symbion
play

Symbion Interleaving Symbolic with Concrete Execution Fabio Gritti - PowerPoint PPT Presentation

May 21, 2023 •734 likes •1.91k views

Symbion Interleaving Symbolic with Concrete Execution Fabio Gritti , Lorenzo Fontana, Eric Gustafson, Fabio Pagani, Andrea Continella, Christopher Kruegel, and Giovanni Vigna University of California, Santa Barbara 1 Motivation

  1. Motivation Emulated Program memory P1 (Uninitialized) 0x0000555555559850 │ +0x0000 <symbolic_variable_1> 0x0000555555559858 │ +0x0008 0x000000000ee0000 0x0000555555559860 │ +0x0010 0x0000000aaabbc34 0x0000555555559868 │ +0x0018 <symbolic_variable_2> 0x0000555555559870 │ +0x0020 0x000000000000000 0x0000555555559878 │ +0x0028 <symbolic_variable_3> 0x0000555555559880 │ +0x0030 0x000000000000000 0x0000555555559888 │ +0x0038 <symbolic_variable_4> 0x0000555555559890 │ +0x0040 <symbolic_variable_5> 0x0000555555559898 │ +0x0048 <symbolic_variable_6> 0x00005555555598a0 │ +0x0050 <symbolic_variable_7> 0x00005555555598a8 │ +0x0058 <symbolic_variable_8> 0x00005555555598b0 │ +0x0060 0x000000001231284 0x00005555555598b8 │ +0x0068 0x000000000001212 0x00005555555598c0 │ +0x0070 <symbolic_variable_9> 0x00005555555598c8 │ +0x0078 <symbolic_variable_a> 0x00005555555598c8 │ +0x0078 <symbolic_variable_b> 0x00005555555598c8 │ +0x0078 <symbolic_variable_c> 0x00005555555598c8 │ +0x0078 <symbolic_variable_d> P2 0x00005555555598c8 │ +0x0078 <symbolic_variable_e> 0x00005555555598c8 │ +0x0078 <symbolic_variable_f> 0x00005555555598c8 │ +0x0078 <symbolic_variable_10> 0x00005555555598c8 │ +0x0078 <symbolic_variable_11> “under-constrained” symbolic execution 17

  2. Motivation Emulated Program memory P1 (Uninitialized) 0x0000555555559850 │ +0x0000 <symbolic_variable_1> 0x0000555555559858 │ +0x0008 0x000000000ee0000 0x0000555555559860 │ +0x0010 0x0000000aaabbc34 0x0000555555559868 │ +0x0018 <symbolic_variable_2> 0x0000555555559870 │ +0x0020 0x000000000000000 0x0000555555559878 │ +0x0028 <symbolic_variable_3> 0x0000555555559880 │ +0x0030 0x000000000000000 0x0000555555559888 │ +0x0038 <symbolic_variable_4> 0x0000555555559890 │ +0x0040 <symbolic_variable_5> 0x0000555555559898 │ +0x0048 <symbolic_variable_6> 0x00005555555598a0 │ +0x0050 <symbolic_variable_7> 0x00005555555598a8 │ +0x0058 <symbolic_variable_8> 0x00005555555598b0 │ +0x0060 0x000000001231284 0x00005555555598b8 │ +0x0068 0x000000000001212 0x00005555555598c0 │ +0x0070 <symbolic_variable_9> 0x00005555555598c8 │ +0x0078 <symbolic_variable_a> 0x00005555555598c8 │ +0x0078 <symbolic_variable_b> 0x00005555555598c8 │ +0x0078 <symbolic_variable_c> 0x00005555555598c8 │ +0x0078 <symbolic_variable_d> P2 0x00005555555598c8 │ +0x0078 <symbolic_variable_e> 0x00005555555598c8 │ +0x0078 <symbolic_variable_f> 0x00005555555598c8 │ +0x0078 <symbolic_variable_10> 0x00005555555598c8 │ +0x0078 <symbolic_variable_11> “under-constrained” symbolic execution 18

  3. Motivation Emulated Program memory (Uninitialized) P1 Sn 0x0000555555559850 │ +0x0000 0x000000000000000 0x0000555555559858 │ +0x0008 0x000000000000000 0x0000555555559860 │ +0x0010 0x000000000000000 0x0000555555559868 │ +0x0018 0x000000000000000 0x0000555555559870 │ +0x0020 0x000000000000000 0x0000555555559878 │ +0x0028 0x000000000000000 0x0000555555559880 │ +0x0030 0x000000000000000 0x0000555555559888 │ +0x0038 0x000000000000000 0x0000555555559890 │ +0x0040 0x000000000000000 0x0000555555559898 │ +0x0048 0x000000000000000 0x00005555555598a0 │ +0x0050 0x000000000000000 0x00005555555598a8 │ +0x0058 0x000000000000000 0x00005555555598b0 │ +0x0060 0x000000000000000 0x00005555555598b8 │ +0x0068 0x000000000000000 0x00005555555598c0 │ +0x0070 0x000000000000000 0x00005555555598c8 │ +0x0078 0x000000000000000 THIS WAS THE CAUSE! 19

  4. Motivation Emulated Program memory P1 Sn 0x0000555555559850 │ +0x0000 0x89485ed18949ed31 0x0000555555559858 │ +0x0008 0x4c5450f0e48348e2 0x0000555555559860 │ +0x0010 0x8d4800010aca058d 0x0000555555559868 │ +0x0018 0x3d8d4800010a530d 0x0000555555559870 │ +0x0020 0xa75e15ffffffe61c 0x0000555555559878 │ +0x0028 0x0000441f0ff40021 0x0000555555559880 │ +0x0030 0x550021a9e13d8d48 0x0000555555559888 │ +0x0038 0x480021a9d9058d48 0x0000555555559890 │ +0x0040 0x481974e58948f839 0x0000555555559898 │ +0x0048 0x85480021a732058b 0x00005555555598a0 │ +0x0050 0x2e66e0ff5d0d74c0 0x00005555555598a8 │ +0x0058 0x0000000000841f0f 0x00005555555598b0 │ +0x0060 0x2e6600401f0fc35d 0x00005555555598b8 │ +0x0068 0x0000000000841f0f 0x00005555555598c0 │ +0x0070 0x480021a9a13d8d48 0x00005555555598c8 │ +0x0078 0x48550021a99a358d CAN WE HAVE THIS? 20

  5. Approach S9 S1 S3 S4 S6 S8 S0 Sn S2 S5 S7 EOP Interleaved symbolic execution 21

  6. Approach P1 S9 S1 S3 S4 S6 S8 S0 Sn S2 S5 S7 Interleaved symbolic execution 22

  7. Approach Program memory P1 0x0000555555559850 │ +0x0000 0x89485ed18949ed31 0x0000555555559858 │ +0x0008 0x4c5450f0e48348e2 S9 S1 0x0000555555559860 │ +0x0010 0x8d4800010aca058d 0x0000555555559868 │ +0x0018 0x3d8d4800010a530d S3 S4 S6 0x0000555555559870 │ +0x0020 0xa75e15ffffffe61c S8 0x0000555555559878 │ +0x0028 0x0000441f0ff40021 S0 Sn 0x0000555555559880 │ +0x0030 0x550021a9e13d8d48 S2 S5 0x0000555555559888 │ +0x0038 0x480021a9d9058d48 0x0000555555559890 │ +0x0040 0x481974e58948f839 0x0000555555559898 │ +0x0048 0x85480021a732058b S7 0x00005555555598a0 │ +0x0050 0x2e66e0ff5d0d74c0 0x00005555555598a8 │ +0x0058 0x0000000000841f0f 0x00005555555598b0 │ +0x0060 0x2e6600401f0fc35d 0x00005555555598b8 │ +0x0068 0x0000000000841f0f 0x00005555555598c0 │ +0x0070 0x480021a9a13d8d48 0x00005555555598c8 │ +0x0078 0x48550021a99a358d Interleaved symbolic execution 23

