binrec dynamic binary lifting and recompilation
play

BinRec: Dynamic Binary Lifting and Recompilation Anil Altinay , - PowerPoint PPT Presentation

Feb 03, 2023 •134 likes •457 views

BinRec: Dynamic Binary Lifting and Recompilation Anil Altinay , Joseph Nash , Taddeus Kroes Prabhu Rajasekaran, Dixin Zhou, Adrian Dabrowski, David Gens, Yeoul Na, Stijn Volckaert, Cristiano Giuffrida, Herbert Bos, Michael Franz

  1. BinRec: Dynamic Binary Lifting and Recompilation Anil Altinay ∗ , Joseph Nash ∗ , Taddeus Kroes ∗ Prabhu Rajasekaran, Dixin Zhou, Adrian Dabrowski, David Gens, Yeoul Na, Stijn Volckaert, Cristiano Giuffrida, Herbert Bos, Michael Franz ∗ Equal Contribution Joint-First Authors

  2. Legacy Binaries Need Help ¤ Source code or toolchain has been lost ¤ Microsoft patched CVE-2017-11882 in Equation Editor ¤ Binary Rewriting to patch, reoptimize, instrument, or harden binaries [1] 2

  3. Limitations of Static Rewriting ¤ 5 challenges for static binary rewriting ¤ Code vs Data Separation ¤ Indirect Control Flow Resolution ¤ Ill-formed Code ¤ Obfuscation ¤ External Entry Points ¤ Static approaches use heuristics since they can’t solve these challenges in a principled way ¤ Produce rewritten binaries with poor performance , especially with instrumentation ¤ Require re-implementing well known analyses within every framework 3

  4. BinRec vs McSema[6] BinRec Binaries’ Overhead 0.29 -0.02 4

  5. BinRec Framework Highlights Lift binaries to LLVM IR • Enable off-the-shelf compiler transformations • Safe Stack, ASAN, Optimizations, De- • obfuscation, CFI Lift and run all C/C++ benchmarks in SPEC • [9] CINT 2006 Better performing than existing lifting • frameworks Rev.ng[13] : 2.25x (static linked) • Multiverse[7] :1.60x (w/o instrumentation) • McSema[6] : >2x (only 4 binaries) • BinRec :1.29x • 5

  6. Leveraging Dynamic Traces to Overcome Static Rewriting Challenges

  7. Code vs Data ¤ A statically unsolvable problem (Horspool and Marovac [3]) ¤ Solution: ¤ Copy of original program in case of inlined code and data as in prior work [10,11] ¤ Dynamically observe the use of ambiguous values ¤ Never accidentally disassemble data as code. ¤ libjpeg example [12] 7

  8. Code vs Data in libjpeg McSema mis-handles this case! Callback function is stored in a struct Constant is same as address of callback function 8

  9. Code vs Data in libjpeg McSema mis-handles this case! Callback function is stored in a struct Constant is same as address of callback function 9

  10. Code vs Data in libjpeg McSema mis-handles this case! Callback function is stored in a struct Constant is same as address of callback function 10

  11. Indirect Control Flow ¤ Static approaches use heuristics with value set analysis ¤ BinRec records the exact target addresses of each indirect control flow %pc = load i32, i32* @PC ret switch %pc, label %otherwise [ i32 &A, label %BasicBlock_A Traces observed: i32 &B, label %Basicblock_B ] ret to A ret to B 11

  12. External Entry Points: Callbacks Binary Code Callback function int compare( const void* a, const void* b ) { Library Code …. void qsort(void *base, …. size_t nel, } size_t width, int (*compar)(const void *, int main() { const void *)) int arr[] = {5, 3, 1, -1}; { ….. int size = sizeof arr / sizeof *arr; ….. qsort( arr, size, sizeof( int ), ….. compare); compare(arg1, arg2); } } Passed to qsort function qsort invokes callback function 12

  13. Support for External Entry Points Problem: The callback function pointer still points to the original callback function Library Code void qsort(void *base, size_t nel, size_t width, int (*compar)(const void *, const void *)) Recovered Code { int compare_recovered( …. ) { ….. …. } ….. ….. int main_recovered() { compare(arg1, arg2); 2 …. } qsort invokes original callback function qsort( …., compare); 1 } 13

