symbolic execution
play

Symbolic Execution of Linux binaries About Symbolic Execution - PowerPoint PPT Presentation

May 22, 2023 •195 likes •451 views

A tool for the Symbolic Execution of Linux binaries About Symbolic Execution Dynamically explore all program branches. Inputs are considered symbolic variables. Symbols remain uninstantiated and become constrained at execution

  1. A tool for the Symbolic Execution of Linux binaries

  2. About Symbolic Execution ● Dynamically explore all program branches. ● Inputs are considered symbolic variables. ● Symbols remain uninstantiated and become constrained at execution time. ● At a conditional branch operating on symbolic terms, the execution is forked. ● Each feasible branch is taken, and the appropriate constraints logged.

  3. Input space >> Number of paths int main( ) { int val ; read(STDIN, & val , sizeof( val ) ); if ( val > 0 ) if ( val < 100 ) do_something( ); else do_something_else( ); }

  8. This is used for: ● Test generation and bug hunting. ● Reason about reachability. ● Worst-Case Execution Time Analysis. ● Comparing different versions of a func. ● Deobfuscation, malware analisys. ● AEG: Automatic Exploit Generation. Whaat?!

  9. State of the art ● Lots of academic papers: ○ 2008-12-OSDI-KLEE ○ Unleashing MAYHEM on Binary ● Several implementations: ○ SymDroid, Cloud9, Pex, jCUTE, Java PathFinder, KLEE, s2e, fuzzball, mayhem, cbass ● Only a few work on binary : ○ libVEX / IL based ○ quemu based

  10. Our aim ● Emulate x86-64 machine code symbolically. ● Load ELF executables. ● Synthesize any process state as starting point. ● The final code should be readable and easy to extend. ● Use as few dependencies as possible: ○ pyelftools, distorm3 and z3 ● Analysis state can be saved and restored. ● Workload can be distributed (dispy)

  11. Basic architecture

  12. Instructions Frequency in GNU LIBC ● 336 different opcodes ● 160218 total instructions ● 37% of them are MOV or ADD ● currently 185 instruction implemented

  13. CPU ● Based on distorm3 DecomposeInterface. ● Most instructions are very simple, ex. @instruction def DEC(cpu, dest): res = dest.write( dest.read() - 1 ) #Affected Flags o..szapc cpu.calculateFlags('DEC', dest.size, res)

  14. Memory class Memory: def mprotect(self, start, size, perms): … def munmap(self, start, size): … def mmap(self, addr, size, perms): … def putchar(self, addr, data): … def getchar(self, addr): …

  15. Operating System Model (Linux) class Linux: def exe(self, filename, argv=[], envp=[]):… def syscall(self, cpu):… def sys_open(self, cpu, buf, flags, mode):… def sys_read(self, cpu, fd, buf, count):… def sys_write(self, cpu, fd, buf, size):… def sys_close(self, cpu, fd):… def sys_brk(self, cpu, brk):…

  16. Symbols and SMT solver class Solver: def getallvalues(self, x, maxcnt = 30): def minmax(self, x, iters=10000): def check(self): def add(self, constraint): #Symbols factory def mkArray(self, size, name ): … def mkBool(self, name ): … def mkBitVec(self, size, name ): …

  17. Operation over symbols is almost transparent >>> from smtlibv2 import * >>> s = Solver() >>> a = s.mkBitVec(32) >>> b = s.mkBitVec(32) >>> s.add( a + 2*b > 100 ) >>> s.check() 'sat' >>> s.getvalue(a), s.getvalue(b) ( 101 , 0 )

  18. The glue: Basic Initialization 1. Make Solver, Memory, Cpu and Linux objects. 2. Load ELF binary program in Memory, Initialize cpu registers, initialize stack. solver = Solver() mem = SMemory(solver, bits, 12 ) cpu = Cpu(mem, arch ) linux = SLinux(solver, [cpu], mem, ... ) linux.exe(“./my_test”, argv=[], env=[])

  19. The glue: Basic analysis loop states = [‘init.pkl’] while len(states) > 0 : linux = load(state.pop()) while linux.running: linux.execute() if isinstance( linux.cpu.PC, Symbol): vals = solver.getallvalues(linux. cpu.PC) -- generate states for each value -- break

