dynamic analysis kung fu with panda
play

Dynamic Analysis Kung-Fu with PANDA This work is sponsored in part - PowerPoint PPT Presentation

Sep 01, 2022 •240 likes •913 views

Dynamic Analysis Kung-Fu with PANDA This work is sponsored in part under Air Force contract FA8721- 05-C-0002. Opinions, interpretations, conclusions, and recommendations are those of the authors and are not necessarily endorsed by the

  1. Dynamic Analysis Kung-Fu with PANDA This work is sponsored in part under Air Force contract FA8721- 05-C-0002. Opinions, interpretations, conclusions, and recommendations are those of the authors and are not necessarily endorsed by the United States Government. Georgia Tech Brendan Dolan-Gavitt MIT Lincoln Lab Tim Leek MIT Lincoln Lab Josh Hodosh MIT Lincoln Lab Ryan Whelan

  2. About Me (moyix) • PhD student at Georgia Tech • Some stuff I’ve done • pdbparse – python parser for MS PDBs • Volatility – VAD plugins, volshell, GUI analysis • PANDA – what this talk is about!

  4. What is PANDA? • P latform for • A rchitecture • N eutral • D ynamic • A nalysis

  5. What is PANDA? You can write plugins • P latform for • A rchitecture • N eutral • D ynamic • A nalysis

  6. What is PANDA? You can write plugins • P latform for Supports x86, ARM � • A rchitecture and MIPS • N eutral • D ynamic • A nalysis

  7. What is PANDA? You can write plugins • P latform for Supports x86, ARM � • A rchitecture and MIPS • N eutral • D ynamic Static analysis is hard • A nalysis

  8. What is PANDA? You can write plugins • P latform for Supports x86, ARM � • A rchitecture and MIPS • N eutral • D ynamic Static analysis is hard • A nalysis (and often imprecise, � slow, hard to scale)

  9. Features • Based on QEMU 1.0.1 • Deterministic record/replay • Translation to LLVM for all QEMU architectures (extended from S2E code) • Android emulator support • Plugin architecture – easy to extend to new analyses

  10. Record/Replay CPU Outside World == Friday? == 0x45? >= 0x80?

  11. Record/Replay CPU Outside World Get Current Date == Fri May 23 11:33:27 Friday? == 0x45? >= 0x80?

  12. Record/Replay CPU Outside World Get Current Date == Fri May 23 11:33:27 Friday? == 0x45? >= 0x80?

  13. Record/Replay CPU Outside World Get Current Date == Fri May 23 11:33:27 Friday? 0x0000: 4500 002c 0000 4000 0x0008: 4006 6b48 127e 0021 Recv Packet == 0x0010: 5dae 5f37 01bb bed4 0x0018: fccd 820f d690 0847 0x45? 0x0020: 6012 3908 cfa2 0000 0x0028: 0204 05b4 >= 0x80?

  14. Record/Replay CPU Outside World Get Current Date == Fri May 23 11:33:27 Friday? 0x0000: 4500 002c 0000 4000 0x0008: 4006 6b48 127e 0021 Recv Packet == 0x0010: 5dae 5f37 01bb bed4 0x0018: fccd 820f d690 0847 0x45? 0x0020: 6012 3908 cfa2 0000 0x0028: 0204 05b4 >= 0x80?

  15. Record/Replay CPU Outside World Get Current Date == Fri May 23 11:33:27 Friday? 0x0000: 4500 002c 0000 4000 0x0008: 4006 6b48 127e 0021 Recv Packet == 0x0010: 5dae 5f37 01bb bed4 0x0018: fccd 820f d690 0847 0x45? 0x0020: 6012 3908 cfa2 0000 0x0028: 0204 05b4 >= 0x80?

  16. Record/Replay CPU Outside World Get Current Date == Fri May 23 11:33:27 Friday? 0x0000: 4500 002c 0000 4000 0x0008: 4006 6b48 127e 0021 Recv Packet == 0x0010: 5dae 5f37 01bb bed4 0x0018: fccd 820f d690 0847 0x45? 0x0020: 6012 3908 cfa2 0000 0x0028: 0204 05b4 Record Log >= 0x80?

