dynamic analysis kung fu with panda
play

Dynamic Analysis Kung-Fu with PANDA This work is sponsored in part - PowerPoint PPT Presentation

Sep 01, 2022 •240 likes •913 views

Dynamic Analysis Kung-Fu with PANDA This work is sponsored in part under Air Force contract FA8721- 05-C-0002. Opinions, interpretations, conclusions, and recommendations are those of the authors and are not necessarily endorsed by the

  1. Dynamic Analysis Kung-Fu with PANDA This work is sponsored in part under Air Force contract FA8721- 05-C-0002. Opinions, interpretations, conclusions, and recommendations are those of the authors and are not necessarily endorsed by the United States Government. Georgia Tech Brendan Dolan-Gavitt MIT Lincoln Lab Tim Leek MIT Lincoln Lab Josh Hodosh MIT Lincoln Lab Ryan Whelan

  2. About Me (moyix) • PhD student at Georgia Tech • Some stuff I’ve done • pdbparse – python parser for MS PDBs • Volatility – VAD plugins, volshell, GUI analysis • PANDA – what this talk is about!

  4. What is PANDA? • P latform for • A rchitecture • N eutral • D ynamic • A nalysis

  5. What is PANDA? You can write plugins • P latform for • A rchitecture • N eutral • D ynamic • A nalysis

  6. What is PANDA? You can write plugins • P latform for Supports x86, ARM � • A rchitecture and MIPS • N eutral • D ynamic • A nalysis

  7. What is PANDA? You can write plugins • P latform for Supports x86, ARM � • A rchitecture and MIPS • N eutral • D ynamic Static analysis is hard • A nalysis

  8. What is PANDA? You can write plugins • P latform for Supports x86, ARM � • A rchitecture and MIPS • N eutral • D ynamic Static analysis is hard • A nalysis (and often imprecise, � slow, hard to scale)

  9. Features • Based on QEMU 1.0.1 • Deterministic record/replay • Translation to LLVM for all QEMU architectures (extended from S2E code) • Android emulator support • Plugin architecture – easy to extend to new analyses

  10. Record/Replay CPU Outside World == Friday? == 0x45? >= 0x80?

  11. Record/Replay CPU Outside World Get Current Date == Fri May 23 11:33:27 Friday? == 0x45? >= 0x80?

  12. Record/Replay CPU Outside World Get Current Date == Fri May 23 11:33:27 Friday? == 0x45? >= 0x80?

  13. Record/Replay CPU Outside World Get Current Date == Fri May 23 11:33:27 Friday? 0x0000: 4500 002c 0000 4000 0x0008: 4006 6b48 127e 0021 Recv Packet == 0x0010: 5dae 5f37 01bb bed4 0x0018: fccd 820f d690 0847 0x45? 0x0020: 6012 3908 cfa2 0000 0x0028: 0204 05b4 >= 0x80?

  14. Record/Replay CPU Outside World Get Current Date == Fri May 23 11:33:27 Friday? 0x0000: 4500 002c 0000 4000 0x0008: 4006 6b48 127e 0021 Recv Packet == 0x0010: 5dae 5f37 01bb bed4 0x0018: fccd 820f d690 0847 0x45? 0x0020: 6012 3908 cfa2 0000 0x0028: 0204 05b4 >= 0x80?

  15. Record/Replay CPU Outside World Get Current Date == Fri May 23 11:33:27 Friday? 0x0000: 4500 002c 0000 4000 0x0008: 4006 6b48 127e 0021 Recv Packet == 0x0010: 5dae 5f37 01bb bed4 0x0018: fccd 820f d690 0847 0x45? 0x0020: 6012 3908 cfa2 0000 0x0028: 0204 05b4 >= 0x80?

  16. Record/Replay CPU Outside World Get Current Date == Fri May 23 11:33:27 Friday? 0x0000: 4500 002c 0000 4000 0x0008: 4006 6b48 127e 0021 Recv Packet == 0x0010: 5dae 5f37 01bb bed4 0x0018: fccd 820f d690 0847 0x45? 0x0020: 6012 3908 cfa2 0000 0x0028: 0204 05b4 Record Log >= 0x80?

