binrec attack surface reduction through dynamic binary
play

BinRec: Attack Surface Reduction Through Dynamic Binary Recovery - PowerPoint PPT Presentation

May 08, 2023 •1.9k likes •2.55k views

BinRec: Attack Surface Reduction Through Dynamic Binary Recovery Taddeus Kroes, Anil Altinay, Joseph Nash, Yeoul Na, Stijn Volckaert, Herbert Bos, Michael Franz, Cristiano Giuffrida October 19, 2018 Attack Surface Reduction x =

  1. BinRec: Attack Surface Reduction Through Dynamic Binary Recovery Taddeus Kroes, Anil Altinay, Joseph Nash, Yeoul Na, Stijn Volckaert, Herbert Bos, Michael Franz, Cristiano Giuffrida October 19, 2018

  2. Attack Surface Reduction x = getenv(“SET_ME”); if (x) cold_code(); hot_code(); 2

  3. Attack Surface Reduction x = getenv(“SET_ME”); if (x) Buggy features cold_code(); hot_code(); ROP gadgets 3

  4. Attack Surface Reduction x = getenv(“SET_ME”); if (x) Remove unwanted features cold_code(); hot_code(); d e c u d e r e a c r f u s k c a t A t e d o c d e s t e t l - e l w o t 4

  5. Attack Surface Reduction setme_str: .asciz: “SET_ME” push setme_str call getenv Want to work on cmp eax, 0 COTS binaries je main call cold_code main: call hot_code 5

  6. Static approach Input Transformed Transform binary binary 6

  7. Static approach Input Transformed Transform binary binary i n c o m p l e t e d i s a s s e m b l y PIC? obfuscated? 7

  8. Static approach w contains cold h i c h c o d e i s code r e a c h e d ? Input Transformed Transform binary binary i n c o m p l e t e d i s a s s e m b l y PIC? obfuscated? 8

  9. Dynamic approach by BinRec e s c i r e p y b l m e s s a s d i Input Transformed Execute Transform binary binary only hot code 9

  10. Dynamic approach by BinRec Recovery Input Recovered Execute Transform binary binary 10

  11. Dynamic approach by BinRec Recovery Input Recovered Execute Transform binary binary can we make this more generic? 11

  12. BinRec goal: complex binary transformation many applications Attack Surface Reduction / Binary rejuvenation / Input Recovered Execute binary Profile-guided binary optimization / (De)obfuscation / ISA retargeting 12

  13. BinRec goal: complex binary transformation many applications Attack Surface Reduction / Binary rejuvenation / Input Recovered Execute binary Profile-guided binary optimization / (De)obfuscation / ISA retargeting s e r u i q e r l e v e l - h g i h ! e d o c 13

  14. BinRec design Compiler IR Transform Machine Code Input Recovered Execute binary binary 14

  15. BinRec design Compiler IR Transform Lift Lower Machine Code Input Recovered Execute binary binary 15

  16. BinRec design Compiler IR Transform Lift Lower Machine Code Input Recovered Execute binary binary Sometimes we want more code coverage than a single code path 16

  17. BinRec design Compiler IR Transform Lift Lower Machine Code Input Symbolic Recovered binary execution binary Run with “symbolic” input and follow both sides of a branch 17

  18. BinRec design Compiler IR Transform Lift Lower Machine Code Input Symbolic Recovered binary execution binary Want to support multiple architectures Need to observe each instruction 18

  19. BinRec design Compiler IR Transform Lift in VM Lower Machine Code Input Symbolic Recovered binary execution binary , V M i n t e u l a E m I R t o n s c t i o r u n s t e i s l a t a n t r 19

  20. BinRec design Compiler IR Transform Lift in VM Lower Machine Code Input Symbolic Recovered binary execution binary 20

  21. BinRec design Compiler IR Transform Lift in VM Compile Machine Code Input Symbolic Recovered binary execution binary J u s t u s e t h e c o m p i l e r 21

  22. BinRec design Compiler IR Transform Lift in VM Compile Machine Code Input Symbolic Recovered binary execution binary 22

  23. BinRec design Compiler IR Transform Lift in VM Compile Machine Code Input Symbolic Recovered binary execution binary What about unlifted code paths? ... if (getenv(“SET_ME”)) { puts(“thanks!”); // not recovered! } ... 23

