simuvex
play

SimuVEX Using VEX in Symbolic Analysis Yan Shoshitaishvili - PowerPoint PPT Presentation

Mar 27, 2023 •544 likes •918 views

SimuVEX Using VEX in Symbolic Analysis Yan Shoshitaishvili yans@cs.ucsb.edu 2014 Who am I? My name is Yan Shoshitaishvili, and I am a PhD student in the Seclab at UC Santa Barbara. Email: yans@cs.ucsb.edu Twitter: @Zardus Github:

  1. SimuVEX Using VEX in Symbolic Analysis Yan Shoshitaishvili yans@cs.ucsb.edu 2014

  2. Who am I? My name is Yan Shoshitaishvili, and I am a PhD student in the Seclab at UC Santa Barbara. Email: yans@cs.ucsb.edu Twitter: @Zardus Github: http://github.com/zardus Blog: http://blog.yancomm.net This work is a collaboration between the UCSB Seclab and the Northeastern Seclab!

  3. Don't Panic! This presentation does have a design! 1. Who (are we)? 2. What (is Symbolic Analysis)? 3. Why (did we choose VEX)? 4. How (do we do it)? 5. Where (does all of this get us)? 6. When (will it be released)?

  4. Why Symbolic Analysis? "How do I trigger path X or condition Y?" ❏ Dynamic analysis ❏ Input A? No. Input B? No. Input C? … ❏ Based on concrete inputs to application. ❏ (Concrete) static analysis ❏ "You can't"/"You might be able to" ❏ Based on various static techniques. We need something slightly different.

  5. What is Symbolic Analysis? "How do I trigger path X or condition Y?" 1. Interpret the application. 2. Track "constraints" on variables. 3. When the required condition is triggered, "concretize" to obtain a possible input.

  6. "Concretize"? Constraints Concretize x = 42 x >= 10 x < 100 Constraint solving: ❏ Conversion from set of constraints to set of concrete values that satisfy them. ❏ NP-complete, in general.

  7. Symbolic Execution Example x = int(input()) if x >= 10: if x < 100: print "Two!" else: print "Lots!" else: print "One!"

  8. Symbolic Execution Example State A x = int(input()) if x >= 10: Variables x = ??? if x < 100: print "Two!" Constraints else: ------ print "Lots!" else: print "One!"

  9. Symbolic Execution Example State A x = int(input()) if x >= 10: Variables x = ??? if x < 100: print "Two!" Constraints else: ------ print "Lots!" else: State AB State AA print "One!" Variables Variables x = ??? x = ??? Constraints Constraints x >= 10 x < 10

  10. Symbolic Execution Example State AA State AB x = int(input()) if x >= 10: Variables Variables x = ??? x = ??? if x < 100: print "Two!" Constraints Constraints else: x < 10 x >= 10 print "Lots!" else: print "One!"

  11. Symbolic Execution Example State AA State AB x = int(input()) if x >= 10: Variables Variables x = ??? x = ??? if x < 100: print "Two!" Constraints Constraints else: x < 10 x >= 10 print "Lots!" else: State ABA State ABB print "One!" Variables Variables x = ??? x = ??? Constraints Constraints x >= 10 x >= 10 x < 100 x >= 100

  12. Concretization Time! x = int(input()) State ABA if x >= 10: Variables if x < 100: x = ??? print "Two!" Constraints else: x >= 10 print "Lots!" x < 100 else: print "One!" Concretized ABA Variables x = 99

  13. Symbolic Analysis Is Useful Lots of uses: ❏ Reasoning about reachability ❏ Bughunting ❏ Test-case generation

  14. Symbolic Analysis Is Hard Two main challenges unique to symbolic analysis: 1. Constraint Solving a. NP-complete, in general b. "not our field" 2. State Explosion a. All outcomes of a piece of code must be considered. b. Loops!

  15. Reinventing the Wheel Existing systems: 1. Source level: EXE, CUTE, KLEE , AEG 2. Binary level: Mayhem, Fuzzball, Avalanche 3. System level: S2E Hard to find a balance of flexibility, usability, and support.

  16. Stand on the Shoulders of Giants Balance between fine-grained control and existing tool/idea reuse: Concepts: related work Binary translation: VEX Constraint solving: Z3

  17. Why Z3? "Shared-source" constraint solver from Microsoft Research. ❏ Actively developed ❏ Powerful and flexible ❏ Python bindings! ❏ Not too hard to switch away from!

