binary code analysis concepts and perspectives
play

Binary Code Analysis: Concepts and Perspectives Emmanuel Fleury - PowerPoint PPT Presentation

Dec 28, 2023 •10 likes •990 views

Binary Code Analysis: Concepts and Perspectives Emmanuel Fleury <emmanuel.fleury@u-bordeaux.fr> LaBRI, Universit de Bordeaux, France May 12, 2016 E. Fleury (LaBRI, France) Binary Code Analysis: Concepts and Perspectives May 12, 2016

  1. Binary Code Analysis: Concepts and Perspectives Emmanuel Fleury <emmanuel.fleury@u-bordeaux.fr> LaBRI, Université de Bordeaux, France May 12, 2016 E. Fleury (LaBRI, France) Binary Code Analysis: Concepts and Perspectives May 12, 2016 1 / 35

  2. Overview Introducing to Binary Code Analysis 1 Why Is Binary Analysis Special? 2 Low-level Programs Formal Model 3 Control-flow Recovery 4 Current and Future Trends 5 E. Fleury (LaBRI, France) Binary Code Analysis: Concepts and Perspectives May 12, 2016 2 / 35

  3. Overview Introducing to Binary Code Analysis 1 Basic Definitions Binary Analysis Pipeline Practical and Theoretical Challenges Why Is Binary Analysis Special? 2 Low-level Programs Formal Model 3 Control-flow Recovery 4 Current and Future Trends 5 E. Fleury (LaBRI, France) Binary Code Analysis: Concepts and Perspectives May 12, 2016 3 / 35

  4. Why Looking at Binary Code? Analysis of legacy/off-the-shelf/proprietary software; Software reverse-engineering on malware (or others); Analysis of software generated with untrusted compiler; To capture many low-level security issues; Analysis of low-level interactions (hardware/OS). Optimize a binary without the sources (recompilation). E. Fleury (LaBRI, France) Binary Code Analysis: Concepts and Perspectives May 12, 2016 4 / 35

  5. What we mean by “ Binary Programs ”? Abstract Model : All unnecessary information for the analysis have been removed. Only necessary information remains. Source Code : Keep track of high-level information about the program such as variables , types , functions . But also, variable and function names , and pragmas or code decorations . Bytecode : May vary depending on the bytecode considered, but keep track of few high-level information about the program such as types and functions . But, programs are usually unstructured . Binary File : Only keep track of the instructions in an unstructured way (no for- loop, no clear argument passing in procedures, . . . ). No type , no naming . But, the binary file may enclose meta-data that might be helpful (symbols, debug, . . . ). Memory Dump : Pure assembler instructions with a full memory state of the current execution. We do not have anymore the meta-data of the executable file. E. Fleury (LaBRI, France) Binary Code Analysis: Concepts and Perspectives May 12, 2016 5 / 35

  6. What we mean by “ Binary Programs ”? Abstract Model : All unnecessary information for the analysis have been removed. Only necessary information remains. Source Code : Keep track of high-level information about the program such as variables , types , functions . But also, variable and function names , and pragmas or code decorations . Bytecode : May vary depending on the bytecode considered, but keep track of few high-level information about the program such as types and functions . But, programs are usually unstructured . Binary File : Only keep track of the instructions in an unstructured way (no for- loop, no clear argument passing in procedures, . . . ). No type , no naming . But, the binary file may enclose meta-data that might be helpful (symbols, debug, . . . ). Memory Dump : Pure assembler instructions with a full memory state of the current execution. We do not have anymore the meta-data of the executable file. E. Fleury (LaBRI, France) Binary Code Analysis: Concepts and Perspectives May 12, 2016 5 / 35

