security Two main classes Static: Operates on source or binary at

Program analysis for security Two main classes Static: Operates on source or binary at rest Dynamic: Operates at runtime Also hybrids of the two Static: Examples Code review Grep Taint analysis Symbolic

726 views • 49 slides
Wallumbilla Gas Supply Hub &amp; Services GAB Meeting 20 May 2014 John Jamieson Wallumbilla Gas

Wallumbilla Gas Supply Hub &amp; Services GAB Meeting 20 May 2014 John Jamieson Wallumbilla Gas

Wallumbilla Gas Supply Hub &amp; Services GAB Meeting 20 May 2014 John Jamieson Wallumbilla Gas Supply Hub Voluntary Market which commenced operation on 20 March 2014 ~ 2 Year development process Consists of 3 trading nodes at the

187 views • 6 slides
Hawaii Invasive Species Council May 31, 2016 / Plant Quarantine Conf. Room, HDOA / 1849 Auiki St,

Hawaii Invasive Species Council May 31, 2016 / Plant Quarantine Conf. Room, HDOA / 1849 Auiki St,

Hawaii Invasive Species Council May 31, 2016 / Plant Quarantine Conf. Room, HDOA / 1849 Auiki St, Honolulu, HI, 96819 1. Call&amp;to&amp;order&amp; 2. Introduc1ons&amp; 3.

408 views • 16 slides
Revision to the ISO Transmission Planning Standards Revised Straw Proposal Neil Millar

Revision to the ISO Transmission Planning Standards Revised Straw Proposal Neil Millar

Revision to the ISO Transmission Planning Standards Revised Straw Proposal Neil Millar Executive Director, Infrastructure Development Robert Sparks Manager, Regional Transmission - South Jeff Billinton Manager, Regional Transmission -

950 views • 31 slides
International Collaboration International Collaboration and Partnership in and Partnership in

International Collaboration International Collaboration and Partnership in and Partnership in

International Collaboration International Collaboration and Partnership in and Partnership in Countering Biological Countering Biological Threats Threats Presentation by Georgia Presentation by Georgia Biological Weapons Convention Meeting

221 views • 11 slides
November 2018 City of London Group City of London Group plc is the AIM-listed parent company of a

November 2018 City of London Group City of London Group plc is the AIM-listed parent company of a

November 2018 City of London Group City of London Group plc is the AIM-listed parent company of a group focused on serving two key segments, the UK SME market and home reversion. While grounded with traditional values through the strength and

554 views • 22 slides
Machine Learning for Malware Analysis Andrew Davis Data Scientist Introduction - What is

Machine Learning for Malware Analysis Andrew Davis Data Scientist Introduction - What is

Machine Learning for Malware Analysis Andrew Davis Data Scientist Introduction - What is Malware? - Software intended to cause harm or inflict damage on computer systems - Many different kinds: - Viruses - Adware/Spyware - Backdoors -

904 views • 30 slides
Year 8 Parent Evening Wednesday, 19 February 2020 Positive Education Student Wellbeing Student

Year 8 Parent Evening Wednesday, 19 February 2020 Positive Education Student Wellbeing Student

Year 8 Parent Evening Wednesday, 19 February 2020 Positive Education Student Wellbeing Student Wellbeing Positive Education Positive Education aims to build strength and capability in wellbeing and resilience in an educational

500 views • 38 slides
Metro Banking Webinar Current Financial Case Law and Legislative Issues to have on Your Teams

Metro Banking Webinar Current Financial Case Law and Legislative Issues to have on Your Teams

Metro Banking Webinar Current Financial Case Law and Legislative Issues to have on Your Teams Radar Thursday, October 26, 2017 Daniel A. Beckman dbeckman@gislason.com Minnesota Probate Code Change Affidavit of Collection for Personal

720 views • 54 slides

More recommend