binsec binary level semantic analysis to the rescue
play

BINSEC: Binary-level Semantic Analysis to the Rescue S ebastien - PowerPoint PPT Presentation

Feb 14, 2023 •644 likes •1.27k views

BINSEC: Binary-level Semantic Analysis to the Rescue S ebastien Bardin joint work with Richard Bonichon, Robin David, Adel Djoudi, Benjamin Farinier, Josselin Feist, Laurent Mounier, Marie-Laure Potet, Thanh Dihn Ta, Franck V edrine CEA

  1. BINSEC: Binary-level Semantic Analysis to the Rescue S´ ebastien Bardin joint work with Richard Bonichon, Robin David, Adel Djoudi, Benjamin Farinier, Josselin Feist, Laurent Mounier, Marie-Laure Potet, Thanh Dihn Ta, Franck V´ edrine CEA LIST (Paris-Saclay, France) BINSEC team RMLL 2016: The Security Track 1/ 44

  2. About the BINSEC project A research project : funded by ANR (2013-2017) axis 1 (security) and 2 (software engineering) formal techniques for binary-level security analysis Partners : CEA (coordinator) , Airbus Group, INRIA Bretagne Atlantique, Universit´ e Grenoble Alpes, Universit´ e de Lorraine People : S´ ebastien Bardin, Fr´ ed´ eric Besson, Sandrine Blazy, Guillaume Bonfante, Richard Bonichon, Robin David, Adel Djoudi, Benjamin Farinier, Josselin Feist, Colas Le Guernic, Jean-Yves Marion, Laurent Mounier, Marie-Laure Potet, Than Dihnh Ta, Franck V´ edrine, Pierre Wilke, Sara Zennou Platform : CEA, Universit´ e Grenoble Alpes BINSEC team RMLL 2016: The Security Track 2/ 44

  3. Takeaway Binary-level security analysis many applications, many challenges syntactic and dynamic methods are not sufficient Semantic approaches can help ! semantic exploration, semantic disassembly yet, still hard to design The BINSEC Platform [CEA & Uni. Grenoble Alpes] open source, dual goal : ◮ help design new binary-level analyzers (basic building blocks) ◮ provide innovative analyzers current : multi-architecture support, semantic exploration & semantic disassembly, poc on vulnerability analysis and deobfuscation still young : beta-version just released [http ://binsec.gforge.inria.fr/] BINSEC team RMLL 2016: The Security Track 3/ 44

  4. About my lab @CEA CEA LIST, Software Safety & Security Lab rigorous tools for building high-level quality software 2nd part of V-cycle automatic software analysis mostly source code BINSEC team RMLL 2016: The Security Track 4/ 44

  5. About formal verification Between Software Engineering and Theoretical Computer Science Goal = proves correctness in a mathematical way Key concepts : M | = ϕ Kind of properties absence of runtime error M : semantic of the program pre/post-conditions ϕ : property to be checked | = : algorithmic check temporal properties BINSEC team RMLL 2016: The Security Track 5/ 44

  6. From (a logician’s) dream to reality Industrial reality in some key areas, especially safety-critical domains hardware, aeronautics [airbus], railroad [metro 14], smartcards, drivers [Windows], certified compilers [CompCert] and OS [Sel4], etc. Ex : Airbus Verification of runtime errors [Astr´ ee] functional correctness [Frama-C ⋆ ] numerical precision [Fluctuat ⋆ ] source-binary conformance [CompCert] ressource usage [Absint] ⋆ : by CEA DILS/LSL BINSEC team RMLL 2016: The Security Track 6/ 44

  7. From (a logician’s) dream to reality Industrial reality in some key areas, especially safety-critical domains hardware, aeronautics [airbus], railroad [metro 14], smartcards, drivers [Windows], certified compilers [CompCert] and OS [Sel4], etc. Ex : Microsoft Verification of drivers [SDV] conformance to MS driver policy home developers and third-party developers Things like even software verification , this has been the Holy Grail of computer science for many decades but now in some very key areas , for example, driver verification we’re building tools that can do actual proof about the software and how it works in order to guarantee the reliability. - Bill Gates (2002) BINSEC team RMLL 2016: The Security Track 6/ 44

  8. Benefits of binary-level analysis Outline Preambule Benefits of binary-level analysis Challenges of binary-level analysis Semantic approaches BINSEC platform Achievements Conclusion BINSEC team RMLL 2016: The Security Track 7/ 44

