binary analysis with angr
play

Binary Analysis with angr Or: VEX was a good idea Who am I? Who are - PowerPoint PPT Presentation

Feb 17, 2024 •251 likes •626 views

Binary Analysis with angr Or: VEX was a good idea Who am I? Who are we? Who cares? Researchers at the University of California Santa Barbara Seclab People interested in finding bugs in software People interested in publishing papers

  1. Binary Analysis with angr Or: VEX was a good idea

  2. Who am I? Who are we? Who cares? Researchers at the University of California Santa ● Barbara Seclab People interested in finding bugs in software ● People interested in publishing papers about finding ● bugs in software CTF players ● People who want there to be a reasonable system for ● performing static analysis and symbolic execution on binary code

  3. That system is angr is a highly modular Python framework that performs binary analysis called angr using VEX as an intermediate representation The name “angr” is a pun on ● VEX, since, you know, when something is vexing it makes you angry Made of many interlocking ● (at least, that’s the parts to provide useful system we built) abstractions for analysis

  4. Part 1: the pile of abstractions called angr

  5. Interlocking part #1: PyVEX >>>> import pyvex, archinfo >>>> bb = pyvex.IRSB('\xc3', 0, archinfo.ArchAMD64()) >>>> bb.pp() PyVEX is a big FFI wrapper IRSB { around libVEX. t0:Ity_I64 t1:Ity_I64 t2:Ity_I64 t3:Ity_I64 t4:Ity_I64 For any sort of analysis to 00 | ------ IMark(0x0, 1, 0) ------ even start, we need to have 01 | t0 = GET:I64(rsp) an IRSB and then be able to 02 | t1 = LDle:I64(t0) look at it! PyVEX lets you 03 | t2 = Add64(t0,0x8) 04 | PUT(rsp) = t2 do this. 05 | t3 = Sub64(t2,0x80) 06 | === AbiHint(0xt3, 128, t1) === NEXT: PUT(rip) = t1; Ijk_Ret }

  6. Interlocking part #1: PyVEX There are python classes for each VEX struct, and >>>> bb.statements[3] enums are represented as <pyvex.stmt.WrTmp object> strings. >>>> bb.statements[3].data <pyvex.expr.Binop object> >>>> bb.statements[3].data.op Data is deepcopied out of 'Iop_Add64' libVEX between lifts so we >>>> bb.statements[3].data.args don’t run afoul of the [<pyvex.expr.RdTmp object>, memory management. <pyvex.expr.Const object>] Technically independent of libVEX, lifters can be written in pure python! We have written lifters for AVR, MSP430, and Brainfuck.

  7. Interlocking part #4: SimuVEX Symbolic execution with IRSBs Technically supports execution from many other sources (plugin interface) but VEX was the first and is the best-supported. Also it’s in the name. Contains symbolic implementations of the effects of: The primary abstraction we get from simuvex is the SimState , a Statements ● representation of program state at a Expressions given time. The symbolic execution ● process is one that produces Operations ● successors to SimStates, each Clean helpers successor being a copy of its parent ● with additional data and constraints Dirty helpers ●

  8. Interlocking part #4: SimuVEX This is the part where we have to begin considering how we model our environment. SimuVEX must also handle: Modeling memory and registers ● Syscalls ● Files and other data sources from outside the program ● Providing symbolic summaries (SimProcedures) of common ● library functions

  9. Interlocking part #2: Claripy Allows us to move execution from >>>> import claripy >>>> s = claripy.Solver() the domain of integers to anything >>>> a = claripy.BVS('a', 32) else we could possibly imagine! >>>> s.add(a > 4) >>>> s.add(a < 10) The most important other domain is >>>> s.eval(a, 10) symbolic bitvectors . This lets us (9, 5, 7, 6, 8) build up symbolic trees of expressions over variables, add >>>> s.add((a + 1) % 2 == a / 2) constraints on their value, and >>>> s.eval(a, 10) then solve for possible concrete ERROR: UNSATISFIABLE values they could take on. This operation is backed up by z3. Other domains are useful for special kinds of static analysis! See: abstract interpretation

