how to grow a tree from cbass
play

How to Grow a TREE from CBASS Interactive Binary Analysis for - PowerPoint PPT Presentation

Jan 28, 2024 •380 likes •1.06k views

How to Grow a TREE from CBASS Interactive Binary Analysis for Security Professionals Lixin (Nathan) Li, Xing Li, Loc Nguyen, James E. Just Outline Background Interactive Binary Analysis with TREE and CBASS Demonstrations

  1. How to Grow a TREE from CBASS Interactive Binary Analysis for Security Professionals Lixin (Nathan) Li, Xing Li, Loc Nguyen, James E. Just

  2. Outline • Background • Interactive Binary Analysis with TREE and CBASS • Demonstrations • Conclusions

  3. Interactive Binary Analysis • Automated binary analyses useful for certain tasks (e.g., finding crashes) • Many binary analyses can’t be automated • Expert experience and heuristics are still key to binary analyses

  4. Benefits of Interactive Binary Analysis • Applicable to many security problems • Our tools increase productivity in: – Finding vulnerabilities – Analyzing root causes – Exploitability and risk assessment

  5. Interactive Analysis Like Connecting Dots What’s in the dots?

  6. Our Tools are Designed to Help Explore Connect Fix the the Dots New Dots Dots

  7. What Do Our Tools Do? Connect Explore Fix the the Dots New Dots Dots TREE CBASS Replay & Taint Analysis Symbolic Execution Cross-platform Binary Tainted-enabled Reverse Automated Symbolic Engineering Environment execution System

  8. Gaps between Research and Interactive Binary Analysis • Existing research does not support interactive binary analysis – No practical tools – No uniform trace collection tools – No unified Instruction Set Architecture(ISA) -independent analysis tools

  9. Bringing Proven Research Techniques to Interactive Binary Analysis • Our tools use dynamic, trace-based, offline analysis approach – Interactive binary analysis [1] – Dynamic taint analysis ([2][3][4]) – Symbolic execution/ SMT solver ([2][5]) – Trace replay ([6])

  10. Making It Practical • TREE integrates with IDA Pro now and • Simple Static Analyses other mainstream binary analysis – Cyclomatic complexity environments (later) – Loop Detection • TREE leverages debugging infrastructure to • IR Translation support tracing on multiple platforms – CBASS and TREE are separate components and • CBASS uses Intermediate Representation work in a client/server architecture – CBASS and TREE share native to IR mapping (REIL [6][7])-based approach to support through IR Store ISA-independent analysis

  11. CBASS Supports Both Automated & Interactive Analysis TREE Automated Fuzzer Interactive Analysis Automated Analysis CBASS IR-based Symbolic Execution Engine TREE fills gaps for interactive analysis

  12. Tools Support Interactive Binary Analyses Connect Explore Fix the the Dots New Dots Dots CBASS TREE Symbolic Execution Replay Don’t chase a moving target Explore the unexplored Taint Analysis path and code Focus only on data and code that are relevant

  13. Illustrative Dots in Vulnerability Analysis: A Running Example //INPUT ReadFile(hFile, sBigBuf, 16, &dwBytesRead, NULL); //Vulnerable Function void StackOVflow(char *sBig,int num) //INPUT TRANSFORMATIONS { …… char sBuf[8]= {0}; …… //PATH CONDITIONS for(int i=0;i<num;i++) if(sBigBuf[0]=='b') iCount++; //Overflow when num>8 if(sBigBuf[1]=='a') iCount++; { if(sBigBuf[2]=='d') iCount++; sBuf[i] = sBig[i]; if(sBigBuf[3]=='!') iCount++; } if(iCount==4) // bad! …… StackOVflow(sBigBuf,dwBytesRead) return; else // Good } printf (“Good!”);

  14. Our Tools Support Fixing the Dots (TREE)

  15. Fix the Dots • Reverse engineers don’t like moving dots • Why do the dots move? – Concurrency (multi-thread/multi-core) brings non-deterministic behavior – ASLR guarantees nothing will be the same