  9. Benefits of binary-level analysis Binary-level software analysis BINSEC team RMLL 2016: The Security Track 8/ 44

  10. Benefits of binary-level analysis What for ? (1) How much do you trust your external components ? BINSEC team RMLL 2016: The Security Track 9/ 44

  11. Benefits of binary-level analysis What for ? (2) How much do you trust your compiler ? BINSEC team RMLL 2016: The Security Track 10/ 44

  12. Benefits of binary-level analysis What for ? (2) Security bug introduced by a non-buggy compiler void getPassword(void) { char pwd [64]; if (GetPassword(pwd,sizeof(pwd))) { /* checkpassword */ } memset(pwd,0,sizeof(pwd)); } Optimizing compilers may remove dead code pwd never accessed after memset Thus can be safely removed And allows the password to stay longer in memory Mentioned in OpenSSH CVE-2016-0777 BINSEC team RMLL 2016: The Security Track 11/ 44

  13. Benefits of binary-level analysis What for ? (3) Is it Stuxnet ? BINSEC team RMLL 2016: The Security Track 12/ 44

  14. Challenges of binary-level analysis Outline Preambule Benefits of binary-level analysis Challenges of binary-level analysis Semantic approaches BINSEC platform Achievements Conclusion BINSEC team RMLL 2016: The Security Track 13/ 44

  15. Challenges of binary-level analysis Binary-level security analysis Several major security analyses are performed at byte-level vulnerability analysis [exploit finding] malware dissection and detection [deobfuscation] State-of-the-technique very skilled experts, many efforts and basic tools dynamic analysis : gdb, fuzzing [easy to miss behaviours] syntactic analysis : objdump, IDA Pro [easy to get fooled] BINSEC team RMLL 2016: The Security Track 14/ 44

  16. Challenges of binary-level analysis Binary-level security analysis Several major security analyses are performed at byte-level vulnerability analysis [exploit finding] malware dissection and detection [deobfuscation] State-of-the-technique very skilled experts, many efforts and basic tools dynamic analysis : gdb, fuzzing [easy to miss behaviours] syntactic analysis : objdump, IDA Pro [easy to get fooled] state-of-the-art tools are not enough ! BINSEC team RMLL 2016: The Security Track 14/ 44

  17. Challenges of binary-level analysis Challenge : correct disassembly Input an executable code (array of bytes) an initial address a basic decoder : file × address �→ instruction × size Output : (surapproximation of) the program Control-Flow Graph problem : successors of jmp eax ? BINSEC team RMLL 2016: The Security Track 15/ 44

  18. Challenges of binary-level analysis Limits of syntactic approaches Ex : IDA is fooled by simple syntactic tricks With IDA BINSEC team RMLL 2016: The Security Track 16/ 44

  19. Challenges of binary-level analysis Even worse : obfuscated code Understand or recognize malware despite obfuscation ◮ self-modifying code, virtual machines ◮ opaque predicates, stack tampering, etc. BINSEC team RMLL 2016: The Security Track 17/ 44

  20. Challenges of binary-level analysis Challenges : vulnerabilities Use-after-free (UaF) – CWE-416 dangling pointer on deallocated-then-reallocated memory may lead to arbitrary data/code read, write or execution standard vulnerability in C/C++ applications (e.g. web browsers) . firefox (CVE-2014-1512), chrome (CVE-2014-1713) 1 char ∗ l ogi n , ∗ passwords ; l o g i n =(char ∗ ) malloc ( . . . ) ; [ . . . ] 3 f r e e ( l o g i n ) ; // login is now a dangling pointer [ . . . ] 5 passwords=(char ∗ ) malloc ( . . . ) ; // may re-allocate memory of *login [ . . . ] 7 p r i n t f ( ”%s \ n” , l o g i n ) ; // security threat : may print the passwords ! BINSEC team RMLL 2016: The Security Track 18/ 44

  21. Challenges of binary-level analysis Limits of dynamic analysis Find a needle in the heap ! sequence of events, importance of aliasing strongly depend on implem of malloc and free BINSEC team RMLL 2016: The Security Track 19/ 44

  22. Binary-level semantic approaches Outline Preambule Benefits of binary-level analysis Challenges of binary-level analysis Semantic approaches BINSEC platform Achievements Conclusion BINSEC team RMLL 2016: The Security Track 20/ 44

