dyninst a binary analysis and modification framework
play

Dyninst: A Binary Analysis and Modification Framework Jeffrey K. - PowerPoint PPT Presentation

Feb 15, 2023 •250 likes •492 views

Dyninst: A Binary Analysis and Modification Framework Jeffrey K. Hollingsworth Ray Chen University of Maryland Department of Computer Science University of Maryland Binary modification Behavior Attack Detection Analysis Binary Program

  1. Dyninst: A Binary Analysis and Modification Framework Jeffrey K. Hollingsworth Ray Chen University of Maryland Department of Computer Science University of Maryland

  2. Binary modification Behavior Attack Detection Analysis Binary Program Optimization Performance 1d8d481674c08548530033 0019058b48854808c38348 Analysis Binary Modified 08438b48d0ff0033000c00 Modification 00441f0f660000441f0fc3 Binary Program 5bf175c01d8d481674c085 Toolkit 48530032ff1058b4885480 1d8d481674c08548530033 Fault Diagnosis 8c3834808438b48d0ff003 0019058b48854808c38348 2ffc490909090909090909 08438b48d0ff0033000c00 b1eb000001003337a205c 09090c35bf175c00000000 00441f0f660000441f0fc3 0801f0f00000000801f0fc 5bf175c01d8d481674c085 3f300000000801f0f00014 Cyberforensics 48530032ff1058b4885480 f82474894cf0246c894ce 427e808ec8348 8c3834808438b48d0ff003 2ffc490909090909090909 09090c35bf175c00000000 64894ccd8948d8245c894 0801f0f00000000801f0fc 3f300000000801f0f00014 Testing Modification 427e808ec8348 fab70f087448503966003 Requests Simulation Debugging Dynamic Program Auditing (“Hot”) Patching University of Maryland

  3. Uses For Runtime Code Patching  Security & Testing – Code coverage testing – Monitoring (dynamic taint analysis)  Correctness debugging – Fast conditional breakpoints – Data breakpoints  Execution driven simulation – Architecture studies University of Maryland

  4. Why Binary Analysis and Manipulation?  It’s what runs on the computer  All compiled languages (more or less) look the same as a binary  No Source Code Required – For commercial and malware, often not available  Implicitly Picks up compiler issues – Security problems due to compiler bugs University of Maryland

  5. What is Dyninst?  API for – binary analysis – binary re-writing – runtime patching  Features – Generates info about the binary • Example: Recover control flow graphs – New code can be added to programs during execution • Permits instrumentation and modification – Provides processor independent abstractions – Platform independent patching • API abstracts away OS, hardware differences University of Maryland

  6. Dyninst Design Philosophy  Use Any Data Available – Debug symbols – Dynamic Linker info – Binary Analysis within Dyninst – User Supplied Info  Work when any source of data is missing – Stripped binaries – Static linked program – Obfuscated binaries University of Maryland

  7. Type & Variable Support in Dyninst  Access to local (stack) variables  Complex types – non-integer scalars – structures – arrays – Fortran common blocks  Example: Correctness debugging – print contents of data structures University of Maryland

  8. Representing New Code Snippets  Platform Independent Representation – Same code can be inserted into apps on any system  Simple Abstract Syntax Tree – Can refer to application state (variables & params) – Includes simple looping construct – Permits calls to application subroutines  Type Checking – Ensures that snippets are type compatible – Based on structural equivalence • allows flexibility when adding new code University of Maryland

  9. Snippet Example if (flagVar == 0) fdVar = open(filename, ...) BPatch_ifExpr BPatch_boolExpr(BPatch_eq, …) BPatch_arithExpr(BPatch_assign, …) BPatch_variableExpr BPatch_constExpr(0) flagVar BPatch_VariableExpr BPatch_funcCallExpr fdVar BPatch_Vector BPatch_constExpr( filename ) BPatch_function “open” BPatch_constExpr(O_WRONLY | O_CREAT) BPatch_constExpr(0666) University of Maryland

  10. Memory Instrumentation  Dynamic memory access instrumentation – collect low level memory accesses – with the flexibility of dynamic instrumentation  Possible applications – tools to catch memory errors – offline performance analysis (Sigma etc.) – online optimization University of Maryland