  7. What we mean by “ Binary Programs ”? Abstract Model : All unnecessary information for the analysis have been removed. Only necessary information remains. Source Code : Keep track of high-level information about the program such as variables , types , functions . But also, variable and function names , and pragmas or code decorations . Bytecode : May vary depending on the bytecode considered, but keep track of few high-level information about the program such as types and functions . But, programs are usually unstructured . Binary File : Only keep track of the instructions in an unstructured way (no for- loop, no clear argument passing in procedures, . . . ). No type , no naming . But, the binary file may enclose meta-data that might be helpful (symbols, debug, . . . ). Memory Dump : Pure assembler instructions with a full memory state of the current execution. We do not have anymore the meta-data of the executable file. Binary code is the closest format of what will be executed! E. Fleury (LaBRI, France) Binary Code Analysis: Concepts and Perspectives May 12, 2016 5 / 35

  8. Binary Analysis Pipeline Data-flow Analysis Decompiler Loader Disassembler Memory Executable Intermediate High-level File Mapping Representation Code Metadata Initial CFG IR Type-recovery, Other analysis Loader : Open the input file, parse the meta-data enclosed in the binary file and extract the code to be mapped in memory. Decoder : Given a sequence of bytes at an address in memory, translate it into an intermediate representation which will be analyzed afterward. Disassembler : Combination of a decoder and a strategy to browse through the memory in order to recover all the control-flow of the program. Decompiler : Translate the assembly code into a high-level language with variables, types, functions and more (modules, objects, classes, . . . ). Verificator : Take the high-level representation of the program and check it against formally specified properties. E. Fleury (LaBRI, France) Binary Code Analysis: Concepts and Perspectives May 12, 2016 6 / 35

  9. Binary Analysis Pipeline Data-flow Analysis Decompiler Loader Disassembler Memory Executable Intermediate High-level File Mapping Representation Code Metadata Initial CFG IR Type-recovery, Other analysis Loader : Open the input file, parse the meta-data enclosed in the binary file and extract the code to be mapped in memory. Decoder : Given a sequence of bytes at an address in memory, translate it into an intermediate representation which will be analyzed afterward. Disassembler : Combination of a decoder and a strategy to browse through the memory in order to recover all the control-flow of the program. Decompiler : Translate the assembly code into a high-level language with variables, types, functions and more (modules, objects, classes, . . . ). Verificator : Take the high-level representation of the program and check it against formally specified properties. E. Fleury (LaBRI, France) Binary Code Analysis: Concepts and Perspectives May 12, 2016 6 / 35

  10. Practical and Theoretical Challenges Trustable reconstruction of the program control-flow; " As much as we can " automation of recovery of the control-flow; Scaling the analysis from small to big binary software; Performing automatic and correct, but partial, decompilation; Verification of few accessibility properties on real binary programs; E. Fleury (LaBRI, France) Binary Code Analysis: Concepts and Perspectives May 12, 2016 7 / 35

  11. Practical and Theoretical Challenges Trustable reconstruction of the program control-flow; " As much as we can " automation of recovery of the control-flow; Scaling the analysis from small to big binary software; Performing automatic and correct, but partial, decompilation; Verification of few accessibility properties on real binary programs; It does not seems to be a lot, but it is already quite tricky! E. Fleury (LaBRI, France) Binary Code Analysis: Concepts and Perspectives May 12, 2016 7 / 35

  12. Overview Introducing to Binary Code Analysis 1 Why Is Binary Analysis Special? 2 Unstructured Programming Architectural Model Low-level Programs Formal Model 3 Control-flow Recovery 4 Current and Future Trends 5 E. Fleury (LaBRI, France) Binary Code Analysis: Concepts and Perspectives May 12, 2016 8 / 35

  13. Unstructured Programming No Advanced Programming Constructs and Types No variable (only registers and memory accesses) No advanced types (only: Value, Pointer or Instructions); No advanced control-flow constructs ( if-then-else , for , while , . . . ); Jump-based Programming Static Jumps: jmp 0x12345678 Dynamic Jumps: jmp *%eax No Function Facilities No Function Type or Definition; No Argument Passing Facilities; No Procedural Context Facilities; E. Fleury (LaBRI, France) Binary Code Analysis: Concepts and Perspectives May 12, 2016 9 / 35