  24. BinRec design Compiler IR Transform Lift in VM Compile Machine Code Input Symbolic Recovered binary execution binary What about unlifted code paths? 1. do nothing (breaks conservative behavior) ... getenv(“SET_ME”); ... 24

  25. BinRec design Compiler IR Transform Add errors Lift in VM Compile Machine Code Input Symbolic Recovered binary execution binary What about unlifted code paths? 2. yield error ... if (getenv(“SET_ME”)) { abort(); } ... 25

  26. BinRec design Compiler IR Transform Add errors / fallbacks Lift in VM Compile Machine Code Input Symbolic Recovered binary execution binary What about unlifted code paths? 3. fallback to old code ... if (getenv(“SET_ME”)) { goto old_code_address; } ... 26

  27. BinRec design Compiler IR Transform Add errors / fallbacks Lift in VM Compile Machine Code Input Symbolic Recovered binary execution binary R e f e r e n c e s d a t a f r o m i n p u t b i n a r y 27

  28. BinRec design Compiler IR Transform Add errors / fallbacks Lift in VM Compile Machine Code Link data sections Input Symbolic Recovered binary execution binary 28

  29. BinRec design Compiler IR Transform Add errors / fallbacks Lift in VM Compile Machine Code Link data sections Input Symbolic Recovered binary execution binary IR interacts with VM runtime 29

  30. BinRec design Compiler IR Transform Add errors / fallbacks Lift in VM Compile Machine Code Link data sections Input Symbolic Recovered binary execution binary IR interacts with VM runtime // machine code // Lifted code emit_event(BASIC_BLOCK_START) 0x1000: cpu_state.pc = 0x1000 add ebx, 1 ebx = &cpu_state.registers[R_EBX] jmp 0x1234 *ebx = *ebx + 1 cpu_state.icount++ cpu_state.pc = 0x1234 30 emit_event(BASIC_BLOCK_END)

  31. BinRec design Compiler IR Transform Add errors / fallbacks Lift in VM Compile Machine Code Link data sections Input Symbolic Recovered binary execution binary // machine code // Lifted code emit_event(BASIC_BLOCK_START) 0x1000: cpu_state.pc = 0x1000 add ebx, 1 events, counters ebx = &cpu_state.registers[R_EBX] jmp 0x1234 *ebx = *ebx + 1 cpu_state.icount++ cpu_state.pc = 0x1234 31 emit_event(BASIC_BLOCK_END)

  32. BinRec design Compiler IR Transform Strip emulation Add errors / fallbacks Lift in VM Compile Machine Code Link data sections Input Symbolic Recovered binary execution binary // machine code // Lifted code emit_event(BASIC_BLOCK_START) 0x1000: cpu_state.pc = 0x1000 add ebx, 1 control flow through ebx = &cpu_state.registers[R_EBX] jmp 0x1234 virtual program counter *ebx = *ebx + 1 cpu_state.icount++ registers in CPU state cpu_state.pc = 0x1234 32 emit_event(BASIC_BLOCK_END)

  33. BinRec design Compiler IR Transform Strip emulation Add errors / fallbacks Lift in VM Compile Machine Code Link data sections Input Symbolic Recovered binary execution binary // machine code // Lifted code // stripped code emit_event(BASIC_BLOCK_START) 0x1000: global ebx cpu_state.pc = 0x1000 add ebx, 1 lifted_1000: ebx = &cpu_state.registers[R_EBX] jmp 0x1234 ebx = ebx + 1 *ebx = *ebx + 1 goto lifted_1234 cpu_state.icount++ cpu_state.pc = 0x1234 33 emit_event(BASIC_BLOCK_END)

  34. BinRec design Compiler IR Transform Pre-process Post-process Strip emulation Add errors / fallbacks Lift in VM Compile Machine Code Link data sections Input Symbolic Recovered binary execution binary Needed to prevent over-optimization during transformations (details in paper) 34

  35. This is quite bit of code 35

  36. Implementation Transform Pre-process Post-process Strip emulation Add errors / fallbacks Lift in VM Compile Link data sections Input Symbolic Recovered binary execution binary 36

  37. Implementation Transform Pre-process Post-process Strip emulation Add errors / fallbacks Lift in VM Compile Link data sections S 2 E Input Symbolic Recovered binary execution binary 37

