lifting program binaries with mcsema
play

Lifting program binaries with McSema Peter Goodman, Akshay Kumar - PowerPoint PPT Presentation

Mar 26, 2024 •126 likes •1.03k views

Lifting program binaries with McSema Peter Goodman, Akshay Kumar Introductions Peter Goodman Akshay Kumar Senior Security Engineer Senior Security Engineer peter@trailofbits.com akshay.kumar@trailofbits.com 2 2 Overview of this workshop

  1. Lifting program binaries with McSema Peter Goodman, Akshay Kumar

  2. Introductions Peter Goodman Akshay Kumar Senior Security Engineer Senior Security Engineer peter@trailofbits.com akshay.kumar@trailofbits.com 2 2

  3. Overview of this workshop (1) □ ○ ○ ○ □ ○ ○ ○ ○ 3

  4. Overview of this workshop (2) □ ○ ○ □ ○ ○ ○ 4

  5. Overview of this workshop (3) □ ○ ○ 5

  6. Introduction to LLVM and McSema

  7. What is LLVM bitcode? □ ○ ○ □ ○ ○ 7

  8. Why is LLVM (and its bitcode) so popular? □ ○ ○ ○ □ ○ ○ ○ 8

  9. From source code, to bitcode, to machine code char *concat(char *a, char *b) { size_t a_len = strlen(a); size_t b_len = strlen(b); char *cat = malloc(a_len + b_len + 1); strcpy(cat, a); strcpy(&(cat[a_len]), b); return cat; } define i8* @concat(i8*, i8*) #0 { %3 = call i64 @strlen(i8* %0) #3 %4 = call i64 @strlen(i8* %1) #3 %5 = add i64 %3, 1 %6 = add i64 %5, %4 %7 = call noalias i8* @malloc(i64 %6) #4 %8 = call i8* @strcpy(i8* %7, i8* %0) #4 %9 = getelementptr inbounds i8, i8* %7, i64 %3 %10 = call i8* @strcpy(i8* %9, i8* %1) #4 ret i8* %7 } 9

  10. … and back again with McSema and FCD! char *concat(char *a, char *b) { size_t a_len = strlen(a); size_t b_len = strlen(b); char *cat = malloc(a_len + b_len + 1); strcpy(cat, a); strcpy(&(cat[a_len]), b); return cat; } define i8* @concat(i8*, i8*) #0 { %3 = call i64 @strlen(i8* %0) #3 %4 = call i64 @strlen(i8* %1) #3 %5 = add i64 %3, 1 %6 = add i64 %5, %4 %7 = call noalias i8* @malloc(i64 %6) #4 %8 = call i8* @strcpy(i8* %7, i8* %0) #4 %9 = getelementptr inbounds i8, i8* %7, i64 %3 %10 = call i8* @strcpy(i8* %9, i8* %1) #4 ret i8* %7 } 10

  11. McSema lifts machine code to bitcode □ ○ □ ○ ▹ ○ □ ○ ○ 11

  12. McSema lifts this stuff to bitcode 12

  13. What a binary looks like in a disassembler 13

  14. What a binary looks like in a disassembler Instructions 14

  15. What a binary looks like in a disassembler Instructions Opcodes / Mnemonics 15

  16. What a binary looks like in a disassembler Instructions Opcodes / Mnemonics Numbers / Offsets 16

  17. What a binary looks like in a disassembler Instructions Opcodes / Mnemonics Numbers / Offsets Registers 17

  18. How registers are lifted to bitcode (1) 18

  19. How registers are lifted to bitcode (2) struct State { }; 19

  20. How registers are lifted to bitcode (3) Memory *__remill_basic_block(State &state, addr_t curr_pc, Memory *memory) { bool branch_taken = false; auto &BRANCH_TAKEN = branch_taken; auto &AH = state.gpr.rax.byte.high; auto &AL = state.gpr.rax.byte.low; auto &AX = state.gpr.rax.word; auto &EAX = state.gpr.rax.dword; auto &RAX = state.gpr.rax.qword; ... 20

