outline
play

Outline Introduction Dynamic Symbolic Execution Binsec/SE Demo - PowerPoint PPT Presentation

Jul 04, 2023 •236 likes •467 views

BINSEC/SE: A Dynamic Symbolic Execution Toolkit for Binary-level Analysis Robin David S ebastien Bardin Thanh Dinh Ta Josselin Feist Laurent Mounier Marie-Laure Potet Jean-Yves Marion SANER 2016, Osaka, Japan, March 16th Outline

  1. BINSEC/SE: A Dynamic Symbolic Execution Toolkit for Binary-level Analysis Robin David S´ ebastien Bardin Thanh Dinh Ta Josselin Feist Laurent Mounier Marie-Laure Potet Jean-Yves Marion — SANER 2016, Osaka, Japan, March 16th

  2. Outline Introduction Dynamic Symbolic Execution Binsec/SE Demo CEA - - 2/11

  3. Introduction The need to reverse engineer an excutable : malware, bug discovery, safety, testing .. CEA - - 3/11

  4. Introduction The need to reverse engineer an excutable : malware, bug discovery, safety, testing .. Current approaches and limitations for binary-level understanding : Static : allow to choose any path [but not necessarily feasible] Easy to fool → indirect jumps, self-modification etc. CEA - - 3/11

  5. Introduction The need to reverse engineer an excutable : malware, bug discovery, safety, testing .. Current approaches and limitations for binary-level understanding : Static : allow to choose any path [but not necessarily feasible] Easy to fool → indirect jumps, self-modification etc. Dynamic : only doable paths [but depend on inputs] problem → possibly miss a lot of code areas CEA - - 3/11

  6. Introduction The need to reverse engineer an excutable : malware, bug discovery, safety, testing .. Current approaches and limitations for binary-level understanding : Static : allow to choose any path [but not necessarily feasible] Easy to fool → indirect jumps, self-modification etc. Dynamic : only doable paths [but depend on inputs] problem → possibly miss a lot of code areas Symbolic : best of both world only doable paths can recover new paths [regardless of path rarity] CEA - - 3/11

  7. Running examples Various problems occurs when trying to cover program paths : Dynamic jumps mov eax, var x shl eax, 2 add eax, off y mov eax, [eax] jmp eax CEA - - 4/11

  8. Running examples Various problems occurs when trying to cover program paths : Dynamic jumps mov eax, var x shl eax, 2 add eax, off y mov eax, [eax] mov edx, eax mov eax, edx jmp eax Heuristics limitations IDA Pro 6.9 fooled by such trick.. CEA - - 4/11

  9. Running examples Various problems occurs when trying to cover program paths : Dynamic jumps Call/Ret mov eax, var x 1004002 : call 0x100400a shl eax, 2 1004007 : (junk byte) add eax, off y 1004008 : mov eax, [eax] 100400a : pop ebp 100400b : inc ebp mov edx, eax mov eax, edx 100400c : push ebp 100400d : ret jmp eax 100400e : ... Heuristics limitations IDA Pro 6.9 fooled by such trick.. CEA - - 4/11

  10. Running examples Various problems occurs when trying to cover program paths : Dynamic jumps Call/Ret mov eax, var x 1004002 : call 0x100400a shl eax, 2 1004007 : (junk byte) add eax, off y 1004008 : jmp 0x100400e mov eax, [eax] 100400a : pop ebp 100400b : inc ebp mov edx, eax mov eax, edx 100400c : push ebp 100400d : ret jmp eax 100400e : ... Heuristics limitations IDA Pro 6.9 fooled by such trick.. CEA - - 4/11

  11. Running examples Various problems occurs when trying to cover program paths : Dynamic jumps Call/Ret mov eax, var x 1004002 : call 0x100400a shl eax, 2 1004007 : (junk byte) add eax, off y 1004008 : jmp 0x100400e mov eax, [eax] 100400a : pop ebp 100400b : inc ebp mov edx, eax mov eax, edx 100400c : push ebp 100400d : ret jmp eax 100400e : ... Heuristics limitations Heuristics limitations IDA Pro 6.9 fooled by such Common disassemblers does not trick.. disassemble after unknown byte and ret instructions CEA - - 4/11

