be a binary rockst r
play

Be a Binary Rockst r An Introduction to Program Analysis with - PowerPoint PPT Presentation

Feb 05, 2023 •180 likes •963 views

Be a Binary Rockst r An Introduction to Program Analysis with Binary Ninja Agenda Motivation Current State of Program Analysis Design Goals of Binja Program Analysis Building Tools 2 Motivation 3 Tooling - Concrete ->

  1. Be a Binary Rockst r An Introduction to Program Analysis with Binary Ninja

  2. Agenda ● Motivation ● Current State of Program Analysis ● Design Goals of Binja Program Analysis ● Building Tools 2

  3. Motivation 3

  4. ● Tooling - Concrete -> Symbolic ○ Increase speed & effectiveness of RE / VR ● Make Program Analysis more accessible & useful 4

  5. Foundations • Need to understand code semantics • Could be done directly on the assembly • An Intermediate Language (IL) is needed 5

  6. Why IL? • Architecture Abstraction • Smaller number of instructions 6

  7. Easy to lift • Simple flags calculation • As close to native instructions as possible • Typeless - types inferred later 7

  8. Easy to read • Intuitive to read • Tree-based infix notation • No register abstraction • Flags calculation only when necessary • Avoid excessive temporaries 8

  9. IL Instruction Set Size Easier to analyze Easier to lift Instruction Set Size 9

  10. The Options 10

  11. Existing Options for IL • BAP • VEX • REIL • LLVM • IDA 11

  12. BAP • Tree-tree based :) • Flags are explicit and inhibit readability :( • Written in OCAML :( 12

  13. addr 0x0 @asm ”add %eax,%ebx” t:u32 = REBX:u32 REBX:u32 = REBX:u32 + REAX:u32 RCF:bool = REBX:u32 < t:u32 addr 0x2 @asm ”shl %cl,%ebx” add ebx, eax t1:u32 = REBX:u32 >> 0x20:u32 − (RECX:u32 & shl ebx, cl 0x1f:u32) RCF:bool = ((RECX:u32 & 0x1f:u32) = 0:u32) & RCF:bool | ̃ ((RECX:u32 & 0x1f:u32) = 0:u32) & low:bool(t1:u32) 13

  14. VEX • Register names are abstracted :( • Single assignment :( • Over 1000 instructions! :( • Yet they call it “RISC-like” • Even Angr is planning a move away from it 14

  15. t0 = GET:I32(16) t1 = 0x8:I32 t3 = Sub32(t0,t1) subs R2, R2, #8 PUT(16) = t3 PUT(68) = 0x59FC8:I32 15

  16. REIL • Tiny instruction set • Horrible readability • Makes abstractions nearly impossible • Flags are explicit and inhibit readability :( 16

  17. 00000000.00 STR R_EAX:32, , V_00:32 00000000.01 STR 0:1, , R_CF:1 00000000.02 AND V_00:32, ff:8, V_01:8 00000000.03 SHR V_01:8, 7:8, V_02:8 00000000.04 SHR V_01:8, 6:8, V_03:8 00000000.05 XOR V_02:8, V_03:8, V_04:8 00000000.06 SHR V_01:8, 5:8, V_05:8 00000000.07 SHR V_01:8, 4:8, V_06:8 00000000.08 XOR V_05:8, V_06:8, V_07:8 00000000.09 XOR V_04:8, V_07:8, V_08:8 00000000.0a SHR V_01:8, 3:8, V_09:8 00000000.0b SHR V_01:8, 2:8, V_10:8 00000000.0c XOR V_09:8, V_10:8, V_11:8 test eax, eax 00000000.0d SHR V_01:8, 1:8, V_12:8 00000000.0e XOR V_12:8, V_01:8, V_13:8 00000000.0f XOR V_11:8, V_13:8, V_14:8 00000000.10 XOR V_08:8, V_14:8, V_15:8 00000000.11 AND V_15:8, 1:1, V_16:1 00000000.12 NOT V_16:1, , R_PF:1 00000000.13 STR 0:1, , R_AF:1 00000000.14 EQ V_00:32, 0:32, R_ZF:1 00000000.15 SHR V_00:32, 1f:32, V_17:32 00000000.16 AND 1:32, V_17:32, V_18:32 00000000.17 EQ 1:32, V_18:32, R_SF:1 00000000.18 STR 0:1, , R_OF:1 17