  21. How instructions are lifted to bitcode (1) 21

  22. How instructions are lifted to bitcode (2) Memory *lifted_main(State &state, addr_t curr_pc, Memory *memory) { bool branch_taken = false; auto &BRANCH_TAKEN = branch_taken; auto &RDI = state.gpr.rdi.qword; auto &RBP = state.gpr.rbp.qword; auto &RSP = state.gpr.rsp.qword; auto &EAX = state.gpr.rax.dword; memory = PUSH<R64>(memory, state, RBP); memory = MOV<R64W, R64>(memory, state, &RBP, RSP); memory = SUB<R64W, R64, I64>(memory, state, &RSP, RSP, 0x10); memory = MOV<M32W, I32>(memory, state, RBP - 0x4, 0x0); memory = LEA<R64W, M8>(memory, state, &RDI, RBP - 0x4); memory = CALL<PC>(memory, state, 0x…); memory = lifted_verify_pin(state, …, memory); memory = TEST<R32, R32>(memory, state, EAX, EAX); memory = JZ<R8W, PC, PC>(memory, state, &BRANCH_TAKEN, …, …); if (BRANCH_TAKEN) { … } … 22

  23. How instructions are lifted to bitcode (3) Memory *lifted_main(State &state, addr_t curr_pc, Memory *memory) { bool branch_taken = false; auto &BRANCH_TAKEN = branch_taken; auto &RDI = state.gpr.rdi.qword; auto &RBP = state.gpr.rbp.qword; auto &RSP = state.gpr.rsp.qword; auto &EAX = state.gpr.rax.dword; memory = PUSH<R64>(memory, state, RBP); memory = MOV<R64W, R64>(memory, state, &RBP, RSP); memory = SUB<R64W, R64, I64>(memory, state, &RSP, RSP, 0x10); Instructions memory = MOV<M32W, I32>(memory, state, RBP - 0x4, 0x0); memory = LEA<R64W, M8>(memory, state, &RDI, RBP - 0x4); Opcodes / Mnemonics memory = CALL<PC>(memory, state, 0x…); memory = lifted_verify_pin(state, RIP, memory); Numbers / Offsets memory = TEST<R32, R32>(memory, state, EAX, EAX); memory = JZ<R8W, PC, PC>(memory, state, &BRANCH_TAKEN, …, …); Registers if (BRANCH_TAKEN) { … } … 23

  24. How instructions are lifted to bitcode (4) Memory *lifted_main(State &state, addr_t curr_pc, Memory *memory) { auto &RBP = state.gpr.rbp.qword; auto &RSP = state.gpr.rsp.qword; // memory = PUSH<R64>(memory, state, RBP); memory = __remill_write_memory(memory, RSP, RBP); RSP -= 8; // memory = MOV<R64W, R64>(memory, state, &RBP, RSP); RBP = RSP; // memory = SUB<R64W, R64, I64>(memory, state, &RSP, RSP, 0x10); RSP = RSP - 0x10; ZF = RSP == 0x0; // Result is zero flag. … // More flags computations. // memory = MOV<M32W, I32>(memory, state, RBP - 0x4, 0x0); memory = __remill_write_memory_32(memory, RBP - 0x4, 0x0); 24

  25. How instructions are lifted to bitcode (5) define %struct.Memory* @lifted_main(%struct.State*, i64, %struct.Memory*) #2 { entry: … %10 = load i64, i64* %9, align 8 %11 = load i64, i64* %8, align 8, !tbaa !1303 %12 = add i64 %11, -8 %13 = inttoptr i64 %12 to i64* store i64 %10, i64* %13 store i64 %12, i64* %9, align 8, !tbaa !1299 … %20 = add i64 %11, -12 %21 = inttoptr i64 %20 to i32* store i32 0, i32* %21 store i64 %20, i64* %7, align 8, !tbaa !1299 %22 = add i64 %1, -112 %23 = add i64 %1, 24 %24 = add i64 %11, -32 %25 = inttoptr i64 %24 to i64* store i64 %23, i64* %25 store i64 %24, i64* %8, align 8, !tbaa !1299 %26 = tail call %struct.Memory* @lifted_verify_pin(%struct.State* %0, i64 %22, %struct.Memory* %2) … 25

