binrec attack surface reduction through dynamic binary
play

BinRec: Attack Surface Reduction Through Dynamic Binary Recovery - PowerPoint PPT Presentation

May 08, 2023 •1.9k likes •2.55k views

BinRec: Attack Surface Reduction Through Dynamic Binary Recovery Taddeus Kroes, Anil Altinay, Joseph Nash, Yeoul Na, Stijn Volckaert, Herbert Bos, Michael Franz, Cristiano Giuffrida October 19, 2018 Attack Surface Reduction x =

  1. BinRec: Attack Surface Reduction Through Dynamic Binary Recovery Taddeus Kroes, Anil Altinay, Joseph Nash, Yeoul Na, Stijn Volckaert, Herbert Bos, Michael Franz, Cristiano Giuffrida October 19, 2018

  2. Attack Surface Reduction x = getenv(“SET_ME”); if (x) cold_code(); hot_code(); 2

  3. Attack Surface Reduction x = getenv(“SET_ME”); if (x) Buggy features cold_code(); hot_code(); ROP gadgets 3

  4. Attack Surface Reduction x = getenv(“SET_ME”); if (x) Remove unwanted features cold_code(); hot_code(); d e c u d e r e a c r f u s k c a t A t e d o c d e s t e t l - e l w o t 4

  5. Attack Surface Reduction setme_str: .asciz: “SET_ME” push setme_str call getenv Want to work on cmp eax, 0 COTS binaries je main call cold_code main: call hot_code 5

  6. Static approach Input Transformed Transform binary binary 6

  7. Static approach Input Transformed Transform binary binary i n c o m p l e t e d i s a s s e m b l y PIC? obfuscated? 7

  8. Static approach w contains cold h i c h c o d e i s code r e a c h e d ? Input Transformed Transform binary binary i n c o m p l e t e d i s a s s e m b l y PIC? obfuscated? 8

  9. Dynamic approach by BinRec e s c i r e p y b l m e s s a s d i Input Transformed Execute Transform binary binary only hot code 9

  10. Dynamic approach by BinRec Recovery Input Recovered Execute Transform binary binary 10

  11. Dynamic approach by BinRec Recovery Input Recovered Execute Transform binary binary can we make this more generic? 11

  12. BinRec goal: complex binary transformation many applications Attack Surface Reduction / Binary rejuvenation / Input Recovered Execute binary Profile-guided binary optimization / (De)obfuscation / ISA retargeting 12

  13. BinRec goal: complex binary transformation many applications Attack Surface Reduction / Binary rejuvenation / Input Recovered Execute binary Profile-guided binary optimization / (De)obfuscation / ISA retargeting s e r u i q e r l e v e l - h g i h ! e d o c 13

  14. BinRec design Compiler IR Transform Machine Code Input Recovered Execute binary binary 14

  15. BinRec design Compiler IR Transform Lift Lower Machine Code Input Recovered Execute binary binary 15

  16. BinRec design Compiler IR Transform Lift Lower Machine Code Input Recovered Execute binary binary Sometimes we want more code coverage than a single code path 16

  17. BinRec design Compiler IR Transform Lift Lower Machine Code Input Symbolic Recovered binary execution binary Run with “symbolic” input and follow both sides of a branch 17

  18. BinRec design Compiler IR Transform Lift Lower Machine Code Input Symbolic Recovered binary execution binary Want to support multiple architectures Need to observe each instruction 18

  19. BinRec design Compiler IR Transform Lift in VM Lower Machine Code Input Symbolic Recovered binary execution binary , V M i n t e u l a E m I R t o n s c t i o r u n s t e i s l a t a n t r 19

  20. BinRec design Compiler IR Transform Lift in VM Lower Machine Code Input Symbolic Recovered binary execution binary 20

  21. BinRec design Compiler IR Transform Lift in VM Compile Machine Code Input Symbolic Recovered binary execution binary J u s t u s e t h e c o m p i l e r 21

  22. BinRec design Compiler IR Transform Lift in VM Compile Machine Code Input Symbolic Recovered binary execution binary 22

  23. BinRec design Compiler IR Transform Lift in VM Compile Machine Code Input Symbolic Recovered binary execution binary What about unlifted code paths? ... if (getenv(“SET_ME”)) { puts(“thanks!”); // not recovered! } ... 23