  8. Approach Emulated Program memory P1 Sn 0x0000555555559850 │ +0x0000 0x89485ed18949ed31 0x0000555555559858 │ +0x0008 0x4c5450f0e48348e2 0x0000555555559860 │ +0x0010 0x8d4800010aca058d 0x0000555555559868 │ +0x0018 0x3d8d4800010a530d 0x0000555555559870 │ +0x0020 0xa75e15ffffffe61c 0x0000555555559878 │ +0x0028 0x0000441f0ff40021 0x0000555555559880 │ +0x0030 0x550021a9e13d8d48 0x0000555555559888 │ +0x0038 0x480021a9d9058d48 0x0000555555559890 │ +0x0040 0x481974e58948f839 0x0000555555559898 │ +0x0048 0x85480021a732058b 0x00005555555598a0 │ +0x0050 0x2e66e0ff5d0d74c0 0x00005555555598a8 │ +0x0058 0x0000000000841f0f 0x00005555555598b0 │ +0x0060 0x2e6600401f0fc35d 0x00005555555598b8 │ +0x0068 0x0000000000841f0f 0x00005555555598c0 │ +0x0070 0x480021a9a13d8d48 0x00005555555598c8 │ +0x0078 0x48550021a99a358d Interleaved symbolic execution 24

  9. Approach Emulated Program memory P1 Sn User 0x0000555555559850 │ +0x0000 0x89485ed18949ed31 controlled 0x0000555555559858 │ +0x0008 0x4c5450f0e48348e2 0x0000555555559860 │ +0x0010 0x8d4800010aca058d 0x0000555555559868 │ +0x0018 <symbolic_variable_1> 0x0000555555559870 │ +0x0020 0xa75e15ffffffe61c 0x0000555555559878 │ +0x0028 0x0000441f0ff40021 0x0000555555559880 │ +0x0030 0x550021a9e13d8d48 0x0000555555559888 │ +0x0038 0x480021a9d9058d48 0x0000555555559890 │ +0x0040 0x481974e58948f839 0x0000555555559898 │ +0x0048 0x85480021a732058b 0x00005555555598a0 │ +0x0050 0x2e66e0ff5d0d74c0 0x00005555555598a8 │ +0x0058 0x0000000000841f0f 0x00005555555598b0 │ +0x0060 0x2e6600401f0fc35d 0x00005555555598b8 │ +0x0068 0x0000000000841f0f 0x00005555555598c0 │ +0x0070 0x480021a9a13d8d48 0x00005555555598c8 │ +0x0078 0x48550021a99a358d Interleaved symbolic execution 25

  10. Approach Emulated Program memory P1 Sn 0x0000555555559850 │ +0x0000 0x89485ed18949ed31 0x0000555555559858 │ +0x0008 0x4c5450f0e48348e2 0x0000555555559860 │ +0x0010 0x8d4800010aca058d 0x0000555555559868 │ +0x0018 <symbolic_variable_1> S3 0x0000555555559870 │ +0x0020 0xa75e15ffffffe61c 0x0000555555559878 │ +0x0028 0x0000441f0ff40021 0x0000555555559880 │ +0x0030 0x550021a9e13d8d48 0x0000555555559888 │ +0x0038 0x480021a9d9058d48 0x0000555555559890 │ +0x0040 0x481974e58948f839 0x0000555555559898 │ +0x0048 0x85480021a732058b 0x00005555555598a0 │ +0x0050 0x2e66e0ff5d0d74c0 0x00005555555598a8 │ +0x0058 0x0000000000841f0f 0x00005555555598b0 │ +0x0060 0x2e6600401f0fc35d 0x00005555555598b8 │ +0x0068 0x0000000000841f0f 0x00005555555598c0 │ +0x0070 0x480021a9a13d8d48 0x00005555555598c8 │ +0x0078 0x48550021a99a358d Interleaved symbolic execution 26

  11. Approach Emulated Program memory P1 Sn 0x0000555555559850 │ +0x0000 0x89485ed18949ed31 0x0000555555559858 │ +0x0008 0x4c5450f0e48348e2 0x0000555555559860 │ +0x0010 0x8d4800010aca058d 0x0000555555559868 │ +0x0018 <symbolic_variable_1> S3 0x0000555555559870 │ +0x0020 0xa75e15ffffffe61c 0x0000555555559878 │ +0x0028 0x0000441f0ff40021 0x0000555555559880 │ +0x0030 0x550021a9e13d8d48 0x0000555555559888 │ +0x0038 0x480021a9d9058d48 0x0000555555559890 │ +0x0040 0x481974e58948f839 S4 0x0000555555559898 │ +0x0048 0x85480021a732058b 0x00005555555598a0 │ +0x0050 0x2e66e0ff5d0d74c0 0x00005555555598a8 │ +0x0058 0x0000000000841f0f 0x00005555555598b0 │ +0x0060 0x2e6600401f0fc35d 0x00005555555598b8 │ +0x0068 0x0000000000841f0f 0x00005555555598c0 │ +0x0070 0x480021a9a13d8d48 0x00005555555598c8 │ +0x0078 0x48550021a99a358d Interleaved symbolic execution 27

  12. Approach Emulated Program memory P1 Sn 0x0000555555559850 │ +0x0000 0x89485ed18949ed31 0x0000555555559858 │ +0x0008 0x4c5450f0e48348e2 0x0000555555559860 │ +0x0010 0x8d4800010aca058d 0x0000555555559868 │ +0x0018 <symbolic_variable_1> S3 0x0000555555559870 │ +0x0020 0xa75e15ffffffe61c 0x0000555555559878 │ +0x0028 0x0000441f0ff40021 0x0000555555559880 │ +0x0030 0x550021a9e13d8d48 0x0000555555559888 │ +0x0038 0x480021a9d9058d48 0x0000555555559890 │ +0x0040 0x481974e58948f839 S4 0x0000555555559898 │ +0x0048 0x85480021a732058b 0x00005555555598a0 │ +0x0050 0x2e66e0ff5d0d74c0 0x00005555555598a8 │ +0x0058 0x0000000000841f0f 0x00005555555598b0 │ +0x0060 0x2e6600401f0fc35d 0x00005555555598b8 │ +0x0068 0x0000000000841f0f S5 1 0x00005555555598c0 │ +0x0070 0x480021a9a13d8d48 0x00005555555598c8 │ +0x0078 0x48550021a99a358d S6 1 S6 Interleaved symbolic execution 28

  13. Approach Emulated Program memory P1 0x0000555555559850 │ +0x0000 0x89485ed18949ed31 0x0000555555559858 │ +0x0008 0x4c5450f0e48348e2 0x0000555555559860 │ +0x0010 0x8d4800010aca058d 0x0000555555559868 │ +0x0018 <symbolic_variable_1> 0x0000555555559870 │ +0x0020 0xa75e15ffffffe61c 0x0000555555559878 │ +0x0028 0x0000441f0ff40021 0x0000555555559880 │ +0x0030 0x550021a9e13d8d48 0x0000555555559888 │ +0x0038 0x480021a9d9058d48 0x0000555555559890 │ +0x0040 0x481974e58948f839 0x0000555555559898 │ +0x0048 0x85480021a732058b 0x00005555555598a0 │ +0x0050 <symbolic_variable_2> 0x00005555555598a8 │ +0x0058 <symbolic_variable_3> 0x00005555555598b0 │ +0x0060 <symbolic_variable_4> 0x00005555555598b8 │ +0x0068 0x0000000000841f0f 0x00005555555598c0 │ +0x0070 0x480021a9a13d8d48 0x00005555555598c8 │ +0x0078 <symbolic_variable_5> P2 Interleaved symbolic execution 29

  14. Approach Emulated Program memory P1 0x0000555555559850 │ +0x0000 0x89485ed18949ed31 0x0000555555559858 │ +0x0008 0x4c5450f0e48348e2 0x0000555555559860 │ +0x0010 0x8d4800010aca058d 0x0000555555559868 │ +0x0018 <symbolic_variable_1> 0x0000555555559870 │ +0x0020 0xa75e15ffffffe61c 0x0000555555559878 │ +0x0028 0x0000441f0ff40021 0x0000555555559880 │ +0x0030 0x550021a9e13d8d48 0x0000555555559888 │ +0x0038 0x480021a9d9058d48 0x0000555555559890 │ +0x0040 0x481974e58948f839 <symbolic_variable_1> = ????? 0x0000555555559898 │ +0x0048 0x85480021a732058b To reach P2 0x00005555555598a0 │ +0x0050 <symbolic_variable_2> 0x00005555555598a8 │ +0x0058 <symbolic_variable_3> 0x00005555555598b0 │ +0x0060 <symbolic_variable_4> 0x00005555555598b8 │ +0x0068 0x0000000000841f0f 0x00005555555598c0 │ +0x0070 0x480021a9a13d8d48 0x00005555555598c8 │ +0x0078 <symbolic_variable_5> P2 Interleaved symbolic execution 30

