fun with symbolic execution
play

Fun with symbolic execution Carl Svensson, 27 MSc in Computer - PowerPoint PPT Presentation

Oct 31, 2022 •454 likes •695 views

Carl Svensson Exploit development and deobfuscation September 13, 2018 SEC-T 2018 Fun with symbolic execution Carl Svensson, 27 MSc in Computer Science, KTH Head of Security, Kry CTF-player, HackingForSoju 1 About me

  1. Carl Svensson Exploit development and deobfuscation September 13, 2018 SEC-T 2018 Fun with symbolic execution

  2. • Carl Svensson, 27 • MSc in Computer Science, KTH • Head of Security, Kry • CTF-player, HackingForSoju 1 About me •  calle.svensson@zeta-two.com •  @zetatwo •  https://zeta-two.com

  3. • Pro: Explore ”all” paths • Symbols vs. concrete values • Con: Exponential complexity 2 Symbolic execution

  4. • ”python framework for analyzing binaries” • ”both static and dynamic symbolic (concolic)” • Computer Security Lab at UC Santa Barbara • Uses Z3 internally 3 Once again, with fee... angr

  5. • Satisfy condition • IP control 4 Exploitation

  6. • Constrain execution • Find execution path • Satisfy condition 5 Exploitation with angr

  7. • Index OOB • Function pointer lookup • Hook messy function 6 Example from Security Fest CTF

  8. 7 angr exploitation example

  9. 8 angr exploitation example

  10. 9 angr exploitation example

  11. 10 angr exploitation example

  12. 11 angr exploitation example > python exploit_angr.py Choice: 2147483648 RDX: fffffffffffffffe > ./bowrain_581bbadaafd23051a25ccb4adc80b670 ... : 2147483648 [1] 17059 segmentation fault (core dumped)

  13. 12 Deobfuscation Deobfuscation

  14. • Make code hard to read • for humans • for computers • Control flow flattening • Packer • Dropper • VM • Dead code 13 Obfuscation

  15. • Hard problem • Undo the mess 14 Deobfuscation in general

  16. • Prove uniqueness of value • Prove that dead code is dead 15 Deobfuscation of dead code with angr

  17. 16 Example: indirect jmp deobfuscator

  18. • Find ”jmp reg” • Search callgraph backwards • Search forward • Simplify expression • Replace code 17 Example from mobile app

  19. 18 Example: indirect jmp deobfuscator

  20. 19 Example: indirect jmp deobfuscator

  21. 20 Example: indirect jmp deobfuscator

  22. 21 Example: indirect jmp deobfuscator

  23. 21 Thanks for listening!

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Symbolic Execution of Linux binaries About Symbolic Execution Dynamically explore all

Symbolic Execution of Linux binaries About Symbolic Execution Dynamically explore all

A tool for the Symbolic Execution of Linux binaries About Symbolic Execution Dynamically explore all program branches. Inputs are considered symbolic variables. Symbols remain uninstantiated and become constrained at execution

451 views • 24 slides
Symbolic execution as search, and the rise of solvers Search and SMT Symbolic execution is

Symbolic execution as search, and the rise of solvers Search and SMT Symbolic execution is

Symbolic execution as search, and the rise of solvers Search and SMT Symbolic execution is appealingly simple and useful , but computationally expensive ! We will see how the effective use of symbolic execution boils down to a kind of

494 views • 24 slides
Symbolic Execution: Applications Symbolic execution is widely used in practice. Tools based on

Symbolic Execution: Applications Symbolic execution is widely used in practice. Tools based on

Symbolic Execution: Applications Symbolic execution is widely used in practice. Tools based on symbolic execution have found serious errors and security vulnerabilities in various systems: Network servers File systems Device drivers

733 views • 40 slides
Symbolic execution for binary-level security / 50 3 A number of shades of symbolic execution /

Symbolic execution for binary-level security / 50 3 A number of shades of symbolic execution /

Symbolic execution for binary-level security / 50 3 A number of shades of symbolic execution / / Sbastien Bardin & Richard Bonichon 20180409 CEA LIST 1 1,1,L Model Source qb int foo (int t ) { 0,1,L 0,1,L int y = t * t - 4 * t ;

567 views • 34 slides
Symbolic Execution Emina Torlak emina@cs.washington.edu Outline What is symbolic execution?

Symbolic Execution Emina Torlak emina@cs.washington.edu Outline What is symbolic execution?

