decompilation type inference and finding the code to
play

Decompilation, type inference and finding the code to decompile - PowerPoint PPT Presentation

Nov 28, 2022 •265 likes •614 views

UNIVERSITY OF CAMBRIDGE Decompilation, type inference and finding the code to decompile Alan Mycroft Computer Laboratory, University of Cambridge http://www.cl.cam.ac.uk/users/am/ 30 January 2012 Decompilation, type inference and finding

  1. UNIVERSITY OF CAMBRIDGE Decompilation, type inference and finding the code to decompile Alan Mycroft Computer Laboratory, University of Cambridge http://www.cl.cam.ac.uk/users/am/ 30 January 2012 Decompilation, type inference and finding code 1 30 January 2012

  2. Structure UNIVERSITY OF CAMBRIDGE • Part 1: What is decompilation and why is it hard? • Part 2: Type reconstruction in decompilation Decompilation, type inference and finding code 2 30 January 2012

  3. Problem: given a binary .EXE what does it do? UNIVERSITY OF CAMBRIDGE • Run it: and get a virus • Run it in a sandbox: better • Run it in a program instrumenter (‘dynamic analysis’): even better But any form of dynamic analysis under-approximates program behaviour—consider a trojan which only attacks one username and only on a Sunday evening. Running = testing = only explore some paths. • Decompile it: re-write the binary in a high-level language with the high-level program having exactly the same execution paths as the low-level one. Harder than it sounds (simple cases easy). Decompilation, type inference and finding code 3 30 January 2012

  4. Decompilation—legality UNIVERSITY OF CAMBRIDGE • Isn’t this one of those things which is illegal? Or at best ‘shady’? • Depends. Lost source code, US and EU permit decompilation for interoperability. Always a ‘vaguely suspect’ activity. • New reason: Stuxnet, Duqu. Sophisticated malware written in high-level code. Decompilation, type inference and finding code 4 30 January 2012

  5. Decompilation—techniques UNIVERSITY OF CAMBRIDGE • Not always possible. Read in some code and branch to it, or other various assembler-level tricks such as updating a return address. Not a problem for ‘dynamic binary translation’ (DBT) tools but these effectively use dynamic analysis • Always trivally possible: just prepend an x86 interpreter in your favourite high-level language to the .EXE file. Cheating solution • In practice we need to make some assumptions . . . Decompilation, type inference and finding code 5 30 January 2012

  6. Decompilation—functionality vs beauty UNIVERSITY OF CAMBRIDGE Functionality: “if we decompile foo.exe to foo.c then recompiling to foo2.exe has the same I/O behaviour as foo.exe . Safety—which requires any analysis to be over-estimate behaviour Beauty: “the code is readable to humans” (most of the rest of this talk). While there’s not obviously a conflict, functionality means we must include all possible executions, which include some a human might wish to ignore . . . Decompilation, type inference and finding code 6 30 January 2012

  7. Decompilation—functionality vs beauty (2) UNIVERSITY OF CAMBRIDGE int f(int *p) { p[read()] += 1; // might increment the return address return 0; } int main() { int r,v[10]; putvaluesin(v); r = f(v); // f always returns zero. r++; // perhaps "inc eax" [one byte] print r; } Might this program print 0? What if we only had the assembler code version? We can’t decompile back to the above code, because the compiler (or options) might differ (stack offset between x and return address). For safety we might have to assume that almost every indirect write might overwrite a return address (adding many un-beautiful lines). Decompilation, type inference and finding code 7 30 January 2012

  8. Decompilation—functionality vs beauty (3) UNIVERSITY OF CAMBRIDGE f: pushl %ebp main: pushl %ebp movl %esp, %ebp movl %esp, %ebp pushl %ebx andl $-16, %esp subl $4, %esp pushl %ebx movl 8(%ebp), %ebx subl $76, %esp call read leal 24(%esp), %ebx ;;;;; here eax=-7 hits f’s return address incl (%ebx,%eax,4) movl %ebx, (%esp) addl $4, %esp call putvaluesin xorl %eax, %eax movl %ebx, (%esp) popl %ebx call f popl %ebp incl %eax ret movl %eax, (%esp) call print Decompilation, type inference and finding code 8 30 January 2012

  9. Decompiling .EXE UNIVERSITY OF CAMBRIDGE Needs pipeline: • obtain machine code not always easy if a packer is used, e.g. self extracting archive • obtain assembler code often a choice between readable assembly and missing some execution path • obtain high-level code (reconstruct loops, high-level expressions, types, even classes) again choice between readable source and missing some behaviours. First part of the sub-pipeline here is partitioning the code into procedures—e.g. is a branch between two sections of assembler just a branch, or actually an optimised tailcall? Decompilation, type inference and finding code 9 30 January 2012