  14. Support for External Entry Points Problem: The callback function pointer still points to the original callback function Library Code void qsort(void *base, size_t nel, size_t width, int (*compar)(const void *, const void *)) Recovered Code { int compare_recovered( …. ) { ….. …. } ….. ….. int main_recovered() { compare(arg1, arg2); 2 …. } qsort invokes original callback function qsort( …., compare); 1 } 14

  15. Support for External Entry Points ¤ Option 1: statically link library code into the analysis region ¤ Problem: High memory usage ¤ Option 2: update code pointers ¤ Problem: Heuristics fail ¤ Option 3: create a lookup table ¤ Problem: Performance degradation

  16. Support for External Entry Points Our Dynamic Approach Use original address space as Original Code Region trampolines Library Code compare: jmp compare_recovered void qsort(void *base, size_t nel, 3. size_t width, int (*compar)(const void *, const void *)) Recovered Code { int compare_recovered ( …. ) { ….. …. 4. } 2. ….. ….. int main_recovered() { compare(arg1, arg2); …. } 1. qsort( …., compare); } No need for arguments patching! 16

  17. BinRec Architected for Coverage ¤ Coverage for Dynamic Analysis ¤ Dynamic lifting engine efficiently covers paths of interest ¤ Installed handlers provides recovery and iterative improvement 17

  18. BinRec Architected for Coverage ¤ Coverage for Dynamic Analysis ¤ Dynamic lifting engine efficiently covers paths of interest ¤ Installed handlers provides recovery and iterative improvement 18

  19. BinRec Architected for Coverage ¤ Coverage for Dynamic Analysis ¤ Dynamic lifting engine efficiently covers paths of interest ¤ Installed handlers provides recovery and iterative improvement 19

  20. Multi-Trace Merging ¤ Drive execution - Trusted inputs, fuzzing, concolic execution ¤ Build CFG – Merge basic block boundaries, control flow edges 20

  21. Configurable Pass Miss Handlers ¤ Path Miss := instructions needed for the current workload were not observed in the initial lifting ¤ Path Miss Handlers are installed in every control flow transfer ¤ Optimized Out ¤ Report and Log ¤ Fallback ¤ Incremental Lifting 21

  22. Path Miss Handler: Incremental Lifting ¤ Use logged ‘path misses’ as points to restart lifting 22

  23. Incremental Lifting of Bzip2 23

  24. Correct and Performant Rewriting of SPEC CINT 2006 BinRec Binaries’ Overhead 0.29 -0.02 24

  25. BinRec vs Static Rewriters SPEC Int Geomean O3 BinRec 1.29x Multiverse [7] 1.60x Rev.ng[13] 2.25x O0 mcf bzip2 sjeng libquantum BinRec 0.83x 0.76x 0.77x 0.95x McSema 2.31x 2.84x 3.43x 2.07x ¤ Static approaches are less precise ¤ More possible behaviors -> less optimization is possible ¤ Dynamic lifting has a one-time cost (~450x on SPEC) SPEC Int Geomean O0 O3 BinRec 178480s 138379s McSema 371s 320s 25

  26. Now we can have nice things! LLVM IR + dynamic linking support == No need to rewrite transformations

  27. Address Sanitizer in BinRec ¤ ASAN: A memory access violation finding tool available in LLVM ¤ Works with off the shelf ASAN no modifications on binaries ¤ All memory accesses are instrumented ¤ Heap allocations are instrumented ¤ No stack variable symbolization -> stack allocations are not instrumented by ASAN ¤ ASAN runtime library links and reports violations [14] 27

  28. Obfuscation and Ill-formed Code Unaligned / Overlapping Instructions Virtualization [15] Packing Code Encryption [17] [16] 28.5

  29. Control-Flow Integrity in BinRec ¤ Only observed control flows are allowed ¤ C -> G disallowed ¤ Contexts are merged ¤ Performance Vs Precision ¤ Indirect CFT -> Direct CFT ¤ Ret = switch %pc, label %error [ i32 &D, label %BB_D ] ¤ BinCFI uses an address taken heuristic over- approximation ¤ BinRec is on average at least 25x more restrictive than BinCFI 29