  15. Approach Emulated Program memory P1 0x0000555555559850 │ +0x0000 0x89485ed18949ed31 0x0000555555559858 │ +0x0008 0x4c5450f0e48348e2 0x0000555555559860 │ +0x0010 0x8d4800010aca058d 0x0000555555559868 │ +0x0018 <symbolic_variable_1> 0x0000555555559870 │ +0x0020 0xa75e15ffffffe61c 0x0000555555559878 │ +0x0028 0x0000441f0ff40021 0x0000555555559880 │ +0x0030 0x550021a9e13d8d48 0x0000555555559888 │ +0x0038 0x480021a9d9058d48 0x0000555555559890 │ +0x0040 0x481974e58948f839 <symbolic_variable_1> = 0xdeadbeef 0x0000555555559898 │ +0x0048 0x85480021a732058b To reach P2 0x00005555555598a0 │ +0x0050 <symbolic_variable_2> 0x00005555555598a8 │ +0x0058 <symbolic_variable_3> 0x00005555555598b0 │ +0x0060 <symbolic_variable_4> 0x00005555555598b8 │ +0x0068 0x0000000000841f0f 0x00005555555598c0 │ +0x0070 0x480021a9a13d8d48 0x00005555555598c8 │ +0x0078 <symbolic_variable_5> P2 Interleaved symbolic execution 31

  16. Approach Program memory P1 Sn 0x0000555555559850 │ +0x0000 0x89485ed18949ed31 0x0000555555559858 │ +0x0008 0x4c5450f0e48348e2 0x0000555555559860 │ +0x0010 0x8d4800010aca058d S3 0x0000555555559868 │ +0x0018 0x8d4800010aca058d 0x0000555555559870 │ +0x0020 0xa75e15ffffffe61c 0x0000555555559878 │ +0x0028 0x0000441f0ff40021 0x0000555555559880 │ +0x0030 0x550021a9e13d8d48 0x0000555555559888 │ +0x0038 0x480021a9d9058d48 S4 0x0000555555559890 │ +0x0040 0x481974e58948f839 0x0000555555559898 │ +0x0048 0x85480021a732058b 0x00005555555598a0 │ +0x0050 0x2e66e0ff5d0d74c0 0x00005555555598a8 │ +0x0058 0x0000000000841f0f S5 0x00005555555598b0 │ +0x0060 0x2e6600401f0fc35d 0x00005555555598b8 │ +0x0068 0x0000000000841f0f 0x00005555555598c0 │ +0x0070 0x480021a9a13d8d48 0x00005555555598c8 │ +0x0078 0x48550021a99a358d Sm Interleaved symbolic execution 32

  17. Approach Program memory P1 Sn 0x0000555555559850 │ +0x0000 0x89485ed18949ed31 0x0000555555559858 │ +0x0008 0x4c5450f0e48348e2 0x0000555555559860 │ +0x0010 0x8d4800010aca058d S3 0x0000555555559868 │ +0x0018 0x00000000deadbeef 0x0000555555559870 │ +0x0020 0xa75e15ffffffe61c 0x0000555555559878 │ +0x0028 0x0000441f0ff40021 0x0000555555559880 │ +0x0030 0x550021a9e13d8d48 0x0000555555559888 │ +0x0038 0x480021a9d9058d48 S4 0x0000555555559890 │ +0x0040 0x481974e58948f839 0x0000555555559898 │ +0x0048 0x85480021a732058b 0x00005555555598a0 │ +0x0050 0x2e66e0ff5d0d74c0 0x00005555555598a8 │ +0x0058 0x0000000000841f0f S5 0x00005555555598b0 │ +0x0060 0x2e6600401f0fc35d 0x00005555555598b8 │ +0x0068 0x0000000000841f0f 0x00005555555598c0 │ +0x0070 0x480021a9a13d8d48 0x00005555555598c8 │ +0x0078 0x48550021a99a358d Sm Interleaved symbolic execution 33

  18. Approach Program memory Sn 0x0000555555559850 │ +0x0000 0x0000000111111111 0x0000555555559858 │ +0x0008 0x4c5450f0e48348e2 0x0000555555559860 │ +0x0010 0x8d4800010aca058d S3 0x0000555555559868 │ +0x0018 0x00000000deadbeef 0x0000555555559870 │ +0x0020 0xa75e15ffffffe61c 0x0000555555559878 │ +0x0028 0x0000441f0ff40021 0x0000555555559880 │ +0x0030 0x1123012312310010 0x0000555555559888 │ +0x0038 0x480021a9d9058d48 S4 0x0000555555559890 │ +0x0040 0x4141414141414141 0x0000555555559898 │ +0x0048 0x85480021a732058b 0x00005555555598a0 │ +0x0050 0x2e66e0ff5d0d74c0 0x00005555555598a8 │ +0x0058 0x0000000000841f0f S5 0x00005555555598b0 │ +0x0060 0x2e6600401f0fc35d 0x00005555555598b8 │ +0x0068 0x0000000000841f0f 0x00005555555598c0 │ +0x0070 0x0000100100000000 0x00005555555598c8 │ +0x0078 0x48550021a99a358d P2 Sm Interleaved symbolic execution 34

  19. Approach 35

  20. Approach P1 concrete execution 36

  21. Approach P1 P1 P2 under-constrained symbolic exec. concrete execution 37

  22. Approach P1 P1 P1 P2 P2 under-constrained symbolic exec. concrete execution Interleaved symbolic execution 38

  23. System Overview angr Symbolic execution engine Concrete environment Debugging Symbion ConcreteTarget ( Exploration Technique ) Component Concrete SimPlugin Binary SimEngineConcrete 39 39 39

  24. ConcreteTarget ● Interface used to implement objects that will control the program executed inside the concrete analysis environment. ● Exposes the following methods: ConcreteTarget ( Interface ) ○ def read_memory(self, address, length) ○ def write_memory(self, address, data) ○ def read_register(self, register) ○ def write_register(self, register, value) implements ○ def set_breakpoint(self, address) ○ def remove_breakpoint(self, address) ○ def set_watchpoint(self, address) GDBTarget ○ def remove_watchpoint(self, address) ○ def get_mappings(self) ○ def run(self) 40

  25. ConcreteTarget ● It can have different interesting implementations! ConcreteTarget ( Interface ) implements implements implements GDBTarget WinDBGTarget IDATarget 41

  26. ConcreteTarget Target binary Analysis GDBTarget Environment GDBServer Linux QEMU Concrete Environment 42

  27. ConcreteTarget Target binary Analysis GDBTarget Environment GDBServer Linux VirtualBox Concrete Environment 43

  28. ConcreteTarget Target binary Analysis WinDBGTarget Environment WinDBG Windows Real PC Concrete Environment 44

  29. ConcreteTarget Target binary Analysis JLinkTarget Environment Jlink Embedded System Concrete Environment 45

  30. Let’s put all the pieces together 46

  31. Use Cases (malware reverse engineering) Study evasion Study commands Detect DGA Study packed code techniques sent by C&C 47

  32. Use Cases (malware reverse engineering) wgxododfj2e7y990ueey2ywc22.info? Study evasion Study commands Study packed code techniques sent by C&C Detect DGA 48

  33. Use Case ● Symmi Trojan ○ Detecting a domain generation algorithm (DGA) inside the binary. wgxododfj2e7y990ueey2ywc22.info Wed Tue 30 10:12:42 PDT 2020 GetFileSystemTime gethostbyname processing 49

  34. Use Case ● Symmi Trojan ○ Detecting a domain generation algorithm (DGA) inside the binary. <BV32 (if ((((0x0 .. __add__(0xfe624e21, symbolic_buffer [63:32], 0x0 .. (if ( symbolic_buffer [31:0] ... <symbolic_buffer> GetFileSystemTime gethostbyname processing 50

  35. Use Case ● Symmi Trojan ○ Detecting a domain generation algorithm (DGA) inside the binary. ○ Challenges : ■ Malware has noisy initialization code and evasion: ● “API Hammering” ● Junk code ● Self-checks ■ Vanilla symbolic execution or under-constrained symbolic execution won’t work. 51

  36. Use Case ● Symmi Trojan ○ Detecting a domain generation algorithm (DGA) inside the binary. GDBServer GDBTarget Windows VirtualBox 52

  37. Symbolic → Concrete angr Concrete environment Analysis environment SimEngineConcrete find= call_getfilesystime Symbion ConcreteTarget Binary EIP Symbolic → Concrete Initialization code (threads and API hammering) CALL GetFileSystemTime Process memory Process Memory CLEmory 53

