BinCAT Purrfecting binary static analysis June 16th 2017 - REcon - - PowerPoint PPT Presentation

BinCAT

Purrfecting binary static analysis

June 16th 2017 - REcon

Plan

Introduction Demo Under the hood Conclusion

2

Plan

Introduction Demo Under the hood Conclusion

3

BinCAT (Binary Code Analysis Toolkit)

Binary analyzer

4

BinCAT (Binary Code Analysis Toolkit)

Binary analyzer

5

BinCAT (Binary Code Analysis Toolkit)

Binary analyzer

6

BinCAT (Binary Code Analysis Toolkit)

Binary analyzer

7

BinCAT (Binary Code Analysis Toolkit)

Binary analyzer

8

BinCAT (Binary Code Analysis Toolkit)

Binary analyzer

9

BinCAT (Binary Code Analysis Toolkit)

Binary analyzer

10

BinCAT (Binary Code Analysis Toolkit)

Binary analyzer

11

BinCAT (Binary Code Analysis Toolkit)

Binary analyzer

12

BinCAT (Binary Code Analysis Toolkit)

Binary analyzer

13

Plan

Introduction Demo Under the hood Conclusion

14

Example: keygenme

$ ./get_key Usage: ./get_key company department name licence

15

Example: keygenme

$ ./get_key Usage: ./get_key company department name licence $ ./get_key company department name wrong_serial

16

Example: keygenme

$ ./get_key Usage: ./get_key company department name licence $ ./get_key company department name wrong_serial Licence=>[025E60CB08F00A1A23F236CC78FC819CE6590DD7] Invalid serial wrong_serial

17

Example: keygenme

$ ./get_key Usage: ./get_key company department name licence $ ./get_key company department name wrong_serial Licence=>[025E60CB08F00A1A23F236CC78FC819CE6590DD7] Invalid serial wrong_serial $ ./get_key company department name 025E60CB0[...]

18

Example: keygenme

$ ./get_key Usage: ./get_key company department name licence $ ./get_key company department name wrong_serial Licence=>[025E60CB08F00A1A23F236CC78FC819CE6590DD7] Invalid serial wrong_serial $ ./get_key company department name 025E60CB0[...] Licence=>[025E60CB08F00A1A23F236CC78FC819CE6590DD7] Thank you for registering !

19

Keygenme: data flow

argv[0] department company name CRC CRC CRC CRC

20

Keygenme: data flow

argv[0] department company name CRC CRC CRC CRC mul

21

Keygenme: data flow

argv[0] department company name CRC CRC CRC CRC mul sprintf

22

Keygenme: data flow

argv[0] department company name CRC CRC CRC CRC mul sprintf

23

Keygenme: data flow

argv[0] department company name CRC CRC CRC CRC mul sprintf SHA-1

24

Keygenme: data flow

argv[0] department company name CRC CRC CRC CRC mul sprintf SHA-1 hex encode

25

Keygenme: data flow

argv[0] department company name CRC CRC CRC CRC mul sprintf SHA-1 hex encode license

26

Demo 1: BinCAT usage

27

Demo 2: Tainting

28

Plan

Introduction Demo Under the hood Conclusion

29

Architecture

IDA plugin IDA

30

Architecture

IDA plugin IDA bincat binary

31

Architecture

IDA plugin IDA bincat binary config, binary...

32

Architecture

IDA plugin local mode IDA bincat binary config, binary... results, logs

33

Architecture

IDA plugin remote mode IDA bincat binary Web server REST REST

34

Architecture

IDA plugin remote mode IDA bincat binary Web server REST REST

35

Control flow graph reconstruction

state1 state2 state3 state4

36

Control flow graph reconstruction

state1 state2 state3 state4

state4

IP=0x0804123A EAX=0x12345678 EBX=0x87654321 mem[0x1000]=|303132| EIP=0x0804123C EAX=0x0007FFFF ZF=1 mem[0x1000]=|303132|

37

Control flow graph reconstruction

state1 state2 state3 state4

Decoder P C , c

• n

t e x t , s e g m e n t s

38

Control flow graph reconstruction

state1 state2 state3 state4

Decoder intermediate language

inc eax

39

Control flow graph reconstruction

state1 state2 state3 state4

Decoder intermediate language

inc eax

language

eax ← (eax + 0x1); zf ← eax=0 ? 1: 0; sf ← (eax >> 0x1f)=1 ? 1: 0; . . .