  38. Implementation LLVM Transform Pre-process Post-process Strip emulation Add errors / fallbacks Lift in VM Compile Link data sections S 2 E Input Symbolic Recovered binary execution binary 38

  39. Implementation LLVM Transform Pre-process Post-process Strip emulation Add errors / fallbacks Lift in VM Compile Binutils Link data sections S 2 E Input Symbolic Recovered binary execution binary Bash + Python 39

  40. Case study 40

  41. Transform Pre-process Post-process Strip emulation Add errors / fallbacks Lift in VM Compile Link data sections Input Symbolic Recovered binary execution binary // ab.c int main(int argc, char **argv) { char a = argv[1][0]; char b = argv[1][1]; if (a == 'a') { if (b == 'b') { puts("You entered \"ab\""); } } return 0; } 41

  42. Transform Pre-process Post-process Strip emulation Add errors / fallbacks Lift in VM Compile Link data sections Input Symbolic Recovered binary execution binary 42

  43. Transform Pre-process Post-process Strip emulation Add errors / fallbacks Lift in VM Compile Link data sections Input Symbolic Recovered binary execution binary Raw code is heavily instrumented - event triggers - instruction counter - program counter, registers, flags, etc. stored in CPU state in memory 43

Recommend

BinRec: Dynamic Binary Lifting and Recompilation Anil Altinay , Joseph Nash , Taddeus

BinRec: Dynamic Binary Lifting and Recompilation Anil Altinay , Joseph Nash , Taddeus

BinRec: Dynamic Binary Lifting and Recompilation Anil Altinay , Joseph Nash , Taddeus Kroes Prabhu Rajasekaran, Dixin Zhou, Adrian Dabrowski, David Gens, Yeoul Na, Stijn Volckaert, Cristiano Giuffrida, Herbert Bos, Michael Franz

457 views • 32 slides
HI-CFG: Construction by Dynamic Binary Analysis, and Application to Attack Polymorphism Dan

HI-CFG: Construction by Dynamic Binary Analysis, and Application to Attack Polymorphism Dan

HI-CFG: Construction by Dynamic Binary Analysis, and Application to Attack Polymorphism Dan Caselden, Alex Bazhanyuk, Mathias Payer , Stephen McCamant, Dawn Song, UC Berkeley Recovering Information Knowledge of information (data) flow and

694 views • 32 slides
The cyber attack surface of the aerospace industry Andy Davis, Transport Assurance Practice

The cyber attack surface of the aerospace industry Andy Davis, Transport Assurance Practice

The cyber attack surface of the aerospace industry Andy Davis, Transport Assurance Practice Director Global experts in cyber security & risk mitigation Agenda Space attack surface overview Attacks against terrestrial assets

310 views • 30 slides
TCPDB.DAT case Archive file signatures Attack surface Attack vectors Defense Conclusions P A

TCPDB.DAT case Archive file signatures Attack surface Attack vectors Defense Conclusions P A

Introduction Motivation SAP compression algorithms Archive file programs SAP archive file formats CAR SAR v2.00 SAR v2.01 Relative/absolute paths TCPDB.DAT case Archive file signatures Attack surface Attack vectors

913 views • 49 slides
Identifying Attack Vectors Professor Larry Heimann Web Application Security Information Systems

Identifying Attack Vectors Professor Larry Heimann Web Application Security Information Systems

Identifying Attack Vectors Professor Larry Heimann Web Application Security Information Systems Nothing is in isolation Attack surface An attack surface is the total number of possible attack vectors Think of a house, with the

309 views • 15 slides
Verify what? Navigating the Attack Surface Mark S. Miller, Google Formal Methods meets JavaScript

Verify what? Navigating the Attack Surface Mark S. Miller, Google Formal Methods meets JavaScript

Verify what? Navigating the Attack Surface Mark S. Miller, Google Formal Methods meets JavaScript Imperial College, March 2018 Risk as Attack Surface a Expected Risk: likelihood * damage Potential damage Likelihood of exploitable

592 views • 48 slides
Exploring the IoT attack surface Breaking || Liberating the brave new IoT world. doc.dr.sc.

Exploring the IoT attack surface Breaking || Liberating the brave new IoT world. doc.dr.sc.

