tutorial setup
play

Tutorial Setup Interactive Session Temporary shell account provided - PowerPoint PPT Presentation

Dec 31, 2022 •48 likes •268 views

Tutorial Setup Interactive Session Temporary shell account provided Environment setup to use DyninstAPI Feel free to experiment SSH Terminal Client Login Information provided on handout No SSH Terminal? Google Putty

  1. Tutorial Setup  Interactive Session – Temporary shell account provided – Environment setup to use DyninstAPI – Feel free to experiment  SSH Terminal Client – Login Information provided on handout – No SSH Terminal? • Google Putty  Not a Demo – Got a question? Ask it. University of Maryland

  2. Shell Environment  Home Directory – Hello World (hello.c) – Quicksort (qsort.c) – Sample mutator (watcher.cxx) – Sample mutatee (caller.c)  Shell Environment – LD_LIBRARY_PATH includes Dyninst libraries – PATH includes parseThat University of Maryland

  3. Pre-Built Mutator  parseThat – General tool for parsing and instrumentation – User-controlled depth of parsing • Module • Function • Control-Flow Graph – User-controlled depth of instrumentation • Function entry/exit • Basic blocks • Memory reads/writes University of Maryland

  4. Basic ParseThat (Parsing)  Parsing depth control flag ( – p) – Module (-p0) – Function (-p1) – Control-Flow Graph (-p2)  Depth flag is not absolute – Deeper parsing will occur on-demand if needed $ parseThat – p2 – v hello [ Processing hello ] ===================================== Creating new BPatch object... done. … – Add the – v flag to see additional information University of Maryland

  5. Basic ParseThat (Instrumentation)  Default instrumentation – Mutatee allocates heap memory for counter – Increment new memory at specific locations  Instrumentation control flag (-i) – Function entry (-i1) – Function exit (-i2) – Basic block (-i3) – Memory read instruction (-i4) – Memory write instruction (-i5)  Event report flag (-s) – Instrument the mutatee to print University of Maryland

  6. Intermediate ParseThat  Call tracing (-T) – Print a message at function entry points – Use integer argument to limit output • -T=10 only prints last 10 function calls $ parseThat – i1 -T qsort 20 [ Processing qsort ] ===================================== Creating new BPatch object... done. …  Useful for retrieving final call path of crashing programs University of Maryland

  7. Advanced ParseThat  Additional features – Attach to running program – Write instrumented binary to disk – Selective instrumentation • Use regular expressions to choose functions – Load your own instrumentation library • Shared libraries loaded – Track memory/cpu resource usage • Used for our nightly tests University of Maryland

  8. Analysis of Malicious Software Why malware? • Malware attacks cost billions of dollars annually [1][2] • 28 days on average to resolve a cybercrime [2] • 90% of malware resists analysis [3] [1] Computer Economics. 2007 [2] Norton. 2010 [3] McAfee. 2008 Slides adapted from Kevin Roundy <roundy@cs.wisc.edu> University of Maryland

  9. Unresolvable Control-Flow invalid target non-standard indirect non-standard return push eax call 401000 jmp eax call ptr[eax] ret ? ? Invalid Region ? Slides adapted from Kevin Roundy <roundy@cs.wisc.edu> University of Maryland

  10. Call-Stack Tampering Base address: 0x40d002 02 03 04 05 06 07 08 09 0a 0b 0c 0d e8 03 00 00 00 e9 eb 04 5d 45 55 c3 CALL JMP 40d00a 459dd4f7 JMP POP INC PUSH RET 40d00e ebp ebp ebp Slides adapted from Kevin Roundy <roundy@cs.wisc.edu> University of Maryland

  11. Exception-based Control-Flow access violation handler xor eax,eax mov ecx,*[eax] push eax … ... mov *[ebp],eax mov 402d8a,edx Exception mov edx,*[eax+b8] State eip 402d8a eip 401002 ... Operating System Slides adapted from Kevin Roundy <roundy@cs.wisc.edu> University of Maryland

