reassembleable disassembling
play

Reassembleable Disassembling Shuai Wang, Pei Wang, Dinghao Wu - PowerPoint PPT Presentation

Jul 08, 2023 •311 likes •512 views

Reassembleable Disassembling Shuai Wang, Pei Wang, Dinghao Wu Pennsylvania State University 24th USENIX Security Symposium, August 2015 1 / 14 Motivation Analysing and retrofitting COTS binaries with. . . software fault isolation control-flow

  1. Reassembleable Disassembling Shuai Wang, Pei Wang, Dinghao Wu Pennsylvania State University 24th USENIX Security Symposium, August 2015 1 / 14

  2. Motivation Analysing and retrofitting COTS binaries with. . . software fault isolation control-flow integrity symbolic taint analysis elimination of ROP gadgets 2 / 14

  3. Motivation Analysing and retrofitting COTS binaries with. . . software fault isolation control-flow integrity symbolic taint analysis elimination of ROP gadgets Binary rewriting comes with major drawbacks/limitations runtime overhead from patching due to control-flow transfers patching requires PIC if code is relocated instrumentation significantly increases binary size binary reuse only works for small binaries (coverage) 2 / 14

  4. Goal Produce reassembleable assembly code from stripped COTS binaries in a fully automated manner. Allows binary-based whole program transformations Requires relocatable assembly code → symbolization of immediate values Complementary to existing work 3 / 14

  5. Symbolization Given an immediate value in assembly code, is it a constant or a memory address? Reassembling transformed program changes binary layout Address changes invalidate memory references x86 No distinction between code and data Variable-length instruction encoding 4 / 14

  6. (Un)Relocatable Assembly Code mov 0xc0, %eax .text mov 0xc0, %eax assemble 0xa08 .data .long 0xa08 mov 0xc0, %eax 0xc0: ? unrelocatable 0xc0: 0xa08 .text mov Glob, %eax mov Glob, %eax binary assemble .data Glob: Glob: 0xa08 .long 0xa08 relocatable 5 / 14

  7. Types of Symbol References Code Section Data Section fun1: ptr: call fun2 .long table c2d c2c d2d fun2: table: mov ptr, %eax .long handler1 lea (%eax, %ebx, 4), %ecx .long handler2 call *%ecx handler1: ... d2c handler2: ... 6 / 14

  8. Symbolization of c2c and c2d References Valid memory references point into code or data section Assume all immediates to be references and filter out invalid ones 7 / 14

  9. Symbolization of d2c and d2d References Assumption 1 “ All symbol references stored in data sections are n-byte aligned, where n is 4 for 32-bit binaries and 8 for 64-bit binaries. ” → Consider only n-byte values which are n-byte aligned 8 / 14

  10. Symbolization of d2c and d2d References Assumption 1 “ All symbol references stored in data sections are n-byte aligned, where n is 4 for 32-bit binaries and 8 for 64-bit binaries. ” → Consider only n-byte values which are n-byte aligned Assumption 2 “ Users do not need to perform transformation on the original binary data. ” → Keep start addresses of data sections during reassembly and ignore d2d references 8 / 14

  11. Symbolization of d2c and d2d References Assumption 1 “ All symbol references stored in data sections are n-byte aligned, where n is 4 for 32-bit binaries and 8 for 64-bit binaries. ” → Consider only n-byte values which are n-byte aligned Assumption 2 “ Users do not need to perform transformation on the original binary data. ” → Keep start addresses of data sections during reassembly and ignore d2d references Assumption 3 “ d2c symbol references are only used as function pointers or jump table entries. ” → References need to point to start of a function or form a jump table 8 / 14

  12. Evaluation Uroboros : 13,209 SLOC in OCaml and Python; works with x86/x64 ELF binaries Intel Core i7-3770 @ 3.4GHz with 8GiB RAM running Ubuntu 12.04 122 programs compiled for 32- and 64-bit targets gcc 4.6.3 with default configuration and optimization of each program strip ped before testing Collection Size Content C OREUTILS 103 GNU Core Utilities R EAL 7 bc, ctags, gzip, mongoose, nweb, oftpd, thttpd S PEC 12 C programs in SPEC2006 9 / 14

  13. Architecture of Uroboros Data Disassembly Module Analysis Module Relocatable Linear Symbol Lifting Binary Assembly Meta-Data Disassembler External Control-Flow Disassembly Code Analyses & Structure Recovery Validator Transformations 10 / 14