  11. Memory Instrumentation Features  Finding memory access instructions – loads, stores, prefetches  Builds on Arbitrary Instrumentation  Decoded instruction information – type of instruction – constants and registers involved in computing • the effective address • the number of bytes moved – available in the mutator before execution  Memory access snippets – effective address in process space – byte count – available in mutatee at execution time University of Maryland

  12. Runtime Binary Modification Mutator Mutatee Mutator App Application API Code Dyninst Machine Code Dependent Snippets Code Run-time Library Ptrace or procfs University of Maryland

  13. Static Binary Rewriting in Dyninst Mutatee DyninstAPI a.out Process rewritten Process Control a.out a.out libc.so Parsing rewritten SymtabAPI libapp.so libc.so libapp.so Instrumentation libapp.so University of Maryland

  14. A Static Binary Rewriter  Binary Rewriter Capabilities – Instrument once, run many times – Run instrumented binaries on systems without dynamic instrumentation (e.g. some embedded systems). – Perform static analysis without running a binary  Operates on unmodified binaries. – No debug information required – No linker relocations required – No symbols required  Same abstractions and interfaces as online rewriter. Binary Rewriting University of Maryland

  15. Static Vs. Dynamic Rewriting Static Rewriting Dynamic Instrumentation  Faster instrumentation  Insert and Remove insertion. instrumentation at run time.  Amortize parsing and  Execute instrumentation at instrumentation time a particular time across multiple runs. (oneTimeCode).  Easier to port.  Respond to run time events (shared library loads, exec, …). Binary Rewriting University of Maryland

  16. BPatch_addressSpace  Use BPatch_addressSpace for static and dynamic code instrumentation. if (use_bin_edit) addr_space = bpatch.openFile(...); else addr_space = bpatch.attachProcess(...); ... addr_space->getImage()->findFunction(...); addr_space->insertSnippet(...); addr_space->replaceFunction(...); University of Maryland

  17. Example Use: Rewriting Symbols Tables  Add a function symbol to a binary: /* Open a file */ Symtab *symt; Symtab::openFile(symt, “a.out”); /* Add Symbol */ symt- >createFunction(“func1” /*name*/, 0x1000 /*offset*/, 100 /*size*/); /* Write new binary */ symt- >emit(“rewritten.out”); University of Maryland

  18. Sensitivity-resistant code relocation  Preserve visible behavior – Relationship of input to output  Identify sensitive instructions – Those whose behavior is changed  Compensate for externally sensitive instructions – Those whose sensitivity affects visible behavior  Approach – Binary analysis (slicing, symbolic execution) – Code generation – Runtime checks University of Maryland

  19. Sensitivity Code Replacement Effects Actions Code-as-Data Modified Binary (P’) (CAD) Sensitive Overwriting code Instructions that read or write original code Program Counter (PC) Sensitive Moved instructions that use the PC Moving code Control Flow Modified Code (CF) Sensitive Instructions whose successors were moved Allocated-vs-Unallocated (AVU) Sensitive Adding code Instructions that test allocated memory University of Maryland

  20. Example compensation transformations PC Sensitive push $(orig_ret_addr) call printf jmp printf CAD/AVU Sensitive cmp %eax, $textEnd jge L1 mov $offset(%eax), %ebx mov (%eax), %ebx jmp L2 L1: mov (%eax), %ebx L2: ... Efficient group transformation (PC/CF Sensitive) call ebx_thunk ebx_thunk: mov $(ret_addr), %ebx mov (%esp), %ebx ret University of Maryland

  21. Experiments: code relocation  Verify preservation of behavior on sensitive binaries – Instrument synthetic malware samples – Samples should execute with unchanged behavior  Evaluate overall performance – Null instrumentation of SPEC CPU 2006 benchmarks, Apache, and MySQL – Sensitivity-resistant code relocation should reduce overhead – Group transformations should benefit on Apache/MySQL University of Maryland

  22. Results: behavior preservation Packer Tool Market share CAD sensitive Anti-debug Success ✓ PolyEnE_CAD 6.21% yes EXECryptor 4.06% yes yes Themida 2.95% yes yes ✓ PECompact_CAD 2.59% yes ✓ ASProtect 0.43% yes Armadillo 0.37% yes yes Yoda’s Protector ✓ 0.33% yes yes • S-R relocation succeeded on four additional packers • Failures are due to anti-debug techniques not yet addressed University of Maryland