40

Control flow graph reconstruction

state1 state2 state3 state4

Decoder intermediate language

State generator

41

Control flow graph reconstruction

state1 state2 state3 state4

Decoder State generator state5

42

Control flow graph reconstruction

state1 state2 state3 state4

Decoder State generator state5

state4

IP=0x0804123A EAX=0x12345678 EBX=0x87654321 mem[0x1000]=|303132| EIP=0x0804123C EAX=0x0007FFFF ZF=1 mem[0x1000]=|303132|

state5

EIP=0x0804123D EAX=0x00080000 ZF=0 mem[0x1000]=|303132|

43

Control flow graph reconstruction

state1 state2 state3 state4 state5

Decoder State generator state5

i f n e w

44

Formal correctness: static analysis by abstract interpretation

• operations on values/taint/types are done on abstract objects which

represent sets of values/taint/types ex: 0 ≡ {0}, ? ≡ {integers}, Struct ≡ {C structs}

• abstract computations are always an overapproximation of actual ones
• approximation example: loop widening (∇)

45

Formal correctness: static analysis by abstract interpretation

• operations on values/taint/types are done on abstract objects which

represent sets of values/taint/types ex: 0 ≡ {0}, ? ≡ {integers}, Struct ≡ {C structs}

• abstract computations are always an overapproximation of actual ones
• approximation example: loop widening (∇)

s1: esi = 0x1000, uint32* while esi < 0x8000

• esi = esi + 4

46

Formal correctness: static analysis by abstract interpretation

• operations on values/taint/types are done on abstract objects which

represent sets of values/taint/types ex: 0 ≡ {0}, ? ≡ {integers}, Struct ≡ {C structs}

• abstract computations are always an overapproximation of actual ones
• approximation example: loop widening (∇)

s1: esi = 0x1000, uint32* s2: esi = 0x1004, uint32* s′

esi = 0x????????, uint32* while esi < 0x8000

• esi = esi + 4
• Idea:
• what is stable is kept

• what changes is
• verapproximated

47

Formal correctness: static analysis by abstract interpretation

• operations on values/taint/types are done on abstract objects which

represent sets of values/taint/types ex: 0 ≡ {0}, ? ≡ {integers}, Struct ≡ {C structs}

• abstract computations are always an overapproximation of actual ones
• approximation example: loop widening (∇)

s1: esi = 0x1000, uint32* s2: esi = 0x1004, uint32* s′

esi = 0x????????, uint32* s3: esi = 0x????????, uint32* s′

esi = 0x????????, uint32* while esi < 0x8000

• esi = esi + 4
• Idea:
• what is stable is kept

• what changes is
• verapproximated

48

Formal correctness: static analysis by abstract interpretation

• operations on values/taint/types are done on abstract objects which

represent sets of values/taint/types ex: 0 ≡ {0}, ? ≡ {integers}, Struct ≡ {C structs}

• abstract computations are always an overapproximation of actual ones
• approximation example: loop widening (∇)

s1: esi = 0x1000, uint32* s2: esi = 0x1004, uint32* s′

esi = 0x????????, uint32* s3: esi = 0x????????, uint32* s′

esi = 0x????????, uint32* s2 s3 sn ⊑ ⊑ ⊑ while esi < 0x8000

• esi = esi + 4
• Idea:
• what is stable is kept

• what changes is
• verapproximated

• Theorem 1: (s′

ultimately stationary

• Theorem 2: fixpoint s′

• verapproximation of the real

execution trace

49

Formal correctness: static analysis by abstract interpretation

• operations on values/taint/types are done on abstract objects which

represent sets of values/taint/types ex: 0 ≡ {0}, ? ≡ {integers}, Struct ≡ {C structs}

• abstract computations are always an overapproximation of actual ones
• approximation example: loop widening (∇)

s1: esi = 0x1000, uint32* s2: esi = 0x1004, uint32* s′

esi = 0x????????, uint32* s3: esi = 0x????????, uint32* s′

esi = 0x????????, uint32* s2 s3 sn ⊑ ⊑ ⊑ while esi < 0x8000

• esi = esi + 4
• Idea:
• what is stable is kept

• what changes is
• verapproximated

• Theorem 1: (s′

ultimately stationary

• Theorem 2: fixpoint s′

• verapproximation of the real

execution trace

• some techniques allow for precision

recovery

50

Empirical testing

• Theory is correct.

