bincat
play

BinCAT Purrfecting binary static analysis June 16th 2017 - REcon - PowerPoint PPT Presentation

Jun 05, 2023 •279 likes •956 views

BinCAT Purrfecting binary static analysis June 16th 2017 - REcon Philippe Biondi, Raphal Rigo, Sarah Zennou, Xavier Mehrenberger Plan Introduction Demo Under the hood Conclusion 2 Biondi, Mehrenberger, Rigo, Zennou :: BinCAT Plan

  1. BinCAT Purrfecting binary static analysis June 16th 2017 - REcon Philippe Biondi, Raphaël Rigo, Sarah Zennou, Xavier Mehrenberger

  2. Plan Introduction Demo Under the hood Conclusion 2 Biondi, Mehrenberger, Rigo, Zennou :: BinCAT

  3. Plan Introduction Demo Under the hood Conclusion 3 Biondi, Mehrenberger, Rigo, Zennou :: BinCAT

  4. BinCAT ( Binary Code Analysis Toolkit ) . . . taint values analysis extensible x86 CFG with . . . indirect computed x86 jumps properties . . . types Binary . . . analyzer forward / static backward analysis theory IDA in- backed tegration 4 Biondi, Mehrenberger, Rigo, Zennou :: BinCAT

  5. BinCAT ( Binary Code Analysis Toolkit ) . . . taint values analysis extensible x86 CFG with . . . indirect computed x86 jumps properties . . . types Binary . . . analyzer forward / static backward analysis theory IDA in- backed tegration 5 Biondi, Mehrenberger, Rigo, Zennou :: BinCAT

  6. BinCAT ( Binary Code Analysis Toolkit ) . . . taint values analysis extensible x86 CFG with . . . indirect computed x86 jumps properties . . . types Binary . . . analyzer forward / static backward analysis theory IDA in- backed tegration 6 Biondi, Mehrenberger, Rigo, Zennou :: BinCAT

  7. BinCAT ( Binary Code Analysis Toolkit ) . . . taint values analysis extensible x86 CFG with . . . indirect computed x86 jumps properties . . . types Binary . . . analyzer forward / static backward analysis theory IDA in- backed tegration 7 Biondi, Mehrenberger, Rigo, Zennou :: BinCAT

  8. BinCAT ( Binary Code Analysis Toolkit ) . . . taint values analysis extensible x86 CFG with . . . indirect computed x86 jumps properties . . . types Binary . . . analyzer forward / static backward analysis theory IDA in- backed tegration 8 Biondi, Mehrenberger, Rigo, Zennou :: BinCAT

  9. BinCAT ( Binary Code Analysis Toolkit ) . . . taint values analysis extensible x86 CFG with . . . indirect computed x86 jumps properties . . . types Binary . . . analyzer forward / static backward analysis theory IDA in- backed tegration 9 Biondi, Mehrenberger, Rigo, Zennou :: BinCAT

  10. BinCAT ( Binary Code Analysis Toolkit ) . . . taint values analysis extensible x86 CFG with . . . indirect computed x86 jumps properties . . . types Binary . . . analyzer forward / static backward analysis theory IDA in- backed tegration 10 Biondi, Mehrenberger, Rigo, Zennou :: BinCAT

  11. BinCAT ( Binary Code Analysis Toolkit ) . . . taint values analysis extensible x86 CFG with . . . indirect computed x86 jumps properties . . . types Binary . . . analyzer forward / static backward analysis theory IDA in- backed tegration 11 Biondi, Mehrenberger, Rigo, Zennou :: BinCAT

  12. BinCAT ( Binary Code Analysis Toolkit ) . . . taint values analysis extensible x86 CFG with . . . inter- indirect computed mediate jumps properties language . . . types Binary . . . analyzer forward / static backward analysis theory IDA in- backed tegration 12 Biondi, Mehrenberger, Rigo, Zennou :: BinCAT

  13. BinCAT ( Binary Code Analysis Toolkit ) . . . taint values analysis extensible x86 CFG with . . . inter- indirect computed mediate jumps properties language . . . types Binary . . . analyzer forward / static backward analysis theory IDA in- backed tegration 13 Biondi, Mehrenberger, Rigo, Zennou :: BinCAT

  14. Plan Introduction Demo Under the hood Conclusion 14 Biondi, Mehrenberger, Rigo, Zennou :: BinCAT

  15. Example: keygenme $ ./get_key Usage: ./get_key company department name licence 15 Biondi, Mehrenberger, Rigo, Zennou :: BinCAT

