the bincoa framework for binary code analysis
play

The BINCOA Framework for Binary Code Analysis S ebastien Bardin, - PowerPoint PPT Presentation

Mar 18, 2023 •9 likes •149 views

The BINCOA Framework for Binary Code Analysis S ebastien Bardin, Philippe Herrmann, J er ome Leroux, Olivier Ly, Renaud Tabary, Aymeric Vincent CEA LIST (Saclay, Paris) LABRI (Bordeaux) 1/ 13 Binary code analysis 2/ 13 Binary code

  1. The BINCOA Framework for Binary Code Analysis S´ ebastien Bardin, Philippe Herrmann, J´ erˆ ome Leroux, Olivier Ly, Renaud Tabary, Aymeric Vincent CEA LIST (Saclay, Paris) LABRI (Bordeaux) 1/ 13

  2. Binary code analysis 2/ 13

  3. Binary code analysis at a glimpse Recent research field [Codesurfer/x86, SAGE, Jakstab, Osmose, TraceAnalyzer, McVeto, Vine, BAP ] Many promising applications off-the-shelf components (including libraries) mobile code (including malware) third-party certification Advantages over source-code analysis always available no “compilation gap” allows precise quantitative analysis (ex : wcet) Very challenging conceptual challenges practical issues 3/ 13

  4. Practical issues Engineering issue : many different (large) ISAs supporting a new ISA : time-consuming, error-prone, tedious consequence : each tool support only a few ISAs (often one !) Semantic issue : each tool comes with its own formal( ?) model exact semantics seldom available modelling hypothesises often unclear Consequences lots of redundant engineering work between analysers difficult to achieve empiric comparisons difficult to combine / reuse tools 4/ 13

  5. The BINary COde Analysis project French research project (CEA, Uni. Bordeaux 1, Uni. Paris 7) Propose a common formal model for low-level programs Dynamic Bitvector Automata (DBA) Provide basic open-source tool support basic DBA manipulation • (future) front-ends from x86, PPC, ARM Develop (complementary) binary-level analysers OSMOSE (CEA), TraceAnalyzer (CEA), Insight (LABRI) 5/ 13

  6. Long-term objective • Mutualize engineering work • Common semantic • Ease collaboration between analyses 6/ 13

  7. Dynamic Bitvector Automata Main design ideas small set of instructions concise and natural modelling of common ISAs low-level enough to allow bit-precise modelling Can model : instruction overlapping, return address smashing, endianness, overlapping memory read/write Limitations : (strong) no self-modifying code, (weak) no dynamic memory allocation, no FPA 7/ 13

  8. Dynamic Bitvector Automata (2) Extended automata-like formalism bitvector variables and arrays of bytes all bv sizes statically known, no side-effects standard operations from BVA Feature 1 : Dynamic transitions for dynamic jumps Feature 2 : Directed multiple-bytes read and write operations for endianness and word load/store Feature 3 : Memory zone properties for (simple) environment 8/ 13

  9. Dynamic Bitvector Automata (2) Feature 1 : Dynamic transitions some nodes are labelled by an address dynamic transitions have no predefined destination destination computed dynamically via a target expression Feature 2 : Directed multiple-bytes read and write operations array [ expr ; k # ], where k ∈ N and # ∈ {← , →} Feature 3 : Memory zone properties specify special behaviour for some segments of memory volatile, write-aborts, write-ignored, read-aborts 8/ 13

  10. Modelling with DBA Procedure calls / returns : encoded as static / dynamic jumps Memory zone properties, a few examples : ROM (write-ignored) , memory controlled by env (volatile) , code section (write-aborts) 9/ 13

  11. DBA toolbox Open-source Ocaml code for basic DBA manipulation Features a datatype for DBAs basic “typing” (size checking) over DBAs import (export) from (to) a XML format DBA simplification (see next) GPL license, based on xml-light, ≈ 3 kloc 10/ 13

  12. DBA toolbox - simplifications Goal : simplify unduly complex DBAs typically obtained from instruction-wise translation useless flag computations / auxiliary variables / etc. Inspired by standard compilation techniques [peephole, dead code, etc.] beware of partial DBAs and dynamic jumps ! rethink these standard techniques in a partial CFG setting Results : size reduction of − 50% (all instrs), and between − 30% and − 50% (non-goto instrs) 11/ 13