  14. Architectural Model Harvard Architecture CPU First implemented in the Mark I (1944). Bus Bus Keep program and data separated. Program Data Allows to fetch data and instructions in Memory Memory the same time. Princeton Architecture (Von Neumann) CPU First implemented in the ENIAC (1946). Bus Allows self-modifying code and entanglement of program and data . Memory (program and data) E. Fleury (LaBRI, France) Binary Code Analysis: Concepts and Perspectives May 12, 2016 10 / 35

  15. Architectural Model H Harvard Architecture i g h - l CPU e v First implemented in the Mark I (1944). e l Bus Bus p r o Keep program and data separated. g r a m Program Data Allows to fetch data and instructions in m i n Memory Memory g the same time. Princeton Architecture (Von Neumann) L o w - l CPU e v e l p r First implemented in the ENIAC (1946). o g Bus r a m Allows self-modifying code and m i n entanglement of program and data . Memory g (program and data) E. Fleury (LaBRI, France) Binary Code Analysis: Concepts and Perspectives May 12, 2016 10 / 35

  16. Overview Introducing to Binary Code Analysis 1 Why Is Binary Analysis Special? 2 Low-level Programs Formal Model 3 Control-flow Recovery 4 Current and Future Trends 5 E. Fleury (LaBRI, France) Binary Code Analysis: Concepts and Perspectives May 12, 2016 11 / 35

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

The BINCOA Framework for Binary Code Analysis S ebastien Bardin, Philippe Herrmann, J er

The BINCOA Framework for Binary Code Analysis S ebastien Bardin, Philippe Herrmann, J er

The BINCOA Framework for Binary Code Analysis S ebastien Bardin, Philippe Herrmann, J er ome Leroux, Olivier Ly, Renaud Tabary, Aymeric Vincent CEA LIST (Saclay, Paris) LABRI (Bordeaux) 1/ 13 Binary code analysis 2/ 13 Binary code

149 views • 14 slides
Binary Numbers Binary numbers look like this Binary Numbers or Binary Code Binary numbers or

Binary Numbers Binary numbers look like this Binary Numbers or Binary Code Binary numbers or

Binary Numbers Binary numbers look like this Binary Numbers or Binary Code Binary numbers or binary code are used by computers and digital devices to talk to each other. It is used to give commands to the computer or a way to enter data

165 views • 12 slides
(Binary code is a series of digits, that are either ones or zeros. Each digit is called a

(Binary code is a series of digits, that are either ones or zeros. Each digit is called a

Welcome back! In the last session, we started to look at computers and coding, and explored the computer language binary. Can anyone remember what binary code looks like? (Binary code is a series of digits, that are either ones or zeros.

402 views • 25 slides
QSynth - A Program Synthesis approach for Binary Code Deobfuscation Binary Analysis Workshop -

QSynth - A Program Synthesis approach for Binary Code Deobfuscation Binary Analysis Workshop -

QSynth - A Program Synthesis approach for Binary Code Deobfuscation Binary Analysis Workshop - NDSS Robin David &lt;rdavid@quarkslab.com&gt; Luigi Coniglio &lt;luigi.coniglio@studenti.unitn.it&gt; Mariano Ceccato &lt;mariano.ceccato@univr.it&gt;

1.12k views • 82 slides
DeepBinDiff : Learning Program-Wide Code Representations for Binary Diffing Yue Duan, Xuezixiang

DeepBinDiff : Learning Program-Wide Code Representations for Binary Diffing Yue Duan, Xuezixiang

DeepBinDiff : Learning Program-Wide Code Representations for Binary Diffing Yue Duan, Xuezixiang Li, Jinghan Wang, and Heng Yin 1 Motivation Binary Code Differential Analysis quantitatively measure the similarity between two given

507 views • 27 slides
Using Axe to Reason About Binary Code Eric Smith Kestrel Institute and Kestrel Technology

Using Axe to Reason About Binary Code Eric Smith Kestrel Institute and Kestrel Technology

Using Axe to Reason About Binary Code Eric Smith Kestrel Institute and Kestrel Technology ACL2 Workshop, May, 2017 Goal Lift binary code into logic JVM bytecode x86 binary code Then verify against a spec using Axe

276 views • 24 slides
Problem: Huffman Coding Def: binary character code = assignment of binary strings to characters

