binary level security
play

BINARY-LEVEL SECURITY: SEMANTIC ANALYSIS TO THE RESCUE Sbastien - PowerPoint PPT Presentation

Oct 29, 2023 •223 likes •1.11k views

BINARY-LEVEL SECURITY: SEMANTIC ANALYSIS TO THE RESCUE Sbastien Bardin (CEA LIST) Joint work with Richard Bonichon, Robin David, Adel Djoudi & many other people Sbastien Bardin -- ISSISP 2017 | 1 ABOUT MY LAB @CEA Sbastien Bardin

  1. BINARY-LEVEL SECURITY: SEMANTIC ANALYSIS TO THE RESCUE Sébastien Bardin (CEA LIST) Joint work with Richard Bonichon, Robin David, Adel Djoudi & many other people Sébastien Bardin -- ISSISP 2017 | 1

  2. ABOUT MY LAB @CEA Sébastien Bardin -- ISSISP 2017 | 2

  3. IN A NUTSHELL • Binary-level security analysis: many applications, many challenges • Standard techniques (dynamic, syntactic) not enough • Formal methods can help … but must be strongly adapted [Complement existing methods] • Need robustness, precision and scalability! • Acceptable to lose both correctness & completeness – in a controlled way • New challenges and variations, many things to do! • • A tour on how formal methods can help • Explore and discover -- with Josselin Feist • Prove infeasibility or validity -- with Robin David Simplify (not covered here) -- with Jonathan Salwan • Sébastien Bardin -- ISSISP 2017 | 3

  4. OUTLINE • Focus mostly on Symbolic Execution • Why binary-level analysis? • Give hints for abstract Interpretation • Some background on source-level formal methods • The hard journey from source to binary • A few case-studies Cover both • vulnerability detection • Conclusion • deobfuscation Sébastien Bardin -- ISSISP 2017 | 4

  5. OUTLINE • Why binary-level analysis? • Some background on source-level formal methods • The hard journey from source to binary • A few case-studies • Conclusion Sébastien Bardin -- ISSISP 2017 | 5

  6. BENEFITS No source code More precise analysis Malware What for: vulnerabilities, reverse (malware, legacy), protection evaluation, etc. Sébastien Bardin -- ISSISP 2017 | 6

  7. EXAMPLE: COMPILER BUG Our goal here: • Check the code after compilation Sébastien Bardin -- ISSISP 2017 | 7

  8. EXAMPLE: MALWARE COMPREHENSION APT: highly sophisticated attacks The day after: malware comprehension • understand what has been going on • Targeted malware • mitigate, fix and clean • Written by experts • Attack: 0-days • improve defense • Defense: stealth, obfuscation • Sponsored by states or mafia USA elections: DNC Hack Highly challenging [obfuscation] Sébastien Bardin -- ISSISP 2017 | 8

  9. CHALLENGE: CORRECT DISASSEMBLY Basic reverse problem • aka model recovery • aka CFG recovery Sébastien Bardin -- ISSISP 2017 | 9

  10. • code – data CAN BE TRICKY! • dynamic jumps (jmp eax) Sébastien Bardin -- ISSISP 2017 | 10

  11. STATE-OF-THE-ART TOOLS ARE NOT ENOUGH Just add mov %eax,%ecx mov %ecx,%eax and break results • Static (syntactic): too fragile • Dynamic: too incomplete Sébastien Bardin -- ISSISP 2017 | 11

  12. [See later] CAN BECOME A NIGHTMARE WHEN OBFUSCATED Sébastien Bardin -- ISSISP 2017 | 12

  13. EXAMPLE: VULNERABILITY DETECTION Find vulnerabilities before the bad guys • On the whole program • At binary-level • Know only the entry point and program input format Sébastien Bardin -- ISSISP 2017 | 13

  14. EXAMPLE: VULNERABILITY DETECTION Sébastien Bardin -- ISSISP 2017 | 14

  15. CHALLENGE: In-depth exploration (example: use after free) Dynamic: not enough • Too incomplete Sébastien Bardin -- ISSISP 2017 | 15

  16. BONUS: (MULTI-)ARCHITECTURE SUPPORT Sébastien Bardin -- ISSISP 2017 | 16

  17. THE SITUATION • Binary-level security analysis is necessary • Binary-level security analysis is highly challenging (*) • Standard tools are not enough – experts need better help! (*) i.e., more challenging • Static (syntactic): too fragile than source code analysis • Dynamic: too incomplete Sébastien Bardin -- ISSISP 2017 | 17

