call for contribution a new white box analytic tool
play

Call for Contribution: A New White-Box Analytic Tool Junwei Wang - PowerPoint PPT Presentation

Oct 28, 2023 •486 likes •853 views

Call for Contribution: A New White-Box Analytic Tool Junwei Wang WhibOx 2019 May 19, 2019, Darmstadt Overview 1 Why do we need a (new) tool? 2 What does it look like? 3 How to build it? 2 Why do we need a white-box analytic tool?

  1. Call for Contribution: A New White-Box Analytic Tool Junwei Wang WhibOx 2019 May 19, 2019, Darmstadt

  2. Overview 1 � Why do we need a (new) tool? 2 � What does it look like? 3 � How to build it? 2

  3. Why do we need a white-box analytic tool? � designer : to do an in-depth assessment in the design stage � security analyst : to evaluate the client’s solution � To participate a CTF (such as WhibOx contest)

  4. Basic requirements (for generic attacks) � tracing registers / accessed memory ◮ used in DCA, LDA, collision attack, ... ◮ many libraries for visualizing/analyzing traces already exist � injection faults ◮ e.g. manipulating data, instructions or control flows Advanced demands (to understand the design) � codes transformation ◮ e.g. single static assignment (SSA) transformation � control-flow & data-flow analyses ◮ e.g. data dependency analysis � · · ·

  5. Many Tools Already Exist! Mainly based on � debuggers : GDB , vtrace � or dynamic binary instrumentation (DBI): IntelPIN , Valgrind SideChannelMarvels/Tracer ◮ � or CPU emulators : Qemu , Unicorn , Ghidra RolfRolles/GhidraPAL ◮ Advantages � Efficient! � Very little development efforts to do!

  6. But have limited capabilities Basic requirements ✓ tracing memory / registers ✓ injection faults Advanced demands ✗ codes transformation ✗ control-flow & data-flow analyses ✗ · · ·

  7. Besides, these tools only deal with binaries ⇒ requiring knowledges on the binary and its architecture ⇒ some tools are a bit hard to deploy ⇒ the attack might be affected by physical behavior In fact, the architecture is not very important � because the attack are also only software-based � no hardware property is exploited. � we don’t want to build one tool for each architecture

  8. Illustration: RolfRolles/GhidraPAL class EmulatorTraceGenerator { AddressSpace defaultSpace ; LoggingMemorizingMemoryBank defaultMemoryBank ; MemoryState ms; Emulate Emulator; Program CurrentProgram ; HashSet <Address > PrintfAddrs; // Why do I need those numbers? How can I get them? public static final long [] PrintfLocations = {0 x04010a5l ,0 x0401193l ,0 x04011b9l ← ֓ ,0 x0401deel ,0 x0402372l ,0 x0402388l }; // What are those target-dependent registers initialized with those values? public static final String [] Reg32Names = {"EAX","ECX","EDX","EBX","ESP","EBP ← ֓ ","ESI","EDI"}; public static final long [] Reg32Values = {0 x28abbcl ,0 x611856c0l ,0x0l ,0x0l ,0 ← ֓ x28ab50l ,0 x28ac08l ,0 x200283f0l ,0 x6119fe9fl }; public static final long ProgramBegin = 0x00400000l; public static final long ProgramEnd = 0x005201ffl; public static final long StackBegin = 0x0028ab50l; public static final long StackEnd = 0x0028ABFCl; public static final long InputBegin = 0x0028ABE8l; public static final long ExecBegin = 0x004011C5l; public static final long ExecEnd = 0x00402381l;

  9. public EmulatorTraceGenerator (Program currentProgram ) { CurrentProgram = currentProgram ; // I don't care about the programming languages and architectures SleighLanguage l = ( SleighLanguage ) currentProgram . getLanguage (); // Initialize AddressSpace objects defaultSpace = currentProgram . getAddressFactory (). getDefaultAddressSpace ← ֓ (); AddressSpace registerSpace = currentProgram . getAddressFactory (). ← ֓ getRegisterSpace (); AddressSpace uniqueSpace = currentProgram . getAddressFactory (). ← ֓ getUniqueSpace (); // Create MemoryPageBank objects for the address spaces boolean isBigEndian = l.isBigEndian (); // memory tracing are hooked here (see later) defaultMemoryBank = new LoggingMemorizingMemoryBank (defaultSpace , ← ֓ isBigEndian , 4096 , acc , StackBegin , StackEnd); MemoryPageBank registerMemoryBank = ...; MemoryPageBank uniqueMemoryBank = ...;

