lifting program binaries with mcsema
play

Lifting program binaries with McSema Peter Goodman, Akshay Kumar - PowerPoint PPT Presentation

Mar 26, 2024 •126 likes •1.03k views

Lifting program binaries with McSema Peter Goodman, Akshay Kumar Introductions Peter Goodman Akshay Kumar Senior Security Engineer Senior Security Engineer peter@trailofbits.com akshay.kumar@trailofbits.com 2 2 Overview of this workshop

  1. Lifting program binaries with McSema Peter Goodman, Akshay Kumar

  2. Introductions Peter Goodman Akshay Kumar Senior Security Engineer Senior Security Engineer peter@trailofbits.com akshay.kumar@trailofbits.com 2 2

  3. Overview of this workshop (1) □ ○ ○ ○ □ ○ ○ ○ ○ 3

  4. Overview of this workshop (2) □ ○ ○ □ ○ ○ ○ 4

  5. Overview of this workshop (3) □ ○ ○ 5

  6. Introduction to LLVM and McSema

  7. What is LLVM bitcode? □ ○ ○ □ ○ ○ 7

  8. Why is LLVM (and its bitcode) so popular? □ ○ ○ ○ □ ○ ○ ○ 8

  9. From source code, to bitcode, to machine code char *concat(char *a, char *b) { size_t a_len = strlen(a); size_t b_len = strlen(b); char *cat = malloc(a_len + b_len + 1); strcpy(cat, a); strcpy(&(cat[a_len]), b); return cat; } define i8* @concat(i8*, i8*) #0 { %3 = call i64 @strlen(i8* %0) #3 %4 = call i64 @strlen(i8* %1) #3 %5 = add i64 %3, 1 %6 = add i64 %5, %4 %7 = call noalias i8* @malloc(i64 %6) #4 %8 = call i8* @strcpy(i8* %7, i8* %0) #4 %9 = getelementptr inbounds i8, i8* %7, i64 %3 %10 = call i8* @strcpy(i8* %9, i8* %1) #4 ret i8* %7 } 9

  10. … and back again with McSema and FCD! char *concat(char *a, char *b) { size_t a_len = strlen(a); size_t b_len = strlen(b); char *cat = malloc(a_len + b_len + 1); strcpy(cat, a); strcpy(&(cat[a_len]), b); return cat; } define i8* @concat(i8*, i8*) #0 { %3 = call i64 @strlen(i8* %0) #3 %4 = call i64 @strlen(i8* %1) #3 %5 = add i64 %3, 1 %6 = add i64 %5, %4 %7 = call noalias i8* @malloc(i64 %6) #4 %8 = call i8* @strcpy(i8* %7, i8* %0) #4 %9 = getelementptr inbounds i8, i8* %7, i64 %3 %10 = call i8* @strcpy(i8* %9, i8* %1) #4 ret i8* %7 } 10

  11. McSema lifts machine code to bitcode □ ○ □ ○ ▹ ○ □ ○ ○ 11

  12. McSema lifts this stuff to bitcode 12

  13. What a binary looks like in a disassembler 13

  14. What a binary looks like in a disassembler Instructions 14

  15. What a binary looks like in a disassembler Instructions Opcodes / Mnemonics 15

  16. What a binary looks like in a disassembler Instructions Opcodes / Mnemonics Numbers / Offsets 16

  17. What a binary looks like in a disassembler Instructions Opcodes / Mnemonics Numbers / Offsets Registers 17

  18. How registers are lifted to bitcode (1) 18

  19. How registers are lifted to bitcode (2) struct State { }; 19

  20. How registers are lifted to bitcode (3) Memory *__remill_basic_block(State &state, addr_t curr_pc, Memory *memory) { bool branch_taken = false; auto &BRANCH_TAKEN = branch_taken; auto &AH = state.gpr.rax.byte.high; auto &AL = state.gpr.rax.byte.low; auto &AX = state.gpr.rax.word; auto &EAX = state.gpr.rax.dword; auto &RAX = state.gpr.rax.qword; ... 20

