binary analysis
play

Binary Analysis Dennis Andriesse Finse Winter School 2018 Who am - PowerPoint PPT Presentation

Jul 16, 2023 •374 likes •532 views

Binary Analysis Dennis Andriesse Finse Winter School 2018 Who am I? Researcher at Vrije Universiteit Amsterdam Reverse engineering Hardening programs/anti-exploitation Malware analysis ... Attack developer in GameOver Zeus

  1. Binary Analysis Dennis Andriesse Finse Winter School 2018

  2. Who am I? • Researcher at Vrije Universiteit Amsterdam – Reverse engineering – Hardening programs/anti-exploitation – Malware analysis – ... • Attack developer in GameOver Zeus takedown • Past year: writing a book on binary analysis – Topic of these lectures 2

  3. 3

  4. What is Binary Analysis? • Analyzing and/or modifying programs at the binary (e.g. machine code ) level • As opposed to source-level analysis (C/Java/Python/. . .) • Simple example: disassembling a program with objdump • Here: focus on x86 ELF binaries 4

  5. Producing a Binary • High-level C programs compile into binaries • Intermediate step: assembly language 5

  6. Example of source vs assembly 6

  7. The ELF binary format 7

  8. Disassembly • Tools like objdump disassemble binaries into approximation of the original assembly code • Binary analysis uses disassembly or code recovered at runtime Disassemble binary “foobar” $ objdump -d ~/foobar /home/dnx/foobar: file format elf64-x86-64 Disassembly of section .text: Read from register %rbp ... 4005ae: 55 push %rbp 4005af: 48 89 e5 mov %rsp,%rbp Read from memory 4005b2: 48 83 ec 20 sub $0x20,%rsp 4005b6: 89 7d ec mov %edi,-0x14(%rbp) 4005b9: 48 89 75 e0 mov %rsi,-0x20(%rbp) 4005bd: c7 45 fc 2a 00 00 00 movl $0x2a,-0x4(%rbp) Call function 4005c4: bf be 06 40 00 mov $0x4006be,%edi 4005c9: e8 62 fe ff ff callq 400430 <puts@plt> 4005ce: 8b 45 fc mov -0x4(%rbp),%eax 4005d1: 89 c7 mov %eax,%edi ... Opcodes (machine level) 8

  9. Linear vs Recursive Disassembly 9

  10. Disassembly with IDA Pro 10

  11. Binary Analysis is Hard! • No symbolic names for variables/functions • No info on function/class layout • No type information • No clear distinction between code/data • Inserting new code/data can break things • Loads of undecidable problems to deal with! 11

  12. So why do it? • Only way to really know what a program does • Only way to analyze malware • Discover low-level vulnerabilities/backdoors • Only way to change/fix binary programs – Source may be lost/proprietary – Example: Microsoft’s recent Equation Editor patch – Lots of vulnerable legacy programs! 12

  13. BA is a large and active field • Lots of different topics: – Disassembly/Reverse engineering/Malware analysis – Binary instrumentation/binary hardening – Taint analysis – Symbolic execution – . . . • Static and dynamic (runtime) analysis 13

  14. BA is a large and active field Here we’ll focus on basic binary analysis in Linux Many more advanced and automated analysis and binary modification tools available! 14

  15. Demo: Basic Binary Analysis in Linux 15

Recommend

Be a Binary Rockst r An Introduction to Program Analysis with Binary Ninja Agenda

Be a Binary Rockst r An Introduction to Program Analysis with Binary Ninja Agenda

Be a Binary Rockst r An Introduction to Program Analysis with Binary Ninja Agenda Motivation Current State of Program Analysis Design Goals of Binja Program Analysis Building Tools 2 Motivation 3 Tooling - Concrete -&gt;

963 views • 77 slides
The BINCOA Framework for Binary Code Analysis S ebastien Bardin, Philippe Herrmann, J er

The BINCOA Framework for Binary Code Analysis S ebastien Bardin, Philippe Herrmann, J er

The BINCOA Framework for Binary Code Analysis S ebastien Bardin, Philippe Herrmann, J er ome Leroux, Olivier Ly, Renaud Tabary, Aymeric Vincent CEA LIST (Saclay, Paris) LABRI (Bordeaux) 1/ 13 Binary code analysis 2/ 13 Binary code

149 views • 14 slides
Binary Numbers Binary numbers look like this Binary Numbers or Binary Code Binary numbers or

Binary Numbers Binary numbers look like this Binary Numbers or Binary Code Binary numbers or

Binary Numbers Binary numbers look like this Binary Numbers or Binary Code Binary numbers or binary code are used by computers and digital devices to talk to each other. It is used to give commands to the computer or a way to enter data

