next generation debuggers
play

Next-Generation Debuggers For Reverse Engineering For Reverse - PowerPoint PPT Presentation

Dec 27, 2022 •364 likes •849 views

Next-Generation Debuggers For Reverse Engineering For Reverse Engineering The ERESI team eresi@asgardlabs.org This presentation is about .. The Embedded ERESI debugger : e2dbg The Embedded ERESI tracer : etrace The ERESI reverse

  1. Next-Generation Debuggers For Reverse Engineering For Reverse Engineering The ERESI team eresi@asgardlabs.org

  2. This presentation is about .. • The Embedded ERESI debugger : e2dbg • The Embedded ERESI tracer : etrace • The ERESI reverse engineering language • Unification & reconstruction of debug formats • Program analysis builtins (focusing on control flow graphs)

  3. The ERESI project • Started in 2001 with the ELF shell • Developed at LSE (EPITA security laboratory) • Contains more than 10 components • Featured in 2 articles in Phrack Magazine: – The Cerberus ELF Interface (2003) – Embedded ELF Debugging (2005)

  4. Limitations of existing UNIX debugging framework • GDB : Use OS-level debugging API (ptrace) - > does not work if ptrace is disabled or absent • Very sensible to variation of the environment (ex: ET_DYN linking of hardened gentoo) • Strace / Ltrace : use ptrace as well. Very few interaction (command-line parameters)

  5. Limitations of existing frameworks None of these frameworks rely on a real reverse engineering language

  6. The ERESI team • Started with a single person in 2001 (The ELF shell crew). Remained as it during 3 years. • Another person developed libasm (disassembling library) since 2002 • A third person developed libdump (the network accessibility library) in 2004-2005 • Since mid-2006 : community project (6 persons)

  7. The modern ERESI project • elfsh (and libelfsh): The ELF shell • e2dbg (and libe2dbg): The Embedded ELF debugger • etrace : The Embedded tracer • librevm : the language interpreter • libmjollnir : fingerprinting & graphs library • libaspect : Aspect oriented library

  8. The modern ERESI project (cont) • libasm : typed disassembling library • libedfmt : the ERESI debug format library • liballocproxy : allocation proxying library • libui : The user interface (readline-based)

  9. The modern ERESI project : sumup

  10. ERESI contributions (1) • Can debug hardened systems (does not need ptrace) : PaX/grsec compatible • Very effective analysis : improve the performance of fuzzing, heavy-weight debugging (no context switching between the debugger and the debuggee : the dbgvm resides in the debuggee)

  11. ERESI contributions (2) • A reflective framework : possibility to change part of it in runtime without recompilation • The first real reverse engineering language !!! – hash tables – regular expressions – loops, conditionals, variables – The complete ELF format objects accessible from the language

  12. The ERESI language : example 1 load /usr/bin/ssh set $entnbr 1.sht[.dynsym].size div $entnbr 1.sht[.dynsym].entsize print Third loop until $entnbr : foreach $idx of 0 until $entnbr print Symbol $idx is 1.dynsym[$idx].name forend unload /usr/bin/ssh

  13. The ERESI language : example 2 add $hash[hname] Intel add $hash[hname] Alpha add $hash[hname] Sparc32 add $hash[hname] Mips add $hash[hname] Sparc64 add $hash[hname] AMD add $hash[hname] Pa-risc foreach $elem of hname matching Sparc print Regex Matched $elem endfor

  14. List of available hash tables • Basic blocks (key: address) • Functions (key: address) • Regular expression applied on the key • Many dozen of hash tables (commands, objects ..) : see tables command of ERESI • Currently not supported : hash table of instructions, of data nodes (too many elements) => need of demand-driven analysis