  18. SOLUTION? BINARY-LEVEL SEMANTIC ANALYSIS Semantic preserved by compilation or obfuscation Can reason about sets of executions Sébastien Bardin -- ISSISP 2017 | 18

  19. OUTLINE • Why binary-level analysis? • Some background on source-level formal methods • The hard journey from source to binary • A few case-studies • Conclusion Sébastien Bardin -- ISSISP 2017 | 19

  20. BACK IN TIME: THE SOFTWARE CRISIS (1969) Sébastien Bardin -- ISSISP 2017 | 20

  21. ABOUT FORMAL METHODS Success in safety-critical Sébastien Bardin -- ISSISP 2017 | 21

  22. A DREAM COME TRUE … IN CERTAIN DOMAINS Sébastien Bardin -- ISSISP 2017 | 22

  23. A DREAM COME TRUE … IN CERTAIN DOMAINS (2) Sébastien Bardin -- ISSISP 2017 | 23

  24. OVERVIEW OF FORMAL METHODS Semantics • Precise meaning for the domain of evaluation and the effect of instructions • Operational semantics = « interpreter » Properties • From Invariants / reachability to safety/liveness/hyper-properties /… • On software: mostly invariants and reachability Algorithms: • Historically: Weakest precondition, Abstract interpretation, model checking • Correctness: the analysis explores only behaviors of interest • Completeness: the analysis explores at least all behaviors of interest Sébastien Bardin -- ISSISP 2017 | 24

  25. OVERVIEW OF FORMAL METHODS Trends: • Frontier between techniques disappear • master abstraction (correct xor complete) • reduction to logic • sweet spots Representative • Industrial successes at • source-level Next: Adaptation to binary: • • AI: complete (can prove invariants) -- 1977 very different situations • DSE: correct (can find bugs) -- 2005 Sébastien Bardin -- ISSISP 2017 | 25

  26. ABSTRACT INTERPRETATION Sébastien Bardin -- ISSISP 2017 | 26

  27. ABSTRACT INTERPRETATION IN PRACTICE skip Sébastien Bardin -- ISSISP 2017 | 27

  28. ABSTRACT INTERPRETATION IN PRACTICE Key points: • Infinite data: abstract domain • Path explosion: merge • Loops: widening In practice: • Tradeoff between cost and precision • Tradeoff between generic & dedicated domains It is sometimes simple and useful • taint, pointer nullness, typing Big successes: Astrée, Frama-C, Clousot Sébastien Bardin -- ISSISP 2017 | 28

  29. DYNAMIC SYMBOLIC EXECUTION (DSE, Godefroid 2005) Perfect for intensive testing • Correct, relatively complete • No false alarm • Robust • Scale in some ways // incomplete Sébastien Bardin -- ISSISP 2017 | 29

  30. DSE: PATH PREDICATE COMPUTATION (DSE, Godefroid 2005) Sébastien Bardin -- ISSISP 2017 | 30

  31. DSE: GLOBAL PROCEDURE (DSE, Godefroid 2005) Sébastien Bardin -- ISSISP 2017 | 31

  32. ABOUT ROBUSTNESS (imo, the major advantage) « concretization » • Keep going when symbolic reasoning fails • Tune the tradeoff genericity - cost Sébastien Bardin -- ISSISP 2017 | 32

  33. DSE Three key ingredients • Path predicate & solving • Path enumeration • C/S policy Limits • #paths -> better heuristics (?), state merging, distributed search, path pruning, adaptation to coverage objectives, etc. • solving cost -> preprocessing, caching, incremental solving, aggressive concretization (good?) [wait for better solvers  ] • Preconditions/postconditions/advanced stubs Sébastien Bardin -- ISSISP 2017 | 33

  34. DSE: PATH PREDICATE MAY BE COMPLICATED Sébastien Bardin -- ISSISP 2017 | 34

  35. DSE: SEARCH • Search heurstics matters • But no good choice (hint: DFS is often the worst) • The engine must provide flexibility Sébastien Bardin -- ISSISP 2017 | 35

  36. DSE: SEARCH (2) Generic engine • Score each active prefix • Pick the best & expand • Easy encoding of many heuristics Sébastien Bardin -- ISSISP 2017 | 36