  12. Code Packing Entry Point Aspack Storm Worm 7a 77 0e 20 e9 3d e0 09 e8 68 c0 45 be 79 5e 7a 77 0e 20 e9 3d e0 09 e8 68 c0 45 be 79 5e 80 89 08 27 c0 73 1c 88 48 6a d8 6a d0 56 4b 80 89 08 27 c0 73 1c 88 48 6a d8 6a d0 56 4b fe 92 57 af 40 0c b6 f2 64 32 f5 07 b6 66 21 fe 92 57 af 40 0c b6 f2 64 32 f5 07 b6 66 21 80 89 08 27 c0 73 1c 88 48 6a d8 6a d0 56 4b 0c 85 a5 94 2b 20 fd 5b 95 e7 c2 16 90 14 8a 0c 85 a5 94 2b 20 fd 5b 95 e7 c2 16 90 14 8a 14 26 60 d9 83 a1 37 1b 2f b9 51 84 02 1c 22 14 26 60 d9 83 a1 37 1b 2f b9 51 84 02 1c 22 8e 63 01 8e 63 01 c0 73 1c 88 48 c0 73 1c 88 48 77 0e Slides adapted from Kevin Roundy <roundy@cs.wisc.edu> University of Maryland

  13. Code Overwriting Entry Point Entry Point Aspack Upack Storm Worm Malware 7a 77 0e 20 e9 3d e0 09 e8 68 c0 45 be 79 5e 7a 77 0e 20 e9 3d e0 09 e8 68 c0 45 be 79 5e 7a 77 0e 20 e9 3d e0 09 e8 68 c0 45 be 79 5e 80 89 08 27 c0 73 1c 88 48 6a d8 6a d0 56 4b 80 89 08 27 c0 73 1c 88 48 6a d8 6a d0 56 4b 80 89 08 27 c0 73 1c 88 48 6a d8 6a d0 56 4b fe 92 57 af 40 0c b6 f2 64 32 f5 07 b6 66 21 fe 92 57 af 40 0c b6 f2 64 32 f5 07 b6 66 21 fe 92 57 af 40 0c b6 f2 64 32 f5 07 b6 66 21 0c 85 a5 94 2b 20 fd 79 5e 80 89 08 27 c0 73 80 89 08 27 c0 73 1c 88 48 6a d8 6a d0 56 4b 0c 85 a5 94 2b 20 fd 5b 95 e7 c2 16 90 14 8a 1c 88 48 6a d8 5b 95 e7 c2 16 90 14 8a 14 26 0c 85 a5 94 2b 20 fd 5b 95 e7 c2 16 90 14 8a 14 26 60 d9 83 a1 37 1b 2f b9 51 84 02 1c 22 60 d9 83 a1 37 1b 2f b9 51 84 02 1c 22 8e 63 14 26 60 d9 83 a1 37 1b 2f b9 51 84 02 1c 22 8e 63 01 60 d9 83 a1 37 1b 2f b9 51 84 02 1c 22 8e 63 8e 63 01 c0 73 1c 88 48 c0 73 1c 88 48 77 0e Slides adapted from Kevin Roundy <roundy@cs.wisc.edu> University of Maryland

  14. Static Analysis Only Parse from known entry points Show analysis to user, who instruments based on analysis Execute ? ? Slides adapted from Kevin Roundy <roundy@cs.wisc.edu> University of Maryland

  15. Static/Dynamic Hybrid Analysis Parse from known entry points Show analysis to user, who instruments based on analysis Insert run-time interception mechanisms Execute/Resume ? ? obfuscation- code exception resolving overwrite interceptor instrumentation detector Slides adapted from Kevin Roundy <roundy@cs.wisc.edu> University of Maryland

  16. Static/Dynamic Hybrid Analysis Parse from known entry points Show analysis to user, who instruments based on analysis Insert run-time interception mechanisms Execute/Resume ? ? obfuscation- code exception resolving overwrite interceptor instrumentation detector Slides adapted from Kevin Roundy <roundy@cs.wisc.edu> University of Maryland

  17. Static/Dynamic Hybrid Analysis Parse from known entry points Show analysis to user, who instruments based on analysis Insert run-time interception mechanisms Execute/Resume ? ? obfuscation- code exception resolving overwrite interceptor instrumentation detector Slides adapted from Kevin Roundy <roundy@cs.wisc.edu> University of Maryland

  18. Static/Dynamic Hybrid Analysis Parse from known entry points Show analysis to user, who instruments based on analysis Insert run-time interception mechanisms Execute/Resume ? ? obfuscation- code exception resolving overwrite interceptor instrumentation detector Slides adapted from Kevin Roundy <roundy@cs.wisc.edu> University of Maryland