  26. How instructions are lifted to bitcode (6) Original Binary Lifted Bitcode Compiled Bitcode 26

  27. Now you can lift binaries too! □ ○ ○ ○ □ ○ ○ ○ 27

  28. A vulnerable program

  29. Time to apply our newfound knowledge We’ll start with a simple authentication program $ cd ~/mcsema $ git clone git@github.com:trailofbits/issisp-2018.git $ cd issisp-2018 $ cat authenticate.c void admin_control(void); bool verify_pin(bool *is_admin) { void user_control(void); char pin[5]; puts("Enter PIN: "); int main(int argc, char *argv[]) { gets(pin); bool is_admin = false; if (!strcmp(pin, "1337")) { bool is_logged = verify_pin(&is_admin); return true; if (is_admin) { } else if (!strcmp(pin, "w00t")) { admin_control(); *is_admin = true; } else if (is_logged) { return true; user_control(); } else { } else { return false; return EXIT_FAILURE; } } } return EXIT_SUCCESS; } 29

  30. What is done right, and what is wrong? (1) BAD : Never use gets , no way to limit how much input is read void admin_control(void); bool verify_pin(bool *is_admin) { void user_control(void); char pin[5]; puts("Enter PIN: "); int main(int argc, char *argv[]) { gets(pin); bool is_admin = false; if (!strcmp(pin, "1337")) { bool is_logged = verify_pin(&is_admin); return true; if (is_admin) { } else if (!strcmp(pin, "w00t")) { admin_control(); *is_admin = true; } else if (is_logged) { return true; user_control(); } else { } else { return false; return EXIT_FAILURE; } } } return EXIT_SUCCESS; } 30

  31. What is done right, and what is wrong? (2) GOOD-ish : Make sure there’s room for gets to replace the \n with a \0 (NUL char) void admin_control(void); bool verify_pin(bool *is_admin) { void user_control(void); char pin[5]; puts("Enter PIN: "); int main(int argc, char *argv[]) { gets(pin); bool is_admin = false; if (!strcmp(pin, "1337")) { bool is_logged = verify_pin(&is_admin); return true; if (is_admin) { } else if (!strcmp(pin, "w00t")) { admin_control(); *is_admin = true; } else if (is_logged) { return true; user_control(); } else { } else { return false; return EXIT_FAILURE; } } } return EXIT_SUCCESS; } 31

  32. What is done right, and what is wrong? (3) BAD-ish : Not checking is_logged && is_admin void admin_control(void); bool verify_pin(bool *is_admin) { void user_control(void); char pin[5]; puts("Enter PIN: "); int main(int argc, char *argv[]) { gets(pin); bool is_admin = false; if (!strcmp(pin, "1337")) { bool is_logged = verify_pin(&is_admin); return true; if (is_admin) { } else if (!strcmp(pin, "w00t")) { admin_control(); *is_admin = true; } else if (is_logged) { return true; user_control(); } else { } else { return false; return EXIT_FAILURE; } } } return EXIT_SUCCESS; } 32

  33. Let’s see the binary (1) Back in the terminal, please compile the program $ cd ~/mcsema $ git clone git@github.com:trailofbits/issisp-2018.git $ cd issisp-2018 $ cat authenticate.c $ gcc -fno-stack-protector -O1 -g3 authenticate.c 33

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

JEFFERSON JOBOY 27 November 2018 1 LIFTING AWARENESS 2 GROUND RULES 3 What is a lifting