  10. Economic argument UNIVERSITY OF CAMBRIDGE Decompilation can easily give a false impression of safety as it can miss malware-style attacks such as buffer overflow. However, even richly funded malware (e.g. Stuxnet) suffers from the “it’s not cost-effective to write everything in machine code” argument, with a result that much of it admits simple decompilation techniques. So, while malware will often contain “zero-day attacks” written in carefully crafted C or assembler, much or the high-level logic (both in malware and non-malware) will be written in “C which means C”. Decompilation, type inference and finding code 10 30 January 2012

  11. Analogy to testing and verification UNIVERSITY OF CAMBRIDGE • Running in a sandbox, or DBT, is like testing . • Can use ‘coverage’ metrics to help identify non-exectuted paths. • Safe decompilation is like verification , we consider all paths. • When disassembling/decompiling for human readability we may ignore some paths (e.g. assumptions of possible destinations of indirect branches). Verification subject to assumptions of various run-time invariants. • Determining whether some paths are feasible is a least-fixed-point problem. E.g. virtual calls can only be determined as targeting a particular destination if we can resolve an alias which is only resolvable if we know the virtual calls only target expected destinations . . . Decompilation, type inference and finding code 11 30 January 2012

  12. Decompilation—which high-level language? UNIVERSITY OF CAMBRIDGE • since assembler code is type-unsafe, we probably need a type-unsafe language to express things. • however if we’ve already given up on some things (e.g. we’re assuming no wild writes change return addresses) then perhaps we are willing to only consider programs with type-sensible data flow? • if we’re decompiling type-safe assembler code (e.g. JVM) we can safely decompile to a type-safe high-level language. • however, may still need to recreate abstract data types whose interface has been compiled away (e.g. generics in Java or ADTs). Decompilation, type inference and finding code 12 30 January 2012

  13. Funtionality and Beauty (partly) reconciled UNIVERSITY OF CAMBRIDGE Could in principle decompile assembler to C which is then compiled with safe-C style checks. • Whenever there is a potential missed behaviour in the generated C (e.g. index out of bounds) then detect this at run-time and refine the decompilation. • Doesn’t work for spotting trojan malware which attempts to stay hidden unless some carefully crafted condition holds.. E.g. Akritidis PhD work on cheap run-time checks for C mis-behaviour.. Decompilation, type inference and finding code 13 30 January 2012

  14. The interpreter problem UNIVERSITY OF CAMBRIDGE What if one carefully decompiles a program and finds out that the .EXE consists of an interpreter (e.g. for some bytecode) which does decompile nicely, followed by another layer of code in some mysterious language? • Start again at the next level • Issues if encryption is added. Decompilation, type inference and finding code 14 30 January 2012

  15. Obfuscation to counter-attack decompilers UNIVERSITY OF CAMBRIDGE There are various ways to make code hard to decompile. One (Lokhmotov’s masters thesis) is: • flatten a general CFG into a loop containing a dispatch to all the basic blocks in the CFG which then branch to the main loop. • dispatcher uses a new variable representing the PC within the original CFG. • can be strengthened by using a one-way hash function on the state. Decompilation, type inference and finding code 15 30 January 2012

  16. The decompilation pipeline UNIVERSITY OF Input: assembler code CAMBRIDGE Output: high-level code (e.g. C) • Partition code into procedures (may need code duplication). Need estimates of targets of indirect branches/calls. • Reconstruct control-flow (e.g. Cifuentes’ work). Irreducible CFG (perhaps produced by compiler optimisation) may need fixing up. • Transform to SSA form. Undoes register allocation etc. • Use dataflow analysis to reconstruct high-level expressions. Note C order-of-evaluation issues with f () + g () versus let x = f () in x + g () versus let y = g () in f () + y . • Generate high-level types, add casts if needed. These task are largely independent—apart from the first. Decompilation, type inference and finding code 16 30 January 2012

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Lecture 16 Decompilation Why decompilation? This course is ostensibly about Optimising

Lecture 16 Decompilation Why decompilation? This course is ostensibly about Optimising

Lecture 16 Decompilation Why decompilation? This course is ostensibly about Optimising Compilers. It is really about program analysis and transformation . Decompilation is achieved through analysis and transformation of target code; the

408 views • 37 slides
Type Inference 75 Definition Type Inference Type inference = Java compiler's ability

Type Inference 75 Definition Type Inference Type inference = Java compiler's ability

Type Inference 75 Definition Type Inference Type inference = Java compiler's ability To look at each method invocation + corresponding declaration In order to determine the type argument (or arguments) that make the