  24. BinRec design Compiler IR Transform Lift in VM Compile Machine Code Input Symbolic Recovered binary execution binary What about unlifted code paths? 1. do nothing (breaks conservative behavior) ... getenv(“SET_ME”); ... 24

  25. BinRec design Compiler IR Transform Add errors Lift in VM Compile Machine Code Input Symbolic Recovered binary execution binary What about unlifted code paths? 2. yield error ... if (getenv(“SET_ME”)) { abort(); } ... 25

  26. BinRec design Compiler IR Transform Add errors / fallbacks Lift in VM Compile Machine Code Input Symbolic Recovered binary execution binary What about unlifted code paths? 3. fallback to old code ... if (getenv(“SET_ME”)) { goto old_code_address; } ... 26

  27. BinRec design Compiler IR Transform Add errors / fallbacks Lift in VM Compile Machine Code Input Symbolic Recovered binary execution binary R e f e r e n c e s d a t a f r o m i n p u t b i n a r y 27

  28. BinRec design Compiler IR Transform Add errors / fallbacks Lift in VM Compile Machine Code Link data sections Input Symbolic Recovered binary execution binary 28

  29. BinRec design Compiler IR Transform Add errors / fallbacks Lift in VM Compile Machine Code Link data sections Input Symbolic Recovered binary execution binary IR interacts with VM runtime 29

  30. BinRec design Compiler IR Transform Add errors / fallbacks Lift in VM Compile Machine Code Link data sections Input Symbolic Recovered binary execution binary IR interacts with VM runtime // machine code // Lifted code emit_event(BASIC_BLOCK_START) 0x1000: cpu_state.pc = 0x1000 add ebx, 1 ebx = &cpu_state.registers[R_EBX] jmp 0x1234 *ebx = *ebx + 1 cpu_state.icount++ cpu_state.pc = 0x1234 30 emit_event(BASIC_BLOCK_END)

  31. BinRec design Compiler IR Transform Add errors / fallbacks Lift in VM Compile Machine Code Link data sections Input Symbolic Recovered binary execution binary // machine code // Lifted code emit_event(BASIC_BLOCK_START) 0x1000: cpu_state.pc = 0x1000 add ebx, 1 events, counters ebx = &cpu_state.registers[R_EBX] jmp 0x1234 *ebx = *ebx + 1 cpu_state.icount++ cpu_state.pc = 0x1234 31 emit_event(BASIC_BLOCK_END)

  32. BinRec design Compiler IR Transform Strip emulation Add errors / fallbacks Lift in VM Compile Machine Code Link data sections Input Symbolic Recovered binary execution binary // machine code // Lifted code emit_event(BASIC_BLOCK_START) 0x1000: cpu_state.pc = 0x1000 add ebx, 1 control flow through ebx = &cpu_state.registers[R_EBX] jmp 0x1234 virtual program counter *ebx = *ebx + 1 cpu_state.icount++ registers in CPU state cpu_state.pc = 0x1234 32 emit_event(BASIC_BLOCK_END)

  33. BinRec design Compiler IR Transform Strip emulation Add errors / fallbacks Lift in VM Compile Machine Code Link data sections Input Symbolic Recovered binary execution binary // machine code // Lifted code // stripped code emit_event(BASIC_BLOCK_START) 0x1000: global ebx cpu_state.pc = 0x1000 add ebx, 1 lifted_1000: ebx = &cpu_state.registers[R_EBX] jmp 0x1234 ebx = ebx + 1 *ebx = *ebx + 1 goto lifted_1234 cpu_state.icount++ cpu_state.pc = 0x1234 33 emit_event(BASIC_BLOCK_END)

  34. BinRec design Compiler IR Transform Pre-process Post-process Strip emulation Add errors / fallbacks Lift in VM Compile Machine Code Link data sections Input Symbolic Recovered binary execution binary Needed to prevent over-optimization during transformations (details in paper) 34

  35. This is quite bit of code 35

  36. Implementation Transform Pre-process Post-process Strip emulation Add errors / fallbacks Lift in VM Compile Link data sections Input Symbolic Recovered binary execution binary 36

  37. Implementation Transform Pre-process Post-process Strip emulation Add errors / fallbacks Lift in VM Compile Link data sections S 2 E Input Symbolic Recovered binary execution binary 37