  15. The ERESI language : example 3 type archtypes = elm:string[55] inform archtypes elfsh_arch_type type archaddr = elm:long[55] inform archaddr elfsh_arch_type print Now print Strings print 107.archtypes[elfsh_arch_type].elm[0] print 107.archtypes[elfsh_arch_type].elm[1] print Now print addresses print 107.archaddr[elfsh_arch_type].elm[0] print 107.archaddr[elfsh_arch_type].elm[1]

  16. e2dbg : the Embedded ELF debugger • Does not use ptrace. Does not have to use any OS level debug API. Evades PaX and grsecurity. • Proof of concept developed on Linux / x86 . • Scriptable using the ERESI language • Support debugging of multithreads • No need of ANY kernel level code (can execute in hostile environment)

  18. e2dbg : features • Classical features: – breakpoints (using processor opcode or function redirection) – stepping (using sigaction() syscall) • Allocation proxying – keep stack and heap unintrusiveness • Support for multithreading

  19. Allocation proxying • We manage two different heap allocator in a single process: int hook_malloc(int sz) { if (debugger) return (aproxy_malloc(sz)); return (orig_malloc(sz)) }

  20. Handling of debug format & The Embedded ELF Tracer (etrace)

  21. Debugging format • Describe each element of a program – Give names and position of: • Variables • Functions • Files • …. – Store program types dependences between them

  22. Debugging format - issues • Distinction of debugging format – stabs, dwarf, stabs+, dwarf2, gdb, vms ... – Different ways to parse, read, store … • For example with stabs and dwarf2 – Stabs does not contain any position reference • You store the whole parsing tree – Dwarf2 use read pattern apply directly on data • You cannot store everything (too big) – …

  23. Uniform debugging format • Parsing – So we can read the debugging format • Transforming – We transform it on a uniform representation – Keep only useful information • Cleaning – We keep only uniform debugging format • New debugging format – We change only backend part • Register types on ERESI type engine

  24. Embedded ELF tracer • Tracer using ELFsh framework • Tracing internal and external calls • Dynamic and supports multiple architecture – It does not use statically stored function prototypes – Use gcc to reduce architecture dependence • Work with and without debugging format • Recognize string, pointers and value

  25. Embedded ELF trace - script #!/usr/local/bin/elfsh32 load ./sshd traces add packet_get_string traces create privilege_sep traces add execv privilege_sep traces create password traces add auth_password password traces add sys_auth_passwd password save sshd2

  26. Etrace – output on sshd + execv(*0x80a5048 “(…)/openssh-4.5p1/sshd2", *0x80aa0a0) + packet_get_string(*u_int length_ptr: *0xbf8f4738) - packet_get_string = *0x80ab9f0 "mxatone" debug1: Attempting authentication for mxatone. (…) + packet_get_string(*u_int length_ptr: *0xbf8f42fc) - packet_get_string = *0x80a9970 "test1" + auth_password(*Authctxt authctxt: *0x80aaca0, void* password: *0x80b23a8 "test1") + sys_auth_passwd(*Authctxt authctxt: *0x80aaca0, void* password: *0x80b23a8 "test1") - sys_auth_passwd = 0x0 - auth_password = 0x0

  27. Etrace – Performance

  29. Embedded ELF tracer • Trace backend – Analyze target function – Create proxy functions • Embedded tracer – Inject proxy functions in the binary – Redirect calls into our proxy functions – Create a new binary • Automatic using the ELF tracer

  30. Etrace - Processing function arguments • With debugging information – Extract arguments information • size • names • type names • … • With architecture dependent argument counting – Backward analysis – Forward analysis

  31. Etrace - Generate binary module • Generate a .c file – Call tree (padding) – Dynamic check pointers, strings or value • Benefits – Architecture independent – New feature implementation – Less bugs – Use ELFsh framework

  32. Libelfsh - ET_REL injection • ET_REL injection principle – Add a binary module directly on target binary • Merge symbols and sections list • Section injection – Code sections • Injected before .interp – Data sections • Injected after .bss • Relocation in two steps

  33. Libelfsh - Redirect target function • Internal function – CFLOW technique • External function – ALTPLT technique • Custom redirection – Vector benefit – Your own redirection mechanism

  34. Program analysis

  35. A Graph Analyzer • Graph analyzers – Identify blocks and functions – Identify links (calls and jumps) – Build a graph with this info • Control Flow Graphs (CFGs) – Inter-blocks CFGs vs. Interprocedural CFGs – Main instrument to Control Flow analysis

  36. A Graph Analyzer • Control Flow Analysis – Essential to some kinds of further analysis and to optimization – Gives information about properties such as • Reachability • Dominance • ...

