platform independent static
play

Platform-independent static binary code analysis using a meta- - PowerPoint PPT Presentation

May 08, 2023 •141 likes •677 views

Platform-independent static binary code analysis using a meta- assembly language Thomas Dullien, Sebastian Porst zynamics GmbH CanSecWest 2009 Overview The REIL Language Abstract Interpretation MonoREIL Results 2 Motivation Bugs are

  1. Platform-independent static binary code analysis using a meta- assembly language Thomas Dullien, Sebastian Porst zynamics GmbH CanSecWest 2009

  2. Overview The REIL Language Abstract Interpretation MonoREIL Results 2

  3. Motivation • Bugs are getting harder to find • Defensive side (most notably Microsoft) has invested a lot of money in a „bugocide“ • Concerted effort: Lots of manual code auditing aided by static analysis tools • Phoenix RDK: Includes „lattice based“ analysis framework to allow pluggable abstract interpretation in the compiler 3

  4. Motivation • Offense needs automated tools if they want to avoid being sidelined • Offensive static analysis: Depth vs. Breadth • Offense has no source code, no Phoenix RDK, and should not depend on Microsoft • We want a static analysis framework for offensive purposes 4

  5. Overview The REIL Language Abstract Interpretation MonoREIL Results 5

  6. REIL • Reverse Engineering Intermediate Language • Platform-Independent meta-assembly language • Specifically made for static code analysis of binary files • Can be recovered from arbitrary native assembly code – Supported so far: x86, PowerPC, ARM 6

  7. Advantages of REIL • Very small instruction set (17 instructions) • Instructions are very simple • Operands are very simple • Free of side-effects • Analysis algorithms can be written in a platform-independent way – Great for security researchers working on more than one platform 7

  8. Creation of REIL code • Input: Disassembled Function – x86, ARM, PowerPC, potentially others • Each native assembly instruction is translated to one or more REIL instructions • Output: The original function in REIL code 8

  9. Example 9

  10. Design Criteria • Simplicity • Small number of instructions – Simplifies abstract interpretation (more later) • Explicit flag modeling – Simplifies reasoning about control-flow • Explicit load and store instructions • No side-effects 10

  11. REIL Instructions • One Address – Source Address * 0x100 + n – Easy to map REIL instructions back to input code • One Mnemonic • Three Operands – Always • An arbitrary amount of meta-data – Nearly unused at this point 11

  12. REIL Operands • All operands are typed – Can be either registers, literals, or sub-addresses – No complex expressions • All operands have a size – 1 byte, 2 bytes, 4 bytes, ... 12

  13. The REIL Instruction Set • Arithmetic Instructions – ADD, SUB, MUL, DIV, MOD, BSH • Bitwise Instructions – AND, OR, XOR • Data Transfer Instructions – LDM, STM, STR 13

  14. The REIL Instruction Set • Conditional Instructions – BISZ, JCC • Other Instructions – NOP, UNDEF, UNKN • Instruction set is easily extensible 14

  15. REIL Architecture • Register Machine – Unlimited number of registers t 0 , t 1 , ... – No explicit stack • Simulated Memory – Infinite storage – Automatically assumes endianness of the source platform 15

  16. Limitations of REIL • Does not support certain instructions (FPU, MMX, Ring-0, ...) yet • Can not handle exceptions in a platform- independent way • Can not handle self-modifying code • Does not correctly deal with memory selectors 16

  17. Overview The REIL Language Abstract Interpretation MonoREIL Results 17

  18. Abstract Interpretation • Theoretical background for most code analysis • Developed by Patrick and Rhadia Cousot around 1975-1977 • Formalizes „static abstract reasoning about dynamic properties“ • Huh ? • A lot of the literature is a bit dense for many security practitioners 18

