an in depth analysis of disassembly on full scale x86 x64
play

An In-Depth Analysis of Disassembly on Full-Scale x86/x64 Binaries - PowerPoint PPT Presentation

Sep 05, 2023 •312 likes •508 views

An In-Depth Analysis of Disassembly on Full-Scale x86/x64 Binaries Dennis Andriesse , Xi Chen , Victor van der Veen , Asia Slowinska , Herbert Bos Vrije Universiteit Amsterdam Lastline, Inc. USENIX Security 2016

  1. An In-Depth Analysis of Disassembly on Full-Scale x86/x64 Binaries Dennis Andriesse † , Xi Chen † , Victor van der Veen † , Asia Slowinska § , Herbert Bos † † Vrije Universiteit Amsterdam § Lastline, Inc. USENIX Security 2016

  2. Introduction Disassembly in Systems Security Disassembly is the backbone of all binary-level systems security work (and more) • Control-Flow Integrity • Automatic Vulnerability/Bug Search • Lifting binaries to LLVM/IR (e.g., for reoptimization) • Malware Analysis • Binary Hardening • Binary Instrumentation • . . . An In-Depth Analysis of Disassembly,on Full-Scale x86/x64 Binaries 1 of 18

  3. Introduction Challenges in Disassembly Disassembly is undecidable, and disassemblers face many challenges • Code interleaved with data • Overlapping basic blocks • Overlapping instructions (on variable-length ISAs) • Indirect jumps/calls • Alignment/padding bytes (such as nop s) • Multi-entry functions • Tailcalls • . . . How much of a problem do these challenges cause in practice? An In-Depth Analysis of Disassembly,on Full-Scale x86/x64 Binaries 2 of 18

  4. Introduction Motivation of our Work Prior work explores corner cases, but no consensus on how common these really are in practice • Pessimistic view of disassembly among reviewers and researchers • Underestimation of the potential of binary-based work We study the frequency of corner cases in real-world binaries, and measure how well disassemblers deal with them An In-Depth Analysis of Disassembly,on Full-Scale x86/x64 Binaries 3 of 18

  5. Experiment Setup Binary Types We cover a wide range of commonly targeted binary types ( 981 tests ) • SPEC CPU2006 + real-world applications (C and C++) • Compiled with gcc , clang (ELF) and Visual Studio (PE) • Compiled for x86 and x64 • Five optimization levels ( O0 - O3 and Os ) + -flto • Dynamically and statically linked binaries • Stripped binaries and binaries with symbols • Library code with handwritten assembly ( glibc ) Focus on benign use cases, such as binary protection schemes (we already know obfuscated binaries can wreak havoc) An In-Depth Analysis of Disassembly,on Full-Scale x86/x64 Binaries 4 of 18

  6. Experiment Setup Ground Truth Ground truth from DWARF/PDB, with source-level LLVM info Disassembly Primitives and Complex Cases We study five commonly used disassembly/binary analysis primitives • � Instructions, � Function starts, � Function signatures, 1 2 3 � Control Flow Graph (CFG) accuracy, � Callgraph accuracy 4 5 Measure prevalence of seven complex cases � Overlapping BBs, � Overlapping instructions, • 1 2 � Inline data/jump tables, � Switches, � Padding bytes, 3 4 5 � Multi-entry functions, � Tailcalls 6 7 Disassemblers Tested nine popular industry and research disassemblers (details in paper and in results where needed) An In-Depth Analysis of Disassembly,on Full-Scale x86/x64 Binaries 5 of 18

  7. Experiment Results More results Far too many results to fit in this presentation • Focus on most interesting results here, see paper for more • Detailed results and ground truth publicly released https://www.vusec.net/projects/disassembly/ An In-Depth Analysis of Disassembly,on Full-Scale x86/x64 Binaries 6 of 18

  8. Experiment Results Instruction Accuracy Very high accuracy for best performing disassemblers • IDA Pro 6.7: 96%–99% TP (FNs due to padding, FPs rare) • Linear: 100% correct on ELF (no inline data) 99% correct for PE, some FPs/FNs due to inline jump tables gcc-5.1.1 x86 gcc-5.1.1 x64 clang-3.7.0 x86 clang-3.7.0 x64 Visual Studio '15 x86 Visual Studio '15 x64 100 90 % correct (geometric mean) 80 70 angr 4.6.1.4 BAP 0.9.9 ByteWeight 0.9.9 60 Dyninst 9.1.0 Hopper 3.11.5 IDA Pro 6.7 50 Jakstab 0.8.4 Linear 40 SPEC (C) SPEC (C++) 30 20 O0 O1 O2 O3 O0 O1 O2 O3 O0 O1 O2 O3 O0 O1 O2 O3 O0 O1 O2 O3 O0 O1 O2 O3 Figure: Correctly disassembled instructions An In-Depth Analysis of Disassembly,on Full-Scale x86/x64 Binaries 7 of 18