  10. Interlude: Symbolic Execution Example We’re gonna show how symbolic execution executes a program and what we can do with that! (these slides stolen from Every Single Angr Presentation Ever)

  11. x = int(input()) if x >= 10: if x < 100: print "You win!" else: State A print "You lose!" else: Variables print "You lose!" x = ??? Constraints ------

  12. x = int(input()) if x >= 10: if x < 100: print "You win!" else: State A print "You lose!" else: Variables print "You lose!" x = ??? Constraints ------ State AB State AA Variables Variables x = ??? x = ??? Constraints Constraints x >= 10 x < 10

  13. x = int(input()) if x >= 10: if x < 100: print "You win!" else: State AA State AB print "You lose!" else: Variables Variables print "You lose!" x = ??? x = ??? Constraints Constraints x < 10 x >= 10

  14. x = int(input()) if x >= 10: if x < 100: print "You win!" else: State AA State AB print "You lose!" else: Variables Variables print "You lose!" x = ??? x = ??? Constraints Constraints x < 10 x >= 10 State ABB State ABA Variables Variables x = ??? x = ??? Constraints Constraints x >= 10 x >= 10 x >= 100 x < 100

  15. x = int(input()) if x >= 10: if x < 100: print "You win!" else: print "You lose!" State ABA else: Variables print "You lose!" x = ??? Constraints x >= 10 x < 100 Concretized ABA Variables x = 99

  16. Interlocking part #3: CLE A binary loader. ● Very complicated. ● Not at all within the scope of this presentation. ● BASICALLY , it provides the ability to turn an executable file and libraries and turn them into a usable address space. (I would very much like to spend several hours talking about the challenges of designing a generic binary loader interface and then implementing the linux/windows/macos dynamic loaders on top of it, but that’s not why we’re here today)

  17. Interlocking part #5: angr >>> import angr >>> proj = angr.Project('./fauxware') >>> cfg = proj.analyses.CFG() >>> dict(proj.kb.functions) {4195552L: <Function _init (0x4004e0)>, The analysis module! Ties 4195712L: <Function _start (0x400580)>, all the abstractions 4195756L: <Function call_gmon_start (0x4005ac)>, together into a control 4195904L: <Function frame_dummy (0x400640)>, interface: the Project . 4195940L: <Function authenticate (0x400664)>, 4196077L: <Function accepted (0x4006ed)>, Allows convenient access to 4196093L: <Function rejected (0x4006fd)>, symbolic execution and also 4196125L: <Function main (0x40071d)>, 4196320L: <Function __libc_csu_init to several built-in (0x4007e0)>, analyses that do a lot of 4196480L: <Function __do_global_ctors_aux (0x400880)>} common tasks, like CFG >>> pg = proj.factory.path_group() recovery, data-flow >>> pg.explore(find=0x4006ed) >>> pg.found[0].state.posix.dumps(0) analysis, etc. '\x00\x00\x00\x00\x00\x00\x00\x00\x00SOSNEAKY \x00' Has a knowledge base to accumulate analysis results

  18. That was a lot angr is big and complicated, but a lot of care has been taken to make it a stack of useful abstractions so that any part of the binary analysis process can be easily instrumented.

  19. Symbolic execution ● Built-in analyses: CFG, ● BinDiff, Disassembly, Backward-Slice, Data-Flow Analysis, Value-Set What can we do Analysis, etc Binary rewriting ● with angr? Type inference ● Symbolically-assisted ● fuzzing (driller) Automatic exploit ● generation Analyze a lot of binaries Win 3rd place in the Cyber ● Grand Challenge

  20. A lot of people are using angr for some reason!! > 100 people on #angr ● on freenode > 100 people on ● What can we do angr.slack.com Daily issues, pull ● with angr? requests, and discussion on github Patches have been ● submitted and friends have been made with Build a community other open source projects: z3, capstone, unicorn engine, qemu

  21. And all this is because we can lift binary code to the VEX IR and execute it symbolically! Under the hood, pretty much every primitive operation that angr does is a call into SimuVEX to execute some code. libVEX sure is great! ...but was it the only option?