  19. Static/Dynamic Hybrid Analysis Parse from known entry points Show analysis to user, who instruments based on analysis Insert run-time interception mechanisms Execute/Resume ? ? obfuscation- code exception resolving overwrite interceptor instrumentation detector Slides adapted from Kevin Roundy <roundy@cs.wisc.edu> University of Maryland

  20. Static/Dynamic Hybrid Analysis Parse from known entry points Show analysis to user, who instruments based on analysis Insert run-time interception mechanisms Execute/Resume ? obfuscation- code exception resolving overwrite interceptor instrumentation detector Slides adapted from Kevin Roundy <roundy@cs.wisc.edu> University of Maryland

  21. Static/Dynamic Hybrid Analysis Parse from known entry points Show analysis to user, who instruments based on analysis Insert run-time interception mechanisms Execute/Resume ? obfuscation- code exception resolving overwrite interceptor instrumentation detector Slides adapted from Kevin Roundy <roundy@cs.wisc.edu> University of Maryland

  22. Our Simple Malware Mutator  Dyninst provides the functionality – Kevin Roundy – Beyond the scope of this tutorial  Unresolvable control-flow watcher – Statically analyze binary for the following: • Function entry points • Dynamic call points – Maintain a set of function entry addresses – Pause mutatee at dynamic call points mid-run • Check target address against function entry • If invalid, kill the mutatee University of Maryland

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Tutorial 2 Automatic Placement &amp; Routing Please follow the instructions found under Setup on

Tutorial 2 Automatic Placement &amp; Routing Please follow the instructions found under Setup on

Tutorial 2 Automatic Placement &amp; Routing Please follow the instructions found under Setup on the CADTA main page before starting this tutorial. 1.1. Start Encounter Log on to a VLSI server using your EE departmental username and password.

539 views • 23 slides
Setup Desktop Grids and Bridges Tutorial Robert Lovas, MTA SZTAKI RI-261556 6 th IDGF Tutorial

Setup Desktop Grids and Bridges Tutorial Robert Lovas, MTA SZTAKI RI-261556 6 th IDGF Tutorial

Setup Desktop Grids and Bridges Tutorial Robert Lovas, MTA SZTAKI RI-261556 6 th IDGF Tutorial Outline of the SZDG installation process 1. Installing the base operating system 2. Basic configuration of the operating system 3. Installing

636 views • 39 slides
Tutorial Files for this tutorial can be downloaded from:

Tutorial Files for this tutorial can be downloaded from:

Cadence First Encounter Tutorial Files for this tutorial can be downloaded from: www.cs.wright.edu/~emmert/tutorials/enc_files.tar.gz Dr. J M Emmert Configuration File This file contains information used to setup your

560 views • 18 slides
Suricata Tutorial FloCon 2016 Agenda Setup Introduction to Suricata Suricata as

Suricata Tutorial FloCon 2016 Agenda Setup Introduction to Suricata Suricata as

Suricata Tutorial FloCon 2016 Agenda Setup Introduction to Suricata Suricata as a SSL monitor Suricata as a passive DNS probe Suricata as a flow probe Suricata as a malware detector VirtualBox setup File -&gt;

1.16k views • 78 slides
Rhine - FRP with type level clocks A tea tutorial Manuel Brenz 15. Januar 2020 Setup Quick

Rhine - FRP with type level clocks A tea tutorial Manuel Brenz 15. Januar 2020 Setup Quick

Setup Quick introduction to Rhine Lets hack! After the tutorial Rhine - FRP with type level clocks A tea tutorial Manuel Brenz 15. Januar 2020 Setup Quick introduction to Rhine Lets hack! After the tutorial cabal update git

874 views • 73 slides
Tutorial: Howto setup a Remote Test Lab (not only) within the AGL CI Infrastructure ALS

Tutorial: Howto setup a Remote Test Lab (not only) within the AGL CI Infrastructure ALS

Tutorial: Howto setup a Remote Test Lab (not only) within the AGL CI Infrastructure ALS Jun 2017 Jan-Simon Mller Introduction Name: Jan-Simon Mller Email: jsmoeller@linuxfoundation.org IRC: dl9pf , #automotive on