  18. LLVM ● Easy to analyze and has great tools already available ● It’s a compiler! ○ Reversers want a decompiler. ○ Cannot be the only goal 18

  19. LLVM Challenges ● Hard to lift well from compiled binaries ○ Designed for compiler output ● Expects type information in the instructions ● SSA form - assembly is not ● Stack in assembly looks like a structure, but structures lose many advantages of SSA 19

  20. IDA ? 20

  21. Binary Ninja’s Answer • Binary Ninja Intermediate Language (BNIL) 21

  22. IL Goals & Design 22

  23. Why Another IL? ● Popular existing ILs for compiled binaries are not very human readable . They are extremely low level and verbose. ● Existing ILs are single stage . Heavyweight analysis must be performed to get anywhere close to decompiled output. ● Writing a lifter for a new architecture is usually very time consuming. 23

  24. Binary Ninja IL ● Create a family of ILs with multiple stages of analysis ● Lowest level is close to assembly ● After analysis and transformations, higher levels are closer to decompiled output and would be much easier to translate to good LLVM code ● Analysis involved in each transformation is easy to understand, fast, and directly aids further analysis 24

  25. IL Design Goals ● Human readable ● Computer understandable (SSA, 3AF, etc.) ● Plugin understandable ● Easy to lift native architectures ● Translation to other ILs such as LLVM 25

  26. Human Readable ● Reads like pseudocode, even in lowest level form ● Flags are resolved into readable expressions 26

  27. Low Level IL Example lea rax, [0x201047] rax = 0x201047 lea rdi, [0x201040] rdi = 0x201040 push rbp push(rbp) sub rax, rdi rax = rax - rdi mov rbp, rsp rbp = rsp cmp rax, 0xe if (rax u> 0xe) then ja 0x68d 6 @ 0x68d else 8 @ 0x68b x86-64 Assembly Low Level IL 27

  28. Low Level IL Example addiu $sp, $sp, -0x18 $sp = $sp - 0x18 sw $ra, 0x14($sp) [$sp + 0x14].d = $ra lw $a0, ($a1) $a0 = [$a1].d jal atoi call(atoi) nop $at = $v0 u< 0x20 ? 1 : 0 sltiu $at, $v0, 0x20 if ($at == 0) then beqz $at, 0x4002d8 7 @ 0x4002d8 else nop 12 @ 0x400290 MIPS Assembly Low Level IL 28

  29. Computer Understandable ● Multiple IL forms ● Pick the right IL for the task at hand 29

  30. IL Forms Lifted IL Low Level IL SSA / 3AF ASM -> IL Flags use resolved High Level IL Medium Level IL Calls in high level form Stack usage resolved SSA / 3AF Expression folding Type propagation Like decompiled output 30

  31. Plugin Understandable ● All IL forms directly accessible from API ● Analysis performed on IL also accessible by API 31

  32. Easy to Lift ● Expression tree ● Designed for quick, modular lifter implementations ● Semantic flags eases the burden of describing flag effects during lifting 32

  33. Semantic Flags ● Architecture plugins define the set of flags and their semantic roles ● Instructions can define a set of flags they write ● Data flow analysis is performed to link flag uses to flag writes 33

  34. Semantic Flags ● In most compiled code, flags are resolved to simple comparison expressions with no effort from the architecture plugin ● Special cases fall back to emitting concrete flag write expressions 34

  35. Semantic Flags Example Folded expression “Writes to all ALU flags” describing use of flags sub.q{*}(rax, 0xe) if (rax u> 0xe) then if (u>) then … else … … else … “Flag state representing unsigned greater than” 35

  36. Translating Upwards ● Semantic flags analysis gives Low Level IL with flag usage fully resolved ● Stack is represented as memory accesses, so data flow can be difficult to compute on stack variables in Low Level IL ● Need to analyze and translate to Medium Level IL 36

  37. Low Level IL to Medium Level IL ● Low Level IL is translated to SSA form ● Use implicit data flow from SSA to resolve stack layout ● Data flow based stack layout resolution avoids problems with nonstandard frame pointer behavior ● Translate loads and stores on stack to stack variable uses and assignments 37

