superset disassembly statically rewriting x86 binaries
play

Superset Disassembly: Statically Rewriting x86 Binaries Without - PowerPoint PPT Presentation

Dec 28, 2023 •254 likes •1.07k views

Superset Disassembly: Statically Rewriting x86 Binaries Without Heuristics Erick Bauman 1 , Zhiqiang Lin 1 , 2 , Kevin Hamlen 1 1 University of Texas at Dallas 2 The Ohio State University NDSS 2018 Introduction Background and Overview Design

  1. Superset Disassembly: Statically Rewriting x86 Binaries Without Heuristics Erick Bauman 1 , Zhiqiang Lin 1 , 2 , Kevin Hamlen 1 1 University of Texas at Dallas 2 The Ohio State University NDSS 2018

  2. Introduction Background and Overview Design and Implementation Evaluation Conclusion References Static Binary Rewriting 2 / 34

  3. Introduction Background and Overview Design and Implementation Evaluation Conclusion References Static Binary Rewriting 2 / 34

  4. Introduction Background and Overview Design and Implementation Evaluation Conclusion References Many Static Rewriters Have Been Developed Over the Past Decades L S S P C D R P A F U N R D H H H H P O H C R I Systems Year E TCH [RVL + 97] 1997 � � ✗ ✗ ✗ ✗ � � � ✗ ✗ ✗ SASI [ES99] 1999 ✗ ✗ � � � � ✗ ✗ ✗ � ✗ ✗ P LTO [SDAL01] 2001 ✗ ✗ � � � � � � � ✗ ✗ ✗ V ULCAN [SEV01] 2001 � ✗ � � � � � � � ✗ ✗ ✗ D IABLO [PCB + 05] 2005 ✗ ✗ � � � � � � � ✗ ✗ ✗ CFI [ABEL09] 2005 � ✗ � � � � ✗ ✗ ✗ � � ✗ XFI [EAV + 06] 2006 � ✗ � � � � ✗ ✗ ✗ � ✗ ✗ P ITT SFI ELD [MM06] 2006 ✗ ✗ � � � � ✗ ✗ ✗ � ✗ ✗ B IRD [NLLC06] 2006 � � ✗ � � ✗ � � � � ✗ ✗ N A C L [YSD + 09] 2009 ✗ ✗ � � � � ✗ ✗ ✗ � ✗ ✗ P EBIL [LTCS10] 2010 ✗ ✗ � � � � � � � ✗ ✗ ✗ S ECOND W RITE [OAK + 11] 2011 � � � ✗ ✗ ✗ � � � � ✗ ✗ D YN I NST [BM11] 2011 � � ✗ ✗ � ✗ � � � � � ✗ S TIR /R EINS [WMHL12b, WMHL12a] 2012 � � � ✗ ✗ � ✗ ✗ ✗ � � ✗ C CFIR [ZWC + 13] 2013 ✗ � � � ✗ ✗ ✗ ✗ ✗ � � ✗ B ISTRO [DZX13] 2013 � � � ✗ ✗ ✗ ✗ ✗ ✗ � ✗ � B IN CFI [ZS13] 2013 � � � � � ✗ ✗ ✗ ✗ � � ✗ P SI [ZQHS14] 2014 � � � � � ✗ � � � � � ✗ U ROBOROS [WWW16] 2016 � � ✗ ✗ ✗ ✗ � � � � � � R AMBLR [WSB + 17] 2017 � � � ✗ ✗ ✗ � � � � � � 3 / 34

