binary level security
play

BINARY-LEVEL SECURITY: SEMANTIC ANALYSIS TO THE RESCUE Sbastien - PowerPoint PPT Presentation

Oct 29, 2023 •223 likes •1.11k views

BINARY-LEVEL SECURITY: SEMANTIC ANALYSIS TO THE RESCUE Sbastien Bardin (CEA LIST) Joint work with Richard Bonichon, Robin David, Adel Djoudi & many other people Sbastien Bardin -- ISSISP 2017 | 1 ABOUT MY LAB @CEA Sbastien Bardin

  1. BINARY-LEVEL SECURITY: SEMANTIC ANALYSIS TO THE RESCUE Sébastien Bardin (CEA LIST) Joint work with Richard Bonichon, Robin David, Adel Djoudi & many other people Sébastien Bardin -- ISSISP 2017 | 1

  2. ABOUT MY LAB @CEA Sébastien Bardin -- ISSISP 2017 | 2

  3. IN A NUTSHELL • Binary-level security analysis: many applications, many challenges • Standard techniques (dynamic, syntactic) not enough • Formal methods can help … but must be strongly adapted [Complement existing methods] • Need robustness, precision and scalability! • Acceptable to lose both correctness & completeness – in a controlled way • New challenges and variations, many things to do! • • A tour on how formal methods can help • Explore and discover -- with Josselin Feist • Prove infeasibility or validity -- with Robin David Simplify (not covered here) -- with Jonathan Salwan • Sébastien Bardin -- ISSISP 2017 | 3

  4. OUTLINE • Focus mostly on Symbolic Execution • Why binary-level analysis? • Give hints for abstract Interpretation • Some background on source-level formal methods • The hard journey from source to binary • A few case-studies Cover both • vulnerability detection • Conclusion • deobfuscation Sébastien Bardin -- ISSISP 2017 | 4

  5. OUTLINE • Why binary-level analysis? • Some background on source-level formal methods • The hard journey from source to binary • A few case-studies • Conclusion Sébastien Bardin -- ISSISP 2017 | 5

  6. BENEFITS No source code More precise analysis Malware What for: vulnerabilities, reverse (malware, legacy), protection evaluation, etc. Sébastien Bardin -- ISSISP 2017 | 6

  7. EXAMPLE: COMPILER BUG Our goal here: • Check the code after compilation Sébastien Bardin -- ISSISP 2017 | 7

  8. EXAMPLE: MALWARE COMPREHENSION APT: highly sophisticated attacks The day after: malware comprehension • understand what has been going on • Targeted malware • mitigate, fix and clean • Written by experts • Attack: 0-days • improve defense • Defense: stealth, obfuscation • Sponsored by states or mafia USA elections: DNC Hack Highly challenging [obfuscation] Sébastien Bardin -- ISSISP 2017 | 8

  9. CHALLENGE: CORRECT DISASSEMBLY Basic reverse problem • aka model recovery • aka CFG recovery Sébastien Bardin -- ISSISP 2017 | 9

  10. • code – data CAN BE TRICKY! • dynamic jumps (jmp eax) Sébastien Bardin -- ISSISP 2017 | 10

  11. STATE-OF-THE-ART TOOLS ARE NOT ENOUGH Just add mov %eax,%ecx mov %ecx,%eax and break results • Static (syntactic): too fragile • Dynamic: too incomplete Sébastien Bardin -- ISSISP 2017 | 11

  12. [See later] CAN BECOME A NIGHTMARE WHEN OBFUSCATED Sébastien Bardin -- ISSISP 2017 | 12

  13. EXAMPLE: VULNERABILITY DETECTION Find vulnerabilities before the bad guys • On the whole program • At binary-level • Know only the entry point and program input format Sébastien Bardin -- ISSISP 2017 | 13

  14. EXAMPLE: VULNERABILITY DETECTION Sébastien Bardin -- ISSISP 2017 | 14

  15. CHALLENGE: In-depth exploration (example: use after free) Dynamic: not enough • Too incomplete Sébastien Bardin -- ISSISP 2017 | 15

  16. BONUS: (MULTI-)ARCHITECTURE SUPPORT Sébastien Bardin -- ISSISP 2017 | 16

  17. THE SITUATION • Binary-level security analysis is necessary • Binary-level security analysis is highly challenging (*) • Standard tools are not enough – experts need better help! (*) i.e., more challenging • Static (syntactic): too fragile than source code analysis • Dynamic: too incomplete Sébastien Bardin -- ISSISP 2017 | 17