  37. C/S POLICIES Sébastien Bardin -- ISSISP 2017 | 37

  38. C/S POLICIES (2) • C/S policy matters • But no good choice • The engine must provide flexibility Sébastien Bardin -- ISSISP 2017 | 38

  39. C/S POLICIES (3) Generic engine • C/S specification • DSE parametrized by C/S Sébastien Bardin -- ISSISP 2017 | 39

  40. OUTLINE • Why binary-level analysis? • Some background on source-level formal methods • The hard journey from source to binary • A few case-studies • Conclusion Sébastien Bardin -- ISSISP 2017 | 40

  41. NOW: BINARY-LEVEL SECURITY Sébastien Bardin -- ISSISP 2017 | 41

  42. THE HARD JOURNEY FROM SOURCE TO BINARY Wanted • robustness • precision • scale Sébastien Bardin -- ISSISP 2017 | 42

  43. ADAPTING DSE and AI to BINARY: two very different stories DSE is quite easy to adapt • thx to SMT solvers (arrays+bitvectors) Problems • thx to concretization • Low-level control: jump eax • yet, performance degrades • Low-level data: memory • Low-level data: flags AI is much more complicated • Even for « normal » code Problem solved: multi-architecture • btw, cannot expect better than • rely on some IR source-level precision Sébastien Bardin -- ISSISP 2017 | 43

  44. FULL DISCLOSURE: the BINSEC tool Still very young! Semantic analysis for binary-level security • Help make sense of binary • more robust than syntactic • more exhaustive than dynamic Some features • Help to recover a simple model • Identify feasible events (+ input) • Identify infeasible events (eg, protections) • Multi-architecture Sébastien Bardin -- ISSISP 2017 | 44

  45. UNDER THE HOOD Sébastien Bardin -- ISSISP 2017 | 45

  46. INTERMEDIATE REPRESENTATION • Concise • Well-defined • Clear, side-effect free Sébastien Bardin -- ISSISP 2017 | 46

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Binary-Level Software Security Gang Tan Department of CSE, Lehigh University For Joint Summer

Binary-Level Software Security Gang Tan Department of CSE, Lehigh University For Joint Summer

Binary-Level Software Security Gang Tan Department of CSE, Lehigh University For Joint Summer Schools on Cryptography and Principles of Software Security @ Penn State; Jun 1st, 2012 High-Level Languages for Safety/Security 2 Java, C#,

1.54k views • 98 slides
Symbolic execution for binary-level security / 50 3 A number of shades of symbolic execution /

Symbolic execution for binary-level security / 50 3 A number of shades of symbolic execution /

Symbolic execution for binary-level security / 50 3 A number of shades of symbolic execution / / Sbastien Bardin & Richard Bonichon 20180409 CEA LIST 1 1,1,L Model Source qb int foo (int t ) { 0,1,L 0,1,L int y = t * t - 4 * t ;

567 views • 34 slides
Binsec/RelSE Efficient Constant-Time Analysis of Binary-Level Code with Relational Symbolic

Binsec/RelSE Efficient Constant-Time Analysis of Binary-Level Code with Relational Symbolic

Binsec/RelSE Efficient Constant-Time Analysis of Binary-Level Code with Relational Symbolic Execution Lesly-Ann Daniel Sbastien Bardin Tamara Rezk CEA LIST, France CEA LIST, France INRIA, France IEEE Symposium on Security and Privacy May

464 views • 25 slides
Binary Numbers Binary numbers look like this Binary Numbers or Binary Code Binary numbers or

Binary Numbers Binary numbers look like this Binary Numbers or Binary Code Binary numbers or

Binary Numbers Binary numbers look like this Binary Numbers or Binary Code Binary numbers or binary code are used by computers and digital devices to talk to each other. It is used to give commands to the computer or a way to enter data

165 views • 12 slides
Reverse engineering Reverse engineer Did anyone analyze f1 something similar A binary file f2

Reverse engineering Reverse engineer Did anyone analyze f1 something similar A binary file f2

Asm2Vec : Boosting Static Representation Robustness for Binary Clone Search against Code Obfuscation and Compiler Optimization Steven H. H. Ding Benjamin C. M. Fung Philippe Charland Data Mining and Security Lab Mission Critical Cyber Security