  38. Medium Level IL Example push(ebp) ebp = esp var_4 = ebp esp = esp - 0x18 eax = arg_4 eax = [ebp + 8].d var_1c = eax [esp].d = eax free(var_1c) call(free) ebp = var_4 esp = ebp return ebp = pop <return> jump(pop) Medium Level IL 38

  39. Medium Level IL ● Registers and stack usage are now both treated as variables ● Stack variables no longer use explicit memory access ● Translate to SSA form to obtain implicit data flow on both registers and stack variables ● Type propagation is performed on SSA form 39

  40. Using Medium Level IL - Jump Tables 40

  41. Using Medium Level IL - Jump Tables ● Jump table resolution based on path-sensitive data flow ● SSA conversion process also tracks control flow dependence for every block ● Data flow computations allow disjoint sets of possible values ● Reads from memory are simulated ● At jump site, possible values are the possible jump targets 41

  42. Jump Table Example x8#1 = zx.q(x0#2.d) if (x0#2.d u> 0x1f) then … else … … x8#2 = sx.q([table + (x8#1 << 2)].d) x8#3 = x8#2 + table jump(x8#3) Medium Level IL Solve for this to get jump targets SSA Form 42

  43. Jump Table Example x8#1 = zx.q(x0#2.d) if (x0#2.d u> 0x1f) then … else … … x8#2 = sx.q([table + (x8#1 << 2)].d) x8#3 = x8#2 + table jump(x8#3) Track flow backwards with SSA to find definitions 43

  44. Jump Table Example x8#1 = zx.q(x0#2.d) if (x0#2.d u> 0x1f) then … else … … x8#2 = sx.q([table + (x8#1 << 2)].d) x8#3 = x8#2 + table jump(x8#3) Memory read depends on value of x8#1 44

  45. Jump Table Example x8#1 = zx.q(x0#2.d) Value used in if (x0#2.d u> 0x1f) branch then … else … comparison … x8#2 = sx.q([table + (x8#1 << 2)].d) x8#3 = x8#2 + table jump(x8#3) 45

  46. Jump Table Example Branch condition x8#1 = zx.q(x0#2.d) must be false to if (x0#2.d u> 0x1f) reach jump site then … else … … x8#2 = sx.q([table + (x8#1 << 2)].d) x8#3 = x8#2 + table jump(x8#3) 46

Recommend

Binary Numbers Binary numbers look like this Binary Numbers or Binary Code Binary numbers or

Binary Numbers Binary numbers look like this Binary Numbers or Binary Code Binary numbers or

Binary Numbers Binary numbers look like this Binary Numbers or Binary Code Binary numbers or binary code are used by computers and digital devices to talk to each other. It is used to give commands to the computer or a way to enter data

165 views • 12 slides
The Power of Binary 0, 1, 10, 11, 100, 101, 110, 111... What is Binary? a binary number

The Power of Binary 0, 1, 10, 11, 100, 101, 110, 111... What is Binary? a binary number

The Power of Binary 0, 1, 10, 11, 100, 101, 110, 111... What is Binary? a binary number is a number expressed in the binary numeral system, or base-2 numeral system, which represents numeric values using two different symbols: typically

485 views • 19 slides
LECTURE 2 Review 1 Binary Math and Assembly BINARY MATH In this section, we review Binary

LECTURE 2 Review 1 Binary Math and Assembly BINARY MATH In this section, we review Binary

LECTURE 2 Review 1 Binary Math and Assembly BINARY MATH In this section, we review Binary to decimal conversions and vice versa IEEE 754 Floating point representations Binary Arithmetic Decimal representation of binary numbers

1.66k views • 118 slides
Binary There are 10 types of people in the world those that understand binary and those

Binary There are 10 types of people in the world those that understand binary and those

Binary There are 10 types of people in the world those that understand binary and those that dont. What is binary? You and I write numbers like this: twelve is 12, sixty eight is 68, and one hundred is 100 Binary is a number

525 views • 26 slides
A Quick Review Decimal to binary Binary to decimal Binary to hexadecimal

A Quick Review Decimal to binary Binary to decimal Binary to hexadecimal

A Quick Review Decimal to binary Binary to decimal Binary to hexadecimal Hexadecimal to binary Hexadecimal to Decimal Binary addition Binary subtraction Binary shift Decimal to Binary 146d = ????????b 146/2