51

Empirical testing

• Theory is correct.
• In theory, the implementation too.

52

Empirical testing

• Theory is correct.
• In theory, the implementation too.
• In practice, a lot of things are complex and bug prone: the decoder,

abstract operations, etc.

53

Empirical testing

• Theory is correct.
• In theory, the implementation too.
• In practice, a lot of things are complex and bug prone: the decoder,

abstract operations, etc. = ⇒ lots of unit tests

54

Empirical testing

• Theory is correct.
• In theory, the implementation too.
• In practice, a lot of things are complex and bug prone: the decoder,

abstract operations, etc. = ⇒ lots of unit tests

• BinCAT vs CPU: > 67.000 tests for ≃ 55 instructions

55

Empirical testing

• Theory is correct.
• In theory, the implementation too.
• In practice, a lot of things are complex and bug prone: the decoder,

abstract operations, etc. = ⇒ lots of unit tests

• BinCAT vs CPU: > 67.000 tests for ≃ 55 instructions
• BinCAT vs QEMU test-i386: 87% test coverage over ≃ 105 instructions

56

Empirical testing

• Theory is correct.
• In theory, the implementation too.
• In practice, a lot of things are complex and bug prone: the decoder,

abstract operations, etc. = ⇒ lots of unit tests

• BinCAT vs CPU: > 67.000 tests for ≃ 55 instructions
• BinCAT vs QEMU test-i386: 87% test coverage over ≃ 105 instructions

57

Analyzer’s performance

Example: keygenme

• 6407 instructions analyzed
• RAM usage: 90 MiB
• running time: 6s
• average: ≃ 1060 insn/s

QEMU tests:

• 209 120 instructions analyzed
• RAM usage: 2.3 GiB
• running time: 23 min 30 s
• average: ≃ 150 insn/s

58

Plan

Introduction Demo Under the hood Conclusion

59

Conclusion

Binary analyzer

60

Current features improvements (planned)

• better type reconstruction
• new types from heuristics. Ex:

• several distinct taint sources
• more precise computations in

backward analysis

• more standard library functions

models

• type and value override in IDA
• memory definition directly in IDA

61

Future features

• bject

• finer approximations in values computation by using intervals
• complex objects reconstruction (C++)
• x86-64 and ARM decoders

62

Thanks!

Full paper (link in README):

• project was partially financed by DGA-MI
• Get it! (AGPL licence)

https://github.com/airbus-seclab/bincat docker run -p 5000:5000 airbusseclab/bincat tutorial in doc/tutorial.md

63

x86 coverage

ADD PUSH ES POP ESOR PUSH CS 2 bytes

ADC PUSH SS POP SSSBB PUSH DS POP DS AND ES: DAASUB CS: DAS XOR SS: AAACMP DS: AAS

INCDEC

PUSHPOP

JNO JNO JB JNB JZ JNZ JBE JA JS JNS JP JNP JL JNL JLE JNLE

Grp1 Grp1 Grp1 TEST XCHGMOV LEA MOV POP

NOP XCHG EAX CWD CDQ CALL WAIT PUSHF POPF SAHF LAHF

MOV EAX MOVS CMPS TEST STOS LODS SCAS

MOV

SHIFT RETN LES LDS MOV ENTER LEAVE RETF INT3 INT INTO IRETD

Grp2 AAM AAD SALC XLATFPU

LOCK: INT1 REPNE: REP: HLT CMC Grp3 CLC STC CLI STI CLD STD Grp4 Grp5

64

x86 coverage - Second table Grp6 Grp7 LAR LSL

CLTS INVD WBINVD

UD2 NOP

SSE PrefetchSSE1 HINT NOP

MOV CR DR

SSE

SSE

CMOV

SSE

MMX SSE

MMX SSE VMX

MMX SSE

JNO JNO JB JNB JZ JNZ JBE JA JS JNS JP JNP JL JNL JLE JNLE

CMPXCHG LSS BTR LFS LGS MOVZX POPCNT UD BTx BTC BSF BSR MOVSX

XADDSSE CMPXCHGBSWAP

MMX SSE MMX SSE

MMX SSE

65

Currently implemented lattices

⊤ . . . ⊥ 7

• 4

. . . . . . very precise less precise ⊑ ⊤ untainted tainted ⊥ ⊤ int struct . . . . . . int32 uint32 ⊥ very precise less precise ⊑

66