  30. BinRec: Dynamic Binary Lifting and Recompilation ¤ First of its kind dynamic trace lifting and recompilation of stripped binaries ¤ Heuristic free and supports obfuscated code ¤ Enables off-the-shelf transformations, which only existed for source code ¤ Low overhead (29%) 30

  31. Thanks and Acknowledgements We thank our shepherd and the anonymous reviewers for their feedback. ¤ Thanks to Alyssa Milburn for editing assistance, and Chinmay Deshpande for testing and ¤ ongoing efforts. This material is based upon work partially supported by the Defense Advanced Research ¤ Projects Agency (DARPA) under contracts FA8750-15-C-0124 andFA8750-15-C-0085, by the United States Office of Naval Research (ONR) under contract N00014-17-1-2782, by the National Science Foundation under awards CNS-1619211and CNS-1513837. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the Defense Advanced Research Projects Agency (DARPA) or its Contracting Agents, the Office of Naval Research or its Contracting Agents, the National Science Foundation, or any other agency of the U.S. Government. 31

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

BinRec: Attack Surface Reduction Through Dynamic Binary Recovery Taddeus Kroes, Anil Altinay,

BinRec: Attack Surface Reduction Through Dynamic Binary Recovery Taddeus Kroes, Anil Altinay,

BinRec: Attack Surface Reduction Through Dynamic Binary Recovery Taddeus Kroes, Anil Altinay, Joseph Nash, Yeoul Na, Stijn Volckaert, Herbert Bos, Michael Franz, Cristiano Giuffrida October 19, 2018 Attack Surface Reduction x =

2.55k views • 62 slides
Algorithms Theory 14 Dynamic Programming (3) Optimal binary search trees Prof. Dr. S.

Algorithms Theory 14 Dynamic Programming (3) Optimal binary search trees Prof. Dr. S.

Algorithms Theory 14 Dynamic Programming (3) Optimal binary search trees Prof. Dr. S. Albers Winter term 07/08 Method of dynamic programming Recursive approach: Solve a problem by solving several smaller analogous subproblems of the same

559 views • 16 slides
Generating Low-Overhead Dynamic Binary Translators Mathias Payer and Thomas R. Gross Department

Generating Low-Overhead Dynamic Binary Translators Mathias Payer and Thomas R. Gross Department

Generating Low-Overhead Dynamic Binary Translators Mathias Payer and Thomas R. Gross Department of Computer Science ETH Z rich Motivation Binary Translation (BT) well known technique for late transformations Extend or add

326 views • 29 slides
JEFFERSON JOBOY 27 November 2018 1 LIFTING AWARENESS 2 GROUND RULES 3 What is a lifting

JEFFERSON JOBOY 27 November 2018 1 LIFTING AWARENESS 2 GROUND RULES 3 What is a lifting

JEFFERSON JOBOY 27 November 2018 1 LIFTING AWARENESS 2 GROUND RULES 3 What is a lifting operation? An operation concerned with the lifting or lowering of a load'. A 'load' is the item or items being lifted, which includes a person or people

380 views • 27 slides
Binary Search Trees ! A data structures with efficient support for many dynamic set operations:

Binary Search Trees ! A data structures with efficient support for many dynamic set operations:

Binary Search Trees ! A data structures with efficient support for many dynamic set operations: Search/Find Minimum/findMin Maximum/findMax Binary Search Trees Predecessor Successor Insert Delete/Remove ! All

83 views • 4 slides
Binary Numbers Binary numbers look like this Binary Numbers or Binary Code Binary numbers or

Binary Numbers Binary numbers look like this Binary Numbers or Binary Code Binary numbers or

Binary Numbers Binary numbers look like this Binary Numbers or Binary Code Binary numbers or binary code are used by computers and digital devices to talk to each other. It is used to give commands to the computer or a way to enter data

165 views • 12 slides
HI-CFG: Construction by Dynamic Binary Analysis, and Application to Attack Polymorphism Dan