  22. Part 2: a brief summary of other analysis IRs

  23. BAP - Binary Analysis Platform BAP is developed by CMU for CONS their research. Most notably, Written in ocaml ● it powers Mayhem, which is The IR is tied to the ● their bug-finding tool. larger analysis platform CMU research’s spinoff Only supports ● company, ForAllSecure, used x86/amd64/arm Mayhem to win 1st place in When we started angr in ● the Cyber Grand Challenge. 2013, BAP was heavily fragmented and very PROS difficult to use. Since then it has been Written in ocaml ● completely rewritten. Written by people with a ● solid theoretical background

  24. REIL - Reverse Engineering Intermediate Language REIL is a 2009 paper PROS describing an IR that is Ideal for binary ● ideal for binary analysis. analysis CONS Doesn’t actually exist ● If you decide to write a ● binary lifter, you will spend three years writing a binary lifter https://static.googleusercontent.com/media/www.zynamics.com/en//downloads/csw09.pdf

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Using SMT solvers for binary analysis and exploitation A primer on SMT, SMT solvers, Z3 &amp; angr

Using SMT solvers for binary analysis and exploitation A primer on SMT, SMT solvers, Z3 &amp; angr

Using SMT solvers for binary analysis and exploitation A primer on SMT, SMT solvers, Z3 &amp; angr Carl Svensson August 29, 2018 Nixucon 2018 About me Carl Svensson, 27 MSc in Computer Science, KTH Head of Security, KRY/LIVI

638 views • 49 slides
Be a Binary Rockst r An Introduction to Program Analysis with Binary Ninja Agenda

Be a Binary Rockst r An Introduction to Program Analysis with Binary Ninja Agenda

Be a Binary Rockst r An Introduction to Program Analysis with Binary Ninja Agenda Motivation Current State of Program Analysis Design Goals of Binja Program Analysis Building Tools 2 Motivation 3 Tooling - Concrete -&gt;

963 views • 77 slides
The BINCOA Framework for Binary Code Analysis S ebastien Bardin, Philippe Herrmann, J er

The BINCOA Framework for Binary Code Analysis S ebastien Bardin, Philippe Herrmann, J er

The BINCOA Framework for Binary Code Analysis S ebastien Bardin, Philippe Herrmann, J er ome Leroux, Olivier Ly, Renaud Tabary, Aymeric Vincent CEA LIST (Saclay, Paris) LABRI (Bordeaux) 1/ 13 Binary code analysis 2/ 13 Binary code

149 views • 14 slides
Binary Numbers Binary numbers look like this Binary Numbers or Binary Code Binary numbers or

Binary Numbers Binary numbers look like this Binary Numbers or Binary Code Binary numbers or

Binary Numbers Binary numbers look like this Binary Numbers or Binary Code Binary numbers or binary code are used by computers and digital devices to talk to each other. It is used to give commands to the computer or a way to enter data

165 views • 12 slides
Dyninst: A Binary Analysis and Modification Framework Jeffrey K. Hollingsworth Ray Chen

Dyninst: A Binary Analysis and Modification Framework Jeffrey K. Hollingsworth Ray Chen

Dyninst: A Binary Analysis and Modification Framework Jeffrey K. Hollingsworth Ray Chen University of Maryland Department of Computer Science University of Maryland Binary modification Behavior Attack Detection Analysis Binary Program

492 views • 24 slides
Experiences with the Carnegie Mellon Binary Analysis Platform (CMU BAP) Sam L. Thomas, CNRS,

Experiences with the Carnegie Mellon Binary Analysis Platform (CMU BAP) Sam L. Thomas, CNRS,

Experiences with the Carnegie Mellon Binary Analysis Platform (CMU BAP) Sam L. Thomas, CNRS, IRISA sam.thomas@irisa.fr Introduction - what is BAP? Binary analysis framework: For program analysis For (aiding) reverse engineering (plugin

