mcsema
play

McSema: Static Translation of X86 Instructions to LLVM ARTEM - PowerPoint PPT Presentation

Oct 09, 2023 •747 likes •1.09k views

McSema: Static Translation of X86 Instructions to LLVM ARTEM DINABURG, ARTEM@TRAILOFBITS.COM ANDREW RUEF, ANDREW@TRAILOFBITS.COM This research was developed with funding from the Defense Advanced Research Projects Agency (DARPA). The

  1. McSema: Static Translation of X86 Instructions to LLVM ARTEM DINABURG, ARTEM@TRAILOFBITS.COM ANDREW RUEF, ANDREW@TRAILOFBITS.COM “This research was developed with funding from the Defense Advanced Research Projects Agency (DARPA).” “ The views expressed are those of the author(s) and do not reflect the official policy or position of the Department of Defense o r the U.S. Government.” Distribution Statement “A” (Approved for Public Release, Distribution Unlimited)

  2. About Us Artem ◦ Security Researcher ◦ blog.dinaburg.org Andrew ◦ PhD Student, University of Maryland ◦ Trail of Bits ◦ www.cs.umd.edu/~awruef “This research was developed with funding from the Defense Advanced Research Projects Agency (DARPA).” “ The views expressed are those of the author(s) and do not reflect the official policy or position of the Department of Defense o r the U.S. Government.” Distribution Statement “A” (Approved for Public Release, Distribution Unlimited)

  3. What is McSema? Translate existing programs into a representation that can be easily manipulated and reasoned about. The representation we chose is LLVM IR. “This research was developed with funding from the Defense Advanced Research Projects Agency (DARPA).” “ The views expressed are those of the author(s) and do not reflect the official policy or position of the Department of Defense o r the U.S. Government.” Distribution Statement “A” (Approved for Public Release, Distribution Unlimited)

  4. • ■ What is LLVM? ■ ■ Modern Optimizing Compiler Infrastructure ◦ Infrastructure first, compiler second Easy to learn and modify (for a compiler) Very permissive licensing ... X86 PPC C BE clang GC C L TO C ode ... Optzn T arget JIT linker IPO DW AR F gen BC IO LL IO S ystem C ore xforms GC S upport analysis h “This research was developed with funding from the Defense Advanced Research Projects Agency (DARPA).” “ The views expressed are those of the author(s) and do not reflect the official policy or position of the Department of Defense o r the U.S. Government.” Distribution Statement “A” (Approved for Public Release, Distribution Unlimited)

  5. What is LLVM IR? Like a higher level assembly language Typed, Static Single Assignment Simplifies program analysis and transformation define i32 @main(i32 %argc, i8** %argv) { %1 = alloca i32, align 4 %2 = alloca i32, align 4 %3 = alloca i8**, align 8 store i32 0, i32* %1 store i32 %argc, i32* %2, align 4 store i8** %argv, i8*** %3, align 8 %4 = call i32 (i8*, ...)* @printf (… <omitted>) ret i32 0 } “This research was developed with funding from the Defense Advanced Research Projects Agency (DARPA).” “ The views expressed are those of the author(s) and do not reflect the official policy or position of the Department of Defense o r the U.S. Government.” Distribution Statement “A” (Approved for Public Release, Distribution Unlimited)

  6. Why translate x86 to LLVM IR? Use all existing LLVM tools ◦ Optimization ◦ Test Generation ◦ Model Checking “This research was developed with funding from the Defense Advanced Research Projects Agency (DARPA).” “ The views expressed are those of the author(s) and do not reflect the official policy or position of the Department of Defense o r the U.S. Government.” Distribution Statement “A” (Approved for Public Release, Distribution Unlimited)

  7. Why translate x86 to LLVM IR? Portability aarch64 arm hexagon mips mips64 msp430 nvptx nvptx64 ppc32 ppc64 r600 sparc sparcv9 systemz thumb x86 x86-64 xcore “This research was developed with funding from the Defense Advanced Research Projects Agency (DARPA).” “ The views expressed are those of the author(s) and do not reflect the official policy or position of the Department of Defense o r the U.S. Government.” Distribution Statement “A” (Approved for Public Release, Distribution Unlimited)