  38. Symbolic → Concrete angr Concrete environment Analysis environment SimEngineConcrete find= call_getfilesystime Symbion ConcreteTarget Binary EIP Initialization code (threads and API hammering) CALL GetFileSystemTime Process memory Process Memory CLEmory 54

  39. Symbolic → Concrete angr Concrete environment Analysis environment SimEngineConcrete find= call_getfilesystime Symbion ConcreteTarget Binary Initialization code (threads and API hammering) EIP CALL GetFileSystemTime Process memory Process Memory CLEmory 55

  40. Symbolic ← Concrete angr Concrete environment Concrete Analysis environment SimEngineConcrete SimPlugin Symbion sync ConcreteTarget Binary Symbolic ← Concrete EIP CALL GetFileSystemTime Initialization code (threads and API hammering) EIP CALL CALL gethostbyname GetFileSystemTime Process memory Process Memory CLEmory 56

  41. Symbolic ← Concrete angr Concrete environment Concrete Analysis environment SimEngineConcrete SimPlugin Symbion sync ConcreteTarget Binary EIP CALL GetFileSystemTime Initialization code (threads and API hammering) EIP CALL CALL gethostbyname GetFileSystemTime Process memory Process Memory CLEmory 57

  42. angr Concrete environment Analysis environment SimVexEngine Explore find = call_gethostbyname Binary EIP CALL GetFileSystemTime Symbolic Exploration Initialization code (threads and API hammering) EIP CALL CALL gethostbyname GetFileSystemTime Process memory Process Memory CLEmory 58

  43. angr Concrete environment Analysis environment SimVexEngine Explore find = call_gethostbyname Binary EIP CALL GetFileSystemTime Initialization code (threads and API hammering) EIP CALL CALL gethostbyname GetFileSystemTime Process memory Process Memory CLEmory 59

  44. angr Concrete environment Analysis environment SimVexEngine Explore find = call_gethostbyname Binary EIP CALL GetFileSystemTime Initialization code (threads and API hammering) EIP CALL CALL gethostbyname GetFileSystemTime Process memory Page1 Process Memory sym_buffer_SystemTimeAsFIleTime CLEmory 60

  45. angr Concrete environment Analysis environment SimVexEngine Explore find = call_gethostbyname Binary CALL GetFileSystemTime Initialization code (threads and API hammering) EIP CALL CALL gethostbyname GetFileSystemTime Process memory Page1 Process Memory sym_buffer_SystemTimeAsFIleTime CLEmory 61 61

  46. angr Concrete environment Analysis environment SimVexEngine Explore find = call_gethostbyname Binary CALL GetFileSystemTime Initialization code (threads and API hammering) EIP CALL CALL gethostbyname GetFileSystemTime Process memory Page1 Process Memory sym_buffer_SystemTimeAsFIleTime CLEmory 62 62

  47. angr Concrete environment Analysis environment SimVexEngine Explore find = call_gethostbyname Binary CALL GetFileSystemTime Initialization code (threads and API hammering) EIP CALL EIP CALL gethostbyname GetFileSystemTime Process memory Page1 Process Memory sym_buffer_SystemTimeAsFIleTime CLEmory 63 63

  48. angr Concrete environment Analysis environment arg0 = <BV32 (if ((((0x0 .. __add__(0xfe624e21, SimVexEngine Explore find = call_gethostbyname SystemTimeAsFileTime_0_64 [63:32], 0x0 .. (if Binary ( SystemTimeAsFileTime_0_64 [31:0] <= (0x2ac18000 + SystemTimeAsFileTime_0_64 [31:0])) then 0 CALL else 1)) GetFileSystemTime Initialization code (threads and API hammering) EIP CALL CALL EIP EIP CALL gethostbyname gethostbyname GetFileSystemTime Process memory Page1 Process Memory sym_buffer_SystemTimeAsFIleTime CLEmory 64 64

  49. (More) Use Cases Vulnerabilities Exploit More! Hunting Writing/Generation 65

  50. Comparison ● Question prediction: Why isn’t this just “Concolic Execution?” 66

  51. Comparison ● Question prediction: Why isn’t this just “Concolic Execution?” ● Concolic execution has the goal of improving code coverage of vanilla symbolic execution. ● The techniques are orthogonal and can be chained together 67

  52. Comparison ● Other similar tools have been developed in the past: ○ Avatar2 ○ Triton ○ S2E ○ Mayhem (not freely available to the community) ● None was really making available this kind of technique in a customizable, general purpose and easy to use/programmatic way 68

  53. Limitations ● Program execution correctness not guaranteed by default ○ Users could force executions that are not feasible ○ Solutions to mitigate this can be implemented on top of the technique ● Desynchronized environment interactions ○ Only registers and memory are synchronized ○ States of other objects (socket,file,stdin/stdout) are not sync with the symbolic engine ● Targets support ○ Limited amount of Concrete Targets ○ “Lazy developing” (as needed) 69

  54. Takeaways 1. Symbion is a building block that can empower different new analyses applied to many scenarios 2. Supporting symbolic execution at real-world-program scale is essential 3. Symbion provides a compromise between the power of symbolic execution and the ability to operate on real-world programs 70

  55. Support ● Open source ○ https://github.com/angr/angr ○ https://github.com/degrigis/symbion-use-cases ○ https://github.com/angr/angr-targets ● Docs & Tutorials ○ https://angr.io/blog/angr_symbion/ ○ https://docs.angr.io/advanced-topics/symbion ● Support ○ https://angr.io/invite/ ○ Just yell in #help or directly ping me @degrigis 71

  56. Thanks! degrigis@cs.ucsb.edu @degrigis 72

  57. Motivation Emulated Program A (uninitialized) memory Program A EOP 0x0000555555559850 │ +0x0000 0x000000000000000 0x0000555555559858 │ +0x0008 0x000000000000000 code [...] 0x0000555555559860 │ +0x0010 0x000000000000000 0x0000555555559868 │ +0x0018 0x000000000000000 0x0000555555559870 │ +0x0020 0x000000000000000 0x0000555555559878 │ +0x0028 0x000000000000000 P1 0x0000555555559880 │ +0x0030 0x000000000000000 0x0000555555559888 │ +0x0038 0x000000000000000 0x0000555555559890 │ +0x0040 0x000000000000000 0x0000555555559898 │ +0x0048 0x000000000000000 0x00005555555598a0 │ +0x0050 0x000000000000000 0x00005555555598a8 │ +0x0058 0x000000000000000 code [...] 0x00005555555598b0 │ +0x0060 0x000000000000000 Symbolic 0x00005555555598b8 │ +0x0068 0x000000000000000 0x00005555555598c0 │ +0x0070 0x000000000000000 execution 0x00005555555598c8 │ +0x0078 0x000000000000000 from here! “under-constrained” symbolic execution 73

  58. Motivation Emulated Program A (uninitialized) memory Program A EOP 0x0000555555559850 │ +0x0000 0x000000000000000 0x0000555555559858 │ +0x0008 0x000000000000000 code [...] 0x0000555555559860 │ +0x0010 0x000000000000000 0x0000555555559868 │ +0x0018 0x000000000000000 0x0000555555559870 │ +0x0020 0x000000000000000 0x0000555555559878 │ +0x0028 0x000000000000000 P1 0x0000555555559880 │ +0x0030 0x000000000000000 0x0000555555559888 │ +0x0038 0x000000000000000 0x0000555555559890 │ +0x0040 0x000000000000000 mov rax, [0x555555559850] 0x0000555555559898 │ +0x0048 0x000000000000000 0x00005555555598a0 │ +0x0050 0x000000000000000 0x00005555555598a8 │ +0x0058 0x000000000000000 0x00005555555598b0 │ +0x0060 0x000000000000000 Symbolic 0x00005555555598b8 │ +0x0068 0x000000000000000 0x00005555555598c0 │ +0x0070 0x000000000000000 execution 0x00005555555598c8 │ +0x0078 0x000000000000000 from here! “under-constrained” symbolic execution 74

  59. Motivation Emulated Program A (uninitialized) memory Program A EOP 0x0000555555559850│+0x0000 <symbolic_variable_1> 0x0000555555559858│+0x0008 0x000000000000000 code [...] 0x0000555555559860│+0x0010 0x000000000000000 0x0000555555559868│+0x0018 0x000000000000000 0x0000555555559870│+0x0020 0x000000000000000 0x0000555555559878│+0x0028 0x000000000000000 P1 0x0000555555559880│+0x0030 0x000000000000000 0x0000555555559888│+0x0038 0x000000000000000 0x0000555555559890│+0x0040 0x000000000000000 mov rax, [0x555555559850] 0x0000555555559898│+0x0048 0x000000000000000 0x00005555555598a0│+0x0050 0x000000000000000 0x00005555555598a8│+0x0058 0x000000000000000 0x00005555555598b0│+0x0060 0x000000000000000 Symbolic 0x00005555555598b8│+0x0068 0x000000000000000 0x00005555555598c0│+0x0070 0x000000000000000 execution 0x00005555555598c8│+0x0078 0x000000000000000 from here! “under-constrained” symbolic execution 75

