dynamic data excavation
play

Dynamic Data Excavation or: Gimme back my symbol table! Asia - PowerPoint PPT Presentation

Nov 27, 2022 •216 likes •808 views

Dynamic Data Excavation or: Gimme back my symbol table! Asia Slowinska Traian Stancescu Herbert Bos VU University Amsterdam Compilation is pseudo-unbreakable code irreversibility assumption Compilation is pseudo-unbreakable code

  1. Dynamic Data Excavation or: “Gimme back my symbol table!” Asia Slowinska Traian Stancescu Herbert Bos VU University Amsterdam

  2. Compilation is pseudo-unbreakable code irreversibility assumption

  3. Compilation is pseudo-unbreakable code irreversibility assumption • Most software available only in binary form — malware analysis is — we do not know what code difficult is doing — forensics is difficult — we cannot fix it — source gets lost

  4. Goals Long term : reverse engineer complex software

  5. Goals Long term : reverse engineer complex software

  6. Goals Long term : reverse engineer complex software

  7. Goals Long term : reverse engineer complex software struct employee { char name [128]; int year; int year; int month; int day; }; struct employee* foo (struct employee* src) { struct employee dst; dst =*src; return src; }

  8. Goals Long term : reverse engineer complex software Short term: reverse engineer data structures struct employee { char name [128]; int year; int year; int month; int day; }; struct employee* foo (struct employee* src) { struct employee dst; dst =*src; return src; }

  9. Goals Long term : reverse engineer complex software Short term: reverse engineer data structures struct s1 { char f1 [128]; char f1 [128]; int f2; int f3; int f4; }; struct s1* foo (struct s1* a1) { struct s1 l1; }

  11. Application I: legacy binary protection • legacy binaries everywhere • we suspect they are vulnerable But… But… How to protect legacy code from memory corruption? Answer: find the buffers and make sure that all accesses to them do not stray beyond array bounds

  12. Application II: binary analysis • we found a suspicious binary � is it malware? • a program crashed � investigate But… But… Without symbols, what can we do? Answer: generate the symbols ourselves!

  13. (demo later)

  14. Example I: binary analysis

  15. Why is it difficult? 1. struct employee { 2. char name[128]; 3. int year; 4. int month; 5. int day 6. }; 7. 8. struct employee e; 9. e.year = 2010;

  16. Why is it difficult? 1. struct employee { 2. char name[128]; 3. int year; 4. int month; ` 5. int day 6. }; 7. 8. struct employee e; 9. e.year = 2010; Instr 1 Instr 2

  17. Data structures: key insight Yes, data is “apparently unstructured” But usage is not!

  18. Data structures: key insight Yes, data is “apparently unstructured” But usage is not!

  19. Data structures: key insight Yes, data is “apparently unstructured” But usage is not! test app DDE Emu KLEE inputs data structures

  20. 2. and A is an address of a Intuition structure, then *(A + 8) is perhaps a field in this structure field3 • Observe how memory field2 is used at runtime to field1 detect data structures A field0 • E.g., if A is a pointer… 1. and A is a function frame pointer, 3. and A is an address of an array, then *(A + 8) is perhaps then *(A + 8) is perhaps a an element of this array function argument fun arg2 elem5 fun arg1 elem4 return addr elem3 A parent EBP elem2 elem1 A elem0

  21. Approach • Track pointers – find root pointers – track how pointers derive from each other • for any address B=A+8, we need to know A. • for any address B=A+8, we need to know A. • Challenges: – missing base pointers • for instance, a field of a struct on the stack may be updated using EBP rather than a pointer to the struct – multiple base pointers • e.g., normal access and memset()

  22. Arrays are tricky • Detection: – looks for chains of accesses in a loop

  23. Arrays are tricky • Detection: – looks for chains of accesses in a loop

  24. Arrays are tricky • Detection: – looks for chains of accesses in a loop

  25. Arrays are tricky • Detection: – looks for chains of accesses in a loop – and sets of accesses with same base in linear space

