binary program analysis theory and practice
play

Binary Program Analysis: Theory and Practice (what you code is not - PowerPoint PPT Presentation

Feb 11, 2023 •12 likes •924 views

Binary Program Analysis: Theory and Practice (what you code is not what you execute) Emmanuel Fleury <emmanuel.fleury@labri.fr> Joint work with: Grald Point <gerald.point@labri.fr> , Aymeric Vincent <aymeric.vincent@labri.fr>

  1. Binary Program Analysis: Theory and Practice (what you code is not what you execute) Emmanuel Fleury <emmanuel.fleury@labri.fr> Joint work with: Gérald Point <gerald.point@labri.fr> , Aymeric Vincent <aymeric.vincent@labri.fr> . LaBRI, Université Bordeaux 1, France June 13, 2013 E. Fleury (LaBRI, France) Binary Program Analysis: Theory and Practice June 13, 2013 1 / 46

  2. Overview Binary Program Analysis 1 CFG Recovery 2 Insight: A Binary Analysis Framework 3 E. Fleury (LaBRI, France) Binary Program Analysis: Theory and Practice June 13, 2013 2 / 46

  3. Overview Binary Program Analysis 1 Program Analysis Why Analyze Binary Program? Object of Study: Binary Programs Binary Code vs. Source Code What You Code Is Not What You Execute Analysis goals CFG Recovery 2 Insight: A Binary Analysis Framework 3 E. Fleury (LaBRI, France) Binary Program Analysis: Theory and Practice June 13, 2013 3 / 46

  4. Program Analysis Definition Program analysis is the process of automatically deriving properties about the behavior of computer programs. Dynamic Program Analysis Static Program Analysis Analysis is performed by executing the Analysis is performed without actually program on chosen inputs. Traces of executing the program. An abstract the actual executions are collected and model of the program is issued and processed. Properties about program symbolically executed. Properties about behavior is deduced based on the program behavior is deduced from the analysis of these concrete executions. analysis of these symbolic executions. Techniques Techniques Software Testing Abstract Interpretation Performance Analysis Data-flow Analysis . . . Model-checking Theorem Proving . . . E. Fleury (LaBRI, France) Binary Program Analysis: Theory and Practice June 13, 2013 4 / 46

  5. Input Program Formats for Analysis Abstract Model : All unnecessary information for the analysis have been removed. Only necessary information remains. Source Code : Keep track of high-level information about the program such as variables , types , functions . But also, variable and function names , and pragmas or code decorations . Bytecode : May vary depending on the bytecode considered, but keep track of few high-level information about the program such as types and functions . But, programs are unstructured . Binary File : Only keep track of the instructions in an unstructured way (no for-loop, no clear argument passing in procedures, . . . ). No type , no naming . But, the binary file may enclose meta-data that might be helpful (symbols, debug, . . . ). Memory Dump : Pure assembler instructions with a full memory state of the current execution. We do not have anymore the meta-data of the executable file. E. Fleury (LaBRI, France) Binary Program Analysis: Theory and Practice June 13, 2013 5 / 46

  6. Input Program Formats for Analysis Abstract Model : All unnecessary information for the analysis have been removed. Only necessary information remains. Source Code : Keep track of high-level information about the program such as variables , types , functions . But also, variable and function names , and pragmas or code decorations . Bytecode : May vary depending on the bytecode considered, but keep track of few high-level information about the program such as types and functions . But, programs are unstructured . Binary File : Only keep track of the instructions in an unstructured way (no for-loop, no clear argument passing in procedures, . . . ). No type , no naming . But, the binary file may enclose meta-data that might be helpful (symbols, debug, . . . ). Memory Dump : Pure assembler instructions with a full memory state of the current execution. We do not have anymore the meta-data of the executable file. E. Fleury (LaBRI, France) Binary Program Analysis: Theory and Practice June 13, 2013 5 / 46