  60. Motivation Emulated Program A (uninitialized) memory Program A EOP 0x0000555555559850│+0x0000 <symbolic_variable_1> 0x0000555555559858│+0x0008 0x000000000000000 code [...] 0x0000555555559860│+0x0010 0x000000000000000 0x0000555555559868│+0x0018 <symbolic_variable_2> 0x0000555555559870│+0x0020 0x000000000000000 0x0000555555559878│+0x0028 0x000000000000000 P1 0x0000555555559880│+0x0030 0x000000000000000 0x0000555555559888│+0x0038 0x000000000000000 0x0000555555559890│+0x0040 0x000000000000000 mov rax, [0x555555559850] 0x0000555555559898│+0x0048 0x000000000000000 … 0x00005555555598a0│+0x0050 0x000000000000000 … 0x00005555555598a8│+0x0058 0x000000000000000 mov rbx, [0x555555559868] 0x00005555555598b0│+0x0060 0x000000000000000 Symbolic 0x00005555555598b8│+0x0068 0x000000000000000 0x00005555555598c0│+0x0070 0x000000000000000 execution 0x00005555555598c8│+0x0078 0x000000000000000 from here! “under-constrained” symbolic execution 76

  61. Motivation Emulated Program A (uninitialized) memory Program A EOP 0x0000555555559850│+0x0000 <symbolic_variable_1> 0x0000555555559858│+0x0008 0x000000000ee0000 code [...] 0x0000555555559860│+0x0010 0x0000000aaabbc34 0x0000555555559868│+0x0018 <symbolic_variable_2> 0x0000555555559870│+0x0020 0x000000000000000 0x0000555555559878│+0x0028 <symbolic_variable_3> P1 0x0000555555559880│+0x0030 0x000000000000000 0x0000555555559888│+0x0038 <symbolic_variable_4> 0x0000555555559890│+0x0040 <symbolic_variable_5> mov rax, [0x555555559850] 0x0000555555559898│+0x0048 <symbolic_variable_6> … 0x00005555555598a0│+0x0050 <symbolic_variable_7> … 0x00005555555598a8│+0x0058 <symbolic_variable_8> mov rbx, [0x555555559868] 0x00005555555598b0│+0x0060 0x000000001231284 … Symbolic 0x00005555555598b8│+0x0068 0x000000000001212 … 0x00005555555598c0│+0x0070 <symbolic_variable_9> execution … 0x00005555555598c8│+0x0078 <symbolic_variable_a> ... from here! “under-constrained” symbolic execution 77

  62. Approach Program memory P1 0x0000555555559850 │ +0x0000 0x89485ed18949ed31 0x0000555555559858 │ +0x0008 0x4c5450f0e48348e2 S9 S1 0x0000555555559860 │ +0x0010 0x8d4800010aca058d 0x0000555555559868 │ +0x0018 0x3d8d4800010a530d S3 S4 S6 0x0000555555559870 │ +0x0020 0xa75e15ffffffe61c S8 0x0000555555559878 │ +0x0028 0x0000441f0ff40021 S0 Sn 0x0000555555559880 │ +0x0030 0x550021a9e13d8d48 S2 S5 0x0000555555559888 │ +0x0038 0x480021a9d9058d48 0x0000555555559890 │ +0x0040 0x481974e58948f839 0x0000555555559898 │ +0x0048 0x85480021a732058b S7 0x00005555555598a0 │ +0x0050 0x2e66e0ff5d0d74c0 0x00005555555598a8 │ +0x0058 0x0000000000841f0f 0x00005555555598b0 │ +0x0060 0x2e6600401f0fc35d 0x00005555555598b8 │ +0x0068 0x0000000000841f0f 0x00005555555598c0 │ +0x0070 0x480021a9a13d8d48 0x00005555555598c8 │ +0x0078 0x48550021a99a358d Interleaved symbolic execution 78

  63. Approach Program memory P1 0x0000555555559850 │ +0x0000 0x89485ed18949ed31 0x0000555555559858 │ +0x0008 0x4c5450f0e48348e2 S9 S1 0x0000555555559860 │ +0x0010 0x8d4800010aca058d 0x0000555555559868 │ +0x0018 0x00000000deadbeef S3 S4 S6 0x0000555555559870 │ +0x0020 0xa75e15ffffffe61c S8 0x0000555555559878 │ +0x0028 0x0000441f0ff40021 S0 Sn 0x0000555555559880 │ +0x0030 0x550021a9e13d8d48 S2 S5 0x0000555555559888 │ +0x0038 0x480021a9d9058d48 0x0000555555559890 │ +0x0040 0x481974e58948f839 0x0000555555559898 │ +0x0048 0x85480021a732058b S7 0x00005555555598a0 │ +0x0050 0x2e66e0ff5d0d74c0 0x00005555555598a8 │ +0x0058 0x0000000000841f0f 0x00005555555598b0 │ +0x0060 0x2e6600401f0fc35d 0x00005555555598b8 │ +0x0068 0x0000000000841f0f 0x00005555555598c0 │ +0x0070 0x480021a9a13d8d48 0x00005555555598c8 │ +0x0078 0x48550021a99a358d Interleaved symbolic execution 79

  64. Approach Init memory Program A memory Program A EOP 0x0000555555559850│+0x0000 0x89485ed18949ed31 0x0000555555559858│+0x0008 0x4c5450f0e48348e2 code [...] 0x0000555555559860│+0x0010 0x8d4800010aca058d 0x0000555555559868│+0x0018 0x3d8d4800010a530d 0x0000555555559870│+0x0020 0xa75e15ffffffe61c 0x0000555555559878│+0x0028 0x0000441f0ff40021 P1 0x0000555555559880│+0x0030 0x550021a9e13d8d48 0x0000555555559888│+0x0038 0x480021a9d9058d48 0x0000555555559890│+0x0040 0x481974e58948f839 mov rax, [0x555555559850] 0x0000555555559898│+0x0048 0x85480021a732058b Breakpoint! 0x00005555555598a0│+0x0050 0x2e66e0ff5d0d74c0 0x00005555555598a8│+0x0058 0x0000000000841f0f 0x00005555555598b0│+0x0060 0x2e6600401f0fc35d 0x00005555555598b8│+0x0068 0x0000000000841f0f 0x00005555555598c0│+0x0070 0x480021a9a13d8d48 0x00005555555598c8│+0x0078 0x48550021a99a358d Interleaved symbolic execution ( Phase 1: concrete execution to P1 ) 80

  65. Approach Emulated Program A (uninitialized) memory Program A EOP 0x0000555555559850│+0x0000 0x89485ed18949ed31 0x0000555555559858│+0x0008 0x4c5450f0e48348e2 code [...] 0x0000555555559860│+0x0010 0x8d4800010aca058d 0x0000555555559868│+0x0018 <symbolic_variable_1> 0x0000555555559870│+0x0020 <symbolic_variable_2> 0x0000555555559878│+0x0028 <symbolic_variable_3> P1 0x0000555555559880│+0x0030 0x550021a9e13d8d48 0x0000555555559888│+0x0038 0x480021a9d9058d48 0x0000555555559890│+0x0040 0x481974e58948f839 mov rax, [0x555555559850] 0x0000555555559898│+0x0048 0x85480021a732058b 0x00005555555598a0│+0x0050 0x2e66e0ff5d0d74c0 0x00005555555598a8│+0x0058 0x0000000000841f0f 0x00005555555598b0│+0x0060 0x2e6600401f0fc35d Symbolic 0x00005555555598b8│+0x0068 0x0000000000841f0f 0x00005555555598c0│+0x0070 0x480021a9a13d8d48 execution 0x00005555555598c8│+0x0078 0x48550021a99a358d from here! Interleaved symbolic execution ( Phase 2: setup symbolic data ) 81