  14. Architecture of Uroboros Data Disassembly Module Analysis Module Relocatable Linear Symbol Lifting Binary Assembly Meta-Data Disassembler External Control-Flow Disassembly Code Analyses & Structure Recovery Validator Transformations https://openclipart.org/detail/215030/ 10 / 14

  15. Correctness Test input shipped with programs or custom test of major functionality (some of REAL) Binaries Failing Functionality Tests Assumption Set 32-bit 64-bit {} h264ref, gcc, gobmk, hmmer perlbench, gcc, gobmk, hmmer, sjeng, h264ref, lbm, sphinx3 { A1 } h264ref, gcc, gobmk perlbench, gcc, gobmk { A1 , A2 } h264ref, gcc, gobmk perlbench, gcc, gobmk { A1 , A3 } gobmk gcc, gobmk { A1 , A2 , A3 } gobmk 11 / 14 2 8 Normalized Overhead (%) Normalized Overhead (%) 1.5 6 1 4 0.5 0 2 -0.5 0 -1 -2 -1.5 p b g m g h s l h m l s c g b n t m o i b [ base64 basename cat cksum comm cp csplit cut date tty uname unexpand uniq unlink uptime users vdir wc who b h e z c o m j e 2 p t z c w f c i m a t o t r i c b q 6 l h i t p l p f m n c g p e p n b m u 4 i d 2 g n s b a d g e e r x k e o n r n f 3 o c t u s h m e

  16. Symbolization Errors Table 4: Symbolization false positives of 32-bit S PEC , R EAL and C OREUTILS (Others have zero false positive) Assumption Set Benchmark # of Ref. {} { A1 } { A1 , A2 } { A1 , A3 } { A1 , A2 , A3 } FP FP Rate FP FP Rate FP FP Rate FP FP Rate FP FP Rate perlbench 76538 2 0.026‰ 0 0.000‰ 0 0.000‰ 0 0.000‰ 0 0.000‰ hmmer 13127 12 0.914‰ 0 0.000‰ 0 0.000‰ 0 0.000‰ 0 0.000‰ h264ref 20600 27 1.311‰ 1 0.049‰ 1 0.049‰ 0 0.000‰ 0 0.000‰ gcc 262698 49 0.187‰ 32 0.122‰ 32 0.122‰ 0 0.000‰ 0 0.000‰ gobmk 65244 1348 20.661‰ 985 15.097‰ 912 13.978‰ 78 1.196‰ 5 0.077‰ Table 5: Symbolization false negatives of 32-bit S PEC , R EAL and C OREUTILS (Others have zero false negative) 8 2 Assumption Set Normalized Overhead (%) Normalized Overhead (%) 1.5 Benchmark # of Ref. {} { A1 } { A1 , A2 } { A1 , A3 } { A1 , A2 , A3 } 6 1 FN FN Rate FN FN Rate FN FN Rate FN FN Rate FN FN Rate 4 perlbench 76538 2 0.026‰ 0 0.000‰ 0 0.000‰ 0 0.000‰ 0 0.000‰ 0.5 hmmer 13127 12 0.914‰ 0 0.000‰ 0 0.000‰ 0 0.000‰ 0 0.000‰ 0 2 h264ref 20600 27 1.311‰ 0 0.000‰ 0 0.000‰ 0 0.000‰ 0 0.000‰ -0.5 gcc 262698 11 0.042‰ 0 0.000‰ 0 0.000‰ 0 0.000‰ 0 0.000‰ 0 -1 gobmk 65244 86 1.318‰ 0 0.000‰ 0 0.000‰ 0 0.000‰ 0 0.000‰ -2 -1.5 p b g m g h s l h m l s c g b n t m o [ base64 basename cat cksum comm cp csplit cut date tty uname unexpand uniq unlink uptime users vdir wc who i b h e z c o m j b 2 p t z c w f e m a i c c q i l h i t o t r p b n 6 c p e t p l f m g p n b m u 4 i d 2 g n s b d g e e a r x 12 / 14 k n e o n r 3 f o c t u s h m e 40 2 Processing Time (Seconds) Processing Time (Seconds) 30 1.5 20 1 10 0.5 0 0 m b o n g c t b s l m s m p l h g h g [ base64 basename cat chcon chgrp chmod chown chroot cksum unexpand uniq unlink uptime users vdir wc who whoami yes h i b c f w z t z p b j e m c 2 o a e m o t t q c i p e i p t i p h n l c r c 6 b n g p f l m d i u b 4 m g b s d 2 n g a e e r o x k n e 3 n r o t f c s u h e m

