program analysis
play

Program Analysis Attackers: need to analyze our program to modify - PowerPoint PPT Presentation

Mar 16, 2024 •784 likes •1.21k views

Program Analysis Attackers: need to analyze our program to modify it! Defenders: need to analyze our program to protect it! Two kinds of analyses: 1 static analysis tools collect information about a program by studying its code; 2 dynamic

  1. Program Analysis Attackers: need to analyze our program to modify it! Defenders: need to analyze our program to protect it! Two kinds of analyses: 1 static analysis tools collect information about a program by studying its code; 2 dynamic analysis tools collect information from executing the program. 1/22

  2. Static and Dynamic Analyses control-flow graphs: representation of functions. 2/22

  3. Static and Dynamic Analyses control-flow graphs: representation of functions. call graphs: representation of (possible) function calls. 2/22

  4. Static and Dynamic Analyses control-flow graphs: representation of functions. call graphs: representation of (possible) function calls. debugging: what path does the program take? 2/22

  5. Static and Dynamic Analyses control-flow graphs: representation of functions. call graphs: representation of (possible) function calls. debugging: what path does the program take? tracing: which functions/system calls get executed? 2/22

  6. Static and Dynamic Analyses control-flow graphs: representation of functions. call graphs: representation of (possible) function calls. debugging: what path does the program take? tracing: which functions/system calls get executed? profiling: what gets executed the most? 2/22

  7. Static and Dynamic Analyses control-flow graphs: representation of functions. call graphs: representation of (possible) function calls. debugging: what path does the program take? tracing: which functions/system calls get executed? profiling: what gets executed the most? disassembly: turn raw executables into assembly code. 2/22

  8. Static and Dynamic Analyses control-flow graphs: representation of functions. call graphs: representation of (possible) function calls. debugging: what path does the program take? tracing: which functions/system calls get executed? profiling: what gets executed the most? disassembly: turn raw executables into assembly code. decompilation: turn raw assembly code into source code. 2/22

  9. Outline Static Analysis 1 Control-flow analysis Reconstituting source 2 Disassembly Static Analysis 3/22

  10. Control-flow Graphs (CFGs) A way to represent functions. Nodes are called basic blocks. Each block consists of straight-line code ending (possibly) in a branch. An edge A → B : control could flow from A to B . Static Analysis 4/22

  11. ✞ ☎ int modexp ( int y , int x [ ] , int w, int n ) { ✞ ☎ int R , L ; ( 1) k=0 int k = 0; ( 2) s=1 s = 1; ( 3) ( k > = w) goto (12) int i f while ( k < w) { ( 4) i f ( x [ k ]!=1) goto ( 7) ( x [ k] == 1) ( 5) R=(s ∗ y)%n i f R = ( s ∗ y ) % n ; ( 6) goto ( 8) ( 7) R=s else R = s ; ( 8) s=R ∗ R%n s = R ∗ R % n ; ( 9) L=R L = R; (10) k++ k++; (11) goto ( 3) } (12) return L ✝ ✆ return L ; Static Analysis 5/22 }

  12. The resulting graph B 0 : (1) k=0 (2) s=1 B 1 : (3) if (k>=w)goto B 6 B 6 : B 2 : (12) return L (4) if (x[k]!=1) goto B 4 B 4 : B 3 : (7) R=s (5) R=(s*y) mod n (6) goto B 5 B 5 : (8) s=R*R mod n (9) L = R (10) k++ (11) goto B 1 Static Analysis 6/22

  13. BuildCFG( F ) : 1 Mark every instruction which can start a basic block as a leader : the first instruction is a leader; any target of a branch is a leader; the instruction following a conditional branch is a leader. 2 A basic block consists of the instructions from a leader up to, but not including, the next leader. 3 Add an edge A → B if A ends with a branch to B or can fall through to B . Static Analysis 7/22

  14. Interprocedural control flow Interprocedural analysis also considers flow of information between functions. Call graphs are a way to represent possible function calls. Each node represents a function. An edge A → B : A might call B . Static Analysis 8/22

  15. Building call-graphs ✞ ☎ void h ( ) ; f () { void h ( ) ; } void g () { f f ( ) ; } k void h ( ) { main g h f ( ) ; g ( ) ; } void k () {} Static Analysis 9/22

  16. Outline Static Analysis 1 Control-flow analysis Reconstituting source 2 Disassembly Reconstituting source 10/22

  17. Reconstituting source p.o p p.c p.s p’ as cc header ld header strip .data .data header .text .text .data symbols symbols .text relocation relocation trans Reconstituting source 11/22

  18. Attacking stripped binary code p’ hex p’’ editor header header .data .data .text .text dis p’.s p’.c p’’.c p’’ dcc edit cc Reconstituting source 12/22

