binary level program analysis static disassembly
play

Binarylevel program analysis: Static Disassembly Gang Tan CSE 597 - PowerPoint PPT Presentation

Mar 21, 2023 •244 likes •514 views

Binarylevel program analysis: Static Disassembly Gang Tan CSE 597 Spring 2019 Penn State University 3 Disassemblers Disassembler Convert machine code in a binary file into assembly code or code in an equivalent IR Assume a

  1. Binary‐level program analysis: Static Disassembly Gang Tan CSE 597 Spring 2019 Penn State University 3

  2. Disassemblers • Disassembler – Convert machine code in a binary file into assembly code or code in an equivalent IR • Assume a decode function – decode(code, offset) returns the next instruction and the instruction’s size • Assuming code is a list of bytes, and offset is the beginning of the next instruction – E.g., assume code=“6A 03 83 C4 0C B8 CC CC CC CC” • decode(code,0) => (“push 3”, 2) – “6A 03” • decode(code,2) => (“add esp, 0x0C”, 3) – “83 C4 0C” • decode(code,5) => (“mov eax, 0xCCCCCCCC”, 5) – “B8 CC CC CC CC”

  3. Dynamic vs Static Disassemblers • Dynamic disassemblers – The binary code is executed and the execution traces are recorded and decoded – Advantages: accurate, can disassemble obfuscated binary code – Disadvantages: takes time to record traces; only covers one execution path at a time • Static disassemblers – A binary file is disassembled without executing it – Advantages: fast; covers more than one execution path – Disadvantages: many challenges; vulnerable to code obfuscation

  4. Static Disassemblers • Input: a binary file • Goal – Disassemble the executable sections in the binary file – May use other information in the binary file • E.g., symbol tables if they are available • Output: a Control‐Flow Graph (CFG) 6

  5. CFG • Nodes are basics blocks of assembly instructions – A basic block is a piece of straight‐line code: no jumps in or out of the middle of a basic block • Directed edges connect basic blocks – An edge from b1 to b2 means that after the execution of b1 it is possible b2 starts execution • A basic block may have multiple outgoing edges – E.g., when it ends with a conditional jump instruction 7

  6. CFG Example 8

  7. Static Disassembly Challenges • Variable‐sized instruction sets – Do not know instruction boundaries for stripped binaries • Embedded data in code – E.g., compiler may embed jump tables into the code section – Note: compilers do less of this nowadays; but an obfuscator might do it still • Targets of indirect jumps/calls require static analysis – E.g., “jmp 16[ebp]”, “call eax” 9

  8. Static Disassemblers • Some major algorithms – Linear sweep – Recursive traversal – Some mixed approach

  9. Linear Sweep • Linear Sweep – Start at the entry point of a code section – Decode instructions one by one until the end or an illegal instruction is reached • The Unix utility program objdump adopts linear sweep

  10. Linear Sweep Pseudo Code – Input • code holds the bytes of the input code section • codeSize is the code section size Assume decode throws exception when it fails (cannot decode, the end currOffset=0; of the code buffer, etc.) instrSet={}; while (currOffset < codeSize) { (instr, size) = decode(code, currOffset); instrSet = instrSet ∪ {(currOffset, instr, size)}; currOffset += size; } Build basic blocks and buildCFG(instrSet) add CFG edges

  11. Linear Sweep • Advantage: simple and easy to implement • Disadvantages – Mistreat data as code if they are mixed Code section instr instr data instr instr (1) Could be a jump over data to the next instr (2) Could be a ret Linear sweep: instr instr wrong wrong wrong

  12. Recursive Traversal • Idea – disassembles instructions following the control flow graph constructed during disassembly 14

  13. Recursive Traversal Pseudo Code worklist = {0}; processed = {}; while (worklist <> {}) { offset = removeOneNode(worklist); processed = processed ∪ {offset}; (instr, size) = decode(code, offset); switch (instr) case non‐control‐flow‐instr: add(offset+size); case unconditional‐jmp(dest): add(dest); case cond‐jmp(dest1,dest2): add(dest1); add(dest2); … } Procedure add (offset): if (offset ∉ processed) then worklist = worklist ∪ {offset} 15