  19. Abstract Interpretation • We want to make statements about programs • Example: Possible set of values for variable x at a given program point p • In essence: For each point p, we want to find K p P ( States ) • Problem: is a bit unwieldly P ( States ) • Problem: Many questions are undecidable (where is the w*nker that yells „halting problem“) ? 19

  20. Dealing with unwieldy stuff • Reason about something simpler: Abstraction P ( States ) D Concretisation P ( States ) D • Example: Values vs. Intervals 20

  21. Lattices • In order for this to work, must be structurally D similar to P ( States ) • supports intersection and union P ( States ) • You can check for inclusion (contains, does not contain) • You have an empty set (bottom) and „everything“ (top) 21

  22. Lattices • A lattice is something like a generalized powerset • Example lattices: Intervals, Signs, , P ( Registers ) mod p 22

  23. Dealing with halting • Original program consists of p 1 ... p n program points • Each instruction transforms a set of states into a different set of states • p 1 ... p n are mappings P ( States ) P ( States ) • Specify ' 1  p p ' n : D D ~ • This yields us n n p : D D 23

  24. Dealing with halting • We cheat: Let be finite  n is finite D D ~ • Make sure that is monotonous (like this talk) p • Begin with initial state I ~ l • Calculate p ( ) ~ ~ • Calculate p ( p ( l )) 1 l ~ ~ • Eventually, you reach n n p ( l ) p ( ) • You are done – read off the results and see if your question is answered 24

  25. Theory vs. practice • A lot of the academic focus is on proving correctness of the transforms p i P ( States ) P ( States ) p ' i D D • As practitioner we know that p i is probably not fully correctly specified • We care much more about choosing and constructing a so that we get the results we need D 25

  26. Overview The REIL Language Abstract Interpretation MonoREIL Results 26

  27. MonoREIL • You want to do static analysis • You do not want to write a full abstract interpretation framework • We provide one: MonoREIL • A simple-to-use abstract interpretation framework based on REIL 27

  28. What does it do ? • You give it – The control flow graph of a function (2 LOC) – A way to walk through the CFG (1 + n LOC) – The lattice (15 + n LOC) D • Lattice Elements • A way to combine lattice elements – The initial state (12 + n LOC) – Effects of REIL instructions on (50 + n LOC) D 28

  29. How does it work? • Fixed-point iteration until final state is found • Interpretation of result – Map results back to original assembly code • Implementation of MonoREIL already exists • Usable from Java, ECMAScript, Python, Ruby 29

  30. Overview The REIL Language Abstract Interpretation MonoREIL Results 30

  31. Register Tracking • First Example: Simple • Question: What are the effects of a register on other instructions? • Useful for following register values 31

  32. Register Tracking • Demo 32

  33. Register Tracking • Lattice: For each instruction, set of influenced registers, combine with union • Initial State – Empty (nearly) everywhere – Start instruction: { tracked register } • Transformations for MNEM op1, op2, op3 – If op1 or op2 are tracked  op3 is tracked too – Otherwise: op3 is removed from set 33

  34. Negative indexing • Second Example: More complicated • Question: Is this function indexing into an array with a negative value ? • This gets a bit more involved 34

  35. Negative indexing • Simple intervals alone do not help us much • How would you model a situation where – A function gets a structure pointer as argument – The function retrieves a pointer to an array from an array of pointers in the structure – The function then indexes negatively into this array • Uh. Ok. 35

  36. Abstract locations • For each instruction, what are the contents of the registers ? Let‘s slowly build complexity: • If eax contains arg_4, how could this be modelled ? – eax = *(esp.in + 8) • If eax contains arg_4 + 4 ? – eax = *(esp.in + 8) + 4 • If eax can contain arg_4+4, arg_4+8, arg_4+16, arg_4 + 20 ? – eax = *(esp.in + 8) + [4, 20] 36