  18. SOLUTION? BINARY-LEVEL SEMANTIC ANALYSIS Semantic preserved by compilation or obfuscation Can reason about sets of executions Sébastien Bardin -- ISSISP 2017 | 18

  19. OUTLINE • Why binary-level analysis? • Some background on source-level formal methods • The hard journey from source to binary • A few case-studies • Conclusion Sébastien Bardin -- ISSISP 2017 | 19

  20. BACK IN TIME: THE SOFTWARE CRISIS (1969) Sébastien Bardin -- ISSISP 2017 | 20

  21. ABOUT FORMAL METHODS Success in safety-critical Sébastien Bardin -- ISSISP 2017 | 21

  22. A DREAM COME TRUE … IN CERTAIN DOMAINS Sébastien Bardin -- ISSISP 2017 | 22

  23. A DREAM COME TRUE … IN CERTAIN DOMAINS (2) Sébastien Bardin -- ISSISP 2017 | 23

  24. OVERVIEW OF FORMAL METHODS Semantics • Precise meaning for the domain of evaluation and the effect of instructions • Operational semantics = « interpreter » Properties • From Invariants / reachability to safety/liveness/hyper-properties /… • On software: mostly invariants and reachability Algorithms: • Historically: Weakest precondition, Abstract interpretation, model checking • Correctness: the analysis explores only behaviors of interest • Completeness: the analysis explores at least all behaviors of interest Sébastien Bardin -- ISSISP 2017 | 24

  25. OVERVIEW OF FORMAL METHODS Trends: • Frontier between techniques disappear • master abstraction (correct xor complete) • reduction to logic • sweet spots Representative • Industrial successes at • source-level Next: Adaptation to binary: • • AI: complete (can prove invariants) -- 1977 very different situations • DSE: correct (can find bugs) -- 2005 Sébastien Bardin -- ISSISP 2017 | 25

  26. ABSTRACT INTERPRETATION Sébastien Bardin -- ISSISP 2017 | 26

  27. ABSTRACT INTERPRETATION IN PRACTICE skip Sébastien Bardin -- ISSISP 2017 | 27

  28. ABSTRACT INTERPRETATION IN PRACTICE Key points: • Infinite data: abstract domain • Path explosion: merge • Loops: widening In practice: • Tradeoff between cost and precision • Tradeoff between generic & dedicated domains It is sometimes simple and useful • taint, pointer nullness, typing Big successes: Astrée, Frama-C, Clousot Sébastien Bardin -- ISSISP 2017 | 28

  29. DYNAMIC SYMBOLIC EXECUTION (DSE, Godefroid 2005) Perfect for intensive testing • Correct, relatively complete • No false alarm • Robust • Scale in some ways // incomplete Sébastien Bardin -- ISSISP 2017 | 29

  30. DSE: PATH PREDICATE COMPUTATION (DSE, Godefroid 2005) Sébastien Bardin -- ISSISP 2017 | 30

  31. DSE: GLOBAL PROCEDURE (DSE, Godefroid 2005) Sébastien Bardin -- ISSISP 2017 | 31

  32. ABOUT ROBUSTNESS (imo, the major advantage) « concretization » • Keep going when symbolic reasoning fails • Tune the tradeoff genericity - cost Sébastien Bardin -- ISSISP 2017 | 32

  33. DSE Three key ingredients • Path predicate & solving • Path enumeration • C/S policy Limits • #paths -> better heuristics (?), state merging, distributed search, path pruning, adaptation to coverage objectives, etc. • solving cost -> preprocessing, caching, incremental solving, aggressive concretization (good?) [wait for better solvers  ] • Preconditions/postconditions/advanced stubs Sébastien Bardin -- ISSISP 2017 | 33

  34. DSE: PATH PREDICATE MAY BE COMPLICATED Sébastien Bardin -- ISSISP 2017 | 34

  35. DSE: SEARCH • Search heurstics matters • But no good choice (hint: DFS is often the worst) • The engine must provide flexibility Sébastien Bardin -- ISSISP 2017 | 35

  36. DSE: SEARCH (2) Generic engine • Score each active prefix • Pick the best & expand • Easy encoding of many heuristics Sébastien Bardin -- ISSISP 2017 | 36