  12. Running examples Various problems occurs when trying to cover program paths : Dynamic jumps Call/Ret mov eax, var x 1004002 : call 0x100400a shl eax, 2 1004007 : (junk byte) add eax, off y 1004008 : jmp 0x100400e mov eax, [eax] 100400a : pop ebp 100400b : inc ebp mov edx, eax mov eax, edx 100400c : push ebp 100400d : ret jmp eax 100400e : ... Heuristics limitations Heuristics limitations IDA Pro 6.9 fooled by such Common disassemblers does not trick.. disassemble after unknown byte and ret instructions And many others.. CEA - - 4/11

  13. Outline Introduction Dynamic Symbolic Execution Binsec/SE Demo CEA - - 5/11

  14. DSE : In brief Definition Symbolic execution is the mean of executing a program using symbolic values (logical symbols) rather than actual values (bitvectors) in order to obtain in-out relationship of a path. Dynamic Symbolic Execution [DSE] : precise reasoning on a single path sound execution of the program (path necessarily feasible) can recover new paths (goto eax, call/ret, etc.) thwart basic tricks (code overlapping..) CEA - - 6/11

  15. Outline Introduction Dynamic Symbolic Execution Binsec/SE Demo CEA - - 7/11

  16. Binsec : Global overview CEA - - 8/11

  17. Binsec : Global overview CEA - - 8/11

  18. Binsec/SE : In depth Tracing (Pin) Core (10K OCaml loc) gather certain library calls stub engine for library concrete infos calls arbitrary value retrieval generic path selection (registers/memory) path predicate On-the-fly value optimization : patching handle JSON conf. files Linux/Windows Solvers : Z3, boolector, .. Remote control CEA - - 9/11

  19. Outline Introduction Dynamic Symbolic Execution Binsec/SE Demo CEA - - 10/11

  20. Demo : Call/Ret violation Example code obfuscated by the ASPack packer : 1 1004002 e8 03 00 00 00 c a l l 0 x100400a //push 0x1004007 as return 2 100400 a 5d pop ebp //pop return address in ebp 3 100400b 45 i n c ebp //increment ebp 4 100400 c 55 push ebp //push back the value 5 100400d c3 r e t //return on 0x1004008 6 1004008 eb 04 jmp 0 x100400e → Fool the disassembler (which works here). (Goal : Trying to find the violations with DSE) CEA - - 11/11

  21. Demo : Call/Ret violation Example code obfuscated by the ASPack packer : 1 1004002 e8 03 00 00 00 c a l l 0 x100400a //push 0x1004007 as return 2 100400 a 5d pop ebp //pop return address in ebp 3 100400b 45 i n c ebp //increment ebp 4 100400 c 55 push ebp //push back the value 5 100400d c3 r e t //return on 0x1004008 6 1004008 eb 04 jmp 0 x100400e → Fool the disassembler (which works here). (Goal : Trying to find the violations with DSE) CEA - - 11/11

  22. Thank you ! あ あ あり り りが が がと とう と う うご ご ござ ざ ざい い いま ます ま す す Direction de la Recherche Technologique Commissariat ` a l’´ energie atomique et aux ´ energies alternatives D´ epartement d’Ing´ enierie des Logiciels et des Syst` emes Institut Carnot CEA LIST Laboratoire de Sˆ uret´ e des Logiciels Centre de Saclay — 91191 Gif-sur-Yvette Cedex Etablissement public ` a caract` ere industriel et commercial — RCS Paris B 775 685 019

Recommend

Ins Domingues Breast Cancer Workshop April 7th 2015 Outline Outline Outline Outline

Ins Domingues Breast Cancer Workshop April 7th 2015 Outline Outline Outline Outline

An automatic mammogram system: from screening to diagnosis Ins Domingues Breast Cancer Workshop April 7th 2015 Outline Outline Outline Outline Outline Outline Outline Outline Outline Outline Outline Outline Pectoral muscle

589 views • 45 slides
Presentation Preparation Outline Speech Outline Template ***Use this outline to guide you in

Presentation Preparation Outline Speech Outline Template ***Use this outline to guide you in

Presentation Preparation Outline Speech Outline Template ***Use this outline to guide you in preparing for your presentation; this outline is required. Title: I. Introduction (The speech actually starts here.) A. Attention Getter:

479 views • 3 slides
PT1 TMP Presentation Outline 1 Group Members: ___________________________________ Use this outline

PT1 TMP Presentation Outline 1 Group Members: ___________________________________ Use this outline

PT1 TMP Presentation Outline 1 Group Members: ___________________________________ Use this outline to organize your argument to create a logical flow of information and plan your presentation layout. This outline is worth a group grade (one copy

506 views • 3 slides
1 Web Application Development 2 3 Web Application Development CSS Outline An outline is a

