sum total of isa sum total of isa knowledge knowledge
play

Sum Total of ISA Sum Total of ISA Knowledge Knowledge Analyzing - PowerPoint PPT Presentation

Mar 17, 2024 •347 likes •726 views

Sum Total of ISA Sum Total of ISA Knowledge Knowledge Analyzing Your Static Analysis Tools Analyzing Your Static Analysis Tools @alexkropivny Unsolicited Firmware Unsolicited Firmware Archeology and You Archeology and You "I bet I

  1. Sum Total of ISA Sum Total of ISA Knowledge Knowledge Analyzing Your Static Analysis Tools Analyzing Your Static Analysis Tools @alexkropivny

  2. Unsolicited Firmware Unsolicited Firmware Archeology and You Archeology and You

  4. "I bet I can hack this"

  6. References References - full work�ow example VMU hackery - long-term toolchain example Nexmon Tools to assist static portion of work�ow: angr (obfuscated interpreters?) Triton or (pure Python) miasm2 amoco (if you have source) KLEE bincat / BAP / Manticore / ...

  7. Manual Static Manual Static Analysis Analysis Automation Automation

  8. Types of Failures Types of Failures 1. False positives discovering more false positives (sev: high) 2. Underapproximations makes you re-visit code (sev: annoying) 3. Script stomped over manually-entered markup (sev: only happens once)

  9. Useful Automation Useful Automation Instruction length disassembler All control �ow e�ects Constant propagation (sometimes)

  10. Useful Automation Useful Automation Command/state machine tables (fancy switches)

  11. Lifter Problems: System Code Lifter Problems: System Code Uncommon instruction classes Once-per-boot setup features Shared memory bus: FIFOs, control �ags, DMA

  12. Lifter Problems: Abstractions Lifter Problems: Abstractions Flattening memory spaces Aliasing with registers (or other memory) Inter- vs intra-procedural analysis C memory and stack model

  13. Examples Examples

  14. Examples Examples

  15. Examples Examples

  16. Examples Examples

  17. Examples Examples

  18. Examples Examples

  19. Examples Examples

  20. Planned Work�ow Planned Work�ow

  21. QA by Concrete Execution QA by Concrete Execution

  22. Sources of Information Sources of Information Emulators! Hacker tools

  23. Emulator Architecture Emulator Architecture

  24. Emulator Architecture Emulator Architecture

  25. Fuzzing A vs B Fuzzing A vs B explore on commonly-occuring instructions bin di�erences on instruction opcodes prioritize on registers a�ected

  26. QA by Symbolic Execution QA by Symbolic Execution

  27. ii = lift.instruction_at(bv, here) # 'swap' MCS-51 instructi emu = lift.function(current_function) # 'swap_a' function on ARM s = ii.solver() emu.constrain(s) s.add(z3.And(ii['A'][0] == emu['mem'][0][0x1ef2608], ii['A'][-1] != emu['mem'][-1][0x1ef2608])) print s.check() # sat print s.model()[x['A'][0]].sexpr(), ':', print s.model()[x['A'][-1]].sexpr()

  29. x = lift.function(current_function) summary = x['Y4'][-1] != x['Y4'][0] & x['Y0'][0] s = x.solver() s.assert_and_track(summary, 'not-equivalent') print s.check() # unsat s.unsat_core() # [not-equivalent]

  31. Program Analysis is a Search Problem Program Analysis is a Search Problem Fast backtracking vs slow complex search Specialized algorithms vs generic solver Heuristics compensating for generic solver Checking results of search vs search ∃ ∀ Approximating state coverage via path coverage

  32. Work�ow and Correctness Work�ow and Correctness

  33. References References - comparison of several major lifters in F# MeanDi� - ambitious academic work Automatic Generation of Peephole Superoptimizers - equivalence checking experiments Fuzzing and Patch Analysis: SAGEly Advice - emulator comparison (would AFL do better?) Hi-Fi Tests for Lo-Fi Emulators Literature reviews to pull terminology from: A Survey of Symbolic Execution Techniques A Vocabulary of Program Slicing-Based Techniques Mechanizing Proof: Computing, Risk, and Trust for a fun historical perspective