  9. Experiment Results CFG and Callgraph accuracy CFG and callgraph very accurate due to high instruction accuracy (see paper for details) An In-Depth Analysis of Disassembly,on Full-Scale x86/x64 Binaries 8 of 18

  10. Experiment Results Function Signatures Only IDA Pro, important mostly for manual reverse engineering • Poor accuracy, especially on x64 • Acceptable for manual analysis, caution in automated analysis gcc-5.1.1 x86 gcc-5.1.1 x64 clang-3.7.0 x86 clang-3.7.0 x64 Visual Studio '15 x86 Visual Studio '15 x64 100 80 % correct (geometric mean) 60 40 20 0 O0 O1 O2 O3 O0 O1 O2 O3 O0 O1 O2 O3 O0 O1 O2 O3 O0 O1 O2 O3 O0 O1 O2 O3 Figure: Correctly detected non-empty argument list (IDA Pro, argc only) An In-Depth Analysis of Disassembly,on Full-Scale x86/x64 Binaries 9 of 18

  11. Experiment Results Function Detection Function detection currently the main disassembly challenge • Even function start detection yields many FPs/FNs (20% + ) • Complex cases: non-standard prologues, tailcalls, inlining, . . . • Binary analysis commonly requires function information gcc-5.1.1 x86 gcc-5.1.1 x64 clang-3.7.0 x86 clang-3.7.0 x64 Visual Studio '15 x86 Visual Studio '15 x64 100 80 % correct (geometric mean) 60 angr 4.6.1.4 BAP 0.9.9 ByteWeight 0.9.9 40 Dyninst 9.1.0 Hopper 3.11.5 IDA Pro 6.7 Jakstab 0.8.4 20 SPEC (C) SPEC (C++) 0 O0 O1 O2 O3 O0 O1 O2 O3 O0 O1 O2 O3 O0 O1 O2 O3 O0 O1 O2 O3 O0 O1 O2 O3 Figure: Correctly detected function start addresses An In-Depth Analysis of Disassembly,on Full-Scale x86/x64 Binaries 10 of 18

  12. Experiment Results Function Detection: False Negative Listing: False negative indirectly called function for IDA Pro 6.7 ( gcc compiled with gcc at O3 for x64 ELF) 6caf10 <ix86 fp compare mode>: 6caf10: mov 0x3f0dde(%rip),%eax 6caf16: and $0x10,%eax 6caf19: cmp $0x1,%eax 6caf1c: sbb %eax,%eax 6caf1e: add $0x3a,%eax 6caf21: retq An In-Depth Analysis of Disassembly,on Full-Scale x86/x64 Binaries 11 of 18

  13. Experiment Results Function Detection: False Positive Listing: False positive function (shaded) for Dyninst ( perlbench compiled with gcc at O3 for x64 ELF) 46b990 <Perl pp enterloop>: [...] 46ba02: ja 46bb50 <Perl pp enterloop+0x1c0> 46ba08: mov %rsi,%rdi 46ba0b: shl %cl,%rdi 46ba0e: mov %rdi,%rcx 46ba11: and $0x46,%ecx 46ba14: je 46bb50 <Perl pp enterloop+0x1c0> [...] 46bb47: pop %r12 46bb49: retq 46bb4a: nopw 0x0(%rax,%rax,1) 46bb50: sub $0x90,%rax An In-Depth Analysis of Disassembly,on Full-Scale x86/x64 Binaries 12 of 18

  14. Prevalence of Complex Cases Complex Cases in Application Code • No inline data in ELF , even jump tables placed in .rodata • Inline data for PE (jump tables), well recognized by IDA Pro • No overlapping basic blocks , contrary to widespread belief • Tailcalls quite common (impact on function detection) gcc-5.1.1 x86 gcc-5.1.1 x64 clang-3.7.0 x86 clang-3.7.0 x64 Visual Studio '15 x86 Visual Studio '15 x64 600 BB overlap ins overlap 500 multi-entry jmps # complex cases (geometric mean) multi-entry targets tailcall jmps tailcall targets 400 SPEC (C) SPEC (C++) 300 200 100 0 O0 O1 O2 O3 O0 O1 O2 O3 O0 O1 O2 O3 O0 O1 O2 O3 O0 O1 O2 O3 O0 O1 O2 O3 Figure: Prevalence of complex constructs in SPEC CPU2006 binaries An In-Depth Analysis of Disassembly,on Full-Scale x86/x64 Binaries 13 of 18