  17. Sharing is Caring

  18. LLVM Translation 0x8260a634: push esp 0x8260a635: push ebp 0x8260a636: push ebx 0x8260a637: push esi 0x8260a638: push edi 0x8260a639: sub esp,0x54 0x8260a63c: mov ebp,esp 0x8260a63e: mov DWORD PTR [ebp+0x44],eax 0x8260a641: mov DWORD PTR [ebp+0x40],ecx 0x8260a644: mov DWORD PTR [ebp+0x3c],edx 0x8260a647: test DWORD PTR [ebp+0x70],0x20000 0x8260a64e: jne 0x8260a60c

  19. LLVM Translation movi_i64 tmp4,$0x8260a634 st_i64 tmp4,env,$0x80 ---- 0x8260a634 movi_i64 tmp12,$0x8260a634 st_i64 tmp12,env,$0xdae0 ld_i64 tmp12,env,$0xdad0 movi_i64 tmp13,$0x1 add_i64 tmp12,tmp12,tmp13 st_i64 tmp12,env,$0xdad0 mov_i64 tmp0,rsp mov_i64 tmp2,rsp movi_i64 tmp12,$0xfffffffffffffffc add_i64 tmp2,tmp2,tmp12 movi_i64 tmp12,$0xffffffff and_i64 tmp2,tmp2,tmp12 [ … ]

  20. LLVM Translation define private i64 @tcg-llvm-tb-0-8260a634(i64*) { entry: %1 = getelementptr i64* %0, i32 0 %env_v = load i64* %1 %2 = add i64 %env_v, 128 %3 = inttoptr i64 %2 to i64* store i64 2187372084, i64* %3 store volatile i64 2, i64* inttoptr (i64 29543856 to i64*) store volatile i64 2187372084, i64* inttoptr (i64 29543864 to i64*) %4 = add i64 %env_v, 56032 %5 = inttoptr i64 %4 to i64* store i64 2187372084, i64* %5 %6 = add i64 %env_v, 56016 [ … ]

  21. Android Emulation • Supports Android 2.x – 4.2 • Can make phone calls, send SMS, run native apps • Record/replay • Introspection into Android apps (Dalvik-level) for Android 2.3 (from DroidScope) • System-level introspection supported on all Android versions

  22. Plugin Architecture • Extend PANDA by writing plugins • Implement functions that take action at various instrumentation points • Can also instrument generated code in LLVM mode

  23. Translation Execution Guest Code TCG IR � � Basic Block 0x8260a634: push esp movi_i64 tmp12,$0x8260a634 0x8260a635: push ebp st_i64 tmp12,env,$0xdae0 0x8260a636: push ebx ld_i64 tmp12,env,$0xdad0 LLVM IR � %2 = add i64 %env_v, 128 %3 = inttoptr i64 %2 to i64* store i64 2187372084, i64* %3 � Basic Block � Basic Block

  24. Translation Execution PANDA_CB_BEFORE_BLOCK_TRANSLATE Guest Code TCG IR � � Basic Block 0x8260a634: push esp movi_i64 tmp12,$0x8260a634 0x8260a635: push ebp st_i64 tmp12,env,$0xdae0 0x8260a636: push ebx ld_i64 tmp12,env,$0xdad0 LLVM IR � %2 = add i64 %env_v, 128 %3 = inttoptr i64 %2 to i64* store i64 2187372084, i64* %3 � Basic Block � Basic Block

  25. Translation Execution PANDA_CB_BEFORE_BLOCK_TRANSLATE Guest Code TCG IR � � Basic Block 0x8260a634: push esp movi_i64 tmp12,$0x8260a634 0x8260a635: push ebp st_i64 tmp12,env,$0xdae0 0x8260a636: push ebx ld_i64 tmp12,env,$0xdad0 LLVM IR � %2 = add i64 %env_v, 128 %3 = inttoptr i64 %2 to i64* store i64 2187372084, i64* %3 � PANDA_CB_INSN_TRANSLATE Basic Block � Basic Block