  8. Why translate x86 to LLVM IR? Foreign Code Integration and Re-Use DLL EXE SOURCE McSema LLVM IR “This research was developed with funding from the Defense Advanced Research Projects Agency (DARPA).” “ The views expressed are those of the author(s) and do not reflect the official policy or position of the Department of Defense o r the U.S. Government.” Distribution Statement “A” (Approved for Public Release, Distribution Unlimited)

  9. Why translate x86 to LLVM IR? Add obfuscation and/or security to existing code. DLL DLL’ LLVM IR McSema Other Tools “This research was developed with funding from the Defense Advanced Research Projects Agency (DARPA).” “ The views expressed are those of the author(s) and do not reflect the official policy or position of the Department of Defense o r the U.S. Government.” Distribution Statement “A” (Approved for Public Release, Distribution Unlimited)

  10. Demo 1 “This research was developed with funding from the Defense Advanced Research Projects Agency (DARPA).” “ The views expressed are those of the author(s) and do not reflect the official policy or position of the Department of Defense o r the U.S. Government.” Distribution Statement “A” (Approved for Public Release, Distribution Unlimited)

  11. Prior Work Dagger Second Write Fracture ◦ Draper Lab BAP ◦ CMU “This research was developed with funding from the Defense Advanced Research Projects Agency (DARPA).” “ The views expressed are those of the author(s) and do not reflect the official policy or position of the Department of Defense o r the U.S. Government.” Distribution Statement “A” (Approved for Public Release, Distribution Unlimited)

  12. Why McSema Open Source Documentation and Unit Tests FPU and SSE Support (incomplete) Modular architecture ◦ Separate control flow recovery from translation ◦ Designed to translate code from arbitrary sources ◦ Control flow graphs specified as Google protocol buffers “This research was developed with funding from the Defense Advanced Research Projects Agency (DARPA).” “ The views expressed are those of the author(s) and do not reflect the official policy or position of the Department of Defense o r the U.S. Government.” Distribution Statement “A” (Approved for Public Release, Distribution Unlimited)

  13. Open Source McSema is DARPA funded. It is in the process of being open sourced. These things take time. Permissively licensed. “This research was developed with funding from the Defense Advanced Research Projects Agency (DARPA).” “ The views expressed are those of the author(s) and do not reflect the official policy or position of the Department of Defense o r the U.S. Government.” Distribution Statement “A” (Approved for Public Release, Distribution Unlimited)

  14. Unit Tests Google test powered unit test for instruction semantics Compares McSema CPU context to native CPU state Intel Native ... ... State PIN ADD PASS FADD PASS FMUL FAIL Mc LLVM McSema ... ... State Sema JIT “This research was developed with funding from the Defense Advanced Research Projects Agency (DARPA).” “ The views expressed are those of the author(s) and do not reflect the official policy or position of the Department of Defense o r the U.S. Government.” Distribution Statement “A” (Approved for Public Release, Distribution Unlimited)

  15. FPU And SSE Support Nearly Complete FPU Support ◦ Many instructions ◦ Some core issues remain: ◦ Precision Control ◦ Rounding Control SSE Support is architecturally implemented ◦ Register state is complete ◦ Needs more instructions “This research was developed with funding from the Defense Advanced Research Projects Agency (DARPA).” “ The views expressed are those of the author(s) and do not reflect the official policy or position of the Department of Defense o r the U.S. Government.” Distribution Statement “A” (Approved for Public Release, Distribution Unlimited)

  16. McSema Architecture Separate control flow recovery from translation Designed to translate code from arbitrary sources Control flow graphs specified as Google protocol buffers IDA CFG Instruction bin_decsen LLVM IR Protobuf Translation d … “This research was developed with funding from the Defense Advanced Research Projects Agency (DARPA).” “ The views expressed are those of the author(s) and do not reflect the official policy or position of the Department of Defense o r the U.S. Government.” Distribution Statement “A” (Approved for Public Release, Distribution Unlimited)