1 Web Application Development 2 3 Web Application Development CSS Outline An outline is a

1 Web Application Development 2 3 Web Application Development CSS Outline An outline is a line that is drawn around elements, OUTSIDE the borders, to make the element "stand out". CSS has the following outline properties:

1.76k views • 117 slides
Outline Outline Background of the Network Vision Vision Aims Activities

Outline Outline Background of the Network Vision Vision Aims Activities

Asia Pacific Adaptation Network (APAN)- A k A key regional Initiative i l I iti ti Puja Sawhney Coordinator, APAN , Institute for Global Environmental Strategies Thimpu, Bhutan p 16 th November, 2011 Outline Outline Background of the

441 views • 9 slides
When (Low ) Pow er Really Matters When (Low ) Pow er Really Matters When (Low ) Pow er Really

When (Low ) Pow er Really Matters When (Low ) Pow er Really Matters When (Low ) Pow er Really

When (Low ) Pow er Really Matters When (Low ) Pow er Really Matters When (Low ) Pow er Really Matters When (Low ) Pow er Really Matters Yogesh K. Ramadass, AnanthaGroup Microsystems Technology Laboratory Outline Outline Outline Outline

507 views • 36 slides
Presentation Outline Worksheet You can use part or all of this outline to help you. This is YOUR

Presentation Outline Worksheet You can use part or all of this outline to help you. This is YOUR

Presentation Outline Worksheet You can use part or all of this outline to help you. This is YOUR personal presentation so you can create it however you want. These are just suggestions to help you get started. The purpose is to educate your

618 views • 3 slides
Outline 2 Outline 2 ZSim core simulation techniques Outline 2 ZSim core simulation

Outline 2 Outline 2 ZSim core simulation techniques Outline 2 ZSim core simulation

ZSim Tutorial MICRO 2015 S TATS AND C ONFIGURATION Core Models Po-An Tsai Outline 2 Outline 2 ZSim core simulation techniques Outline 2 ZSim core simulation techniques ZSim core structure I1D I1I Simple IPC 1 core

1.96k views • 120 slides
Outline Outline Motivation Motivation 1 1. Email Speech Acts 2. Modeling textual intention

Outline Outline Motivation Motivation 1 1. Email Speech Acts 2. Modeling textual intention

Modeling Intention in Email : Speech Acts, Information Leaks and User Ranking Methods p g Vitor R. Carvalho Carnegie Mellon University William Cohen Ramnath a at Tom Tom Jon Jon Balasubramanyan Mitchell Elsas Outline Outline

1.09k views • 65 slides
Session Outline Course themes imperative problem solving (think: outline form) C

Session Outline Course themes imperative problem solving (think: outline form) C

Session Outline Course themes imperative problem solving (think: outline form) C programming (close to the machine) storage and processing of data Linux operating system control of robots Demo Course Web site

780 views • 9 slides
Outline : Outline : Our method to perform periodicity search Candidates of the next Geminga The

Outline : Outline : Our method to perform periodicity search Candidates of the next Geminga The

Periodicity Sear Periodicity Search of ch of the the Geming Geminga-lik -like Pulsar e Pulsars Lupin Chun-Che Lin () Institute of Astronomy, National Central University, Taiwan Outline : Outline : Our method to perform periodicity

654 views • 19 slides
Outline for St Outline for St Outline for

Outline for St Outline for St Outline for

Outline for St Outline for St Outline for St Outline for St Francis Participation Francis Participation Francis Participation Francis Participation St Francis Overview Current Work on

120 views • 10 slides
RDF Beyond RDF Beyond Outline Outline RDFa RDFa Microformat Schema.org S h RDFa

RDF Beyond RDF Beyond Outline Outline RDFa RDFa Microformat Schema.org S h RDFa

RDF Beyond RDF Beyond Outline Outline RDFa RDFa Microformat Schema.org S h RDFa RDFa RDFa RDFa RDFa: A collection of attributes and processing p g rules for extending XHTML to support RDF. HTML contains structured data,

768 views • 37 slides
Appendix J: Capstone Presentation Outline Revised Spring 2016 CAPSTONE PRESENTATION OUTLINE This

Appendix J: Capstone Presentation Outline Revised Spring 2016 CAPSTONE PRESENTATION OUTLINE This

Appendix J: Capstone Presentation Outline Revised Spring 2016 CAPSTONE PRESENTATION OUTLINE This is a suggested outline only. Students should work closely with their Faculty Advisors to adapt this format the presentation to the needs of the