  10. // Create and initialize the MemoryState ms = new MemoryState (l); ms. setMemoryBank ( registerMemoryBank ); ms. ← ֓ setMemoryBank ( defaultMemoryBank ); // Initialize the BreakTable BreakTableCallBack bt = new BreakTableCallBack (l); // Create the emulator object Emulator = new Emulate(l, ms , bt); PrintfAddrs = new HashSet <Address >(); for(long printfRef : PrintfLocations ) PrintfAddrs .add( defaultSpace .getAddress(printfRef)); } void Init () { defaultMemoryBank .Accesses = new ArrayList <Byte >(); SleighLanguage l = ( SleighLanguage ) CurrentProgram . getLanguage (); VarnodeTranslator vt = new VarnodeTranslator ( CurrentProgram ); for(int i = 0; i < Reg32Names.length; i++) ms.setValue(l. getRegister (Reg32Names[i]), Reg32Values [i]); }

  11. ArrayList <Byte > execute(long desInput) { Address eaBeg = defaultSpace .getAddress(ExecBegin); Address eaEnd = defaultSpace .getAddress(ExecEnd); Init (); byte [] desArr = new byte [8]; for(int i = 0; i < 8; i++) desArr[i] = (byte)(( desInput >> (8*i)) & 0xFFl); defaultMemoryBank .setChunk(InputBegin , 8, desArr); Emulator. setExecuteAddress (eaBeg); while (! eaEnd.equals(Emulator. getExecuteAddress ())) { // why I need to do this? if(PrintfAddrs .contains(Emulator. getExecuteAddress ())) Emulator. setExecuteAddress (Emulator. getExecuteAddress ().add(5L)); Emulator. executeInstruction (true); } return defaultMemoryBank .Accesses; } }

  12. Illustration: RolfRolles/GhidraPAL class LoggingMemorizingMemoryBank extends MemoryPageBank { ArrayList <Byte > Accesses = new ArrayList <Byte >(); // Log the low byte of all addresses targeted by 1-byte reads public int getChunk(long addrOffset , int size , byte [] res , boolean stop) { int iRes = super.getChunk(addrOffset , size , res , stop); if(size == 1) { Accesses.add (( byte)(addrOffset &0 xFFl)); } return iRes; } // Log the low byte of all addresses targeted by 1-byte writes public void setChunk(long offset , int size , byte [] val) { super.setChunk(offset , size , val); if(size == 1) Accesses.add (( byte)(offset &0 xFFl)); } }

  13. g¯ ong y` u sh` an q´ ı sh` ı b` ı xi¯ an l` ı q´ ı q` ı 善 其 事 , 先 利 其 欲 器 必 工 To do a good job, an artisan needs the best tools. —– Chinese idiom

  14. In Dream we work with ✓ a Swiss army knife (basic/advanced features all-in-one) ✓ independent with programming languages (PL) and architectures ✓ open source: get community involved & contributed ✓ cross-platform (working with Windows, Linux and MacOS) ✓ usable, extendable, and maintainable 14

  15. qi´ an r´ en z¯ ai sh` u h` ou r´ en ch´ eng li´ ang 前 人 人 乘 凉 栽 树 , 后 To enjoy the benefits of the hard work of one’s predecessors. —– Chinese idiom

  16. In the Beginning, a Compiler duplicates N × M times of (a three-phrase design) Source: https://www.aosabook.org/en/llvm.html for N front-ends ( i.e. PL) and M target back-ends ( i.e. CPU architectures). 16

  17. The Ideal is N + M

  18. LLVM Architecture Source: https://www.aosabook.org/en/llvm.html � A complete de-coupling of the front-ends and back-ends � Thanks to an intermediate representation (IR) independent with PLs and architectures 18

  19. Our Secret Is Also to Use LLVM IR

  20. define i32 @increment (i32) { %2 = alloca i32 , align 4 store i32 %0 , i32* %2 , align 4 %3 = load i32 , i32* %2 , align 4 %4 = add nsw i32 %3 , 1 store i32 %4 , i32* %2 , align 4 %5 = load i32 , i32* %2 , align 4 int increment(int a) { ret i32 %5 a++; } return a; } clang -emit-llvm -S -c increment.c incremement.c define i32 @increment (i32) { %2 = add nsw i32 %0 , 1 ret i32 %2 } opt -mem2reg -S increment.ll