  14. Recursive Traversal • Advantage – Recursive traversal can accommodate data embedded in code section • Disadvantage: – Hard to determine the control‐flow edges out of indirect jumps and calls • IDA Pro uses recursive traversal – A commercial disassembler – An incomplete control flow graph (CFG) is emitted – The CFG is incomplete because there is no edge for indirect branch or call instructions

  15. Disassembling Obfuscated Code • “Static Disassembly of Obfuscated Binaries” by Kruegel et al at 2004 Usenix Security – Linear sweep and recursive traversal are combined – Heuristics are used to remove spurious nodes from initial CFGs • Obfuscated binaries – No symbol info – After obfuscation such as inserting unreachable junk data into the code section • E.g., “ins1; ins2” => “ins1; mov eax, someConst; jmp eax; junk bytes; ins2

  16. Disassembling Obfuscated Code • The algorithm: – Identify functions • Match binary code with common prologs • Common prolog: “push %ebp; mov %esp, %ebp”, i.e. 0x55 89 e5 – Construct intra‐procedural CFGs • Decode from every address; throw away illegal instructions – To accommodate variable‐sized instruction sets – May result in overlapping instructions • Identify all direct jump instructions in a function • Direct jump instructions whose targets are inside the function and direct conditional branch instructions are selected as jump candidates • An initial CFG is constructed by treating the entry instruction and jump candidates as the starting points using recursive traversal – Resolve block conflicts in the initial CFGs • Five steps are taken to remove spurious nodes

  17. Example Program 19

  18. Block Conflict Resolution Initial control flow graph Blue nodes represent the nodes in the real CFG; Red nodes represent spurious nodes; Node A is the entry node; Pink dash lines indicate there is a conflict between the nodes; Solid arrows represent the edges in the initial CFG.

  19. Block Conflict Resolution • The first step removes conflicting nodes which conflict with valid nodes – Entry node must be valid – Nodes reachable from a valid node must be valid – Nodes in conflict with valid nodes must be invalid • The second step removes ancestors of conflicting nodes – Assumption: valid nodes do not overlap – If two nodes in conflict share an ancestor, the ancestor must be invalid • The third step removes conflicting nodes with less predecessors – Assumes that valid nodes are more tightly integrated into a CFG – A node with more predecessors implies tighter integration – Clearly a heuristics • The fourth step removes conflicting nodes with less direct successors – Assumes that valid nodes are more tightly integrated into a CFG – More direct successors implies tighter integration – Heuristics • The last step removes nodes in conflict randomly – Pick one from two conflicting nodes by random – Being desperate here

  20. Block Conflict Resolution Control flow graph after the first step (Node B is removed) Blue nodes represent the nodes in the real CFG; Red nodes represent spurious nodes; Node A is the entry node; Pink dash lines indicate there is a conflict between the nodes; Solid arrows represent the edges in the initial CFG.

  21. Block Conflict Resolution Control flow graph after the second step (Node J is removed) Blue nodes represent the nodes in the real CFG; Red nodes represent spurious nodes; Node A is the entry node; Pink dash lines indicate there is a conflict between the nodes; Solid arrows represent the edges in the initial CFG.

  22. Block Conflict Resolution Control flow graph after the third step (Node K is removed) Blue nodes represent the nodes in the real CFG; Red nodes represent spurious nodes; Node A is the entry node; Pink dash lines indicate there is a conflict between the nodes; Solid arrows represent the edges in the initial CFG.

  23. Block Conflict Resolution Control flow graph after the fourth step (Node C is removed) Blue nodes represent the nodes in the real CFG; Red nodes represent spurious nodes; Node A is the entry node; Pink dash lines indicate there is a conflict between the nodes; Solid arrows represent the edges in the initial CFG.