HI-CFG: Construction by Dynamic Binary Analysis, and Application to Attack Polymorphism Dan

HI-CFG: Construction by Dynamic Binary Analysis, and Application to Attack Polymorphism Dan Caselden, Alex Bazhanyuk, Mathias Payer , Stephen McCamant, Dawn Song, UC Berkeley Recovering Information Knowledge of information (data) flow and

694 views • 32 slides
Automatic Generation of Efficient Dynamic Binary Translators Fr ed eric P etrot, Luc

Automatic Generation of Efficient Dynamic Binary Translators Fr ed eric P etrot, Luc

Introduction DBT principle Design flow Intermediate Representation Generation Conclusion Automatic Generation of Efficient Dynamic Binary Translators Fr ed eric P etrot, Luc Michel and Nicolas Fournel Tima Laboratory , Grenoble,

686 views • 25 slides
NIOSH revised lifting equation Week 8 Dr. Belal Gharaibeh 1 Why use the NIOSH lifting equation?

NIOSH revised lifting equation Week 8 Dr. Belal Gharaibeh 1 Why use the NIOSH lifting equation?

NIOSH revised lifting equation Week 8 Dr. Belal Gharaibeh 1 Why use the NIOSH lifting equation? National Institute for Occupational Safety and Health (NIOSH) in the USA made a standard procedure for assessing the physical demands of

540 views • 14 slides
Binary Rewriting at Runtime for Efficient Dynamic Domain Map Implementations 3 rd CHIUW Workshop,

Binary Rewriting at Runtime for Efficient Dynamic Domain Map Implementations 3 rd CHIUW Workshop,

Technische Universitt Mnchen Binary Rewriting at Runtime for Efficient Dynamic Domain Map Implementations 3 rd CHIUW Workshop, Chicago, May 27, 2016 Josef Weidendorfer, Jens Breitbart Chair for Computer Architecture Department of

258 views • 8 slides
Dynamic Binary Instrumentation: Introduction to Pin Instrumentation A technique that injects

Dynamic Binary Instrumentation: Introduction to Pin Instrumentation A technique that injects

Dynamic Binary Instrumentation: Introduction to Pin Instrumentation A technique that injects instrumentation code into a binary to collect run-time information 2 Instrumentation A technique that injects instrumentation code into a binary to

773 views • 46 slides
Goals for Today Learning Objective: Understand challenges in Static/Dynamic Binary

Goals for Today Learning Objective: Understand challenges in Static/Dynamic Binary

Goals for Today Learning Objective: Understand challenges in Static/Dynamic Binary Translation Announcements, etc: Midterm debrief forthcoming on Friday MP2 extension: now due on March 23rd Reminder : Please put away devices

684 views • 12 slides
Lifting your cargoes faster shorecranes up to 208 tons rhb stevedoring & warehousing Our

Lifting your cargoes faster shorecranes up to 208 tons rhb stevedoring & warehousing Our

stevedoring & warehousing Lifting your cargoes faster shorecranes up to 208 tons rhb stevedoring & warehousing Our company rhb stevedoring & warehousing was founded in 1930 and has developed into a modern, dynamic, private

357 views • 9 slides
Instrew: Leveraging LLVM for High Performance Dynamic Binary Instrumentation Alexis Engelke

Instrew: Leveraging LLVM for High Performance Dynamic Binary Instrumentation Alexis Engelke

Instrew: Leveraging LLVM for High Performance Dynamic Binary Instrumentation Alexis Engelke Martin Schulz Chair of Computer Architecture and Parallel Systems TUM Department of Informatics Technical University of Munich VEE 2020, virtual

396 views • 25 slides
Dynamic Binary Optimization Introduction Application profiling Optimizing translation

Dynamic Binary Optimization Introduction Application profiling Optimizing translation

Dynamic Binary Optimization Introduction Application profiling Optimizing translation blocks Compatibility Code reordering Other code optimizations 1 EECS 768 Virtual Machines Optimization Overview Identify frequently

822 views • 40 slides
Avatar - Enhancing Binary Firmware Security Analysis with Dynamic Multi-Target Orchestration

Avatar - Enhancing Binary Firmware Security Analysis with Dynamic Multi-Target Orchestration