  21. LLVM IR is Better than Assembly � LLVM IR is a complete code representation � with RISC-like instruction sets � but independent with PLs and architectures � strong typed variables with simple type system � infinite virtual registers in SSA form define i32 @increment(i32) { %2 = add nsw i32 %0 , 1 ret i32 %2 } 21

  22. Three Isomorphic Forms in-memory data structure llvm-as textual format ( *.ll ) bitcode ( *.bc ) llvm-dis define i32 @increment (i32) { 91238107 4904 c841 |..#.A..I| %2 = add nsw i32 %0 , 1 39321006 0c840192 |..29....| ret i32 %2 19080525 628 b041e |%......b| } 02450 c80 420 b9242 |..E.B..B| 14321064 4b180838 |d.2.8..K|

  23. In-memory data structure � Module contains Functions/GlobalVariables ◮ Module is the unit of compilation/analysis/optimization � Function contains BasicBlocks/Arguments ◮ Functions roughly correspond to functions in C � BasicBlock contains list of instructions ◮ Each block ends in a control flow instruction � Instruction is typed opcode + operands

  24. Our Proposal

  25. Optimization Tracer Existing SCA/FA Tools Frontends Fault Injection LLVM IR Interpretor Binary Lifter Structural Analysis ...... Code Transformation

  26. Advantages � easy to implement the basic requirements � built-in features to support advanced features (control-flow/data dependency analysis) � architecture & language independent ⇒ we only need to understand one instruction sets ⇒ no re-synchronization, free to filter samples in acquisition time, · · · � big community: many LLVM IR based tools can be directly forked and used 26

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Black Box Scanning Tool + White Box Testing Tool Toshis Black Box Scanning Tool Same

Black Box Scanning Tool + White Box Testing Tool Toshis Black Box Scanning Tool Same

Toshis Approach to Runtime Analysis Black Box Scanning Tool + White Box Testing Tool Toshis Black Box Scanning Tool Same approach as: Cenzic SPI Dynamics Watchfire Toshis tool is unique because: Built on Microsoft Visual Studio

583 views • 18 slides
The Contribution of School-related Factors to ICT Use as a Management Tool in Primary and

The Contribution of School-related Factors to ICT Use as a Management Tool in Primary and

The Contribution of School-related Factors to ICT Use as a Management Tool in Primary and Secondary Education David Rodrguez-Gmez 1 , Julio Meneses 2 , Sergi Fbregues 2 1. Applied Pedagogy Department. Universitat Autnoma de Barcelona.

292 views • 14 slides
CALL FOR CONTRIBUTION FOR GLOBAL NGN (NEXT GENERATION NETWORK) PRESENTATION SHOWCASE 2020 CIGRE

CALL FOR CONTRIBUTION FOR GLOBAL NGN (NEXT GENERATION NETWORK) PRESENTATION SHOWCASE 2020 CIGRE

CALL FOR CONTRIBUTION FOR GLOBAL NGN (NEXT GENERATION NETWORK) PRESENTATION SHOWCASE 2020 CIGRE SESSION 23-28 AUGUST PARIS, FRANCE This document describes the criteria for contribution for the Global NGN Presentation Showcase at the 2020

457 views • 3 slides
General WHealth HSA Management App Visual Compositions 1 Login Page Landing Page HSA Balance

General WHealth HSA Management App Visual Compositions 1 Login Page Landing Page HSA Balance

General WHealth HSA Management App Visual Compositions 1 Login Page Landing Page HSA Balance Summary Page HSA Reports Page HSA Budget Tool: Contribution and Estimated Growth HSA Budget Tool: Contribution Editing Page Safe Wallet Tool

317 views • 27 slides
NARR Quarterly Call September 2016 The Community Reception Center (CRC) Tool Kit Understanding

NARR Quarterly Call September 2016 The Community Reception Center (CRC) Tool Kit Understanding

NARR Quarterly Call NARR Quarterly Call September 2016 The Community Reception Center (CRC) Tool Kit Understanding the use of the CRC tool kit Understanding the use of the CRC tool kit Radiation Studies Branch, DEHHE National Center for

318 views • 7 slides
Global infection prevention and control 2018-22: a call for action EUNETIPS contribution Daniele

Global infection prevention and control 2018-22: a call for action EUNETIPS contribution Daniele

Global infection prevention and control 2018-22: a call for action EUNETIPS contribution Daniele Celotto Silvio Brusaferro EUNETIPS board coordinator Agenda GIPCN call for action EUNETIPS: presentation of the network EUNETIPS:

580 views • 39 slides
Opsim and MAF Metrics Lynne Jones Opsim and MAF metrics Call for white papers on LSST survey

Opsim and MAF Metrics Lynne Jones Opsim and MAF metrics Call for white papers on LSST survey

Opsim and MAF Metrics Lynne Jones Opsim and MAF metrics Call for white papers on LSST survey strategy The call - https://ls.st/c66 White papers need method to evaluate survey strategy effectiveness for specific science goal: metrics (MAF

471 views • 17 slides
Zeros of analytic functions Lecture 14 Zeros of analytic functions Zeros of analytic functions

Zeros of analytic functions Lecture 14 Zeros of analytic functions Zeros of analytic functions

Zeros of analytic functions Lecture 14 Zeros of analytic functions Zeros of analytic functions Suppose that f : D C is analytic on an open set D C . A point z 0 D is called zero of f if f ( z 0 ) = 0. The z 0 is a zero of

372 views • 25 slides
Particle Tagging and Semi-Analytic Models In collaboration with: S. Cole, A. Benson, C. Frenk, J.

Particle Tagging and Semi-Analytic Models In collaboration with: S. Cole, A. Benson, C. Frenk, J.

Andrew Cooper, Durham Particle Tagging and Semi-Analytic Models In collaboration with: S. Cole, A. Benson, C. Frenk, J. Helly, T. Le Bret, A. Pontzen, R. DSouza, G. Kau ff mann, S. White, L. Gao, W.

717 views • 42 slides
5. Analytic Combinatorics http://aofa.cs.princeton.edu Analytic combinatorics is a calculus for

5. Analytic Combinatorics http://aofa.cs.princeton.edu Analytic combinatorics is a calculus for

A N A L Y T I C C O M B I N A T O R I C S P A R T O N E 5. Analytic Combinatorics http://aofa.cs.princeton.edu Analytic combinatorics is a calculus for the quantitative study of large combinatorial structures. Features : Analysis begins

1.26k views • 64 slides
October 2016 Define a situation where you might call Code White. Co Code e Whi hite te

October 2016 Define a situation where you might call Code White. Co Code e Whi hite te

October 2016 Define a situation where you might call Code White. Co Code e Whi hite te = Violent Resident or Visitor Violence lence: the attempted or actual exercise by a person, other than a worker, of any physic ysical al

433 views • 25 slides
Hadamard type operators for real analytic functions of several variables and moments of analytic

Hadamard type operators for real analytic functions of several variables and moments of analytic

Hadamard multipliers Multiplicative Fourier-Laplace transform Hadamard type operators for real analytic functions of several variables and moments of analytic functionals Pawe Doma nski (based on joint results with Michael Langenbruch

822 views • 64 slides
Fourth Quarter 2009 Investor Call Investor Call Terry Turner, President and CEO Harold Carpenter,

Fourth Quarter 2009 Investor Call Investor Call Terry Turner, President and CEO Harold Carpenter,

Fourth Quarter 2009 Investor Call Investor Call Terry Turner, President and CEO Harold Carpenter, EVP and CFO Harvey White Chief Credit Officer Harvey White, Chief Credit Officer January 20, 2010 Safe Harbor Statements Forward looking

567 views • 32 slides
Fourth Quarter 2010 Investor Call Investor Call Terry Turner, President and CEO Harold Carpenter,

Fourth Quarter 2010 Investor Call Investor Call Terry Turner, President and CEO Harold Carpenter,

Fourth Quarter 2010 Investor Call Investor Call Terry Turner, President and CEO Harold Carpenter, EVP and CFO Harvey White Chief Credit Officer Harvey White, Chief Credit Officer January 19, 2011 Safe Harbor Statements Forward looking

891 views • 58 slides
Status on 1 st Call - Albania Becici, 10 Th of Apr 2019 IPARD II Program 2014-2020 Total grant

Status on 1 st Call - Albania Becici, 10 Th of Apr 2019 IPARD II Program 2014-2020 Total grant

QEVERIA SHQIPTARE BASHKIMI EVROPIAN Status on 1 st Call - Albania Becici, 10 Th of Apr 2019 IPARD II Program 2014-2020 Total grant amount public support is 94,337,255 Euro from which 75% EU contribution &amp; 25% National Contribution The

443 views • 10 slides
Third Quarter 2010 Investor Call Investor Call Terry Turner, President and CEO Harold Carpenter,