  23. The Dyninst Team  Maryland  Wisconsin – Jeff Hollingsworth – Bart Miller – Ray Chen – Bill Williams – Tugrul Ince – Andrew Bernat – Chester Lam – Michael Brim – Mike Lam – Wenbin Fang – Geoff Stoker – Emily Jacobson – Philip Yang – Xiaozhu Meng – Yifan Zhou – Kevin Roundy – Evan Samanas – Ben Welton University of Maryland – ….

  24. Summary  Dyninst Provides – Multi Architecture Support (x86, Power) – Multi OS Support (Windows, Linux, AIX, VxWorks) – Multi Compilter (Intel, Microsoft, GCC, PGI, Cray) – Toolkit approach • Uses as little or as much as you want  Dyninst is Mature – Commercial Products from IBM & SGI – Used in many third party open source tools  More Information – www.dyninst.org University of Maryland

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Dyninst Scalable Tools Workshop Granlibakken Resort Lake Tahoe, California Dyninst Scalable

Dyninst Scalable Tools Workshop Granlibakken Resort Lake Tahoe, California Dyninst Scalable

Dyninst Scalable Tools Workshop Granlibakken Resort Lake Tahoe, California Dyninst Scalable Tools Workshop A Brief Introduction to Dyninst Dyninst: a tool for static and dynamic binary instrumentation and modification 2 Dyninst Scalable

711 views • 47 slides
Recent and Upcoming Advances in the Dyninst Toolkits Sasha Nicolas and Xiaozhu Meng Paradyn

Recent and Upcoming Advances in the Dyninst Toolkits Sasha Nicolas and Xiaozhu Meng Paradyn

Recent and Upcoming Advances in the Dyninst Toolkits Sasha Nicolas and Xiaozhu Meng Paradyn Project Petascale Tools Workshop Solitude, UT July 8-12, 2018 A Brief Introduction to Dyninst Dyninst: a tool for static and dynamic binary

575 views • 25 slides
Recent and Upcoming Advances in the Dyninst Toolkits Bill Williams Paradyn Project Petascale

Recent and Upcoming Advances in the Dyninst Toolkits Bill Williams Paradyn Project Petascale

Recent and Upcoming Advances in the Dyninst Toolkits Bill Williams Paradyn Project Petascale Tools Workshop Granlibakken, CA Aug 1-Aug 4, 2016 Dyninst Development Roadmap Dyninst 9.2 Dyninst 9.3 Dyninst 10.0 Q2/3 2016

539 views • 26 slides
The BINCOA Framework for Binary Code Analysis S ebastien Bardin, Philippe Herrmann, J er

The BINCOA Framework for Binary Code Analysis S ebastien Bardin, Philippe Herrmann, J er

The BINCOA Framework for Binary Code Analysis S ebastien Bardin, Philippe Herrmann, J er ome Leroux, Olivier Ly, Renaud Tabary, Aymeric Vincent CEA LIST (Saclay, Paris) LABRI (Bordeaux) 1/ 13 Binary code analysis 2/ 13 Binary code

149 views • 14 slides
Contents 1. Binary firmware analysis 2. Tooling landscape 3. The avatar 2 framework 4. Examples

Contents 1. Binary firmware analysis 2. Tooling landscape 3. The avatar 2 framework 4. Examples

avatar 2 Marius Muench 34c3 - December 29, 2017 Contents 1. Binary firmware analysis 2. Tooling landscape 3. The avatar 2 framework 4. Examples 5. Conclusion 1 Binary Firmware Analysis Motivation Amount of embedded devices steadily

3.29k views • 51 slides
New Developments in the Dyninst and MRNet T oolkits Bill Williams Paradyn Project 9 th

New Developments in the Dyninst and MRNet T oolkits Bill Williams Paradyn Project 9 th

New Developments in the Dyninst and MRNet T oolkits Bill Williams Paradyn Project 9 th Petascale Tools Workshop Tahoe, CA August 3, 2015 Dyninst 9.0 Overview o New features: o Memory optimizations o Initial ARM64 support o Improved TLS