  15. Prevalence of Complex Cases Complex Cases in Library Code ( glibc-2.22 ) Highly optimized library code (handwritten assembly) allows for more complex cases • Surprisingly, no inline data in recent glibc versions (explicitly pushed into .rodata even in handwritten code) • No overlapping basic blocks • Tailcalls again quite common • Some overlapping instructions (handwritten assembly) • Some multi-entry functions (well-defined) An In-Depth Analysis of Disassembly,on Full-Scale x86/x64 Binaries 14 of 18

  16. Prevalence of Complex Cases Complex Cases in Library Code: Overlapping Instruction Listing: Overlapping instruction in glibc-2.22 7b05a: cmpl $0x0,%fs:0x18 7b063: je 7b066 7b065: lock cmpxchg %rcx,0x3230fa(%rip) An In-Depth Analysis of Disassembly,on Full-Scale x86/x64 Binaries 15 of 18

  17. Prevalence of Complex Cases Complex Cases in Library Code: Multi-Entry Function Listing: Multi-entry function in glibc-2.22 e9a30 <splice>: e9a30: cmpl $0x0,0x2b9da9(%rip) e9a37: jne e9a4c < splice nocancel+0x13> e9a39 < splice nocancel>: e9a39: mov %rcx,%r10 e9a3c: mov $0x113,%eax e9a41: syscall e9a43: cmp $0xfffffffffffff001,%rax e9a49: jae e9a7f < splice nocancel+0x46> e9a4b: retq e9a4c: sub $0x8,%rsp e9a50: callq f56d0 < libc enable asynccancel> [...] An In-Depth Analysis of Disassembly,on Full-Scale x86/x64 Binaries 16 of 18

Recommend

Supermodule Disassembly Tom Dietel WWU M unster TRD Status Meeting 3.11.2008 Supermodule

Supermodule Disassembly Tom Dietel WWU M unster TRD Status Meeting 3.11.2008 Supermodule

Supermodule Disassembly Supermodule Disassembly Tom Dietel WWU M unster TRD Status Meeting 3.11.2008 Supermodule Disassembly Disassembly of SM-II Cooling problems in L5 short silicone hoses, bends problem has been solved in

321 views • 4 slides
Binarylevel program analysis: Static Disassembly Gang Tan CSE 597 Spring 2019 Penn State

Binarylevel program analysis: Static Disassembly Gang Tan CSE 597 Spring 2019 Penn State

Binarylevel program analysis: Static Disassembly Gang Tan CSE 597 Spring 2019 Penn State University 3 Disassemblers Disassembler Convert machine code in a binary file into assembly code or code in an equivalent IR Assume a

514 views • 26 slides
Full Depth Reclamation Fly Ash Stabilization MERRILL AIRPORT &amp; LANGLADE COUNTY AIRPORT

Full Depth Reclamation Fly Ash Stabilization MERRILL AIRPORT &amp; LANGLADE COUNTY AIRPORT

Full Depth Reclamation Fly Ash Stabilization MERRILL AIRPORT &amp; LANGLADE COUNTY AIRPORT (Antigo) Pulverize Asphaltic Pavement and Base Course Full Depth Reclamation aka Cold In-place Recycling [CIR] A reclamation technique in

749 views • 20 slides
Senior Thesis Analysis Topics Alternate Formwork System Evaluation (Depth Analysis) The

Senior Thesis Analysis Topics Alternate Formwork System Evaluation (Depth Analysis) The

Senior Thesis Analysis Topics Alternate Formwork System Evaluation (Depth Analysis) The Green Building Reference Guide (Depth Analysis) Office Tower Structural Redesign (Breadth Analyses) Introduction Occupants Headquarters of

522 views • 31 slides
Pennsylvania State University Atrium Medical Corporation Architectural Engineering Table of

Pennsylvania State University Atrium Medical Corporation Architectural Engineering Table of

Pennsylvania State University Atrium Medical Corporation Architectural Engineering Table of Contents Headquarters Facility Senior Thesis Final Presentation Title Page Project Information Depth Analysis 1 Depth Analysis 2 Depth Analysis 3