  21. How instructions are lifted to bitcode (1) 21

  22. How instructions are lifted to bitcode (2) Memory *lifted_main(State &state, addr_t curr_pc, Memory *memory) { bool branch_taken = false; auto &BRANCH_TAKEN = branch_taken; auto &RDI = state.gpr.rdi.qword; auto &RBP = state.gpr.rbp.qword; auto &RSP = state.gpr.rsp.qword; auto &EAX = state.gpr.rax.dword; memory = PUSH<R64>(memory, state, RBP); memory = MOV<R64W, R64>(memory, state, &RBP, RSP); memory = SUB<R64W, R64, I64>(memory, state, &RSP, RSP, 0x10); memory = MOV<M32W, I32>(memory, state, RBP - 0x4, 0x0); memory = LEA<R64W, M8>(memory, state, &RDI, RBP - 0x4); memory = CALL<PC>(memory, state, 0x…); memory = lifted_verify_pin(state, …, memory); memory = TEST<R32, R32>(memory, state, EAX, EAX); memory = JZ<R8W, PC, PC>(memory, state, &BRANCH_TAKEN, …, …); if (BRANCH_TAKEN) { … } … 22

  23. How instructions are lifted to bitcode (3) Memory *lifted_main(State &state, addr_t curr_pc, Memory *memory) { bool branch_taken = false; auto &BRANCH_TAKEN = branch_taken; auto &RDI = state.gpr.rdi.qword; auto &RBP = state.gpr.rbp.qword; auto &RSP = state.gpr.rsp.qword; auto &EAX = state.gpr.rax.dword; memory = PUSH<R64>(memory, state, RBP); memory = MOV<R64W, R64>(memory, state, &RBP, RSP); memory = SUB<R64W, R64, I64>(memory, state, &RSP, RSP, 0x10); Instructions memory = MOV<M32W, I32>(memory, state, RBP - 0x4, 0x0); memory = LEA<R64W, M8>(memory, state, &RDI, RBP - 0x4); Opcodes / Mnemonics memory = CALL<PC>(memory, state, 0x…); memory = lifted_verify_pin(state, RIP, memory); Numbers / Offsets memory = TEST<R32, R32>(memory, state, EAX, EAX); memory = JZ<R8W, PC, PC>(memory, state, &BRANCH_TAKEN, …, …); Registers if (BRANCH_TAKEN) { … } … 23

  24. How instructions are lifted to bitcode (4) Memory *lifted_main(State &state, addr_t curr_pc, Memory *memory) { auto &RBP = state.gpr.rbp.qword; auto &RSP = state.gpr.rsp.qword; // memory = PUSH<R64>(memory, state, RBP); memory = __remill_write_memory(memory, RSP, RBP); RSP -= 8; // memory = MOV<R64W, R64>(memory, state, &RBP, RSP); RBP = RSP; // memory = SUB<R64W, R64, I64>(memory, state, &RSP, RSP, 0x10); RSP = RSP - 0x10; ZF = RSP == 0x0; // Result is zero flag. … // More flags computations. // memory = MOV<M32W, I32>(memory, state, RBP - 0x4, 0x0); memory = __remill_write_memory_32(memory, RBP - 0x4, 0x0); 24

  25. How instructions are lifted to bitcode (5) define %struct.Memory* @lifted_main(%struct.State*, i64, %struct.Memory*) #2 { entry: … %10 = load i64, i64* %9, align 8 %11 = load i64, i64* %8, align 8, !tbaa !1303 %12 = add i64 %11, -8 %13 = inttoptr i64 %12 to i64* store i64 %10, i64* %13 store i64 %12, i64* %9, align 8, !tbaa !1299 … %20 = add i64 %11, -12 %21 = inttoptr i64 %20 to i32* store i32 0, i32* %21 store i64 %20, i64* %7, align 8, !tbaa !1299 %22 = add i64 %1, -112 %23 = add i64 %1, 24 %24 = add i64 %11, -32 %25 = inttoptr i64 %24 to i64* store i64 %23, i64* %25 store i64 %24, i64* %8, align 8, !tbaa !1299 %26 = tail call %struct.Memory* @lifted_verify_pin(%struct.State* %0, i64 %22, %struct.Memory* %2) … 25