  26. Interesting challenges structure array 1 array 2 • Example: – Decide which accesses are relevant • Problems caused by e.g., memset- like e.g., memset- like functions Reported by memset

  27. Challenges • Arrays – Nested loops – Consecutive loops – Boundary elements

  28. Final mapping • map access patterns to data structures – static memory : on program exit – heap memory : on free – stack frames – stack frames : on return : on return

  29. What about semantics?

  30. Semantics: key insight Yes, data is “apparently unstructured” But usage is not! Usage (again) reveals semantics Usage (again) reveals semantics

  31. Semantics: key insights Yes, data is “apparently unstructured” But usage is not! Usage (again) reveals semantics Usage (again) reveals semantics

  32. Semantics: key insights Yes, data is “apparently unstructured” But usage is not! Usage (again) reveals semantics Usage (again) reveals semantics

  33. Semantics: key insight Yes, data is “apparently unstructured” But usage is not! Propagate types from sources + sinks

  34. Semantics: key insights Yes, data is “apparently unstructured” But usage is not! Propagate types from sources + sinks

  35. Semantics: key insights Yes, data is “apparently unstructured” But usage is not! Propagate types from sources + sinks

  36. Semantics: key insights Yes, data is “apparently unstructured” But usage is not! Propagate types from sources + sinks

  37. Semantics: key insights Yes, data is “apparently unstructured” But usage is not! Propagate types from sources + sinks

  38. Semantics: key insights Yes, data is “apparently unstructured” But usage is not! Propagate types from sources + sinks ����������������������������

  39. Semantics: key insights Yes, data is “apparently unstructured” But usage is not! Propagate types from sources + sinks ����������������������������

  40. Results

  41. Results

  42. Results

  43. Results

  44. Results

  45. Results

  46. Results

  47. Results

  48. Results

  49. Results

  50. Results

  51. Results

  52. Results

  53. EU FP7 Network of Excellence in Systems Security • consolidate Systems Security research in Europe • promote cybersecurity education • identify threats and vulnerabilities of the Current and Future Internet Current and Future Internet • create active research roadmap in the area • develop a joint working plan to conduct State- of-the-Art collaborative research.

  54. Conclusions • We can recover data structures by tracking memory accesses • We believe we can protect legacy binaries • We need to work on data coverage • We need to work on data coverage http://www.cs.vu.nl/~herbertb/papers/trdatastruct-ir-cs-57.pdf http://www.few.vu.nl/~asia/papers/pdf_files/dde_tr10.pdf

  55. More details

  56. asia@dolphin:~/vu/dynamit_instrumented_binaries/wget$ file wget.gdb wget.gdb: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.15, stripped asia@dolphin:~/vu/dynamit_instrumented_binaries/wget$ gdb -q wget.gdb Reading symbols from /home/asia/vu/dynamit_instrumented_binaries/wget/wget.gdb...done. (gdb) b *0x805adb0 Breakpoint 1 at 0x805adb0 (gdb) run www.google.com [Thread debugging using libthread_db enabled] [Thread debugging using libthread_db enabled] --2010-09-27 15:33:44-- http://www.google.com/ Breakpoint 1, 0x0805adb0 in function0 () (gdb)