Problem: Huffman Coding Def: binary character code = assignment of binary strings to characters

Problem: Huffman Coding Def: binary character code = assignment of binary strings to characters e.g. ASCII code A = 01000001 fixed-length code B = 01000010 C = 01000011 How to decode: ? 01000001010000100100001101000001 Problem:

348 views • 14 slides
Problem: Huffman Coding Def: binary character code = assignment of binary strings to characters

Problem: Huffman Coding Def: binary character code = assignment of binary strings to characters

Problem: Huffman Coding Def: binary character code = assignment of binary strings to characters e.g. ASCII code A = 01000001 fixed-length code B = 01000010 C = 01000011 How to decode: ? 01000001010000100100001101000001 Problem:

163 views • 13 slides
Platform-independent static binary code analysis using a meta- assembly language Thomas Dullien,

Platform-independent static binary code analysis using a meta- assembly language Thomas Dullien,

Platform-independent static binary code analysis using a meta- assembly language Thomas Dullien, Sebastian Porst zynamics GmbH CanSecWest 2009 Overview The REIL Language Abstract Interpretation MonoREIL Results 2 Motivation Bugs are

677 views • 52 slides
Binsec/RelSE Efficient Constant-Time Analysis of Binary-Level Code with Relational Symbolic

Binsec/RelSE Efficient Constant-Time Analysis of Binary-Level Code with Relational Symbolic

Binsec/RelSE Efficient Constant-Time Analysis of Binary-Level Code with Relational Symbolic Execution Supervisors: Author: Lesly-Ann Daniel Sbastien Bardin CEA LIST CEA LIST Tamara Rezk Oct 2018 - Oct 2021 INRIA Sophia Antipolis

777 views • 38 slides
! The variable-length code is a prefix min f ( c ) d ( c ) code : no binary string is

! The variable-length code is a prefix min f ( c ) d ( c ) code : no binary string is

Coding ! Representing characters from some input alphabet using another alphabet . Example: input characters from the Latin Huffman Codes alphabet, output strings of binary digits. ! Fixed-length binary character code: for an input

326 views • 3 slides
Binary Stirring: Self-randomizing Instruction Addresses of Legacy x86 Binary Code Papadaki

Binary Stirring: Self-randomizing Instruction Addresses of Legacy x86 Binary Code Papadaki

University of Crete Computer Science Department CS457 Introduction to Information Systems Security Binary Stirring: Self-randomizing Instruction Addresses of Legacy x86 Binary Code Papadaki Eleni 872 Rigakis Nikolaos 2422

513 views • 22 slides
Binsec/RelSE Efficient Constant-Time Analysis of Binary-Level Code with Relational Symbolic

Binsec/RelSE Efficient Constant-Time Analysis of Binary-Level Code with Relational Symbolic

Binsec/RelSE Efficient Constant-Time Analysis of Binary-Level Code with Relational Symbolic Execution Lesly-Ann Daniel Sbastien Bardin Tamara Rezk CEA LIST, France CEA LIST, France INRIA, France IEEE Symposium on Security and Privacy May

464 views • 25 slides
Be a Binary Rockst r An Introduction to Program Analysis with Binary Ninja Agenda

Be a Binary Rockst r An Introduction to Program Analysis with Binary Ninja Agenda

Be a Binary Rockst r An Introduction to Program Analysis with Binary Ninja Agenda Motivation Current State of Program Analysis Design Goals of Binja Program Analysis Building Tools 2 Motivation 3 Tooling - Concrete -&gt;

963 views • 77 slides
Program analysis for security Two main classes Static: Operates on source or binary at

Program analysis for security Two main classes Static: Operates on source or binary at

Program analysis for security Two main classes Static: Operates on source or binary at rest Dynamic: Operates at runtime Also hybrids of the two Static: Examples Code review Grep Taint analysis Symbolic

726 views • 49 slides
AGATA: Status AGATA: Status and Perspectives and Perspectives E.Farnea INFN Sezione di Padova,

AGATA: Status AGATA: Status and Perspectives and Perspectives E.Farnea INFN Sezione di Padova,