  5. Introduction Background and Overview Design and Implementation Evaluation Conclusion References Many Static Rewriters Have Been Developed Over the Past Decades C D P A L S S P R F U N O R D H H H H P H C R Systems Year I E TCH [RVL + 97] 1997 � � ✗ ✗ ✗ ✗ � � � ✗ ✗ ✗ SASI [ES99] 1999 ✗ ✗ � � � � ✗ ✗ ✗ � ✗ ✗ P LTO [SDAL01] 2001 ✗ ✗ � � � � � � � ✗ ✗ ✗ V ULCAN [SEV01] 2001 � ✗ � � � � � � � ✗ ✗ ✗ D IABLO [PCB + 05] 2005 ✗ ✗ � � � � � � � ✗ ✗ ✗ CFI [ABEL09] 2005 � ✗ � � � � ✗ ✗ ✗ � � ✗ XFI [EAV + 06] 2006 � ✗ � � � � ✗ ✗ ✗ � ✗ ✗ P ITT SFI ELD [MM06] 2006 ✗ ✗ � � � � ✗ ✗ ✗ � ✗ ✗ B IRD [NLLC06] 2006 � � ✗ � � ✗ � � � � ✗ ✗ These tools rely on various N A C L [YSD + 09] 2009 ✗ ✗ � � � � ✗ ✗ ✗ � ✗ ✗ assumptions and heuristics! P EBIL [LTCS10] 2010 ✗ ✗ � � � � � � � ✗ ✗ ✗ S ECOND W RITE [OAK + 11] 2011 � � � ✗ ✗ ✗ � � � � ✗ ✗ D YN I NST [BM11] 2011 � � ✗ ✗ � ✗ � � � � � ✗ S TIR /R EINS [WMHL12b, WMHL12a] 2012 � � � ✗ ✗ � ✗ ✗ ✗ � � ✗ C CFIR [ZWC + 13] 2013 ✗ � � � ✗ ✗ ✗ ✗ ✗ � � ✗ B ISTRO [DZX13] 2013 � � � ✗ ✗ ✗ ✗ ✗ ✗ � ✗ � B IN CFI [ZS13] 2013 � � � � � ✗ ✗ ✗ ✗ � � ✗ P SI [ZQHS14] 2014 � � � � � ✗ � � � � � ✗ U ROBOROS [WWW16] 2016 � � ✗ ✗ ✗ ✗ � � � � � � R AMBLR [WSB + 17] 2017 � � � ✗ ✗ ✗ � � � � � � 3 / 34

  6. Introduction Background and Overview Design and Implementation Evaluation Conclusion References M ULTIVERSE : the first heuristic-free static binary rewriter “Everything that can happen does happen.” [CF12] 4 / 34

  7. Introduction Background and Overview Design and Implementation Evaluation Conclusion References Fundamental Challenges Recognizing and relocating static memory addresses 1 Handling dynamically computed memory addresses 2 Differentiating code and data 3 Handling function pointer arguments (e.g., callbacks) 4 Handling PIC 5 5 / 34

  8. Introduction Background and Overview Design and Implementation Evaluation Conclusion References Working Example 6 / 34

  9. Introduction Background and Overview Design and Implementation Evaluation Conclusion References Working Example 6 / 34

  10. Introduction Background and Overview Design and Implementation Evaluation Conclusion References Working Example 6 / 34

  11. Introduction Background and Overview Design and Implementation Evaluation Conclusion References Challenge (C)1: Recognizing and relocating static addresses 7 / 34

  12. Introduction Background and Overview Design and Implementation Evaluation Conclusion References Challenge (C)1: Recognizing and relocating static addresses 7 / 34

  13. Introduction Background and Overview Design and Implementation Evaluation Conclusion References C1: Recognizing and relocating static memory addresses Data may contain function pointers Must identify pointers to transformed code Difficult to reliably distinguish pointer-like integers from pointers 8 / 34

  14. Introduction Background and Overview Design and Implementation Evaluation Conclusion References C1: Recognizing and relocating static memory addresses Data may contain function pointers Must identify pointers to transformed code Difficult to reliably distinguish pointer-like integers from pointers Keeping original data space intact No need to modify data addresses if data unchanged Keep read-only copy of code for inline data in original code section [OAK + 11, ZS13, WMHL12b, WMHL12a] 8 / 34

  15. Introduction Background and Overview Design and Implementation Evaluation Conclusion References C2: Handling dynamically computed memory addresses 9 / 34

  16. Introduction Background and Overview Design and Implementation Evaluation Conclusion References C2: Handling dynamically computed memory addresses 9 / 34

  17. Introduction Background and Overview Design and Implementation Evaluation Conclusion References C2: Handling dynamically computed memory addresses Indirect control flow transfer (iCFT) targets computed at runtime May use base+offset or arbitrary arithmetic Difficult to predict iCFT targets statically 10 / 34

  18. Introduction Background and Overview Design and Implementation Evaluation Conclusion References C2: Handling dynamically computed memory addresses Indirect control flow transfer (iCFT) targets computed at runtime May use base+offset or arbitrary arithmetic Difficult to predict iCFT targets statically Creating mapping from old code space to rewritten code space Do not attempt to identify original addresses to rewrite Ignore how address is computed; only focus on final target Rewrite all iCFTs to use mapping to dynamically translate address on use [PCC + 04] 10 / 34