  37. Abstract locations • If eax can contain arg_4+4, arg_8+16 ? – eax = *(esp.in + [8,12]) + [4,16] • If eax can contain any element from – arg_4  mem[0] to arg_4  mem[10], incremented once, how do we model this ? – eax = *(*(esp.in + [8,8]) + [4, 44]) + [1,1] • OK. An abstract location is a base value and a list of intervals, each denoting memory dereferences (except the last) 37

  38. Range Tracking eax.in + [a, b] + [0, 0] eax.in + a eax.in + b 38

  39. Range Tracking eax + [a, b] + [c, d] + [0, 0] eax + a eax + b [eax+a]+c [eax+a]+d [eax+a+4]+c [eax+a+4]+d [eax+b]+c [eax+b]+d 39

  40. Range Tracking • Lattice: For each instruction, a map:  Register Aloc Aloc • Initial State – Empty (nearly) everywhere – Start instruction: { reg -> reg.in + [0,0] } • Transformations – Complicated. Next slide. 40

  41. Range Tracking • Transformations – ADD/SUB are simple: Operate on last intervals – STM op 1 , , op 3 • If op 1 or op 3 not in our input map M skip • Otherwise, M[ M[op 3 ] ] = op 1 – LDM op 1 , , op 3 • If op 1 or op 3 is not in our input map M skip • M[ op 3 ] = M[ op 1 ] – Others: Case-specific hacks 41

  42. Range Tracking • Where is the meat ? • Real world example: Find negative array indexing 42

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Automated Generation of Platform-Variant Applications from Platform-Independent Models via

Automated Generation of Platform-Variant Applications from Platform-Independent Models via

Automated Generation of Platform-Variant Applications from Platform-Independent Models via Templates Nuno Amlio, Christian Glodt, Frederico Pinto, Pierre Kelsen University of Luxembourg Introduction Manual code development is expensive

243 views • 21 slides
Technical Specifications Platform will have Independent chassis To-do and the balance of the

Technical Specifications Platform will have Independent chassis To-do and the balance of the

Technical Specifications Platform will have Independent chassis To-do and the balance of the platform will be mounted to the chassis outrigger detached. The chassis of the crane will install by screw sand studs to the carrier chassis. In the

117 views • 8 slides
Static and Method Overloading static One per class, not per object static variables

Static and Method Overloading static One per class, not per object static variables

Static and Method Overloading static One per class, not per object static variables all instances of the class share the same static variable example: serial/VIN number for Car static methods invoked through class

324 views • 7 slides
An Integrated Approach for Platform-Independent Web Applications W3C Multimodal Interaction

An Integrated Approach for Platform-Independent Web Applications W3C Multimodal Interaction

An Integrated Approach for Platform-Independent Web Applications W3C Multimodal Interaction Workshop Sophia-Antipolis, 19.-20.7.2004 Gerald Hbsch and Thomas Springer Dresden University of Technology {huebsch,springet}@rn.inf.tu-dresden.de

519 views • 26 slides
Getting Serious About a Platform Independent Application for the Usage of Mobile Moodle Quizzes:

Getting Serious About a Platform Independent Application for the Usage of Mobile Moodle Quizzes:

Getting Serious About a Platform Independent Application for the Usage of Mobile Moodle Quizzes: A Case Study Stefan Geisler, Marc Jansen 1 S. Geisler, M. Jansen: A Platform Independent App for Mobile Moodle Quizzes: A Case Study Contents

656 views • 20 slides
1 Static Equilibrium From Static Eq. to Dynamic Eq. System of mass points Static

1 Static Equilibrium From Static Eq. to Dynamic Eq. System of mass points Static

Static/ Dynamic Deformation I ntroduction to Static deformation Dynamic deformation Static/ Dynamic Deformation with Mass-Spring Systems undeformed shape f internal + = f inertia = 0 f external Min Gyu Choi deformed

426 views • 4 slides
Keeping modular and platform- independent software up-to-date: benefits from the Semantic Web

Keeping modular and platform- independent software up-to-date: benefits from the Semantic Web