  20. Micro demo python system.py -h usage: system.py [-h] [-sym SYM] [-stdin STDIN] [-stdout STDOUT] [-stderr STDERR] [-env ENV] PROGRAM ... python system.py -sym stdin my_prog stdin: PDF-1.2++++++++++++++++++++++++++++++

  21. Symbolic inputs. We need to mark whic part of the environment is symbolic: ● STDIN: a file partially symbolic. Symbols marked with “+” ● STDOUT and STDERR are placeholders. ● ARGV and ENVP can be symbolic

  22. A toy example int main(int argc, char* argv[], char* envp[]){ char buffer [0x100] = {0}; read(0, buffer , 0x100); if (strcmp( buffer , "ZARAZA") == 0 ) printf("Message: ZARAZA!\n"); else printf("Message: Not Found!\n"); return 0; }

  23. Conclusions, future work ● Push all known optimizations: solver cache, implied values, Redundant State Elimination, constraint independence, KLEE-like cex cache, symbol simplification. ● Add more cpu instructions (fpu, simd). ● Improve Linux model, add network. ● Implement OSX loader and os model. ● https://github.com/feliam/pysymemu

  24. g Gracias. Contacto: feliam@binamuse.com

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Symbolic execution as search, and the rise of solvers Search and SMT Symbolic execution is

Symbolic execution as search, and the rise of solvers Search and SMT Symbolic execution is

Symbolic execution as search, and the rise of solvers Search and SMT Symbolic execution is appealingly simple and useful , but computationally expensive ! We will see how the effective use of symbolic execution boils down to a kind of

494 views • 24 slides
Symbolic Execution: Applications Symbolic execution is widely used in practice. Tools based on

Symbolic Execution: Applications Symbolic execution is widely used in practice. Tools based on

Symbolic Execution: Applications Symbolic execution is widely used in practice. Tools based on symbolic execution have found serious errors and security vulnerabilities in various systems: Network servers File systems Device drivers

733 views • 40 slides
Symbolic execution for binary-level security / 50 3 A number of shades of symbolic execution /

Symbolic execution for binary-level security / 50 3 A number of shades of symbolic execution /

Symbolic execution for binary-level security / 50 3 A number of shades of symbolic execution / / Sbastien Bardin &amp; Richard Bonichon 20180409 CEA LIST 1 1,1,L Model Source qb int foo (int t ) { 0,1,L 0,1,L int y = t * t - 4 * t ;

567 views • 34 slides
Symbolic Execution Emina Torlak emina@cs.washington.edu Outline What is symbolic execution?

Symbolic Execution Emina Torlak emina@cs.washington.edu Outline What is symbolic execution?

CSE 403: Software Engineering, Winter 2016 courses.cs.washington.edu/courses/cse403/16wi/ Symbolic Execution Emina Torlak emina@cs.washington.edu Outline What is symbolic execution? How does it work? State-of-the-art tools 2

637 views • 34 slides
Demo Symbolic Execution Probabilistic Symbolic Execution (Materials kindly provided by Willem

Demo Symbolic Execution Probabilistic Symbolic Execution (Materials kindly provided by Willem

Demo Symbolic Execution Probabilistic Symbolic Execution (Materials kindly provided by Willem Visser) Docker Image Install Docker Download: https://docs.docker.com/engine/installation/ Check: docker --version

446 views • 10 slides
Learning to Fuzz from Symbolic Execution with Application to Smart Contracts Jingxuan Mislav

Learning to Fuzz from Symbolic Execution with Application to Smart Contracts Jingxuan Mislav

Learning to Fuzz from Symbolic Execution with Application to Smart Contracts Jingxuan Mislav Nodar Petar Martin He Balunovic Ambroladze Tsankov Vechev Random Fuzzing vs. Symbolic Execution Random Fuzzing Symbolic Execution Fast Slow

633 views • 29 slides
Constraint Solving in Symbolic Execution Cristian Cadar Department of Computing Imperial College

Constraint Solving in Symbolic Execution Cristian Cadar Department of Computing Imperial College