  18. VEX Crash Course VEX is Valgrind's intermediate language, allowing Valgrind's tools to be implemented once for cross-platform analyses. VEX IR t0 = GET:I64(48) Assembly Binary t1 = LDle:I64(t0) t2 = Add64(t0,0x8:I64) Assembler VEX "ret" 0xc3 PUT(48) = t2 PUT(184) = t1 t4 = GET:I64(184) PUT(184) = t4

  19. Code VEXonomy IRSB (superblock) IRExpr IRStmt IRExpr VEX translates instructions to IRStmt IRExpr IRExprs, IRStmts, IRSBs. IRExpr IRStmt IRExpr IRExpr IRStmt IRExpr ❏ IRExprs provide the values ❏ IRStmts "describe" state changes ❏ IRSBs maintain structure/order Creates a reproducible, side-effects-free representation.

  20. Step-by-step VEXample t0 = GET:I32(8) t1 = Sub(t0, 1) 0x8000: dec eax VEX PUT(8) = t1 PUT(68) = 0x8001 IRStmt: set t0 to... IRExpr: value of eax IRStmt: set t1 to... IRExpr: t0 - 1 IRStmt: put into eax... IRExpr: t1 IRStmt: put into eip... IRExpr: addr of next instruction

  21. Step-by-step VEXample (2) t2 = Z_FLAG() t2 Exit 0x9000 if 0x8001: jz 0x9000 VEX PUT(68) = 0x8003 IRStmt: set t0 to... IRExpr: value of eax IRStmt: exit to 0x9000 if... IRExpr: t0 IRStmt: put into eip... IRExpr: addr of next instruction

  22. VEXamorphosis SimuVEX creates a symbolic interpretation layer over VEX: IRSB (superblock) SimIRSB IRExpr IRExpr IRStmt IRExpr SimIRStmt SimIRExpr IRStmt IRExpr SimIRStmt SimIRExpr IRExpr IRExpr IRStmt IRExpr SimIRStmt IRExpr IRExpr SimIRExpr IRStmt IRExpr SimIRStmt SimIRExpr

  23. VEXterpretation ❏ SimIRExprs represent symbolic values. ❏ SimIRStmts modify a symbolic state. What's a symbolic state? SimState symbolic memory ❏ ❏ symbolic registers constraints ❏ ❏ plugins (symbolic) 'kernel' ❏ state for userspace binaries

  24. VEXterpretation Example t0 = GET:I32(8) State A State H State G State F State E State D State C State B State G1 A B Variables Variables Variables Variables Variables Variables Variables Variables Variables t1 = Sub(t0, 1) C eax_0 eax_0 eax_0 eax_0 eax_0 eax_0 eax_0 eax_0 eax_0 PUT(8) = t1 D Temps Temps Temps Temps Temps Temps Temps Temps Temps t0 = eax_0 t0 = eax_0 t0 = eax_0 t0 = eax_0 t0 = eax_0 t0 = eax_0 t0 = eax_0 ---- t0 = eax_0 PUT(68) = 0x8001 E t1 = eax_0 - 1 t1 = eax_0 - 1 t1 = eax_0 - 1 t1 = eax_0 - 1 t1 = eax_0 - 1 t1 = eax_0 - 1 t1 = eax_0 - 1 Registers Registers t2 = eax_0-1 == 0 t2 = eax_0-1 == 0 t2 = eax_0-1 == 0 t2 = eax_0-1 == 0 t2 = Z_FLAG() Registers Registers Registers F eax = eax_0 eax = eax_0 Registers Registers Registers Registers eax = eax_0 - 1 eip = 0x8000 eip = 0x8000 eax = eax_0 eax = eax_0 - 1 t2 Exit 0x9000 if G eax = eax_0 - 1 eax = eax_0 - 1 eip = 0x8000 eax = eax_0 - 1 eip = 0x8000 eip = 0x8001 eax = eax_0 - 1 Constraints Constraints eip = 0x8001 eip = 0x8001 eip = 0x9000 eip = 0x8003 Constraints Constraints Constraints PUT(68) = 0x8003 --- --- H Constraints Constraints Constraints Constraints --- --- --- eax_0 - 1 != 0 --- eax_0 - 1 == 0 eax_0 - 1 != 0

  25. Symbolic Interpretation (IRStmt) Every SimIRStmt takes a state, makes changes to memory, registers, and constraints, and outputs a set of states. New SimState symbolic memory ❏ ❏ symbolic registers Initial SimState constraints ❏ … etc symbolic memory ❏ ❏ symbolic registers constraints SimIRStmt ❏ ❏ plugins New SimState (symbolic) 'kernel' ❏ state for userspace symbolic memory ❏ binaries ❏ symbolic registers constraints ❏ … etc