Keeping modular and platform- independent software up-to-date: benefits from the Semantic Web Olivier Dameron SMI - Stanford University 8 th International Protg Conference July 18-21, 2005 Problem Keeping local installation of

736 views • 39 slides
Egyptian Research and Evaluation Network EREN is a distinct and independent platform whose

Egyptian Research and Evaluation Network EREN is a distinct and independent platform whose

Egyptian Research and Evaluation Network EREN is a distinct and independent platform whose purpose is to enhance the effectiveness, impact and sustainability of development in Egypt by supporting quality evaluation, advancing generation

311 views • 16 slides
SciViews-K and Komodo Edit, a new platform-independent GUI/IDE for R Ph. Grosjean, R. Franois

SciViews-K and Komodo Edit, a new platform-independent GUI/IDE for R Ph. Grosjean, R. Franois

SciViews-K and Komodo Edit, a new platform-independent GUI/IDE for R Ph. Grosjean, R. Franois & K. Barton Acadmie Universitaire Universit de Mons Wallonie-Bruxelles What is SciViews? SciViews was one of the first GUI for R (back to

204 views • 8 slides
Independent specialist platform provider Relaunching for growth. A WORLD OF visit INVESTMENTS

Independent specialist platform provider Relaunching for growth. A WORLD OF visit INVESTMENTS

Independent specialist platform provider Relaunching for growth. A WORLD OF visit INVESTMENTS xplorewealth.com.au Name change subject to Managed Accounts Holdings shareholder approval at an EGM on 12 April 2019. 1 Disclaimer Summary

698 views • 24 slides
Format for 2013 Report 300+ word e-book Fully Interactive pdf Platform independent

Format for 2013 Report 300+ word e-book Fully Interactive pdf Platform independent

Format for 2013 Report 300+ word e-book Fully Interactive pdf Platform independent More like a magazine style than a straight e-book sort of idea Multiple links within the document 50-page printed synthesis report 2 pages

443 views • 6 slides
Platform-Independent Debugging of Physical Interaction and Signal Flow Models Mehdi Dadfarnia 1

Platform-Independent Debugging of Physical Interaction and Signal Flow Models Mehdi Dadfarnia 1

Intro Background Debugging Methods Conclusions & Future Work References & Backup Slides Platform-Independent Debugging of Physical Interaction and Signal Flow Models Mehdi Dadfarnia 1 Raphael Barbau 2 1 National Institute of Standards

590 views • 40 slides
bigmemory : bigger, better, and platform independent John W. Emerson Jay Associate

bigmemory : bigger, better, and platform independent John W. Emerson Jay Associate

UseR! 2009 bigmemory : bigger, better, and platform independent John W. Emerson Jay Associate Professor Department of Statistics Yale University john.emerson@yale.edu http://www.stat.yale.edu/~jay/ Collaborator: Michael J Kane Yale

601 views • 35 slides
Independent specialist platform provider A WORLD OF visit INVESTMENTS xplorewealth.com.au 1

Independent specialist platform provider A WORLD OF visit INVESTMENTS xplorewealth.com.au 1

Independent specialist platform provider A WORLD OF visit INVESTMENTS xplorewealth.com.au 1 Disclaimer Summary information This presentation contains summary information about Xplore Wealth Limited (Company) (ASX: XPL) and its activities as

338 views • 10 slides
A Platform-Independent Tool for Modeling Parallel Programs ACM Southeast 2011 Kennesaw State

A Platform-Independent Tool for Modeling Parallel Programs ACM Southeast 2011 Kennesaw State

A Platform-Independent Tool for Modeling Parallel Programs ACM Southeast 2011 Kennesaw State University March 2011 Ferosh Jacob, Jeff Gray, Yu Sun, Purushotham Bangalore Department of Computer Science University of Alabama

169 views • 15 slides
Static and dynamic verification Static and dynamic V&V Software inspections Concerned