  13. Binary-level analysers Osmose (CEA) [ICST-08, STVR-11] automatic test data generation (dynamic symbolic execution) 75 kloc of OCaml, front-ends : PPC, M6800, Intel c509 case-studies : programs from aeronautics and energy > negotiations to become open-source TraceAnalyzer (CEA, with Franck V´ edrine) [VMCAI-11] safe CFG reconstruction (refinement-based static analysis) 29 kloc of C++, front-end : PPC case-studies : programs from aeronautics Insight (LABRI, with Emmanuel Fleury) abstract interpretation and weakest precondition C++, front-end : x86 case-studies (on-going) : polymorphic virus analysis > aims at being open source when the API stabilizes 12/ 13

  14. Conclusion Current state DBAs are a nice formalism to work with [improve our former model] common semantics allows exchange of information [OSMOSE - Traceanalyzer] basic DBA support Ongoing and future work open-source front-ends extensions of DBAs : support for dynamic memory allocation 13/ 13

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Binary Numbers Binary numbers look like this Binary Numbers or Binary Code Binary numbers or

Binary Numbers Binary numbers look like this Binary Numbers or Binary Code Binary numbers or

Binary Numbers Binary numbers look like this Binary Numbers or Binary Code Binary numbers or binary code are used by computers and digital devices to talk to each other. It is used to give commands to the computer or a way to enter data

165 views • 12 slides
Dyninst: A Binary Analysis and Modification Framework Jeffrey K. Hollingsworth Ray Chen

Dyninst: A Binary Analysis and Modification Framework Jeffrey K. Hollingsworth Ray Chen

Dyninst: A Binary Analysis and Modification Framework Jeffrey K. Hollingsworth Ray Chen University of Maryland Department of Computer Science University of Maryland Binary modification Behavior Attack Detection Analysis Binary Program

492 views • 24 slides
Contents 1. Binary firmware analysis 2. Tooling landscape 3. The avatar 2 framework 4. Examples

Contents 1. Binary firmware analysis 2. Tooling landscape 3. The avatar 2 framework 4. Examples

avatar 2 Marius Muench 34c3 - December 29, 2017 Contents 1. Binary firmware analysis 2. Tooling landscape 3. The avatar 2 framework 4. Examples 5. Conclusion 1 Binary Firmware Analysis Motivation Amount of embedded devices steadily

3.29k views • 51 slides
(Binary code is a series of digits, that are either ones or zeros. Each digit is called a

(Binary code is a series of digits, that are either ones or zeros. Each digit is called a

Welcome back! In the last session, we started to look at computers and coding, and explored the computer language binary. Can anyone remember what binary code looks like? (Binary code is a series of digits, that are either ones or zeros.

402 views • 25 slides
QSynth - A Program Synthesis approach for Binary Code Deobfuscation Binary Analysis Workshop -

QSynth - A Program Synthesis approach for Binary Code Deobfuscation Binary Analysis Workshop -

QSynth - A Program Synthesis approach for Binary Code Deobfuscation Binary Analysis Workshop - NDSS Robin David <rdavid@quarkslab.com> Luigi Coniglio <luigi.coniglio@studenti.unitn.it> Mariano Ceccato <mariano.ceccato@univr.it>

1.12k views • 82 slides
DeepBinDiff : Learning Program-Wide Code Representations for Binary Diffing Yue Duan, Xuezixiang

DeepBinDiff : Learning Program-Wide Code Representations for Binary Diffing Yue Duan, Xuezixiang

DeepBinDiff : Learning Program-Wide Code Representations for Binary Diffing Yue Duan, Xuezixiang Li, Jinghan Wang, and Heng Yin 1 Motivation Binary Code Differential Analysis quantitatively measure the similarity between two given

507 views • 27 slides
rev.ng A unified static binary analysis framework Alessandro Di Federico PhD student at

rev.ng A unified static binary analysis framework Alessandro Di Federico PhD student at

rev.ng A unified static binary analysis framework Alessandro Di Federico PhD student at Politecnico di Milano LLVM developers meeting 2016 November 3, 2016 Index Introduction A peek inside Recovery of switch cases Function detection