  7. Input Program Formats for Analysis Abstract Model : All unnecessary information for the analysis have been removed. Only necessary information remains. Source Code : Keep track of high-level information about the program such as variables , types , functions . But also, variable and function names , and pragmas or code decorations . Bytecode : May vary depending on the bytecode considered, but keep track of few high-level information about the program such as types and functions . But, programs are unstructured . Binary File : Only keep track of the instructions in an unstructured way (no for-loop, no clear argument passing in procedures, . . . ). No type , no naming . But, the binary file may enclose meta-data that might be helpful (symbols, debug, . . . ). Memory Dump : Pure assembler instructions with a full memory state of the current execution. We do not have anymore the meta-data of the executable file. E. Fleury (LaBRI, France) Binary Program Analysis: Theory and Practice June 13, 2013 5 / 46

  8. Input Program Formats for Analysis Abstract Model : All unnecessary information for the analysis have been removed. Only necessary information remains. Source Code : Keep track of high-level information about the program such as variables , types , functions . But also, variable and function names , and pragmas or code decorations . Bytecode : May vary depending on the bytecode considered, but keep track of few high-level information about the program such as types and functions . But, programs are unstructured . Binary File : Only keep track of the instructions in an unstructured way (no for-loop, no clear argument passing in procedures, . . . ). No type , no naming . But, the binary file may enclose meta-data that might be helpful (symbols, debug, . . . ). Memory Dump : Pure assembler instructions with a full memory state of the current execution. We do not have anymore the meta-data of the executable file. Binary code is the closest format of what will be executed ! E. Fleury (LaBRI, France) Binary Program Analysis: Theory and Practice June 13, 2013 5 / 46

  9. Why Analyze Binary Program? The Lack of High-Level Source Code Low-level assembly code built-in the source code Legacy code Commercial Off-the-shelf software (COTS) Application stores (for cell phones and tablets) Malware or any “ hostile ” programs Technology forecasting Mistrust in the Compilation Chain C compiler possibly buggy Optimization probably buggy, yet optimized code reduce hardware cost Checking low-level bugs (exploitability of a stack buffer-overflow) Bugs with a strong interconnection with hardware What you code is not what you execute 1 (see further example) 1 Inspired by G. Balakrishnan and T. Reps. E. Fleury (LaBRI, France) Binary Program Analysis: Theory and Practice June 13, 2013 6 / 46

  10. Binary Code vs. Source Code (1/3) We want to analyze binary code . It can come as: an executable file, an object file, a dynamic library, a firmware, a memory dump, . . . We don’t rely on getting the corresponding high-level source code . E. Fleury (LaBRI, France) Binary Program Analysis: Theory and Practice June 13, 2013 7 / 46

  11. Binary Code vs. Source Code (1/3) We want to analyze binary code . It can come as: an executable file, an object file, a dynamic library, a firmware, a memory dump, . . . We don’t rely on getting the corresponding high-level source code . Until now, most of the analysis techniques have been designed for source code analysis. So, what do we loose exactly at looking at binary programs only ? E. Fleury (LaBRI, France) Binary Program Analysis: Theory and Practice June 13, 2013 7 / 46

  12. Binary Code vs. Source Code (2/3) int Compile this to assembly addition(int x, int y) { Compile this to a binary object return x + y; Let’s compare those versions. } E. Fleury (LaBRI, France) Binary Program Analysis: Theory and Practice June 13, 2013 8 / 46

  13. Binary Code vs. Source Code (2/3) int Compile this to assembly addition(int x, int y) { Compile this to a binary object return x + y; Let’s compare those versions. } $ gcc -S -m32 addition-function.c .file "addition -function.c" .text .globl addition .type addition , @function addition: .LFB0: pushl %ebp movl %esp , %ebp movl 12(% ebp), %eax movl 8(% ebp), %edx addl %edx , %eax popl %ebp ret .LFE0: .size addition , .-addition .ident "GCC:␣(Debian␣4.7.3 -4)␣4.7.3" .section .note.GNU -stack ,"",@progbits E. Fleury (LaBRI, France) Binary Program Analysis: Theory and Practice June 13, 2013 8 / 46