AGATA: Status AGATA: Status and Perspectives and Perspectives E.Farnea INFN Sezione di Padova, Italy on behalf of the AGATA Collaboration Outline Outline Basic concepts: pulse shape analysis and gamma-ray tracking Gamma-ray

623 views • 48 slides
Part III Synchronization Semaphores The bearing of a child takes nine months, no matter how many

Part III Synchronization Semaphores The bearing of a child takes nine months, no matter how many

Part III Synchronization Semaphores The bearing of a child takes nine months, no matter how many women are assigned. 1 Spring 2015 Frederick P. Brooks Jr. Se Semap apho hores es A semaphore is an object that consists of a private

474 views • 45 slides
Logics for Program Reasoning University of Oslo Ratan Thapa/ratanbt@ifi.uio.no INF 5140:

Logics for Program Reasoning University of Oslo Ratan Thapa/ratanbt@ifi.uio.no INF 5140:

Logics for Program Reasoning University of Oslo Ratan Thapa/ratanbt@ifi.uio.no INF 5140: Specification and verification of parallel system 18 May 2018 Modal Logic Modal logic is particularly suitable for reasoning dynamic behaviour of programs

255 views • 10 slides
Interval Temporal Logics: a selective overview Dedicated to the memory of Sasha Chagrov Valentin

Interval Temporal Logics: a selective overview Dedicated to the memory of Sasha Chagrov Valentin

Interval Temporal Logics: a selective overview Dedicated to the memory of Sasha Chagrov Valentin Goranko Department of Philosophy, Stockholm University Advances in Modal Logic 2016 Budapest, August 30, 2016 V Goranko Interval Temporal Logics:

924 views • 60 slides
Page 1 1 Review: Marching Cubes Review: Direct Volume Rendering Pipeline create cube do

Page 1 1 Review: Marching Cubes Review: Direct Volume Rendering Pipeline create cube do

University of British Columbia News CPSC 314 Computer Graphics P4 grading May-June 2005 4:30-5:45 Wed Jun 22 Tamara Munzner Animation, Advanced Rendering, Final Review Week 6, Tue Jun 14 http://www.ugrad.cs.ubc.ca/~cs314/Vmay2005

652 views • 17 slides
Principles of Programming Languages Kristopher Micinski This class is about understanding how

Principles of Programming Languages Kristopher Micinski This class is about understanding how

Principles of Programming Languages Kristopher Micinski This class is about understanding how programs work To do this, were going to have to learn how a computer works Heres a program in a new language, C++ C++ is a compiled language

532 views • 30 slides
Decompilation and Data Flow Analysis Silvio Cesare &lt;silvio.cesare@gmail.com&gt; Who am I and

Decompilation and Data Flow Analysis Silvio Cesare &lt;silvio.cesare@gmail.com&gt; Who am I and

Bugalyze.com - Detecting Bugs Using Decompilation and Data Flow Analysis Silvio Cesare &lt;silvio.cesare@gmail.com&gt; Who am I and where did this talk come from? Ph.D. Student at Deakin University Book Author This talk covers some

764 views • 50 slides
Transparent Parallelization of Binary Code Benot Pradelle Alain Ketterlin Philippe Clauss

Transparent Parallelization of Binary Code Benot Pradelle Alain Ketterlin Philippe Clauss

Transparent Parallelization of Binary Code Benot Pradelle Alain Ketterlin Philippe Clauss Universit de Strasbourg INRIA (CAMUS team, Centre Nancy Grand-Est) CNRS (LSIIT, UMR 7005) First International Workshop on Polyhedral Compilation

305 views • 18 slides
Registers &amp; Counters M. Sachdev Dept. of Electrical &amp; Computer Engineering University of

Registers &amp; Counters M. Sachdev Dept. of Electrical &amp; Computer Engineering University of

ECE 223 Digital Circuits and Systems Registers &amp; Counters M. Sachdev Dept. of Electrical &amp; Computer Engineering University of Waterloo 1 Registers Register is a group of flip-flops n -bit register has n flip-flops Can hold

225 views • 10 slides

More recommend