347 views • 30 slides
rev.ng A unified static binary analysis framework Alessandro Di Federico PhD student at

rev.ng A unified static binary analysis framework Alessandro Di Federico PhD student at

rev.ng A unified static binary analysis framework Alessandro Di Federico PhD student at Politecnico di Milano LLVM developers meeting 2016 November 3, 2016 Index Introduction A peek inside Recovery of switch cases Function detection

908 views • 53 slides
Experiences with the Carnegie Mellon Binary Analysis Platform (CMU BAP) Sam L. Thomas, CNRS,

Experiences with the Carnegie Mellon Binary Analysis Platform (CMU BAP) Sam L. Thomas, CNRS,

Experiences with the Carnegie Mellon Binary Analysis Platform (CMU BAP) Sam L. Thomas, CNRS, IRISA sam.thomas@irisa.fr Introduction - what is BAP? Binary analysis framework: For program analysis For (aiding) reverse engineering (plugin

667 views • 29 slides
UNC Modification Proposal 0565 - Central Data Service Provider General framework and

UNC Modification Proposal 0565 - Central Data Service Provider General framework and

UNC Modification Proposal 0565 - Central Data Service Provider General framework and obligations UNC Modification Panel November 2015 Chris Warner National Grid Distribution UK GAS DISTRIBUTION Background to Xoserve Funding Governance

190 views • 7 slides
ROUND MODIFICATION ANALYSIS ON AES USING ELECTROMAGNETIC GLITCH Amine DEHBAOUI , Amir-Pasha

ROUND MODIFICATION ANALYSIS ON AES USING ELECTROMAGNETIC GLITCH Amine DEHBAOUI , Amir-Pasha

ROUND MODIFICATION ANALYSIS ON AES USING ELECTROMAGNETIC GLITCH Amine DEHBAOUI , Amir-Pasha MIRBAHA , Nicolas MORO , Jean-Max DUTERTRE , Assia TRIA COSADE 2013 Paris, France (1) (2) OUTLINE Context Round Modification

815 views • 30 slides
Be a Binary Rockst r An Introduction to Program Analysis with Binary Ninja Agenda

Be a Binary Rockst r An Introduction to Program Analysis with Binary Ninja Agenda

Be a Binary Rockst r An Introduction to Program Analysis with Binary Ninja Agenda Motivation Current State of Program Analysis Design Goals of Binja Program Analysis Building Tools 2 Motivation 3 Tooling - Concrete ->

963 views • 77 slides
Analyse and binary transformation Guillaume Bouffard Analyse and binary transformation Guillaume

Analyse and binary transformation Guillaume Bouffard Analyse and binary transformation Guillaume

Analyse and binary transformation Guillaume Bouffard Analyse and binary transformation Guillaume Bouffard Outline 1 Introduction Profiling step 2 Translation step 3 Binary Modification 4 Proof Of Concept 5 Conclusion 6 2 / 19

779 views • 40 slides
Binary Numbers Binary numbers look like this Binary Numbers or Binary Code Binary numbers or

Binary Numbers Binary numbers look like this Binary Numbers or Binary Code Binary numbers or

Binary Numbers Binary numbers look like this Binary Numbers or Binary Code Binary numbers or binary code are used by computers and digital devices to talk to each other. It is used to give commands to the computer or a way to enter data

165 views • 12 slides
AFFECTING BEHAVIOR MODIFICATION IN DIABETIC PATIENTS A qualitative and quantitative analysis of

AFFECTING BEHAVIOR MODIFICATION IN DIABETIC PATIENTS A qualitative and quantitative analysis of

PSYCHOSOCIAL FACTORS AFFECTING BEHAVIOR MODIFICATION IN DIABETIC PATIENTS A qualitative and quantitative analysis of patients with Type II Diabetes Mellitus in a primarily Hispanic Population in Northeast Community Clinics, Downtown Los

428 views • 19 slides
Lattice-Theoretic Data Flow Analysis Framework Lattices Define lattice D = ( S , ): Goals:

Lattice-Theoretic Data Flow Analysis Framework Lattices Define lattice D = ( S , ): Goals:

Lattice-Theoretic Data Flow Analysis Framework Lattices Define lattice D = ( S , ): Goals: provide a single, formal model that describes all DFAs S is a (possibly infinite) set of elements is a binary relation over elements of

248 views • 5 slides
Lattice-Theoretic Data Flow Analysis Framework Lattices Define lattice D = ( S , ): Goals:

Lattice-Theoretic Data Flow Analysis Framework Lattices Define lattice D = ( S , ): Goals:

Lattice-Theoretic Data Flow Analysis Framework Lattices Define lattice D = ( S , ): Goals: provide a single, formal model that describes all DFAs S is a (possibly infinite) set of elements is a binary relation over elements of

303 views • 4 slides
The 10 Commandments of Release Engineering Dinah McNutt Google, Inc. Overview This talk is

The 10 Commandments of Release Engineering Dinah McNutt Google, Inc. Overview This talk is

The 10 Commandments of Release Engineering Dinah McNutt Google, Inc. Overview This talk is really about "Build & Release", not just "Release" Focus is on server-side software The commandments are solutions to

358 views • 16 slides
Retrofitting Security in input parsing routines Jayakrishna Menon, Christophe Hauser, Yan

Retrofitting Security in input parsing routines Jayakrishna Menon, Christophe Hauser, Yan

Retrofitting Security in input parsing routines Jayakrishna Menon, Christophe Hauser, Yan Shoshitaishvili, Stephen Schwab {jmenon, hauser, schwab}@isi.edu yans@asu.edu Modern defenses Vulnerabilities Many programs are still OS defenses

702 views • 35 slides
Allocation for Social Good Auditing Mechanisms for Utility Maximization Taylor Lundy 1 , Alexander

Allocation for Social Good Auditing Mechanisms for Utility Maximization Taylor Lundy 1 , Alexander

Allocation for Social Good Auditing Mechanisms for Utility Maximization Taylor Lundy 1 , Alexander Wei 2 , Hu Fu 1 , Scott Duke Kominers 2 , Kevin Leyton-Brown 1 1 University of British Columbia 2 Harvard University Food Banks and Food Pantries

489 views • 24 slides
David Rook Agnitio Security code review swiss army knife Hack in Paris, Paris Friday, 17 June

David Rook Agnitio Security code review swiss army knife Hack in Paris, Paris Friday, 17 June

David Rook Agnitio Security code review swiss army knife Hack in Paris, Paris Friday, 17 June 2011 if (slide == introduction) System.out.println( " Im David Rook " ); Security Analyst, Realex Payments, Ireland CISSP, CISA,

933 views • 74 slides
Outline t t Why static analysis? t t What is it? Underlying technology t Some

Outline t t Why static analysis? t t What is it? Underlying technology t Some

2005-05-04 Static Analysis methods and tools An industrial study t Pr Emanuelsson Ericsson AB and LiU Prof Ulf Nilsson LiU t itle Outline t t Why static analysis? t t What is it? Underlying technology t Some tools

438 views • 19 slides
CSE306 Software Quality in Practice Dr. Carl Alphonce alphonce@buffalo.edu 343 Davis Hall

CSE306 Software Quality in Practice Dr. Carl Alphonce alphonce@buffalo.edu 343 Davis Hall

CSE306 Software Quality in Practice Dr. Carl Alphonce alphonce@buffalo.edu 343 Davis Hall Announcements Syllabus: posted on website Academic Integrity PRE posted on website Team formation - how's it going? Grades will be in UBLearns

456 views • 43 slides
DTrace Topics: xclock 20 xntpd 25

DTrace Topics: xclock 20 xntpd 25

# dtrace -n 'syscall:::entry { @[exe dtrace: description 'syscall:::entry ^C iscsitgtd 1 nscd 1 operapluginclean 3 screen-4.0.2 3 devfsadm

739 views • 56 slides
Static Analysis for Secure Development Introduction Static analysis : What , and why ?

Static Analysis for Secure Development Introduction Static analysis : What , and why ?

Static Analysis for Secure Development Introduction Static analysis : What , and why ? Basic analysis ! Example : Flow analysis ! Increasing precision ! Context -, flow -, and path sensitivity Scaling it up !

527 views • 27 slides

More recommend