  26. Translation Execution PANDA_CB_BEFORE_BLOCK_TRANSLATE Guest Code TCG IR � � Basic Block 0x8260a634: push esp movi_i64 tmp12,$0x8260a634 0x8260a635: push ebp st_i64 tmp12,env,$0xdae0 0x8260a636: push ebx ld_i64 tmp12,env,$0xdad0 LLVM IR � %2 = add i64 %env_v, 128 %3 = inttoptr i64 %2 to i64* store i64 2187372084, i64* %3 � PANDA_CB_INSN_TRANSLATE Basic Block PANDA_CB_AFTER_BLOCK_TRANSLATE � Basic Block

  27. Translation Execution PANDA_CB_BEFORE_BLOCK_TRANSLATE PANDA_CB_BEFORE_BLOCK_EXEC Guest Code TCG IR � � Basic Block 0x8260a634: push esp movi_i64 tmp12,$0x8260a634 0x8260a635: push ebp st_i64 tmp12,env,$0xdae0 0x8260a636: push ebx ld_i64 tmp12,env,$0xdad0 LLVM IR � %2 = add i64 %env_v, 128 %3 = inttoptr i64 %2 to i64* store i64 2187372084, i64* %3 � PANDA_CB_INSN_TRANSLATE Basic Block PANDA_CB_AFTER_BLOCK_TRANSLATE � Basic Block

  28. Translation Execution PANDA_CB_BEFORE_BLOCK_TRANSLATE PANDA_CB_BEFORE_BLOCK_EXEC Guest Code TCG IR � � Basic Block 0x8260a634: push esp movi_i64 tmp12,$0x8260a634 0x8260a635: push ebp st_i64 tmp12,env,$0xdae0 0x8260a636: push ebx ld_i64 tmp12,env,$0xdad0 LLVM IR PANDA_CB_AFTER_BLOCK_EXEC � %2 = add i64 %env_v, 128 %3 = inttoptr i64 %2 to i64* store i64 2187372084, i64* %3 � PANDA_CB_INSN_TRANSLATE Basic Block PANDA_CB_AFTER_BLOCK_TRANSLATE � Basic Block

  29. Translation Execution PANDA_CB_BEFORE_BLOCK_TRANSLATE PANDA_CB_BEFORE_BLOCK_EXEC Guest Code TCG IR � � Basic Block 0x8260a634: push esp movi_i64 tmp12,$0x8260a634 0x8260a635: push ebp st_i64 tmp12,env,$0xdae0 0x8260a636: push ebx ld_i64 tmp12,env,$0xdad0 LLVM IR PANDA_CB_AFTER_BLOCK_EXEC � %2 = add i64 %env_v, 128 %3 = inttoptr i64 %2 to i64* store i64 2187372084, i64* %3 � PANDA_CB_INSN_TRANSLATE Basic Block PANDA_CB_AFTER_BLOCK_TRANSLATE PANDA_CB_VIRT_MEM_READ PANDA_CB_VIRT_MEM_WRITE PANDA_CB_PHYS_MEM_READ PANDA_CB_PHYS_MEM_WRITE � Basic Block

  30. Translation Execution PANDA_CB_BEFORE_BLOCK_TRANSLATE PANDA_CB_BEFORE_BLOCK_EXEC Guest Code TCG IR � � Basic Block 0x8260a634: push esp movi_i64 tmp12,$0x8260a634 0x8260a635: push ebp st_i64 tmp12,env,$0xdae0 0x8260a636: push ebx ld_i64 tmp12,env,$0xdad0 LLVM IR PANDA_CB_AFTER_BLOCK_EXEC � %2 = add i64 %env_v, 128 %3 = inttoptr i64 %2 to i64* store i64 2187372084, i64* %3 � PANDA_CB_INSN_TRANSLATE Basic Block PANDA_CB_AFTER_BLOCK_TRANSLATE PANDA_CB_VIRT_MEM_READ PANDA_CB_VIRT_MEM_WRITE PANDA_CB_PHYS_MEM_READ PANDA_CB_PHYS_MEM_WRITE � Basic Block PANDA_CB_GUEST_HYPERCALL

  31. And many more… • On HDD read / write • Network packet send / receive • When page directory base changes (e.g., CR3) • When replay starts

  32. What Can You Do With It? • An answer in three demos: • Using taint to analyze a backdoored ssh- keygen • Breaking Spotify DRM • Live memory visualization with Hilbert curves

  33. Scenario • Backdoored ssh-keygen that exfiltrates passphrase and private key • We’re going to analyze: 1. Take recording of ssh-keygen 2. Run replay, taint the passphrase 3. What’s that tainted data doing in send() ?