  16. Example: keygenme $ ./get_key Usage: ./get_key company department name licence $ ./get_key company department name wrong_serial 16 Biondi, Mehrenberger, Rigo, Zennou :: BinCAT

  17. Example: keygenme $ ./get_key Usage: ./get_key company department name licence $ ./get_key company department name wrong_serial Licence=>[025E60CB08F00A1A23F236CC78FC819CE6590DD7] Invalid serial wrong_serial 17 Biondi, Mehrenberger, Rigo, Zennou :: BinCAT

  18. Example: keygenme $ ./get_key Usage: ./get_key company department name licence $ ./get_key company department name wrong_serial Licence=>[025E60CB08F00A1A23F236CC78FC819CE6590DD7] Invalid serial wrong_serial $ ./get_key company department name 025E60CB0[...] 18 Biondi, Mehrenberger, Rigo, Zennou :: BinCAT

  19. Example: keygenme $ ./get_key Usage: ./get_key company department name licence $ ./get_key company department name wrong_serial Licence=>[025E60CB08F00A1A23F236CC78FC819CE6590DD7] Invalid serial wrong_serial $ ./get_key company department name 025E60CB0[...] Licence=>[025E60CB08F00A1A23F236CC78FC819CE6590DD7] Thank you for registering ! 19 Biondi, Mehrenberger, Rigo, Zennou :: BinCAT

  20. Keygenme: data flow company name argv[0] department CRC CRC CRC CRC 20 Biondi, Mehrenberger, Rigo, Zennou :: BinCAT

  21. Keygenme: data flow company name argv[0] department CRC CRC CRC CRC mul 21 Biondi, Mehrenberger, Rigo, Zennou :: BinCAT

  22. Keygenme: data flow company name argv[0] department CRC CRC CRC CRC mul sprintf 22 Biondi, Mehrenberger, Rigo, Zennou :: BinCAT

  23. Keygenme: data flow company name argv[0] department CRC CRC CRC CRC mul sprintf 23 Biondi, Mehrenberger, Rigo, Zennou :: BinCAT

  24. Keygenme: data flow company name argv[0] department CRC CRC CRC CRC mul sprintf SHA-1 24 Biondi, Mehrenberger, Rigo, Zennou :: BinCAT

  25. Keygenme: data flow company name argv[0] department CRC CRC CRC CRC mul sprintf SHA-1 hex encode 25 Biondi, Mehrenberger, Rigo, Zennou :: BinCAT

  26. Keygenme: data flow company name argv[0] department CRC CRC CRC CRC mul sprintf SHA-1 hex encode license 26 Biondi, Mehrenberger, Rigo, Zennou :: BinCAT

  27. Demo 1: BinCAT usage 27 Biondi, Mehrenberger, Rigo, Zennou :: BinCAT

  28. Demo 2: Tainting 28 Biondi, Mehrenberger, Rigo, Zennou :: BinCAT

  29. Plan Introduction Demo Under the hood Conclusion 29 Biondi, Mehrenberger, Rigo, Zennou :: BinCAT

  30. Architecture IDA IDA plugin 30 Biondi, Mehrenberger, Rigo, Zennou :: BinCAT

  31. Architecture IDA IDA plugin bincat binary 31 Biondi, Mehrenberger, Rigo, Zennou :: BinCAT

  32. Architecture IDA config, binary... IDA plugin bincat binary 32 Biondi, Mehrenberger, Rigo, Zennou :: BinCAT

  33. Architecture local mode IDA config, binary... IDA plugin bincat binary results, logs 33 Biondi, Mehrenberger, Rigo, Zennou :: BinCAT

  34. Architecture remote mode IDA REST IDA plugin Web server bincat binary REST 34 Biondi, Mehrenberger, Rigo, Zennou :: BinCAT

  35. Architecture remote mode IDA REST IDA plugin Web server bincat binary REST 35 Biondi, Mehrenberger, Rigo, Zennou :: BinCAT

  36. Control flow graph reconstruction state 1 IP=0x08041236 EAX=0x00000000 EBX=0x87654321 mem[0x1000]=|323130| state 3 state 2 IP=0x0804143D EAX=0x12345678 EBX=0x8765432? mem[0x1000]=|303132| IP=0x08041238 EAX=0x00000000 EBX=0x87654321 mem[0x1000]=|303132| state 4 EIP=0x0804123C IP=0x0804123A EAX=0x12345678 EAX=0x0007FFFF EBX=0x87654321 ZF=1 mem[0x1000]=|303132| mem[0x1000]=|303132| 36 Biondi, Mehrenberger, Rigo, Zennou :: BinCAT