  16. Fix the Dots • How does TREE work? – Generates the trace at runtime – Replays it offline • TREE trace – Captures program state = {Instruction, Thread, Register, Memory} – Fully automated generation • TREE can collect traces from multiple platforms – Windows/Linux/Mac OS User/Kernel and real devices (Android/ARM, Cisco routers/MIPS, PowePC)

  17. TREE Taint-based Replay vs. Debug-based Replay • Debug-replay lets you connect the dots – Single step, stop at function boundary, Breakpoint • TREE replay connects dots for you – Deterministic replay with taint-point break

  18. Our Tools Support Connecting the Dots (TREE)

  19. Connecting Dots is Hard • Basic elements complex in real programs – Code size can be thousands (++) of lines – Inputs can come from many places – Transformations can be lengthy – Paths grow exponentially • Basic elements likely separated by millions of instructions, spatially and temporally • Multiple protections built in

  20. Techniques Help Connect the Dots • Dynamic Taint Analysis – Basic Definitions o Taint source o Taint Sink: o Taint Policy: • Taint-based Dynamic Slicing – Taint focused on data – Slicing focused on relevant instructions and sequences

  21. Connect the Dots • TREE connects dots -- using taint analysis Taint Source:

  22. Connect the Dots • TREE connects dots -- using taint analysis Taint Source: Taint Sink:

  23. Connect the Dots • TREE connects dots -- using taint analysis Taint Source: Taint policy Taint Sink:

  24. Connect the Dots • TREE connects dots -- using taint analysis Taint Source: Taint policy Taint Sink: - Dynamic Slicing

  25. Find the Dots and Slice that Matter In practice, most dots don’t matter – eliminate them quickly to focus on what matters

  26. Connecting Dots in Running Example The Slice The Taint Graph Taint Source: call ds:ReadFile (Input) movb (%eax), %dl Taint policy (Data) movb %dl, -0x8(%ebp,%ecx,1) retl Taint Sink: eip

  27. What You Connect is What You Get • Dots can be connected in different ways – Data dependency – Address dependency – Branch conditions – Loop counter • Connect dots in different taint policies

  28. TAINT-ENABLED REVERSE ENGINEERING ENVIRONMENT

  29. TREE Key Components IDA Plug-in TREE Replay Taint Taint Visualizer Execution Taint Analyzer & & Slice Navigator Trace Graph Slicing (IDA Native/Qt) Execution Tracer (Cross-platform Debugging)

  30. TREE: The Front-end of Our Interactive Analysis System Taint Graph

  31. TREE: The Front-end of Our Interactive Analysis System Taint Table

  32. TREE: The Front-end of Our Interactive Analysis System Execution Trace Table

  33. TREE: The Front-end of Our Interactive Analysis System Register/stack/ memory Views

  34. TREE: The Front-end of Our Interactive Analysis System Replay is focal point of user interaction

  35. Tree Demo Using TREE to Analyze a Crash

  36. Our Tools Support Exploring New Dots

  37. A Key Branch Point for a Duck Connects 16 ->17

  38. The Path for a … • Reverse engineers don’t just connect dots; they want to explore new dots: Connects 16 ->26

  39. Explore New Dots • How do you force the program to take a different path to lead to “bad!”? //INPUT ReadFile(hFile, sBigBuf, 16, &dwBytesRead, NULL); …… //PATH CONDITION if(sBigBuf[0]=='b') iCount++; if(sBigBuf[1]=='a') iCount++; if(sBigBuf[2]=='d') iCount++; if(sBigBuf[3]=='!') iCount++; if(iCount==4) // “bad!” path StackOVflow(sBigBuf,dwBytesRead) ? Else // “Good” path printf (“Good!”);

  40. Explore New Dots • User wants execution to take different path at a branch point Y – what input will make that happen? User: TREE: Can How to execute we negate different path path at branch Y? condition at Y? TREE: Input CBASS [0] must be ‘b’ TREE (symbolic CBASS: execution) This byte must be ‘b’

  41. Explore New Dots Demo IDA Plugin TREE (Front End) 1 Replay Execution Taint Execution 4 Taint Taint Visualizer Trace 3 Graph Tracer Analyzer & & Slice Navigator (Cross-platform Slicing (IDA Native Qt) 8 Debugging) 5 New On-demand Path 2 input Selection Symbolic Execution & Constraint Generation Path 6 Satisfiable 7 CBASS constraints input (BACK End) SMT Solver