  17. Sharing is Caring

  18. LLVM Translation 0x8260a634: push esp 0x8260a635: push ebp 0x8260a636: push ebx 0x8260a637: push esi 0x8260a638: push edi 0x8260a639: sub esp,0x54 0x8260a63c: mov ebp,esp 0x8260a63e: mov DWORD PTR [ebp+0x44],eax 0x8260a641: mov DWORD PTR [ebp+0x40],ecx 0x8260a644: mov DWORD PTR [ebp+0x3c],edx 0x8260a647: test DWORD PTR [ebp+0x70],0x20000 0x8260a64e: jne 0x8260a60c

  19. LLVM Translation movi_i64 tmp4,$0x8260a634 st_i64 tmp4,env,$0x80 ---- 0x8260a634 movi_i64 tmp12,$0x8260a634 st_i64 tmp12,env,$0xdae0 ld_i64 tmp12,env,$0xdad0 movi_i64 tmp13,$0x1 add_i64 tmp12,tmp12,tmp13 st_i64 tmp12,env,$0xdad0 mov_i64 tmp0,rsp mov_i64 tmp2,rsp movi_i64 tmp12,$0xfffffffffffffffc add_i64 tmp2,tmp2,tmp12 movi_i64 tmp12,$0xffffffff and_i64 tmp2,tmp2,tmp12 [ … ]

  20. LLVM Translation define private i64 @tcg-llvm-tb-0-8260a634(i64*) { entry: %1 = getelementptr i64* %0, i32 0 %env_v = load i64* %1 %2 = add i64 %env_v, 128 %3 = inttoptr i64 %2 to i64* store i64 2187372084, i64* %3 store volatile i64 2, i64* inttoptr (i64 29543856 to i64*) store volatile i64 2187372084, i64* inttoptr (i64 29543864 to i64*) %4 = add i64 %env_v, 56032 %5 = inttoptr i64 %4 to i64* store i64 2187372084, i64* %5 %6 = add i64 %env_v, 56016 [ … ]

  21. Android Emulation • Supports Android 2.x – 4.2 • Can make phone calls, send SMS, run native apps • Record/replay • Introspection into Android apps (Dalvik-level) for Android 2.3 (from DroidScope) • System-level introspection supported on all Android versions

  22. Plugin Architecture • Extend PANDA by writing plugins • Implement functions that take action at various instrumentation points • Can also instrument generated code in LLVM mode

  23. Translation Execution Guest Code TCG IR � � Basic Block 0x8260a634: push esp movi_i64 tmp12,$0x8260a634 0x8260a635: push ebp st_i64 tmp12,env,$0xdae0 0x8260a636: push ebx ld_i64 tmp12,env,$0xdad0 LLVM IR � %2 = add i64 %env_v, 128 %3 = inttoptr i64 %2 to i64* store i64 2187372084, i64* %3 � Basic Block � Basic Block

  24. Translation Execution PANDA_CB_BEFORE_BLOCK_TRANSLATE Guest Code TCG IR � � Basic Block 0x8260a634: push esp movi_i64 tmp12,$0x8260a634 0x8260a635: push ebp st_i64 tmp12,env,$0xdae0 0x8260a636: push ebx ld_i64 tmp12,env,$0xdad0 LLVM IR � %2 = add i64 %env_v, 128 %3 = inttoptr i64 %2 to i64* store i64 2187372084, i64* %3 � Basic Block � Basic Block

  25. Translation Execution PANDA_CB_BEFORE_BLOCK_TRANSLATE Guest Code TCG IR � � Basic Block 0x8260a634: push esp movi_i64 tmp12,$0x8260a634 0x8260a635: push ebp st_i64 tmp12,env,$0xdae0 0x8260a636: push ebx ld_i64 tmp12,env,$0xdad0 LLVM IR � %2 = add i64 %env_v, 128 %3 = inttoptr i64 %2 to i64* store i64 2187372084, i64* %3 � PANDA_CB_INSN_TRANSLATE Basic Block � Basic Block