  34. What Went Right & What Went Right & What Went Wrong What Went Wrong

  35. 1. Approximations: acceptable, but validate major assumptions 2. Partial lifting: acceptable and commonplace 3. Emulator-as-oracle: less partial, needs a map to lifted model 4. Full equivalence checking versus emulator: hampered by 2 and 3, but sometimes works

  36. Example Tools Example Tools i8051 - minimum viable processor module for 8051 STC - (WIP) attempt at generic lifter analysis tools slides ( PDF render, reveal.js with notes)

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

KNOWLEDGE ACQUISITION AND CONSTRUCTION Transfer of Knowledge Knowledge acquisition is the

KNOWLEDGE ACQUISITION AND CONSTRUCTION Transfer of Knowledge Knowledge acquisition is the

KNOWLEDGE ACQUISITION AND CONSTRUCTION Transfer of Knowledge Knowledge acquisition is the process of extracting knowledge from whatever source including document, manuals, case studies, etc. Knowledge elicitation is a type of the

373 views • 26 slides
Zero-knowledge Arguments Proving circuit satisfaibility in zero-knowledge Zero-knowledge In

Zero-knowledge Arguments Proving circuit satisfaibility in zero-knowledge Zero-knowledge In

Short Pairing-based Non-interactive Zero-knowledge Arguments Proving circuit satisfaibility in zero-knowledge Zero-knowledge In a zero knowledge protocol a prover can convince a verifier that some statement is true without leaking any side

628 views • 14 slides
National Budget Meeting FY 2019 Total Agencies\Field Offices: 5 Total Tribes: 24

National Budget Meeting FY 2019 Total Agencies\Field Offices: 5 Total Tribes: 24

National Budget Meeting FY 2019 Total Agencies\Field Offices: 5 Total Tribes: 24 Total Reservations: 20 Total Acres: 479,015.38 Total Tribal Enrollment: 119,327 Total Programs Funded: 41 Total Employees: 225

541 views • 17 slides
Knowledge-Based Agents knowledge knowledge representation, knowledge base, types of knowledge

Knowledge-Based Agents knowledge knowledge representation, knowledge base, types of knowledge

CPE/CSC 580-S06 Artificial Intelligence Intelligent Agents Knowledge-Based Agents knowledge knowledge representation, knowledge base, types of knowledge wumpus world example of knowledge-based agents knowledge representation language

325 views • 31 slides
OUTLINE CAPITALIZATION OF COLLECTIVE KNOWLEDGE: Knowledge management and Knowledge

OUTLINE CAPITALIZATION OF COLLECTIVE KNOWLEDGE: Knowledge management and Knowledge

OUTLINE CAPITALIZATION OF COLLECTIVE KNOWLEDGE: Knowledge management and Knowledge Engineering FROM KNOWLEDGE Definitions ENGINEERING, MULTI- Process AGENTS TO CSCW AND SOCIO Knowledge Capitalization approaches Cooperative

976 views • 51 slides
Plan for today Knowledge-based systems 1 Explicit knowledge Knowledge Representation Inferred

Plan for today Knowledge-based systems 1 Explicit knowledge Knowledge Representation Inferred

Knowledge Representation Knowledge Representation Plan for today Knowledge-based systems 1 Explicit knowledge Knowledge Representation Inferred knowledge Domain-specific stuff A very brief intro Changing premises Uncertainty Jacek Malec

179 views • 13 slides
Plan for today Knowledge-based systems 1 Tacit knowledge Knowledge Representation Inferred

Plan for today Knowledge-based systems 1 Tacit knowledge Knowledge Representation Inferred

Knowledge Representation Knowledge Representation Plan for today Knowledge-based systems 1 Tacit knowledge Knowledge Representation Inferred knowledge Domain-specific stuff A very brief intro Changing premises Uncertainty Jacek Malec