165 views • 12 slides
Dyninst: A Binary Analysis and Modification Framework Jeffrey K. Hollingsworth Ray Chen

Dyninst: A Binary Analysis and Modification Framework Jeffrey K. Hollingsworth Ray Chen

Dyninst: A Binary Analysis and Modification Framework Jeffrey K. Hollingsworth Ray Chen University of Maryland Department of Computer Science University of Maryland Binary modification Behavior Attack Detection Analysis Binary Program

492 views • 24 slides
Experiences with the Carnegie Mellon Binary Analysis Platform (CMU BAP) Sam L. Thomas, CNRS,

Experiences with the Carnegie Mellon Binary Analysis Platform (CMU BAP) Sam L. Thomas, CNRS,

Experiences with the Carnegie Mellon Binary Analysis Platform (CMU BAP) Sam L. Thomas, CNRS, IRISA sam.thomas@irisa.fr Introduction - what is BAP? Binary analysis framework: For program analysis For (aiding) reverse engineering (plugin

667 views • 29 slides
Contents 1. Binary firmware analysis 2. Tooling landscape 3. The avatar 2 framework 4. Examples

Contents 1. Binary firmware analysis 2. Tooling landscape 3. The avatar 2 framework 4. Examples

avatar 2 Marius Muench 34c3 - December 29, 2017 Contents 1. Binary firmware analysis 2. Tooling landscape 3. The avatar 2 framework 4. Examples 5. Conclusion 1 Binary Firmware Analysis Motivation Amount of embedded devices steadily

3.29k views • 51 slides
Analysis of the Binary IV Model or The case of the missing 9 dimensions Thomas Richardson

Analysis of the Binary IV Model or The case of the missing 9 dimensions Thomas Richardson

Analysis of the Binary IV Model or The case of the missing 9 dimensions Thomas Richardson Department of Statistics University of Washington This is joint work with James Robins (Harvard). Outline 1. The binary IV potential outcomes model

156 views • 15 slides
Lecture 3: Binary image analysis Thursday, Sept 6 Sudheendras office hours Mon, Wed

Lecture 3: Binary image analysis Thursday, Sept 6 Sudheendras office hours Mon, Wed

Lecture 3: Binary image analysis Thursday, Sept 6 Sudheendras office hours Mon, Wed 1-2 pm ENS 31NR Forsyth and Ponce book Binary images Two pixel values Foreground and background Regions of interest

1.13k views • 78 slides
QSynth - A Program Synthesis approach for Binary Code Deobfuscation Binary Analysis Workshop -

QSynth - A Program Synthesis approach for Binary Code Deobfuscation Binary Analysis Workshop -

QSynth - A Program Synthesis approach for Binary Code Deobfuscation Binary Analysis Workshop - NDSS Robin David &lt;rdavid@quarkslab.com&gt; Luigi Coniglio &lt;luigi.coniglio@studenti.unitn.it&gt; Mariano Ceccato &lt;mariano.ceccato@univr.it&gt;

1.12k views • 82 slides
How to Grow a TREE from CBASS Interactive Binary Analysis for Security Professionals Lixin

How to Grow a TREE from CBASS Interactive Binary Analysis for Security Professionals Lixin

How to Grow a TREE from CBASS Interactive Binary Analysis for Security Professionals Lixin (Nathan) Li, Xing Li, Loc Nguyen, James E. Just Outline Background Interactive Binary Analysis with TREE and CBASS Demonstrations

1.06k views • 67 slides
The Power of Binary 0, 1, 10, 11, 100, 101, 110, 111... What is Binary? a binary number

The Power of Binary 0, 1, 10, 11, 100, 101, 110, 111... What is Binary? a binary number

The Power of Binary 0, 1, 10, 11, 100, 101, 110, 111... What is Binary? a binary number is a number expressed in the binary numeral system, or base-2 numeral system, which represents numeric values using two different symbols: typically

485 views • 19 slides
Playing with Binary Analysis Deobfuscation of VM based software protection Jonathan Salwan,

Playing with Binary Analysis Deobfuscation of VM based software protection Jonathan Salwan,

Playing with Binary Analysis Deobfuscation of VM based software protection Jonathan Salwan, Sbastien Bardin and Marie-Laure Potet SSTIC 2017 Topic Binary protection Virtualization-based software protection Automatic

933 views • 72 slides
Binary Image Analysis Segmentation produces homogenous regions each region has uniform

Binary Image Analysis Segmentation produces homogenous regions each region has uniform

Binary Image Analysis Segmentation produces homogenous regions each region has uniform gray-level each region is a binary image ( 0 : background, 1 : object or the reverse) more intensity values for overlapping regions

875 views • 30 slides
LECTURE 2 Review 1 Binary Math and Assembly BINARY MATH In this section, we review Binary