  19. Introduction Background and Overview Design and Implementation Evaluation Conclusion References C3: Differentiating code and data 11 / 34

  20. Introduction Background and Overview Design and Implementation Evaluation Conclusion References C3: Differentiating code and data 11 / 34

  21. Introduction Background and Overview Design and Implementation Evaluation Conclusion References C3: Differentiating code and data Code and data can be freely interleaved Found in hand-written assembly and optimizing compilers Linear sweep fails on inline data Recursive traversal lacks full coverage 12 / 34

  22. Introduction Background and Overview Design and Implementation Evaluation Conclusion References C3: Differentiating code and data Code and data can be freely interleaved Found in hand-written assembly and optimizing compilers Linear sweep fails on inline data Recursive traversal lacks full coverage Brute force disassembling of all possible code Disassemble every offset [KRVV04, WZHK14, LVP + 15] All intended code will be within resulting superset 12 / 34

  23. Introduction Background and Overview Design and Implementation Evaluation Conclusion References C4: Handling function pointer arguments (e.g., callbacks) 13 / 34

  24. Introduction Background and Overview Design and Implementation Evaluation Conclusion References C4: Handling function pointer arguments (e.g., callbacks) 13 / 34

  25. Introduction Background and Overview Design and Implementation Evaluation Conclusion References C4: Handling function pointer arguments (e.g., callbacks) Callbacks will fail if function pointer not updated Library code uses callbacks Difficult to identify function pointer arguments 14 / 34

  26. Introduction Background and Overview Design and Implementation Evaluation Conclusion References C4: Handling function pointer arguments (e.g., callbacks) Callbacks will fail if function pointer not updated Library code uses callbacks Difficult to identify function pointer arguments Rewriting all user level code including libraries Hard to automatically identify all function pointer arguments Instead, rewrite everything [ZS13] Use mapping (from Solution ❷ ) to translate callback upon use 14 / 34

  27. Introduction Background and Overview Design and Implementation Evaluation Conclusion References C5: Handling PIC 15 / 34

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

An In-Depth Analysis of Disassembly on Full-Scale x86/x64 Binaries Dennis Andriesse , Xi Chen

An In-Depth Analysis of Disassembly on Full-Scale x86/x64 Binaries Dennis Andriesse , Xi Chen

An In-Depth Analysis of Disassembly on Full-Scale x86/x64 Binaries Dennis Andriesse , Xi Chen , Victor van der Veen , Asia Slowinska , Herbert Bos Vrije Universiteit Amsterdam Lastline, Inc. USENIX Security 2016

508 views • 19 slides
Compiler-Agnostic Function Detection in Binaries Dennis Andriesse , Asia Slowinska, Herbert Bos

Compiler-Agnostic Function Detection in Binaries Dennis Andriesse , Asia Slowinska, Herbert Bos

Compiler-Agnostic Function Detection in Binaries Dennis Andriesse , Asia Slowinska, Herbert Bos Vrije Universiteit Amsterdam EuroS&P 2017 Introduction Disassembly in Systems Security Disassembly is the backbone of all

496 views • 20 slides
Supermodule Disassembly Tom Dietel WWU M unster TRD Status Meeting 3.11.2008 Supermodule

Supermodule Disassembly Tom Dietel WWU M unster TRD Status Meeting 3.11.2008 Supermodule

Supermodule Disassembly Supermodule Disassembly Tom Dietel WWU M unster TRD Status Meeting 3.11.2008 Supermodule Disassembly Disassembly of SM-II Cooling problems in L5 short silicone hoses, bends problem has been solved in

321 views • 4 slides
Finding library subroutines in stripped statically-linked binaries findmagic Katharina Bogad

Finding library subroutines in stripped statically-linked binaries findmagic Katharina Bogad

Finding library subroutines in stripped statically-linked binaries findmagic Katharina Bogad Technische Universitt Mnchen Computer Science Department SS 2015 January 18, 2017 K. Bogad findmagic SS 2015 January 18, 2017 1 / 39

1.15k views • 58 slides
Introduction to Introduction to Statically Statically c ompatibility relationships ,

Introduction to Introduction to Statically Statically c ompatibility relationships ,