  42. Task 1: Force the Program to Take “bad!” Path Branch Conditions In Disassembly //INPUT ReadFile(hFile, sBigBuf, 16, &dwBytesRead, NULL); //INPUT TRANSFORMATION …… //PATH CONDITION if(sBigBuf[0]=='b') iCount++; if(sBigBuf[1]=='a') iCount++; if(sBigBuf[2]=='d') iCount++; if(sBigBuf[3]=='!') iCount++; if(iCount==4) // “bad!” path //Vulnerable Function StackOVflow(sBigBuf,dwBytesRead) else printf (“Good!”);

  43. TREE Pin Trace 1 PIN: A popular Dynamic Binary Instrumentation (DBI) Framework http://software.intel.com/en-us/articles/pin-a-dynamic-binary- instrumentation-tool

  44. TREE Console: Trace Generation 2 PINAgent: Connects TREE with PIN tracer

  45. TREE: Taint Analysis Configuration 3

  46. TREE: Branch Taint Graph 4

  47. Negate Tainted Path Condition to 5 Exercise a New (“Bad”) Path CBASS (Cross-platform “Bad!” Path Query Symbolic Execution) Result ‘ b ’ ‘ a ’ ‘ d ’

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Foundation: Plant a Tree, Grow a Community Mission: To grow healthy, livable communities in

Foundation: Plant a Tree, Grow a Community Mission: To grow healthy, livable communities in

Sacramento Tree Foundation: Plant a Tree, Grow a Community Mission: To grow healthy, livable communities in the Sacramento region by building the best urban forest in the nation. Why y Trees? Trees? Why y Trees? Trees? Why y Trees?

379 views • 16 slides
12/22/2009 How does a tiny seed grow into a massive tree? Photosynthesis Where did all of that

12/22/2009 How does a tiny seed grow into a massive tree? Photosynthesis Where did all of that

12/22/2009 How does a tiny seed grow into a massive tree? Photosynthesis Where did all of that mass come from? Visible light is a small band within a very broad electromagnetic spectrum. Chloroplasts capture sunlight energy for

233 views • 4 slides
Topic 18 Binary Trees &quot;A tree may grow a thousand feet tall, but its leaves will return to

Topic 18 Binary Trees &quot;A tree may grow a thousand feet tall, but its leaves will return to

Topic 18 Binary Trees &quot;A tree may grow a thousand feet tall, but its leaves will return to its roots.&quot; -Chinese Proverb Definitions A tree is an abstract data type root node internal one entry point, the root nodes

716 views • 52 slides
Dr Sean Simpson Cofounder and Chief Scientist of LanzaTech 1 Consider the Cherry Tree &quot; A

Dr Sean Simpson Cofounder and Chief Scientist of LanzaTech 1 Consider the Cherry Tree &quot; A

Dr Sean Simpson Cofounder and Chief Scientist of LanzaTech 1 Consider the Cherry Tree &quot; A cherry tree produces thousands of blossoms which create fruit for birds, humans and other animals in an effort to grow one tree. The blossoms and

364 views • 18 slides
Presented by: Attorney Patricia Bloom-McDonald 1017 Turnpike Street, Route 138 Suite 23 Canton,

Presented by: Attorney Patricia Bloom-McDonald 1017 Turnpike Street, Route 138 Suite 23 Canton,

Presented by: Attorney Patricia Bloom-McDonald 1017 Turnpike Street, Route 138 Suite 23 Canton, MA Is like building a house Do you want a tree to grow in front of your home or . . . Do you want a tree to grow through your home? Does it

541 views • 13 slides
GROW &amp; FORTIFY Ag Commission Update 6/13/18 Kelly Dudeck Grow &amp; Fortify GROW &amp;

GROW &amp; FORTIFY Ag Commission Update 6/13/18 Kelly Dudeck Grow &amp; Fortify GROW &amp;

GROW &amp; FORTIFY Ag Commission Update 6/13/18 Kelly Dudeck Grow &amp; Fortify GROW &amp; FORTIFY MISSION To cultivate an environment where value- added agricultural producers, operators and growers innovate and thrive. WHAT IS