  23. Binary-level semantic approaches Our proposal : binary-level semantic analysis Semantic tools help make sense of binary Develop the next generation of binary-level tools ! motto : leverage formal methods from safety critical systems Challenges source-level �→ binary-level safety �→ security many (complex) architectures BINSEC team RMLL 2016: The Security Track 21/ 44

  24. Binary-level semantic approaches BINSEC approach leverage powerful methods from formal software analysis pragmatic formal methods (combination, tradeoffs, etc.) common basic analysis + dedicated analysis (vuln., malware) BINSEC team RMLL 2016: The Security Track 22/ 44

  25. Binary-level semantic approaches Focus : modelling Example of x86 more than 1,000 instructions . ≈ 400 basic . + float, interrupts, mmx many side-effects error-prone decoding . addressing modes, prefixes, ... BINSEC team RMLL 2016: The Security Track 23/ 44

  26. Binary-level semantic approaches Focus : modelling lhs := rhs goto addr, goto expr ite(cond)? goto addr : goto addr’ assume, assert, nondet, malloc, free Intermediate Representation [cav11] architecture independent (really) reduced set of instructions . 9 instructions, less than 30 operators simple, clear semantic, no side-effect BINSEC team RMLL 2016: The Security Track 23/ 44

Recommend

Binsec A Binary Analysis Platform BlackHoodie December, 07th 2019 Binsec team:

Binsec A Binary Analysis Platform BlackHoodie December, 07th 2019 Binsec team:

Binsec A Binary Analysis Platform BlackHoodie December, 07th 2019 Binsec team: Sbastien Bardin, Richard Bonichon, Lesly-Ann Daniel, Robin David, Adel Djoudi, Benjamin Farinier, Josselin Feist, Guillaume Girol, Matthieu Lemerre,

830 views • 15 slides
BINARY-LEVEL SECURITY: SEMANTIC ANALYSIS TO THE RESCUE Sbastien Bardin (CEA LIST) Joint work

BINARY-LEVEL SECURITY: SEMANTIC ANALYSIS TO THE RESCUE Sbastien Bardin (CEA LIST) Joint work

BINARY-LEVEL SECURITY: SEMANTIC ANALYSIS TO THE RESCUE Sbastien Bardin (CEA LIST) Joint work with Richard Bonichon, Robin David, Adel Djoudi & many other people Sbastien Bardin -- ISSISP 2017 | 1 ABOUT MY LAB @CEA Sbastien Bardin

1.11k views • 87 slides
Binsec/RelSE Efficient Constant-Time Analysis of Binary-Level Code with Relational Symbolic

Binsec/RelSE Efficient Constant-Time Analysis of Binary-Level Code with Relational Symbolic

Binsec/RelSE Efficient Constant-Time Analysis of Binary-Level Code with Relational Symbolic Execution Supervisors: Author: Lesly-Ann Daniel Sbastien Bardin CEA LIST CEA LIST Tamara Rezk Oct 2018 - Oct 2021 INRIA Sophia Antipolis

777 views • 38 slides
Binsec/RelSE Efficient Constant-Time Analysis of Binary-Level Code with Relational Symbolic

Binsec/RelSE Efficient Constant-Time Analysis of Binary-Level Code with Relational Symbolic

Binsec/RelSE Efficient Constant-Time Analysis of Binary-Level Code with Relational Symbolic Execution Lesly-Ann Daniel Sbastien Bardin Tamara Rezk CEA LIST, France CEA LIST, France INRIA, France IEEE Symposium on Security and Privacy May

464 views • 25 slides
Outline Introduction Dynamic Symbolic Execution Binsec/SE Demo CEA - - 2/11 Introduction The

Outline Introduction Dynamic Symbolic Execution Binsec/SE Demo CEA - - 2/11 Introduction The

BINSEC/SE: A Dynamic Symbolic Execution Toolkit for Binary-level Analysis Robin David S ebastien Bardin Thanh Dinh Ta Josselin Feist Laurent Mounier Marie-Laure Potet Jean-Yves Marion SANER 2016, Osaka, Japan, March 16th Outline

467 views • 22 slides
DEOBFUSCATION: SEMANTIC ANALYSIS TO THE RESCUE Sbastien Bardin (CEA LIST) Robin David (CEA