Recommend

PanDA in Nutshell PanDA = Production and Distributed Analysis System Designed to meet

PanDA in Nutshell PanDA = Production and Distributed Analysis System Designed to meet

PanDA Tadashi Maeno (BNL) NPPS meeting, Jun 19 PanDA in Nutshell PanDA = Production and Distributed Analysis System Designed to meet ATLAS production/analysis requirements for a data-driven workload management system capable of

553 views • 10 slides
Statistics and Data Analysis Regression Analysis (3) Ling-Chieh Kung Department of Information

Statistics and Data Analysis Regression Analysis (3) Ling-Chieh Kung Department of Information

Residual analysis Case study: bike rentals Statistics and Data Analysis Regression Analysis (3) Ling-Chieh Kung Department of Information Management National Taiwan University Regression Analysis (3) 1 / 21 Ling-Chieh Kung (NTU IM)

460 views • 21 slides
Panda: Production and Distributed Analysis System Tadashi Maeno (BNL) on behalf of PANDA team

Panda: Production and Distributed Analysis System Tadashi Maeno (BNL) on behalf of PANDA team

Panda: Production and Distributed Analysis System Tadashi Maeno (BNL) on behalf of PANDA team Overview PanDA Production and Distributed Analysis Designed for analysis as well as production New system developed by US ATLAS team

186 views • 18 slides
Statistics and Data Analysis Regression Analysis (1) Ling-Chieh Kung Department of Information

Statistics and Data Analysis Regression Analysis (1) Ling-Chieh Kung Department of Information

Introduction Least square approximation Model validation Variable transformation and selection Statistics and Data Analysis Regression Analysis (1) Ling-Chieh Kung Department of Information Management National Taiwan University Regression

501 views • 37 slides
Statistics and Data Analysis Descriptive Statistics (2): Summarization Ling-Chieh Kung

Statistics and Data Analysis Descriptive Statistics (2): Summarization Ling-Chieh Kung

Central tendency Variability Correlation Statistics and Data Analysis Descriptive Statistics (2): Summarization Ling-Chieh Kung Department of Information Management National Taiwan University Descriptive Statistics 1 / 33 Ling-Chieh Kung

338 views • 33 slides
Statistics and Data Analysis Regression Analysis (2) Ling-Chieh Kung Department of Information

Statistics and Data Analysis Regression Analysis (2) Ling-Chieh Kung Department of Information

Ticket selling Indicator variables Interaction among variables Endogeneity Statistics and Data Analysis Regression Analysis (2) Ling-Chieh Kung Department of Information Management National Taiwan University Regression Analysis (2) 1 / 35

457 views • 35 slides
Model Checking Dynamic Datapaths Aurojit Panda, Katerina Argyraki, Scott Shenker UC Berkeley,

Model Checking Dynamic Datapaths Aurojit Panda, Katerina Argyraki, Scott Shenker UC Berkeley,

Model Checking Dynamic Datapaths Aurojit Panda, Katerina Argyraki, Scott Shenker UC Berkeley, ICSI, EPFL Networks: Not Just for Delivery Enforce a variety of invariants: Packet Isolation: Packets from A can not reach B Content

585 views • 42 slides
Introduction to Dynamic Analysis Reference material Introduction to dynamic analysis Zhu,

Introduction to Dynamic Analysis Reference material Introduction to dynamic analysis Zhu,

Introduction to Dynamic Analysis Reference material Introduction to dynamic analysis Zhu, Hong, Patrick A. V. Hall, and John H. R. May, "Software Unit Test Coverage and Adequacy," ACM Computing Surveys, vol. 29, no.4, pp.