  17. Control Flow Recovery 1) Start at the entry point 2) BFS through all discovered basic blocks 3) ??? 4) Recover CFG What could go wrong??? “This research was developed with funding from the Defense Advanced Research Projects Agency (DARPA).” “ The views expressed are those of the author(s) and do not reflect the official policy or position of the Department of Defense o r the U.S. Government.” Distribution Statement “A” (Approved for Public Release, Distribution Unlimited)

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Lifting program binaries with McSema Peter Goodman, Akshay Kumar Introductions Peter Goodman

Lifting program binaries with McSema Peter Goodman, Akshay Kumar Introductions Peter Goodman

Lifting program binaries with McSema Peter Goodman, Akshay Kumar Introductions Peter Goodman Akshay Kumar Senior Security Engineer Senior Security Engineer peter@trailofbits.com akshay.kumar@trailofbits.com 2 2 Overview of this workshop

1.03k views • 89 slides
Mission The Center will perform advanced research in military information technology, where

Mission The Center will perform advanced research in military information technology, where

GMU C4I Center Poised for Growth Dr. J. Mark Pullen, Director Center of Excellence in Command, Control, Communications, Computing and Intelligence mpullen@gmu.edu http://c4i.gmu.edu Mission The Center will perform advanced research in

458 views • 8 slides
11/10/14 CSCI 1101A How the Internet works Mohammad T. Irfan 1

11/10/14 CSCI 1101A How the Internet works Mohammad T. Irfan 1

11/10/14 CSCI 1101A How the Internet works Mohammad T. Irfan 1 11/10/14 Python program to connect to the Internet At a high level u http://www.wimp.com/internetworks/ 2 11/10/14 Two

356 views • 4 slides
Why use GPUs for graph processing? FOSDEM 2020 2 GPUs and Graphs Graphs GPUs Found

Why use GPUs for graph processing? FOSDEM 2020 2 GPUs and Graphs Graphs GPUs Found

Gunrock High-Performance Graph Analytics for the GPU Muhammad Osama University of California, Davis Why use GPUs for graph processing? FOSDEM 2020 2 GPUs and Graphs Graphs GPUs Found everywhere Found everywhere Road &amp;

560 views • 23 slides
The Future of Cyber Experimentation and Testing T he U.S. NAT I O NAL C YBER RANG E

The Future of Cyber Experimentation and Testing T he U.S. NAT I O NAL C YBER RANG E

s The Future of Cyber Experimentation and Testing T he U.S. NAT I O NAL C YBER RANG E Michael VanPutte, Ph.D. Program Manager Distribution Statement A (Approved for Public Release, Distribution Unlimited #14014) DISCLAIMER: The

319 views • 11 slides
??? ??? Group = Symmetry Group = Symmetry Samuel J. Lomonaco, Jr. Dept. of Comp. Sci. &amp;

??? ??? Group = Symmetry Group = Symmetry Samuel J. Lomonaco, Jr. Dept. of Comp. Sci. &amp;

??? ??? Group = Symmetry Group = Symmetry Samuel J. Lomonaco, Jr. Dept. of Comp. Sci. &amp; Electrical Engineering University of Maryland Baltimore County Baltimore, MD 21250 Email: Lomonaco@UMBC.EDU WebPage:

643 views • 4 slides
ARPA-Es Mission Mission: To overcome long-term and high-risk technological barriers in the

ARPA-Es Mission Mission: To overcome long-term and high-risk technological barriers in the

6/10/20 NEXTCAR Next Generation Energy Technologies for Connected and Automated On-Road Vehicles June 10, 2020 Advanced Research Projects Agency Energy 0 ARPA-E NEXTCAR Team Marina Sofos (2020- ) Chris Atkinson (2016-2020) Mary