CSE 403: Software Engineering, Winter 2016 courses.cs.washington.edu/courses/cse403/16wi/ Symbolic Execution Emina Torlak emina@cs.washington.edu Outline What is symbolic execution? How does it work? State-of-the-art tools 2

637 views • 34 slides
Demo Symbolic Execution Probabilistic Symbolic Execution (Materials kindly provided by Willem

Demo Symbolic Execution Probabilistic Symbolic Execution (Materials kindly provided by Willem

Demo Symbolic Execution Probabilistic Symbolic Execution (Materials kindly provided by Willem Visser) Docker Image Install Docker Download: https://docs.docker.com/engine/installation/ Check: docker --version

446 views • 10 slides
Learning to Fuzz from Symbolic Execution with Application to Smart Contracts Jingxuan Mislav

Learning to Fuzz from Symbolic Execution with Application to Smart Contracts Jingxuan Mislav

Learning to Fuzz from Symbolic Execution with Application to Smart Contracts Jingxuan Mislav Nodar Petar Martin He Balunovic Ambroladze Tsankov Vechev Random Fuzzing vs. Symbolic Execution Random Fuzzing Symbolic Execution Fast Slow

633 views • 29 slides
Constraint Solving in Symbolic Execution Cristian Cadar Department of Computing Imperial College

Constraint Solving in Symbolic Execution Cristian Cadar Department of Computing Imperial College

Constraint Solving in Symbolic Execution Cristian Cadar Department of Computing Imperial College London Invited talk at SMT 2015 18 July, San Francisco, CA, USA Dynamic Symbolic Execution Dynamic symbolic execution is a technique for

660 views • 53 slides
Symbolic Execution Builds predicates that characterize Conditions for executing paths

Symbolic Execution Builds predicates that characterize Conditions for executing paths

Symbolic Execution Builds predicates that characterize Conditions for executing paths Symbolic Execution and Proof of Effects of the execution on program state Properties Bridges program behavior to logic Finds important

309 views • 6 slides
Symbolic Execution of Maintainer Scripts Nicolas Jeannerod and Ralf Treinen joint work with

Symbolic Execution of Maintainer Scripts Nicolas Jeannerod and Ralf Treinen joint work with

Introduction Symbolic Execution of Scripts Symbolic Execution of Maintainer Scripts Demo Time Detected Bugs Conclusions App Symbolic Execution of Maintainer Scripts Nicolas Jeannerod and Ralf Treinen joint work with Benedikt Becker, Claude

1.71k views • 115 slides
An Introduction to Dynamic Symbolic Execution and the KLEE Infrastructure Cristian Cadar

An Introduction to Dynamic Symbolic Execution and the KLEE Infrastructure Cristian Cadar

An Introduction to Dynamic Symbolic Execution and the KLEE Infrastructure Cristian Cadar Department of Computing Imperial College London 14 th TAROT Summer School UCL, London, 3 July 2018 Dynamic Symbolic Execution Dynamic symbolic

856 views • 56 slides
Pending Constraints in Symbolic Execution for Better Exploration and Seeding Timotej Kapus Frank

Pending Constraints in Symbolic Execution for Better Exploration and Seeding Timotej Kapus Frank

Pending Constraints in Symbolic Execution for Better Exploration and Seeding Timotej Kapus Frank Busse Cristian Cadar Imperial College London 1 Symbolic Execution Program analysis technique Active research area Used in

1.04k views • 70 slides
Symbolic Execution of Security Protocol Impl.: Handling Cryptographic Primitives Mathy Vanhoef

Symbolic Execution of Security Protocol Impl.: Handling Cryptographic Primitives Mathy Vanhoef

Symbolic Execution of Security Protocol Impl.: Handling Cryptographic Primitives Mathy Vanhoef @vanhoefm USENIX WOOT, Baltimore, US, 14 August 2018 Overview Symbolic Execution 4-way handshake Handling Crypto Results 2 Overview Symbolic

446 views • 41 slides
Symbolic Evaluation/Execution Todays Reading Material L. A. Clarke and D. J. Richardson,

Symbolic Evaluation/Execution Todays Reading Material L. A. Clarke and D. J. Richardson,

Symbolic Evaluation/Execution Todays Reading Material L. A. Clarke and D. J. Richardson, "Applications of Symbolic Evaluation," Journal of Systems and Software, 5 (1), January 1985, pp.15-35. Symbolic Evaluation/Execution

