RevNIC ReverseEngineeringofBinaryDeviceDrivers - PowerPoint PPT Presentation

RevNIC Reverse
Engineering
of
Binary
Device
Drivers Vitaly
Chipounov
and
George
Candea School
of
Computer
&
Communica3on
Sciences jeudi, 15 avril 2010

Drivers:
Hard
to
Write
and
Hard
to
Port
 • Drivers
are
o@en
closed
source Por3ng
from
exis3ng
drivers
is
difficult • Devices
rarely
come
with
an
interface
specificaDon Hard
to
write
a
driver
from
scratch • SpecificaDons
are
o@en
incomplete
and
buggy Buggy
driver
implementa3on jeudi, 15 avril 2010

ExisDng
SoluDons • EmulaDng
source
OS
(VMs,
NDISwrapper...) Run‐3me
overhead,
hard
to
maintain • Making
drivers
from
specificaDons
(Termite) Requires
formal
specifica3ons • Manual
trace
analysis,
decompilaDon Tedious,
imprecise jeudi, 15 avril 2010

Windows Windows Linux KitOS μ C/OS II x86 PC FPGA Virtual Machines http://bplteensofwa.files.wordpress.com/2009/07/computer.jpg jeudi, 15 avril 2010

RevNIC
 Virtual
Machine Guest
OS Original
Binary
Driver Driver
Exerciser Hardware
 interac3on
traces RevNIC
Code
 NIC
Driver
 Synthesizer Template SyntheDc
Driver jeudi, 15 avril 2010

RevNIC
 Virtual
Machine Guest
OS Original
Binary
Driver Driver
Exerciser Hardware
 interac3on
traces RevNIC
Code
 NIC
Driver
 Synthesizer Template SyntheDc
Driver jeudi, 15 avril 2010

RevNIC
 Virtual
Machine Guest
OS Original
Binary
Driver Driver
Exerciser Hardware
 interac3on
traces RevNIC
Code
 NIC
Driver
 Synthesizer Template SyntheDc
Driver jeudi, 15 avril 2010

RevNIC
 Virtual
Machine Guest
OS Original
Binary
Driver Driver
Exerciser Hardware
 interac3on
traces RevNIC
Code
 NIC
Driver
 Synthesizer Template SyntheDc
Driver jeudi, 15 avril 2010

High
Coverage
Driver
Exerciser • Hand‐cra@ed
workload
is
not
enough jeudi, 15 avril 2010

int irq_handler(device_t *dev) { status = hw_read(STATUS_REG); if (status == RX){ pkt_size = hw_read(RX_SIZE_REG); if (pkt_size < 1514) { recv_packet(dev); }else { drop_packet(dev); } }else if (status == TX) { ... } } jeudi, 15 avril 2010

int irq_handler(device_t *dev) { status = hw_read(STATUS_REG); if (status == RX){ • Boundary
condiDons pkt_size = hw_read(RX_SIZE_REG); if (pkt_size < 1514) { recv_packet(dev); • Error
recovery
code }else { drop_packet(dev); } }else if (status == TX) { ... } } jeudi, 15 avril 2010

int irq_handler(device_t *dev) { status = hw_read(STATUS_REG); if (status == RX){ pkt_size = hw_read(RX_SIZE_REG); if (pkt_size < 1514) { recv_packet(dev); }else { drop_packet(dev); } }else if (status == TX) { ... } } jeudi, 15 avril 2010

int irq_handler(device_t *dev) { status = hw_read(STATUS_REG); if (status == RX){ pkt_size = hw_read(RX_SIZE_REG); if (pkt_size < 1514) { recv_packet(dev); }else { drop_packet(dev); } }else if (status == TX) { ... } } jeudi, 15 avril 2010

int irq_handler(device_t *dev) { status = hw_read(STATUS_REG); if (status == RX){ pkt_size = hw_read(RX_SIZE_REG); if (pkt_size < 1514) { status == RX recv_packet(dev); }else { T F drop_packet(dev); pkt_size < 1514 status == TX } }else if (status == TX) { ... ... ... drop receive packet packet } } jeudi, 15 avril 2010

int irq_handler(device_t *dev) { status = hw_read(STATUS_REG); if (status == RX){ pkt_size = hw_read(RX_SIZE_REG); if (pkt_size < 1514) { status == RX recv_packet(dev); }else { T F drop_packet(dev); pkt_size < 1514 status == TX } }else if (status == TX) { ... ... ... drop receive packet packet } } High
coverage
automated
driver
exerciser jeudi, 15 avril 2010