  37. A Graph Analyzer – Libasm • Libasm – Lowest layer of this application – Multi-architecture disassembling library • Intel IA-32 • SPARC V9 • In the near future, MIPS – Unified type system

  38. A Graph Analyzer – Libasm

  39. A Graph Analyzer – Libasm • The unified instruction type system – Works with non-mutually exclusive types – Provides means to “blindly” analyze an instruction – Eg. Control Flow analysis!

  40. A Graph Analyzer - Libasm • Libasm vectors – Storage of pointers to opcode handling functions – 4 dimensions: 1 for machine info, 3 for opcode info – Runtime dumping and replacing of vectors • Built-in language constructs • Easy-made opcode tracer!

Recommend

1 Host/Target A Big Problem with Debuggers gdb can be used to debug a program on a

1 Host/Target A Big Problem with Debuggers gdb can be used to debug a program on a

Debuggers A very real interactive debugger: gdb Widely used Debugging Runs on everything A classic implementation (with and without Debuggers) Mostly standard debugger technology Design decisions Runs and

274 views • 8 slides
Lab 6: Debuggers GDB Breakpoints Inspection TUI mode Code::Blocks plugin KDevelop and KDbg

Lab 6: Debuggers GDB Breakpoints Inspection TUI mode Code::Blocks plugin KDevelop and KDbg

Debuggers Lab 6: Debuggers GDB Breakpoints Inspection TUI mode Code::Blocks plugin KDevelop and KDbg Miscellaneous Comp Sci 1585 Data Structures Lab: Tools for Computer Scientists Outline Debuggers GDB Breakpoints Inspection TUI

551 views • 17 slides
THE GDB DEBUGGER GDB Debuggers allow you to examine and control program execution To compile a

THE GDB DEBUGGER GDB Debuggers allow you to examine and control program execution To compile a

THE GDB DEBUGGER GDB Debuggers allow you to examine and control program execution To compile a program for use with gdb, use the -g compiler switch Most debuggers provide the same functionality Other graphical options on MCECS Linux

506 views • 8 slides
Last Time Today Advanced interrupt issues Debugging embedded software ColdFire

Last Time Today Advanced interrupt issues Debugging embedded software ColdFire

Last Time Today Advanced interrupt issues Debugging embedded software ColdFire interrupts The best debuggers are probably 100x more effective than average ones System design The worst debuggers are probably 100x worse than

342 views • 5 slides
Domain Specific Debugging Tools Volker Krause vkrause@kde.org General Purpose Tools Generic

Domain Specific Debugging Tools Volker Krause vkrause@kde.org General Purpose Tools Generic

Domain Specific Debugging Tools Volker Krause vkrause@kde.org General Purpose Tools Generic debuggers Instruction-level debuggers (gdb) printf Similar for profilers No understanding of your frameworks Framework Complexity

271 views • 16 slides
Reverse Engineering with Hardware Debuggers 11 Mar 10 11 Mar 10 JASON RABER and JASON CHEATHAM

Reverse Engineering with Hardware Debuggers 11 Mar 10 11 Mar 10 JASON RABER and JASON CHEATHAM

Reverse Engineering with Hardware Debuggers 11 Mar 10 11 Mar 10 JASON RABER and JASON CHEATHAM ATSPI Assessment Science Team ATSPI Assessment Science Team RYTA Air Force Research Laboratory Public release authorization 88 ABW-10-1497 2