1.03k views • 58 slides
Statistics and Data Analysis A Brief Introduction to Data Mining Ling-Chieh Kung Department of

Statistics and Data Analysis A Brief Introduction to Data Mining Ling-Chieh Kung Department of

Classification Association Clustering Statistics and Data Analysis A Brief Introduction to Data Mining Ling-Chieh Kung Department of Information Management National Taiwan University Introduction to Data Mining 1 / 59 Ling-Chieh Kung (NTU

713 views • 59 slides
MA111: Contemporary mathematics Exam is Nov 19. HW is due Nov 19. Context: How to share? The

MA111: Contemporary mathematics Exam is Nov 19. HW is due Nov 19. Context: How to share? The

. $ 6 Today we investigate fair division. The friends are leaving the store, who should get which movie? $9 $12 $ 6 WALL-E $9 $ 6 $12 Kung Fu Panda $6 $ 6 . Momma Mia! Chad Bart Adam They each think they paid for different movies:

290 views • 9 slides
Physics Analysis Concepts with PandaRoot (3) PANDA Lecture Week 2017 GSI, Dec 11 - 15, 2017

Physics Analysis Concepts with PandaRoot (3) PANDA Lecture Week 2017 GSI, Dec 11 - 15, 2017

Physics Analysis Concepts with PandaRoot (3) PANDA Lecture Week 2017 GSI, Dec 11 - 15, 2017 Klaus Gtzen GSI Darmstadt Topics Effective Analysis - Working with ROOT TTrees Event Generators: EvtGen, DPM, FTF, Box Generator

1.22k views • 51 slides
Statistics and Data Analysis Introduction to Probability (1) Ling-Chieh Kung Department of

Statistics and Data Analysis Introduction to Probability (1) Ling-Chieh Kung Department of

Basic concepts Independent events Random variables Descriptive measurements Statistics and Data Analysis Introduction to Probability (1) Ling-Chieh Kung Department of Information Management National Taiwan University Introduction to

287 views • 27 slides
Management Strategies and Dynamic Financial Analysis Dynamic Financial Analysis CAS Spring

Management Strategies and Dynamic Financial Analysis Dynamic Financial Analysis CAS Spring

Management Strategies and Dynamic Financial Analysis Dynamic Financial Analysis CAS Spring Meeting Martin Eling, University of Ulm Thomas Parnitzke, Baloise Holding San Diego, May 23-26, 2010 Hato Schmeiser, University of St. Gallen Hato

639 views • 30 slides
Physics Analysis Concepts with PandaRoot (3) PANDA Computing Week 2017 Nakhon Ratchasima,

Physics Analysis Concepts with PandaRoot (3) PANDA Computing Week 2017 Nakhon Ratchasima,

Physics Analysis Concepts with PandaRoot (3) PANDA Computing Week 2017 Nakhon Ratchasima, Thailand, July 3 - 7, 2017 Klaus Gtzen GSI Darmstadt Topics Effective Analysis - Working with ROOT TTrees Event Generators: EvtGen, DPM,

808 views • 51 slides
Analysis Tools in PandaRoot GlueX PANDA Workshop 2019 Washington, GW, May 3 - 5, 2019 Klaus

Analysis Tools in PandaRoot GlueX PANDA Workshop 2019 Washington, GW, May 3 - 5, 2019 Klaus

Analysis Tools in PandaRoot GlueX PANDA Workshop 2019 Washington, GW, May 3 - 5, 2019 Klaus Gtzen GSI Darmstadt Topics Performing analysis Only briefly The Rho Analysis Framework discussed PandaRoot Tools Previewing

1.34k views • 94 slides
Physics Analysis Concepts with PandaRoot (1) PANDA Computing Week 2017 Nakhon Ratchasima,

Physics Analysis Concepts with PandaRoot (1) PANDA Computing Week 2017 Nakhon Ratchasima,