461 views • 20 slides
DECOY APPLICATIONS FOR CONTINUOUS AUTHENTICATION ON MOBILE DEVICES WAY Workshop July 9 th , 2014

DECOY APPLICATIONS FOR CONTINUOUS AUTHENTICATION ON MOBILE DEVICES WAY Workshop July 9 th , 2014

DECOY APPLICATIONS FOR CONTINUOUS AUTHENTICATION ON MOBILE DEVICES WAY Workshop July 9 th , 2014 Malek Ben Salem Accenture Technology Labs Jonathan Voris and Salvatore J. Stolfo Allure Security Technology This material is based on work

495 views • 10 slides
CS 204: Layering Jiasi Chen MWF 12:10-1pm Humanities and Social Sciences 1403

CS 204: Layering Jiasi Chen MWF 12:10-1pm Humanities and Social Sciences 1403

CS 204: Layering Jiasi Chen MWF 12:10-1pm Humanities and Social Sciences 1403 http://www.cs.ucr.edu/~jiasi/teaching/cs204_spring17/ 1 Overview How to read Q: How to design the History Internet from the Layering ground up?

678 views • 39 slides
CS5530 Mobile/Wireless Systems Introduction Yanyan Zhuang Department of Computer Science

CS5530 Mobile/Wireless Systems Introduction Yanyan Zhuang Department of Computer Science

CS5530 Mobile/Wireless Systems Introduction Yanyan Zhuang Department of Computer Science http://www.cs.uccs.edu/~yzhuang UC. Colorado Springs CS5530 Ref. CN5E, NT@UW Intro of Intro Yanyan Zhuang o PhD in network systems o

656 views • 30 slides
Molecular Computing Dr. Nickolas Chelyapov Cliff Johnson Leonard Adleman Areio Soltani

Molecular Computing Dr. Nickolas Chelyapov Cliff Johnson Leonard Adleman Areio Soltani

Molecular Computing Dr. Nickolas Chelyapov Cliff Johnson Leonard Adleman Areio Soltani Laboratory for Molecular Rolfe Schmidt Science Billal Shaw University of Southern California Dustin Reischus Defense Advanced Research Projects Agency

411 views • 11 slides
Computing Week 9 LBSC 671 Creating Information Infrastructures Muddiest Points BIBFRAME

Computing Week 9 LBSC 671 Creating Information Infrastructures Muddiest Points BIBFRAME

Computing Week 9 LBSC 671 Creating Information Infrastructures Muddiest Points BIBFRAME The analog hole Goals for Today Understand what makes stupid computers seem smart Understand how the Internet works Commercial

1.43k views • 58 slides
Where am I? Operating System And Virtualization Identification Without System Calls Jason L.

Where am I? Operating System And Virtualization Identification Without System Calls Jason L.

Where am I? Operating System And Virtualization Identification Without System Calls Jason L. Wright (jason@thought.net) Cyber Security Symposium April 17-19, 2017 Coeur dAlene, Idaho, USA This research was developed with funding from the

457 views • 13 slides
Crowdsourcing CSCI 470: Web Science Keith Vertanen

Crowdsourcing CSCI 470: Web Science Keith Vertanen

Crowdsourcing CSCI 470: Web Science Keith Vertanen Overview Crowdsourcing = Crowd + Outsourcing Incented coopera6on Paid tasks Compe66ons

544 views • 17 slides
X10: New opportunities for X10: New opportunities for Compiler-Driven Performance

X10: New opportunities for X10: New opportunities for Compiler-Driven Performance

X10: New opportunities for X10: New opportunities for Compiler-Driven Performance Compiler-Driven Performance via a new Programming Model via a new Programming Model Kemal Ebcioglu Kemal Ebcioglu Vijay Saraswat Vijay Saraswat Vivek Sarkar

460 views • 27 slides
Introduction CS 236 Advanced Computer Security Peter Reiher April 1, 2008 Lecture 1 Page 1