173 views • 14 slides
Tree-sitter @maxbrunsfeld What is Tree-sitter? Why I wrote Tree-sitter What were

Tree-sitter @maxbrunsfeld What is Tree-sitter? Why I wrote Tree-sitter What were

Tree-sitter @maxbrunsfeld What is Tree-sitter? Why I wrote Tree-sitter What were building with Tree-sitter at GitHub Algorithms behind Tree-sitter What is Tree-si tu er? Uniform parsing of di ff erent languages if (a) c();

772 views • 75 slides
GROW IT TO THE MAX WITH GROWMAX WATER! GROW IT TO THE MAX WITH GROWMAX WATER! ELIMINATE

GROW IT TO THE MAX WITH GROWMAX WATER! GROW IT TO THE MAX WITH GROWMAX WATER! ELIMINATE

Strengthens plant roots Healthier plants, fmowers and vegetables Protects benefjcial micro - organisms in your soil Get maximum efgectjveness from nutrients and fertjlizers GROW IT TO THE MAX WITH GROWMAX WATER! GROW IT TO THE MAX WITH GROWMAX

774 views • 8 slides
Another tree example Phylogenetic tree Patient 1 Plan Clone Phylogeny B C RFTA16 Om1

Another tree example Phylogenetic tree Patient 1 Plan Clone Phylogeny B C RFTA16 Om1

Another tree example Phylogenetic tree Patient 1 Plan Clone Phylogeny B C RFTA16 Om1 Tree ADT A E ROv1 SBwl D G Tree recursion F H I Tree traversal ROv2 SBwlE4 Search and score n Search runtime O(2 ) Pass message

311 views • 9 slides
PLTree A tree programming language Overview Philosophy: Everything is a tree All data structures

PLTree A tree programming language Overview Philosophy: Everything is a tree All data structures

PLTree A tree programming language Overview Philosophy: Everything is a tree All data structures are built on the tree A primitive type is a tree with a single node at the root and no leaves A string is a tree of characters A function is a

370 views • 13 slides
2 0 1 4 - 2 0 1 8 Grow ing four years four years of grow ing Early Career Investigator Think

2 0 1 4 - 2 0 1 8 Grow ing four years four years of grow ing Early Career Investigator Think

2 0 1 4 - 2 0 1 8 Grow ing four years four years of grow ing Early Career Investigator Think Tank in COST Action BIRTH, IS 140 Lucerne University of Applied Sciences and Arts Center for Health Promotion and Participation Prof. Dr. Claudia

716 views • 23 slides
How to grow London How to grow London Londons growth how big and how fast? Does

How to grow London How to grow London Londons growth how big and how fast? Does

11/04/2018 How to grow London How to grow London Londons growth how big and how fast? Does size matter? Key implications for sustainable development, housing and the environment Things to watch out for Mayor and

253 views • 23 slides
Plants From around the World North America Asia Europe Africa South America Australasia

Plants From around the World North America Asia Europe Africa South America Australasia

Plants From around the World North America Asia Europe Africa South America Australasia Antarctica South America ] ] rubber tree cacao tree Rubber Tree Rubber trees like to grow in hot, damp environments, like a rainforest.

360 views • 31 slides
Education Endowment (TREE) Fund TREE Fund is a 501(c)3 nonprofit organization that supports

Education Endowment (TREE) Fund TREE Fund is a 501(c)3 nonprofit organization that supports

Tree Research and Education Endowment (TREE) Fund TREE Fund is a 501(c)3 nonprofit organization that supports scientific discovery and dissemination of new knowledge in arboriculture and urban forestry. TREE Fund Grant Awards TREE Fund has

441 views • 10 slides
Decision Tree Decision Trees A decision tree is a decision support tool that uses a tree-like

Decision Tree Decision Trees A decision tree is a decision support tool that uses a tree-like

Decision Tree Decision Trees A decision tree is a decision support tool that uses a tree-like graph or model of decisions and their possible MSE 2400 EaLiCaRA consequences, including chance event Dr. Tom Way outcomes, resource costs, and