Exploring the IoT attack surface Breaking || Liberating the brave new IoT world. doc.dr.sc. Tonimir Kiasondi Sponsored by http://iot.foi.hr Why should i listen to you and not go out for coffee? Well, IoT is the next big hotness

725 views • 55 slides
Dynamic Critical Grading Surfaces Class Summary This demonstration will guide the participant

Dynamic Critical Grading Surfaces Class Summary This demonstration will guide the participant

Dynamic Critical Grading Surfaces Class Summary This demonstration will guide the participant through workflows to leverage surface creation tools to develop a dynamic setup surface based on critical criteria parameters. This base surface can

458 views • 34 slides
Windows Metafiles An Analysis of the EMF Attack Surface & Recent Vulnerabilities Mateusz

Windows Metafiles An Analysis of the EMF Attack Surface & Recent Vulnerabilities Mateusz

Windows Metafiles An Analysis of the EMF Attack Surface & Recent Vulnerabilities Mateusz j00ru Jurczyk PacSec, Tokyo 2016 PS> whoami Project Zero @ Google Low-level security researcher with interest in all sorts of

1.62k views • 150 slides
Fault attack vulnerability assessment of binary code Cryptography and Security in Computing

Fault attack vulnerability assessment of binary code Cryptography and Security in Computing

Fault attack vulnerability assessment of binary code Cryptography and Security in Computing Systems [CS219], Valencia, Spain January 21, 2019 Jean-Baptiste Brjon Emmanuelle Encrenaz Karine Heydemann Quentin Meunier Son-Tuan Vu Sorbonne

770 views • 34 slides
Revolutionizing the Field of Grey-box Attack Surface Testing with Evolutionary Fuzzing Jared

Revolutionizing the Field of Grey-box Attack Surface Testing with Evolutionary Fuzzing Jared

Revolutionizing the Field of Grey-box Attack Surface Testing with Evolutionary Fuzzing Jared DeMott Dr. Richard Enbody @msu.edu Dr. William Punch Black Hat 2007 www.vdalabs.com VDA Labs, LLC Agenda Goals and previous works (1)

683 views • 54 slides
Algorithms Theory 14 Dynamic Programming (3) Optimal binary search trees Prof. Dr. S.

Algorithms Theory 14 Dynamic Programming (3) Optimal binary search trees Prof. Dr. S.

Algorithms Theory 14 Dynamic Programming (3) Optimal binary search trees Prof. Dr. S. Albers Winter term 07/08 Method of dynamic programming Recursive approach: Solve a problem by solving several smaller analogous subproblems of the same

559 views • 16 slides
Generating Low-Overhead Dynamic Binary Translators Mathias Payer and Thomas R. Gross Department

Generating Low-Overhead Dynamic Binary Translators Mathias Payer and Thomas R. Gross Department

Generating Low-Overhead Dynamic Binary Translators Mathias Payer and Thomas R. Gross Department of Computer Science ETH Z rich Motivation Binary Translation (BT) well known technique for late transformations Extend or add

326 views • 29 slides
Binary Search Trees ! A data structures with efficient support for many dynamic set operations:

Binary Search Trees ! A data structures with efficient support for many dynamic set operations:

Binary Search Trees ! A data structures with efficient support for many dynamic set operations: Search/Find Minimum/findMin Maximum/findMax Binary Search Trees Predecessor Successor Insert Delete/Remove ! All

83 views • 4 slides
Moritz Jodeit moritz.jodeit@nruns.com Twitter: @moritzj Agenda Attack Surface Firmware

Moritz Jodeit moritz.jodeit@nruns.com Twitter: @moritzj Agenda Attack Surface Firmware

Moritz Jodeit moritz.jodeit@nruns.com Twitter: @moritzj Agenda Attack Surface Firmware Analysis Device Rooting System Architecture Vulndev Environment Remote H.323 Exploit Post Exploitation Who am I? From Hamburg,

1.13k views • 80 slides
FABRICATION OF SUPER-HYDROPHILIC/HYDROPHOBIC SURFACE AND DRAG REDUCTION EFFECTS S. Lyu 1 , D. C.

FABRICATION OF SUPER-HYDROPHILIC/HYDROPHOBIC SURFACE AND DRAG REDUCTION EFFECTS S. Lyu 1 , D. C.