LECTURE 2 Review 1 Binary Math and Assembly BINARY MATH In this section, we review Binary

LECTURE 2 Review 1 Binary Math and Assembly BINARY MATH In this section, we review Binary to decimal conversions and vice versa IEEE 754 Floating point representations Binary Arithmetic Decimal representation of binary numbers

1.66k views • 118 slides
Binary There are 10 types of people in the world those that understand binary and those

Binary There are 10 types of people in the world those that understand binary and those

Binary There are 10 types of people in the world those that understand binary and those that dont. What is binary? You and I write numbers like this: twelve is 12, sixty eight is 68, and one hundred is 100 Binary is a number

525 views • 26 slides
Program analysis for security Two main classes Static: Operates on source or binary at

Program analysis for security Two main classes Static: Operates on source or binary at

Program analysis for security Two main classes Static: Operates on source or binary at rest Dynamic: Operates at runtime Also hybrids of the two Static: Examples Code review Grep Taint analysis Symbolic

726 views • 49 slides
A Quick Review Decimal to binary Binary to decimal Binary to hexadecimal

A Quick Review Decimal to binary Binary to decimal Binary to hexadecimal

A Quick Review Decimal to binary Binary to decimal Binary to hexadecimal Hexadecimal to binary Hexadecimal to Decimal Binary addition Binary subtraction Binary shift Decimal to Binary 146d = ????????b 146/2

91 views • 7 slides
Binary Numbers Calculate your age Binary &amp; decimal differences In binary 1 represents

Binary Numbers Calculate your age Binary &amp; decimal differences In binary 1 represents

Binary Numbers Calculate your age Binary &amp; decimal differences In binary 1 represents on Fun Facts Why 10 digits? Because and the 0 represents off people typically have 10 fingers and 10 toes, making it easy for counting! 2

119 views • 10 slides
HI-CFG: Construction by Dynamic Binary Analysis, and Application to Attack Polymorphism Dan

HI-CFG: Construction by Dynamic Binary Analysis, and Application to Attack Polymorphism Dan

HI-CFG: Construction by Dynamic Binary Analysis, and Application to Attack Polymorphism Dan Caselden, Alex Bazhanyuk, Mathias Payer , Stephen McCamant, Dawn Song, UC Berkeley Recovering Information Knowledge of information (data) flow and

694 views • 32 slides
BEOWULF STRUCTURAL ANALYSIS I. BINARY STRUCTURE J.R.R. Tolkien The poem is essentially

BEOWULF STRUCTURAL ANALYSIS I. BINARY STRUCTURE J.R.R. Tolkien The poem is essentially

BEOWULF STRUCTURAL ANALYSIS I. BINARY STRUCTURE J.R.R. Tolkien The poem is essentially balance, an opposition of endings and beginnings. In simple terms, it is a contrasted description of two moments in a great life, rising and

359 views • 7 slides
Binary Tree Iterators and Properties Displayable Binary Trees Displayable Binary Trees (next

Binary Tree Iterators and Properties Displayable Binary Trees Displayable Binary Trees (next

Binary Tree Iterators and Properties Displayable Binary Trees Displayable Binary Trees (next assignment) DE DEPARTMENT OF OF COM OMPUTER S SCIENCE &amp; &amp; SO SOFTW TWARE RE E ENGINEERI RING PI PICN CNIC SA SATU TURD RDAY

709 views • 41 slides
rev.ng A unified static binary analysis framework Alessandro Di Federico PhD student at

rev.ng A unified static binary analysis framework Alessandro Di Federico PhD student at

rev.ng A unified static binary analysis framework Alessandro Di Federico PhD student at Politecnico di Milano LLVM developers meeting 2016 November 3, 2016 Index Introduction A peek inside Recovery of switch cases Function detection

908 views • 53 slides
A practical GLMM example: Network meta- analysis of studies of binary outcomes occurrence of

A practical GLMM example: Network meta- analysis of studies of binary outcomes occurrence of

A practical GLMM example: Network meta- analysis of studies of binary outcomes occurrence of exacerbations in COPD patients 2015-10-07 H. Schmidt, G. Nehmiz Workshop of 4 WGs, Wrzburg Overview (1) Introduction (2) Estimation methods

442 views • 30 slides
Avatar - Enhancing Binary Firmware Security Analysis with Dynamic Multi-Target Orchestration

Avatar - Enhancing Binary Firmware Security Analysis with Dynamic Multi-Target Orchestration

CRYPTACUS Workshop Nijmegen, 16 - 18 November 2017 Avatar - Enhancing Binary Firmware Security Analysis with Dynamic Multi-Target Orchestration Marius Muench &lt;marius.muench@eurecom.fr&gt; PART I Avatar - Enhancing Binary Firmware

1.04k views • 26 slides

More recommend