  38. Implementation LLVM Transform Pre-process Post-process Strip emulation Add errors / fallbacks Lift in VM Compile Link data sections S 2 E Input Symbolic Recovered binary execution binary 38

  39. Implementation LLVM Transform Pre-process Post-process Strip emulation Add errors / fallbacks Lift in VM Compile Binutils Link data sections S 2 E Input Symbolic Recovered binary execution binary Bash + Python 39

  40. Case study 40

  41. Transform Pre-process Post-process Strip emulation Add errors / fallbacks Lift in VM Compile Link data sections Input Symbolic Recovered binary execution binary // ab.c int main(int argc, char **argv) { char a = argv[1][0]; char b = argv[1][1]; if (a == 'a') { if (b == 'b') { puts("You entered \"ab\""); } } return 0; } 41

  42. Transform Pre-process Post-process Strip emulation Add errors / fallbacks Lift in VM Compile Link data sections Input Symbolic Recovered binary execution binary 42

  43. Transform Pre-process Post-process Strip emulation Add errors / fallbacks Lift in VM Compile Link data sections Input Symbolic Recovered binary execution binary Raw code is heavily instrumented - event triggers - instruction counter - program counter, registers, flags, etc. stored in CPU state in memory 43

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

BinRec: Dynamic Binary Lifting and Recompilation Anil Altinay , Joseph Nash , Taddeus

BinRec: Dynamic Binary Lifting and Recompilation Anil Altinay , Joseph Nash , Taddeus

BinRec: Dynamic Binary Lifting and Recompilation Anil Altinay , Joseph Nash , Taddeus Kroes Prabhu Rajasekaran, Dixin Zhou, Adrian Dabrowski, David Gens, Yeoul Na, Stijn Volckaert, Cristiano Giuffrida, Herbert Bos, Michael Franz

457 views • 32 slides
HI-CFG: Construction by Dynamic Binary Analysis, and Application to Attack Polymorphism Dan

HI-CFG: Construction by Dynamic Binary Analysis, and Application to Attack Polymorphism Dan

HI-CFG: Construction by Dynamic Binary Analysis, and Application to Attack Polymorphism Dan Caselden, Alex Bazhanyuk, Mathias Payer , Stephen McCamant, Dawn Song, UC Berkeley Recovering Information Knowledge of information (data) flow and

694 views • 32 slides
The cyber attack surface of the aerospace industry Andy Davis, Transport Assurance Practice

The cyber attack surface of the aerospace industry Andy Davis, Transport Assurance Practice

The cyber attack surface of the aerospace industry Andy Davis, Transport Assurance Practice Director Global experts in cyber security & risk mitigation Agenda Space attack surface overview Attacks against terrestrial assets

310 views • 30 slides
TCPDB.DAT case Archive file signatures Attack surface Attack vectors Defense Conclusions P A

TCPDB.DAT case Archive file signatures Attack surface Attack vectors Defense Conclusions P A

Introduction Motivation SAP compression algorithms Archive file programs SAP archive file formats CAR SAR v2.00 SAR v2.01 Relative/absolute paths TCPDB.DAT case Archive file signatures Attack surface Attack vectors

913 views • 49 slides
Identifying Attack Vectors Professor Larry Heimann Web Application Security Information Systems

Identifying Attack Vectors Professor Larry Heimann Web Application Security Information Systems

Identifying Attack Vectors Professor Larry Heimann Web Application Security Information Systems Nothing is in isolation Attack surface An attack surface is the total number of possible attack vectors Think of a house, with the

309 views • 15 slides
Verify what? Navigating the Attack Surface Mark S. Miller, Google Formal Methods meets JavaScript

Verify what? Navigating the Attack Surface Mark S. Miller, Google Formal Methods meets JavaScript

Verify what? Navigating the Attack Surface Mark S. Miller, Google Formal Methods meets JavaScript Imperial College, March 2018 Risk as Attack Surface a Expected Risk: likelihood * damage Potential damage Likelihood of exploitable

592 views • 48 slides
Exploring the IoT attack surface Breaking || Liberating the brave new IoT world. doc.dr.sc.

Exploring the IoT attack surface Breaking || Liberating the brave new IoT world. doc.dr.sc.