91 views • 7 slides
Binary Numbers Calculate your age Binary &amp; decimal differences In binary 1 represents

Binary Numbers Calculate your age Binary &amp; decimal differences In binary 1 represents

Binary Numbers Calculate your age Binary &amp; decimal differences In binary 1 represents on Fun Facts Why 10 digits? Because and the 0 represents off people typically have 10 fingers and 10 toes, making it easy for counting! 2

119 views • 10 slides
Binary Tree Iterators and Properties Displayable Binary Trees Displayable Binary Trees (next

Binary Tree Iterators and Properties Displayable Binary Trees Displayable Binary Trees (next

Binary Tree Iterators and Properties Displayable Binary Trees Displayable Binary Trees (next assignment) DE DEPARTMENT OF OF COM OMPUTER S SCIENCE &amp; &amp; SO SOFTW TWARE RE E ENGINEERI RING PI PICN CNIC SA SATU TURD RDAY

709 views • 41 slides
Binary Search Trees A binary search tree is a binary tree T such that - each internal node

Binary Search Trees A binary search tree is a binary tree T such that - each internal node

AVL T REES Binary Search Trees AVL Trees AVL Trees 1 Binary Search Trees A binary search tree is a binary tree T such that - each internal node stores an item (k, e) of a dictionary. - keys stored at nodes in the left subtree of

547 views • 26 slides
Binary trees Binary trees David Morgan Binary trees Binary trees elements have up to 2

Binary trees Binary trees David Morgan Binary trees Binary trees elements have up to 2

Binary trees Binary trees David Morgan Binary trees Binary trees elements have up to 2 child elements left child sorts less, right more, than parent tree has a depth tree has a balance, comparing depths of its left and right

305 views • 5 slides
Negative Numbers and Binary operations Eric McCreath Binary Addition Adding binary numbers is

Negative Numbers and Binary operations Eric McCreath Binary Addition Adding binary numbers is

Negative Numbers and Binary operations Eric McCreath Binary Addition Adding binary numbers is very similar to how you would add large decimal numbers in primary school It involves positioning the numbers such that the columns line up in their

562 views • 10 slides
Binary Trees Parts of a binary tree A binary tree is composed of zero or more nodes Each

Binary Trees Parts of a binary tree A binary tree is composed of zero or more nodes Each

Binary Trees Parts of a binary tree A binary tree is composed of zero or more nodes Each node contains: A value (some sort of data item) A reference or pointer to a left child (may be null ), and A reference or pointer to a

653 views • 14 slides
Binary Numbers 723 Binary Numbers 723 = 7x100 + 2x10 + 3x1 Binary Numbers 723 = 7x100 + 2x10 +

Binary Numbers 723 Binary Numbers 723 = 7x100 + 2x10 + 3x1 Binary Numbers 723 = 7x100 + 2x10 +

Binary Numbers 723 Binary Numbers 723 = 7x100 + 2x10 + 3x1 Binary Numbers 723 = 7x100 + 2x10 + 3x1 = 7x10 2 + 2x10 1 + 3x10 0 Binary Numbers 5349 = 5x10 3 + 3x10 2 + 4x10 1 + 9x10 0 Binary Numbers Why base 10? Binary Numbers 257 (base 8)

1.23k views • 75 slides
Extending Binary Linear Classification One-Versus-All Classification (OVA) } In the presence of

Extending Binary Linear Classification One-Versus-All Classification (OVA) } In the presence of

Binary and Other Classification } We will generally discuss binary classifiers, which divide data into one of two classes } Linear classifiers as presented in last lecture are inherently binary, defining the classes based on two regions,

336 views • 7 slides
(Binary code is a series of digits, that are either ones or zeros. Each digit is called a

(Binary code is a series of digits, that are either ones or zeros. Each digit is called a

Welcome back! In the last session, we started to look at computers and coding, and explored the computer language binary. Can anyone remember what binary code looks like? (Binary code is a series of digits, that are either ones or zeros.