  26. Symbolic Interpretation (IRSB) These statements are aggregated in SimIRSBs. New SimState symbolic memory ❏ ❏ symbolic registers Initial SimState constraints ❏ SimIRSB … etc symbolic memory ❏ ❏ symbolic registers constraints ❏ SimIRStmt ❏ plugins New SimState (symbolic) 'kernel' ❏ state for userspace SimIRStmt symbolic memory ❏ binaries ❏ symbolic registers constraints ❏ … etc

  27. Complications... The naive approach has some issues. void *memcpy(void *dst, void *src, int n) { for (int i = 0; i < n; i++) dst[i] = src[i]; return dst; } What happens with a symbolic "n"?

  28. Complications... for (int i = 0; i < n; i++) {...} State A+ State B+ State C+ Variables Variables Variables i = 0 i = 0 i = 0 n = ? n = ? n = ? State Initial Constraints Constraints Constraints Variables n > 0 n > 1 n > 2 --- State A- State B- State C- Constraints Variables Variables Variables --- i = 0 i = 0 i = 0 n = ? n = ? n = ? Constraints Constraints Constraints n <= 0 n <= 1 n <= 2

  29. Symbolic Summaries Solution: replace it with a manually written "symbolic summary". Pro: intelligently reason about conditions Pro: increased analysis speed Con: manual implementation Also used to abstract away system calls.

  30. Useful Abstractions To support symbolic summaries, we abstract anything that takes an input state and produces output states as a "SimRun". New SimState symbolic memory ❏ ❏ symbolic registers Initial SimState constraints ❏ … etc symbolic memory ❏ ❏ symbolic registers SimRun constraints ❏ ❏ plugins New SimState (symbolic) 'kernel' ❏ state for userspace symbolic memory ❏ binaries ❏ symbolic registers constraints ❏ … etc

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Automatic Testing of Symbolic Execution Engines via Program Generation and Differential Testing

Automatic Testing of Symbolic Execution Engines via Program Generation and Differential Testing

Automatic Testing of Symbolic Execution Engines via Program Generation and Differential Testing Timotej Kapus, Cristian Cadar Department of Computing Imperial College London if (x &gt; 2294967295) { assert(false); } printf(&quot;x:

1.08k views • 45 slides
Thermodynamic Geometry of Yang-Mills Gauge Theory Bhupendra Nath Tiwari University of Information

Thermodynamic Geometry of Yang-Mills Gauge Theory Bhupendra Nath Tiwari University of Information

Thermodynamic Geometry of Yang-Mills Gauge Theory Bhupendra Nath Tiwari University of Information Science and Technology, St. Paul the Apostle, Partizanska Str. bb 6000 Ohrid, Republic of Macedonia a INFN-Laboratori Nazionali di Frascati,

920 views • 44 slides
Recent Developments in The Black Hole Microstate Geometry Program Masaki Shigemori Strings and

Recent Developments in The Black Hole Microstate Geometry Program Masaki Shigemori Strings and

Recent Developments in The Black Hole Microstate Geometry Program Masaki Shigemori Strings and Fields YITP, Kyoto U August 2017 Based on 1607.03908, 170x.xxxxx with I. Bena, S. Giusto, E. Martinec, R. Russo, D. Turton, N. P. Warner

537 views • 21 slides
A Potential Astrophysical Test of Quantum Gravity Ue-Li Pen CITA November 12, 2013 U. Pen A

A Potential Astrophysical Test of Quantum Gravity Ue-Li Pen CITA November 12, 2013 U. Pen A

Introduction Pulsar-Black Hole Binaries Lensing Summary A Potential Astrophysical Test of Quantum Gravity Ue-Li Pen CITA November 12, 2013 U. Pen A Potential Astrophysical Test of Quantum Gravity Introduction Pulsar-Black Hole Binaries

488 views • 14 slides
Doing the unexpected with binary black holes ICERM Brown University Steve Liebling Work

Doing the unexpected with binary black holes ICERM Brown University Steve Liebling Work

Motivation Charged BBH Einstein-Maxwell-Dilaton BBH w/QG BBH w/axions mPBHs Doing the unexpected with binary black holes ICERM Brown University Steve Liebling Work mentioned here with: John Estes (SUNY Westbury) Eric Hirschmann (BYU)

290 views • 27 slides
Running a Stress (ish) -Free Company Thanks for joining todays talk and Ill be explaining

Running a Stress (ish) -Free Company Thanks for joining todays talk and Ill be explaining

Running a Stress (ish) -Free Company Thanks for joining todays talk and Ill be explaining how you can run a stress(ish) free company - yes, such a thing is possible! Me: Owen Lansbury Co-Founder - PreviousNext Sydney, Australia

875 views • 46 slides
The bright side of black holes Vtor Cardoso [Tcnico &amp; CERN] Fundamental questions a.