908 views • 53 slides
Experiences with the Carnegie Mellon Binary Analysis Platform (CMU BAP) Sam L. Thomas, CNRS,

Experiences with the Carnegie Mellon Binary Analysis Platform (CMU BAP) Sam L. Thomas, CNRS,

Experiences with the Carnegie Mellon Binary Analysis Platform (CMU BAP) Sam L. Thomas, CNRS, IRISA sam.thomas@irisa.fr Introduction - what is BAP? Binary analysis framework: For program analysis For (aiding) reverse engineering (plugin

667 views • 29 slides
Using Axe to Reason About Binary Code Eric Smith Kestrel Institute and Kestrel Technology

Using Axe to Reason About Binary Code Eric Smith Kestrel Institute and Kestrel Technology

Using Axe to Reason About Binary Code Eric Smith Kestrel Institute and Kestrel Technology ACL2 Workshop, May, 2017 Goal Lift binary code into logic JVM bytecode x86 binary code Then verify against a spec using Axe

276 views • 24 slides
Problem: Huffman Coding Def: binary character code = assignment of binary strings to characters

Problem: Huffman Coding Def: binary character code = assignment of binary strings to characters

Problem: Huffman Coding Def: binary character code = assignment of binary strings to characters e.g. ASCII code A = 01000001 fixed-length code B = 01000010 C = 01000011 How to decode: ? 01000001010000100100001101000001 Problem:

163 views • 13 slides
Problem: Huffman Coding Def: binary character code = assignment of binary strings to characters

Problem: Huffman Coding Def: binary character code = assignment of binary strings to characters

Problem: Huffman Coding Def: binary character code = assignment of binary strings to characters e.g. ASCII code A = 01000001 fixed-length code B = 01000010 C = 01000011 How to decode: ? 01000001010000100100001101000001 Problem:

348 views • 14 slides
Platform-independent static binary code analysis using a meta- assembly language Thomas Dullien,

Platform-independent static binary code analysis using a meta- assembly language Thomas Dullien,

Platform-independent static binary code analysis using a meta- assembly language Thomas Dullien, Sebastian Porst zynamics GmbH CanSecWest 2009 Overview The REIL Language Abstract Interpretation MonoREIL Results 2 Motivation Bugs are

677 views • 52 slides
Binsec/RelSE Efficient Constant-Time Analysis of Binary-Level Code with Relational Symbolic

Binsec/RelSE Efficient Constant-Time Analysis of Binary-Level Code with Relational Symbolic

Binsec/RelSE Efficient Constant-Time Analysis of Binary-Level Code with Relational Symbolic Execution Supervisors: Author: Lesly-Ann Daniel Sbastien Bardin CEA LIST CEA LIST Tamara Rezk Oct 2018 - Oct 2021 INRIA Sophia Antipolis

777 views • 38 slides
! The variable-length code is a prefix min f ( c ) d ( c ) code : no binary string is

! The variable-length code is a prefix min f ( c ) d ( c ) code : no binary string is

Coding ! Representing characters from some input alphabet using another alphabet . Example: input characters from the Latin Huffman Codes alphabet, output strings of binary digits. ! Fixed-length binary character code: for an input

326 views • 3 slides
Binary Code Analysis: Concepts and Perspectives Emmanuel Fleury

Binary Code Analysis: Concepts and Perspectives Emmanuel Fleury

Binary Code Analysis: Concepts and Perspectives Emmanuel Fleury <emmanuel.fleury@u-bordeaux.fr> LaBRI, Universit de Bordeaux, France May 12, 2016 E. Fleury (LaBRI, France) Binary Code Analysis: Concepts and Perspectives May 12, 2016

990 views • 98 slides
Binary Stirring: Self-randomizing Instruction Addresses of Legacy x86 Binary Code Papadaki

Binary Stirring: Self-randomizing Instruction Addresses of Legacy x86 Binary Code Papadaki

University of Crete Computer Science Department CS457 Introduction to Information Systems Security Binary Stirring: Self-randomizing Instruction Addresses of Legacy x86 Binary Code Papadaki Eleni 872 Rigakis Nikolaos 2422