  26. Translation Execution PANDA_CB_BEFORE_BLOCK_TRANSLATE Guest Code TCG IR � � Basic Block 0x8260a634: push esp movi_i64 tmp12,$0x8260a634 0x8260a635: push ebp st_i64 tmp12,env,$0xdae0 0x8260a636: push ebx ld_i64 tmp12,env,$0xdad0 LLVM IR � %2 = add i64 %env_v, 128 %3 = inttoptr i64 %2 to i64* store i64 2187372084, i64* %3 � PANDA_CB_INSN_TRANSLATE Basic Block PANDA_CB_AFTER_BLOCK_TRANSLATE � Basic Block

  27. Translation Execution PANDA_CB_BEFORE_BLOCK_TRANSLATE PANDA_CB_BEFORE_BLOCK_EXEC Guest Code TCG IR � � Basic Block 0x8260a634: push esp movi_i64 tmp12,$0x8260a634 0x8260a635: push ebp st_i64 tmp12,env,$0xdae0 0x8260a636: push ebx ld_i64 tmp12,env,$0xdad0 LLVM IR � %2 = add i64 %env_v, 128 %3 = inttoptr i64 %2 to i64* store i64 2187372084, i64* %3 � PANDA_CB_INSN_TRANSLATE Basic Block PANDA_CB_AFTER_BLOCK_TRANSLATE � Basic Block

  28. Translation Execution PANDA_CB_BEFORE_BLOCK_TRANSLATE PANDA_CB_BEFORE_BLOCK_EXEC Guest Code TCG IR � � Basic Block 0x8260a634: push esp movi_i64 tmp12,$0x8260a634 0x8260a635: push ebp st_i64 tmp12,env,$0xdae0 0x8260a636: push ebx ld_i64 tmp12,env,$0xdad0 LLVM IR PANDA_CB_AFTER_BLOCK_EXEC � %2 = add i64 %env_v, 128 %3 = inttoptr i64 %2 to i64* store i64 2187372084, i64* %3 � PANDA_CB_INSN_TRANSLATE Basic Block PANDA_CB_AFTER_BLOCK_TRANSLATE � Basic Block

  29. Translation Execution PANDA_CB_BEFORE_BLOCK_TRANSLATE PANDA_CB_BEFORE_BLOCK_EXEC Guest Code TCG IR � � Basic Block 0x8260a634: push esp movi_i64 tmp12,$0x8260a634 0x8260a635: push ebp st_i64 tmp12,env,$0xdae0 0x8260a636: push ebx ld_i64 tmp12,env,$0xdad0 LLVM IR PANDA_CB_AFTER_BLOCK_EXEC � %2 = add i64 %env_v, 128 %3 = inttoptr i64 %2 to i64* store i64 2187372084, i64* %3 � PANDA_CB_INSN_TRANSLATE Basic Block PANDA_CB_AFTER_BLOCK_TRANSLATE PANDA_CB_VIRT_MEM_READ PANDA_CB_VIRT_MEM_WRITE PANDA_CB_PHYS_MEM_READ PANDA_CB_PHYS_MEM_WRITE � Basic Block

  30. Translation Execution PANDA_CB_BEFORE_BLOCK_TRANSLATE PANDA_CB_BEFORE_BLOCK_EXEC Guest Code TCG IR � � Basic Block 0x8260a634: push esp movi_i64 tmp12,$0x8260a634 0x8260a635: push ebp st_i64 tmp12,env,$0xdae0 0x8260a636: push ebx ld_i64 tmp12,env,$0xdad0 LLVM IR PANDA_CB_AFTER_BLOCK_EXEC � %2 = add i64 %env_v, 128 %3 = inttoptr i64 %2 to i64* store i64 2187372084, i64* %3 � PANDA_CB_INSN_TRANSLATE Basic Block PANDA_CB_AFTER_BLOCK_TRANSLATE PANDA_CB_VIRT_MEM_READ PANDA_CB_VIRT_MEM_WRITE PANDA_CB_PHYS_MEM_READ PANDA_CB_PHYS_MEM_WRITE � Basic Block PANDA_CB_GUEST_HYPERCALL

