
Fun with symbolic execution: Exploit development and deobfuscation (PowerPoint PPT presentation)
Carl Svensson, SEC-T 2018, September 13, 2018


  1. Fun with symbolic execution: Exploit development and deobfuscation. Carl Svensson, SEC-T 2018, September 13, 2018

  2. About me
     • Carl Svensson, 27
     • MSc in Computer Science, KTH
     • Head of Security, Kry
     • CTF-player, HackingForSoju
     • calle.svensson@zeta-two.com
     • @zetatwo
     • https://zeta-two.com

  3. Symbolic execution
     • Pro: Explore "all" paths
     • Symbols vs. concrete values
     • Con: Exponential complexity

  4. angr (Once again, with fee...)
     • "python framework for analyzing binaries"
     • "both static and dynamic symbolic (concolic)"
     • Computer Security Lab at UC Santa Barbara
     • Uses Z3 internally

  5. Exploitation
     • Satisfy condition
     • IP control

  6. Exploitation with angr
     • Constrain execution
     • Find execution path
     • Satisfy condition

  7. Example from Security Fest CTF
     • Index OOB
     • Function pointer lookup
     • Hook messy function

  8. angr exploitation example

  9. angr exploitation example

  10. angr exploitation example

  11. angr exploitation example

  12. angr exploitation example
      > python exploit_angr.py
      Choice: 2147483648
      RDX: fffffffffffffffe
      > ./bowrain_581bbadaafd23051a25ccb4adc80b670
      ... : 2147483648
      [1] 17059 segmentation fault (core dumped)

  13. Deobfuscation

  14. Obfuscation
      • Make code hard to read
        • for humans
        • for computers
      • Control flow flattening
      • Packer
      • Dropper
      • VM
      • Dead code

  15. Deobfuscation in general
      • Hard problem
      • Undo the mess

  16. Deobfuscation of dead code with angr
      • Prove uniqueness of value
      • Prove that dead code is dead

  17. Example: indirect jmp deobfuscator

  18. Example from mobile app
      • Find "jmp reg"
      • Search callgraph backwards
      • Search forward
      • Simplify expression
      • Replace code

  19. Example: indirect jmp deobfuscator

  20. Example: indirect jmp deobfuscator

  21. Example: indirect jmp deobfuscator

  22. Example: indirect jmp deobfuscator

  23. Thanks for listening!
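The "prove uniqueness of value" idea behind slides 16 and 18 (dead-code proof and the indirect jmp deobfuscator), as an added example that is not from the talk and does not use angr's API: a toy 8-bit IR is executed symbolically up to `jmp reg`, the target expression is simplified, and a brute-force enumeration of inputs (an assumption standing in for the Z3 solver angr uses) decides whether the target is unique, in which case the indirect jump is rewritten as a direct one. The instruction names, register names and sample programs are constructed.

```python
from itertools import product

MASK = 0xFF  # toy 8-bit machine keeps the brute-force "solver" small
OPS = {'add': lambda x, y: x + y, 'xor': lambda x, y: x ^ y, 'mul': lambda x, y: x * y}
const = lambda n: ('const', n & MASK)  # exprs: ('const', n) | ('sym', reg) | ('op', name, a, b)

def simplify(e):
    """'Simplify expression': algebraic rewrites that expose hidden constants."""
    if e[0] != 'op':
        return e
    op, a, b = e[1], simplify(e[2]), simplify(e[3])
    if a[0] == 'const' and b[0] == 'const':
        return const(OPS[op](a[1], b[1]))   # constant folding
    if op == 'xor' and a == b:               # x ^ x == 0
        return const(0)
    if op == 'mul' and const(0) in (a, b):   # x * 0 == 0
        return const(0)
    return ('op', op, a, b)

def symbols(e):
    return {e[1]} if e[0] == 'sym' else symbols(e[2]) | symbols(e[3]) if e[0] == 'op' else set()

def evaluate(e, env):
    if e[0] != 'op':
        return e[1] if e[0] == 'const' else env[e[1]]
    return OPS[e[1]](evaluate(e[2], env), evaluate(e[3], env)) & MASK

def possible_values(e):
    """Stand-in for the SMT solver (assumption): enumerate every 8-bit assignment."""
    syms = sorted(symbols(e))
    return {evaluate(e, dict(zip(syms, v))) for v in product(range(MASK + 1), repeat=len(syms))}

def jump_target(program):
    """Forward symbolic execution of the mini IR up to `jmp reg`; unwritten registers stay symbolic."""
    regs = {}
    operand = lambda x: const(x) if isinstance(x, int) else regs.setdefault(x, ('sym', x))
    for i, ins in enumerate(program):
        if ins[0] == 'jmp':                  # 'Find "jmp reg"'
            return i, operand(ins[1])
        if ins[0] == 'mov':
            regs[ins[1]] = operand(ins[2])
        else:                                # add / xor / mul  dst, src
            regs[ins[1]] = ('op', ins[0], operand(ins[1]), operand(ins[2]))
    raise ValueError('no jmp in program')

def deobfuscate(program):
    """'Replace code': if the target is provably unique, make the jump direct."""
    i, expr = jump_target(program)
    values = possible_values(simplify(expr))
    if len(values) != 1:                     # genuinely data-dependent: leave it
        return program
    return program[:i] + [('jmp', values.pop())] + program[i + 1:]
```

The enumeration also catches targets the rewriter cannot fold (e.g. a product that overflows to zero), which is the role the real solver plays; a jump whose target set has more than one member is left alone.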