  14. Binary Code vs. Source Code (2/3) int Compile this to assembly addition(int x, int y) { Compile this to a binary object return x + y; Let’s compare those versions. } $ gcc -S -m32 addition-function.c $ objdump -d addition-function.o .file "addition -function.c" addition - function.o : .text file format elf32 -i386 .globl addition .type addition , @function Disassembly of section .text: addition: .LFB0: 00000000 <addition >: pushl %ebp 0: 55 push %ebp movl %esp , %ebp 1: 89 e5 mov %esp ,% ebp movl 12(% ebp), %eax 3: 8b 45 0c mov 0xc(% ebp),%eax movl 8(% ebp), %edx 6: 8b 55 08 mov 0x8(% ebp),%edx addl %edx , %eax 9: 01 d0 add %edx ,% eax popl %ebp b: 5d pop %ebp ret c: c3 ret .LFE0: .size addition , .-addition .ident "GCC:␣(Debian␣4.7.3 -4)␣4.7.3" .section .note.GNU -stack ,"",@progbits E. Fleury (LaBRI, France) Binary Program Analysis: Theory and Practice June 13, 2013 8 / 46

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Be a Binary Rockst r An Introduction to Program Analysis with Binary Ninja Agenda

Be a Binary Rockst r An Introduction to Program Analysis with Binary Ninja Agenda

Be a Binary Rockst r An Introduction to Program Analysis with Binary Ninja Agenda Motivation Current State of Program Analysis Design Goals of Binja Program Analysis Building Tools 2 Motivation 3 Tooling - Concrete -&gt;

963 views • 77 slides
Theory or Practice? Theory : Without theory, practice is but routine born out of habit.

Theory or Practice? Theory : Without theory, practice is but routine born out of habit.

Theory or Practice? Theory : Without theory, practice is but routine born out of habit. Theory alone can bring forth and develop the spirit of inventions Louis Pasteur, 1822-1895 Practice : It is a capital mistake to theorize before

548 views • 42 slides
Computational Logic: (Constraint) Logic Programming Theory, practice, and implementation Program

Computational Logic: (Constraint) Logic Programming Theory, practice, and implementation Program

Computational Logic: (Constraint) Logic Programming Theory, practice, and implementation Program Analysis, Debugging, and Optimization A Tour of ciaopp : The Ciao Prolog Preprocessor Department of Artificial Intelligence School of Computer

694 views • 30 slides
QSynth - A Program Synthesis approach for Binary Code Deobfuscation Binary Analysis Workshop -

QSynth - A Program Synthesis approach for Binary Code Deobfuscation Binary Analysis Workshop -

QSynth - A Program Synthesis approach for Binary Code Deobfuscation Binary Analysis Workshop - NDSS Robin David &lt;rdavid@quarkslab.com&gt; Luigi Coniglio &lt;luigi.coniglio@studenti.unitn.it&gt; Mariano Ceccato &lt;mariano.ceccato@univr.it&gt;

1.12k views • 82 slides
The Binary Blocking Flow Algorithm Andrew V. Goldberg Microsoft Research Silicon Valley

The Binary Blocking Flow Algorithm Andrew V. Goldberg Microsoft Research Silicon Valley

The Binary Blocking Flow Algorithm Andrew V. Goldberg Microsoft Research Silicon Valley www.research.microsoft.com/ goldberg/ Theory vs. Practice In theory, there is no difference between theory and practice. Binary Blocking Flows

496 views • 26 slides
Theory-to-Practice Grant Program Presentation of Experience Form As set forth in the Guidelines

Theory-to-Practice Grant Program Presentation of Experience Form As set forth in the Guidelines

Theory-to-Practice Grant Program Presentation of Experience Form As set forth in the Guidelines and Instructions and in the Grant Agreement of the Theory-to- Practice Grant (TPG) Program, all grant recipients must present the results of their

426 views • 4 slides
Dyninst: A Binary Analysis and Modification Framework Jeffrey K. Hollingsworth Ray Chen

Dyninst: A Binary Analysis and Modification Framework Jeffrey K. Hollingsworth Ray Chen

Dyninst: A Binary Analysis and Modification Framework Jeffrey K. Hollingsworth Ray Chen University of Maryland Department of Computer Science University of Maryland Binary modification Behavior Attack Detection Analysis Binary Program