457 views • 11 slides
Why decompilation? This course is ostensibly about Optimising Compilers. It is really about

Why decompilation? This course is ostensibly about Optimising Compilers. It is really about

Why decompilation? This course is ostensibly about Optimising Compilers. It is really about program analysis and transformation . Decompilation is achieved through analysis and transformation of target code; the transformations just work in the

650 views • 35 slides
Trustworthy decompilation: Extracting models of machine code inside an ITP Magnus O. Myreen

Trustworthy decompilation: Extracting models of machine code inside an ITP Magnus O. Myreen

Trustworthy decompilation: Extracting models of machine code inside an ITP Magnus O. Myreen University of Cambridge TEITP 2010 The GCD program in ARM machine code: E1510002 B0422001 C0411002 01AFFFFFB Problems with machine code Formal

660 views • 46 slides
Last time Introduced type inference can write type-safe programs without writing CS 611

Last time Introduced type inference can write type-safe programs without writing CS 611

Last time Introduced type inference can write type-safe programs without writing CS 611 down types explicitly Advanced Programming Languages useful for higher-order functions because types are large, obscure code Andrew Myers

393 views • 3 slides
Hindley-Milner Type Checking Automatic Type Inference What can be inferred about type of f or x

Hindley-Milner Type Checking Automatic Type Inference What can be inferred about type of f or x

CSE340 Principles of Programming Languages Hindley-Milner Type Checking Automatic Type Inference What can be inferred about type of f or x from this definition? f(x) = x Automatic Type Inference f(x) = x f is a function that takes a single

1.31k views • 73 slides
1 Example Bugs Type Qualifiers [Shankar, et al 01] Idea null dereference Add tainted and

1 Example Bugs Type Qualifiers [Shankar, et al 01] Idea null dereference Add tainted and

Finding Bugs Problem Last time What is a bug? a path in the code that causes a run-time exception Alias/Pointer analysis a path through the code that causes incorrect results Today Issues Program Analysis for finding bugs,

214 views • 4 slides
Inference Statistical inference Definition: Definition: The act or process of reaching

Inference Statistical inference Definition: Definition: The act or process of reaching

10/20/2016 Outline Statistics in medicine Inference Lecture 2: Hypothesis testing and inference Hypothesis testing Type I error Type II error Fatma Shebl, MD, MS, MPH, PhD Confidence interval Assistant Professor Chronic

187 views • 6 slides
Where is ML type inference headed? Constraint solving meets local shape inference Franc ois

Where is ML type inference headed? Constraint solving meets local shape inference Franc ois

1 Where is ML type inference headed? Constraint solving meets local shape inference Franc ois Pottier September 2005 Franc ois Pottier Where is ML type inference headed? 2 Types are good A type is a concise description of the behavior

779 views • 60 slides
Succeeding at Search A Job Search on Indeed Finding a job on Indeed Start your search Type the

Succeeding at Search A Job Search on Indeed Finding a job on Indeed Start your search Type the

Succeeding at Search A Job Search on Indeed Finding a job on Indeed Start your search Type the words that target what youre Place screenshot here looking for. Include job title, skill or company name. Include city, state or zip code.

296 views • 18 slides
FINDING TOXIC CODE Experiences and techniques for finding dangerous code in large multi-language

FINDING TOXIC CODE Experiences and techniques for finding dangerous code in large multi-language

FINDING TOXIC CODE Experiences and techniques for finding dangerous code in large multi-language codebases Kornelis (Korny) Sietsma - @kornys on Twitter WHO AM I? 2 WHAT DO I DO NOW? Consulting, Delivery, Agile, Technical excellence And the

630 views • 33 slides
Modular Interpretive Decompilation of Low-Level Code by Partial Evaluation Elvira Albert 1 joint

Modular Interpretive Decompilation of Low-Level Code by Partial Evaluation Elvira Albert 1 joint

Modular Interpretive Decompilation of Low-Level Code by Partial Evaluation Elvira Albert 1 joint work with omez-Zamalloa 1 and Germ an Puebla 2 Miguel G (1) Complutense University of Madrid (Spain) (2) Technical University of Madrid (Spain)

690 views • 56 slides
FE FELI LIX Tes est Fi Firmware Purpos ose type with Hit Finding/Hit Finding Emulator Com

FE FELI LIX Tes est Fi Firmware Purpos ose type with Hit Finding/Hit Finding Emulator Com

FE FELI LIX Tes est Fi Firmware Purpos ose type with Hit Finding/Hit Finding Emulator Com ompatible inter erface ty Add FELIX bloc ock hea eader er and chunk trailer er - Compatible with FELIX FULLMODE data - Identify

267 views • 6 slides
Type inference: Review of the basics 1. For each unknown type, a fresh type variable 2.