CRYPTACUS Workshop Nijmegen, 16 - 18 November 2017 Avatar - Enhancing Binary Firmware Security Analysis with Dynamic Multi-Target Orchestration Marius Muench <marius.muench@eurecom.fr> PART I Avatar - Enhancing Binary Firmware

1.04k views • 26 slides
CPSC 213 Introduction to Computer Systems Unit 2c Synchronization 1 Reading Companion 6

CPSC 213 Introduction to Computer Systems Unit 2c Synchronization 1 Reading Companion 6

CPSC 213 Introduction to Computer Systems Unit 2c Synchronization 1 Reading Companion 6 (Synchronization) Text Shared Variables in a Threaded Program, Synchronizing Threads with Semaphores, Using Threads for Parallelism, Other

821 views • 58 slides
make world Chris Smowton University of Cambridge spell-rite /usr/share/real_words ~/nonsense

make world Chris Smowton University of Cambridge spell-rite /usr/share/real_words ~/nonsense

make world Chris Smowton University of Cambridge spell-rite /usr/share/real_words ~/nonsense spell-rite /usr/share/real_words ~/nonsense spell-rite /usr/share/real_words ~/nonsense /usr/share/real_words ~/nonsense /usr/share/real_words

725 views • 37 slides
Objects (cont.) Deian Stefan (Adopted from my & Edward Yangs CS242 slides) Today

Objects (cont.) Deian Stefan (Adopted from my & Edward Yangs CS242 slides) Today

Objects (cont.) Deian Stefan (Adopted from my & Edward Yangs CS242 slides) Today Statically-typed OO languages: C++ vtables Closer look at subtyping Why talk about C++? C++ is an OO extension of C Efficiency and

572 views • 33 slides
Thread Lecture 6 Disclaimer: some slides are adopted from the book authors slides with

Thread Lecture 6 Disclaimer: some slides are adopted from the book authors slides with

Thread Lecture 6 Disclaimer: some slides are adopted from the book authors slides with permission 1 Recap IPC Shared memory share a memory region between processes read or write to the shared memory region fast

754 views • 27 slides
E XPLOITING S EMANTIC C OMMUTATIVITY IN H ARDWARE S PECULATION G UOWEI Z HANG , V IRGINIA C HIU , D

E XPLOITING S EMANTIC C OMMUTATIVITY IN H ARDWARE S PECULATION G UOWEI Z HANG , V IRGINIA C HIU , D

E XPLOITING S EMANTIC C OMMUTATIVITY IN H ARDWARE S PECULATION G UOWEI Z HANG , V IRGINIA C HIU , D ANIEL S ANCHEZ MICRO 2016 Executive summary 2 Exploiting commutativity benefits update-heavy apps Software techniques that exploit

1k views • 44 slides
CS 241: Systems Programming Lecture 25. Function Pointers Spring 2020 Prof. Stephen Checkoway 1

CS 241: Systems Programming Lecture 25. Function Pointers Spring 2020 Prof. Stephen Checkoway 1

CS 241: Systems Programming Lecture 25. Function Pointers Spring 2020 Prof. Stephen Checkoway 1 Function pointers Function pointers are pointers that point tofunctions Syntax return_type (*var)(parameters); int (*f1)( void ); // f1 is

486 views • 21 slides
DescribingLinkedDatasets OntheDesignandUsageof voiD ,

DescribingLinkedDatasets OntheDesignandUsageof voiD ,

KeithAlexander(Talis),RichardCyganiak(DERI), MichaelHausenblas(DERI)andJunZhao(UniversityofOxford) DescribingLinkedDatasets OntheDesignandUsageof voiD ,

417 views • 31 slides
Introduction to CUDA C What is CUDA? CUDA Architecture Expose general-purpose GPU

Introduction to CUDA C What is CUDA? CUDA Architecture Expose general-purpose GPU

Introduction to CUDA C What is CUDA? CUDA Architecture Expose general-purpose GPU computing as first-class capability Retain traditional DirectX/OpenGL graphics performance CUDA C Based on industry-standard C A handful of

1.31k views • 62 slides

More recommend