Exploring the IoT attack surface Breaking || Liberating the brave new IoT world. doc.dr.sc. Tonimir Kiasondi Sponsored by http://iot.foi.hr Why should i listen to you and not go out for coffee? Well, IoT is the next big hotness

725 views • 55 slides
Dynamic Critical Grading Surfaces Class Summary This demonstration will guide the participant

Dynamic Critical Grading Surfaces Class Summary This demonstration will guide the participant

Dynamic Critical Grading Surfaces Class Summary This demonstration will guide the participant through workflows to leverage surface creation tools to develop a dynamic setup surface based on critical criteria parameters. This base surface can

458 views • 34 slides
Windows Metafiles An Analysis of the EMF Attack Surface & Recent Vulnerabilities Mateusz

Windows Metafiles An Analysis of the EMF Attack Surface & Recent Vulnerabilities Mateusz

Windows Metafiles An Analysis of the EMF Attack Surface & Recent Vulnerabilities Mateusz j00ru Jurczyk PacSec, Tokyo 2016 PS> whoami Project Zero @ Google Low-level security researcher with interest in all sorts of

1.62k views • 150 slides
Fault attack vulnerability assessment of binary code Cryptography and Security in Computing

Fault attack vulnerability assessment of binary code Cryptography and Security in Computing

Fault attack vulnerability assessment of binary code Cryptography and Security in Computing Systems [CS219], Valencia, Spain January 21, 2019 Jean-Baptiste Brjon Emmanuelle Encrenaz Karine Heydemann Quentin Meunier Son-Tuan Vu Sorbonne

770 views • 34 slides
Revolutionizing the Field of Grey-box Attack Surface Testing with Evolutionary Fuzzing Jared

Revolutionizing the Field of Grey-box Attack Surface Testing with Evolutionary Fuzzing Jared

Revolutionizing the Field of Grey-box Attack Surface Testing with Evolutionary Fuzzing Jared DeMott Dr. Richard Enbody @msu.edu Dr. William Punch Black Hat 2007 www.vdalabs.com VDA Labs, LLC Agenda Goals and previous works (1)

683 views • 54 slides
Algorithms Theory 14 Dynamic Programming (3) Optimal binary search trees Prof. Dr. S.

Algorithms Theory 14 Dynamic Programming (3) Optimal binary search trees Prof. Dr. S.

Algorithms Theory 14 Dynamic Programming (3) Optimal binary search trees Prof. Dr. S. Albers Winter term 07/08 Method of dynamic programming Recursive approach: Solve a problem by solving several smaller analogous subproblems of the same

559 views • 16 slides
Generating Low-Overhead Dynamic Binary Translators Mathias Payer and Thomas R. Gross Department

Generating Low-Overhead Dynamic Binary Translators Mathias Payer and Thomas R. Gross Department

Generating Low-Overhead Dynamic Binary Translators Mathias Payer and Thomas R. Gross Department of Computer Science ETH Z rich Motivation Binary Translation (BT) well known technique for late transformations Extend or add

326 views • 29 slides
Binary Search Trees ! A data structures with efficient support for many dynamic set operations:

Binary Search Trees ! A data structures with efficient support for many dynamic set operations:

Binary Search Trees ! A data structures with efficient support for many dynamic set operations: Search/Find Minimum/findMin Maximum/findMax Binary Search Trees Predecessor Successor Insert Delete/Remove ! All

83 views • 4 slides
Moritz Jodeit moritz.jodeit@nruns.com Twitter: @moritzj Agenda Attack Surface Firmware

Moritz Jodeit moritz.jodeit@nruns.com Twitter: @moritzj Agenda Attack Surface Firmware

Moritz Jodeit moritz.jodeit@nruns.com Twitter: @moritzj Agenda Attack Surface Firmware Analysis Device Rooting System Architecture Vulndev Environment Remote H.323 Exploit Post Exploitation Who am I? From Hamburg,

1.13k views • 80 slides
FABRICATION OF SUPER-HYDROPHILIC/HYDROPHOBIC SURFACE AND DRAG REDUCTION EFFECTS S. Lyu 1 , D. C.

FABRICATION OF SUPER-HYDROPHILIC/HYDROPHOBIC SURFACE AND DRAG REDUCTION EFFECTS S. Lyu 1 , D. C.