  31. And many more… • On HDD read / write • Network packet send / receive • When page directory base changes (e.g., CR3) • When replay starts

  32. What Can You Do With It? • An answer in three demos: • Using taint to analyze a backdoored ssh- keygen • Breaking Spotify DRM • Live memory visualization with Hilbert curves

  33. Scenario • Backdoored ssh-keygen that exfiltrates passphrase and private key • We’re going to analyze: 1. Take recording of ssh-keygen 2. Run replay, taint the passphrase 3. What’s that tainted data doing in send() ?

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

PanDA in Nutshell PanDA = Production and Distributed Analysis System Designed to meet

PanDA in Nutshell PanDA = Production and Distributed Analysis System Designed to meet

PanDA Tadashi Maeno (BNL) NPPS meeting, Jun 19 PanDA in Nutshell PanDA = Production and Distributed Analysis System Designed to meet ATLAS production/analysis requirements for a data-driven workload management system capable of

553 views • 10 slides
Statistics and Data Analysis Regression Analysis (3) Ling-Chieh Kung Department of Information

Statistics and Data Analysis Regression Analysis (3) Ling-Chieh Kung Department of Information

Residual analysis Case study: bike rentals Statistics and Data Analysis Regression Analysis (3) Ling-Chieh Kung Department of Information Management National Taiwan University Regression Analysis (3) 1 / 21 Ling-Chieh Kung (NTU IM)

460 views • 21 slides
Panda: Production and Distributed Analysis System Tadashi Maeno (BNL) on behalf of PANDA team

Panda: Production and Distributed Analysis System Tadashi Maeno (BNL) on behalf of PANDA team

Panda: Production and Distributed Analysis System Tadashi Maeno (BNL) on behalf of PANDA team Overview PanDA Production and Distributed Analysis Designed for analysis as well as production New system developed by US ATLAS team

186 views • 18 slides
Statistics and Data Analysis Regression Analysis (1) Ling-Chieh Kung Department of Information

Statistics and Data Analysis Regression Analysis (1) Ling-Chieh Kung Department of Information

Introduction Least square approximation Model validation Variable transformation and selection Statistics and Data Analysis Regression Analysis (1) Ling-Chieh Kung Department of Information Management National Taiwan University Regression

501 views • 37 slides
Statistics and Data Analysis Descriptive Statistics (2): Summarization Ling-Chieh Kung

Statistics and Data Analysis Descriptive Statistics (2): Summarization Ling-Chieh Kung

Central tendency Variability Correlation Statistics and Data Analysis Descriptive Statistics (2): Summarization Ling-Chieh Kung Department of Information Management National Taiwan University Descriptive Statistics 1 / 33 Ling-Chieh Kung

338 views • 33 slides
Statistics and Data Analysis Regression Analysis (2) Ling-Chieh Kung Department of Information

Statistics and Data Analysis Regression Analysis (2) Ling-Chieh Kung Department of Information

Ticket selling Indicator variables Interaction among variables Endogeneity Statistics and Data Analysis Regression Analysis (2) Ling-Chieh Kung Department of Information Management National Taiwan University Regression Analysis (2) 1 / 35

457 views • 35 slides
Model Checking Dynamic Datapaths Aurojit Panda, Katerina Argyraki, Scott Shenker UC Berkeley,

Model Checking Dynamic Datapaths Aurojit Panda, Katerina Argyraki, Scott Shenker UC Berkeley,

Model Checking Dynamic Datapaths Aurojit Panda, Katerina Argyraki, Scott Shenker UC Berkeley, ICSI, EPFL Networks: Not Just for Delivery Enforce a variety of invariants: Packet Isolation: Packets from A can not reach B Content

585 views • 42 slides
Introduction to Dynamic Analysis Reference material Introduction to dynamic analysis Zhu,

Introduction to Dynamic Analysis Reference material Introduction to dynamic analysis Zhu,

Introduction to Dynamic Analysis Reference material Introduction to dynamic analysis Zhu, Hong, Patrick A. V. Hall, and John H. R. May, "Software Unit Test Coverage and Adequacy," ACM Computing Surveys, vol. 29, no.4, pp.