  26. How instructions are lifted to bitcode (6) Original Binary Lifted Bitcode Compiled Bitcode 26

  27. Now you can lift binaries too! □ ○ ○ ○ □ ○ ○ ○ 27

  28. A vulnerable program

  29. Time to apply our newfound knowledge We’ll start with a simple authentication program $ cd ~/mcsema $ git clone git@github.com:trailofbits/issisp-2018.git $ cd issisp-2018 $ cat authenticate.c void admin_control(void); bool verify_pin(bool *is_admin) { void user_control(void); char pin[5]; puts("Enter PIN: "); int main(int argc, char *argv[]) { gets(pin); bool is_admin = false; if (!strcmp(pin, "1337")) { bool is_logged = verify_pin(&is_admin); return true; if (is_admin) { } else if (!strcmp(pin, "w00t")) { admin_control(); *is_admin = true; } else if (is_logged) { return true; user_control(); } else { } else { return false; return EXIT_FAILURE; } } } return EXIT_SUCCESS; } 29

  30. What is done right, and what is wrong? (1) BAD : Never use gets , no way to limit how much input is read void admin_control(void); bool verify_pin(bool *is_admin) { void user_control(void); char pin[5]; puts("Enter PIN: "); int main(int argc, char *argv[]) { gets(pin); bool is_admin = false; if (!strcmp(pin, "1337")) { bool is_logged = verify_pin(&is_admin); return true; if (is_admin) { } else if (!strcmp(pin, "w00t")) { admin_control(); *is_admin = true; } else if (is_logged) { return true; user_control(); } else { } else { return false; return EXIT_FAILURE; } } } return EXIT_SUCCESS; } 30

  31. What is done right, and what is wrong? (2) GOOD-ish : Make sure there’s room for gets to replace the \n with a \0 (NUL char) void admin_control(void); bool verify_pin(bool *is_admin) { void user_control(void); char pin[5]; puts("Enter PIN: "); int main(int argc, char *argv[]) { gets(pin); bool is_admin = false; if (!strcmp(pin, "1337")) { bool is_logged = verify_pin(&is_admin); return true; if (is_admin) { } else if (!strcmp(pin, "w00t")) { admin_control(); *is_admin = true; } else if (is_logged) { return true; user_control(); } else { } else { return false; return EXIT_FAILURE; } } } return EXIT_SUCCESS; } 31

  32. What is done right, and what is wrong? (3) BAD-ish : Not checking is_logged && is_admin void admin_control(void); bool verify_pin(bool *is_admin) { void user_control(void); char pin[5]; puts("Enter PIN: "); int main(int argc, char *argv[]) { gets(pin); bool is_admin = false; if (!strcmp(pin, "1337")) { bool is_logged = verify_pin(&is_admin); return true; if (is_admin) { } else if (!strcmp(pin, "w00t")) { admin_control(); *is_admin = true; } else if (is_logged) { return true; user_control(); } else { } else { return false; return EXIT_FAILURE; } } } return EXIT_SUCCESS; } 32

  33. Let’s see the binary (1) Back in the terminal, please compile the program $ cd ~/mcsema $ git clone git@github.com:trailofbits/issisp-2018.git $ cd issisp-2018 $ cat authenticate.c $ gcc -fno-stack-protector -O1 -g3 authenticate.c 33

Recommend

JEFFERSON JOBOY 27 November 2018 1 LIFTING AWARENESS 2 GROUND RULES 3 What is a lifting