472 views • 33 slides
D3 Tutorial Introduction of Basic Components: HTML, CSS, SVG, and JavaScript D3.js Setup Edit by

D3 Tutorial Introduction of Basic Components: HTML, CSS, SVG, and JavaScript D3.js Setup Edit by

D3 Tutorial Introduction of Basic Components: HTML, CSS, SVG, and JavaScript D3.js Setup Edit by Jiayi Xu and Han-Wei Shen, The Ohio State University HTML - H yper T ext M arkup L anguage HTML is the standard markup language for creating Web

1.14k views • 39 slides
The Meade ETX Telescope A Tutorial for both Basic and Advanced Setup A Service Provided by the

The Meade ETX Telescope A Tutorial for both Basic and Advanced Setup A Service Provided by the

The Meade ETX Telescope A Tutorial for both Basic and Advanced Setup A Service Provided by the The Meade ETX 90 The Meade ETX series is a sophisticated entry level telescope suitable for people that would like to view the night sky without

608 views • 30 slides
Tutorial: GAN Dissection What is learned inside a GAN? David Bau To follow along:

Tutorial: GAN Dissection What is learned inside a GAN? David Bau To follow along:

Setup here: http://bit.ly/gandtut Tutorial: GAN Dissection What is learned inside a GAN? David Bau To follow along: http://bit.ly/ gandtut We will go through a Jupyter notebook. Ideal machine has git, conda, and a GPU. Setup here:

305 views • 5 slides
EEHPC lab Prof. Mohsenin # Tutorial for Encounter Place+Route ##Encounter Setup After each

EEHPC lab Prof. Mohsenin # Tutorial for Encounter Place+Route ##Encounter Setup After each

EEHPC lab Prof. Mohsenin # Tutorial for Encounter Place+Route ##Encounter Setup After each step, make sure to check the encounter.log file for errors in place and route. Keep in mind that the step may appear to complete successfully even if

158 views • 12 slides
Course setup 9 ec course examination based on computer exercises weekly exercises

Course setup 9 ec course examination based on computer exercises weekly exercises

Course setup 9 ec course examination based on computer exercises weekly exercises discussed in tutorial class All course materials (slides, exercises) and schedule via http://www.snn.ru. nl/bertk/machinelearning/ Bert Kappen ML

696 views • 43 slides
Lab 0: Dev Env Setup Rizky Wellyanto (wellyan2) NodeJS + NPM Download here:

Lab 0: Dev Env Setup Rizky Wellyanto (wellyan2) NodeJS + NPM Download here:

Lab 0: Dev Env Setup Rizky Wellyanto (wellyan2) NodeJS + NPM Download here: https://nodejs.org/en/download/ NPM tutorial: https://docs.npmjs.com/about-npm/ NodeJS Documentation: https://nodejs.org/docs/latest-v9.x/api/ Terminal Example setup

120 views • 8 slides
CSE 547 : Spark Tutorial Topics Overview Useful Spark Actions and Operations Help

CSE 547 : Spark Tutorial Topics Overview Useful Spark Actions and Operations Help

CSE 547 : Spark Tutorial Topics Overview Useful Spark Actions and Operations Help session Setup Follow instructions in HW 0 Piazza Office Hour Deployment Options Local Stand-alone clusters Managed clusters

234 views • 20 slides
Scintillators: Setup, performance and lessons learned Ran Hong CENPA, University of Washington

Scintillators: Setup, performance and lessons learned Ran Hong CENPA, University of Washington

Scintillators: Setup, performance and lessons learned Ran Hong CENPA, University of Washington Scintillator/Light-guide Setup PMT Setup Signal reading Scintillator Setup ScR Beam Veto ScL Scintillator Setup Easy to

624 views • 16 slides
Tutorial: Sparse Recovery Using Sparse Matrices Piotr Indyk MIT Problem Formulation

Tutorial: Sparse Recovery Using Sparse Matrices Piotr Indyk MIT Problem Formulation

Tutorial: Sparse Recovery Using Sparse Matrices Piotr Indyk MIT Problem Formulation (approximation theory, learning Fourier coeffs, linear sketching, finite rate of innovation, compressed sensing...) Setup: Data/signal in n-dimensional