Introduction CS 236 Advanced Computer Security Peter Reiher April 1, 2008 Lecture 1 Page 1

Introduction CS 236 Advanced Computer Security Peter Reiher April 1, 2008 Lecture 1 Page 1 CS 236, Spring 2008 Outline Subject of class Class topics and organization Reading material Class web page Grading Projects

838 views • 50 slides
CS535 Big Data 1/22/2020 Sangmi Lee Pallickara CS535 Big Data | Computer Science Department

CS535 Big Data 1/22/2020 Sangmi Lee Pallickara CS535 Big Data | Computer Science Department

CS535 Big Data 1/22/2020 Sangmi Lee Pallickara CS535 Big Data | Computer Science Department | Colorado State University CS535 BIG DATA PART A. BIG DATA TECHNOLOGY 1. INTRODUCTION TO BIG DATA What is Big Data? Sangmi Lee Pallickara

569 views • 7 slides
Welcome to the Government Blockchain Association (GBA) Meet Up May 15 th , 2017 Blockchain

Welcome to the Government Blockchain Association (GBA) Meet Up May 15 th , 2017 Blockchain

Welcome to the Government Blockchain Association (GBA) Meet Up May 15 th , 2017 Blockchain for Homeland Security, Defense and Law Enforcement Agenda Brief Review What is blockchain and why is it important? What are the defining

795 views • 31 slides
Software Model Checking Using Bogor Software Model Checking Using Bogor a Modular and

Software Model Checking Using Bogor Software Model Checking Using Bogor a Modular and

Software Model Checking Using Bogor Software Model Checking Using Bogor a Modular and Extensible Model Checking Framework a Modular and Extensible Model Checking Framework 3rd Estonian Summer School in Computer and System Science

301 views • 8 slides
A Minicourse on Multithreaded Programming Charles E Leiserson Harald Prok op MIT Lab

A Minicourse on Multithreaded Programming Charles E Leiserson Harald Prok op MIT Lab

A Minicourse on Multithreaded Programming Charles E Leiserson Harald Prok op MIT Lab oratory for Computer Science T ec hnology Square Cam bridge Massac h usetts f celprokop g l cs

370 views • 13 slides
CSCI 21 215 Soc ocial &amp; Eth thical Iss Issues In In Com omputing Class 11 Malware

CSCI 21 215 Soc ocial &amp; Eth thical Iss Issues In In Com omputing Class 11 Malware

CSCI 21 215 Soc ocial &amp; Eth thical Iss Issues In In Com omputing Class 11 Malware (1988) &quot;We're dealing with an urban myth. It's like the story of alligators in the sewers of New York. Everyone knows about them, but no one's ever

293 views • 16 slides
Networking and the Internet Lecture 4 COMPSCI.111 Todays lecture u History of the

Networking and the Internet Lecture 4 COMPSCI.111 Todays lecture u History of the

Networking and the Internet Lecture 4 COMPSCI.111 Todays lecture u History of the Internet u How the Internet works u Network protocols The telephone u 1876: first successful bi-directional transmission of clear speech by Alexander Bell

534 views • 29 slides
15-292 History of Computing The Internet 1 A Vision of Connecting the World the Memex

15-292 History of Computing The Internet 1 A Vision of Connecting the World the Memex

2/25/20 15-292 History of Computing The Internet 1 A Vision of Connecting the World the Memex Proposed by Vannevar Bush first published in the essay &quot;As We May Think&quot; in Atlantic Monthly in 1945 and subsequently in Life

374 views • 16 slides
Lecture 7: Internetworking CSE 123: Computer Networks Chris Kanich Extra project discussion:

Lecture 7: Internetworking CSE 123: Computer Networks Chris Kanich Extra project discussion:

Lecture 7: Internetworking CSE 123: Computer Networks Chris Kanich Extra project discussion: Friday 3:30pm WLH 2204 Lecture 8 Overview Internet Protocol Service model Packet format Fragmentation Addressing Subnetting

306 views • 8 slides

More recommend