418 views • 4 slides
1 Course Outline Course Outline Course Outline Course Outline 3D Graphics Pipeline 3D

1 Course Outline Course Outline Course Outline Course Outline 3D Graphics Pipeline 3D

Goals Goals Foundations of Computer Graphics Foundations of Computer Graphics Systems: Write complex 3D graphics programs (Spring 2010) (Spring 2010) (real-time in OpenGL, offline raytracer, animation) CS 184, Lecture 1: Overview and

176 views • 5 slides
Outline Outline 1. About Cambodia 1. About Cambodia 2. Overview of disaster Hazards &

Outline Outline 1. About Cambodia 1. About Cambodia 2. Overview of disaster Hazards &

Sophak PHOEUN, National DRR Forum Coordinat or & Executive Assistant to Vice President of NCDM , National Committee for Disaster Management. Outline Outline 1. About Cambodia 1. About Cambodia 2. Overview of disaster Hazards &

346 views • 15 slides
SWAZILAND IMTS Presentation BY: WISEMAN DLAMINI Outline Outline Scope and time of

SWAZILAND IMTS Presentation BY: WISEMAN DLAMINI Outline Outline Scope and time of

SWAZILAND IMTS Presentation BY: WISEMAN DLAMINI Outline Outline Scope and time of recording . p g Commodity classifications. Valuation. Quantity Measurements. Partner country. Data compilation strategies.

1.68k views • 12 slides
Outline Outline Consumer Expenditure Survey p y Why redesign the CE? Why redesign the CE?

Outline Outline Consumer Expenditure Survey p y Why redesign the CE? Why redesign the CE?

Outline Outline Consumer Expenditure Survey p y Why redesign the CE? Why redesign the CE? Data Users Need Forum The CE Redesign Process h d Michael W. Horrigan Associate Commissioner Associate Commissione The philosophy of

82 views • 4 slides
Oral Presentation Module Outline: Please fill out the following outline while you are watching the

Oral Presentation Module Outline: Please fill out the following outline while you are watching the

Oral Presentation Module Outline: Please fill out the following outline while you are watching the videos, and bring a copy to class. Video 1: Oral Presentation Skill Areas Some different types of oral presentations you may encounter in your

372 views • 3 slides
Outline Framework Antiderivative Functions Applications Conclusion Outline Framework

Outline Framework Antiderivative Functions Applications Conclusion Outline Framework

Antiderivative Functions over F 2 n Valentin SUDER Seminar CALIN - Paris 13 April 12nd 2016. ComSec Lab, University of Waterloo ON, CANADA Outline Framework Antiderivative Functions Applications Conclusion Outline Framework Symmetric

999 views • 57 slides
NIKHIL.K.POTDUKHE Outline of UV spectrophotometer Outline of Recombinant DNA technology

NIKHIL.K.POTDUKHE Outline of UV spectrophotometer Outline of Recombinant DNA technology

NIKHIL.K.POTDUKHE Outline of UV spectrophotometer Outline of Recombinant DNA technology Application of UV spectroscopy in recombinant DNA technology References Lambert law: When a beam of light is allowed to pass through a

677 views • 38 slides
3/17/2009 OUTLINE OUTLINE Business Intelligence Business Intelligence Knowledge

3/17/2009 OUTLINE OUTLINE Business Intelligence Business Intelligence Knowledge

3/17/2009 OUTLINE OUTLINE Business Intelligence Business Intelligence Knowledge Management Paper by W. F. Cody BIKM J. T. Kreulen V. Krishna eClassifier W. S. Spangler Integrated BIKM Tools Presentation by Dylan Chi

492 views • 7 slides
Outline Outline Introduction (the concept of Desktop Grids) Objectives of the talk How to

Outline Outline Introduction (the concept of Desktop Grids) Objectives of the talk How to

Research Unit UTIC Laboratory LIPN , UMR 7030 ESSTT, University of Tunis CNRS, University of Paris 13 Outline Outline Introduction (the concept of Desktop Grids) Objectives of the talk How to decentralize Desktop Grid middlewares, p , Two

334 views • 18 slides
Draft Outline of the 2020 Work Programme BACKGROUND This document presents an outline of the

Draft Outline of the 2020 Work Programme BACKGROUND This document presents an outline of the

Draft Outline of the 2020 Work Programme BACKGROUND This document presents an outline of the tasks the Agency for the Cooperation of Energy Regulators (ACER) plans to perform in 2020. As such, it focuses primarily on the external deliverables the

283 views • 14 slides

More recommend