625 views • 23 slides
Binary Tree Traversal Methods Preorder Inorder Postorder Level order Preorder

Binary Tree Traversal Methods Preorder Inorder Postorder Level order Preorder

Binary Tree Traversal Methods In a traversal of a binary tree, each element of the binary tree is visited exactly once. During the visit of an element, all action (make a clone, display, evaluate the operator, etc.) with respect to this

305 views • 14 slides
1.00 Lecture 37 Data Structures: TreeMap, HashMap Binary Trees Level Nodes 2 0 0 m e p 2 1

1.00 Lecture 37 Data Structures: TreeMap, HashMap Binary Trees Level Nodes 2 0 0 m e p 2 1

1.00 Lecture 37 Data Structures: TreeMap, HashMap Binary Trees Level Nodes 2 0 0 m e p 2 1 1 2 2 2 d f n v 2 k k Full binary tree has 2 (k+1) -1 nodes Maximum of k steps required to find (or not find) a node E.g. 2

306 views • 13 slides
Binary Stirring: Self-randomizing Instruction Addresses of Legacy x86 Binary Code Papadaki

Binary Stirring: Self-randomizing Instruction Addresses of Legacy x86 Binary Code Papadaki

University of Crete Computer Science Department CS457 Introduction to Information Systems Security Binary Stirring: Self-randomizing Instruction Addresses of Legacy x86 Binary Code Papadaki Eleni 872 Rigakis Nikolaos 2422

513 views • 22 slides
Binary Tree Traversal Methods Preorder Inorder In a traversal of a binary tree, each

Binary Tree Traversal Methods Preorder Inorder In a traversal of a binary tree, each

Binary Tree Traversal Methods Binary Tree Traversal Methods Preorder Inorder In a traversal of a binary tree, each element of Postorder the binary tree is visited exactly once. Level order During the visit of an

406 views • 7 slides
Binary Tree Traversal Methods Preorder Inorder In a traversal of a binary tree, each

Binary Tree Traversal Methods Preorder Inorder In a traversal of a binary tree, each

Binary Tree Traversal Methods Binary Tree Traversal Methods Preorder Inorder In a traversal of a binary tree, each element of Postorder the binary tree is visited exactly once. Level order During the visit of an

408 views • 5 slides
RevARM: A Platform-Agnostic ARM Binary Rewriter for Security Applications * Taegyu Kim, Chung

RevARM: A Platform-Agnostic ARM Binary Rewriter for Security Applications * Taegyu Kim, Chung

RevARM: A Platform-Agnostic ARM Binary Rewriter for Security Applications * Taegyu Kim, Chung Hwan Kim, Hongjun Choi, Yonghwi Kwon, + Brendan Saltaformaggio, Xiangyu Zhang, Dongyan Xu + * Security of ARM platforms ARM platforms have

377 views • 22 slides
Transport Level Security HTTPS SSH CSS322: Security and Cryptography Sirindhorn International

Transport Level Security HTTPS SSH CSS322: Security and Cryptography Sirindhorn International

CSS322 Transport Security Web Security TLS/SSL Transport Level Security HTTPS SSH CSS322: Security and Cryptography Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 28 October 2013

687 views • 32 slides
Chapter 16 Cryptography and Network Transport Level Security Security Chapter 16 Use your

Chapter 16 Cryptography and Network Transport Level Security Security Chapter 16 Use your

Chapter 16 Cryptography and Network Transport Level Security Security Chapter 16 Use your mentality Wake up to reality From the song, "I've Got You under My Skin Fifth Edition by Cole Porter by William Stallings Lecture slides by

300 views • 5 slides
The Power of Binary 0, 1, 10, 11, 100, 101, 110, 111... What is Binary? a binary number

The Power of Binary 0, 1, 10, 11, 100, 101, 110, 111... What is Binary? a binary number

The Power of Binary 0, 1, 10, 11, 100, 101, 110, 111... What is Binary? a binary number is a number expressed in the binary numeral system, or base-2 numeral system, which represents numeric values using two different symbols: typically

485 views • 19 slides
How to Grow a TREE from CBASS Interactive Binary Analysis for Security Professionals Lixin

How to Grow a TREE from CBASS Interactive Binary Analysis for Security Professionals Lixin

How to Grow a TREE from CBASS Interactive Binary Analysis for Security Professionals Lixin (Nathan) Li, Xing Li, Loc Nguyen, James E. Just Outline Background Interactive Binary Analysis with TREE and CBASS Demonstrations