DEOBFUSCATION: SEMANTIC ANALYSIS TO THE RESCUE Sbastien Bardin (CEA LIST) Robin David (CEA

DEOBFUSCATION: SEMANTIC ANALYSIS TO THE RESCUE Sbastien Bardin (CEA LIST) Robin David (CEA LIST, QuarksLab) Jean-Yves Marion (LORIA) Sbastien Bardin et al. Dagstuhl2017 | 1 IN A NUTSHELL Challenge: malware deobfuscation

641 views • 36 slides
Get the VM Local network ssid binsec@ssprew password binsec@ssprew Access ip 10.10.10.254

Get the VM Local network ssid binsec@ssprew password binsec@ssprew Access ip 10.10.10.254

Get the VM Local network ssid binsec@ssprew password binsec@ssprew Access ip 10.10.10.254 user guest password (leave the field empty) Or through one of the USB flash drives or from https://rbonichon.github.io/posts/ssprew-17/ This

1.26k views • 90 slides
(FWE-RRK 3:1/FWE-RRK 5:1) R-ALF RESCUE KIT 3:1 / 5:1 Australia The Ferno R-ALF Rescue Kit is a

(FWE-RRK 3:1/FWE-RRK 5:1) R-ALF RESCUE KIT 3:1 / 5:1 Australia The Ferno R-ALF Rescue Kit is a

Doc ID: 00332-V1_R-ALF-RESCUE-KIT_Instructions USER INSTRUCTIONS (FWE-RRK 3:1/FWE-RRK 5:1) R-ALF RESCUE KIT 3:1 / 5:1 Australia The Ferno R-ALF Rescue Kit is a 3:1 or 5:1 ratio mechanical advantage lift system for work positioning, rescue or

195 views • 4 slides
Semantic Analysis CMSC 35100 Natural Language Processing May 8, 2003 Roadmap Semantic

Semantic Analysis CMSC 35100 Natural Language Processing May 8, 2003 Roadmap Semantic

Semantic Analysis CMSC 35100 Natural Language Processing May 8, 2003 Roadmap Semantic Analysis Motivation: Understanding commands Approach I: Syntax-driven semantic analysis Augment productions with semantic component

333 views • 16 slides
Semantic Analysis/Checking Symbol tables Semantic analysis: the final part of analysis half of

Semantic Analysis/Checking Symbol tables Semantic analysis: the final part of analysis half of

Semantic Analysis/Checking Symbol tables Semantic analysis: the final part of analysis half of compilation Key data structure during semantic analysis, code generation afterwards comes synthesis half of compilation Stores info about names

215 views • 5 slides
Semantic Analysis and Semantic Roles Ling 571 Deep Processing Techniques for NLP February 10,

Semantic Analysis and Semantic Roles Ling 571 Deep Processing Techniques for NLP February 10,

Semantic Analysis and Semantic Roles Ling 571 Deep Processing Techniques for NLP February 10, 2016 Roadmap Semantic Analysis Semantic attachments Extended example Quantifier scope Earley Parsing and Semantics

588 views • 15 slides
Semantic Analysis The role of semantic analysis in a compiler A laundry list of tasks

Semantic Analysis The role of semantic analysis in a compiler A laundry list of tasks

Outline Semantic Analysis The role of semantic analysis in a compiler A laundry list of tasks Scope Static vs. Dynamic scoping Implementation: symbol tables Types Statically vs. Dynamically typed languages

251 views • 9 slides
Semantic Analysis The role of semantic analysis in a compiler A laundry list of tasks

Semantic Analysis The role of semantic analysis in a compiler A laundry list of tasks

Outline Semantic Analysis The role of semantic analysis in a compiler A laundry list of tasks Scope Static vs. Dynamic scoping Implementation: symbol tables Types Static analyses that detect type errors

134 views • 10 slides
Semantic Analysis Outline The role of semantic analysis in a compiler A laundry list

Semantic Analysis Outline The role of semantic analysis in a compiler A laundry list

Semantic Analysis Outline The role of semantic analysis in a compiler A laundry list of tasks Scope Static vs. Dynamic scoping Implementation: symbol tables Types Static analyses that detect type errors

481 views • 37 slides
Semantic Similarity MultiJEDI ERC 259234 Semantic Similarity Semantic Similarity Mostly

Semantic Similarity MultiJEDI ERC 259234 Semantic Similarity Semantic Similarity Mostly

SemEval 2014 Task-3 Cross-Level Semantic Similarity MultiJEDI ERC 259234 Semantic Similarity Semantic Similarity Mostly focused on similar types of lexical items Semantic Similarity What if we have different types of inputs? CLSS:

971 views • 47 slides
What levels of linguistic rep resentation determine o r constrain the semantic level?