JEFFERSON JOBOY 27 November 2018 1 LIFTING AWARENESS 2 GROUND RULES 3 What is a lifting

JEFFERSON JOBOY 27 November 2018 1 LIFTING AWARENESS 2 GROUND RULES 3 What is a lifting operation? An operation concerned with the lifting or lowering of a load'. A 'load' is the item or items being lifted, which includes a person or people

380 views • 27 slides
From Program Verification to Certified Binaries Angelos Manousaridis Michalis A. Papakyriakou

From Program Verification to Certified Binaries Angelos Manousaridis Michalis A. Papakyriakou

From Program Verification to Certified Binaries Angelos Manousaridis Michalis A. Papakyriakou Nikolaos S. Papaspyrou National Technical University of Athens School of Electrical and Computer Engineering Software Engineering Laboratory

360 views • 32 slides
McSema: Static Translation of X86 Instructions to LLVM ARTEM DINABURG, ARTEM@TRAILOFBITS.COM

McSema: Static Translation of X86 Instructions to LLVM ARTEM DINABURG, ARTEM@TRAILOFBITS.COM

McSema: Static Translation of X86 Instructions to LLVM ARTEM DINABURG, ARTEM@TRAILOFBITS.COM ANDREW RUEF, ANDREW@TRAILOFBITS.COM This research was developed with funding from the Defense Advanced Research Projects Agency (DARPA). The

1.09k views • 34 slides
Black hole X-ray binaries V: Formation and evolution of black hole binaries Thomas J. Maccarone

Black hole X-ray binaries V: Formation and evolution of black hole binaries Thomas J. Maccarone

Black hole X-ray binaries V: Formation and evolution of black hole binaries Thomas J. Maccarone Jan 14, 2017, 2nd Fudan Winter School on Black Hole Astrophysics Overview Phenomena associated with binary evolution Formation of close binaries

651 views • 30 slides
Fight against 1-day exploits: Diffing Binaries vs Anti-diffing Binaries Jeongwook

Fight against 1-day exploits: Diffing Binaries vs Anti-diffing Binaries Jeongwook

Fight against 1-day exploits: Diffing Binaries vs Anti-diffing Binaries Jeongwook Oh(mat@monkey.org,oh.jeongwook@gmail.com) Jeongwook Oh works on eEye's flagship product called &quot;Blink&quot;. He develops traffic analysis module that filters

841 views • 60 slides
Coalescences of IMBH binaries as sources for the future IMBH binaries as seen by the GW ET

Coalescences of IMBH binaries as sources for the future IMBH binaries as seen by the GW ET

Coalescences of IMBH binaries as sources for the future ET detector Coalescences of IMBH binaries as sources for the future IMBH binaries as seen by the GW ET detector detectors The (disputed) existence of IMBHs Modeling BBH Luca

199 views • 16 slides
Galactic Center, Colliding Wind Binaries, &amp; Gamma-ray Binaries: Hydro simulations to do with

Galactic Center, Colliding Wind Binaries, &amp; Gamma-ray Binaries: Hydro simulations to do with

Galactic Center, Colliding Wind Binaries, &amp; Gamma-ray Binaries: Hydro simulations to do with Phantom Christopher M. P . Russell Pontificia Universidad Catlica de Chile crussell@udel.edu @chrastropher astro.puc.cl/~crussell Phantom

589 views • 43 slides
Observations of jets in X-ray binaries Tom Maccarone (University of Southampton) ING

Observations of jets in X-ray binaries Tom Maccarone (University of Southampton) ING

Observations of jets in X-ray binaries Tom Maccarone (University of Southampton) ING archive/Nick Szymanek Russell et al. 2007 Stirling et al. 2001 Black Hole X-ray binaries: key sources for understanding accretion-ejection phenomenology

347 views • 21 slides
NIOSH revised lifting equation Week 8 Dr. Belal Gharaibeh 1 Why use the NIOSH lifting equation?