Static and dynamic verification Static and dynamic V&V Software inspections Concerned

1 2 Static and dynamic verification Static and dynamic V&V Software inspections Concerned with analysis of the static system Static representation to discover problems (static verification verification) May be supplement by

107 views • 6 slides
Computing - Java Intro to CSC116 Course Information Introductions Website

Computing - Java Intro to CSC116 Course Information Introductions Website

CSC116: Introduction to Computing - Java Intro to CSC116 Course Information Introductions Website Syllabus Schedule Computing Environment AFS (Andrew File System) Linux/Unix Commands Helpful Tricks

799 views • 50 slides
FEC-Based File Transfer in Communication Networks John N. Daigle and Nail Akar

FEC-Based File Transfer in Communication Networks John N. Daigle and Nail Akar

Introduction Luby transform FEC Luby transform performance Luby transform-based file transfer Raptor code-based file transfer Conclusions FEC-Based File Transfer in Communication Networks John N. Daigle and Nail Akar wcdaigler@olemiss.edu,

944 views • 19 slides
Internet Security [1] VU 184.216 Engin Kirda engin@infosys.tuwien.ac.at Christopher Kruegel

Internet Security [1] VU 184.216 Engin Kirda engin@infosys.tuwien.ac.at Christopher Kruegel

Internet Security [1] VU 184.216 Engin Kirda engin@infosys.tuwien.ac.at Christopher Kruegel chris@auto.tuwien.ac.at Administration Challenge 2 deadline is tomorrow 177 correct solutions Challenge 4 will be issued next

617 views • 34 slides
Midterm 2 Review Chapters 4-16 LC-3 ISA You will be allowed to use the one page summary. 8-2

Midterm 2 Review Chapters 4-16 LC-3 ISA You will be allowed to use the one page summary. 8-2

Midterm 2 Review Chapters 4-16 LC-3 ISA You will be allowed to use the one page summary. 8-2 LC-3 Overview: Instruction Set Opcodes 15 opcodes Operate instructions: ADD, AND, NOT Data movement instructions: LD, LDI, LDR, LEA, ST,

999 views • 55 slides
LECTURE 2 Review 1 Binary Math and Assembly BINARY MATH In this section, we review Binary

LECTURE 2 Review 1 Binary Math and Assembly BINARY MATH In this section, we review Binary

LECTURE 2 Review 1 Binary Math and Assembly BINARY MATH In this section, we review Binary to decimal conversions and vice versa IEEE 754 Floating point representations Binary Arithmetic Decimal representation of binary numbers

1.66k views • 118 slides
EXPLANATION 1. At 6:30 in the morning on December 12th, start the job. 2. At noon tomorrow start

EXPLANATION 1. At 6:30 in the morning on December 12th, start the job. 2. At noon tomorrow start

atat, batchexecute commands at a later time at [csm] [f script] [qqueue] time [date] [+ increment] at l [ job...] at r job... batch at and batch read commands from standard input to be executed at a later time. at allows you

1.37k views • 114 slides
Data Representation 15-110 Friday 09/04 Learning Objectives Understand how different

Data Representation 15-110 Friday 09/04 Learning Objectives Understand how different

Data Representation 15-110 Friday 09/04 Learning Objectives Understand how different number systems can represent the same information Translate binary numbers to decimal, and vice versa Interpret binary numbers as abstracted

670 views • 40 slides
Whats new in HTCondor? Whats coming? Todd Tannenbaum Center for High Throughput Computing

Whats new in HTCondor? Whats coming? Todd Tannenbaum Center for High Throughput Computing

Whats new in HTCondor? Whats coming? Todd Tannenbaum Center for High Throughput Computing Department of Computer Sciences University of Wisconsin-Madison (and HTCondor Week 2020!) 2 Release Series Stable Series ( bug fixes only )

670 views • 39 slides

More recommend