231 views • 19 slides
Generation Z Libraries and the Post-Millennial Generation

Generation Z Libraries and the Post-Millennial Generation

Generation Z Libraries and the Post-Millennial Generation http://procatdigital.co.uk/images/procat/blog/generation%20z%20words.jpg What is a generation? Generations in America

574 views • 22 slides
sentecacommerce.com Evolution of eCommerce 1 st Generation 2nd Generation Next Generation ERP

sentecacommerce.com Evolution of eCommerce 1 st Generation 2nd Generation Next Generation ERP

sentecacommerce.com Evolution of eCommerce 1 st Generation 2nd Generation Next Generation ERP Focused Setup Features in Shop Features in Ecosystem E-commerce = E-commerce = new Digital commerce=part additional sales business model of

1.17k views • 25 slides
Electricity Generation U.S. vs. Ky Ky Elec. Generation by Type U.S. Elec. Generation by Type

Electricity Generation U.S. vs. Ky Ky Elec. Generation by Type U.S. Elec. Generation by Type

Electricity Generation U.S. vs. Ky Ky Elec. Generation by Type U.S. Elec. Generation by Type 100% Potential 98% 96% 94% BTU per Unit of Coal Loading Mining Transportation Storage Transformation

552 views • 8 slides
Second Generation Expert Systems Ahme Rafea CS Dept., AUC Second Generation ES 1 First

Second Generation Expert Systems Ahme Rafea CS Dept., AUC Second Generation ES 1 First

Second Generation Expert Systems Ahme Rafea CS Dept., AUC Second Generation ES 1 First Generation ES Problems Knowledge Acquisition Explanation Brittleness KB Maintenance Second Generation ES 2 Multiple Domain Knowledge

390 views • 11 slides
Optical Parametric Generation and Amplification 1 Optical Parametric Generation Sum frequency

Optical Parametric Generation and Amplification 1 Optical Parametric Generation Sum frequency

Optical Parametric Generation and Amplification 1 Optical Parametric Generation Sum frequency generation: Parametric generation: Phase matching condition for collinear beams: By J S Lundeen at English Wikipedia - Own work by the original

198 views • 6 slides
OPA in our lab: TOPAS C 1 Optical Parametric Generation Sum frequency generation: Parametric

OPA in our lab: TOPAS C 1 Optical Parametric Generation Sum frequency generation: Parametric

OPA in our lab: TOPAS C 1 Optical Parametric Generation Sum frequency generation: Parametric generation: Phase matching condition for collinear beams: By J S Lundeen at English Wikipedia - Own work by the original uploader, CC BY-SA 3.0,

538 views • 8 slides
Objectives Random Bit Generation Pseudorandom Bit Generation Statistical Tests

Objectives Random Bit Generation Pseudorandom Bit Generation Statistical Tests

Pseudorandomness Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and Engineering Indian Institute of Technology Kharagpur INDIA -721302 Objectives Random Bit Generation Pseudorandom Bit Generation

379 views • 17 slides
GANocracy Outline Background: Text Generation Latent-Variable Generation Learning

GANocracy Outline Background: Text Generation Latent-Variable Generation Learning

Controlling Text Generation Alexander Rush (and Sam Wiseman) Harvard / Cornell Tech GANocracy Outline Background: Text Generation Latent-Variable Generation Learning Neural Templates Machine Learning for Text Generation y 1: T =

710 views • 55 slides
Code Generation Chapter 9 1 Compiler Construction Code Generation Issues in Code Generation

Code Generation Chapter 9 1 Compiler Construction Code Generation Issues in Code Generation

Code Generation Chapter 9 1 Compiler Construction Code Generation Issues in Code Generation Target language Relocatable machine code Commercial compilers produce this Absolute machine code OS code must start at a particular memory