NIOSH revised lifting equation Week 8 Dr. Belal Gharaibeh 1 Why use the NIOSH lifting equation?

NIOSH revised lifting equation Week 8 Dr. Belal Gharaibeh 1 Why use the NIOSH lifting equation? National Institute for Occupational Safety and Health (NIOSH) in the USA made a standard procedure for assessing the physical demands of

540 views • 14 slides
Spin- -orbit interactions in black hole orbit interactions in black hole binaries binaries Spin

Spin- -orbit interactions in black hole orbit interactions in black hole binaries binaries Spin

Departm ent Physics &amp; Astronom y The University of Texas at Brow nsville Spin- -orbit interactions in black hole orbit interactions in black hole binaries binaries Spin Carlos Lousto with Manuela Campanelli &amp; Yosef Zlochower

365 views • 20 slides
Lifting Jonathan Templeman Chief Executive 53% of Lifting 22% of Melrose Products overview

Lifting Jonathan Templeman Chief Executive 53% of Lifting 22% of Melrose Products overview

Lifting Jonathan Templeman Chief Executive 53% of Lifting 22% of Melrose Products overview Oil &amp; Gas Mining Crane and industrial Specialist fibre and steel rope High quality steel wire ropes High performance wire ropes Mooring,

341 views • 15 slides
Lifting Applied to Proof Complexity Marc Vinyals Technion Haifa, Israel FSTTCS Workshop on

Lifting Applied to Proof Complexity Marc Vinyals Technion Haifa, Israel FSTTCS Workshop on

Lifting Applied to Proof Complexity Marc Vinyals Technion Haifa, Israel FSTTCS Workshop on Extension Complexity and Lifting Theorems Supported by ERC project HARMONIC Proof Complexity Lifting Examples Wishlist SAT Is this formula

1.26k views • 82 slides
Symbolic Execution of Linux binaries About Symbolic Execution Dynamically explore all

Symbolic Execution of Linux binaries About Symbolic Execution Dynamically explore all

A tool for the Symbolic Execution of Linux binaries About Symbolic Execution Dynamically explore all program branches. Inputs are considered symbolic variables. Symbols remain uninstantiated and become constrained at execution

451 views • 24 slides
Strategy of lifting up Strategy of lifting up small or medium scale rabbit farming into small or

Strategy of lifting up Strategy of lifting up small or medium scale rabbit farming into small or

First Jilin Rabbit Fair and Conference on Asian Rabbit Production Development, Changchun (China), 8-10 September 2009. Strategy of lifting up Strategy of lifting up small or medium scale rabbit farming into small or medium scale rabbit farming

333 views • 29 slides
Numerical simulations of eccentric neutron star binaries N. K. Johnson-McDaniel TPI, Uni Jena

Numerical simulations of eccentric neutron star binaries N. K. Johnson-McDaniel TPI, Uni Jena

Numerical simulations of eccentric neutron star binaries N. K. Johnson-McDaniel TPI, Uni Jena 2nd GW Bursts Workshop May 28th, 2012 In collaboration with S. Bernuzzi, M. Thierfelder, and B. Br ugmann Why (highly) eccentric NS binaries? NR

404 views • 12 slides
Modeling Compact Object Binaries (very briefly) Compact Objects: neutron stars (NSs) or black

Modeling Compact Object Binaries (very briefly) Compact Objects: neutron stars (NSs) or black

Motivation EM Counterparts Extreme Matter Single Star Binary NS Conclusions Modeling Compact Object Binaries (very briefly) Compact Objects: neutron stars (NSs) or black holes (BHs) Binaries: tend to only consider last n orbits before

185 views • 14 slides
Controlled Phased Lifting of COVID-19 Restrictions in Qatar June 8 th , 2020 Wit ith an im

Controlled Phased Lifting of COVID-19 Restrictions in Qatar June 8 th , 2020 Wit ith an im