418 views • 25 slides
A GAMS TUTORIAL A GAMS TUTORIAL A GAMS TUTORIAL WHAT IS GAMS ? General Algebraic Modeling

A GAMS TUTORIAL A GAMS TUTORIAL A GAMS TUTORIAL WHAT IS GAMS ? General Algebraic Modeling

A GAMS TUTORIAL A GAMS TUTORIAL A GAMS TUTORIAL WHAT IS GAMS ? General Algebraic Modeling System Modeling linear, nonlinear and mixed integer optimization problems Useful with large, complex problems A GAMS TUTORIAL A GAMS TUTORIAL

274 views • 24 slides
ANOVA: Analysis of Variance An example ANOVA problem 25 individuals split into three

ANOVA: Analysis of Variance An example ANOVA problem 25 individuals split into three

ANOVA: Analysis of Variance An example ANOVA problem 25 individuals split into three between-subject conditions: A, B and C A: 5,6,6,7,7,8,9,10 [8 participants, mean: 7.25] B: 7,7,8,9,9,10,10,11 [8 participants, mean: 8.875] P:

188 views • 14 slides
Qualitative Data Collection and Analysis In this lecture Overview of observations, diary

Qualitative Data Collection and Analysis In this lecture Overview of observations, diary

Qualitative Data Collection and Analysis In this lecture Overview of observations, diary studies, field studies Interviewing in detail Interviews that are done incorrectly are lost data Externalizing and analyzing data Heuristic

1.01k views • 66 slides
Stella Performance Strategy &amp; Analysis Tool June 5 &amp; 6, 2019 1 Stella Performance

Stella Performance Strategy &amp; Analysis Tool June 5 &amp; 6, 2019 1 Stella Performance

Stella Performance Strategy &amp; Analysis Tool June 5 &amp; 6, 2019 1 Stella Performance Webinar Overview Future of Homeless Service Data Introduction to Stella and the Performance and Modeling modules Stella Performance Module

543 views • 35 slides
Idaho Career and Technical Education Data Collection Training: Data Analysis Hella Bel Hadj Amor,

Idaho Career and Technical Education Data Collection Training: Data Analysis Hella Bel Hadj Amor,

Idaho Career and Technical Education Data Collection Training: Data Analysis Hella Bel Hadj Amor, Ph.D. May 1, 2019 Our Region About REL Northwest Regional educational laboratories (RELs) partner with practitioners and policymakers to use

876 views • 43 slides
Dawn Song dawnsong@cs.berkeley.edu 1 Other Issues &amp; Attacks against GhostBuster? Malware

Dawn Song dawnsong@cs.berkeley.edu 1 Other Issues &amp; Attacks against GhostBuster? Malware

In-depth Malware Analysis Dawn Song dawnsong@cs.berkeley.edu 1 Other Issues &amp; Attacks against GhostBuster? Malware only hides from certain processes Solution? Run GhostBuster in every process Issues? On the other hand,

275 views • 8 slides
Finite-Sample Analysis in Reinforcement Learning Mohammad Ghavamzadeh INRIA Lille Nord

Finite-Sample Analysis in Reinforcement Learning Mohammad Ghavamzadeh INRIA Lille Nord

Finite-Sample Analysis in Reinforcement Learning Mohammad Ghavamzadeh INRIA Lille Nord Europe, Team SequeL Outline Introduction to RL and DP 1 Approximate Dynamic Programming (AVI &amp; API) 2 How does Statistical Learning Theory come to

708 views • 66 slides
Principles of Program Analysis: A Sampler of Approaches Transparencies based on Chapter 1 of the

Principles of Program Analysis: A Sampler of Approaches Transparencies based on Chapter 1 of the

Principles of Program Analysis: A Sampler of Approaches Transparencies based on Chapter 1 of the book: Flemming Nielson, Hanne Riis Nielson and Chris Hankin: Principles of Program Analysis. Springer Verlag 2005. c Flemming Nielson &amp;

1.12k views • 98 slides
Study of Face-to-Face Interaction Main Points: Phenomena that we tend to think of as

Study of Face-to-Face Interaction Main Points: Phenomena that we tend to think of as

Study of Face-to-Face Interaction Main Points: Phenomena that we tend to think of as psychological ( within the individual) turn out to be accomplishments of the pragmatics of language ( between people) the collaborative work of talk

146 views • 10 slides

More recommend