503 views • 19 slides
SUMMARY FOR REGION LEADERS e A r s e g A l A l f o l e p o e P INVOLVED IN PCA

SUMMARY FOR REGION LEADERS e A r s e g A l A l f o l e p o e P INVOLVED IN PCA

2015 Member Survey RESULTS SUMMARY FOR REGION LEADERS e A r s e g A l A l f o l e p o e P INVOLVED IN PCA G.I. GENERATION SILENT GENERATION BABY BOOMERS GENERATION X MILLENNIALS GENERATION Z Most Members Heard About PCA

222 views • 10 slides
Video Consoles - The Next Generation consoles and games from Next Generation 1994 - present

Video Consoles - The Next Generation consoles and games from Next Generation 1994 - present

Topics Video Consoles - The Next Generation consoles and games from Next Generation 1994 - present PlayStation Computer Literacy 1 Lecture 10 Xbox 13/10/08 Nintendo Wii Wii hardware Moving on to 3D games Next generation

459 views • 7 slides
Next Generation Climate Next Generation Climate Grades 6-8 Supports NGSS Lots of graphs and

Next Generation Climate Next Generation Climate Grades 6-8 Supports NGSS Lots of graphs and

Next Generation Climate Next Generation Climate Grades 6-8 Supports NGSS Lots of graphs and tables Argumentation, Questioning Next Generation Climate http://www.climategen.org/ngc NGC Performance Expectations Lesson Essential Questions

457 views • 18 slides
1 Crashes, interrupts, and backtrace Watchpoints GDB will automatically stop if the program

1 Crashes, interrupts, and backtrace Watchpoints GDB will automatically stop if the program

Debugging and debuggers Debugging in the development cycle You have probably already had the experience of making Edit a mistake in a program Speaking roughly, debugging is the process: After you know that your code is wrong

911 views • 3 slides
Session Overview Improving First-Generation Student Why first-generation student success

Session Overview Improving First-Generation Student Why first-generation student success

Session Overview Improving First-Generation Student Why first-generation student success matters Success with Instructional and Advising Pathways Missouri State profile & first-generation student characteristics Two programs to

205 views • 6 slides
Antonella Bogoni CNIT-TECIP Microwave Signal Generation High purity carrier generation

Antonella Bogoni CNIT-TECIP Microwave Signal Generation High purity carrier generation

Antonella Bogoni CNIT-TECIP Microwave Signal Generation High purity carrier generation Arbitrary waveform generation Terahertz signal generation Microwave Signal Distribution Analog photonic link Radio over Fiber Antenna

1.17k views • 33 slides
Generation Approach Christina Church, Two-Generation Program Officer October 2019 What is a

Generation Approach Christina Church, Two-Generation Program Officer October 2019 What is a

An Update on Marylands Two - Generation Approach Christina Church, Two-Generation Program Officer October 2019 What is a Two-Generation Approach? A method of service delivery that improves outcomes for whole families by coordinating and

401 views • 9 slides
ICTs in education Moving from 1 Generation to 2 Generation models a framework for program

ICTs in education Moving from 1 Generation to 2 Generation models a framework for program

ICTs in education Moving from 1 Generation to 2 Generation models a framework for program success Gurumurthy K IT for Change, Bangalore February 2013 ICT Models in Business First generation computer applications in business - Simple

356 views • 8 slides
MANAGING THE COSTS AND RISKS OF NEW GENERATION COORDINATION OF GENERATION AND TRANSMISSION

MANAGING THE COSTS AND RISKS OF NEW GENERATION COORDINATION OF GENERATION AND TRANSMISSION

MANAGING THE COSTS AND RISKS OF NEW GENERATION COORDINATION OF GENERATION AND TRANSMISSION INVESTMENT PUBLIC WORKSHOP 18 OCTOBER 2019 Agenda 1. Welcome 2. Need for reform 3. Overview of proposal 4. How this works in practice 5.

784 views • 64 slides

More recommend