  37. Control flow graph reconstruction state 4 state 1 IP=0x08041236 EAX=0x00000000 EBX=0x87654321 mem[0x1000]=|323130| state 3 state 2 IP=0x0804143D EAX=0x12345678 EBX=0x8765432? mem[0x1000]=|303132| IP=0x08041238 EAX=0x00000000 EBX=0x87654321 mem[0x1000]=|303132| state 4 IP=0x0804123A EIP=0x0804123C EAX=0x0007FFFF EAX=0x12345678 ZF=1 EBX=0x87654321 mem[0x1000]=|303132| mem[0x1000]=|303132| IP=0x0804123A EIP=0x0804123C EAX=0x12345678 EAX=0x0007FFFF EBX=0x87654321 ZF=1 mem[0x1000]=|303132| mem[0x1000]=|303132| 37 Biondi, Mehrenberger, Rigo, Zennou :: BinCAT

  38. Control flow graph reconstruction Decoder s t n e m g state 1 e s , t IP=0x08041236 EAX=0x00000000 x EBX=0x87654321 mem[0x1000]=|323130| e t n o c state 3 , C state 2 P IP=0x0804143D EAX=0x12345678 EBX=0x8765432? mem[0x1000]=|303132| IP=0x08041238 EAX=0x00000000 EBX=0x87654321 mem[0x1000]=|303132| state 4 EIP=0x0804123C IP=0x0804123A EAX=0x12345678 EAX=0x0007FFFF ZF=1 EBX=0x87654321 mem[0x1000]=|303132| mem[0x1000]=|303132| 38 Biondi, Mehrenberger, Rigo, Zennou :: BinCAT

  39. Control flow graph reconstruction Decoder inc eax state 1 IP=0x08041236 EAX=0x00000000 EBX=0x87654321 mem[0x1000]=|323130| intermediate language eax ← (eax + 0x1); zf ← eax=0 ? 1: 0; sf ← (eax >> 0x1f)=1 ? 1: 0; . . . state 3 state 2 IP=0x0804143D EAX=0x12345678 EBX=0x8765432? mem[0x1000]=|303132| IP=0x08041238 EAX=0x00000000 EBX=0x87654321 mem[0x1000]=|303132| state 4 EIP=0x0804123C IP=0x0804123A EAX=0x12345678 EAX=0x0007FFFF ZF=1 EBX=0x87654321 mem[0x1000]=|303132| mem[0x1000]=|303132| 39 Biondi, Mehrenberger, Rigo, Zennou :: BinCAT

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

BinCAT Purrfecting binary static analysis 8 juin 2017 Philippe Biondi, Raphal Rigo, Sarah

BinCAT Purrfecting binary static analysis 8 juin 2017 Philippe Biondi, Raphal Rigo, Sarah

BinCAT Purrfecting binary static analysis 8 juin 2017 Philippe Biondi, Raphal Rigo, Sarah Zennou, Xavier Mehrenberger Plan Introduction Dmonstration Sous le capot Conclusion 2 Biondi, Mehrenberger, Rigo, Zennou :: BinCAT Plan

875 views • 66 slides
Huawei's story of leveraging GridGain as a distributed caching service on its public cloud

Huawei's story of leveraging GridGain as a distributed caching service on its public cloud

Huawei's story of leveraging GridGain as a distributed caching service on its public cloud environment Paul Chen Chief Architect, Cloud Services Research and Development, Huawei Technologies Canada Lab Agenda Huawei Public Cloud

343 views • 22 slides
1 Castle Biosciences provides molecular diagnostic solutions for patients with underserved and

1 Castle Biosciences provides molecular diagnostic solutions for patients with underserved and

Incorporating DecisionDx-Melanoma into Clinical Practice: Molecular Information for Personalized Management Decisions Eric D. Whitman, MD, FACS Medical Director, Atlantic Health System Cancer Care Director, Atlantic Melanoma Center Morristown

359 views • 9 slides
Aerosol, Clouds and the Southern Ocean From Cape Grim to the RV Investigator Melita Keywood and

Aerosol, Clouds and the Southern Ocean From Cape Grim to the RV Investigator Melita Keywood and

Aerosol, Clouds and the Southern Ocean From Cape Grim to the RV Investigator Melita Keywood and Alain Protat 20 May 2015 OCEANS AND ATMOSPHERE FLAGSHIP Poor simulation of Southern Ocean Clouds cloud over SO Satellite obs >0.8 in a band

701 views • 39 slides
Collaborative and Coordinated Integrative Cloud Services for Sustainable Development Dulei