  66. Approach Emulated Program A (uninitialized) memory Program A EOP 0x0000555555559850│+0x0000 0x89485ed18949ed31 0x0000555555559858│+0x0008 0x4c5450f0e48348e2 code [...] 0x0000555555559860│+0x0010 0x8d4800010aca058d 0x0000555555559868│+0x0018 <symbolic_variable_1> 0x0000555555559870│+0x0020 <symbolic_variable_2> 0x0000555555559878│+0x0028 <symbolic_variable_3> P1 0x0000555555559880│+0x0030 0x550021a9e13d8d48 0x0000555555559888│+0x0038 0x480021a9d9058d48 0x0000555555559890│+0x0040 0x481974e58948f839 mov rax, [0x555555559850] 0x0000555555559898│+0x0048 0x85480021a732058b 0x00005555555598a0│+0x0050 0x2e66e0ff5d0d74c0 0x00005555555598a8│+0x0058 0x0000000000841f0f 0x00005555555598b0│+0x0060 0x2e6600401f0fc35d 0x00005555555598b8│+0x0068 0x0000000000841f0f P2 0x00005555555598c0│+0x0070 0x480021a9a13d8d48 0x00005555555598c8│+0x0078 0x48550021a99a358d Interleaved symbolic execution ( Phase 3: symbolic execution ) 82

  67. Approach Emulated Program A (uninitialized) memory Program A EOP 0x0000555555559850│+0x0000 0x89485ed18949ed31 0x0000555555559858│+0x0008 0x4c5450f0e48348e2 code [...] 0x0000555555559860│+0x0010 0x8d4800010aca058d 0x0000555555559868│+0x0018 <symbolic_variable_1> 0x0000555555559870│+0x0020 <symbolic_variable_2> 0x0000555555559878│+0x0028 <symbolic_variable_3> P1 0x0000555555559880│+0x0030 0x550021a9e13d8d48 0x0000555555559888│+0x0038 0x480021a9d9058d48 0x0000555555559890│+0x0040 0x481974e58948f839 mov rax, [0x555555559850] 0x0000555555559898│+0x0048 0x85480021a732058b … 0x00005555555598a0│+0x0050 0x2e66e0ff5d0d74c0 … 0x00005555555598a8│+0x0058 0x0000000000841f0f mov rbx, [0x555555559868] 0x00005555555598b0│+0x0060 0x2e6600401f0fc35d 0x00005555555598b8│+0x0068 0x0000000000841f0f P2 0x00005555555598c0│+0x0070 0x480021a9a13d8d48 0x00005555555598c8│+0x0078 0x48550021a99a358d Interleaved symbolic execution ( Phase 3: symbolic execution ) 83

  68. Approach Emulated Program A (uninitialized) memory Program A EOP 0x0000555555559850│+0x0000 0x89485ed18949ed31 0x0000555555559858│+0x0008 0x4c5450f0e48348e2 code [...] 0x0000555555559860│+0x0010 0x8d4800010aca058d 0x0000555555559868│+0x0018 <symbolic_variable_1> 0x0000555555559870│+0x0020 <symbolic_variable_2> 0x0000555555559878│+0x0028 <symbolic_variable_3> P1 0x0000555555559880│+0x0030 0x550021a9e13d8d48 0x0000555555559888│+0x0038 0x480021a9d9058d48 0x0000555555559890│+0x0040 0x481974e58948f839 mov rax, [0x555555559850] 0x0000555555559898│+0x0048 0x85480021a732058b … 0x00005555555598a0│+0x0050 0x2e66e0ff5d0d74c0 … 0x00005555555598a8│+0x0058 0x0000000000841f0f mov rbx, [0x555555559868] 0x00005555555598b0│+0x0060 0x2e6600401f0fc35d … 0x00005555555598b8│+0x0068 0x0000000000841f0f … P2 0x00005555555598c0│+0x0070 0x480021a9a13d8d48 … 0x00005555555598c8│+0x0078 0x48550021a99a358d ... Interleaved symbolic execution ( Phase 3: symbolic execution ) 84

  69. Approach Emulated Program A (uninitialized) memory Program A EOP 0x0000555555559850│+0x0000 0x89485ed18949ed31 0x0000555555559858│+0x0008 0x4c5450f0e48348e2 code [...] 0x0000555555559860│+0x0010 0x8d4800010aca058d 0x0000555555559868│+0x0018 <symbolic_variable_1> 0x0000555555559870│+0x0020 <symbolic_variable_2> 0x0000555555559878│+0x0028 <symbolic_variable_3> P1 0x0000555555559880│+0x0030 0x550021a9e13d8d48 0x0000555555559888│+0x0038 0x480021a9d9058d48 0x0000555555559890│+0x0040 0x481974e58948f839 mov rax, [0x555555559850] 0x0000555555559898│+0x0048 0x85480021a732058b … 0x00005555555598a0│+0x0050 0x2e66e0ff5d0d74c0 … 0x00005555555598a8│+0x0058 0x0000000000841f0f mov rbx, [0x555555559868] 0x00005555555598b0│+0x0060 0x2e6600401f0fc35d … 0x00005555555598b8│+0x0068 0x0000000000841f0f … P2 0x00005555555598c0│+0x0070 0x480021a9a13d8d48 <symbolic_variable_1> = ????? 0x00005555555598c8│+0x0078 0x48550021a99a358d To reach P2 Interleaved symbolic execution ( Phase 3: symbolic execution ) 85

  70. Approach Emulated Program A (uninitialized) memory Program A EOP 0x0000555555559850│+0x0000 0x89485ed18949ed31 0x0000555555559858│+0x0008 0x4c5450f0e48348e2 code [...] 0x0000555555559860│+0x0010 0x8d4800010aca058d 0x0000555555559868│+0x0018 <symbolic_variable_1> 0x0000555555559870│+0x0020 <symbolic_variable_2> 0x0000555555559878│+0x0028 <symbolic_variable_3> P1 0x0000555555559880│+0x0030 0x550021a9e13d8d48 0x0000555555559888│+0x0038 0x480021a9d9058d48 0x0000555555559890│+0x0040 0x481974e58948f839 mov rax, [0x555555559850] 0x0000555555559898│+0x0048 0x85480021a732058b … 0x00005555555598a0│+0x0050 0x2e66e0ff5d0d74c0 … 0x00005555555598a8│+0x0058 0x0000000000841f0f mov rbx, [0x555555559868] 0x00005555555598b0│+0x0060 0x2e6600401f0fc35d … 0x00005555555598b8│+0x0068 0x0000000000841f0f … P2 0x00005555555598c0│+0x0070 0x480021a9a13d8d48 <symbolic_variable_1> = 0xdeadbeef 0x00005555555598c8│+0x0078 0x48550021a99a358d To reach P2 Interleaved symbolic execution ( Phase 3: symbolic execution ) 86

  71. Approach Program A memory Program A EOP 0x0000555555559850│+0x0000 0x89485ed18949ed31 0x0000555555559858│+0x0008 0x4c5450f0e48348e2 code [...] 0x0000555555559860│+0x0010 0x8d4800010aca058d 0x0000555555559868│+0x0018 0x00000000deadbeef 0x0000555555559870│+0x0020 0xa75e15ffffffe61c 0x0000555555559878│+0x0028 0x0000441f0ff40021 P1 0x0000555555559880│+0x0030 0x550021a9e13d8d48 0x0000555555559888│+0x0038 0x480021a9d9058d48 0x0000555555559890│+0x0040 0x481974e58948f839 mov rax, [0x555555559850] 0x0000555555559898│+0x0048 0x85480021a732058b … 0x00005555555598a0│+0x0050 0x2e66e0ff5d0d74c0 … 0x00005555555598a8│+0x0058 0x0000000000841f0f mov rbx, [0x555555559868] 0x00005555555598b0│+0x0060 0x2e6600401f0fc35d … 0x00005555555598b8│+0x0068 0x0000000000841f0f … P2 0x00005555555598c0│+0x0070 0x480021a9a13d8d48 <symbolic_variable_1> = 0xdeadbeef 0x00005555555598c8│+0x0078 0x48550021a99a358d To reach P2 Interleaved symbolic execution ( Phase 4: Edit program A concrete memory ) 87

  72. Approach Program A memory Program A P2 0x0000555555559850│+0x0000 0x89485ed18949ed31 0x0000555555559858│+0x0008 0x4c5450f0e48348e2 code [...] 0x0000555555559860│+0x0010 0x8d4800010aca058d 0x0000555555559868│+0x0018 0x00000000deadbeef 0x0000555555559870│+0x0020 0xa75e15ffffffe61c 0x0000555555559878│+0x0028 0x0000441f0ff40021 P3 0x0000555555559880│+0x0030 0x550021a9e13d8d48 0x0000555555559888│+0x0038 0x480021a9d9058d48 0x0000555555559890│+0x0040 0x481974e58948f839 code [...] 0x0000555555559898│+0x0048 0x85480021a732058b 0x00005555555598a0│+0x0050 0x2e66e0ff5d0d74c0 0x00005555555598a8│+0x0058 0x0000000000841f0f 0x00005555555598b0│+0x0060 0x2e6600401f0fc35d 0x00005555555598b8│+0x0068 0x0000000000841f0f 0x00005555555598c0│+0x0070 0x480021a9a13d8d48 0x00005555555598c8│+0x0078 0x48550021a99a358d Interleaved symbolic execution ( Phase 5: Resume concrete execution ) 88