  57. (gdb) info scope function0 Scope for function0: Symbol variables_function0 is a variable with complex or multiple locations (DWARF2), length 152. (gdb) print variables_function0 $1 = {field_4_bytes_0 = 0, field_4_bytes_1 = 0, pointer_struct_hostent_0 = 0xbfffeaf0, field_8_bytes_0_unused = 579558798248313200, pointer_char_0 = 0x2cfb14 "\274\t", field_in_addr_t_0 = -1073745296, pointer_struct_1_0 = 0x0, field_1_byte_0_unused = 0 '\000', field_1_byte_0 = 0 '\000', field_1_byte_1 = 0 '\000', field_8_bytes_1_unused = -4611706891964220672, inetaddr_string_0 = 0x80b0170 "www.google.com", field_4_bytes_2 = 0} (gdb) watch variables_function0.pointer_struct_1_0 (gdb) watch variables_function0.pointer_struct_1_0 Hardware watchpoint 2: variables_function0.pointer_struct_1_0 (gdb) continue Resolving www.google.com... Hardware watchpoint 2: variables_function0.pointer_struct_1_0 Old value = (struct struct_1 *) 0x0 New value = (struct struct_1 *) 0x80b2678 0x0805af5f in function0 () (gdb)

Recommend

Excavation, Confined Space & Work Zone Safety Ray Morang Team E.J.Prescott What is an

Excavation, Confined Space & Work Zone Safety Ray Morang Team E.J.Prescott What is an

Excavation, Confined Space & Work Zone Safety Ray Morang Team E.J.Prescott What is an excavation? (1926.650) Excavation - Any man made cut, cavity, trench, or depression in the earths surface. Trench A narrow excavation in

1.02k views • 90 slides
IREDES IREDES Standardized Data Communication in Rock Excavation Standardized Data Communication

IREDES IREDES Standardized Data Communication in Rock Excavation Standardized Data Communication

IREDES IREDES Standardized Data Communication in Rock Excavation Standardized Data Communication in Rock Excavation Con Conten ent Introduc Intro Introduc Intro uctio uctio tion tion Purp Purpose Archi Architecture ture Be Bene

1.11k views • 21 slides
VACUUM EXCAVATION Tricks of the Trade Types of Vacuum Excavation Air Excavation Hydro

VACUUM EXCAVATION Tricks of the Trade Types of Vacuum Excavation Air Excavation Hydro

VACUUM EXCAVATION Tricks of the Trade Types of Vacuum Excavation Air Excavation Hydro Excavation Air Excavation vs. Hydro Excavation ---------------------------------------- ---------------------------------------- Pros Pros

385 views • 25 slides
Geotechnical Monitoring of the Excavation for the Transbay Transit Center Citizens Advisory

Geotechnical Monitoring of the Excavation for the Transbay Transit Center Citizens Advisory

Geotechnical Monitoring of the Excavation for the Transbay Transit Center Citizens Advisory Committee - March 13, 2012 Stephen McLandrich Instrumentation Plan Instrument Types Data Distribution Data Interpretation and Actions

251 views • 12 slides
Provenance in Dynamic Linked Data Marcin Wylot Linking Everything: Dynamic Graphs

Provenance in Dynamic Linked Data Marcin Wylot Linking Everything: Dynamic Graphs

Provenance in Dynamic Linked Data Marcin Wylot Linking Everything: Dynamic Graphs Integrated and summarized uncertain graph data Dynamic physical and logical network of things Necessity to established transparency 2 Data

850 views • 17 slides
New MTT - Approaches 20 Marine Raker Pile Installation New MTT - Approaches Excavation

New MTT - Approaches 20 Marine Raker Pile Installation New MTT - Approaches Excavation

19 New MTT - Approaches 20 Marine Raker Pile Installation New MTT - Approaches Excavation of Approach following installation of SOE and concrete piles Struts and Walers to brace excavation Placement of Inverts, Walls, Roofs

400 views • 18 slides
Notice To Proceed August 8 th , 2008 80,000 cubic yards bulk excavation 80,000 yards of

Notice To Proceed August 8 th , 2008 80,000 cubic yards bulk excavation 80,000 yards of

Notice To Proceed August 8 th , 2008 80,000 cubic yards bulk excavation 80,000 yards of bulk excavation Geo Piers Spread Eng. Fill Footings Caissons 4 Different foundation methods required Benches for CSLM Stone at ice ring

601 views • 42 slides
33 kT Liquid Argon Detector Excavation 50% Conceptual Design Review Outline Overview of 33 kT