Third Quarter 2010 Investor Call Investor Call Terry Turner, President and CEO Harold Carpenter,

Third Quarter 2010 Investor Call Investor Call Terry Turner, President and CEO Harold Carpenter, EVP and CFO Harvey White Chief Credit Officer Harvey White, Chief Credit Officer October 20, 2010 Safe Harbor Statements Forward looking

676 views • 49 slides
Cr Cryst stalNet alNet Faithfully Emulating Large Production Networks Hongqiang Harry Liu,

Cr Cryst stalNet alNet Faithfully Emulating Large Production Networks Hongqiang Harry Liu,

Cr Cryst stalNet alNet Faithfully Emulating Large Production Networks Hongqiang Harry Liu, Yibo Zhu Jitu Padhye, Jiaxin Cao, Sri T allapragada, Nuno Lopes, Andrey Rybalchenko Guohan Lu, Lihua Yuan Micr croso soft t Resear arch h Micr

530 views • 36 slides
Getting System Sizing and Getting System Sizing and performance testing right performance

Getting System Sizing and Getting System Sizing and performance testing right performance

Getting System Sizing and Getting System Sizing and performance testing right performance testing right Steve Hazeltine Steve Hazeltine Sema Group Sema Group Andrew J ohnston Andrew J ohnston Independent Consultant, Sema Group Asscociate

522 views • 24 slides
RD53A Emulator and 64b/66b Serial Link Status Lev Kurilenko (levkur@uw.edu) University of

RD53A Emulator and 64b/66b Serial Link Status Lev Kurilenko (levkur@uw.edu) University of

RD53A Emulator and 64b/66b Serial Link Status Lev Kurilenko (levkur@uw.edu) University of Washington LBL Instrumentation Progress Meeting June 16 2017 1 Emulator Block Diagram Emulator fully implemented, except Tx block Rx

257 views • 11 slides
A Generic Framework for Testing Parallel File Systems Jinrui Cao, Simeng Wang, Dong Dai,

A Generic Framework for Testing Parallel File Systems Jinrui Cao, Simeng Wang, Dong Dai,

A Generic Framework for Testing Parallel File Systems Jinrui Cao, Simeng Wang, Dong Dai, Mai Zheng, and Yong Chen Computer Science Department, New Mexico State University Computer Science Department, Texas Tech University

697 views • 22 slides
Adding new architecture to QEMU Marek Va sut &lt; marek.vasut@gmail.com &gt; June 1, 2017

Adding new architecture to QEMU Marek Va sut &lt; marek.vasut@gmail.com &gt; June 1, 2017

Adding new architecture to QEMU Marek Va sut &lt; marek.vasut@gmail.com &gt; June 1, 2017 Marek Vasut Contractor at multiple companies Versatile Linux kernel hacker Custodian at U-Boot bootloader Yocto (oe-core) contributor

796 views • 30 slides
MED: The Monitor-Emulator-Debugger for Software-Defined Networks Quanquan Zhi and Wei Xu

MED: The Monitor-Emulator-Debugger for Software-Defined Networks Quanquan Zhi and Wei Xu

MED: The Monitor-Emulator-Debugger for Software-Defined Networks Quanquan Zhi and Wei Xu Institute for Interdisciplinary Information Sciences Tsinghua University Software-Defined Networks (SDN): promises and challenges SDN will simplify

414 views • 25 slides
Xamarin, two IDE, two views Vojt ch Mdr About eMan - A leading Czech supplier of mobile

Xamarin, two IDE, two views Vojt ch Mdr About eMan - A leading Czech supplier of mobile

Xamarin, two IDE, two views Vojt ch Mdr About eMan - A leading Czech supplier of mobile solutions - Present on the market since 2010 - Experienced team consisting of 60 people - Member of JABLOTRON GROUP Who I am? Vojt ch is mobile

257 views • 12 slides
PowerFL : Fuzzing VxWorks embedded systems Peter Goodman Artem Dinaburg Trent Brunson 1

PowerFL : Fuzzing VxWorks embedded systems Peter Goodman Artem Dinaburg Trent Brunson 1

PowerFL : Fuzzing VxWorks embedded systems Peter Goodman Artem Dinaburg Trent Brunson 1 Introductions Peter Goodman Artem Dinaburg Trent Brunson Senior Security Engineer Principal Security Engineer Director of R&amp;D

495 views • 31 slides

More recommend