Collaborative and Coordinated Integrative Cloud Services for Sustainable Development Dulei

Collaborative and Coordinated Integrative Cloud Services for Sustainable Development Dulei Huawei Cloud Huawei: Leading Global Provider of ICT Infrastructure and Smart Devices 188,000 80,000+ 170+ 68 in 72 in Interbrand's Employees R&D

446 views • 16 slides
Metrics for Differential Privacy in Concurrent Systems Lili Xu 1 , 3 , 4 , Konstantinos

Metrics for Differential Privacy in Concurrent Systems Lili Xu 1 , 3 , 4 , Konstantinos

Introduction Two Pseudometrics Non-expansive Process Operators An application to the Dining Cryptographers Protocol Summary Metrics for Differential Privacy in Concurrent Systems Lili Xu 1 , 3 , 4 , Konstantinos Chatzikokolakis 2 , 3 , Huimin

608 views • 49 slides
What does respectful maternal care look like? Better Maternal Outcomes: IHI Rapid Improvement

What does respectful maternal care look like? Better Maternal Outcomes: IHI Rapid Improvement

1 What does respectful maternal care look like? Better Maternal Outcomes: IHI Rapid Improvement Network Informational Call for Wave 3 March 18, 2020 WebEx Quick Reference 3 Please use chat to All Participants for discussion

526 views • 34 slides
29th Annual The Medical Management of HIV/AIDS and Hepatitis December 79, 2017 Park Central

29th Annual The Medical Management of HIV/AIDS and Hepatitis December 79, 2017 Park Central

HIV, ID and Global Medicine Division Zuckerberg San Francisco General Hospital and Trauma Center Department of Medicine University of California, San Francisco, School of Medicine presents 29th Annual The Medical Management of HIV/AIDS and

305 views • 12 slides
Patient Centered Medical Home primary care that facilitates partnerships between individual

Patient Centered Medical Home primary care that facilitates partnerships between individual

10/1/2013 What is a Patient Centered Medical Home (PCMH)? "an approach to providing comprehensive Patient Centered Medical Home primary care that facilitates partnerships between individual patients, and their personal providers, and when

538 views • 7 slides
Engaging the Clinical Team October 5, 2016 We Want To Hear From You! Type questions into the

Engaging the Clinical Team October 5, 2016 We Want To Hear From You! Type questions into the

Depression Screening & Treatment in Primary Care, Part Two: Workflow and Engaging the Clinical Team October 5, 2016 We Want To Hear From You! Type questions into the Questions Pane at any time during this presentation Patient-Centered

623 views • 46 slides
AMM STRATEGIC DIRECTION 2015 2015 AMM Officers President: Fabien Savenay, Wolters Kluwer

AMM STRATEGIC DIRECTION 2015 2015 AMM Officers President: Fabien Savenay, Wolters Kluwer

AMM STRATEGIC DIRECTION 2015 2015 AMM Officers President: Fabien Savenay, Wolters Kluwer President Elect, Lori Raskin, Frontline Medical Communications Treasurer, Jack Angel, Coalition for Healthcare Communications Secretary,

140 views • 12 slides
IHS Prescription Drug Abuse Workgroup Report Out 2016 National Combined Councils June 23, 2016

IHS Prescription Drug Abuse Workgroup Report Out 2016 National Combined Councils June 23, 2016

IHS Prescription Drug Abuse Workgroup Report Out 2016 National Combined Councils June 23, 2016 History--Purpose/Overview Recognizing that prescription drug abuse and deaths due to overdose from prescription medications is a national

971 views • 85 slides
Warm Up Activity True or False Vaping in Minnesota 1. You can vape/JUUL at school. 2. You must

Warm Up Activity True or False Vaping in Minnesota 1. You can vape/JUUL at school. 2. You must

Warm Up Activity True or False Vaping in Minnesota 1. You can vape/JUUL at school. 2. You must be 18 to buy a vape/JUUL. 3. Stores are not allowed to sell vapes/JUULs to someone under 18. 4. You can buy vapes in vending machines. 5. JUULs

470 views • 27 slides
Talking with Parents about Vaccines for Infants Tuesday, August 14, 2018 12:00 PM ET In Case of

Talking with Parents about Vaccines for Infants Tuesday, August 14, 2018 12:00 PM ET In Case of

8/14/2018 Talking with Parents about Vaccines for Infants Tuesday, August 14, 2018 12:00 PM ET In Case of Technical Difficulties If you hear an echo: Make sure you are only logged in once on your computer Select one form of audio only

261 views • 24 slides
Finding and Evaluating Finding and Evaluating Medical I nformation on Medical I nformation on