492 views • 24 slides
Experiences with the Carnegie Mellon Binary Analysis Platform (CMU BAP) Sam L. Thomas, CNRS,

Experiences with the Carnegie Mellon Binary Analysis Platform (CMU BAP) Sam L. Thomas, CNRS,

Experiences with the Carnegie Mellon Binary Analysis Platform (CMU BAP) Sam L. Thomas, CNRS, IRISA sam.thomas@irisa.fr Introduction - what is BAP? Binary analysis framework: For program analysis For (aiding) reverse engineering (plugin

667 views • 29 slides
Program analysis for security Two main classes Static: Operates on source or binary at

Program analysis for security Two main classes Static: Operates on source or binary at

Program analysis for security Two main classes Static: Operates on source or binary at rest Dynamic: Operates at runtime Also hybrids of the two Static: Examples Code review Grep Taint analysis Symbolic

726 views • 49 slides
practice theory for social change practice theory is not for social change in itself it has no

practice theory for social change practice theory is not for social change in itself it has no

practice theory for social change practice theory is not for social change in itself it has no internal normative content practice theory for understanding social change well demonstrated as enabling distinctive insight into change

536 views • 24 slides
University Of Bristol 1 What to talk about? 2 What to talk about? Theory vs Practice vs

University Of Bristol 1 What to talk about? 2 What to talk about? Theory vs Practice vs

(Or Living Between a Rock and a Hard Place) Nigel Smart University Of Bristol 1 What to talk about? 2 What to talk about? Theory vs Practice vs Theory and Practice A key problem is someones theory is someone elses practice,

1.66k views • 68 slides
From practice to theory and back again Tools for algorithms and programs In theory there is no

From practice to theory and back again Tools for algorithms and programs In theory there is no

From practice to theory and back again Tools for algorithms and programs In theory there is no difference between theory and practice, but We can time different methods, but how to compare timings? not in practice Different on different

450 views • 7 slides
DeepBinDiff : Learning Program-Wide Code Representations for Binary Diffing Yue Duan, Xuezixiang

DeepBinDiff : Learning Program-Wide Code Representations for Binary Diffing Yue Duan, Xuezixiang

DeepBinDiff : Learning Program-Wide Code Representations for Binary Diffing Yue Duan, Xuezixiang Li, Jinghan Wang, and Heng Yin 1 Motivation Binary Code Differential Analysis quantitatively measure the similarity between two given

507 views • 27 slides
The Ecology of Language Learning Practice to Theory - Theory to Practice DILIT - International

The Ecology of Language Learning Practice to Theory - Theory to Practice DILIT - International

The Ecology of Language Learning Practice to Theory - Theory to Practice DILIT - International House, Rome April 17-18, 2010 Leo van Lier Monterey Institute of International Studies lvanlier@miis.edu 1 1 The ecology has spoken! 2 2 All

421 views • 29 slides
Software Security Economics: Theory, in Practice An Exploratory Analysis Stephan

Software Security Economics: Theory, in Practice An Exploratory Analysis Stephan

Software Security Economics: Theory, in Practice An Exploratory Analysis Stephan Neuhaus&lt;neuhaust@tik.ee.ethz.ch&gt; Bernhard Plattner &lt;plattner@tik.ee.ethz.ch&gt; Thursday, June 28, 12 Making the Best Use of Cybersecurity Economic

498 views • 30 slides
THE CONCEPTUAL ANALYSIS AS A METHODOLOGICAL BASIS FOR THE CREATION OF A BEHAVIOURAL THEORY OF THE

THE CONCEPTUAL ANALYSIS AS A METHODOLOGICAL BASIS FOR THE CREATION OF A BEHAVIOURAL THEORY OF THE

International Annual Edition of Applied Psychology: Theory, Research, and Practice Volume 2, Issue 1, 2015. THE CONCEPTUAL ANALYSIS AS A METHODOLOGICAL BASIS FOR THE CREATION OF A BEHAVIOURAL THEORY OF THE FINANCIAL DECISION-MAKING UNDER

