BINSEC/SE: A Dynamic Symbolic Execution Toolkit for Binary-level Analysis

Robin David, Sébastien Bardin, Thanh Dinh Ta, Josselin Feist, Laurent Mounier, Marie-Laure Potet, Jean-Yves Marion

SANER 2016, Osaka, Japan, March 16th

Outline

- Introduction
- Dynamic Symbolic Execution
- Binsec/SE
- Demo

CEA - - 2/11

Introduction

The need to reverse engineer an executable: malware, bug discovery, safety, testing, ...

Current approaches and limitations for binary-level understanding:

Static:
- allows choosing any path [but not necessarily a feasible one]
- easy to fool → indirect jumps, self-modification, etc.

Dynamic:
- only doable paths [but they depend on the inputs]
- problem → possibly misses a lot of code areas

Symbolic: best of both worlds
- only doable paths
- can recover new paths [regardless of path rarity]

Running examples

Various problems occur when trying to cover program paths:

Dynamic jumps

    mov eax, var x
    shl eax, 2
    add eax, off y
    mov eax, [eax]
    mov edx, eax
    mov eax, edx
    jmp eax

Call/Ret

    1004002 : call 0x100400a
    1004007 : (junk byte)
    1004008 : jmp 0x100400e
    100400a : pop ebp
    100400b : inc ebp
    100400c : push ebp
    100400d : ret
    100400e : ...

And many others..

Heuristics limitations:
- IDA Pro 6.9 is fooled by such tricks.
- Common disassemblers do not disassemble after an unknown byte or a ret instruction.


DSE : In brief

Definition: symbolic execution is the means of executing a program with symbolic values (logical symbols) rather than actual values (bitvectors), in order to obtain the input-output relationship of a path.

Dynamic Symbolic Execution [DSE]:
- precise reasoning on a single path
- sound execution of the program (the path is necessarily feasible)
- can recover new paths (goto eax, call/ret, etc.)
- thwarts basic tricks (code overlapping, ...)



Binsec : Global overview


Binsec/SE : In depth

Tracing (Pin):
- gathers concrete information about certain library calls
- arbitrary value retrieval (registers/memory)
- on-the-fly value patching
- Linux/Windows
- remote control

Core (10K OCaml loc):
- stub engine for library calls
- generic path selection
- path predicate optimization
- handles JSON configuration files
- solvers: Z3, boolector, ...


Demo : Call/Ret violation

Example code obfuscated by the ASPack packer:

    1004002  e8 03 00 00 00   call 0x100400a   // pushes 0x1004007 as the return address
    100400a  5d               pop ebp          // pops the return address into ebp
    100400b  45               inc ebp          // increments ebp
    100400c  55               push ebp         // pushes the value back
    100400d  c3               ret              // returns to 0x1004008
    1004008  eb 04            jmp 0x100400e

→ Fools the disassembler (which works here). (Goal: find such violations with DSE.)
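As an added example (not code from the slides or from Binsec/SE), the Python below replays the listing above as a concrete trace and applies the shadow-call-stack check behind the demo's "call/ret violation": the ret at 0x100400d lands on 0x1004008 instead of the pushed 0x1004007, and the junk byte at 0x1004007 is never executed, which is why a trace-based analysis sees the real control flow that static call/ret heuristics miss. The CODE table layout and the run() function are my own assumptions.

```python
# Added example, not code from the BINSEC/SE slides or the tool: a tiny trace
# interpreter that replays the demo slide's call/ret snippet and reports a
# call/ret violation whenever a ret does not return to the pushed address.
# Listing from the slide: address -> (mnemonic, operand, encoded size).
CODE = {
    0x1004002: ("call", 0x100400a, 5),  # e8 03 00 00 00
    0x1004007: ("junk", None, 1),       # junk byte, never executed
    0x1004008: ("jmp", 0x100400e, 2),   # eb 04
    0x100400a: ("pop", "ebp", 1),       # 5d
    0x100400b: ("inc", "ebp", 1),       # 45
    0x100400c: ("push", "ebp", 1),      # 55
    0x100400d: ("ret", None, 1),        # c3
}

def run(entry=0x1004002):
    """Execute CODE from entry until pc leaves the listing (0x100400e, the
    slide's "..."); return (executed addresses, [(ret pc, expected, actual)])."""
    regs, stack, shadow = {"ebp": 0}, [], []  # shadow: return addrs pushed by `call`
    trace, violations = [], []
    pc = entry
    while pc in CODE:
        mnem, arg, size = CODE[pc]
        trace.append(pc)
        nxt = pc + size
        if mnem == "call":
            stack.append(nxt)
            shadow.append(nxt)
            pc = arg
        elif mnem == "jmp":
            pc = arg
        elif mnem == "pop":
            regs[arg] = stack.pop()
            pc = nxt
        elif mnem == "inc":
            regs[arg] = (regs[arg] + 1) & 0xFFFFFFFF
            pc = nxt
        elif mnem == "push":
            stack.append(regs[arg])
            pc = nxt
        elif mnem == "ret":
            target = stack.pop()
            expected = shadow.pop() if shadow else None
            if target != expected:  # the check a shadow call stack performs
                violations.append((pc, expected, target))
            pc = target
        else:
            raise RuntimeError(f"unexpected byte executed at {pc:#x}")
    return trace, violations
```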



Thank you! ありがとうございます

Direction de la Recherche Technologique, Département d'Ingénierie des Logiciels et des Systèmes, Laboratoire de Sûreté des Logiciels
Commissariat à l'énergie atomique et aux énergies alternatives, Institut Carnot CEA LIST, Centre de Saclay, 91191 Gif-sur-Yvette Cedex
Établissement public à caractère industriel et commercial, RCS Paris B 775 685 019