33 kT Liquid Argon Detector Excavation 50% Conceptual Design Review Outline Overview of 33 kT

33 kT Liquid Argon Detector Excavation 50% Conceptual Design Review Outline Overview of 33 kT LAr Layout Generalized Development Sequence 33 kT LAr Excavation Sequence Ground Support & Stability Modeling Veto Tube

583 views • 33 slides
ANGRY MODULE EXCAVATION LET'S PLAY WITH DUCT TAPE. Stanislas 'P1kachu' Lejay LSE Week - July

ANGRY MODULE EXCAVATION LET'S PLAY WITH DUCT TAPE. Stanislas 'P1kachu' Lejay LSE Week - July

ANGRY MODULE EXCAVATION LET'S PLAY WITH DUCT TAPE. Stanislas 'P1kachu' Lejay LSE Week - July 14, 2016 1 MODULE EXCAVATION ? Use concolic analysis to explore kernel modules and get informations about their IOCTLs 2 WHAT IS AN IOCTL ? long

798 views • 52 slides
WHO ARE WE? VAC UK are specialists in vacuum excavation We are here to support you with the

WHO ARE WE? VAC UK are specialists in vacuum excavation We are here to support you with the

WHO ARE WE? VAC UK are specialists in vacuum excavation We are here to support you with the latest vacuum excavators and our professional operators to ensure you get your job completed safely, on time and in budget WHY CHOOSE VAC UK?

231 views • 20 slides
Oded Green Going to talk about 2 things A scalable and dynamic data structure for graph

Oded Green Going to talk about 2 things A scalable and dynamic data structure for graph

cuSTINGER A Sparse Dynamic Graph and Matrix Data Structure Oded Green Going to talk about 2 things A scalable and dynamic data structure for graph algorithms and linear algebra based problems A framework for static and dynamic

928 views • 57 slides
KLIC-WIN KLIC-WIN Exchanging geographical information to prevent excavation damage to cables and

KLIC-WIN KLIC-WIN Exchanging geographical information to prevent excavation damage to cables and

KLIC-WIN KLIC-WIN Exchanging geographical information to prevent excavation damage to cables and pipelines in excavation damage to cables and pipelines in the Netherlands; a usecase of INSPIRE Utility Services GWF2014 GWF2014 Ad van Houtum

232 views • 11 slides
Open, extensible dynamic programming systems or just how deep is the dynamic rabbit hole?

Open, extensible dynamic programming systems or just how deep is the dynamic rabbit hole?

DLS, Portland, 2006 10 23 Open, extensible dynamic programming systems or just how deep is the dynamic rabbit hole? Ian Piumarta Viewpoints Research Institute ian@squeakland.org dynamic dynamic? data? extending objects

719 views • 42 slides
16. Dynamic Data Structures A data structure is a particular way of organizing data in a computer

16. Dynamic Data Structures A data structure is a particular way of organizing data in a computer

Data Structures 16. Dynamic Data Structures A data structure is a particular way of organizing data in a computer so that it can be used efficiently Linked lists, Abstract data types stack, queue 395 396 Examples using a Stack Motivation:

226 views • 7 slides
Dynamic Memory Allocation Spring Semester 2011 Programming and Data Structure 51 Basic Idea

Dynamic Memory Allocation Spring Semester 2011 Programming and Data Structure 51 Basic Idea

Dynamic Memory Allocation Spring Semester 2011 Programming and Data Structure 51 Basic Idea Many a time we face situations where data are dynamic in nature. Amount of data cannot be predicted beforehand. Number of data items keeps

452 views • 16 slides
CS261 Data Structures Linked Lists - Introduction Dynamic Arrays Revisited Dynamic array can

CS261 Data Structures Linked Lists - Introduction Dynamic Arrays Revisited Dynamic array can