  37. C/S POLICIES Sébastien Bardin -- ISSISP 2017 | 37

  38. C/S POLICIES (2) • C/S policy matters • But no good choice • The engine must provide flexibility Sébastien Bardin -- ISSISP 2017 | 38

  39. C/S POLICIES (3) Generic engine • C/S specification • DSE parametrized by C/S Sébastien Bardin -- ISSISP 2017 | 39

  40. OUTLINE • Why binary-level analysis? • Some background on source-level formal methods • The hard journey from source to binary • A few case-studies • Conclusion Sébastien Bardin -- ISSISP 2017 | 40

  41. NOW: BINARY-LEVEL SECURITY Sébastien Bardin -- ISSISP 2017 | 41

  42. THE HARD JOURNEY FROM SOURCE TO BINARY Wanted • robustness • precision • scale Sébastien Bardin -- ISSISP 2017 | 42

  43. ADAPTING DSE and AI to BINARY: two very different stories DSE is quite easy to adapt • thx to SMT solvers (arrays+bitvectors) Problems • thx to concretization • Low-level control: jump eax • yet, performance degrades • Low-level data: memory • Low-level data: flags AI is much more complicated • Even for « normal » code Problem solved: multi-architecture • btw, cannot expect better than • rely on some IR source-level precision Sébastien Bardin -- ISSISP 2017 | 43

  44. FULL DISCLOSURE: the BINSEC tool Still very young! Semantic analysis for binary-level security • Help make sense of binary • more robust than syntactic • more exhaustive than dynamic Some features • Help to recover a simple model • Identify feasible events (+ input) • Identify infeasible events (eg, protections) • Multi-architecture Sébastien Bardin -- ISSISP 2017 | 44

  45. UNDER THE HOOD Sébastien Bardin -- ISSISP 2017 | 45

  46. INTERMEDIATE REPRESENTATION • Concise • Well-defined • Clear, side-effect free Sébastien Bardin -- ISSISP 2017 | 46

Recommend

Binary-Level Software Security Gang Tan Department of CSE, Lehigh University For Joint Summer

Binary-Level Software Security Gang Tan Department of CSE, Lehigh University For Joint Summer

Binary-Level Software Security Gang Tan Department of CSE, Lehigh University For Joint Summer Schools on Cryptography and Principles of Software Security @ Penn State; Jun 1st, 2012 High-Level Languages for Safety/Security 2 Java, C#,

1.54k views • 98 slides
Symbolic execution for binary-level security / 50 3 A number of shades of symbolic execution /

Symbolic execution for binary-level security / 50 3 A number of shades of symbolic execution /

Symbolic execution for binary-level security / 50 3 A number of shades of symbolic execution / / Sbastien Bardin & Richard Bonichon 20180409 CEA LIST 1 1,1,L Model Source qb int foo (int t ) { 0,1,L 0,1,L int y = t * t - 4 * t ;

567 views • 34 slides
Binsec/RelSE Efficient Constant-Time Analysis of Binary-Level Code with Relational Symbolic

Binsec/RelSE Efficient Constant-Time Analysis of Binary-Level Code with Relational Symbolic

Binsec/RelSE Efficient Constant-Time Analysis of Binary-Level Code with Relational Symbolic Execution Lesly-Ann Daniel Sbastien Bardin Tamara Rezk CEA LIST, France CEA LIST, France INRIA, France IEEE Symposium on Security and Privacy May

464 views • 25 slides
Binary Numbers Binary numbers look like this Binary Numbers or Binary Code Binary numbers or

Binary Numbers Binary numbers look like this Binary Numbers or Binary Code Binary numbers or

Binary Numbers Binary numbers look like this Binary Numbers or Binary Code Binary numbers or binary code are used by computers and digital devices to talk to each other. It is used to give commands to the computer or a way to enter data

165 views • 12 slides
Reverse engineering Reverse engineer Did anyone analyze f1 something similar A binary file f2

Reverse engineering Reverse engineer Did anyone analyze f1 something similar A binary file f2

Asm2Vec : Boosting Static Representation Robustness for Binary Clone Search against Code Obfuscation and Compiler Optimization Steven H. H. Ding Benjamin C. M. Fung Philippe Charland Data Mining and Security Lab Mission Critical Cyber Security

625 views • 23 slides
Binary Tree Traversal Methods Preorder Inorder Postorder Level order Preorder