  19. Why is disassembly hard? Variable length instruction sets — overlapping instructions. Reconstituting source 13/22

  20. Why is disassembly hard? Variable length instruction sets — overlapping instructions. Mixing data and code — misclassify data as instructions. Reconstituting source 13/22

  21. Why is disassembly hard? Variable length instruction sets — overlapping instructions. Mixing data and code — misclassify data as instructions. Indirect jumps — must assume that any location could be the start of an instruction! Reconstituting source 13/22

  22. Why is disassembly hard? Variable length instruction sets — overlapping instructions. Mixing data and code — misclassify data as instructions. Indirect jumps — must assume that any location could be the start of an instruction! Find the beginning of functions if all calls are indirect. Reconstituting source 13/22

  23. Why is disassembly hard? Variable length instruction sets — overlapping instructions. Mixing data and code — misclassify data as instructions. Indirect jumps — must assume that any location could be the start of an instruction! Find the beginning of functions if all calls are indirect. Finding the end of fuctions — if no dedicated return instruction. Reconstituting source 13/22

  24. Why is disassembly hard? Variable length instruction sets — overlapping instructions. Mixing data and code — misclassify data as instructions. Indirect jumps — must assume that any location could be the start of an instruction! Find the beginning of functions if all calls are indirect. Finding the end of fuctions — if no dedicated return instruction. Handwritten assembly code — won’t conform to the standard calling conventions. Reconstituting source 13/22

  25. Why is disassembly hard? Variable length instruction sets — overlapping instructions. Mixing data and code — misclassify data as instructions. Indirect jumps — must assume that any location could be the start of an instruction! Find the beginning of functions if all calls are indirect. Finding the end of fuctions — if no dedicated return instruction. Handwritten assembly code — won’t conform to the standard calling conventions. code compression — the code of two functions may overlap. Reconstituting source 13/22

  26. Why is disassembly hard? Variable length instruction sets — overlapping instructions. Mixing data and code — misclassify data as instructions. Indirect jumps — must assume that any location could be the start of an instruction! Find the beginning of functions if all calls are indirect. Finding the end of fuctions — if no dedicated return instruction. Handwritten assembly code — won’t conform to the standard calling conventions. code compression — the code of two functions may overlap. Self-modifying code. Reconstituting source 13/22

  27. Instruction set 1 opcode mnemonic operands semantics 0 function call to addr addr call 1 function call to address in reg reg calli 2 branch to pc + offset if flags for brg offset > are set 3 reg reg ← reg + 1 inc 4 offset branch to pc + offset bra 5 reg jump to address in reg jmpi 6 beginning of function prologue 7 return from function ret Instruction set for a small architecture. All operators and operands are one byte long. Instructions can be 1-3 bytes long. Reconstituting source 14/22

  28. Instruction set 2 opcode mnemonic operands semantics 8 reg 1 , ( reg 2 ) reg 1 ← [ reg 2 ] load 9 reg , imm reg ← imm loadi 10 reg , imm compare reg and imm and set cmpi flags 11 reg 1 ← reg 1 + reg 2 add reg 1 , reg 2 12 branch to pc + offset if flags for brge offset ≥ are set 13 offset branch to pc + offset if flags for breq = are set 14 ( reg 1 ) , reg 2 [ reg 1 ] ← reg 2 store Reconstituting source 15/22

  29. Disassembly — example ✞ ☎ 6 0 1 0 9 0 4 3 1 0 7 0 6 9 0 1 1 0 0 1 2 2 6 9 1 3 0 1 1 1 0 8 2 1 5 2 3 2 3 7 9 1 3 4 7 9 1 4 4 2 7 6 9 0 3 7 6 9 0 1 7 4 2 2 4 3 1 7 4 3 4 1 ✝ ✆ Next few slides show the results of different disassembly algorithms. Correctly disassembled regions are in pink. Reconstituting source 16/22

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Analysis and Optimizations Program Analysis P3 / 2006 Discovers properties of a program

Analysis and Optimizations Program Analysis P3 / 2006 Discovers properties of a program

Analysis and Optimizations Program Analysis P3 / 2006 Discovers properties of a program Optimizations Using Program Analysis Use analysis results to transform program for Optimization Goal: improve some aspect of program

232 views • 12 slides
Analysis and Optimizations Analysis and Optimizations Program Analysis Program Analysis

Analysis and Optimizations Analysis and Optimizations Program Analysis Program Analysis

Analysis and Optimizations Analysis and Optimizations Program Analysis Program Analysis Discovers properties of a program Optimizations Using Program Analysis Use analysis results to transform program Use analysis results

744 views • 17 slides
EDA045F: Program Analysis LECTURE 2: DATAFLOW ANALYSIS 1 Christoph Reichenbach In the last

EDA045F: Program Analysis LECTURE 2: DATAFLOW ANALYSIS 1 Christoph Reichenbach In the last

EDA045F: Program Analysis LECTURE 2: DATAFLOW ANALYSIS 1 Christoph Reichenbach In the last lecture. . . Uses of Program Analysis Static vs. Dynamic Program Analysis Soundness, Precision, Termination Abstraction and Simplification

4.44k views • 52 slides
Program analysis INF4140 - Models of concurrency Program Analysis, lecture 5 Hsten 2015 28.