CS261 Data Structures Linked Lists - Introduction Dynamic Arrays Revisited Dynamic array can sometimes be slow When? Why? Linked Lists to the Rescue Dynamic Array Linked List in memory in memory da LL Alan Newell data head a

420 views • 15 slides
Dictionaries and Dynamic Sets Abstract Data Type (ADT) Dictionary : Insert ( x , D ): inserts x

Dictionaries and Dynamic Sets Abstract Data Type (ADT) Dictionary : Insert ( x , D ): inserts x

CS 5633 -- Spring 2006 Dictionaries and Dynamic Sets Abstract Data Type (ADT) Dictionary : Insert ( x , D ): inserts x into D D is a Delete ( x , D ): deletes x from D dynamic set Find ( x , D ): finds x in D Augmenting Data Structures Popular

235 views • 7 slides
Eraser: A Dynamic Data Race Detector for Multithreaded Programs Review Introduce tool to

Eraser: A Dynamic Data Race Detector for Multithreaded Programs Review Introduce tool to

Eraser: A Dynamic Data Race Detector for Multithreaded Programs Review Introduce tool to help eliminate data races Threads must use mutex locks Finds bugs during dynamic executions Checks shared variables on heap or global vars

275 views • 6 slides
CS3000: Algorithms & Data Jonathan Ullman Lecture 5: Dynamic Programming: Fibonacci

CS3000: Algorithms & Data Jonathan Ullman Lecture 5: Dynamic Programming: Fibonacci

CS3000: Algorithms & Data Jonathan Ullman Lecture 5: Dynamic Programming: Fibonacci Numbers, Interval Scheduling Jan 22, 2020 Dynamic Programming Dont think too hard about the name I thought dynamic programming was a good

397 views • 28 slides
MEDIA LAUNCH PLANNER OVERVIEW One Dynamic Hub The Data Center Exchange is the best of

MEDIA LAUNCH PLANNER OVERVIEW One Dynamic Hub The Data Center Exchange is the best of

MEDIA LAUNCH PLANNER OVERVIEW One Dynamic Hub The Data Center Exchange is the best of print publications, online communities and social networking packaged into one dynamic hub. INFORMATION EXCHANGED It is designed to attract and retain

235 views • 8 slides
xtdpdqml: Quasi-maximum likelihood estimation of linear dynamic short-T panel data models

xtdpdqml: Quasi-maximum likelihood estimation of linear dynamic short-T panel data models

Introduction Dynamic panel data model Stata syntax Example Conclusion xtdpdqml: Quasi-maximum likelihood estimation of linear dynamic short-T panel data models Sebastian Kripfganz University of Exeter Business School, Department of

560 views • 27 slides
Chapter 19 Data Structures - struct -dynamic memory allocation Data Structures A data structure

Chapter 19 Data Structures - struct -dynamic memory allocation Data Structures A data structure

Chapter 19 Data Structures - struct -dynamic memory allocation Data Structures A data structure is a particular organization of data in memory. We want to group related items together. We want to organize these data bundles in a way

951 views • 29 slides
Data Analytics and Dynamic Languages Lee E. Edlefsen, Ph.D. VP of Engineering 1 Overview

Data Analytics and Dynamic Languages Lee E. Edlefsen, Ph.D. VP of Engineering 1 Overview

Data Analytics and Dynamic Languages Lee E. Edlefsen, Ph.D. VP of Engineering 1 Overview Revolution Confidential This is my perspective on the use of dynamic languages (interpreters) for data analytics (statistics) I am a

728 views • 14 slides
16. Dynamic Data Structures so that it can be used efficiently Linked lists, Abstract data types

16. Dynamic Data Structures so that it can be used efficiently Linked lists, Abstract data types

Data Structures A data structure is a particular way of organizing data in a computer 16. Dynamic Data Structures so that it can be used efficiently Linked lists, Abstract data types stack, queue 446 447 Motivation: Stack Examples using a

258 views • 7 slides

More recommend