533 views • 32 slides
Successful Online and Offline Cleaning of Steam Turbines With and Without Disassembly Successful

Successful Online and Offline Cleaning of Steam Turbines With and Without Disassembly Successful

Successful Online and Offline Cleaning of Steam Turbines With and Without Disassembly Successful Online and Offline Cleaning of Steam Turbines With and Without Disassembly Bladimir Gomez Supervisor, Rotating Equipment Engineering PDVSA CRP

354 views • 21 slides
PCA and Admixture proportions for low depth NGS data Anders Albrechtsen Admixture model

PCA and Admixture proportions for low depth NGS data Anders Albrechtsen Admixture model

PCA and Admixture proportions for low depth NGS data Anders Albrechtsen Admixture model NGSadmix Introduction to PCA PCA for NGS - genotype likelihood approach analysis based on individual allele frequencies Analysis of low depth

930 views • 53 slides
Graphical Exploratory Analysis Using Take a fixed collection of datapoints : ( x 1 , y 1 ) , ( x 2

Graphical Exploratory Analysis Using Take a fixed collection of datapoints : ( x 1 , y 1 ) , ( x 2

Bivariate halfspace depth (Tukey depth) Graphical Exploratory Analysis Using Take a fixed collection of datapoints : ( x 1 , y 1 ) , ( x 2 , y 2 ) , . . . , ( x n , y n ) . Halfspace Depth Given an arbitrary point ( x , y ) : take all (closed)

208 views • 5 slides
Re Regio gional nal Fu Full-Scale Scale Ex Exerc ercis ise Molly McFadden &amp; Alicia

Re Regio gional nal Fu Full-Scale Scale Ex Exerc ercis ise Molly McFadden &amp; Alicia

Nor orth th Cen entral tral Te Texas as Re Regio gional nal Fu Full-Scale Scale Ex Exerc ercis ise Molly McFadden &amp; Alicia Toombs May 16, 2017 Pr Pres esenters enters Molly McFadden Director of Emergency Preparedness

594 views • 55 slides
Applications of Graph Traversal Algorithm : Design &amp; Analysis [12] In the last class

Applications of Graph Traversal Algorithm : Design &amp; Analysis [12] In the last class

Applications of Graph Traversal Algorithm : Design &amp; Analysis [12] In the last class Depth-First and Breadth-First Search Finding Connected Components General Depth-First Search Skeleton Depth-First Search Trace

498 views • 35 slides
Full-scale micropollutant removal from municipal wastewater in Switzerland Aline Meier, Julie

Full-scale micropollutant removal from municipal wastewater in Switzerland Aline Meier, Julie

Associazione svizzera Verband Schweizer des professionnels Association suisse dei professionisti Gewsserschutz- della protezione de la protection Abwasser- und Swiss Water delle acque Association fachleute des eaux Full-scale

333 views • 12 slides
The Pavement Design Spreadsheet can be used to develop pavement designs for full depth pavement

The Pavement Design Spreadsheet can be used to develop pavement designs for full depth pavement

The Pavement Design Spreadsheet can be used to develop pavement designs for full depth pavement projects off the National Highway System. The spreadsheet walks the designer from start to finish and develops the Pavement Design signature form

671 views • 30 slides
State-of-the-art Report On FULL-DEPTH PRECAST CONCRETE BRIDGE DECK PANELS (SOA -01-1911) Vince

State-of-the-art Report On FULL-DEPTH PRECAST CONCRETE BRIDGE DECK PANELS (SOA -01-1911) Vince

State-of-the-art Report On FULL-DEPTH PRECAST CONCRETE BRIDGE DECK PANELS (SOA -01-1911) Vince Campbell Former president of Bayshore Concrete Products Corporation, VA This presentation is developed by Sameh S. Badie, Ph.D., PE Associate

1.36k views • 72 slides
Agenda 9:30 AM 10:30 AM Plans for 2017 Full scale adaptive management What it means for our

Agenda 9:30 AM 10:30 AM Plans for 2017 Full scale adaptive management What it means for our

W ELCOME AND I NTRODUCTIONS Nancy Sheehan, Program Coordinator Volunteer Stream Monitoring Program The Rock River Coalition 9:00 AM 9:15 AM Registration 9:15 AM 9:30 AM Introduction Agenda 9:30 AM 10:30 AM Plans for 2017 Full scale