513 views • 22 slides
MySQL 8 Tips and Tricks Dave Stokes @stoker david.stokes@oracle.com

MySQL 8 Tips and Tricks Dave Stokes @stoker david.stokes@oracle.com

MySQL 8 Tips and Tricks Dave Stokes @stoker david.stokes@oracle.com Elephantdolphin.blogger.com OpensourceDBA.wordpress.com What This Talk Is About?? 2 MySQL 8 Features This is not a simple talk on performance tuning a database or a

1.77k views • 113 slides
Acacia + , a Tool for LTL Synthesis Aaron Bohy 1 ere 1 Emmanuel Filiot 2 V eronique Bruy`

Acacia + , a Tool for LTL Synthesis Aaron Bohy 1 ere 1 Emmanuel Filiot 2 V eronique Bruy`

Acacia+ LTL realizability and synthesis Theoretical background References Acacia + , a Tool for LTL Synthesis Aaron Bohy 1 ere 1 Emmanuel Filiot 2 V eronique Bruy` Naiyong Jin 3 cois Raskin 2 Jean-Fran 1 Universit 2 Universit 3

210 views • 9 slides
Carnegie Mellon Univ. Dept. of Computer Science 15-415 - Database Applications C. Faloutsos

Carnegie Mellon Univ. Dept. of Computer Science 15-415 - Database Applications C. Faloutsos

Faloutsos CMU SCS 15-415 CMU SCS Carnegie Mellon Univ. Dept. of Computer Science 15-415 - Database Applications C. Faloutsos Lecture#1: Introduction CMU SCS Outline Introduction to DBMSs The Entity Relationship model The

272 views • 26 slides
SQL Best Practices for SharePoint admins, the reluctant DBA ITP324 Todd Klindt Todd Klindt,

SQL Best Practices for SharePoint admins, the reluctant DBA ITP324 Todd Klindt Todd Klindt,

SQL Best Practices for SharePoint admins, the reluctant DBA ITP324 Todd Klindt Todd Klindt, MVP Solanite Consulting, Inc. http://www.solanite.com http://www.toddklindt.com/blog todd@solanite.com Author, Inside SharePoint

575 views • 22 slides
Datenbanken IIB: DBMS-Implementierung Chapter 1: Introduction Prof. Dr. Stefan Brass

Datenbanken IIB: DBMS-Implementierung Chapter 1: Introduction Prof. Dr. Stefan Brass

DB Services Tasks of the DBA The Oracle Data Dictionary DB Schema Information in Oracle Datenbanken IIB: DBMS-Implementierung Chapter 1: Introduction Prof. Dr. Stefan Brass Martin-Luther-Universit at Halle-Wittenberg Wintersemester

942 views • 65 slides
Complexity of B uchi automata minimization Dejan Kostyszyn Chair of Software Engineering

Complexity of B uchi automata minimization Dejan Kostyszyn Chair of Software Engineering

Overview Foundations Definitions & Constructions Main proof Complexity of B uchi automata minimization Dejan Kostyszyn Chair of Software Engineering February 3, 2018 Dejan Kostyszyn Complexity of B uchi automata minimization 1

1k views • 63 slides
Transition and Succession Planning for Lawyers Matt Spain Josh Rohrscheib Wha hat i is a a

Transition and Succession Planning for Lawyers Matt Spain Josh Rohrscheib Wha hat i is a a

Transition and Succession Planning for Lawyers Matt Spain Josh Rohrscheib Wha hat i is a a Succes Succession Plan? Unexpected Exit or Absence From Practice A basic plan provides instructions designating another competent lawyer to

798 views • 42 slides
IT Administra-ve Controls Week 3 Organizing an IT Func-on What func-ons are Opera-ons

IT Administra-ve Controls Week 3 Organizing an IT Func-on What func-ons are Opera-ons

IT Administra-ve Controls Week 3 Organizing an IT Func-on What func-ons are Opera-ons cri-cal to an IT Applica-on development organiza-on? Architecture Program management Security Compliance/quality Finance

245 views • 8 slides

More recommend