18 TH INTERNATIONAL CONFERENCE ON COMPOSITE MATERIALS FABRICATION OF SUPER-HYDROPHILIC/HYDROPHOBIC SURFACE AND DRAG REDUCTION EFFECTS S. Lyu 1 , D. C. Nguyen 2 , B. S. Yoon 2 , W. Hwang 1 * 1 Department of Mechanical Engineering, POSTECH, Pohang,

75 views • 4 slides
Support Recovery for Orthogonal Matching Pursuit: Upper and Lower bounds Raghav Somani 1 , Chirag

Support Recovery for Orthogonal Matching Pursuit: Upper and Lower bounds Raghav Somani 1 , Chirag

Support Recovery for Orthogonal Matching Pursuit: Upper and Lower bounds Raghav Somani 1 , Chirag Gupta 2 , Prateek Jain 1 & Praneeth Netrapalli 1 1 Microsoft Research Lab - India 2 Machine Learning Department, Carnegie Mellon University

895 views • 21 slides
Intrusion Recovery for Database-backed Web Applications Ramesh Chandra , Taesoo Kim, Meelap Shah,

Intrusion Recovery for Database-backed Web Applications Ramesh Chandra , Taesoo Kim, Meelap Shah,

Intrusion Recovery for Database-backed Web Applications Ramesh Chandra , Taesoo Kim, Meelap Shah, Neha Narula, Nickolai Zeldovich MIT CSAIL Web applications routinely compromised Web applications routinely compromised Web applications

1.44k views • 75 slides
Healthcare Personnel Safety Component Healthcare Personnel Vaccination Module Influenza Vaccination

Healthcare Personnel Safety Component Healthcare Personnel Vaccination Module Influenza Vaccination

Healthcare Personnel Safety Component Healthcare Personnel Vaccination Module Influenza Vaccination Summary Inpatient Rehabilitation Facilities National Center for Emerging and Zoonotic Infectious Diseases Division of Healthcare Quality Promotion

1.38k views • 68 slides
Crash Recovery Chapter 18 Database Management Systems, 3ed, R. Ramakrishnan and J. Gehrke 1

Crash Recovery Chapter 18 Database Management Systems, 3ed, R. Ramakrishnan and J. Gehrke 1

Crash Recovery Chapter 18 Database Management Systems, 3ed, R. Ramakrishnan and J. Gehrke 1 Review: The ACID properties A A tomicity: All actions in the Xact happen, or none happen. C C onsistency: If each Xact is consistent, and

253 views • 9 slides
Plastic Recovery and Recycling Project Accounting Standard Introduction to the first

Plastic Recovery and Recycling Project Accounting Standard Introduction to the first

Plastic Recovery and Recycling Project Accounting Standard Introduction to the first consultation Julianne Baroody & Sneha Balasubramanian 26 March 2020 Verra organizational overview Non-profit organization founded in 2007

1.41k views • 29 slides
Training Tips: Get the Most from Your Workouts Training Tips: Get the Most from Your Workouts

Training Tips: Get the Most from Your Workouts Training Tips: Get the Most from Your Workouts

Training Tips: Get the Most from Your Workouts Training Tips: Get the Most from Your Workouts Playing It Safe: Playing It Safe: Principles to Pr Principles to Prevent event Injury Injury Many athletic injuries can be prevented by going

436 views • 4 slides
ATKINS Southeast Region Design-Build Member of the SNC-Lavalin Group MacDill 48 Parcel

ATKINS Southeast Region Design-Build Member of the SNC-Lavalin Group MacDill 48 Parcel

Lower Peninsula Stormwater Improvements Project ATKINS Southeast Region Design-Build Member of the SNC-Lavalin Group MacDill 48 Parcel Improvements - Information Session October 5, 2020 Presenting: Thomas Ries (ESA) Lower Peninsula Watershed

537 views • 28 slides
Reactive Microsystems The Evolution of Microservices at Scale Jonas Bonr @jboner

Reactive Microsystems The Evolution of Microservices at Scale Jonas Bonr @jboner

Reactive Microsystems The Evolution of Microservices at Scale Jonas Bonr @jboner Microservices Are Hyped So You Want To strangle The Almighty Monolith And Move Towards Microservices? Do Not Settle For Microliths Microlith Single

1.66k views • 127 slides

More recommend