JEFFERSON JOBOY 27 November 2018 1 LIFTING AWARENESS 2 GROUND RULES 3 What is a lifting

JEFFERSON JOBOY 27 November 2018 1 LIFTING AWARENESS 2 GROUND RULES 3 What is a lifting operation? An operation concerned with the lifting or lowering of a load'. A 'load' is the item or items being lifted, which includes a person or people

380 views • 27 slides
From Program Verification to Certified Binaries Angelos Manousaridis Michalis A. Papakyriakou

From Program Verification to Certified Binaries Angelos Manousaridis Michalis A. Papakyriakou

From Program Verification to Certified Binaries Angelos Manousaridis Michalis A. Papakyriakou Nikolaos S. Papaspyrou National Technical University of Athens School of Electrical and Computer Engineering Software Engineering Laboratory

360 views • 32 slides
McSema: Static Translation of X86 Instructions to LLVM ARTEM DINABURG, ARTEM@TRAILOFBITS.COM

McSema: Static Translation of X86 Instructions to LLVM ARTEM DINABURG, ARTEM@TRAILOFBITS.COM

McSema: Static Translation of X86 Instructions to LLVM ARTEM DINABURG, ARTEM@TRAILOFBITS.COM ANDREW RUEF, ANDREW@TRAILOFBITS.COM This research was developed with funding from the Defense Advanced Research Projects Agency (DARPA). The

1.09k views • 34 slides
Black hole X-ray binaries V: Formation and evolution of black hole binaries Thomas J. Maccarone

Black hole X-ray binaries V: Formation and evolution of black hole binaries Thomas J. Maccarone

Black hole X-ray binaries V: Formation and evolution of black hole binaries Thomas J. Maccarone Jan 14, 2017, 2nd Fudan Winter School on Black Hole Astrophysics Overview Phenomena associated with binary evolution Formation of close binaries

651 views • 30 slides
Fight against 1-day exploits: Diffing Binaries vs Anti-diffing Binaries Jeongwook

Fight against 1-day exploits: Diffing Binaries vs Anti-diffing Binaries Jeongwook

Fight against 1-day exploits: Diffing Binaries vs Anti-diffing Binaries Jeongwook Oh(mat@monkey.org,oh.jeongwook@gmail.com) Jeongwook Oh works on eEye's flagship product called &quot;Blink&quot;. He develops traffic analysis module that filters

841 views • 60 slides
Coalescences of IMBH binaries as sources for the future IMBH binaries as seen by the GW ET

Coalescences of IMBH binaries as sources for the future IMBH binaries as seen by the GW ET

Coalescences of IMBH binaries as sources for the future ET detector Coalescences of IMBH binaries as sources for the future IMBH binaries as seen by the GW ET detector detectors The (disputed) existence of IMBHs Modeling BBH Luca

199 views • 16 slides
Galactic Center, Colliding Wind Binaries, &amp; Gamma-ray Binaries: Hydro simulations to do with

Galactic Center, Colliding Wind Binaries, &amp; Gamma-ray Binaries: Hydro simulations to do with

Galactic Center, Colliding Wind Binaries, &amp; Gamma-ray Binaries: Hydro simulations to do with Phantom Christopher M. P . Russell Pontificia Universidad Catlica de Chile crussell@udel.edu @chrastropher astro.puc.cl/~crussell Phantom

589 views • 43 slides
Observations of jets in X-ray binaries Tom Maccarone (University of Southampton) ING

Observations of jets in X-ray binaries Tom Maccarone (University of Southampton) ING

Observations of jets in X-ray binaries Tom Maccarone (University of Southampton) ING archive/Nick Szymanek Russell et al. 2007 Stirling et al. 2001 Black Hole X-ray binaries: key sources for understanding accretion-ejection phenomenology

347 views • 21 slides
NIOSH revised lifting equation Week 8 Dr. Belal Gharaibeh 1 Why use the NIOSH lifting equation?