Controlled Phased Lifting of COVID-19 Restrictions in Qatar June 8 th , 2020 Wit ith an im impactful response taking effect, preparation for lif lifting restr trictions started Comparison of COVID 19 statistics in Qatar Perspectives with

162 views • 15 slides
DeBIN: Predicting Debug Information in Stripped Binaries ht https://debin.ai Jingxuan Pesho

DeBIN: Predicting Debug Information in Stripped Binaries ht https://debin.ai Jingxuan Pesho

DeBIN: Predicting Debug Information in Stripped Binaries ht https://debin.ai Jingxuan Pesho Petar Veselin Martin He Ivanov Tsankov Raychev Vechev Binaries with debug symbols Descriptive names for functions and variables Assembly

304 views • 29 slides
LIFTESSENCE NATURAL LIFTING POLYSACCHARIDES Key points Tree fern polysaccharides Fine

LIFTESSENCE NATURAL LIFTING POLYSACCHARIDES Key points Tree fern polysaccharides Fine

ANTI-AGING / ANTI-WRINKLE / CELL TURNOVER LIFTESSENCE NATURAL LIFTING POLYSACCHARIDES Key points Tree fern polysaccharides Fine line eraser Firmness and tonicity enhancer Visible lifting results in 1 hour INCI name Water

448 views • 16 slides
Modeling Compact Object Binaries Liebling &amp; Shoemaker Mano a Mano Tuesday, May 29, 12

Modeling Compact Object Binaries Liebling &amp; Shoemaker Mano a Mano Tuesday, May 29, 12

Modeling Compact Object Binaries Liebling &amp; Shoemaker Mano a Mano Tuesday, May 29, 12 Compact Binaries are both Transient and Inspiral Sources of GWs Where are we in vacuum BH+BH? Ninja (Aylott et al CQG 2009, ...) NRAR

842 views • 7 slides
Lifting and Rigging Seminar Amsterdam September 2018 Technology add-ons to assist offshore

Lifting and Rigging Seminar Amsterdam September 2018 Technology add-ons to assist offshore

Lifting and Rigging Seminar Amsterdam September 2018 Technology add-ons to assist offshore lifting David id M Mulla lard Business D Dev evel elopmen ent M Manager er Intro to Straightpoint - 1976 - Straightpoint was

517 views • 15 slides
Black hole X-ray binaries IV: Outflows jets and winds Thomas J. Maccarone Jan 9, 2017, 2nd

Black hole X-ray binaries IV: Outflows jets and winds Thomas J. Maccarone Jan 9, 2017, 2nd

Black hole X-ray binaries IV: Outflows jets and winds Thomas J. Maccarone Jan 9, 2017, 2nd Fudan Winter School on Black Hole Astrophysics Overview Early discovery of jets in AGN Discoveries in X-ray binaries The microquasar paradigm

393 views • 27 slides
On the Unique-Lifting Property Amitabh Basu Joint Work with Gennadiy Averkov 18th Aussois

On the Unique-Lifting Property Amitabh Basu Joint Work with Gennadiy Averkov 18th Aussois

On the Unique-Lifting Property Amitabh Basu Joint Work with Gennadiy Averkov 18th Aussois Combinatorial Optimization Workshop Cut Generating Functions for Mixed-Integer Linear Programs Solve problem as Linear Program and obtain optimal

746 views • 51 slides
Dynamical formation ! of black-hole X -ray binaries Ross Church ! Department of Astronomy and

Dynamical formation ! of black-hole X -ray binaries Ross Church ! Department of Astronomy and

Dynamical formation ! of black-hole X -ray binaries Ross Church ! Department of Astronomy and Theoretical Physics ! Lund University ! ! ! With thanks to: ! Melvyn B. Davies (Lund), Seppo Mikkola (Turku) ! Black-hole X -ray binaries in GCs

451 views • 22 slides

More recommend