Program analysis INF4140 - Models of concurrency Program Analysis, lecture 5 Hsten 2015 28.

Program analysis INF4140 - Models of concurrency Program Analysis, lecture 5 Hsten 2015 28. 9. 2016 2 / 43 Program correctness Is my program correct? Central question for this and the next lecture. Does a given program behave as intended?

880 views • 43 slides
Lexical analysis Lexical analysis Lexical analysis checks the correctness of program words and

Lexical analysis Lexical analysis Lexical analysis checks the correctness of program words and

Lexical analysis Lexical analysis Lexical analysis checks the correctness of program words and transforms a program to the stream of tokens: removes empty symbols and commentaries; identifies keywords, indentifiers and literal

400 views • 37 slides
Program Analysis in Software Development Summary of Papers Program Analysis Application Areas

Program Analysis in Software Development Summary of Papers Program Analysis Application Areas

Program Analysis in Software Development Summary of Papers Program Analysis Application Areas Compilation and Optimization LLVM: A Compilation Framework for Lifelong Program Analysis &amp; Transformation Obfuscation Generation and

1.64k views • 6 slides
Lecture 1: Introduction to Program Analysis 17-355/17-655/17-819: Program Analysis Claire Le

Lecture 1: Introduction to Program Analysis 17-355/17-655/17-819: Program Analysis Claire Le

Lecture 1: Introduction to Program Analysis 17-355/17-655/17-819: Program Analysis Claire Le Goues January 14, 2020 * Course materials developed with Jonathan Aldrich (c) 2020 C. Le Goues 1 Learning objectives Provide a high level

788 views • 50 slides
Information Flow and Program Analysis Program Analysis Markus Mller-Olm Westflische

Information Flow and Program Analysis Program Analysis Markus Mller-Olm Westflische

Information Flow and Program Analysis Program Analysis Markus Mller-Olm Westflische Wilhelms-Universitt Mnster, Germany IFIP WG 2.2 Meeting Singapore, September 13-16, 2016 Project Context Work in progress from a joint project with

762 views • 19 slides
Principles of Program Analysis An overview of approaches beyond loop analysis and optimizations

Principles of Program Analysis An overview of approaches beyond loop analysis and optimizations

Principles of Program Analysis An overview of approaches beyond loop analysis and optimizations cs6363 1 The Nature of static analysis --- approximation Static program analysis --- predict the dynamic behavior of programs without running

368 views • 19 slides
1 Programmers often use analysis tools to improve program quality. These are just tools to

1 Programmers often use analysis tools to improve program quality. These are just tools to

1 Programmers often use analysis tools to improve program quality. These are just tools to analyze, or carefully examine, some aspect of a program. We can categorize program analyses into two groups: Static analysis involves analyzing a program's

511 views • 35 slides
1 Analysis Information Where Do Facts Hold? How much information depends on the client

1 Analysis Information Where Do Facts Hold? How much information depends on the client

711? CS711 Advanced Programming Languages Topics in Program Analysis Radu Rugina Fall 2005 CS711 Overview 2 Program Analysis Static vs. Dynamic Static analysis: inspect programs at compile-time Static analysis: Work done at

282 views • 4 slides
Program Analysis 1 Summary Summary analysis of algorithms asymptotic analysis

Program Analysis 1 Summary Summary analysis of algorithms asymptotic analysis

csci 210: Data Structures Program Analysis 1 Summary Summary analysis of algorithms asymptotic analysis big-O big-Omega big-theta asymptotic notation commonly used functions discrete math

500 views • 33 slides
Be a Binary Rockst r An Introduction to Program Analysis with Binary Ninja Agenda

Be a Binary Rockst r An Introduction to Program Analysis with Binary Ninja Agenda

Be a Binary Rockst r An Introduction to Program Analysis with Binary Ninja Agenda Motivation Current State of Program Analysis Design Goals of Binja Program Analysis Building Tools 2 Motivation 3 Tooling - Concrete -&gt;

963 views • 77 slides
Nutrition Program Secondary 2014 DHS Analysis Reference: National Nutrition Program,

Nutrition Program Secondary 2014 DHS Analysis Reference: National Nutrition Program,