  24. Disassembler Accuracy Program Objdump Linn/Debray IDA Pro This paper compress95 56.07 69.96 24.19 91.04 gcc 65.54 82.18 45.09 88.45 go 66.08 78.12 43.01 91.81 Ijpeg 60.82 74.23 31.46 91.60 li 56.65 72.78 29.07 89.86 m88ksim 58.42 75.66 29.56 90.39 perl 57.66 72.01 31.36 86.93 vortex 66.02 76.97 42.65 90.71 Mean 60.91 75.24 34.55 90.10 All programs went through an obfuscation tool Percentage of instructions correctly disassembled by each tool using SPECint 95

  25. Student Presentations related to Static Disassembly • Shingled Graph Disassembly: Finding the Undecideable Path; presenter: Yi Zheng • Superset Disassembly: Statically Rewriting x86 Binaries Without Heuristics; presenter: Eric Pauley • Static Binary Rewriting without Supplemental Information; presenter: Tingwei Hua • Recognizing Functions in Binaries with Neural Networks; presenter: Ryan Sheatsley 27

  26. Next: Static Analysis Basics • On a high‐level language – Techniques applicable to assembly code – We will read papers that apply static analysis on assembly code • Dataflow analysis – First discuss the theory – Then go through implementation in Datalog • Inter‐procedural analysis; flow‐sensitivity, path‐sensitivity, context sensitivity; 28

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Program analysis for security Two main classes Static: Operates on source or binary at

Program analysis for security Two main classes Static: Operates on source or binary at

Program analysis for security Two main classes Static: Operates on source or binary at rest Dynamic: Operates at runtime Also hybrids of the two Static: Examples Code review Grep Taint analysis Symbolic

726 views • 49 slides
1 Analysis Information Where Do Facts Hold? How much information depends on the client

1 Analysis Information Where Do Facts Hold? How much information depends on the client

711? CS711 Advanced Programming Languages Topics in Program Analysis Radu Rugina Fall 2005 CS711 Overview 2 Program Analysis Static vs. Dynamic Static analysis: inspect programs at compile-time Static analysis: Work done at

282 views • 4 slides
Be a Binary Rockst r An Introduction to Program Analysis with Binary Ninja Agenda

Be a Binary Rockst r An Introduction to Program Analysis with Binary Ninja Agenda

Be a Binary Rockst r An Introduction to Program Analysis with Binary Ninja Agenda Motivation Current State of Program Analysis Design Goals of Binja Program Analysis Building Tools 2 Motivation 3 Tooling - Concrete -&gt;

963 views • 77 slides
A Heuristic Approach to Detect Opaque Predicates that Disrupt Static Disassembly By: Yu-Jye

A Heuristic Approach to Detect Opaque Predicates that Disrupt Static Disassembly By: Yu-Jye

A Heuristic Approach to Detect Opaque Predicates that Disrupt Static Disassembly By: Yu-Jye Tung, Ian G. Harris Opaque Predicates Defini nition: n: conditional branches that always evaluate to true or false. Thus, one of their branches is

570 views • 23 slides
rev.ng A unified static binary analysis framework Alessandro Di Federico PhD student at

rev.ng A unified static binary analysis framework Alessandro Di Federico PhD student at

rev.ng A unified static binary analysis framework Alessandro Di Federico PhD student at Politecnico di Milano LLVM developers meeting 2016 November 3, 2016 Index Introduction A peek inside Recovery of switch cases Function detection

908 views • 53 slides
Principles of Program Analysis An overview of approaches beyond loop analysis and optimizations

Principles of Program Analysis An overview of approaches beyond loop analysis and optimizations

Principles of Program Analysis An overview of approaches beyond loop analysis and optimizations cs6363 1 The Nature of static analysis --- approximation Static program analysis --- predict the dynamic behavior of programs without running

368 views • 19 slides
Supermodule Disassembly Tom Dietel WWU M unster TRD Status Meeting 3.11.2008 Supermodule