1.03k views • 58 slides
Statistics and Data Analysis A Brief Introduction to Data Mining Ling-Chieh Kung Department of

Statistics and Data Analysis A Brief Introduction to Data Mining Ling-Chieh Kung Department of

Classification Association Clustering Statistics and Data Analysis A Brief Introduction to Data Mining Ling-Chieh Kung Department of Information Management National Taiwan University Introduction to Data Mining 1 / 59 Ling-Chieh Kung (NTU

713 views • 59 slides
MA111: Contemporary mathematics Exam is Nov 19. HW is due Nov 19. Context: How to share? The

MA111: Contemporary mathematics Exam is Nov 19. HW is due Nov 19. Context: How to share? The

. $ 6 Today we investigate fair division. The friends are leaving the store, who should get which movie? $9 $12 $ 6 WALL-E $9 $ 6 $12 Kung Fu Panda $6 $ 6 . Momma Mia! Chad Bart Adam They each think they paid for different movies:

290 views • 9 slides
Physics Analysis Concepts with PandaRoot (3) PANDA Lecture Week 2017 GSI, Dec 11 - 15, 2017

Physics Analysis Concepts with PandaRoot (3) PANDA Lecture Week 2017 GSI, Dec 11 - 15, 2017

Physics Analysis Concepts with PandaRoot (3) PANDA Lecture Week 2017 GSI, Dec 11 - 15, 2017 Klaus Gtzen GSI Darmstadt Topics Effective Analysis - Working with ROOT TTrees Event Generators: EvtGen, DPM, FTF, Box Generator

1.22k views • 51 slides
Statistics and Data Analysis Introduction to Probability (1) Ling-Chieh Kung Department of

Statistics and Data Analysis Introduction to Probability (1) Ling-Chieh Kung Department of

Basic concepts Independent events Random variables Descriptive measurements Statistics and Data Analysis Introduction to Probability (1) Ling-Chieh Kung Department of Information Management National Taiwan University Introduction to

287 views • 27 slides
Management Strategies and Dynamic Financial Analysis Dynamic Financial Analysis CAS Spring

Management Strategies and Dynamic Financial Analysis Dynamic Financial Analysis CAS Spring

Management Strategies and Dynamic Financial Analysis Dynamic Financial Analysis CAS Spring Meeting Martin Eling, University of Ulm Thomas Parnitzke, Baloise Holding San Diego, May 23-26, 2010 Hato Schmeiser, University of St. Gallen Hato

639 views • 30 slides
Physics Analysis Concepts with PandaRoot (3) PANDA Computing Week 2017 Nakhon Ratchasima,

Physics Analysis Concepts with PandaRoot (3) PANDA Computing Week 2017 Nakhon Ratchasima,

Physics Analysis Concepts with PandaRoot (3) PANDA Computing Week 2017 Nakhon Ratchasima, Thailand, July 3 - 7, 2017 Klaus Gtzen GSI Darmstadt Topics Effective Analysis - Working with ROOT TTrees Event Generators: EvtGen, DPM,

808 views • 51 slides
Analysis Tools in PandaRoot GlueX PANDA Workshop 2019 Washington, GW, May 3 - 5, 2019 Klaus

Analysis Tools in PandaRoot GlueX PANDA Workshop 2019 Washington, GW, May 3 - 5, 2019 Klaus

Analysis Tools in PandaRoot GlueX PANDA Workshop 2019 Washington, GW, May 3 - 5, 2019 Klaus Gtzen GSI Darmstadt Topics Performing analysis Only briefly The Rho Analysis Framework discussed PandaRoot Tools Previewing

1.34k views • 94 slides
Physics Analysis Concepts with PandaRoot (1) PANDA Computing Week 2017 Nakhon Ratchasima,

Physics Analysis Concepts with PandaRoot (1) PANDA Computing Week 2017 Nakhon Ratchasima,