1.07k views • 60 slides
Efficient Symbolic Execution for Software Testing Johannes Kinder Royal Holloway, University of

Efficient Symbolic Execution for Software Testing Johannes Kinder Royal Holloway, University of

Efficient Symbolic Execution for Software Testing Johannes Kinder Royal Holloway, University of London Joint work with: Stefan Bucur, George Candea, Volodymyr Kuznetsov @ EPFL Symbolic Execution Automatically explore program paths

2.34k views • 200 slides
Timotej Kapus Cristian Cadar Imperial College London 1 Symbolic Execution Program

Timotej Kapus Cristian Cadar Imperial College London 1 Symbolic Execution Program

Timotej Kapus Cristian Cadar Imperial College London 1 Symbolic Execution Program analysis technique Active research area Used in industry IntelliTest, SAGE Angr KLOVER 2 Why symbolic execution? No

916 views • 73 slides
POLYMORPHISM The same tool can be used in different contexts Example : color selector

POLYMORPHISM The same tool can be used in different contexts Example : color selector

INSTRUMENTAL INTERACTION POLYMORPHISM The same tool can be used in different contexts Example : color selector Change color of: Text Border Background Highlight INSTRUMENTAL INTERACTION POLYMORPHISM

330 views • 11 slides
Examples of modern malware Malware Analysis Seminar Meeting 7 Cody Cutler, Anton Burtsev

Examples of modern malware Malware Analysis Seminar Meeting 7 Cody Cutler, Anton Burtsev

Examples of modern malware Malware Analysis Seminar Meeting 7 Cody Cutler, Anton Burtsev Stuxnet (2009) Organization Core a large .dll file 2 encrypted configuration files Dropper component Core in a stub section

703 views • 43 slides
Exam 1 Review Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Format

Exam 1 Review Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Format

Exam 1 Review Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Format Fifty minutes No notes Work alone (copying or sharing answers will result in failing the course) Three questions - Multiple choice - Short

297 views • 18 slides
JReFrameworker: One Year Later ben-holland.com (daedared) jreframeworker.com I Derbycon

JReFrameworker: One Year Later ben-holland.com (daedared) jreframeworker.com I Derbycon

JReFrameworker: One Year Later ben-holland.com (daedared) jreframeworker.com I Derbycon Derbycon 3.0: My first con ever! Loved it. Derbycon 4.0: A Bug or Malware? Catastrophic consequences either way. How would you detect the

627 views • 43 slides
MANAGE THE IMPRESSION YOU AND YOUR DISABILITY MAKE DURING THE JOB INTERVIEW Impression

MANAGE THE IMPRESSION YOU AND YOUR DISABILITY MAKE DURING THE JOB INTERVIEW Impression

GET THE JOB MANAGE THE IMPRESSION YOU AND YOUR DISABILITY MAKE DURING THE JOB INTERVIEW Impression management strategies and self disclosure can be used to dispel myths about disability, and strengthen your presentation during the interview.

813 views • 45 slides
Training Objectives Build a short relationship database and understand why it is necessary in

Training Objectives Build a short relationship database and understand why it is necessary in

4/5/2011 Engaging Communities and the Media by Telling Compelling Public Health Stories Webinar April 14, 2011 p , 1:30 PM 3:30 PM Sponsored by: 1 Laurie Call Director Center for Community Capacity Development Illinois Public

162 views • 14 slides
Current Quantum Measurements in . . . Cryptography Algorithm Main Idea of Quantum . . . A

Current Quantum Measurements in . . . Cryptography Algorithm Main Idea of Quantum . . . A

Why Quantum . . . Quantum . . . Remaining Problems . . . Quantum Physics: . . . Current Quantum Measurements in . . . Cryptography Algorithm Main Idea of Quantum . . . A General Family of . . . Is Optimal: A Proof What Do We Want to . . .

818 views • 40 slides
CSGE602055 Operating Systems CSF2600505 Sistem Operasi Week 02: Security, Protection, Privacy,

CSGE602055 Operating Systems CSF2600505 Sistem Operasi Week 02: Security, Protection, Privacy,

CSGE602055 Operating Systems CSF2600505 Sistem Operasi Week 02: Security, Protection, Privacy, & C-language Rahmat M. Samik-Ibrahim (ed.) University of Indonesia https://os.vlsm.org/ Always check for the latest revision! REV254

547 views • 17 slides

More recommend