402 views • 25 slides
/ + - * * 5 3 2 6 5 2 Examples Binary Trees BSTs Augmenting BinExpr General Trees

/ + - * * 5 3 2 6 5 2 Examples Binary Trees BSTs Augmenting BinExpr General Trees

Trees Readings: HtDP , sections 14, 15, 16. Topics: Introductory examples and terminology Binary trees Binary search trees Augmenting trees Binary expression trees General arithmetic expression trees Nested lists Examples Binary Trees

1.19k views • 31 slides
Objectives To design and implement a binary search tree (25.2). To represent binary trees

Objectives To design and implement a binary search tree (25.2). To represent binary trees

Chapter 25 Binary Search Trees Liang, Introduction to Java Programming, Tenth Edition, (c) 2013 Pearson Education, Inc. All 1 rights reserved. Objectives To design and implement a binary search tree (25.2). To represent binary trees

443 views • 18 slides
Definitions Binary Search Tree: n Tree: hierarchical structure made of nodes with father-son

Definitions Binary Search Tree: n Tree: hierarchical structure made of nodes with father-son

Advanced Programming Binary Search Tree Binary Search Tree Introduction Binary Search Tree, o BST implement dictionaries or ordered queues elements stored are ordered according to a key Efficient (log n) operations S EARCH , M INIMUM , M

362 views • 32 slides
Binary Search Trees and Balanced Binary Search Trees using AVL Trees Mark Redekopp David Kempe

Binary Search Trees and Balanced Binary Search Trees using AVL Trees Mark Redekopp David Kempe

1 CSCI 104 Binary Search Trees and Balanced Binary Search Trees using AVL Trees Mark Redekopp David Kempe Sandra Batista 2 Properties, Insertion and Removal BINARY SEARCH TREES 3 Binary Search Tree Binary search tree = binary tree

630 views • 61 slides
The beautiful binary heap. Weiss has a chapter on the binary heap - chapter 20, pp581-601.

The beautiful binary heap. Weiss has a chapter on the binary heap - chapter 20, pp581-601.

The beautiful binary heap. Weiss has a chapter on the binary heap - chapter 20, pp581-601. Its a very neat implementation of the binary tree idea, using an array. We can use the binary heap to sort an array, and we can use it to make a

304 views • 15 slides
Binary XML and its Characterization Robin Berjon, XML Prague, 25/06/2005 What is Binary XML?

Binary XML and its Characterization Robin Berjon, XML Prague, 25/06/2005 What is Binary XML?

Binary XML and its Characterization Robin Berjon, XML Prague, 25/06/2005 What is Binary XML? Its not XML not in XML syntax doesnt comply to the XML specifications cant give it to an XML parser, it wont work your

553 views • 23 slides
Trees Linear Vs non-linear data structures Types of binary trees Binary tree traversals

Trees Linear Vs non-linear data structures Types of binary trees Binary tree traversals

Trees Linear Vs non-linear data structures Types of binary trees Binary tree traversals Representations of a binary tree Binary tree ADT Binary search tree EECS 268 Programming II 1 Overview We have discussed linear

1.05k views • 76 slides
ECE 242 Data Structures Lecture 17 Binary Trees October 19, 2009 ECE242 L17: Binary Trees

ECE 242 Data Structures Lecture 17 Binary Trees October 19, 2009 ECE242 L17: Binary Trees

ECE 242 Data Structures Lecture 17 Binary Trees October 19, 2009 ECE242 L17: Binary Trees Overview Problem: How do we represent non-linear structures? Binary Tree Similar to a linked list except each node has two children

391 views • 9 slides
Fixed and Floating-point Numbers Eric McCreath Fractional binary numbers Remember how the

Fixed and Floating-point Numbers Eric McCreath Fractional binary numbers Remember how the

Fixed and Floating-point Numbers Eric McCreath Fractional binary numbers Remember how the meaning of the digits in a binary number is defined: Note the binary radix point For example, the binary number: means 2 Binary Converting a

449 views • 7 slides
Fixed and Floating Point Numbers Eric McCreath Fractional binary numbers Remember how the

Fixed and Floating Point Numbers Eric McCreath Fractional binary numbers Remember how the

Fixed and Floating Point Numbers Eric McCreath Fractional binary numbers Remember how the meaning of the digits in a binary number is defined: note how there is a binary radix point. So for example the binary number: means 2 Binary

549 views • 7 slides

More recommend