Type inference: Review of the basics 1. For each unknown type, a fresh type variable 2.

Type inference: Review of the basics 1. For each unknown type, a fresh type variable 2. Instantiate every variable automatically 3. Every typing rule adds equality constraints 4. Solve constraints to get substitution 5. Apply substitution to

491 views • 16 slides
Certifying OCaml type inference (and other type systems) Jacques Garrigue Nagoya University

Certifying OCaml type inference (and other type systems) Jacques Garrigue Nagoya University

Certifying OCaml type inference (and other type systems) Jacques Garrigue Nagoya University http://www.math.nagoya-u.ac.jp/~garrigue/papers/ Jacques Garrigue Certifying OCaml type inference 1 Whats in OCamls type system Core ML

628 views • 39 slides
From ML to MLF Graphic type constraints with efficient type inference Boris Yakobowski, Didier

From ML to MLF Graphic type constraints with efficient type inference Boris Yakobowski, Didier

From ML to MLF Graphic type constraints with efficient type inference Boris Yakobowski, Didier R emy Who? Where? INRIA, Gallium team ICFP 2008 When? MLF Extends both ML and System F, combining the benefits of both Compared to ML The

590 views • 33 slides
Composer 2.0 Nils Adermann @naderman Private Packagist https://packagist.com Goals for 2.0

Composer 2.0 Nils Adermann @naderman Private Packagist https://packagist.com Goals for 2.0

Composer 2.0 Nils Adermann @naderman Private Packagist https://packagist.com Goals for 2.0 Performance Improvements - - Better reproducibility - Most serious 1.x bugs are edge cases which are difficult to debug and hard to reproduce -

609 views • 28 slides
First Investigations on Self Trained Speaker Diarization el Le Lan 1 , 2 Sylvain Meignier 2 Ga

First Investigations on Self Trained Speaker Diarization el Le Lan 1 , 2 Sylvain Meignier 2 Ga

First Investigations on Self Trained Speaker Diarization el Le Lan 1 , 2 Sylvain Meignier 2 Ga Delphine Charlet 1 Anthony Larcher 2 1 Orange Labs, France first.lastname@orange.com 2 LIUM, Universit e du Maine, France

449 views • 33 slides
Saratoga a Delay-Tolerant Networking convergence layer with efficient link utilization Wesley

Saratoga a Delay-Tolerant Networking convergence layer with efficient link utilization Wesley

Saratoga a Delay-Tolerant Networking convergence layer with efficient link utilization Wesley M. Eddy co-authors: Lloyd Wood (Cisco Systems) Verizon / NASA GRC Wesley M. Eddy (Verizon / NASA GRC) Will Ivancic (NASA Glenn Research Center)

573 views • 15 slides
The Problem Distributed Denial of Service Attacks and Defenses CS 239 Advanced Topics in

The Problem Distributed Denial of Service Attacks and Defenses CS 239 Advanced Topics in

The Problem Distributed Denial of Service Attacks and Defenses CS 239 Advanced Topics in Network Security Peter Reiher May 3, 2006 Lecture 9 Lecture 9 Page 1 Page 2 CS 239, Spring 2006 CS 239, Spring 2006 Distributed Denial of Service

500 views • 4 slides
t t t

t t t

t s tr r t t t

1.05k views • 31 slides
Software Testing Lecture 7 Property Based Testing Justin Pearson 2019 1 / 17 When are there

Software Testing Lecture 7 Property Based Testing Justin Pearson 2019 1 / 17 When are there

Software Testing Lecture 7 Property Based Testing Justin Pearson 2019 1 / 17 When are there enough unit tests? Lets look at a really simple example. import u n i t t e s t def add ( x , y ) : return x+y class TestAddition ( u n i t t e s t

352 views • 17 slides
Eclipse Project 3.3 Release Review Eclipse Project PMC 1 Highlights 3.3 new features:

Eclipse Project 3.3 Release Review Eclipse Project PMC 1 Highlights 3.3 new features:

Eclipse Project 3.3 Release Review Eclipse Project PMC 1 Highlights 3.3 new features: Vista support, Java6 (JSR 269, JSR 199), UI usability/appearance enhancements, Early Access WPF port, Eclipse on the server, JNI launcher and

821 views • 40 slides
Low power, small die-size PLL using semi-digital storage instead of big loop filter capacitance

Low power, small die-size PLL using semi-digital storage instead of big loop filter capacitance

Low power, small die-size PLL using semi-digital storage instead of big loop filter capacitance Presented by: Markus Dietl 1 Outline Conventional PLL design approach / Proposed PLL design architecture Circuit description of major blocks

481 views • 25 slides

More recommend