Constraint Solving in Symbolic Execution Cristian Cadar Department of Computing Imperial College London Invited talk at SMT 2015 18 July, San Francisco, CA, USA Dynamic Symbolic Execution Dynamic symbolic execution is a technique for

660 views • 53 slides
Symbolic Execution Builds predicates that characterize Conditions for executing paths

Symbolic Execution Builds predicates that characterize Conditions for executing paths

Symbolic Execution Builds predicates that characterize Conditions for executing paths Symbolic Execution and Proof of Effects of the execution on program state Properties Bridges program behavior to logic Finds important

309 views • 6 slides
Symbolic Execution of Maintainer Scripts Nicolas Jeannerod and Ralf Treinen joint work with

Symbolic Execution of Maintainer Scripts Nicolas Jeannerod and Ralf Treinen joint work with

Introduction Symbolic Execution of Scripts Symbolic Execution of Maintainer Scripts Demo Time Detected Bugs Conclusions App Symbolic Execution of Maintainer Scripts Nicolas Jeannerod and Ralf Treinen joint work with Benedikt Becker, Claude

1.71k views • 115 slides
An Introduction to Dynamic Symbolic Execution and the KLEE Infrastructure Cristian Cadar

An Introduction to Dynamic Symbolic Execution and the KLEE Infrastructure Cristian Cadar

An Introduction to Dynamic Symbolic Execution and the KLEE Infrastructure Cristian Cadar Department of Computing Imperial College London 14 th TAROT Summer School UCL, London, 3 July 2018 Dynamic Symbolic Execution Dynamic symbolic

856 views • 56 slides
Pending Constraints in Symbolic Execution for Better Exploration and Seeding Timotej Kapus Frank

Pending Constraints in Symbolic Execution for Better Exploration and Seeding Timotej Kapus Frank

Pending Constraints in Symbolic Execution for Better Exploration and Seeding Timotej Kapus Frank Busse Cristian Cadar Imperial College London 1 Symbolic Execution Program analysis technique Active research area Used in

1.04k views • 70 slides
Symbolic Execution of Security Protocol Impl.: Handling Cryptographic Primitives Mathy Vanhoef

Symbolic Execution of Security Protocol Impl.: Handling Cryptographic Primitives Mathy Vanhoef

Symbolic Execution of Security Protocol Impl.: Handling Cryptographic Primitives Mathy Vanhoef @vanhoefm USENIX WOOT, Baltimore, US, 14 August 2018 Overview Symbolic Execution 4-way handshake Handling Crypto Results 2 Overview Symbolic

446 views • 41 slides
Symbolic Evaluation/Execution Todays Reading Material L. A. Clarke and D. J. Richardson,

Symbolic Evaluation/Execution Todays Reading Material L. A. Clarke and D. J. Richardson,

Symbolic Evaluation/Execution Todays Reading Material L. A. Clarke and D. J. Richardson, &quot;Applications of Symbolic Evaluation,&quot; Journal of Systems and Software, 5 (1), January 1985, pp.15-35. Symbolic Evaluation/Execution

1.07k views • 60 slides
Efficient Symbolic Execution for Software Testing Johannes Kinder Royal Holloway, University of

Efficient Symbolic Execution for Software Testing Johannes Kinder Royal Holloway, University of

Efficient Symbolic Execution for Software Testing Johannes Kinder Royal Holloway, University of London Joint work with: Stefan Bucur, George Candea, Volodymyr Kuznetsov @ EPFL Symbolic Execution Automatically explore program paths

2.34k views • 200 slides
Timotej Kapus Cristian Cadar Imperial College London 1 Symbolic Execution Program

Timotej Kapus Cristian Cadar Imperial College London 1 Symbolic Execution Program

Timotej Kapus Cristian Cadar Imperial College London 1 Symbolic Execution Program analysis technique Active research area Used in industry IntelliTest, SAGE Angr KLOVER 2 Why symbolic execution? No

916 views • 73 slides
Outline Static Analysis: Symbolic Execution and Inductive Verification Methods Overview TDDC90:

Outline Static Analysis: Symbolic Execution and Inductive Verification Methods Overview TDDC90:

Outline Static Analysis: Symbolic Execution and Inductive Verification Methods Overview TDDC90: Software Security Symbolic Execution Ahmed Rezine Hoare Triples and Deductive Reasoning IDA, Linkpings Universitet Hsttermin 2014 Static