  73. Symbion - Exploration Technique ● API provided to the users in order to control the concrete execution of the binary inside the concrete environment rax 0x00000012 rbx 0x00000001 Concrete process Modifications Symbion (OPTIONAL) addr_1 0x4141 ( Exploration Technique ) addr_2 0xff0000 breakpoints [0x555555559856] Where to stop! 89

  74. System Overview Symbolic execution engine Concrete environment Debugging Symbion ConcreteTarget ( Exploration Technique ) Component rax 0x00000012 rbx 0x00000001 Concrete addr_1 0x4141 SimPlugin addr_2 0xff0000 Binary breakpoints [0x555555559856] SimEngineConcrete 90 90 90

  75. SimEngineConcrete ● Engine used by the Symbion Exploration Technique in order to step the concrete execution of the binary in the analysis environment. ● Consists of two main parts: ○ to_engine ( ) ■ Handle the “jump” inside the concrete world! ○ from_engine ( ) ■ Handle the “jump” outside the concrete world leveraging the Concrete SimPlugin . 91

  76. SimEngineConcrete ● to_engine ( ): ○ Leverages the ConcreteTarget object to: ■ Set breakpoints on the concrete execution instance of the program. ■ Modify the concrete memory. ■ Resume the concrete execution by exploiting. rax 0x00000012 GDBTarget rbx 0x00000001 write_register() Commands to addr_1 0x4141 debugging write_memory() addr_2 0xff0000 components set_breakpoint() breakpoints [0x555555559856] 92

  77. System Overview Symbolic execution engine Concrete environment Debugging Symbion ConcreteTarget ( Exploration Technique ) Component rax 0x00000012 rbx 0x00000001 Concrete addr_1 0x4141 SimPlugin addr_2 0xff0000 Binary breakpoints [0x555555559856] SimEngineConcrete 93 93 93

  78. SimConcrete Plugin ● Synchronize the concrete process with angr and returns a a new SimState. ○ Copy values of ALL registers. SimState Concrete Program State GDBTarget rax rax 0x0000a44 rbx rbx 0x0000001 read_register() read_memory() rcx rcx 0x0000000 get_mapping() 94

  79. SimConcrete Plugin ● Synchronize the concrete process with angr and returns a a new SimState. ○ Copy values of ALL registers. SimState Concrete Program State GDBTarget rax 0x0000a44 rax 0x0000a44 rbx 0x0000001 rbx 0x0000001 read_register() read_memory() rcx 0x0000000 rcx 0x0000000 get_mapping() 95

  80. SimConcrete Plugin ● Synchronize the concrete process with angr and returns a a new SimState. ○ Copy values of ALL registers. ○ Hook new SimState memory backend to redirect reads to concrete process. SimState Concrete Program State GDBTarget 0x0000555555559850│ 0x89485ed18949ed31 0x0000555555559858│ 0x4c5450f0e48348e2 CLE 0x0000555555559860│ 0x8d4800010aca058d read_register() 0x0000555555559868│0x3d8d4800010a530d (memory backend) 0x0000555555559870│0xa75e15ffffffe61c 0x0000555555559878│0x0000441f0ff40021 read_memory() 0x0000555555559880│0x550021a9e13d8d48 get_mapping() 96

  81. SimConcrete Plugin ● Synchronize the concrete process with angr and returns a a new SimState. ○ Copy values of ALL registers. ○ Hook new SimState memory backend to redirect reads to concrete process. ○ Updates memory mapping information. SimState Concrete Program State GDBTarget 0x54000 0x64000 r-x /bin/ls 0x64000 0x84000 r-- /bin/ls read_register() 0x84000 0x94000 rw- /bin/ls 0x94000 0xf0000 rw- [heap] read_memory() 0xf1000 0xffff00 rw- [stack] get_mapping() 97

  82. SimConcrete Plugin ● Synchronize the concrete process with angr and returns a a new SimState. ○ Copy values of ALL registers. ○ Hook new SimState memory backend to redirect reads to concrete process. ○ Updates memory mapping information. SimState Concrete Program State GDBTarget 0x54000 0x64000 r-x /bin/ls 0x54000 0x64000 r-x /bin/ls 0x64000 0x84000 r-- /bin/ls 0x64000 0x84000 r-- /bin/ls 0x84000 0x94000 rw- /bin/ls read_register() 0x84000 0x94000 rw- /bin/ls 0x94000 0xf0000 rw- [heap] 0x94000 0xf0000 rw- [heap] read_memory() 0xf1000 0xffff00 rw- [stack] 0xf1000 0xffff00 rw- [stack] get_mapping() 98

  83. to_engine( ) angr Concrete environment Analysis environment SimEngineConcrete find= 0x5555555540 Symbion ConcreteTarget Binary EIP bp Process memory Page0 SymSimbolic SimPaged Page1 Process Memory Memory Memory Page2 CLEmory 99

  84. from_engine() angr Concrete environment Analysis environment SimEngineConcrete Concrete Symbion SimPlugin ConcreteTarget Binary sync EIP EIP bp Process memory SymSimbolic SimPaged Memory Memory Process Memory CLEmory ConcreteTarget 100

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

An overview of MOSEK Erling D. Andersen MOSEK ApS Fruebjergvej 3, Symbion Science park, Box 16

An overview of MOSEK Erling D. Andersen MOSEK ApS Fruebjergvej 3, Symbion Science park, Box 16

An overview of MOSEK Erling D. Andersen MOSEK ApS Fruebjergvej 3, Symbion Science park, Box 16 2100 Copenhagen O Denmark Email: sales@mosek.com WWW: http://www.mosek.com http://www.mosek.com October 5, 2013 Introduction 2 / 25 Overview

367 views • 25 slides
Protection Disclaimer: some slides are adopted from book authors slides with permission 1

Protection Disclaimer: some slides are adopted from book authors slides with permission 1

Protection Disclaimer: some slides are adopted from book authors slides with permission 1 Today Protection Security 2 Examples of OS Protection Memory protection Between user processes Between user and kernel File

953 views • 51 slides
Cosmology: the First 4 Days D. Russell Humphreys, Ph.D. Creation Research Society In the

Cosmology: the First 4 Days D. Russell Humphreys, Ph.D. Creation Research Society In the

Cosmology: the First 4 Days D. Russell Humphreys, Ph.D. Creation Research Society In the beginning God created ... = space ... the heavens and the earth. In the beginning God created ... = space ... the heavens and the earth. When?

280 views • 26 slides
Welcome We will begin at 7:30 p.m. Central Time. Alexis Conavay Or Organizing Coordinator

Welcome We will begin at 7:30 p.m. Central Time. Alexis Conavay Or Organizing Coordinator

Welcome We will begin at 7:30 p.m. Central Time. Alexis Conavay Or Organizing Coordinator Jalakoi Solomon Re Regional Organizing Manager Logistics We will meet every Wednesday for 90 minutes. If you cannot attend, inform your fellows

518 views • 40 slides
States, Processes, and Events, and the Ontology of Causal Relations Antony Galton College of

States, Processes, and Events, and the Ontology of Causal Relations Antony Galton College of

States, Processes, and Events, and the Ontology of Causal Relations Antony Galton College of Engineering, Mathematics, and Physical Sciences, University of Exeter, UK FOIS-2012, Graz, Austria, July 2012 Key Questions regarding Causation (after

427 views • 28 slides
The Project FeederWatch Top 20 feeder birds in the East Central region Based on the reports of

The Project FeederWatch Top 20 feeder birds in the East Central region Based on the reports of

The Project FeederWatch Top 20 feeder birds in the East Central region Based on the reports of citizen scientists from across the region. White-breasted Nuthatch by Steve Delloff Do you like to watch the birds that visit your backyard bird