NIOSH revised lifting equation Week 8 Dr. Belal Gharaibeh 1 Why use the NIOSH lifting equation?

NIOSH revised lifting equation Week 8 Dr. Belal Gharaibeh 1 Why use the NIOSH lifting equation? National Institute for Occupational Safety and Health (NIOSH) in the USA made a standard procedure for assessing the physical demands of

540 views • 14 slides
Spin- -orbit interactions in black hole orbit interactions in black hole binaries binaries Spin

Spin- -orbit interactions in black hole orbit interactions in black hole binaries binaries Spin

Departm ent Physics &amp; Astronom y The University of Texas at Brow nsville Spin- -orbit interactions in black hole orbit interactions in black hole binaries binaries Spin Carlos Lousto with Manuela Campanelli &amp; Yosef Zlochower

365 views • 20 slides
Lifting Jonathan Templeman Chief Executive 53% of Lifting 22% of Melrose Products overview

Lifting Jonathan Templeman Chief Executive 53% of Lifting 22% of Melrose Products overview

Lifting Jonathan Templeman Chief Executive 53% of Lifting 22% of Melrose Products overview Oil &amp; Gas Mining Crane and industrial Specialist fibre and steel rope High quality steel wire ropes High performance wire ropes Mooring,

341 views • 15 slides
Lifting Applied to Proof Complexity Marc Vinyals Technion Haifa, Israel FSTTCS Workshop on

Lifting Applied to Proof Complexity Marc Vinyals Technion Haifa, Israel FSTTCS Workshop on

Lifting Applied to Proof Complexity Marc Vinyals Technion Haifa, Israel FSTTCS Workshop on Extension Complexity and Lifting Theorems Supported by ERC project HARMONIC Proof Complexity Lifting Examples Wishlist SAT Is this formula

1.26k views • 82 slides
Symbolic Execution of Linux binaries About Symbolic Execution Dynamically explore all

Symbolic Execution of Linux binaries About Symbolic Execution Dynamically explore all

A tool for the Symbolic Execution of Linux binaries About Symbolic Execution Dynamically explore all program branches. Inputs are considered symbolic variables. Symbols remain uninstantiated and become constrained at execution

451 views • 24 slides
Strategy of lifting up Strategy of lifting up small or medium scale rabbit farming into small or

Strategy of lifting up Strategy of lifting up small or medium scale rabbit farming into small or

First Jilin Rabbit Fair and Conference on Asian Rabbit Production Development, Changchun (China), 8-10 September 2009. Strategy of lifting up Strategy of lifting up small or medium scale rabbit farming into small or medium scale rabbit farming

333 views • 29 slides
Numerical simulations of eccentric neutron star binaries N. K. Johnson-McDaniel TPI, Uni Jena

Numerical simulations of eccentric neutron star binaries N. K. Johnson-McDaniel TPI, Uni Jena

Numerical simulations of eccentric neutron star binaries N. K. Johnson-McDaniel TPI, Uni Jena 2nd GW Bursts Workshop May 28th, 2012 In collaboration with S. Bernuzzi, M. Thierfelder, and B. Br ugmann Why (highly) eccentric NS binaries? NR

404 views • 12 slides
Modeling Compact Object Binaries (very briefly) Compact Objects: neutron stars (NSs) or black

Modeling Compact Object Binaries (very briefly) Compact Objects: neutron stars (NSs) or black

Motivation EM Counterparts Extreme Matter Single Star Binary NS Conclusions Modeling Compact Object Binaries (very briefly) Compact Objects: neutron stars (NSs) or black holes (BHs) Binaries: tend to only consider last n orbits before

185 views • 14 slides
1 2/26/2020 void multstore Today Code Examples (long x, long y, long *dest) { long t =