Additional equations come from Introduction to Introduction to Statically Statically c ompatibility relationships , Indeterminate Analysis Indeterminate Analysis which ensure continuity of displacements throughout the structure . The

402 views • 15 slides
Approximate Analysis of pproximate Analysis of Statically Indeterminate Statically Indeterminate

Approximate Analysis of pproximate Analysis of Statically Indeterminate Statically Indeterminate

Approximate Analysis of pproximate Analysis of Statically Indeterminate Statically Indeterminate Structures Structures Every successful structure must be capable of reaching stable equilibrium under its applied loads, regardless of

470 views • 32 slides
No source? No problem! High speed binary fuzzing Nspace & @gannimo About this talk

No source? No problem! High speed binary fuzzing Nspace & @gannimo About this talk

No source? No problem! High speed binary fuzzing Nspace & @gannimo About this talk Fuzzing binaries is hard! Few tools, complex setup Fuzzing binaries in the kernel is even harder! New approach based on static rewriting High

488 views • 46 slides
The history and anatomy of Apache Superset Maxime Beauchemin Open source leader &

The history and anatomy of Apache Superset Maxime Beauchemin Open source leader &

The history and anatomy of Apache Superset Maxime Beauchemin Open source leader & community builder Creator of Apache Superset Creator of Apache Airflow Digital artist Influencer in the data engineering space 15+

2.72k views • 23 slides
Airflow Summit Advanced Apache Superset for Data Engineers A passion for building data tools!

Airflow Summit Advanced Apache Superset for Data Engineers A passion for building data tools!

Airflow Summit Advanced Apache Superset for Data Engineers A passion for building data tools! Started Apache Airflow at Airbnb in 2014 Started Apache Superset at Airbnb in 2015 Started Preset - The Apache Superset company in 2019

564 views • 17 slides
Introduction to Statically Introduction to Statically Indeterminate Indeterminate Analysis

Introduction to Statically Introduction to Statically Indeterminate Indeterminate Analysis

Introduction to Statically Introduction to Statically Indeterminate Indeterminate Analysis Indeterminate Indeterminate Analysis Analysis nalysis S pport reactions and internal Support reactions and internal forces of statically determinate

887 views • 60 slides
Statically Calculating Secondary Thread Statically Calculating Secondary Thread Performance in

Statically Calculating Secondary Thread Statically Calculating Secondary Thread Performance in

Statically Calculating Secondary Thread Statically Calculating Secondary Thread Performance in ASTI Systems Performance in ASTI Systems Siddhartha Shivshankar, Sunil Vangara and Alex Guimares Dean alex_dean@ncsu.edu Center for Embedded

441 views • 32 slides
SUPERSET LEARNING AND DATA IMPRECISIATION Eyke Hllermeier Intelligent Systems Group

SUPERSET LEARNING AND DATA IMPRECISIATION Eyke Hllermeier Intelligent Systems Group

SUPERSET LEARNING AND DATA IMPRECISIATION Eyke Hllermeier Intelligent Systems Group Department of Computer Science University of Paderborn, Germany eyke@upb.de TFML 2017, Krakow, 15-FEB-2017 O UTLI NE PART 1 PART 2 PART 3 Superset

1.51k views • 62 slides
Black hole X-ray binaries V: Formation and evolution of black hole binaries Thomas J. Maccarone

Black hole X-ray binaries V: Formation and evolution of black hole binaries Thomas J. Maccarone

Black hole X-ray binaries V: Formation and evolution of black hole binaries Thomas J. Maccarone Jan 14, 2017, 2nd Fudan Winter School on Black Hole Astrophysics Overview Phenomena associated with binary evolution Formation of close binaries

651 views • 30 slides
Fight against 1-day exploits: Diffing Binaries vs Anti-diffing Binaries Jeongwook

Fight against 1-day exploits: Diffing Binaries vs Anti-diffing Binaries Jeongwook

Fight against 1-day exploits: Diffing Binaries vs Anti-diffing Binaries Jeongwook Oh(mat@monkey.org,oh.jeongwook@gmail.com) Jeongwook Oh works on eEye's flagship product called "Blink". He develops traffic analysis module that filters

841 views • 60 slides
Coalescences of IMBH binaries as sources for the future IMBH binaries as seen by the GW ET

Coalescences of IMBH binaries as sources for the future IMBH binaries as seen by the GW ET