265 views • 13 slides
Knowledge-based Agents Can represent knowledge And reason with this knowledge CS 331:

Knowledge-based Agents Can represent knowledge And reason with this knowledge CS 331:

Knowledge-based Agents Can represent knowledge And reason with this knowledge CS 331: Artificial Intelligence How is this different from the knowledge Propositional Logic I used by problem-specific agents? More general More

221 views • 9 slides
CORRECT? Introduction Working hypothesis Observations: Hypothesis: Human intelligence

CORRECT? Introduction Working hypothesis Observations: Hypothesis: Human intelligence

The Knowledge Representation Hypothesis (Brian Smith, 1982): IT3706 Knowledge Representation An intelligent systems competence is Rodney Brooks: determined by its knowledge. Knowledge without The knowledge is contained within

405 views • 5 slides
The MJO in Tropical Total Ozone The MJO in Tropical Total Ozone The MJO in Tropical Total Ozone

The MJO in Tropical Total Ozone The MJO in Tropical Total Ozone The MJO in Tropical Total Ozone

The MJO in Tropical Total Ozone The MJO in Tropical Total Ozone The MJO in Tropical Total Ozone The MJO in Tropical Total Ozone Baijun Tian Jet Propulsion Laboratory, California Institute of Technology Thanks Y. L. Yung, T. Tyranowski and L.

453 views • 28 slides
Knowledge Model Basics Challenges in knowledge modeling Basic knowledge-modeling constructs

Knowledge Model Basics Challenges in knowledge modeling Basic knowledge-modeling constructs

Knowledge Model Basics Challenges in knowledge modeling Basic knowledge-modeling constructs Comparison to general software analysis Knowledge model specialized tool for specification of knowledge- intensive tasks abstracts from

758 views • 44 slides
So You re Having re Having So You a Total Hip a Total Hip Replacement? Replacement? Your

So You re Having re Having So You a Total Hip a Total Hip Replacement? Replacement? Your

So You re Having re Having So You a Total Hip a Total Hip Replacement? Replacement? Your team of nurses, surgeons, therapists and social workers are here to help you every step of the way. This presentation is meant to assist you before,

723 views • 36 slides
Recording the Knowledge Footprints February 4, 2015 The Knowledge Problem Those who cannot

Recording the Knowledge Footprints February 4, 2015 The Knowledge Problem Those who cannot

Recording the Knowledge Footprints February 4, 2015 The Knowledge Problem Those who cannot remember the past are condemned to repeat it. George Santayana 2 7 Myths of Knowledge Management Knowledge management is about knowledge

422 views • 19 slides
Building Knowledge & Networking Capacities How to Succeed and Fail at Knowledge Sharing

Building Knowledge & Networking Capacities How to Succeed and Fail at Knowledge Sharing

Building Knowledge & Networking Capacities How to Succeed and Fail at Knowledge Sharing Cheryl Cooper, Applied Wisdom International Knowledge & Learning Consultant CherylAppliedWisdom@gmail.com Since 2002... Strategic Knowledge

490 views • 23 slides
Knowledge Management KNOWLEDGE INSPIRED INNOVATION An investment in knowledge always pays the

Knowledge Management KNOWLEDGE INSPIRED INNOVATION An investment in knowledge always pays the

KAIETEUR INSTITUTE FOR KNOWLEDGE MANAGEMENT Kaieteur Institute for Knowledge Management KNOWLEDGE INSPIRED INNOVATION An investment in knowledge always pays the best interest. Benjamin Franklin US author, diplomat, inventor, physicist,

1.09k views • 66 slides
Dog Knowledge The 3rd pillar of the Dog Program Index What is Dog knowledge? Topics

Dog Knowledge The 3rd pillar of the Dog Program Index What is Dog knowledge? Topics

Dog Knowledge The 3rd pillar of the Dog Program Index What is Dog knowledge? Topics Studying Sources Making study guides Quiz bowl Introduction Knowledge Tests Ticket to Big-E 2 Topics The curriculum for 4-H