Supermodule Disassembly Tom Dietel WWU M unster TRD Status Meeting 3.11.2008 Supermodule

Supermodule Disassembly Supermodule Disassembly Tom Dietel WWU M unster TRD Status Meeting 3.11.2008 Supermodule Disassembly Disassembly of SM-II Cooling problems in L5 short silicone hoses, bends problem has been solved in

321 views • 4 slides
Platform-independent static binary code analysis using a meta- assembly language Thomas Dullien,

Platform-independent static binary code analysis using a meta- assembly language Thomas Dullien,

Platform-independent static binary code analysis using a meta- assembly language Thomas Dullien, Sebastian Porst zynamics GmbH CanSecWest 2009 Overview The REIL Language Abstract Interpretation MonoREIL Results 2 Motivation Bugs are

677 views • 52 slides
Static Analysis of Haskell Neil Mitchell http://ndmitchell.com Static Analysis is getting

Static Analysis of Haskell Neil Mitchell http://ndmitchell.com Static Analysis is getting

Static Analysis of Haskell Neil Mitchell http://ndmitchell.com Static Analysis is getting insights at compile time Full branch coverage Terminates Doesnt rely on a test suite Types are static analysis. Lets talk about

784 views • 39 slides
Making Numerical Program Analysis Fast Gagandeep Singh Markus Pschel Martin Vechev Department

Making Numerical Program Analysis Fast Gagandeep Singh Markus Pschel Martin Vechev Department

Making Numerical Program Analysis Fast Gagandeep Singh Markus Pschel Martin Vechev Department of Computer Science ETH Zrich Static Program Analysis Static Program Analysis public static void verify() { int[] ptr = new int[8]; int start

637 views • 45 slides
Program Analysis Extracting static and dynamic information from a software system Program

Program Analysis Extracting static and dynamic information from a software system Program

Program Analysis Extracting static and dynamic information from a software system Program Analysis Extracting information, in order to present abstractions of, or answer questions about, a software system Static Analysis: Examines the

754 views • 32 slides
Static execution-time analysis CPU speed model Bounds on Static (Sub)program code exec time

Static execution-time analysis CPU speed model Bounds on Static (Sub)program code exec time

Tid rum Static Execution Time Analysis Niklas Holsti Space Systems Finland Ltd (now) Tidorum Ltd(to be) Overview Area of interest Current state Work in progress What to do next 1 bo Akademi, ES lab, 2003-10-03 Tid rum

466 views • 12 slides
Special topics on binarylevel program analysis: More on Static Analysis Gang Tan CSE 597

Special topics on binarylevel program analysis: More on Static Analysis Gang Tan CSE 597

Special topics on binarylevel program analysis: More on Static Analysis Gang Tan CSE 597 Spring 2019 Penn State University 1 ITERATION ALGORITHMS 2 Chaotic Iteration Suppose there are n equations in total RD j = F j ( RD 1 ,

660 views • 29 slides
EDA045F: Program Analysis LECTURE 8: DYNAMIC ANALYSIS 1 Christoph Reichenbach In the last

EDA045F: Program Analysis LECTURE 8: DYNAMIC ANALYSIS 1 Christoph Reichenbach In the last

EDA045F: Program Analysis LECTURE 8: DYNAMIC ANALYSIS 1 Christoph Reichenbach In the last lecture. . . More Points-to Analysis Memory Errors 2 / 44 Challenges to Static Analysis Static analysis is far from solved Very active

574 views • 42 slides
Boosting Job-Level Migration by Static Analysis Workshop on Operating Systems Platforms for

Boosting Job-Level Migration by Static Analysis Workshop on Operating Systems Platforms for

Boosting Job-Level Migration by Static Analysis Workshop on Operating Systems Platforms for Embedded Real-Time Applications July 09, 2019 Tobias Klaus, Peter Ulbrich, Phillip Raffeck, Benjamin Frank, Lisa Wernet , Maxim Ritter von Onciul ,

841 views • 42 slides
Static Analysis for Secure Development Introduction Static analysis : What , and why ?