Physics Analysis Concepts with PandaRoot (1) PANDA Computing Week 2017 Nakhon Ratchasima, Thailand, July 3 - 7, 2017 Klaus Gtzen GSI Darmstadt Topics Data Levels Data Access (PndAnalysis) Analysis Basics Particle Candidates

727 views • 37 slides
Panda Hill Niobium Cradle Definitive Feasibility Study Panda Hill Managing Director E:

Panda Hill Niobium Cradle Definitive Feasibility Study Panda Hill Managing Director E:

For additional information contact: Grant Davey Thankyou Panda Hill Niobium Cradle Definitive Feasibility Study Panda Hill Managing Director E: admin@cradleresources.com.au Investor Update April 2016 T +61 8 9389 2000 Project Panda Hill

345 views • 12 slides
PANDA PV archiving Alexandru Mario Bragadireanu, Particle Physics Department, IFIN-HH M gurele

PANDA PV archiving Alexandru Mario Bragadireanu, Particle Physics Department, IFIN-HH M gurele

PANDA PV archiving Alexandru Mario Bragadireanu, Particle Physics Department, IFIN-HH M gurele PANDA DCS core group meeting, 08 February 2018, e-Zuce PANDA DCS Architecture HESR <-> PANDA magnets -> Experiment services <->

373 views • 19 slides
Today Amortized analysis Dynamic tables Amortized Analysis and Splay Trees Splay

Today Amortized analysis Dynamic tables Amortized Analysis and Splay Trees Splay

Today Amortized analysis Dynamic tables Amortized Analysis and Splay Trees Splay trees Inge Li Grtz CLRS Chapter 17 Je ff Erickson notes Dynamic tables Dynamic tables Problem. Have to assign size of table at initialization.

365 views • 11 slides
Statistics and Data Analysis Probability Ling-Chieh Kung Department of Information Management

Statistics and Data Analysis Probability Ling-Chieh Kung Department of Information Management

Random variables Expectation and variances Continuous distributions Normal distribution Statistics and Data Analysis Probability Ling-Chieh Kung Department of Information Management National Taiwan University Probability 1 / 41 Ling-Chieh

538 views • 41 slides
Supporting PHP Dynamic Analysis in PHP AiR Mark Hills 13th International Workshop on Dynamic

Supporting PHP Dynamic Analysis in PHP AiR Mark Hills 13th International Workshop on Dynamic

Supporting PHP Dynamic Analysis in PHP AiR Mark Hills 13th International Workshop on Dynamic Analysis (WODA 2015) October 26, 2015 Pittsburgh, Pennsylvania, USA http://www.rascal-mpl.org 1 PHP AiR: PHP Analysis in Rascal PHP AiR: a framework

528 views • 16 slides
Simulation of cooling system for PANDA electromagnetic calorimeter using CFD PANDA Collaboration

Simulation of cooling system for PANDA electromagnetic calorimeter using CFD PANDA Collaboration

FACULTY OF MECHANICAL ENGINEERING UNIVERSITY OF WEST BOHEMIA Simulation of cooling system for PANDA electromagnetic calorimeter using CFD PANDA Collaboration Meeting Darmstadt, November 2018 Ing. Michal VOLF volfm@kke.zcu.cz +420 608 282

392 views • 12 slides
Kung Fu Tea u Kung Fu Tea is a unique bubble tea store. The goal of this marketing plan is

Kung Fu Tea u Kung Fu Tea is a unique bubble tea store. The goal of this marketing plan is

EXECUTIVE SUMMARY Kung Fu Tea u Kung Fu Tea is a unique bubble tea store. The goal of this marketing plan is Marketing to outline the strategies, tactics and programs that will change the face of the store. Plan u Since marketing will play a

459 views • 3 slides
The PANDA Project Guy P. Brasseur Jan. 2015 Objective of the PANDA Project To establish a

The PANDA Project Guy P. Brasseur Jan. 2015 Objective of the PANDA Project To establish a

The PANDA Project Guy P. Brasseur Jan. 2015 Objective of the PANDA Project To establish a team of European and Chinese scientists who will jointly use space observations and in-situ data as well as advanced numerical models to monitor,

982 views • 64 slides

More recommend