602 views • 15 slides
MEDIA SKILLS WORKSHOP SECTION 1: MEDIA INTRODUCTION OVERVIEW: SECTION 1 Tactics: Bridging,

MEDIA SKILLS WORKSHOP SECTION 1: MEDIA INTRODUCTION OVERVIEW: SECTION 1 Tactics: Bridging,

CIGI MEDIA SKILLS WORKSHOP SECTION 1: MEDIA INTRODUCTION OVERVIEW: SECTION 1 Tactics: Bridging, Hooking, Flagging, Touch and Go Ten tips DOs and DONTs General Interview Tips - Before, During, and After Final Thoughts THE

733 views • 57 slides
elausys.be ELECTRONIC &amp; AUTOMATION SYSTEMS Products Universal KNX Actuator System Switching

elausys.be ELECTRONIC &amp; AUTOMATION SYSTEMS Products Universal KNX Actuator System Switching

KNX MANUFACTURER Made in Belgium elausys.be ELECTRONIC &amp; AUTOMATION SYSTEMS Products Universal KNX Actuator System Switching | Shutter | Blind Control Products Universal KNX Actuator System Modular &amp; Extensible Rich Features

359 views • 13 slides
Good advising may be the single most underestimated characteristic of a successful college

Good advising may be the single most underestimated characteristic of a successful college

Good advising may be the single most underestimated characteristic of a successful college experience. Advisors play a critical role. They can ask a broad array of questions, and can make suggestions, that can affect students in a profound

355 views • 20 slides
XFINITY HOME June 2017 COMCAST Corporation (Nasdaq: CMCSA, CMCSK) A global media &amp; technology

XFINITY HOME June 2017 COMCAST Corporation (Nasdaq: CMCSA, CMCSK) A global media &amp; technology

XFINITY HOME June 2017 COMCAST Corporation (Nasdaq: CMCSA, CMCSK) A global media &amp; technology company 2 COMCAST CONFIDENTIAL XFINITY Home 7/1/2017 COMCAST XFINITY Experience XFINITY Internet Service XFINITY Home Speeds up

259 views • 11 slides
Detecting Similar Code Segments through Side Channel Leakage in Microcontrollers Peter Samarin 1 ,

Detecting Similar Code Segments through Side Channel Leakage in Microcontrollers Peter Samarin 1 ,

Detecting Similar Code Segments through Side Channel Leakage in Microcontrollers Peter Samarin 1 , 2 and Kerstin Lemke-Rust 1 Bonn-Rhein-Sieg University of Applied Sciences 1 Ruhr-Universitt Bochum 2 Germany November 29, 2017 Bonn-Rhein-Sieg

464 views • 33 slides
Fault-Channel Watermarks Peter Samarin 1 , 2 , Alexander Skripnik 1 , and Kerstin Lemke-Rust 1

Fault-Channel Watermarks Peter Samarin 1 , 2 , Alexander Skripnik 1 , and Kerstin Lemke-Rust 1

Fault-Channel Watermarks Peter Samarin 1 , 2 , Alexander Skripnik 1 , and Kerstin Lemke-Rust 1 Bonn-Rhein-Sieg University of Applied Sciences 1 Ruhr-Universitt Bochum 2 Germany 27 September 2016 Bonn-Rhein-Sieg University of Applied Sciences

310 views • 14 slides
Mapping the Dutch Critical Infrastructure Razvan C. Oprea Fahime Alizade Supervised by Benno

Mapping the Dutch Critical Infrastructure Razvan C. Oprea Fahime Alizade Supervised by Benno

Mapping the Dutch Critical Infrastructure Razvan C. Oprea Fahime Alizade Supervised by Benno Overeinder Wednesday, July 3, 13 The initial question Critical infrastructure sectors What is the network level representation of the critical

392 views • 24 slides
Mathematical Discourse Math Department Objectives Participants will: Understand what

Mathematical Discourse Math Department Objectives Participants will: Understand what

Mathematical Discourse Math Department Objectives Participants will: Understand what mathematical discourse is. Understand how to incorporate mathematical discourse in daily lessons. What Questions Did You Ask Today? Lets go to

276 views • 13 slides

More recommend