  17. Overhead for REAL and SPEC 8 2 2 40 Processing Time (Seconds) Processing Time (Seconds) Normalized Overhead (%) Normalized Overhead (%) 1.5 6 30 1.5 1 4 0.5 20 1 0 2 -0.5 10 0.5 0 -1 -2 0 -1.5 0 m b o n g c t b s l m s m p l h g h g [ base64 basename cat chcon chgrp chmod chown chroot cksum unexpand uniq unlink uptime users vdir wc who whoami yes p b g m g h s l i h m l b s c g b n t m o [ base64 basename cat cksum comm cp csplit h cut date i tty uname unexpand uniq unlink b uptime users vdir wc who b h c f w z t z p b j e m c 2 o e z c o m j 2 p t z c w f o t a t c e i m c e i m a t o t i i h q l c r i c b q 6 l h i t p p e p g t p f n c r 6 b l p f m n c g p e p n n p u l m b m u 4 i d d i b 4 m 2 g n s b g b s d 2 n g a d g a e e r e e r x o x e k k n e o n n r n r 3 o 3 f o t f c t u c u s s h h m e e m No increase in binary size after first disassemble-assemble cycle 13 / 14

  18. Conclusion Heuristic-based symbolization of memory references Uroboros 1 provides reassembleable disassembly Assumes availability of raw disassembly and function starting addresses Tested with gcc and Clang compiled binaries Limited support for C++ (need to parse DWARF) 1 Available at https://github.com/s3team/uroboros 14 / 14

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

CSE 351 GDB Introduction Lab 2 Reading and understanding x86_64 assembly Debugging and

CSE 351 GDB Introduction Lab 2 Reading and understanding x86_64 assembly Debugging and

CSE 351 GDB Introduction Lab 2 Reading and understanding x86_64 assembly Debugging and disassembling programs Today: General debugging for C with GDB 2 scanf and sscanf() Lab 2 uses sscanf ( s tring scan f ormat), which parses

430 views • 16 slides
MIPS Assembly (Arithmetic, Branches) 2 Lab Schedule Activities Assignments Due This Week Lab

MIPS Assembly (Arithmetic, Branches) 2 Lab Schedule Activities Assignments Due This Week Lab

Computer Systems and Networks ECPE 170 Jeff Shafer University of the Pacific MIPS Assembly (Arithmetic, Branches) 2 Lab Schedule Activities Assignments Due This Week Lab 10 Due by Apr 11 th 5:00am Tuesday: MIPS lecture

726 views • 47 slides
Using Alloy in a Language Lab Approach to Introductory Discrete Mathematics Charles Wallace

Using Alloy in a Language Lab Approach to Introductory Discrete Mathematics Charles Wallace

Using Alloy in a Language Lab Approach to Introductory Discrete Mathematics Charles Wallace Michigan Technological University In collaboration with Laura Brown, Adam Feltz Supported by the National Science Foundation under grant DUE-1504860

368 views • 15 slides
Environment Setup Assignment 0 The Technology Stack Manages node_modules (external tools)

Environment Setup Assignment 0 The Technology Stack Manages node_modules (external tools)

Environment Setup Assignment 0 The Technology Stack Manages node_modules (external tools) Creates web server Stores data persistently with JSON logic. Utilizes NoSQL instead of SQL Facilitates HTTP requests and

350 views • 11 slides
W EB T ELEPHONY S ERVICES BASED ON F REESWITCH AND P LIVO MOOC on M4D 2013 Contents

W EB T ELEPHONY S ERVICES BASED ON F REESWITCH AND P LIVO MOOC on M4D 2013 Contents

W EB T ELEPHONY S ERVICES BASED ON F REESWITCH AND P LIVO MOOC on M4D 2013 Contents Introduction Architecture for Web Telephony Services Setting up the Web Telephony Server X2Y Call Blasting Service Content Delivery Service

399 views • 18 slides
Storing Data Thierry Sans Modern Web Platform Client Side Server Side Web API Database Why

Storing Data Thierry Sans Modern Web Platform Client Side Server Side Web API Database Why