369 views • 26 slides
jive5ab 2.8.1 and support acts m5copy and vbs_{fs,ls,rm} May 2017 TOG - Ventspils

jive5ab 2.8.1 and support acts m5copy and vbs_{fs,ls,rm} May 2017 TOG - Ventspils

jive5ab 2.8.1 and support acts m5copy and vbs_{fs,ls,rm} May 2017 TOG - Ventspils verkouter@jive.eu New developments in jive5ab 2.8.1 May 2017 TOG - Ventspils verkouter@jive.eu Many fjxes in 2.8.1 SIGSEGV reported by one (1) FlexBuff

572 views • 28 slides
EMBODIED NEURO- SYMBOLIC COMPUTATION SERGE THILL SERGE.THILL@HIS.SE CONTENTS (from

EMBODIED NEURO- SYMBOLIC COMPUTATION SERGE THILL SERGE.THILL@HIS.SE CONTENTS (from

EMBODIED NEURO- SYMBOLIC COMPUTATION SERGE THILL SERGE.THILL@HIS.SE CONTENTS (from stampauctionnetwork.com) TWO REASONS FOR BEING INTERESTED IN NEURO-SYMBOLIC COMPUTATION 1. IT APPEARS USEFUL FOR APPLICATIONS IN COGNITIVE SYSTEMS 2. IT MAY

1.03k views • 38 slides
The Socioeconomic Machine Philosophy of Economics University of Virginia Matthias Brinkmann

The Socioeconomic Machine Philosophy of Economics University of Virginia Matthias Brinkmann

The Socioeconomic Machine Philosophy of Economics University of Virginia Matthias Brinkmann Contents 1. Interventionist Accounts of Causation 2. Ceteris Paribus Clauses 3. Cartwright on the Socioeconomic Machine 29/10/2018

357 views • 14 slides
1. What is skill and how are skill classified? 2. How do people learn skills? 3. How can

1. What is skill and how are skill classified? 2. How do people learn skills? 3. How can

Coaching I Skill Acquisition Image by minwoo Lesson Outcomes 1. What is skill and how are skill classified? 2. How do people learn skills? 3. How can coaches monitor the learning process? 1 PROPERTIES Allow user to leave interaction:

248 views • 10 slides
Real Time Data Analytics @ Uber Ankur Bansal November 14, 2016 About Me Sr. Software Engineer,

Real Time Data Analytics @ Uber Ankur Bansal November 14, 2016 About Me Sr. Software Engineer,

Real Time Data Analytics @ Uber Ankur Bansal November 14, 2016 About Me Sr. Software Engineer, Streaming Team @ Uber Streaming team supports platform for real time data analytics: Kafka, Samza, Flink, Pinot.. and plenty more

1.91k views • 71 slides
DIY IoT Backend Voon Siong WONG greenfields greenfields 4 years ago, wanted IoT platform no

DIY IoT Backend Voon Siong WONG greenfields greenfields 4 years ago, wanted IoT platform no

DIY IoT Backend Voon Siong WONG greenfields greenfields 4 years ago, wanted IoT platform no clear requirements grew organically flaws in hindsight never in production, never fixed hobby project revisited the project made list of good,

636 views • 31 slides
10-701 Machine Learning (Spring 2012) Principal Component Analysis Yang Xu This note is partly

10-701 Machine Learning (Spring 2012) Principal Component Analysis Yang Xu This note is partly

10-701 Machine Learning (Spring 2012) Principal Component Analysis Yang Xu This note is partly based on Chapter 12.1 in Chris Bishops book on PRML and the lecture slides on PCA written by Carlos Guestrin in the 10-701 Machine Learning (fall

413 views • 8 slides
Knowledge Working Organization #ABE17, Warsaw, October 2017 HOW CAN YOU CREATE AN @mortenelvang

Knowledge Working Organization #ABE17, Warsaw, October 2017 HOW CAN YOU CREATE AN @mortenelvang

#GameChangingBeliefs for the Knowledge Working Organization #ABE17, Warsaw, October 2017 HOW CAN YOU CREATE AN @mortenelvang ORGANIZATION WHERE SUCCEEDING WITH AGILE IS POSSIBLE? Find the latest presentation here: www.42stc.com/downloads

434 views • 26 slides
Part 3: Audio-Visual Child-Robot Interaction Petros Maragos slides:

Part 3: Audio-Visual Child-Robot Interaction Petros Maragos slides:

Computer Vision, Speech Communication &amp; Signal Processing Group, Intelligent Robotics and Automation Laboratory National Technical University of Athens, Greece (NTUA) Robot Perception and Interaction Unit, Athena Research and Innovation

250 views • 20 slides
Impulsive control of moving ensembles of interacting agents Maxim Staritsyn joint work with

Impulsive control of moving ensembles of interacting agents Maxim Staritsyn joint work with

Impulsive control of moving ensembles of interacting agents Maxim Staritsyn joint work with Nikolay Pogodaev CROWDS: Models and Control CIRM Marseille, France June 37, 2019 Matrosov Institute for System Dynamics and Control

753 views • 37 slides
Python &amp; Memory Tomasz Paczkowski @oinopion PyWaw, 14.07.2014 Disclaimer Code was

Python &amp; Memory Tomasz Paczkowski @oinopion PyWaw, 14.07.2014 Disclaimer Code was

Python &amp; Memory Tomasz Paczkowski @oinopion PyWaw, 14.07.2014 Disclaimer Code was executed on Ubuntu 12.04 x64 and cPython 2.7.3 Im not an expert in cPython Its much more complicated than it looks like Im not even

248 views • 20 slides
Evan Krall 2015-06-12 Who is this person? Evan Krall SRE = development + sysadmin 4+ years at

Evan Krall 2015-06-12 Who is this person? Evan Krall SRE = development + sysadmin 4+ years at

Evan Krall 2015-06-12 Who is this person? Evan Krall SRE = development + sysadmin 4+ years at Yelp Paasta Application Delivery at Yelp Why? History Yelp started out as monolithic python app Builds/pushes take a long time Messing up is

884 views • 72 slides
Interaktionsdesign Interaktionsdesign E2008 Lektion 19 Lektion 19 Mening i brug

Interaktionsdesign Interaktionsdesign E2008 Lektion 19 Lektion 19 Mening i brug

Interaktionsdesign Interaktionsdesign E2008 Lektion 19 Lektion 19 Mening i brug fnomenologi Indhold Indhold S Social &amp; tangible computing i l &amp; ibl i Refleksionsrapport indhold / krav fl k i i dh ld / k

871 views • 70 slides
Introduction to Natural Language Processing Steven Bird Ewan Klein Edward Loper University of

Introduction to Natural Language Processing Steven Bird Ewan Klein Edward Loper University of

Introduction to Natural Language Processing Steven Bird Ewan Klein Edward Loper University of Melbourne, AUSTRALIA University of Edinburgh, UK University of Pennsylvania, USA August 27, 2008 Knowledge and Communication in Language human

1.07k views • 71 slides
Capabilities, Metadata and Adaptation Architectures T-110.456 Next Generation Cellular Networks

Capabilities, Metadata and Adaptation Architectures T-110.456 Next Generation Cellular Networks

Capabilities, Metadata and Adaptation Architectures T-110.456 Next Generation Cellular Networks Immo Heino Content Adaptation and delivery context Methods for describing capabilities and preferences Adaptation architectures

451 views • 27 slides
What Servlets Are and Why You Would Want to Use Them Java Servlets are an efficient and powerful

What Servlets Are and Why You Would Want to Use Them Java Servlets are an efficient and powerful

falkner.ch2.qxd 8/29/03 1:00 PM Page 31 Chapter 2 Java Servlets I n this chapter the concept of Servlets, not the entire Servlet specification, is explained; consider this an introduction to the Servlet specification starting strictly with

1.01k views • 78 slides
Securing Next- generation Mobile Platf orms: The User- to- Device Authentication I ssue MPSoC

Securing Next- generation Mobile Platf orms: The User- to- Device Authentication I ssue MPSoC

Securing Next- generation Mobile Platf orms: The User- to- Device Authentication I ssue MPSoC (August 2006) Srivaths Ravi (Email: sravi@nec- labs. com) NEC Laboratories America Princeton, NJ Security Requirements of Mobile Appliances

159 views • 12 slides
User Authentication Earlence Fernandes earlence@cs.wisc.edu Admin Homework 1 is out: start

User Authentication Earlence Fernandes earlence@cs.wisc.edu Admin Homework 1 is out: start

Computer Security and Privacy (CS642) User Authentication Earlence Fernandes earlence@cs.wisc.edu Admin Homework 1 is out: start doing it Talk to TAs to figure out any setup issues You may discuss high- level ideas but DONT

880 views • 49 slides

More recommend