Static Analysis for Secure Development Introduction Static analysis : What , and why ?

Static Analysis for Secure Development Introduction Static analysis : What , and why ? Basic analysis ! Example : Flow analysis ! Increasing precision ! Context -, flow -, and path sensitivity Scaling it up !

527 views • 27 slides
PROGRAMMING IN HASKELL Chapter 4 - Defining Functions 1 Conditional Expressions As in most

PROGRAMMING IN HASKELL Chapter 4 - Defining Functions 1 Conditional Expressions As in most

PROGRAMMING IN HASKELL Chapter 4 - Defining Functions 1 Conditional Expressions As in most programming languages, functions can be defined using conditional expressions. abs :: Int Int abs n = if n 0 then n else -n abs takes an

255 views • 24 slides
Math 1060Q Lecture 3 Jeffrey Connors University of Connecticut September 3, 2014 Today we

Math 1060Q Lecture 3 Jeffrey Connors University of Connecticut September 3, 2014 Today we

Math 1060Q Lecture 3 Jeffrey Connors University of Connecticut September 3, 2014 Today we discuss equations, graphs and functions Conditional equations x and y intercepts Symmetry Definition: what is a function? Vertical line

358 views • 18 slides
ICML 2019 in Long Beach Model Function Based Conditional Gradient Method with Armijo-like Line

ICML 2019 in Long Beach Model Function Based Conditional Gradient Method with Armijo-like Line

ICML 2019 in Long Beach Model Function Based Conditional Gradient Method with Armijo-like Line Search Peter Ochs Mathematical Optimization Group Saarland University 13.06.2019 joint work: Yura Malitsky 1 / 7 c 2019 Peter

135 views • 9 slides
Compiler Construction Lecture 19: Code Generation V (Compiler Backend) Winter Semester 2018/19

Compiler Construction Lecture 19: Code Generation V (Compiler Backend) Winter Semester 2018/19

Compiler Construction Lecture 19: Code Generation V (Compiler Backend) Winter Semester 2018/19 Thomas Noll Software Modeling and Verification Group RWTH Aachen University https://moves.rwth-aachen.de/teaching/ws-1819/cc/ The Compiler Backend

1.27k views • 59 slides
Lecture 14 Return-oriented programming Stephen Checkoway Oberlin College Based on slides by

Lecture 14 Return-oriented programming Stephen Checkoway Oberlin College Based on slides by

Lecture 14 Return-oriented programming Stephen Checkoway Oberlin College Based on slides by Bailey, Brumley, and Miller ROP Overview Idea: We forge shellcode out of existing application logic gadgets Requirements: vulnerability +

1.64k views • 80 slides
CONTROL INSTRUCTIONS Mahdi Nazm Bojnordi Assistant Professor School of Computing University of

CONTROL INSTRUCTIONS Mahdi Nazm Bojnordi Assistant Professor School of Computing University of

CONTROL INSTRUCTIONS Mahdi Nazm Bojnordi Assistant Professor School of Computing University of Utah CS/ECE 3810: Computer Organization Overview Homework 3 due on Jan 31 st (midnight) HW 1 and 2 graded and will be posted soon This

377 views • 21 slides
Assembly Language Programming Optimization Zbigniew Jurkiewicz, Instytut Informatyki UW December

Assembly Language Programming Optimization Zbigniew Jurkiewicz, Instytut Informatyki UW December

Assembly Language Programming Optimization Zbigniew Jurkiewicz, Instytut Informatyki UW December 9, 2017 Zbigniew Jurkiewicz, Instytut Informatyki UW Assembly Language Programming Optimization Conditional transfer Sometimes we make comparison

598 views • 34 slides
s strt

s strt

s strt rttr strt s st strts

787 views • 76 slides

More recommend