18 TH INTERNATIONAL CONFERENCE ON COMPOSITE MATERIALS FABRICATION OF SUPER-HYDROPHILIC/HYDROPHOBIC SURFACE AND DRAG REDUCTION EFFECTS S. Lyu 1 , D. C. Nguyen 2 , B. S. Yoon 2 , W. Hwang 1 * 1 Department of Mechanical Engineering, POSTECH, Pohang,

75 views • 4 slides
A Hybrid Lattice Reduction and Quantum Search Attack on LWE F. Gpfert, C. van Vredendaal,

A Hybrid Lattice Reduction and Quantum Search Attack on LWE F. Gpfert, C. van Vredendaal,

A Hybrid Lattice Reduction and Quantum Search Attack on LWE F. Gpfert, C. van Vredendaal, Thomas Wunderer 29.06.2017 | 1 Motivation Primal BKW Embedding LWE Hybrid Dual Embedding Make it quantum! Faster More versatile

553 views • 28 slides
GNUK TOKEN AND GNUPG GNUK TOKEN AND GNUPG SCDAEMON SCDAEMON minimizing the attack surface

GNUK TOKEN AND GNUPG GNUK TOKEN AND GNUPG SCDAEMON SCDAEMON minimizing the attack surface

GNUK TOKEN AND GNUPG GNUK TOKEN AND GNUPG SCDAEMON SCDAEMON minimizing the attack surface NIIBE Yutaka <gniibe@fsij.org> FOSDEM 2018 This is a talk of my experience to have better control (by its user) of computing for privacy

610 views • 37 slides
Binary Numbers Binary numbers look like this Binary Numbers or Binary Code Binary numbers or

Binary Numbers Binary numbers look like this Binary Numbers or Binary Code Binary numbers or

Binary Numbers Binary numbers look like this Binary Numbers or Binary Code Binary numbers or binary code are used by computers and digital devices to talk to each other. It is used to give commands to the computer or a way to enter data

165 views • 12 slides
NTRU Prime A field-based system that reduces (potential) attack surface, while still being fast

NTRU Prime A field-based system that reduces (potential) attack surface, while still being fast

NTRU Prime A field-based system that reduces (potential) attack surface, while still being fast and compact Daniel J. Bernstein, Chitchanok Chuengsatiansup, Tanja Lange, and Christine van Vredendaal 29 June 2018 Bernstein, Chuengsatiansup,

1.18k views • 36 slides
Carbon dioxide reduction on Ir(111): stable hydrocarbon surface species at near-ambient pressure

Carbon dioxide reduction on Ir(111): stable hydrocarbon surface species at near-ambient pressure

Contents Introduction Methods Results Conclusions Carbon dioxide reduction on Ir(111): stable hydrocarbon surface species at near-ambient pressure Manuel Corva Physics department, University of Trieste Iom-CNR February 1-11, 2016 |

513 views • 18 slides
Transcendental lattices and supersingular reduction lattices of a singular K3 surface Keio, 2007

Transcendental lattices and supersingular reduction lattices of a singular K3 surface Keio, 2007

Transcendental lattices and supersingular reduction lattices of a singular K3 surface Keio, 2007 September Ichiro Shimada (Hokkaido University, Sapporo, JAPAN) By a lattice, we mean a finitely generated free Z -module equipped with a

611 views • 31 slides
CSL 860: Modern Parallel Computation Computation PARALLEL ALGORITHM TECHNIQUES: BALANCED BINARY

CSL 860: Modern Parallel Computation Computation PARALLEL ALGORITHM TECHNIQUES: BALANCED BINARY

CSL 860: Modern Parallel Computation Computation PARALLEL ALGORITHM TECHNIQUES: BALANCED BINARY TREE Reduction n operands => log n steps Total work = O(n) How do you map? Balance Binary tree technique Reduction n operands

541 views • 37 slides
Automatic Generation of Efficient Dynamic Binary Translators Fr ed eric P etrot, Luc

Automatic Generation of Efficient Dynamic Binary Translators Fr ed eric P etrot, Luc

Introduction DBT principle Design flow Intermediate Representation Generation Conclusion Automatic Generation of Efficient Dynamic Binary Translators Fr ed eric P etrot, Luc Michel and Nicolas Fournel Tima Laboratory , Grenoble,

686 views • 25 slides

More recommend