Binary Tree Traversal Methods Preorder Inorder Postorder Level order Preorder

Binary Tree Traversal Methods In a traversal of a binary tree, each element of the binary tree is visited exactly once. During the visit of an element, all action (make a clone, display, evaluate the operator, etc.) with respect to this

305 views • 14 slides
1.00 Lecture 37 Data Structures: TreeMap, HashMap Binary Trees Level Nodes 2 0 0 m e p 2 1

1.00 Lecture 37 Data Structures: TreeMap, HashMap Binary Trees Level Nodes 2 0 0 m e p 2 1

1.00 Lecture 37 Data Structures: TreeMap, HashMap Binary Trees Level Nodes 2 0 0 m e p 2 1 1 2 2 2 d f n v 2 k k Full binary tree has 2 (k+1) -1 nodes Maximum of k steps required to find (or not find) a node E.g. 2

306 views • 13 slides
Binary Stirring: Self-randomizing Instruction Addresses of Legacy x86 Binary Code Papadaki

Binary Stirring: Self-randomizing Instruction Addresses of Legacy x86 Binary Code Papadaki

University of Crete Computer Science Department CS457 Introduction to Information Systems Security Binary Stirring: Self-randomizing Instruction Addresses of Legacy x86 Binary Code Papadaki Eleni 872 Rigakis Nikolaos 2422

513 views • 22 slides
Binary Tree Traversal Methods Preorder Inorder In a traversal of a binary tree, each

Binary Tree Traversal Methods Preorder Inorder In a traversal of a binary tree, each

Binary Tree Traversal Methods Binary Tree Traversal Methods Preorder Inorder In a traversal of a binary tree, each element of Postorder the binary tree is visited exactly once. Level order During the visit of an

406 views • 7 slides
Binary Tree Traversal Methods Preorder Inorder In a traversal of a binary tree, each

Binary Tree Traversal Methods Preorder Inorder In a traversal of a binary tree, each

Binary Tree Traversal Methods Binary Tree Traversal Methods Preorder Inorder In a traversal of a binary tree, each element of Postorder the binary tree is visited exactly once. Level order During the visit of an

408 views • 5 slides
RevARM: A Platform-Agnostic ARM Binary Rewriter for Security Applications * Taegyu Kim, Chung

RevARM: A Platform-Agnostic ARM Binary Rewriter for Security Applications * Taegyu Kim, Chung

RevARM: A Platform-Agnostic ARM Binary Rewriter for Security Applications * Taegyu Kim, Chung Hwan Kim, Hongjun Choi, Yonghwi Kwon, + Brendan Saltaformaggio, Xiangyu Zhang, Dongyan Xu + * Security of ARM platforms ARM platforms have

377 views • 22 slides
Transport Level Security HTTPS SSH CSS322: Security and Cryptography Sirindhorn International

Transport Level Security HTTPS SSH CSS322: Security and Cryptography Sirindhorn International

CSS322 Transport Security Web Security TLS/SSL Transport Level Security HTTPS SSH CSS322: Security and Cryptography Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 28 October 2013

687 views • 32 slides
Chapter 16 Cryptography and Network Transport Level Security Security Chapter 16 Use your

Chapter 16 Cryptography and Network Transport Level Security Security Chapter 16 Use your

Chapter 16 Cryptography and Network Transport Level Security Security Chapter 16 Use your mentality Wake up to reality From the song, "I've Got You under My Skin Fifth Edition by Cole Porter by William Stallings Lecture slides by

300 views • 5 slides
The Power of Binary 0, 1, 10, 11, 100, 101, 110, 111... What is Binary? a binary number

The Power of Binary 0, 1, 10, 11, 100, 101, 110, 111... What is Binary? a binary number

The Power of Binary 0, 1, 10, 11, 100, 101, 110, 111... What is Binary? a binary number is a number expressed in the binary numeral system, or base-2 numeral system, which represents numeric values using two different symbols: typically

485 views • 19 slides
How to Grow a TREE from CBASS Interactive Binary Analysis for Security Professionals Lixin

How to Grow a TREE from CBASS Interactive Binary Analysis for Security Professionals Lixin

How to Grow a TREE from CBASS Interactive Binary Analysis for Security Professionals Lixin (Nathan) Li, Xing Li, Loc Nguyen, James E. Just Outline Background Interactive Binary Analysis with TREE and CBASS Demonstrations

1.06k views • 67 slides
BINSEC: Binary-level Semantic Analysis to the Rescue S ebastien Bardin joint work with