. . . Applications and e x p l o r e r . e x e libraries a d v a p i 3 2 . d l l . . . m s v c r t . d l l u s e r 3 2 . d l l . . . n t d l l . d l l Device Drivers Windows ndis.sys . . . Kernel rtl8139.sys jeudi, 15 avril 2010

Exercising
Windows
NIC
Drivers NICDRIVER.SYS IniDalize(...) QueryInformaDon(...) ... SendPacket(...) HandleInterrupt(...) Unload(...) jeudi, 15 avril 2010

Exercising
Windows
NIC
Drivers NICDRIVER.SYS IniDalize(...) QueryInformaDon(...) ... SendPacket(...) HandleInterrupt(...) Unload(...) jeudi, 15 avril 2010

Exercising
Windows
NIC
Drivers IniDalize(...) jeudi, 15 avril 2010

Exercising
Windows
NIC
Drivers IniDalize(...) ☹ ☹ ☺ ☹ ☹ ☹ ☺ jeudi, 15 avril 2010

Exercising
Windows
NIC
Drivers IniDalize(...) ☹ ☹ ☺ ☹ ☹ ☹ ☺ ☺ jeudi, 15 avril 2010

IniDalize(...) ☹ ☹ ☺ ☹ ☹ ☹ ☺ ☺ jeudi, 15 avril 2010

IniDalize(...) ☹ ☹ ☺ ☹ ☹ ☹ ☺ ☺ Send(...,
Packet,
...) jeudi, 15 avril 2010

IniDalize(...) ☹ ☹ ☺ ☹ ☹ ☹ 001a706650e3... ☺ ☺ Send(...,
Packet,
...) jeudi, 15 avril 2010

IniDalize(...) ☹ ☹ ☺ ☹ ☹ ☹ α β γ δ ε ϛ ... ☺ ☺ Send(...,
Packet,
...) ☹ ☹ ☺ ☹ ☹ ☹ ☺ jeudi, 15 avril 2010

☹ ☺ ☹ ☹ ☹ α β γ δ ε ϛ ... ☺ ☺ Send(...,
Packet,
...) ☹ ☹ ☹ ☹ ☺ jeudi, 15 avril 2010

☹ ☺ ☹ ☹ ☹ α β γ δ ε ϛ ... ☺ ☺ Send(...,
Packet,
...) Interrupt ☹ ☹ ☹ ☹ ☺ jeudi, 15 avril 2010

☹ ☺ ☹ ☹ ☹ α β γ δ ε ϛ ... ☺ ☺ Send(...,
Packet,
...) Interrupt ☹ ☹ ☹ ☹ ☺ HandleInterrupt(...) jeudi, 15 avril 2010

Send(...,
Packet,
...) Interrupt ☹ ☹ ☺ HandleInterrupt(...) jeudi, 15 avril 2010

Send(...,
Packet,
...) Interrupt ☹ ☹ ☺ HandleInterrupt(...) Unload(...) jeudi, 15 avril 2010

RevNIC
 Virtual
Machine Guest
OS Original
Binary
Driver Driver
Exerciser Hardware
 interac3on
traces RevNIC
Code
 NIC
Driver
 Synthesizer Template SyntheDc
Driver jeudi, 15 avril 2010

RevNIC
 Virtual
Machine Guest
OS Original
Binary
Driver Driver
Exerciser Hardware
 interac,on
traces RevNIC
Code
 NIC
Driver
 Synthesizer Template SyntheDc
Driver jeudi, 15 avril 2010