568 views • 8 slides
The R-Tree Yufei Tao ITEE University of Queensland INFS4205/7205, Uni of Queensland The R-Tree

The R-Tree Yufei Tao ITEE University of Queensland INFS4205/7205, Uni of Queensland The R-Tree

The R-Tree Yufei Tao ITEE University of Queensland INFS4205/7205, Uni of Queensland The R-Tree We will study a new structure called the R-tree, which can be thought of as a multi-dimensional extension of the B-tree. The R-tree supports e ffi

1.11k views • 85 slides
Objectives Discuss current barriers in achieving an effective and sustainable hand hygiene

Objectives Discuss current barriers in achieving an effective and sustainable hand hygiene

Chasing Zero Infections November 16, 2017 Connecting the Dots to Reduce Patient Harm: Hot Topics in Infection Prevention SOAP- UP : Improving Hand Hygiene as a Comprehensive Infection Prevention Strategy Linda R. Greene, RN,MPS,CIC, FAPIC

337 views • 17 slides
Development of an EHR System for Sharing - a Semantic Perspective , black Recommended maximum

Development of an EHR System for Sharing - a Semantic Perspective , black Recommended maximum

For the latest, go to http://w3.ibm.com/ibm/presentations ! IBM logo must not be moved, added to, or altered in any way China Research Laboratory , white Maximum length: 1 line Development of an EHR System for Sharing - a Semantic

567 views • 40 slides
Io IoPPN PPN Po Post stdoc doc Fe Fell llows owship hip Ap Appli plication cation Tra

Io IoPPN PPN Po Post stdoc doc Fe Fell llows owship hip Ap Appli plication cation Tra

Io IoPPN PPN Po Post stdoc doc Fe Fell llows owship hip Ap Appli plication cation Tra Traini ining ng Postdoc Fell llowship application training Wed 23 rd Nov 2016 13:30 16:00 SGDP seminar room A&amp;B 13.30 13:40 Welcome

831 views • 52 slides
Investigating Techniques for Evaluating Fly Ash Behaviour in Air-entrained Concrete G M Sadiqul

Investigating Techniques for Evaluating Fly Ash Behaviour in Air-entrained Concrete G M Sadiqul

Proceedings of the EUROCOALASH 2012 Conference, Thessaloniki Greece, September 25-27 2012 http:// www.evipar.org/ Investigating Techniques for Evaluating Fly Ash Behaviour in Air-entrained Concrete G M Sadiqul Islam 1 , M J McCarthy 2 , L J

325 views • 14 slides
CS 188: Artificial Intelligence Search Instructor: Anca Dragan University of California,

CS 188: Artificial Intelligence Search Instructor: Anca Dragan University of California,

CS 188: Artificial Intelligence Search Instructor: Anca Dragan University of California, Berkeley [These slides adapted from Dan Klein and Pieter Abbeel] Today o Agents that Plan Ahead o Search Problems o Uninformed Search Methods o Depth-First

784 views • 54 slides
Race, Exclusionary School Discipline, and the Cycle of Trauma - Connecting the Dots Camila Cribb

Race, Exclusionary School Discipline, and the Cycle of Trauma - Connecting the Dots Camila Cribb

2/27/2019 Race, Exclusionary School Discipline, and the Cycle of Trauma - Connecting the Dots Camila Cribb Fabersunne, MD MPH Dannielle McBride, MD No DISCLOSURES 1 2/27/2019 Objectives Understand the epidemiology of trauma and its

539 views • 40 slides
Quick Images How many dots? What did you see? 2 So we are all together . Our goal

Quick Images How many dots? What did you see? 2 So we are all together . Our goal

Quick Images How many dots? What did you see? 2 So we are all together . Our goal for this workshop is to get you familiar and comfortable with the mathematical processes and content of the CCSSM through providing you with some

1.04k views • 57 slides
Previous lecture User-defined functions Differences vs. scripts When and how to

Previous lecture User-defined functions Differences vs. scripts When and how to

Previous lecture User-defined functions Differences vs. scripts When and how to write Todays lecture User-defined functions Declaration and invocation Subfunctions Function scope did you watch MatTV epsiode

514 views • 22 slides

More recommend