667 views • 29 slides
Contents 1. Binary firmware analysis 2. Tooling landscape 3. The avatar 2 framework 4. Examples

Contents 1. Binary firmware analysis 2. Tooling landscape 3. The avatar 2 framework 4. Examples

avatar 2 Marius Muench 34c3 - December 29, 2017 Contents 1. Binary firmware analysis 2. Tooling landscape 3. The avatar 2 framework 4. Examples 5. Conclusion 1 Binary Firmware Analysis Motivation Amount of embedded devices steadily

3.29k views • 51 slides
Analysis of the Binary IV Model or The case of the missing 9 dimensions Thomas Richardson

Analysis of the Binary IV Model or The case of the missing 9 dimensions Thomas Richardson

Analysis of the Binary IV Model or The case of the missing 9 dimensions Thomas Richardson Department of Statistics University of Washington This is joint work with James Robins (Harvard). Outline 1. The binary IV potential outcomes model

156 views • 15 slides
Lecture 3: Binary image analysis Thursday, Sept 6 Sudheendras office hours Mon, Wed

Lecture 3: Binary image analysis Thursday, Sept 6 Sudheendras office hours Mon, Wed

Lecture 3: Binary image analysis Thursday, Sept 6 Sudheendras office hours Mon, Wed 1-2 pm ENS 31NR Forsyth and Ponce book Binary images Two pixel values Foreground and background Regions of interest

1.13k views • 78 slides
QSynth - A Program Synthesis approach for Binary Code Deobfuscation Binary Analysis Workshop -

QSynth - A Program Synthesis approach for Binary Code Deobfuscation Binary Analysis Workshop -

QSynth - A Program Synthesis approach for Binary Code Deobfuscation Binary Analysis Workshop - NDSS Robin David &lt;rdavid@quarkslab.com&gt; Luigi Coniglio &lt;luigi.coniglio@studenti.unitn.it&gt; Mariano Ceccato &lt;mariano.ceccato@univr.it&gt;

1.12k views • 82 slides
How to Grow a TREE from CBASS Interactive Binary Analysis for Security Professionals Lixin

How to Grow a TREE from CBASS Interactive Binary Analysis for Security Professionals Lixin

How to Grow a TREE from CBASS Interactive Binary Analysis for Security Professionals Lixin (Nathan) Li, Xing Li, Loc Nguyen, James E. Just Outline Background Interactive Binary Analysis with TREE and CBASS Demonstrations

1.06k views • 67 slides
The Power of Binary 0, 1, 10, 11, 100, 101, 110, 111... What is Binary? a binary number

The Power of Binary 0, 1, 10, 11, 100, 101, 110, 111... What is Binary? a binary number

The Power of Binary 0, 1, 10, 11, 100, 101, 110, 111... What is Binary? a binary number is a number expressed in the binary numeral system, or base-2 numeral system, which represents numeric values using two different symbols: typically

485 views • 19 slides
Playing with Binary Analysis Deobfuscation of VM based software protection Jonathan Salwan,

Playing with Binary Analysis Deobfuscation of VM based software protection Jonathan Salwan,

Playing with Binary Analysis Deobfuscation of VM based software protection Jonathan Salwan, Sbastien Bardin and Marie-Laure Potet SSTIC 2017 Topic Binary protection Virtualization-based software protection Automatic

933 views • 72 slides
Binary Image Analysis Segmentation produces homogenous regions each region has uniform

Binary Image Analysis Segmentation produces homogenous regions each region has uniform

Binary Image Analysis Segmentation produces homogenous regions each region has uniform gray-level each region is a binary image ( 0 : background, 1 : object or the reverse) more intensity values for overlapping regions

875 views • 30 slides
LECTURE 2 Review 1 Binary Math and Assembly BINARY MATH In this section, we review Binary

LECTURE 2 Review 1 Binary Math and Assembly BINARY MATH In this section, we review Binary

LECTURE 2 Review 1 Binary Math and Assembly BINARY MATH In this section, we review Binary to decimal conversions and vice versa IEEE 754 Floating point representations Binary Arithmetic Decimal representation of binary numbers