Storing Data Thierry Sans Modern Web Platform Client Side Server Side Web API Database Why using a database Persistency Concurrency (avoid race conditions) Query Scalability SQL vs NoSQL databases Relational database (SQL

475 views • 10 slides
CISC 322 Software Architecture Lecture 13: Reflexion Models and Source Sticky Notes Emad

CISC 322 Software Architecture Lecture 13: Reflexion Models and Source Sticky Notes Emad

CISC 322 Software Architecture Lecture 13: Reflexion Models and Source Sticky Notes Emad Shihab Paper by: Ahmed E. Hassan and Richard C. Holt Slides adapted from Ahmed E. Hassan Midterm Group presentations Tuesday Team Phoenix

669 views • 29 slides
Continuous Database Evolution Prof. Dr. Uta Strl Darmstadt University of Applied Sciences

Continuous Database Evolution Prof. Dr. Uta Strl Darmstadt University of Applied Sciences

Continuous Database Evolution Prof. Dr. Uta Strl Darmstadt University of Applied Sciences Application version n Application version n + Schema Management Schema Management Schema Evolution Data Migration February 2019 Motivation

679 views • 31 slides
Peter Doschkinow ORACLE Deutschland B.V. & Co. KG The following is intended to outline our

Peter Doschkinow ORACLE Deutschland B.V. & Co. KG The following is intended to outline our

Avatar Erweiterung der Java EE Plattform fr JavaScript Fans Peter Doschkinow ORACLE Deutschland B.V. & Co. KG The following is intended to outline our general product direction. It is intended for information purposes only, and may not be

719 views • 42 slides
Node.js MVC Construction Rabbit.js MVC @ Rabbit.js a fast

Node.js MVC Construction Rabbit.js MVC @ Rabbit.js a fast

Node.js MVC Construction Rabbit.js MVC @ Rabbit.js a fast and light mvc framework for Nodejs https://github.com/xinyu198736/Rabbit.js sudo npm install rabbitjs -g FAST LIGHT why use it light

484 views • 19 slides
How to migrate da data from Mo Mong ngoDB B to Postgres with h ToroDB Wh Who we are Ex

How to migrate da data from Mo Mong ngoDB B to Postgres with h ToroDB Wh Who we are Ex

How to migrate da data from Mo Mong ngoDB B to Postgres with h ToroDB Wh Who we are Ex Exper perts At Your ur Ser ervice > Over 50 specialists in IT infrastructure > Certified, experienced, passionate Based In Switzerland Ba >

660 views • 39 slides
Scaling Log-Structured KV-Stores featuring Monkey and Dostoevsky SIGMOD17 / SIGMOD18 Niv Dayan

Scaling Log-Structured KV-Stores featuring Monkey and Dostoevsky SIGMOD17 / SIGMOD18 Niv Dayan

Scaling Log-Structured KV-Stores featuring Monkey and Dostoevsky SIGMOD17 / SIGMOD18 Niv Dayan Log-Structured KV-Stores Log-Structured KV-Stores Why Log-Structured KV-Stores? Why Log-Structured KV-Stores? fast writes Why Log-Structured

2.34k views • 198 slides
PERFORMANCE FAULT TOLERANCE AVAILABILITY FEATURE VELOCITY PERFORMANCE FAULT TOLERANCE

PERFORMANCE FAULT TOLERANCE AVAILABILITY FEATURE VELOCITY PERFORMANCE FAULT TOLERANCE

PERFORMANCE FAULT TOLERANCE AVAILABILITY FEATURE VELOCITY PERFORMANCE FAULT TOLERANCE AVAILABILITY SERVICE A SERVICE B SERVICE C SERVICE D SERVICE E SERVICE F SERVICE G SERVICE A SERVICE B SERVICE C SERVICE D SERVICE E SERVICE F

787 views • 50 slides
Macaques Capuchin monkeys Lemurs Lorises Bush babies Pointed muzzles with wet noses and

Macaques Capuchin monkeys Lemurs Lorises Bush babies Pointed muzzles with wet noses and

Humans Chimpanzees Gibbons Spider monkeys Macaques Capuchin monkeys Lemurs Lorises Bush babies Pointed muzzles with wet noses and long whiskers Often nocturnal Stronger senses of smell and hearing Toothcomb Toilet claw

313 views • 16 slides
Character Analysis: Monkey King Ryan C 4/8/2020 English 10 He wants to be god He is

Character Analysis: Monkey King Ryan C 4/8/2020 English 10 He wants to be god He is