The bright side of black holes Vtor Cardoso [Tcnico &amp; CERN] Fundamental questions a.

The bright side of black holes Vtor Cardoso [Tcnico &amp; CERN] Fundamental questions a. BH seeds, BH demography, galaxy co-evolution (how many, where, how?) Barack+ arXiv:1806.05195 b. What is graviton mass or speed? See review Barack+

513 views • 33 slides
Resolving the Structure of Black Holes IHES September 19, 2013 Recent work with: Iosif Bena,

Resolving the Structure of Black Holes IHES September 19, 2013 Recent work with: Iosif Bena,

Resolving the Structure of Black Holes IHES September 19, 2013 Recent work with: Iosif Bena, Gary Gibbons Based on Collaborations with: N. Bobev, G. DallAgata, J. de Boer, S. Giusto, Ben Niehoff, M. Shigemori, A. Puhm, C. Ruef, O.

809 views • 32 slides
5. Using language signs on suitable contexts 5.1 Bhlers organon model 5.1.1 Theory of

5. Using language signs on suitable contexts 5.1 Bhlers organon model 5.1.1 Theory of

FoCL, Chapter 5: Using language signs on suitable contexts 69 5. Using language signs on suitable contexts 5.1 Bhlers organon model 5.1.1 Theory of pragmatics Analyzes the general principles of purposeful action. Describes how a cognitive

332 views • 15 slides
(Supersymmetric) Godel Space from Wrapped M2 Branes Bert Vercnocke, ITF, K.U.Leuven in

(Supersymmetric) Godel Space from Wrapped M2 Branes Bert Vercnocke, ITF, K.U.Leuven in

(Supersymmetric) Godel Space from Wrapped M2 Branes Bert Vercnocke, ITF, K.U.Leuven in collaboration with: Tommy Levi (NYU) Joris Raeymaekers (FZU Prague) Dieter Van den Bleeken (Rutgers U.) Walter Van Herck (K.U.Leuven)

681 views • 33 slides
Towards Field Theory of D-Branes Tamiaki Yoneya (University of Tokyo, Komaba) Motivations:

Towards Field Theory of D-Branes Tamiaki Yoneya (University of Tokyo, Komaba) Motivations:

Towards Field Theory of D-Branes Tamiaki Yoneya (University of Tokyo, Komaba) Motivations: D-brane field theory ? Free-fermion representation of single-charge 1/2-BPS operators: Puzzles and resolution A Toy Theory: D3-brane field

712 views • 32 slides
On the Analysis of the Internet from a Geographic and Economic Perspective via BGP Raw Data

On the Analysis of the Internet from a Geographic and Economic Perspective via BGP Raw Data

On the Analysis of the Internet from a Geographic and Economic Perspective via BGP Raw Data Alessandro Improta Advisors: Prof. Luciano Lenzini Prof. Gigliola Vaglini Ing. Enrico Gregori Pisa - May 24th, 2013 Alessandro Improta On the

336 views • 32 slides
Symbolic Execution of Linux binaries About Symbolic Execution Dynamically explore all

Symbolic Execution of Linux binaries About Symbolic Execution Dynamically explore all

A tool for the Symbolic Execution of Linux binaries About Symbolic Execution Dynamically explore all program branches. Inputs are considered symbolic variables. Symbols remain uninstantiated and become constrained at execution

451 views • 24 slides
Formally Verified Differential Dynamic Logic (in Isabelle/HOL and Coq) Brandon Bohrer ,

Formally Verified Differential Dynamic Logic (in Isabelle/HOL and Coq) Brandon Bohrer ,

Formally Verified Differential Dynamic Logic (in Isabelle/HOL and Coq) Brandon Bohrer , Vincent Rahli, Ivana Vukotic, Marcus Vlp, Andr Platzer Thanks to: Johannes Hlzl, Fabian Immler, Tobias Nipkow, et. al. + Coquelicot team

540 views • 38 slides
Visib isible Dep e Depen ende dent nt Quan uantifjcati tifjcation on (V (VDQ) Q) Ryan