Finding and Evaluating Finding and Evaluating Medical I nformation on Medical I nformation on

Finding and Evaluating Finding and Evaluating Medical I nformation on Medical I nformation on the I nternet the I nternet Peter J. Ziemkowski, MD Peter J. Ziemkowski, MD MSU/Kalamazoo Center for Medical Studies MSU/Kalamazoo Center for

372 views • 22 slides
Care Coordination for Kids A webinar brought to you by the National Center for Medical Home

Care Coordination for Kids A webinar brought to you by the National Center for Medical Home

Care Coordination for Kids A webinar brought to you by the National Center for Medical Home Implementation School Nurses Linking with the Medical Home May 25, 2016 12:30 pm Central This project is supported by the Health Resources and Services

741 views • 39 slides
Cessation Facts and Myths about Smokers with Chemical Dependency, Mental Health Conditions, and

Cessation Facts and Myths about Smokers with Chemical Dependency, Mental Health Conditions, and

Cessation Facts and Myths about Smokers with Chemical Dependency, Mental Health Conditions, and Homelessness Kolawole S. Okuyemi, MD, MPH, Professor of Family Medicine Director, Program in Health Disparities Research, Director, Minnesota

433 views • 39 slides
Pharmacists Provided Medication Therapy Management: A Patients Ally Against Chronic Diseases

Pharmacists Provided Medication Therapy Management: A Patients Ally Against Chronic Diseases

Pharmacists Provided Medication Therapy Management: A Patients Ally Against Chronic Diseases Presented by: Kisha Gant, PharmD, BCACP, BCGP, BCPS Clinical Coordinator, Pharmacy Slidell Memorial Hospital Continuing Education This Live

661 views • 65 slides
ACIP COVID-19 Vaccines Work Group Dr. Beth Bell, Work Group Chair June 24, 2020 For more

ACIP COVID-19 Vaccines Work Group Dr. Beth Bell, Work Group Chair June 24, 2020 For more

ACIP COVID-19 Vaccines Work Group Dr. Beth Bell, Work Group Chair June 24, 2020 For more information: www.cdc.gov/COVID19 COVID-19 vaccination in the United States Need for equitable access to safe and effective vaccines and evidence -based

395 views • 11 slides
CMS Innovation and Health Care Delivery System Reform Patrick Conway, MD, MSc Acting Principal

CMS Innovation and Health Care Delivery System Reform Patrick Conway, MD, MSc Acting Principal

CMS Innovation and Health Care Delivery System Reform Patrick Conway, MD, MSc Acting Principal Deputy Administrator and Chief Medical Officer Deputy Administrator for Innovation and Quality Director, Center for Medicare and Medicaid

383 views • 37 slides
Click to edit Master title Are You on Track? style Diagnostic Test Results, Consults and

Click to edit Master title Are You on Track? style Diagnostic Test Results, Consults and

Click to edit Master title Are You on Track? style Diagnostic Test Results, Consults and Referrals Click to edit Master subtitle style EXPLORE Conference August 9 , 2018 8/5/2018 1 EXPLORE August 9, 2018 Click to edit Master title

426 views • 40 slides
Physician-Assisted Suicide ~An Examination of Ethics and Dignity at the End of Life~ Breanne

Physician-Assisted Suicide ~An Examination of Ethics and Dignity at the End of Life~ Breanne

Physician-Assisted Suicide ~An Examination of Ethics and Dignity at the End of Life~ Breanne Parets The Hippocratic Oath I will neither give a deadly drug to anybody who asked for it, nor will I make a suggestion to this effect

607 views • 33 slides
NAM Action Collaborative on Clinician Well-Being and Resilience February 2, 2018 Webinar

NAM Action Collaborative on Clinician Well-Being and Resilience February 2, 2018 Webinar

NAM Action Collaborative on Clinician Well-Being and Resilience February 2, 2018 Webinar Presenters Charlee Alexander , Director, Action Collaborative on Clinician Well-Being and Resilience, National Academy o of Medicine Neil Busis ,

506 views • 28 slides
Strengths and Challenges Facing the Basic and Advanced Practice Nursing Workforce Navigating

Strengths and Challenges Facing the Basic and Advanced Practice Nursing Workforce Navigating

Strengths and Challenges Facing the Basic and Advanced Practice Nursing Workforce Navigating Uncertainty in the US Health Care system THE 25 th PINCETON CONFERENCE Peter Buerhaus, PhD, RN, FAAN, FAANP(h) Professor of Nursing and Director

483 views • 30 slides

More recommend