670 views • 34 slides
Superset Disassembly: Statically Rewriting x86 Binaries Without Heuristics Erick Bauman 1 ,

Superset Disassembly: Statically Rewriting x86 Binaries Without Heuristics Erick Bauman 1 ,

Superset Disassembly: Statically Rewriting x86 Binaries Without Heuristics Erick Bauman 1 , Zhiqiang Lin 1 , 2 , Kevin Hamlen 1 1 University of Texas at Dallas 2 The Ohio State University NDSS 2018 Introduction Background and Overview Design

1.07k views • 81 slides
Depth-First Search A B D E C Outline and Reading Definitions (6.1) Subgraph

Depth-First Search A B D E C Outline and Reading Definitions (6.1) Subgraph

Depth-First Search A B D E C Outline and Reading Definitions (6.1) Subgraph Connectivity Spanning trees and forests Depth-first search (6.3.1) Algorithm Example Properties Analysis Applications of

551 views • 15 slides
A Statistical Analysis of Snow Depth Trends in North America Jonathan Woody Mississppi State

A Statistical Analysis of Snow Depth Trends in North America Jonathan Woody Mississppi State

Snow Depth Trends-A Single Series Mississippi State University North American Snow Depth Trends A Statistical Analysis of Snow Depth Trends in North America Jonathan Woody Mississppi State University Statistics June 13, 2017 Jonathan Woody

319 views • 31 slides
Hun$ng the Shadows: In Depth Analysis of Escalated APT A=acks

Hun$ng the Shadows: In Depth Analysis of Escalated APT A=acks

Hun$ng the Shadows: In Depth Analysis of Escalated APT A=acks Fyodor Yarochkin, Academia Sinica Pei Kan PK Tsung, Academia Sinica Ming-Chang Jeremy

675 views • 43 slides
Full Coop Cooperati tion on: Z Zero V Viol olence ce Challenge of large scale multi-agency

Full Coop Cooperati tion on: Z Zero V Viol olence ce Challenge of large scale multi-agency

Full Coop Cooperati tion on: Z Zero V Viol olence ce Challenge of large scale multi-agency training in a different cultural context Annalise Muscat Ministry for European Affairs and Equality, Malta Full Cooperation: Zero Violence To

1.03k views • 37 slides
Pilot Studies Informing a Full Scale SMART to Address

Pilot Studies Informing a Full Scale SMART to Address

Pilot Studies Informing a Full Scale SMART to Address Obesity Related Health Dispari@es Sylvie Naar-King, Ph.D. Wayne State University Pediatrics Key Co-Investigators: Deborah Ellis, Ph.D.

767 views • 38 slides
Full-scale comparison of N 2 O emissions from N/DN SBR operation versus one-stage

Full-scale comparison of N 2 O emissions from N/DN SBR operation versus one-stage

Full-scale comparison of N 2 O emissions from N/DN SBR operation versus one-stage deammonification MBBR treating reject water and optimization with pH set-point Linda Kanders, Mlardalen University and Purac AB PhD Student

363 views • 5 slides
Computer disassembly Dell OptiPlex GX260 Overview Working with the Dell OptiPlex GX260

Computer disassembly Dell OptiPlex GX260 Overview Working with the Dell OptiPlex GX260

Computer disassembly Dell OptiPlex GX260 Overview Working with the Dell OptiPlex GX260 Disassemble Identify the parts Reassemble Precautionary measures NOTICE : To help avoid possible damage to the system board, wait 5 seconds

398 views • 26 slides
Multi-scale Analysis of Large Distributed Computing Systems Lucas M. Schnorr, Arnaud Legrand,

Multi-scale Analysis of Large Distributed Computing Systems Lucas M. Schnorr, Arnaud Legrand,

Introduction Multi-scale Analysis Approach Experimental Framework Results and Analysis Conclusion Multi-scale Analysis of Large Distributed Computing Systems Lucas M. Schnorr, Arnaud Legrand, Jean-Marc Vincent INRIA Mescal, CNRS LIG

583 views • 27 slides
1 Syntactic Analysis (Parsing) Bottom-Up Parsing: Shift-Reduce Grammer a + b + c Impose

1 Syntactic Analysis (Parsing) Bottom-Up Parsing: Shift-Reduce Grammer a + b + c Impose

Undergraduate Compilers Review and Intro to MJC Some Thoughts on Grad School Goal Announcements learn how to learn a subject in depth Mailing list is in full swing learn how to organize a project, execute it, and write about it

736 views • 5 slides

More recommend