373 views • 6 slides
On the Analysis of the Internet from a Geographic and Economic Perspective via BGP Raw Data

On the Analysis of the Internet from a Geographic and Economic Perspective via BGP Raw Data

On the Analysis of the Internet from a Geographic and Economic Perspective via BGP Raw Data Alessandro Improta Advisors: Prof. Luciano Lenzini Prof. Gigliola Vaglini Ing. Enrico Gregori Pisa - May 24th, 2013 Alessandro Improta On the

336 views • 32 slides
Towards Field Theory of D-Branes Tamiaki Yoneya (University of Tokyo, Komaba) Motivations:

Towards Field Theory of D-Branes Tamiaki Yoneya (University of Tokyo, Komaba) Motivations:

Towards Field Theory of D-Branes Tamiaki Yoneya (University of Tokyo, Komaba) Motivations: D-brane field theory ? Free-fermion representation of single-charge 1/2-BPS operators: Puzzles and resolution A Toy Theory: D3-brane field

712 views • 32 slides
(Supersymmetric) Godel Space from Wrapped M2 Branes Bert Vercnocke, ITF, K.U.Leuven in

(Supersymmetric) Godel Space from Wrapped M2 Branes Bert Vercnocke, ITF, K.U.Leuven in

(Supersymmetric) Godel Space from Wrapped M2 Branes Bert Vercnocke, ITF, K.U.Leuven in collaboration with: Tommy Levi (NYU) Joris Raeymaekers (FZU Prague) Dieter Van den Bleeken (Rutgers U.) Walter Van Herck (K.U.Leuven)

681 views • 33 slides
5. Using language signs on suitable contexts 5.1 Bhlers organon model 5.1.1 Theory of

5. Using language signs on suitable contexts 5.1 Bhlers organon model 5.1.1 Theory of

FoCL, Chapter 5: Using language signs on suitable contexts 69 5. Using language signs on suitable contexts 5.1 Bhlers organon model 5.1.1 Theory of pragmatics Analyzes the general principles of purposeful action. Describes how a cognitive

332 views • 15 slides
Formally Verified Differential Dynamic Logic (in Isabelle/HOL and Coq) Brandon Bohrer ,

Formally Verified Differential Dynamic Logic (in Isabelle/HOL and Coq) Brandon Bohrer ,

Formally Verified Differential Dynamic Logic (in Isabelle/HOL and Coq) Brandon Bohrer , Vincent Rahli, Ivana Vukotic, Marcus Vlp, Andr Platzer Thanks to: Johannes Hlzl, Fabian Immler, Tobias Nipkow, et. al. + Coquelicot team

540 views • 38 slides
Visib isible Dep e Depen ende dent nt Quan uantifjcati tifjcation on (V (VDQ) Q) Ryan

Visib isible Dep e Depen ende dent nt Quan uantifjcati tifjcation on (V (VDQ) Q) Ryan

Visib isible Dep e Depen ende dent nt Quan uantifjcati tifjcation on (V (VDQ) Q) Ryan Scott PL Wonks March 8, 2019 Code t Code time! me! The VDQ p he VDQ pat atch ch --- a/compiler/parser/Parser.y +++

547 views • 27 slides
Computer Graphics III Monte Carlo integration Direct illumination Jaroslav Kivnek, MFF

Computer Graphics III Monte Carlo integration Direct illumination Jaroslav Kivnek, MFF

Computer Graphics III Monte Carlo integration Direct illumination Jaroslav Kivnek, MFF UK Jaroslav.Krivanek@mff.cuni.cz Entire the lecture in 5 slides in out Reflection equation Total reflected radiance: integrate

1.12k views • 62 slides
b d q d + + q kd kd kq kq f f a c (a) (b) - d d + q + - -

b d q d + + q kd kd kq kq f f a c (a) (b) - d d + q + - -

b d q d + + q kd kd kq kq f f a c (a) (b) - d d + q + - - kq - kd Vs + ( r) E - + f Ep + q a t (ref) 1 ref Is (b) (a) Three-phase machine Two-phase

527 views • 16 slides

More recommend