Symbion: Interleaving Symbolic with Concrete Execution - Fabio Gritti - PowerPoint PPT Presentation

SLIDE 1

Symbion

Interleaving Symbolic with Concrete Execution

Fabio Gritti, Lorenzo Fontana, Eric Gustafson, Fabio Pagani, Andrea Continella, Christopher Kruegel, and Giovanni Vigna, University of California, Santa Barbara

SLIDE 2

Motivation

  • Symbolic execution of binaries is very useful.
    ○ Identify bugs and security vulnerabilities
    ○ Reverse-engineer closed-source software
    ○ Formally verify properties
  • Scalability of symbolic execution is an issue
    ○ State/path explosion
    ○ Program behaviors can’t always be fully modeled by symbolic execution engines
      ■ Complex state initializations
      ■ Filesystem accesses
      ■ Network requests
      ■ Interrupts

SLIDE 3

Motivation

CAN’T EXECUTE THE WHOLE PROGRAM SYMBOLICALLY!

SLIDE 4-6

Motivation

  • Idea: why not just focus on a smaller portion of the code?
    ○ Also known as under-constrained symbolic execution.

[Figure: Program A, from its entry point (EOP) through code to P1 and on to P2; symbolic execution starts at P1]

P1 → P2: independent from EOP → P1?

Do we care about the real state of the program in P1 to execute P1 → P2?

SLIDE 7

NO

SLIDE 8

YES

SLIDE 9-11

Motivation: typical concrete execution

[Figure: the program runs concretely from EOP through states S0, S1, S2, ..., S9 to Sn at P1, and on through S3, S4, S5 to Sm at P2; the program memory (hex dump of 0x0000555555559850-0x00005555555598c8) holds real, initialized values]

SLIDE 12-18

Motivation: “under-constrained” symbolic execution

[Figure: symbolic execution starts at P1 from state Sn over emulated program memory that is uninitialized (all zeros). Every read of unknown memory yields a fresh <symbolic_variable_1>, <symbolic_variable_2>, ..., and every branch on one of them forks the state:]

If <symbolic_variable_1> == 0x41 {...} else {...}

[S3 forks into S41 (<symbolic_variable_1> == 0x41) and S4 (<symbolic_variable_1> != 0x41); further forks (S51, S61, S6) follow on <symbolic_variable_1> < 0x50505050 versus <symbolic_variable_1> >= 0x50505050. By the time P2 is reached, most of the emulated memory is symbolic (<symbolic_variable_1> ... <symbolic_variable_11>)]

SLIDE 19

Motivation

[Figure: emulated program memory at P1 (state Sn), entirely uninitialized]

THIS WAS THE CAUSE!

SLIDE 20

Motivation

[Figure: emulated program memory at P1 (state Sn) holding the real program’s values]

CAN WE HAVE THIS?
SLIDE 21-23

Approach: interleaved symbolic execution

[Figure: the program runs concretely from EOP through states S0, S1, S2, ..., S9 to Sn at P1; the program memory (hex dump of 0x0000555555559850-0x00005555555598c8) holds the real values]

SLIDE 24-25

Approach: interleaved symbolic execution

[Figure: at P1 the emulated program memory is synchronized with the real program memory and holds the same values; the user then makes a single word (at +0x0018) symbolic: <symbolic_variable_1>]

User controlled

SLIDE 26-28

Approach: interleaved symbolic execution

[Figure: symbolic exploration starts from Sn at P1 on the synchronized memory; state S3 forks into S4, S51, S61 and S6 only where <symbolic_variable_1> is involved]

SLIDE 29-31

Approach: interleaved symbolic execution

[Figure: emulated program memory between P1 and P2: the synchronized words stay concrete and only <symbolic_variable_1> ... <symbolic_variable_5> are symbolic]

<symbolic_variable_1> = ????? To reach P2

<symbolic_variable_1> = 0xdeadbeef To reach P2

SLIDE 32-34

Approach: interleaved symbolic execution

[Figure: the solution is written back into the real program memory (the word at +0x0018 becomes 0x00000000deadbeef), and concrete execution resumes from Sn at P1 through S3, S4, S5 to Sm at P2; the program memory at P2 holds the values the real run produced]

SLIDE 35-38

Approach

concrete execution: EOP → P1
under-constrained symbolic exec.: P1 → P2
Interleaved symbolic execution: concrete execution up to P1, then under-constrained symbolic execution from P1 to P2

SLIDE 39

System Overview

[Figure: architecture. Inside angr, the symbolic execution engine works on the binary; Symbion (an exploration technique) drives SimEngineConcrete, which talks through a ConcreteTarget to the debugging component controlling the concrete environment; the Concrete SimPlugin keeps the two sides in sync]

SLIDE 40

ConcreteTarget

  • Interface used to implement objects that will control the program executed inside the concrete analysis environment.
  • Exposes the following methods:
    ○ def read_memory(self, address, length)
    ○ def write_memory(self, address, data)
    ○ def read_register(self, register)
    ○ def write_register(self, register, value)
    ○ def set_breakpoint(self, address)
    ○ def remove_breakpoint(self, address)
    ○ def set_watchpoint(self, address)
    ○ def remove_watchpoint(self, address)
    ○ def get_mappings(self)
    ○ def run(self)

[Figure: GDBTarget implements ConcreteTarget (Interface)]

SLIDE 41

ConcreteTarget

  • It can have different interesting implementations!

[Figure: GDBTarget, WinDBGTarget and IDATarget all implement ConcreteTarget (Interface)]

SLIDE 42-45

ConcreteTarget

[Figure: example deployments. The analysis environment (angr with a ConcreteTarget) talks to a debugger in the concrete environment that runs the target binary:
    ○ GDBTarget ↔ GDBServer, target binary on Linux inside QEMU
    ○ GDBTarget ↔ GDBServer, target binary on Linux inside VirtualBox
    ○ WinDBGTarget ↔ WinDBG, target binary on Windows on a real PC
    ○ JLinkTarget ↔ Jlink, target binary on an embedded system]

SLIDE 46

Let’s put all the pieces together
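The loop described on the Approach slides (concrete run to P1, Symbolic ← Concrete sync, one user-controlled symbolic word, solve, Symbolic → Concrete write-back, concrete run to P2) together with the ConcreteTarget interface of slide 40, as one added, self-contained Python example. This is not angr's or Symbion's code: the ten method names come from the slide, while the in-memory FakeTarget (standing in for a debugger-backed GDBTarget), the seven-instruction toy program, the breadth-first explorer and the one-variable solver are constructed for this illustration; angr lifts real machine code and asks an SMT solver instead. The memory window 0x0000555555559850, the word at +0x0018 and the value 0xdeadbeef are the ones shown on the slides.

```python
"""Toy model of the Symbion loop: run concretely to P1, sync real memory into an
emulated state, make one word symbolic, explore to P2, solve the symbolic variable,
write it back and continue concretely. Constructed example, not angr code."""
import copy
from collections import deque

BASE = 0x0000555555559850   # memory window shown on the slides
WORD = 4                    # the toy ISA works on 4-byte little-endian words

# Constructed toy program (pc = list index). "api" models an external call only the
# real environment can perform (no symbolic model), which is why EOP -> P1 runs concretely.
PROGRAM = [
    ("api", BASE + 0x10, 0x0aca058d),   # 0  EOP: messy initialization
    ("api", BASE + 0x18, 0x11111111),   # 1  fills the word we will make symbolic
    ("load", "rax", BASE + 0x18),       # 2  P1: sync point
    ("jeq", "rax", 0xdeadbeef, 5),      # 3  branch deciding whether P2 is reached
    ("halt",),                          # 4  P2 missed
    ("load", "rbx", BASE + 0x10),       # 5  P2: exploration target
    ("halt",),                          # 6
]
P1, P2 = 2, 5

class FakeTarget:
    """In-memory stand-in for GDBTarget implementing the ten methods listed on the
    ConcreteTarget slide: executes PROGRAM on real bytes and stops at breakpoints."""
    def __init__(self):
        self._mem = bytearray(0x80)
        self.regs = {"pc": 0, "rax": 0, "rbx": 0}
        self.bps, self.wps = set(), set()
    def read_memory(self, address, length): return bytes(self._mem[address - BASE:address - BASE + length])
    def write_memory(self, address, data): self._mem[address - BASE:address - BASE + len(data)] = data
    def read_register(self, register): return self.regs[register]
    def write_register(self, register, value): self.regs[register] = value
    def set_breakpoint(self, address): self.bps.add(address)
    def remove_breakpoint(self, address): self.bps.discard(address)
    def set_watchpoint(self, address): self.wps.add(address)
    def remove_watchpoint(self, address): self.wps.discard(address)
    def get_mappings(self): return [(BASE, len(self._mem))]
    def run(self):
        """Like 'continue' in a debugger: execute until a breakpoint or halt."""
        while True:
            ins, nxt = PROGRAM[self.regs["pc"]], self.regs["pc"] + 1
            if ins[0] == "halt": return
            if ins[0] == "api": self.write_memory(ins[1], ins[2].to_bytes(WORD, "little"))
            elif ins[0] == "load": self.regs[ins[1]] = int.from_bytes(self.read_memory(ins[2], WORD), "little")
            elif ins[0] == "jeq" and self.regs[ins[1]] == ins[2]: nxt = ins[3]
            self.regs["pc"] = nxt
            if nxt in self.bps: return

def sync_from_target(target):
    """Symbolic <- Concrete: copy registers and every mapped word into an emulated state."""
    mem = {}
    for start, size in target.get_mappings():
        for off in range(0, size, WORD):
            mem[start + off] = int.from_bytes(target.read_memory(start + off, WORD), "little")
    return {"regs": {r: target.read_register(r) for r in ("pc", "rax", "rbx")}, "mem": mem, "constraints": []}

def step(state):
    """Symbolic single step; a branch on a symbolic (str) operand forks the state."""
    regs, pc = state["regs"], state["regs"]["pc"]; ins = PROGRAM[pc]
    if ins[0] == "halt": return []
    if ins[0] == "api": raise NotImplementedError("no symbolic model for external calls")
    if ins[0] == "load":
        regs[ins[1]], regs["pc"] = state["mem"][ins[2]], pc + 1
        return [state]
    val = regs[ins[1]]                                          # jeq
    if isinstance(val, int):                                    # concrete operand: no fork
        regs["pc"] = ins[3] if val == ins[2] else pc + 1
        return [state]
    taken, fall = copy.deepcopy(state), copy.deepcopy(state)    # symbolic operand: fork
    taken["regs"]["pc"], fall["regs"]["pc"] = ins[3], pc + 1
    taken["constraints"].append((val, "==", ins[2])); fall["constraints"].append((val, "!=", ins[2]))
    return [taken, fall]

def explore(state, find):
    """Breadth-first exploration until some state's pc equals `find` (like simgr.explore(find=...))."""
    queue = deque([state])
    while queue:
        s = queue.popleft()
        if s["regs"]["pc"] == find: return s
        queue.extend(step(s))

def solve(constraints, var):
    """One-variable ==/!= solver (a real engine asks an SMT solver); None if unsatisfiable."""
    eqs = {c for v, op, c in constraints if v == var and op == "=="}
    neqs = {c for v, op, c in constraints if v == var and op == "!="}
    if eqs:
        return None if len(eqs) > 1 or eqs & neqs else next(iter(eqs))
    return next(c for c in range(len(neqs) + 1) if c not in neqs)

def symbion_loop(target, sym_addr, var="symbolic_variable_1"):
    """Interleaving from the slides: concrete EOP -> P1, symbolic P1 -> P2, concrete again."""
    target.set_breakpoint(P1); target.run()                     # concrete run reaches P1
    state = sync_from_target(target)                            # Symbolic <- Concrete
    state["mem"][sym_addr] = var                                # the user-controlled word
    found = explore(state, P2)
    if found is None: return None, target.read_register("pc")   # P2 unreachable from P1
    value = solve(found["constraints"], var)
    target.write_memory(sym_addr, value.to_bytes(WORD, "little"))  # Symbolic -> Concrete
    target.remove_breakpoint(P1); target.set_breakpoint(P2); target.run()
    return value, target.read_register("pc")                    # (0xdeadbeef, P2)
```

symbion_loop(FakeTarget(), BASE + 0x18) returns (0xdeadbeef, 5): the solved value and the pc of P2 at which the concrete target stopped, whereas a purely concrete run of the same FakeTarget halts at pc 4 because the initialization left 0x11111111 in that word. The api instruction is the part under-constrained symbolic execution cannot model: step() raises on it, so P1 has to be reached concretely, and only the one word the user chose is symbolic afterwards, which is why the exploration forks once instead of on every uninitialized read.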

SLIDE 47-48

Use Cases (malware reverse engineering)

  • Detect DGA
  • Study packed code
  • Study evasion techniques
  • Study commands sent by C&C

wgxododfj2e7y990ueey2ywc22.info?

SLIDE 49-50

Use Case

  • Symmi Trojan
    ○ Detecting a domain generation algorithm (DGA) inside the binary.

[Figure: the DGA pipeline GetFileSystemTime → processing → gethostbyname. With the concrete time "Wed Tue 30 10:12:42 PDT 2020" the output is the domain wgxododfj2e7y990ueey2ywc22.info; with a <symbolic_buffer> in place of the time, the domain becomes a symbolic expression:]

<BV32 (if ((((0x0 .. __add__(0xfe624e21, symbolic_buffer[63:32], 0x0 .. (if (symbolic_buffer[31:0] ...

SLIDE 51

Use Case

  • Symmi Trojan
    ○ Detecting a domain generation algorithm (DGA) inside the binary.
    ○ Challenges:
      ■ Malware has noisy initialization code and evasion:
        • “API Hammering”
        • Junk code
        • Self-checks
      ■ Vanilla symbolic execution or under-constrained symbolic execution won’t work.

SLIDE 52

Use Case

  • Symmi Trojan
    ○ Detecting a domain generation algorithm (DGA) inside the binary.

[Figure: setup: GDBTarget in angr talking to GDBServer next to the sample on Windows inside VirtualBox]

SLIDE 53-55

[Figure: Symmi workflow, step 1 (Symbolic → Concrete). In the analysis environment, angr loads the binary (CLEmory) and runs the Symbion exploration technique with find = call_getfilesystime; SimEngineConcrete drives the ConcreteTarget, so the process in the concrete environment executes the initialization code (threads and API hammering) natively until EIP reaches CALL GetFileSystemTime]

SLIDE 56-57

[Figure: step 2 (Symbolic ← Concrete). Once the breakpoint at CALL GetFileSystemTime is hit, the Concrete SimPlugin syncs the process memory and registers from the concrete environment into angr: EIP now sits at CALL GetFileSystemTime and the next point of interest is CALL gethostbyname]

SLIDE 58-63

[Figure: step 3 (symbolic exploration). angr’s SimVexEngine explores from the synced state with find = call_gethostbyname. The buffer that GetFileSystemTime fills (Page1, sym_buffer_SystemTimeAsFIleTime) is made symbolic, and the exploration proceeds on top of the synced process memory from CALL GetFileSystemTime to CALL gethostbyname]

SLIDE 64

[Figure: with EIP at CALL gethostbyname, the argument is a symbolic expression over the system-time buffer:]

arg0 = <BV32 (if ((((0x0 .. __add__(0xfe624e21, SystemTimeAsFileTime_0_64[63:32], 0x0 .. (if (SystemTimeAsFileTime_0_64[31:0] <= (0x2ac18000 + SystemTimeAsFileTime_0_64[31:0])) then 0 else 1))
slide-65
SLIDE 65

(More) Use Cases

65

Vulnerabilities Hunting Exploit Writing/Generation More!

slide-66
SLIDE 66

Comparison

66

  • Question prediction: Why isn’t this just “Concolic Execution?”
slide-67
SLIDE 67
  • Question prediction: Why isn’t this just “Concolic Execution?”
  • Concolic execution has the goal of improving code coverage of vanilla

symbolic execution.

  • The techniques are orthogonal and can be chained together

Comparison

67

slide-68
SLIDE 68

Comparison

68

  • Other similar tools have been developed in the past:

○ Avatar2 ○ Triton ○ S2E ○ Mayhem (not freely available to the community)

  • None was really making available this kind of technique in a customizable,

general purpose and easy to use/programmatic way

slide-69
SLIDE 69

Limitations

69

  • Program execution correctness is not guaranteed by default

○ Users could force executions that are not feasible
○ Solutions to mitigate this can be implemented on top of the technique

  • Desynchronized environment interactions

○ Only registers and memory are synchronized
○ The state of other objects (sockets, files, stdin/stdout) is not synchronized with the symbolic engine

  • Target support

○ Limited number of concrete targets
○ “Lazy developing” (as needed)

slide-70
SLIDE 70

Takeaways

70

1. Symbion is a building block that can empower different new analyses applied to many scenarios
2. Supporting symbolic execution at real-world-program scale is essential
3. Symbion provides a compromise between the power of symbolic execution and the ability to operate on real-world programs

slide-71
SLIDE 71

Support

71

  • Open source

○ https://github.com/angr/angr
○ https://github.com/degrigis/symbion-use-cases
○ https://github.com/angr/angr-targets

  • Docs & Tutorials

○ https://angr.io/blog/angr_symbion/
○ https://docs.angr.io/advanced-topics/symbion

  • Support

○ https://angr.io/invite/
○ Just yell in #help or directly ping me @degrigis

slide-72
SLIDE 72

Thanks!

72

degrigis@cs.ucsb.edu @degrigis

slide-73
SLIDE 73

Motivation

73

[Diagram: Program A's code from P1 to EOP, with "Symbolic execution from here!" at P1 (“under-constrained” symbolic execution). Memory panel: Emulated Program A (uninitialized) memory, sixteen qwords from 0x0000555555559850 to 0x00005555555598c8, all zero.]

slide-74
SLIDE 74

Motivation

74

[Diagram: as slide 73; execution reaches mov rax, [0x555555559850], a read from the uninitialized memory.]

slide-75
SLIDE 75

Motivation

75

[Diagram: as slide 74; the read turns the qword at 0x0000555555559850 into <symbolic_variable_1>.]

slide-76
SLIDE 76

Motivation

76

[Diagram: as slide 75; after more instructions, mov rbx, [0x555555559868] turns the qword at 0x0000555555559868 into <symbolic_variable_2>.]

slide-77
SLIDE 77

Motivation

77

[Diagram: as slide 76 after many more instructions; most of the panel is now symbolic (<symbolic_variable_1> through <symbolic_variable_a>), with only a few concrete qwords such as 0x000000000ee0000, 0x0000000aaabbc34, 0x000000001231284 and 0x000000000001212.]

slide-78
SLIDE 78

Approach

78

Interleaved symbolic execution

[Diagram: a tree of states S0 S1 S2 S5 S3 S4 S6 S7 S8 S9 … Sn next to Program memory, sixteen qwords from 0x0000555555559850 to 0x00005555555598c8 holding concrete values (0x89485ed18949ed31, 0x4c5450f0e48348e2, 0x8d4800010aca058d, 0x3d8d4800010a530d, …), with P1 marked.]

slide-79
SLIDE 79

Approach

79

Interleaved symbolic execution

[Diagram: as slide 78; the qword at 0x0000555555559868 is now 0x00000000deadbeef.]

slide-80
SLIDE 80

Approach

80

Interleaved symbolic execution ( Phase 1: concrete execution to P1 )

[Diagram: Program A's code runs concretely up to P1, where a breakpoint is hit ("Breakpoint!"). Program A memory shows the sixteen qwords from 0x0000555555559850 to 0x00005555555598c8 filled by Init memory with concrete values (0x89485ed18949ed31, 0x4c5450f0e48348e2, …, 0x48550021a99a358d); the next instruction is mov rax, [0x555555559850].]

slide-81
SLIDE 81

Approach

81

Interleaved symbolic execution ( Phase 2: setup symbolic data )

[Diagram: "Symbolic execution from here!" at P1. In the emulated copy of Program A's memory the qwords at 0x0000555555559868, 0x0000555555559870 and 0x0000555555559878 are replaced by <symbolic_variable_1>, <symbolic_variable_2> and <symbolic_variable_3>; the rest keeps the concrete values of slide 80.]

slide-82
SLIDE 82

Approach

82

Interleaved symbolic execution ( Phase 3: symbolic execution )

[Diagram: as slide 81 with the target point P2 marked on Program A's code; symbolic execution starts at mov rax, [0x555555559850].]

slide-83
SLIDE 83

Approach

83

Interleaved symbolic execution ( Phase 3: symbolic execution )

[Diagram: as slide 82; execution has advanced to mov rbx, [0x555555559868], the read of <symbolic_variable_1>.]

slide-84
SLIDE 84

Approach

84

Interleaved symbolic execution ( Phase 3: symbolic execution )

[Diagram: as slide 83; execution continues past mov rbx, [0x555555559868] towards P2.]

slide-85
SLIDE 85

Approach

85

Interleaved symbolic execution ( Phase 3: symbolic execution )

<symbolic_variable_1> = ????? To reach P2

[Diagram: as slide 84; the question is which value of <symbolic_variable_1> makes execution reach P2.]

slide-86
SLIDE 86

Approach

86

Interleaved symbolic execution ( Phase 3: symbolic execution )

<symbolic_variable_1> = 0xdeadbeef To reach P2

[Diagram: as slide 85; the solver answers 0xdeadbeef.]

slide-87
SLIDE 87

Approach

87

Interleaved symbolic execution ( Phase 4: Edit program A concrete memory )

<symbolic_variable_1> = 0xdeadbeef To reach P2

[Diagram: back in Program A's real memory, the qword at 0x0000555555559868 is overwritten with 0x00000000deadbeef; 0x0000555555559870 and 0x0000555555559878 keep their concrete values 0xa75e15ffffffe61c and 0x0000441f0ff40021.]

slide-88
SLIDE 88

Approach

88

Interleaved symbolic execution ( Phase 5: Resume concrete execution )

[Diagram: Program A resumes concretely from P1 with the edited memory, reaches P2 and continues towards the next point of interest, P3.]

slide-89
SLIDE 89

Symbion - Exploration Technique

  • API provided to the users in order to control the concrete execution of the
binary inside the concrete environment

89

Symbion ( Exploration Technique )

Concrete process modifications (OPTIONAL):
rax 0x00000012
rbx 0x00000001
addr_1 0x4141
addr_2 0xff0000

Where to stop!
breakpoints [0x555555559856]

slide-90
SLIDE 90

System Overview

90

[Diagram: Symbion ( Exploration Technique ) drives SimEngineConcrete, which talks to a ConcreteTarget wrapping the Debugging Component of the Concrete environment where the Binary runs; the Concrete SimPlugin feeds the synchronized state back to the Symbolic execution engine. Inputs: rax 0x00000012, rbx 0x00000001, addr_1 0x4141, addr_2 0xff0000, breakpoints [0x555555559856].]

slide-91
SLIDE 91

SimEngineConcrete

  • Engine used by the Symbion Exploration Technique in order to step the
concrete execution of the binary in the analysis environment.

  • Consists of two main parts:

○ to_engine( )
  ■ Handles the “jump” into the concrete world!
○ from_engine( )
  ■ Handles the “jump” out of the concrete world, leveraging the Concrete SimPlugin.

91

slide-92
SLIDE 92

SimEngineConcrete

  • to_engine( ):

○ Leverages the ConcreteTarget object to:
  ■ Set breakpoints on the concrete execution instance of the program.
  ■ Modify the concrete memory.
  ■ Resume the concrete execution by exploiting.

92

[Diagram: the requested modifications (rax 0x00000012, rbx 0x00000001, addr_1 0x4141, addr_2 0xff0000, breakpoints [0x555555559856]) become GDBTarget calls, write_register(), write_memory() and set_breakpoint(), i.e. commands to the debugging component.]

slide-93
SLIDE 93

System Overview

93

[Diagram: the System Overview of slide 90 repeated (SimEngineConcrete, Symbion ( Exploration Technique ), Concrete environment, ConcreteTarget, Concrete SimPlugin, Debugging Component, Symbolic execution engine, Binary) with the same inputs: rax 0x00000012, rbx 0x00000001, addr_1 0x4141, addr_2 0xff0000, breakpoints [0x555555559856].]

slide-94
SLIDE 94

SimConcrete Plugin

  • Synchronizes the concrete process with angr and returns a new SimState.

○ Copy the values of ALL registers.

94

[Diagram: GDBTarget read_register() / read_memory() / get_mapping() feeding a SimState. The Concrete Program State shows rax 0x0000a44, rbx 0x0000001, rcx 0x0000000, while the SimState registers rax, rbx, rcx are still empty.]

slide-95
SLIDE 95

SimConcrete Plugin

  • Synchronizes the concrete process with angr and returns a new SimState.

○ Copy the values of ALL registers.

95

[Diagram: as slide 94; the SimState now holds rax 0x0000a44, rbx 0x0000001, rcx 0x0000000, copied from the concrete program state.]

slide-96
SLIDE 96

SimConcrete Plugin

  • Synchronizes the concrete process with angr and returns a new SimState.

○ Copy the values of ALL registers.
○ Hook the new SimState memory backend to redirect reads to the concrete process.

96

[Diagram: GDBTarget read_memory() serving the SimState's CLE (memory backend). The concrete program state shows the qwords 0x0000555555559850 0x89485ed18949ed31, 0x0000555555559858 0x4c5450f0e48348e2, 0x0000555555559860 0x8d4800010aca058d, 0x0000555555559868 0x3d8d4800010a530d, 0x0000555555559870 0xa75e15ffffffe61c, 0x0000555555559878 0x0000441f0ff40021, 0x0000555555559880 0x550021a9e13d8d48.]

slide-97
SLIDE 97

SimConcrete Plugin

  • Synchronizes the concrete process with angr and returns a new SimState.

○ Copy the values of ALL registers.
○ Hook the new SimState memory backend to redirect reads to the concrete process.
○ Update the memory mapping information.

97

[Diagram: GDBTarget get_mapping() returns the concrete program's mappings (start, end, permissions, path):]

0x54000 0x64000 r-x /bin/ls
0x64000 0x84000 r-- /bin/ls
0x84000 0x94000 rw- /bin/ls
0x94000 0xf0000 rw- [heap]
0xf1000 0xffff00 rw- [stack]

slide-98
SLIDE 98

SimConcrete Plugin

  • Synchronizes the concrete process with angr and returns a new SimState.

○ Copy the values of ALL registers.
○ Hook the new SimState memory backend to redirect reads to the concrete process.
○ Update the memory mapping information.

98

[Diagram: as slide 97; the same mapping table (0x54000 0x64000 r-x /bin/ls through 0xf1000 0xffff00 rw- [stack]) is now copied into the SimState.]

slide-99
SLIDE 99

99

[Diagram: angr analysis environment (Symbion, SimEngineConcrete, ConcreteTarget; CLEmory; SymSimbolic Memory backed by SimPaged Memory with Page0, Page1, Page2) beside the concrete environment (Binary, Process memory, EIP). Symbion calls to_engine( ) with find = 0x5555555540 and a bp appears in the process memory.]

slide-100
SLIDE 100

100

[Diagram: from_engine(): the Concrete SimPlugin performs the sync, pulling EIP and process memory through the ConcreteTarget into the SymSimbolic Memory / SimPaged Memory.]

slide-101
SLIDE 101

101

[Diagram: SimVexEngine Explore with find = 0x55555555f0 runs from the synced EIP; SimPaged Memory is filled through page_initialization from the ConcreteTarget.]

slide-102
SLIDE 102

102

[Diagram: as slide 101; Page0 is copied from the process memory through CLEmory into SimPaged Memory.]

slide-103
SLIDE 103

103

[Diagram: as slide 102; arg0 is placed in Page0 of the symbolic memory.]

slide-104
SLIDE 104

104

[Diagram: as slide 103; EIP advances and Page1 and Page2 are pulled in the same way, with arg0 still in Page0.]

slide-105
SLIDE 105

105

[Diagram: as slide 104; Page0 now holds the value XYZ.]

slide-106
SLIDE 106

106

[Diagram: Symbion calls to_engine( ) with find = 0x55555555f0 and Concretize = [ “XYZ” ]; XYZ is written from SimPaged Memory, through CLEmory and SimEngineConcrete / ConcreteTarget, into Page0 of the process memory.]

slide-107
SLIDE 107

107

[Diagram: as slide 106; both EIPs are shown as the concrete execution resumes towards find = 0x55555555f0.]

slide-108
SLIDE 108

Approach

108

[Diagram: three runs from P1 to P2 compared side by side: concrete execution VS Interleaved symbolic execution VS under-constrained symbolic exec.]

slide-109
SLIDE 109

Approach

109

  • Idea: Interleaving symbolic and concrete execution

○ Concretely execute EOP → P1
○ Synchronize the state at P1 inside the symbolic engine
○ The user defines the symbolic variables for the analysis
○ Symbolically execute P1 → P2
○ Ask the constraint solver for solutions
○ Write the solutions into the program’s real memory
○ Concretely execute P1 → P2
○ Repeat!

[Diagram: a timeline alternating Symbolic execution and Concrete execution. Slides 110 to 116 are builds of this slide that reveal the steps above one at a time.]
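The plumbing described in slides 89 to 98 (the Exploration Technique's inputs, SimEngineConcrete's to_engine / from_engine, the Concrete SimPlugin's three sync steps) and the loop of slides 109 to 116 can be exercised end to end with a toy model. The block below is an added illustration, not angr or Symbion code: FakeTarget stands in for a debugger-backed ConcreteTarget such as GDBTarget, the symbolic phase is a stub that returns the single solution the toy program admits (no solver runs), and every address, register value, mapping line and the path /tmp/program_a is constructed. Its to_engine also refuses to write solver results outside writable mappings, one cheap guard for the "users could force executions that are not feasible" limitation on slide 69.

```python
"""Toy model of the Symbion interleaving loop (added illustration, not angr/Symbion code).
FakeTarget plays the ConcreteTarget (the slides' GDBTarget); symbolic_explore stubs
the symbolic phase. Every address, value, mapping line and path is constructed."""
from collections import namedtuple
from dataclasses import dataclass, field

PAGE = 0x1000
ENTRY, P1, P2, EXIT = 0x555555555800, 0x555555555856, 0x5555555558F0, 0x555555555FF0
DATA_BASE = 0x555555559000    # constructed rw- page holding Program A's data
CHECK_ADDR = 0x555555559868   # qword Program A compares before branching to P2
MAPPINGS = ("0x555555555000 0x555555556000 r-x /tmp/program_a\n"   # constructed
            "0x555555559000 0x55555555a000 rw- /tmp/program_a\n")
SimState = namedtuple("SimState", "regs memory mappings")

@dataclass
class FakeTarget:
    """Minimal ConcreteTarget: registers, one data page, breakpoints, run()."""
    regs: dict = field(default_factory=lambda: {"rip": ENTRY, "rax": 0, "rbx": 0})
    mem: bytearray = field(default_factory=lambda: bytearray(PAGE))
    breakpoints: set = field(default_factory=set)
    page_reads: int = 0       # read_memory() calls made by the analysis side

    def read_register(self, name): return self.regs[name]
    def set_breakpoint(self, addr): self.breakpoints.add(addr)
    def get_mappings(self): return MAPPINGS

    def read_memory(self, addr, size):
        self.page_reads += 1
        return bytes(self.mem[addr - DATA_BASE:addr - DATA_BASE + size])

    def write_memory(self, addr, data):
        self.mem[addr - DATA_BASE:addr - DATA_BASE + len(data)] = data

    def _step(self, rip):     # one basic block of the toy program, run on self.mem
        if rip == ENTRY:      # initialization code fills the data page
            self.write_memory(DATA_BASE + 0x850, bytes(range(1, 129)))
            return P1
        if rip == P1:         # mov rbx,[CHECK_ADDR]; cmp rbx,0xdeadbeef; je P2
            off = CHECK_ADDR - DATA_BASE
            self.regs["rbx"] = int.from_bytes(self.mem[off:off + 8], "little")
            return P2 if self.regs["rbx"] == 0xDEADBEEF else EXIT
        return EXIT

    def run(self):            # resume until a breakpoint or exit; return stop address
        rip = self.regs["rip"]
        while rip != EXIT:
            rip = self.regs["rip"] = self._step(rip)
            if rip in self.breakpoints:
                break
        return rip

class ConcreteMemory:
    """Memory backend hooked to the process: a page is fetched on first touch and cached."""
    def __init__(self, target):
        self.target, self.pages, self.symbolic = target, {}, {}

    def read_qword(self, addr):
        if addr in self.symbolic:          # symbolic qwords shadow concrete ones
            return self.symbolic[addr]
        page = addr & ~(PAGE - 1)
        if page not in self.pages:
            self.pages[page] = self.target.read_memory(page, PAGE)
        return int.from_bytes(self.pages[page][addr - page:addr - page + 8], "little")

def parse_mappings(text):     # 'start end perms path' lines -> (int, int, str, str)
    rows = [line.split() for line in text.splitlines()]
    return [(int(s, 16), int(e, 16), perms, path) for s, e, perms, path in rows]

def from_engine(target):
    """Concrete SimPlugin sync: copy all registers, hook memory, refresh mappings."""
    regs = {r: target.read_register(r) for r in ("rip", "rax", "rbx")}
    return SimState(regs, ConcreteMemory(target), parse_mappings(target.get_mappings()))

def symbolic_explore(state, sym_addr, find):
    """Stub for symbolic P1 -> find: the toy program only admits mem[CHECK_ADDR] == 0xdeadbeef."""
    state.memory.symbolic[sym_addr] = "sym_1"
    if state.regs["rip"] == P1 and find == P2 and sym_addr == CHECK_ADDR:
        return {sym_addr: 0xDEADBEEF}
    return None

def to_engine(target, state, concretize, find):
    """Write solver results into the process (writable mappings only), set breakpoint, resume."""
    for addr, value in concretize.items():
        if not any(s <= addr < e and "w" in p for s, e, p, _ in state.mappings):
            raise ValueError(f"refusing to write non-writable address {addr:#x}")
        target.write_memory(addr, value.to_bytes(8, "little"))
    target.set_breakpoint(find)
    return target.run()

def interleave(target):
    """Slides 109-116: concrete to P1, sync, symbolic P1->P2, solve, write, resume."""
    target.set_breakpoint(P1)
    stop = target.run()                                  # phase 1: stops at P1
    state = from_engine(target)                          # phase 2: sync into engine
    before = state.memory.read_qword(CHECK_ADDR)         # concrete value at P1
    solution = symbolic_explore(state, CHECK_ADDR, P2)   # phase 3: symbolic P1->P2
    if stop != P1 or solution is None: return before, stop
    return before, to_engine(target, state, solution, P2)   # phases 4 and 5
```

Calling interleave(FakeTarget()) runs the program concretely to the P1 breakpoint, syncs registers and mappings, marks the qword at CHECK_ADDR symbolic, writes 0xdeadbeef back and resumes to P2. page_reads shows that the analysis side touched the process exactly once for the whole page, which is the lazy read redirection of slide 96 in miniature; the mapping check in to_engine is the kind of mitigation slide 69 says can be layered on top of the technique.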