Coalescences of IMBH binaries as sources for the future ET detector Coalescences of IMBH binaries as sources for the future IMBH binaries as seen by the GW ET detector detectors The (disputed) existence of IMBHs Modeling BBH Luca

199 views • 16 slides
Successful Online and Offline Cleaning of Steam Turbines With and Without Disassembly Successful

Successful Online and Offline Cleaning of Steam Turbines With and Without Disassembly Successful

Successful Online and Offline Cleaning of Steam Turbines With and Without Disassembly Successful Online and Offline Cleaning of Steam Turbines With and Without Disassembly Bladimir Gomez Supervisor, Rotating Equipment Engineering PDVSA CRP

354 views • 21 slides
Pulmonary Embolism Thrombolysis Study an investigator-initiated, investigator-sponsored trial The

Pulmonary Embolism Thrombolysis Study an investigator-initiated, investigator-sponsored trial The

Pulmonary Embolism Thrombolysis Study an investigator-initiated, investigator-sponsored trial The PEITH Investigators ClinicalTrials.gov # NCT00639743 EudraCT # 2006-005328-18 Rationale: risk-adjusted treatment of acute PE Thrombolysis?

462 views • 27 slides
Its Not A Tumor! n Increasing incidence of cancer Oncologic Emergencies n Improved survival n

Its Not A Tumor! n Increasing incidence of cancer Oncologic Emergencies n Improved survival n

Oncologic Emergencies Its Not A Tumor! n Increasing incidence of cancer Oncologic Emergencies n Improved survival n Patients with malignancies may present to Diane M. Birnbaumer, M.D., FACEP EDs and general medical offices Professor of

529 views • 13 slides
22/3/2017

22/3/2017

22/3/2017

496 views • 16 slides
Marketing and CS 2. Where to advertise? TV, radio, newspaper, magazine, internet, 3. Who

Marketing and CS 2. Where to advertise? TV, radio, newspaper, magazine, internet, 3. Who

Enticing you to buy a product 1. What is the content of the ad? Marketing and CS 2. Where to advertise? TV, radio, newspaper, magazine, internet, 3. Who is the target audience/customers? Philip Chan Which question is the most

422 views • 14 slides
Enhancing Reuse of Constraint Solutions to Improve Symbolic Execution Xiangyang Jia (Wuhan

Enhancing Reuse of Constraint Solutions to Improve Symbolic Execution Xiangyang Jia (Wuhan

Enhancing Reuse of Constraint Solutions to Improve Symbolic Execution Xiangyang Jia (Wuhan University) Carlo Ghezzi (Politecnico di Milano) Shi Ying (Wuhan University) Outline Motivation Logical Basis of our Approach GreenTrie

589 views • 36 slides
Efficiently Mining Long Patterns from Databases Roberto Bayardo IBM Almaden Research Center 1

Efficiently Mining Long Patterns from Databases Roberto Bayardo IBM Almaden Research Center 1

Efficiently Mining Long Patterns from Databases Roberto Bayardo IBM Almaden Research Center 1 of 22 The Problem Current flock of algorithms for mining frequent itemsets in databases: Use (almost exclusively) subset-infrequency pruning -

858 views • 22 slides
CSE 105 THEORY OF COMPUTATION Fall 2016 http://cseweb.ucsd.edu/classes/fa16/cse105-abc/ Today's

CSE 105 THEORY OF COMPUTATION Fall 2016 http://cseweb.ucsd.edu/classes/fa16/cse105-abc/ Today's

CSE 105 THEORY OF COMPUTATION Fall 2016 http://cseweb.ucsd.edu/classes/fa16/cse105-abc/ Today's learning goals Sipser Sec 3.2, 4.1 Use diagonalization in a proof of undecidability. Trace TMs whose inputs are representations of other TMs

710 views • 30 slides
Hardware Design with Generalized Arrows Adam Megacz megacz@cs.berkeley.edu 03.Oct.2011 1/51

Hardware Design with Generalized Arrows Adam Megacz megacz@cs.berkeley.edu 03.Oct.2011 1/51

Hardware Design with Generalized Arrows Adam Megacz megacz@cs.berkeley.edu 03.Oct.2011 1/51 This Project First nontrivial application of generalized arrows . Not (even close to) a complete circuit-design solution. 3/51 Metaprogramming

639 views • 41 slides

More recommend