Hardware
InteracDon
Traces Virtual
Machine Guest
OS • ExecuDon
tree Original
Binary
Driver • Machine
instrucDons Driver
Exerciser • Memory
accesses • Register
values • (Memory‐Mapped)
I/O Trace
Files jeudi, 15 avril 2010

RevNIC
 Virtual
Machine Guest
OS Original
Binary
Driver Driver
Exerciser Hardware
 interac,on
traces RevNIC
Code
 NIC
Driver
 Synthesizer Template SyntheDc
Driver jeudi, 15 avril 2010

RevNIC
 Virtual
Machine Guest
OS Original
Binary
Driver Driver
Exerciser Hardware
 interac3on
traces RevNIC
Code
 NIC
Driver
 Synthesizer Template Traces ➔ 
 C code SyntheDc
Driver jeudi, 15 avril 2010

ExecuDon
Tree jeudi, 15 avril 2010

Sequences
of ExecuDon
Tree basic
blocks BB
1 BB
2 BB
3 BB
4 BB
5 BB
6 BB
7 Trace
#1 jeudi, 15 avril 2010

Sequences
of ExecuDon
Tree basic
blocks BB
1 BB
1 BB
2 BB
2 BB
3 BB
3 BB
4 BB
4 BB
5 BB
8 BB
6 BB
9 BB
7 BB
7 Trace
#1 Trace
#2 jeudi, 15 avril 2010

BB
1 BB
1 BB
2 BB
2 BB
3 BB
3 BB
4 BB
4 BB
5 BB
8 BB
6 BB
9 BB
7 BB
7 Trace
#1 Trace
#2 jeudi, 15 avril 2010

BB
1 BB
1 BB
1 BB
1 BB
2 BB
2 BB
2 BB
2 BB
3 BB
3 BB
3 BB
3 BB
4 BB
4 BB
4 BB
4 BB
5 BB
5 BB
8 BB
8 BB
6 BB
6 BB
9 BB
9 BB
7 BB
7 BB
7 BB
7 Trace
#1 Trace
#2 jeudi, 15 avril 2010

BB
1 BB
1 BB
1 BB
1 BB
2 BB
2 BB
2 BB
2 BB
3 BB
3 BB
3 BB
3 BB
4 BB
4 BB
4 BB
4 BB
5 BB
8 BB
5 BB
8 BB
6 BB
9 BB
7 BB
7 BB
6 BB
9 Trace
#1 Trace
#2 BB
7 BB
7 jeudi, 15 avril 2010

CFG BB
1 BB
1 BB
1 BB
1 BB
2 BB
2 BB
2 BB
2 BB
3 BB
3 BB
3 BB
3 BB
4 BB
4 BB
4 BB
4 BB
5 BB
8 BB
5 BB
8 BB
6 BB
9 BB
7 BB
7 BB
6 BB
9 Trace
#1 Trace
#2 BB
7 BB
7 jeudi, 15 avril 2010

CFG BB
1 BB
1 BB
2 BB
2 BB
3 BB
3 BB
4 BB
4 BB
5 BB
8 BB
6 BB
9 BB
7 BB
7 jeudi, 15 avril 2010

CFG uint32_t function_0001(...) { BB
1 BB
1 BB1: BB
2 BB
2 BB2: BB
3 BB
3 BB3: BB
4 BB
4 BB4: BB5: BB
5 BB
8 BB6: BB
6 BB
9 BB8: BB9: BB
7 BB
7 BB7: } jeudi, 15 avril 2010

CFG uint32_t function_0001(uint32_t param1, uint32_t param2) { /* ... */ BB
1 BB
1 BB1: BB
2 BB
2 goto BB2; BB2: BB
3 BB
3 v1 = read_port(param1); BB3: BB
4 BB
4 v2 = read_port(param2); BB4: if (v1 & 0x21) goto BB8; BB5: BB
5 BB
8 write_port(param2, 0x1234); BB6: goto BB7; BB
6 BB
9 BB8: write_port(param1, 0x4567); BB9: goto BB7; BB
7 BB
7 BB7: } jeudi, 15 avril 2010