BINSEC: Binary-level Semantic Analysis to the Rescue S ebastien Bardin joint work with

BINSEC: Binary-level Semantic Analysis to the Rescue S ebastien Bardin joint work with Richard Bonichon, Robin David, Adel Djoudi, Benjamin Farinier, Josselin Feist, Laurent Mounier, Marie-Laure Potet, Thanh Dihn Ta, Franck V edrine CEA

1.27k views • 61 slides
LECTURE 2 Review 1 Binary Math and Assembly BINARY MATH In this section, we review Binary

LECTURE 2 Review 1 Binary Math and Assembly BINARY MATH In this section, we review Binary

LECTURE 2 Review 1 Binary Math and Assembly BINARY MATH In this section, we review Binary to decimal conversions and vice versa IEEE 754 Floating point representations Binary Arithmetic Decimal representation of binary numbers

1.66k views • 118 slides
Binary There are 10 types of people in the world those that understand binary and those

Binary There are 10 types of people in the world those that understand binary and those

Binary There are 10 types of people in the world those that understand binary and those that dont. What is binary? You and I write numbers like this: twelve is 12, sixty eight is 68, and one hundred is 100 Binary is a number

525 views • 26 slides
A Tough call : Mitigating Advanced Code-Reuse Attacks At The Binary Level Victor van der Veen,

A Tough call : Mitigating Advanced Code-Reuse Attacks At The Binary Level Victor van der Veen,

A Tough call : Mitigating Advanced Code-Reuse Attacks At The Binary Level Victor van der Veen, Enes Gkta (joint first author) (VU) Moritz Contag, Andre Pawlowski, Thorsten Holz (RUB) Xi Chen, Sanjay Rawat, Herbert Bos, Elias Athanasopoulos,

587 views • 26 slides
Fault attack vulnerability assessment of binary code Cryptography and Security in Computing

Fault attack vulnerability assessment of binary code Cryptography and Security in Computing

Fault attack vulnerability assessment of binary code Cryptography and Security in Computing Systems [CS219], Valencia, Spain January 21, 2019 Jean-Baptiste Brjon Emmanuelle Encrenaz Karine Heydemann Quentin Meunier Son-Tuan Vu Sorbonne

770 views • 34 slides
Accelerate Cycle-Level Multi-Core RISC-V Simulation with Binary Translation Xuan Guo, Robert

Accelerate Cycle-Level Multi-Core RISC-V Simulation with Binary Translation Xuan Guo, Robert

Accelerate Cycle-Level Multi-Core RISC-V Simulation with Binary Translation Xuan Guo, Robert Mullins Department of Computer Science and Technology Both the paper and the slides are made available under CC BY 4.0 Motivation We want to

790 views • 22 slides
Lecture 4 Machine Code 3. Hardware and Softw are 4. High Level Languages 5. Standard input

Lecture 4 Machine Code 3. Hardware and Softw are 4. High Level Languages 5. Standard input

1. Introduction 2. Binary Representation Lecture 4 Machine Code 3. Hardware and Softw are 4. High Level Languages 5. Standard input and output As we have seen, programs exist as binary 6. Operators, expression and statem ents

354 views • 4 slides
Avatar - Enhancing Binary Firmware Security Analysis with Dynamic Multi-Target Orchestration

Avatar - Enhancing Binary Firmware Security Analysis with Dynamic Multi-Target Orchestration

CRYPTACUS Workshop Nijmegen, 16 - 18 November 2017 Avatar - Enhancing Binary Firmware Security Analysis with Dynamic Multi-Target Orchestration Marius Muench <marius.muench@eurecom.fr> PART I Avatar - Enhancing Binary Firmware

1.04k views • 26 slides
YOUR SPEAKER 2016 CHIEF SECURITY OFFICER PRAETORIAN CONSULTING INTERNATIONAL (CYBER

YOUR SPEAKER 2016 CHIEF SECURITY OFFICER PRAETORIAN CONSULTING INTERNATIONAL (CYBER

YOUR SPEAKER 2016 CHIEF SECURITY OFFICER PRAETORIAN CONSULTING INTERNATIONAL (CYBER SECURITY AUTOMATION) 2014 HEAD OF INFORMATION SECURITY WORLDLINE (ATOS GROUP) (LEVEL ONE SERVICE PROVIDER) 2014 CISO LEVEL SECURITY, RISK

266 views • 24 slides

More recommend