Physics Analysis Concepts with PandaRoot (1) PANDA Computing Week 2017 Nakhon Ratchasima, Thailand, July 3 - 7, 2017 Klaus Gtzen GSI Darmstadt Topics Data Levels Data Access (PndAnalysis) Analysis Basics Particle Candidates

727 views • 37 slides
An Efficient Black-box Technique for Defeating Web Application Attacks R. Sekar S tony Brook

An Efficient Black-box Technique for Defeating Web Application Attacks R. Sekar S tony Brook

An Efficient Black-box Technique for Defeating Web Application Attacks R. Sekar S tony Brook University (Research supported by DARPA, NS F and ONR) 2/9/2009 Example: SquirrelMail Command Injection Attack: use maliciously Incom ing

747 views • 21 slides
Amgen Investor Event 2014 ACC Scientific Session March 30, 2014 Safe Harbor Statement This

Amgen Investor Event 2014 ACC Scientific Session March 30, 2014 Safe Harbor Statement This

Amgen Investor Event 2014 ACC Scientific Session March 30, 2014 Safe Harbor Statement This presentation contains forward-looking statements that are based on managements current expectations and beliefs and are subject to a number of risks,

839 views • 40 slides
Introduction to Artificial Intelligence Local Search Janyl Jumadinova September 19, 2016

Introduction to Artificial Intelligence Local Search Janyl Jumadinova September 19, 2016

Introduction to Artificial Intelligence Local Search Janyl Jumadinova September 19, 2016 Evaluation Completeness : Is the algorithm guaranteed to find a solution when there is one? Optimality : Does the strategy find the optimal

549 views • 20 slides
LCS 11: Cognitive Science quickly you hardly catch it going? Its really all memory ...except

LCS 11: Cognitive Science quickly you hardly catch it going? Its really all memory ...except

Has it ever struck you ...that life is Pomona College all memory, except for the one present moment that goes by so LCS 11: Cognitive Science quickly you hardly catch it going? Its really all memory ...except for Memory - long and short

396 views • 10 slides
Thy Kingdom Come [A STUDY THROUGH MATTHEWS GOSPEL] QUESTIONS FOR DISCUSSION & DISCOVERY 1.

Thy Kingdom Come [A STUDY THROUGH MATTHEWS GOSPEL] QUESTIONS FOR DISCUSSION & DISCOVERY 1.

APRIL 10, 2016 SERMON NOTES Salt/Light Matthew 5:13-16 Pastor John Sloan Introduction : Come closer. Surrounded by peasants, the religious brass, and curious observers, Jesus beckons for his disciples to lean in and listen. When they do,

393 views • 3 slides
Tor and circumvention: Lessons learned Nick Mathewson The Tor Project https://torproject.org/

Tor and circumvention: Lessons learned Nick Mathewson The Tor Project https://torproject.org/

Tor and circumvention: Lessons learned Nick Mathewson The Tor Project https://torproject.org/ 1 What is Tor? Online anonymity 1) open source software, 2) network, 3) protocol Community of researchers, developers, users, and relay operators

1.03k views • 68 slides
Introduction: In this 21 st century the cognitive impairment and oxidative stress were most

Introduction: In this 21 st century the cognitive impairment and oxidative stress were most

MOL2NET , 2018 , 4, ISSN : 2624-5078, ISBN : 978-3-03842-820-6 http://sciforum.net/conference/mol2net-04 1 MDPI MOL2NET, International Conference Series on Multidisciplinary Sciences PHYTOCHEMICAL AND PHARMACOLOGICAL EVALUATION OF ANTI-AMNESIC

583 views • 13 slides
Division of labor Parietal: Where are things relative to me? (ego) RSC: Where am I and which

Division of labor Parietal: Where are things relative to me? (ego) RSC: Where am I and which

3/3/17 1 Division of labor Parietal: Where are things relative to me? (ego) RSC: Where am I and which direction am I facing? Hippocampus: (allo) Where are other places? PPA: what is this? 1 3/3/17 Neural Navigation I: constructing a

369 views • 17 slides

More recommend