1 2/26/2020 void multstore Today Code Examples (long x, long y, long *dest) { long t =

2/26/2020 Mechanisms in Procedures P( ) { Passing control To beginning of procedure code Machine-Level Programming III: y = Q(x); Back to return point print(y) Procedures Passing data } Procedure

496 views • 11 slides
Using Hardware Performance Events for Instruction-Level Monitoring on the x86 Architecture

Using Hardware Performance Events for Instruction-Level Monitoring on the x86 Architecture

Using Hardware Performance Events for Instruction-Level Monitoring on the x86 Architecture Sebastian Vogl and Claudia Eckert {vogls,eckertc}@in.tum.de Chair for IT Security Technische Universitt Mnchen Munich, Germany 10.04.2012 S. Vogl

759 views • 71 slides
Learning Automatic Schedulers through Projective Reparameterization Ajay Jain Saman Amarasinghe

Learning Automatic Schedulers through Projective Reparameterization Ajay Jain Saman Amarasinghe

Learning Automatic Schedulers through Projective Reparameterization Ajay Jain Saman Amarasinghe Challenges in ML for Systems Ajay Jain Learning automatic schedulers through projective reparameterization Challenges in ML for Systems 1.

384 views • 19 slides
STACK AND HEAP: COMMONLY ABUSED TERMS Simon Brand Codeplay Soware Ltd. AGENDA A bit about

STACK AND HEAP: COMMONLY ABUSED TERMS Simon Brand Codeplay Soware Ltd. AGENDA A bit about

STACK AND HEAP: COMMONLY ABUSED TERMS Simon Brand Codeplay Soware Ltd. AGENDA A bit about me What misuse am I talking about? Why is it wrong? What does the standard say? What terms should we use instead? C++ AND ME Work with C++ daily

637 views • 24 slides
Livepatching FreeBSD kernel Maciej Grochowski Maciej.Grochowski[at]protonmail.com EuroBSDcon

Livepatching FreeBSD kernel Maciej Grochowski Maciej.Grochowski[at]protonmail.com EuroBSDcon

Livepatching FreeBSD kernel Maciej Grochowski Maciej.Grochowski[at]protonmail.com EuroBSDcon 2018 University Politehnica of Bucharest Bucuresti, Romania September 22 23, 2018 Outline Problem statement Some background Why we

710 views • 19 slides
CS356 Unit 6 x86 Procedures Basic Stack Frames 6.2 Review of Program Counter (Instruc. Pointer)

CS356 Unit 6 x86 Procedures Basic Stack Frames 6.2 Review of Program Counter (Instruc. Pointer)

6.1 CS356 Unit 6 x86 Procedures Basic Stack Frames 6.2 Review of Program Counter (Instruc. Pointer) PC/IP is used to fetch an instruction PC/IP contains the address of the next instruction The value in the PC/IP is placed on the

1.5k views • 33 slides
Lets Stay Together: Towards Traffic Aware Virtual Machine Placement in Data Centers Manar

Lets Stay Together: Towards Traffic Aware Virtual Machine Placement in Data Centers Manar

Lets Stay Together: Towards Traffic Aware Virtual Machine Placement in Data Centers Manar Alqarni Proff. Tang 1 Topics covered INTRODUCTION HOMOGENEOUS CASE -Algorithm 1 Recursive-based Placement RBP (m, c, n, r) -Algorithm 2

614 views • 24 slides
Obfuscation vs. Deobfuscation ISSISP 2018 Christian Collberg University of Arizona 1.

Obfuscation vs. Deobfuscation ISSISP 2018 Christian Collberg University of Arizona 1.

Obfuscation vs. Deobfuscation ISSISP 2018 Christian Collberg University of Arizona 1. Obfuscating Arithmetic 2. Opaque Expressions 3. Control Flow Flattening 4. Constructing Opaque Expressions 5. Generic Deobfuscation 6. Turning up

1.39k views • 95 slides

More recommend