Nutrition Program Secondary 2014 DHS Analysis Reference: National Nutrition Program, Nutrition secondary analysis 2014 CDHS, UNICEF/IRD/MOH, Phnom Penh, Cambodia, January 2016 Team For the secondary analysis: IRD MOH Dr Frank Wieringa

826 views • 57 slides
Program Analysis discrete math refresher READING: Textbook chapter 2 (p. 13-26)

Program Analysis discrete math refresher READING: Textbook chapter 2 (p. 13-26)

Summary Summary analysis of algorithms asymptotic analysis big-O big-Omega csci 210: Data Structures big-theta asymptotic notation commonly used functions Program Analysis discrete math

112 views • 9 slides
EDA045F: Program Analysis LECTURE 8: DYNAMIC ANALYSIS 1 Christoph Reichenbach In the last

EDA045F: Program Analysis LECTURE 8: DYNAMIC ANALYSIS 1 Christoph Reichenbach In the last

EDA045F: Program Analysis LECTURE 8: DYNAMIC ANALYSIS 1 Christoph Reichenbach In the last lecture. . . More Points-to Analysis Memory Errors 2 / 44 Challenges to Static Analysis Static analysis is far from solved Very active

574 views • 42 slides
Managing KVM with CIM Kaitlin Rupert Linux Plumbers Conference 2009 Topics What is CIM

Managing KVM with CIM Kaitlin Rupert Linux Plumbers Conference 2009 Topics What is CIM

Managing KVM with CIM Kaitlin Rupert Linux Plumbers Conference 2009 Topics What is CIM CIM glossary What CIM provides for virtualization Managing KVM with libvirt-cim libvirt-cim versus libvirt Why CIM? Drawbacks of

436 views • 16 slides
CS406: Compilers Spring 2020 Week1: Overview, Structure of a compiler 1 Intro to Compilers

CS406: Compilers Spring 2020 Week1: Overview, Structure of a compiler 1 Intro to Compilers

CS406: Compilers Spring 2020 Week1: Overview, Structure of a compiler 1 Intro to Compilers Way to implement programming languages Programming languages are notations for specifying computations to machines Program Program Compiler

680 views • 45 slides
CR16 Architecture Part of a microcontroller family from National Semiconductor 16-bit

CR16 Architecture Part of a microcontroller family from National Semiconductor 16-bit

CS/EE 3710 National Semiconductor CR16 Compact RISC Processor Baseline ISA and Beyond CR16 Architecture Part of a microcontroller family from National Semiconductor 16-bit embedded RISC processor core Available in Synethesizeable

1.12k views • 13 slides
Large scale data processing pipelines at trivago: a use case 2016-11-15, Sevilla, Spain Clemens

Large scale data processing pipelines at trivago: a use case 2016-11-15, Sevilla, Spain Clemens

Large scale data processing pipelines at trivago: a use case 2016-11-15, Sevilla, Spain Clemens Valiente Clemens Valiente Senior Data Engineer trivago Dsseldorf Originally a mathematician Studied at Uni Erlangen At trivago for 5 years

583 views • 45 slides
Specialized Network Topologies for Efficient Communication in Computer Clusters Urban Bor

Specialized Network Topologies for Efficient Communication in Computer Clusters Urban Bor

Specialized Network Topologies for Efficient Communication in Computer Clusters Urban Bor stnik, Milan Hodo s cek, and Du sanka Jane zi c urban@cmm.ki.si National Institute of Chemistry Ljubljana, Slovenia Specialized

178 views • 14 slides
Health Enterprise Computing Long Term Care and Patient Identification Specialists

Health Enterprise Computing Long Term Care and Patient Identification Specialists

Integrated Delivery System... Integrated Delivery System... XXX Health System Health Enterprise Computing Long Term Care and Patient Identification Specialists 6.872/HST.950 Home Health Pharmacy Tertiary Care February 13, 2003 Peter

294 views • 14 slides
Analysis of path exclusions at the assembly level 7th Int'l Workshop on Worst-Case Execution

Analysis of path exclusions at the assembly level 7th Int'l Workshop on Worst-Case Execution

Analysis of path exclusions at the assembly level 7th Int'l Workshop on Worst-Case Execution Time (WCET) Analysis Ingmar Stein, Florian Martin ingmar@absint.com The Goal A Jump conditions B C are equivalent 10 100 D E F 200 110

411 views • 24 slides
COMP 633 - Parallel Computing Lecture 12 September 22, 2020 CC-NUMA (3) Synchronization

COMP 633 - Parallel Computing Lecture 12 September 22, 2020 CC-NUMA (3) Synchronization

COMP 633 - Parallel Computing Lecture 12 September 22, 2020 CC-NUMA (3) Synchronization Operations COMP 633 - Prins CC-NUMA (3) Synchronizing Operations Examples locks to gain exclusive access for manipulation of shared variables

609 views • 11 slides

More recommend