1.66k views • 118 slides
Binary There are 10 types of people in the world those that understand binary and those

Binary There are 10 types of people in the world those that understand binary and those

Binary There are 10 types of people in the world those that understand binary and those that dont. What is binary? You and I write numbers like this: twelve is 12, sixty eight is 68, and one hundred is 100 Binary is a number

525 views • 26 slides
Networking in Unity Emil AngryAnt Johansen Unity Technologies Networking in Unity HTTP

Networking in Unity Emil AngryAnt Johansen Unity Technologies Networking in Unity HTTP

Networking in Unity Emil AngryAnt Johansen Unity Technologies Networking in Unity HTTP and browser interface End to end connections HTTP and browser interface HTTP WWW WWWForm Yield to pause coroutine WebPlayer WWW security

440 views • 15 slides
Be Angry ry and Do Not Sin The world is falling apart. Heres how we fix it. Therefore, la

Be Angry ry and Do Not Sin The world is falling apart. Heres how we fix it. Therefore, la

Be Angry ry and Do Not Sin The world is falling apart. Heres how we fix it. Therefore, la laying aside fals lsehood, SPEAK TRUTH EACH ONE of you WIT ITH HIS IS NEIGHBOR, for we are members of one another. BE ANGRY, AND yet DO NOT SIN

374 views • 8 slides
SI486m? : NLP Set 6 Sentiment and Opinions It's about finding out what people think... Can be

SI486m? : NLP Set 6 Sentiment and Opinions It's about finding out what people think... Can be

SI486m? : NLP Set 6 Sentiment and Opinions It's about finding out what people think... Can be big business Someone who wants to buy a camera Looks for reviews online Someone who just bought a camera Writes reviews online

620 views • 39 slides
Here are the songs we sang this Sunday. This shows the song name, the artist who performed the

Here are the songs we sang this Sunday. This shows the song name, the artist who performed the

Here are the songs we sang this Sunday. This shows the song name, the artist who performed the song, and the cd that contains the song. Same Power Jeremy Camp I Will Follow Youll Come Hillsong Live This is Our God Praise to the

720 views • 34 slides
Regaining the ST(E)AM in STEM Education: Transcending Boundaries to Transform STEM Education

Regaining the ST(E)AM in STEM Education: Transcending Boundaries to Transform STEM Education

Regaining the ST(E)AM in STEM Education: Transcending Boundaries to Transform STEM Education Roni Ellington, PhD Plenary Session Midwest Regional Noyce Connections Conference Friday, October 30, 2015 Omaha, Nebraska Thank You for the

372 views • 34 slides
7 @moRtenDk #drUpaltWIG DRUpAl 8 tH

7 @moRtenDk #drUpaltWIG DRUpAl 8 tH

7 @moRtenDk #drUpaltWIG DRUpAl 8 tH e mI n g DRUpALCoN BaRCElONA 2015 @moRtenDk #drUpaltWIG sLidEs SLIdES aRE oNLInE

1.91k views • 166 slides
Scenario 4 Conflict / Angry Customers Driver Vic Transactional Analysis (T.A.) P P A

Scenario 4 Conflict / Angry Customers Driver Vic Transactional Analysis (T.A.) P P A

Scenario 4 Conflict / Angry Customers Driver Vic Transactional Analysis (T.A.) P P A A C C Tips for dealing with conflict/anger (Adult mode) Reflect, think before reacting - pause and take a slow breath Listen - Let them

603 views • 4 slides
Discrete Mathematics -- Chapter 2: Fundamentals of Ch t 2 F d t l f Logic Hung-Yu Kao (

Discrete Mathematics -- Chapter 2: Fundamentals of Ch t 2 F d t l f Logic Hung-Yu Kao (

Discrete Mathematics -- Chapter 2: Fundamentals of Ch t 2 F d t l f Logic Hung-Yu Kao ( ) Department of Computer Science and Information Engineering, N National Cheng Kung University l Ch K U Outline Basic Connectives and

759 views • 62 slides

More recommend