Character Analysis: Monkey King Ryan C 4/8/2020 English 10 He wants to be god He is ambitious Character He is determined Background Include picture Internals Mental: stubborn Spiritual: superior to others Emotional:

572 views • 7 slides
Making Tweet Monkey by codefoster Who am I? codefoster codefoster.com || @codefoster ||

Making Tweet Monkey by codefoster Who am I? codefoster codefoster.com || @codefoster ||

Making Tweet Monkey by codefoster Who am I? codefoster codefoster.com || @codefoster || github.com/codefoster || upverter.com/codefoster jeremy.foster@microsoft.com 206-250-7637 278-21-8879

295 views • 15 slides
Or a good one? With Karen Main, Principal Note: todays presentation includes an interactive

Or a good one? With Karen Main, Principal Note: todays presentation includes an interactive

Are you a nice boss? Or a good one? With Karen Main, Principal Note: todays presentation includes an interactive component { PLEASE use your device! Practice question! Please take out your phone or device SMART DEVICE: Text

696 views • 38 slides
Neural Monkey Du san Vari s Institute of Formal and Applied Linguistics Faculty of

Neural Monkey Du san Vari s Institute of Formal and Applied Linguistics Faculty of

Neural Monkey Du san Vari s Institute of Formal and Applied Linguistics Faculty of Mathematics and Physics Charles University September 4, 2018 Neural Monkey Toolkit for training neural models for sequence-to-sequence tasks

257 views • 21 slides
Chapter 11 Planning Planning examples PDDL (Planning Domain Definition Language) Planning

Chapter 11 Planning Planning examples PDDL (Planning Domain Definition Language) Planning

Chapter 11 Planning Planning examples PDDL (Planning Domain Definition Language) Planning systems 1 Monkeys can plan Why shouldnt computers? The problem statement: A monkey is in a laboratory room containing a box, a knife and a bunch of

1.02k views • 69 slides
Neural Monkey Jind rich Helcl, Du san Vari s Institute of Formal and Applied Linguistics

Neural Monkey Jind rich Helcl, Du san Vari s Institute of Formal and Applied Linguistics

Neural Monkey Jind rich Helcl, Du san Vari s Institute of Formal and Applied Linguistics Faculty of Mathematics and Physics Charles University August 30, 2017 Outline Introduction General Architecture Configuration Files Getting

496 views • 11 slides
A Summar y of E duc ational Ac tivitie s NSF Pr oje c t Minjua n Wa ng (c o -PI ) T re vo

A Summar y of E duc ational Ac tivitie s NSF Pr oje c t Minjua n Wa ng (c o -PI ) T re vo

A Summar y of E duc ational Ac tivitie s NSF Pr oje c t Minjua n Wa ng (c o -PI ) T re vo re Humphre y (a ssista nt & c o nsulta nt) F o ur Wo rksho ps fo r Sa n Die g o T e a c he rs June 14-16, 2013 No v. 1-2, 2014

751 views • 30 slides
NP Completeness Prof. Dr. Debora Weber-Wulff Winter term 2006/07 Inefficiency and Intractability

NP Completeness Prof. Dr. Debora Weber-Wulff Winter term 2006/07 Inefficiency and Intractability

NP Completeness Prof. Dr. Debora Weber-Wulff Winter term 2006/07 Inefficiency and Intractability From the book: Algorithmics, the Spirit of Computing, David Harel. Addison-Wesley, 1992 Complexity Paradox? Complicated algorithms often

840 views • 36 slides
Edit distance smallest number of inserts/deletes to turn arg#1 into arg#2 dist :: Eq a =>

Edit distance smallest number of inserts/deletes to turn arg#1 into arg#2 dist :: Eq a =>

Edit distance smallest number of inserts/deletes to turn arg#1 into arg#2 dist :: Eq a => [a] -> [a] -> Int Main> dist abcd xaby 4 Main> dist monkey 6 Main> dist Haskell 7 Main> dist

348 views • 10 slides
No Game Natives Jesper Juul New York University Game Center Kids Students know all about games!

No Game Natives Jesper Juul New York University Game Center Kids Students know all about games!

No Game Natives Jesper Juul New York University Game Center Kids Students know all about games! 97% of 12-17 year olds play games! Digital Natives! So easy to teach! No. Game Natives Majority of students play digital games.

373 views • 18 slides

More recommend