What levels of linguistic rep resentation determine o r constrain the semantic level?

What levels of linguistic rep resentation determine o r constrain the semantic level? W e b elieve that the f-structure is the p rima ry level that con- strains semantic interp retation. Of course, info

966 views • 10 slides
Semantic Analysis Chapter 5 Semantic Analysis Determine static properties of programs

Semantic Analysis Chapter 5 Semantic Analysis Determine static properties of programs

Semantic Analysis Chapter 5 Semantic Analysis Determine static properties of programs association between definitions and applied occurrences of variables and other names scope and visibility of names, escaping names types

661 views • 20 slides
Pixel-Level Im Image Understanding wit ith Semantic Segmentation and Panoptic Segmentation

Pixel-Level Im Image Understanding wit ith Semantic Segmentation and Panoptic Segmentation

Pixel-Level Im Image Understanding wit ith Semantic Segmentation and Panoptic Segmentation Hengshuang Zhao The Chinese University of Hong Kong May 29, 2019 Part I: I: Semantic Segmentation Semantic Segmentation background car person

510 views • 39 slides
Binary Image Analysis Segmentation produces homogenous regions each region has uniform

Binary Image Analysis Segmentation produces homogenous regions each region has uniform

Binary Image Analysis Segmentation produces homogenous regions each region has uniform gray-level each region is a binary image ( 0 : background, 1 : object or the reverse) more intensity values for overlapping regions

875 views • 30 slides
Be a Binary Rockst r An Introduction to Program Analysis with Binary Ninja Agenda

Be a Binary Rockst r An Introduction to Program Analysis with Binary Ninja Agenda

Be a Binary Rockst r An Introduction to Program Analysis with Binary Ninja Agenda Motivation Current State of Program Analysis Design Goals of Binja Program Analysis Building Tools 2 Motivation 3 Tooling - Concrete ->

963 views • 77 slides
Where We Are Source code Lexical, Syntax, and if (b == 0) a = b; Semantic Analysis IR

Where We Are Source code Lexical, Syntax, and if (b == 0) a = b; Semantic Analysis IR

Where We Are Source code Lexical, Syntax, and if (b == 0) a = b; Semantic Analysis IR Generation Low-level IR code Optimizations Optimized Low-level IR code Assembly code Assembly code generation cmp $0,%rcx cmovz %rax,%rdx 1 Low IR

777 views • 42 slides
Compiling Techniques Lecture 8: Semantic Analysis Christophe Dubach 5 October 2018 Christophe

Compiling Techniques Lecture 8: Semantic Analysis Christophe Dubach 5 October 2018 Christophe

Introduction Name Analysis Compiling Techniques Lecture 8: Semantic Analysis Christophe Dubach 5 October 2018 Christophe Dubach Compiling Techniques Introduction Semantic Analysis Name Analysis Beyond Syntax There is a level of

420 views • 22 slides
Compiling Techniques Lecture 8: Semantic Analysis Christophe Dubach 3 October 2019 Christophe

Compiling Techniques Lecture 8: Semantic Analysis Christophe Dubach 3 October 2019 Christophe

Introduction Name Analysis Compiling Techniques Lecture 8: Semantic Analysis Christophe Dubach 3 October 2019 Christophe Dubach Compiling Techniques Introduction Semantic Analysis Name Analysis Beyond Syntax There is a level of

603 views • 22 slides
The BINCOA Framework for Binary Code Analysis S ebastien Bardin, Philippe Herrmann, J er

The BINCOA Framework for Binary Code Analysis S ebastien Bardin, Philippe Herrmann, J er

The BINCOA Framework for Binary Code Analysis S ebastien Bardin, Philippe Herrmann, J er ome Leroux, Olivier Ly, Renaud Tabary, Aymeric Vincent CEA LIST (Saclay, Paris) LABRI (Bordeaux) 1/ 13 Binary code analysis 2/ 13 Binary code

149 views • 14 slides

More recommend