229 views • 20 slides
EMU without fiscal and poli3cal union why and how it could work? Vesa Vihril 3 June 2016

EMU without fiscal and poli3cal union why and how it could work? Vesa Vihril 3 June 2016

EMU without fiscal and poli3cal union why and how it could work? Vesa Vihril 3 June 2016 The mainstream argument 1. Monetary union => fiscal union Conjunctural differences => cross-country fiscal stabilisa3on needed in the

221 views • 11 slides
Sovereign Defaults: The Price of Haircuts Juan Cruces Univ. Torcuato Di Tella Christoph

Sovereign Defaults: The Price of Haircuts Juan Cruces Univ. Torcuato Di Tella Christoph

Sovereign Defaults: The Price of Haircuts Juan Cruces Univ. Torcuato Di Tella Christoph Trebesch University of Munich and CESIfo Debt Crisis Conference, Reykjavik University, 08.10.2011 1 INTROD ODUCTION ON Theory predicts exclusion

380 views • 12 slides
Discovery Prospects for tt Resonances in dilepton+jets final states SUNY, Buffalo: Supriya Jain,

Discovery Prospects for tt Resonances in dilepton+jets final states SUNY, Buffalo: Supriya Jain,

Discovery Prospects for tt Resonances in dilepton+jets final states SUNY, Buffalo: Supriya Jain, Ia Iashvili Avto Kharchilava Florida State Univ: Harrison B. Prosper Snowmass 2013, Minnesota Top Group Meeting, July 31 Snowmass 2013,

309 views • 18 slides
Discussion of: Fiscal policy in EMU with downward nominal wage rigidity by Matthias Burgert,

Discussion of: Fiscal policy in EMU with downward nominal wage rigidity by Matthias Burgert,

Discussion of: Fiscal policy in EMU with downward nominal wage rigidity by Matthias Burgert, Philipp Pfeiffer and Werner Roeger Brigitte Hochmuth University of Erlangen-Nuremberg, Germany 3rd MMCN Conference, Goethe University Frankfurt June

127 views • 11 slides
The structure of European development Community detection in inter-industry and external

The structure of European development Community detection in inter-industry and external

Introduction Methodology Community Detection Labour and Subsystems From IO to Countries From Trade to Commodities The structure of European development Community detection in inter-industry and external trade networks Nadia Garbellini

839 views • 65 slides
Limited Domain Synthesis Unit selection gives: high quality but sometimes low quality

Limited Domain Synthesis Unit selection gives: high quality but sometimes low quality

Limited Domain Synthesis Unit selection gives: high quality but sometimes low quality (currently) difficult to build Limited domain: every synthesis use is in a domain often the domain is restricted Can you get the

478 views • 22 slides
CHANGING WELFARE STATES FROM COMPENSATING TO CAPACITATING SOLIDARITY IN EURO CRISIS TIMES ANTON

CHANGING WELFARE STATES FROM COMPENSATING TO CAPACITATING SOLIDARITY IN EURO CRISIS TIMES ANTON

CHANGING WELFARE STATES FROM COMPENSATING TO CAPACITATING SOLIDARITY IN EURO CRISIS TIMES ANTON HEMERIJCK , VU UNIVERSITY AMSTERDAM BOOK LAUNCH NEUJOBS/OSE NAR/CNT, BRUSSELS, 29 JANUARY 2013 OUTLINE 1. Economic crises and welfare regime

707 views • 29 slides
Experimental Evaluation of the Cloud- Native Application Design Sandro Brunner, Martin

Experimental Evaluation of the Cloud- Native Application Design Sandro Brunner, Martin

Experimental Evaluation of the Cloud- Native Application Design Sandro Brunner, Martin Blchlinger, Giovanni Toffetti, Josef Spillner, Thomas Michael Bohnert <josef.spillner@zhaw.ch> Service Prototyping Lab ( blog.zhaw.ch/icclab ) Zurich

333 views • 15 slides

More recommend