1.06k views • 67 slides
BINSEC: Binary-level Semantic Analysis to the Rescue S ebastien Bardin joint work with

BINSEC: Binary-level Semantic Analysis to the Rescue S ebastien Bardin joint work with

BINSEC: Binary-level Semantic Analysis to the Rescue S ebastien Bardin joint work with Richard Bonichon, Robin David, Adel Djoudi, Benjamin Farinier, Josselin Feist, Laurent Mounier, Marie-Laure Potet, Thanh Dihn Ta, Franck V edrine CEA

1.27k views • 61 slides
Network Security Dr. Haojin Zhu Zhu-hj@cs.sjtu.edu.cn https://nsec.sjtu.edu.cn/ 1 About

Network Security Dr. Haojin Zhu Zhu-hj@cs.sjtu.edu.cn https://nsec.sjtu.edu.cn/ 1 About

Network Security Dr. Haojin Zhu Zhu-hj@cs.sjtu.edu.cn https://nsec.sjtu.edu.cn/ 1 About Instructor Dr. Haojin Zhu, Professor of Computer Science and Engineering Department https://nsec.sjtu.edu.cn/ zhu-hj@cs.sjtu.edu.cn Office:

748 views • 56 slides
How we hacked Online Banking Malware Sebastian Bachmann & Tibor Eli as 22. November

How we hacked Online Banking Malware Sebastian Bachmann & Tibor Eli as 22. November

How we hacked Online Banking Malware Sebastian Bachmann & Tibor Eli as 22. November 2014 B-Sides Vienna Sebastian Bachmann & Tibor Eli as How we hacked Online Banking Malware 22. November 2014 1 / 55 About Us About:

576 views • 55 slides
Databases Services at CERN Databases Services at CERN for the Physics Community Luca Canali,

Databases Services at CERN Databases Services at CERN for the Physics Community Luca Canali,

Databases Services at CERN Databases Services at CERN for the Physics Community Luca Canali, CERN Orcan Conference, Stockholm, May 2010 y Outline Overview of CERN and computing for LHC Database services at CERN DB service

565 views • 53 slides
: :

: :

: : http://mehr.sharif.edu/~shahriari 1 http://www.fata.ir

494 views • 17 slides
WHY YOU WILL SOON SEE 100S OF NEW NFC APPLICATIONS HOW IOS11 AND NXP CAN BOOST YOUR BUSINESS

WHY YOU WILL SOON SEE 100S OF NEW NFC APPLICATIONS HOW IOS11 AND NXP CAN BOOST YOUR BUSINESS

WHY YOU WILL SOON SEE 100S OF NEW NFC APPLICATIONS HOW IOS11 AND NXP CAN BOOST YOUR BUSINESS JORDI JOFRE 24/10/2017 PUBLIC Agenda The NFC journey including iOS 11 release Key NFC use cases with smartphones NXP NFC portfolio

338 views • 32 slides
7 sins of ATM protection against logical attacks Timur Yunusov Senior expert ptsecurity.com

7 sins of ATM protection against logical attacks Timur Yunusov Senior expert ptsecurity.com

7 sins of ATM protection against logical attacks Timur Yunusov Senior expert ptsecurity.com whoami Positive Technologies (from 2009) Application security researcher (from 2009) Banking systems

647 views • 45 slides
Week 9 Page 1 Lab Session Activities Homework assignment #9 Team Homework Assignment #9

Week 9 Page 1 Lab Session Activities Homework assignment #9 Team Homework Assignment #9

Week 9 Page 1 Lab Session Activities Homework assignment #9 Team Homework Assignment #9 http://www.csun.edu/~twang/380/HW/HW9.pdf Page 2 1. Requirements of the ATM Simulator The software to be designed will control a simulated automated

567 views • 28 slides
Detector Support System Cost estimate at Conceptual Design Jim Stewart DUNE CDR: DSS Review

Detector Support System Cost estimate at Conceptual Design Jim Stewart DUNE CDR: DSS Review

Detector Support System Cost estimate at Conceptual Design Jim Stewart DUNE CDR: DSS Review August 20 2018 INDICO Agenda h.ps://indico.fnal.gov/event/17719/other-view?view=standard Content Methodology for the Cost Estimate

461 views • 22 slides

More recommend