Visib isible Dep e Depen ende dent nt Quan uantifjcati tifjcation on (V (VDQ) Q) Ryan

Visib isible Dep e Depen ende dent nt Quan uantifjcati tifjcation on (V (VDQ) Q) Ryan Scott PL Wonks March 8, 2019 Code t Code time! me! The VDQ p he VDQ pat atch ch --- a/compiler/parser/Parser.y +++

547 views • 27 slides
Computer Graphics III Monte Carlo integration Direct illumination Jaroslav Kivnek, MFF

Computer Graphics III Monte Carlo integration Direct illumination Jaroslav Kivnek, MFF

Computer Graphics III Monte Carlo integration Direct illumination Jaroslav Kivnek, MFF UK Jaroslav.Krivanek@mff.cuni.cz Entire the lecture in 5 slides in out Reflection equation Total reflected radiance: integrate

1.12k views • 62 slides
b d q d + + q kd kd kq kq f f a c (a) (b) - d d + q + - -

b d q d + + q kd kd kq kq f f a c (a) (b) - d d + q + - -

b d q d + + q kd kd kq kq f f a c (a) (b) - d d + q + - - kq - kd Vs + ( r) E - + f Ep + q a t (ref) 1 ref Is (b) (a) Three-phase machine Two-phase

527 views • 16 slides
Tensor optimized antisymmetrized molecular dynamics (TOAMD) for relativistic nuclear matter

Tensor optimized antisymmetrized molecular dynamics (TOAMD) for relativistic nuclear matter

Tensor optimized antisymmetrized molecular dynamics (TOAMD) for relativistic nuclear matter Hiroshi Toki RCNP/Osaka with Takayuki MyoOsaka IT Kiyomi IkedaRIKEN Hisashi HoriuchiRCNP/Osaka Tadahiro SuharaMatsue TC

297 views • 17 slides
V.2.6 Appraisal and Produc/on Geoscience: The Earth and its

V.2.6 Appraisal and Produc/on Geoscience: The Earth and its

V.2.6 Appraisal and Produc/on Geoscience: The Earth and its resources Prof. Dr. G. Berto, A promising prospect? producing source rock reservoir trap

479 views • 15 slides
from images and video Ivan Laptev ivan.laptev@inria.fr WILLOW, INRIA/ENS/CNRS, Paris Joint work

from images and video Ivan Laptev ivan.laptev@inria.fr WILLOW, INRIA/ENS/CNRS, Paris Joint work

See.4C Spatio-temporal Series Hackathon February 14, 2017 Weakly supervised learning from images and video Ivan Laptev ivan.laptev@inria.fr WILLOW, INRIA/ENS/CNRS, Paris Joint work with: Maxime Oquab Piotr Bojanowski Rmi Lajugie

1.23k views • 48 slides
Logics, automata, and behavioural properties of discrete event systems Andr Arnold MOVEP 2006

Logics, automata, and behavioural properties of discrete event systems Andr Arnold MOVEP 2006

1 Logics, automata, and behavioural properties of discrete event systems Andr Arnold MOVEP 2006 Bordeaux, june 2006 2 WHAT Definition of a (finite) discrete event system P Definition of a finite or infinite object Beh ( P ) representing

1.36k views • 110 slides
3D Descriptor Design and Learning for Robust Non-rigid Shape Matching Jianwei Guo NLPR,

3D Descriptor Design and Learning for Robust Non-rigid Shape Matching Jianwei Guo NLPR,

3D Descriptor Design and Learning for Robust Non-rigid Shape Matching Jianwei Guo NLPR, Institute of Automation, Chinese Academy of Sciences Sept.17, 2020 GAMES Webinar 1 Team--3D Visual Computing [ACM TOG (SIGGRAPH Asia) 2012]

611 views • 46 slides
July 23, 2016 STM 2016 Outline Background Additively homomorphic encryption Beacon

July 23, 2016 STM 2016 Outline Background Additively homomorphic encryption Beacon

July 23, 2016 STM 2016 Outline Background Additively homomorphic encryption Beacon search by Oblivious transfer Genome sequence search Overview of the proposed method Recursive oblivious transfer Burrows Wheeler

974 views • 70 slides
Mria Markoov Graph definition Degree, in, out degree, oriented graph.

Mria Markoov Graph definition Degree, in, out degree, oriented graph.

Mria Markoov Graph definition Degree, in, out degree, oriented graph. Complete, regular, bipartite graph. Graph representation, connectivity, adjacency. Isomorphism of graphs. Paths, cycles, trials. Random

735 views • 42 slides

More recommend