platform independent static
play

Platform-independent static binary code analysis using a meta- - PowerPoint PPT Presentation

May 08, 2023 •141 likes •677 views

Platform-independent static binary code analysis using a meta- assembly language Thomas Dullien, Sebastian Porst zynamics GmbH CanSecWest 2009 Overview The REIL Language Abstract Interpretation MonoREIL Results 2 Motivation Bugs are

  1. Platform-independent static binary code analysis using a meta- assembly language Thomas Dullien, Sebastian Porst zynamics GmbH CanSecWest 2009

  2. Overview The REIL Language Abstract Interpretation MonoREIL Results 2

  3. Motivation • Bugs are getting harder to find • Defensive side (most notably Microsoft) has invested a lot of money in a „bugocide“ • Concerted effort: Lots of manual code auditing aided by static analysis tools • Phoenix RDK: Includes „lattice based“ analysis framework to allow pluggable abstract interpretation in the compiler 3

  4. Motivation • Offense needs automated tools if they want to avoid being sidelined • Offensive static analysis: Depth vs. Breadth • Offense has no source code, no Phoenix RDK, and should not depend on Microsoft • We want a static analysis framework for offensive purposes 4

  5. Overview The REIL Language Abstract Interpretation MonoREIL Results 5

  6. REIL • Reverse Engineering Intermediate Language • Platform-Independent meta-assembly language • Specifically made for static code analysis of binary files • Can be recovered from arbitrary native assembly code – Supported so far: x86, PowerPC, ARM 6

  7. Advantages of REIL • Very small instruction set (17 instructions) • Instructions are very simple • Operands are very simple • Free of side-effects • Analysis algorithms can be written in a platform-independent way – Great for security researchers working on more than one platform 7

  8. Creation of REIL code • Input: Disassembled Function – x86, ARM, PowerPC, potentially others • Each native assembly instruction is translated to one or more REIL instructions • Output: The original function in REIL code 8

  9. Example 9

  10. Design Criteria • Simplicity • Small number of instructions – Simplifies abstract interpretation (more later) • Explicit flag modeling – Simplifies reasoning about control-flow • Explicit load and store instructions • No side-effects 10

  11. REIL Instructions • One Address – Source Address * 0x100 + n – Easy to map REIL instructions back to input code • One Mnemonic • Three Operands – Always • An arbitrary amount of meta-data – Nearly unused at this point 11

  12. REIL Operands • All operands are typed – Can be either registers, literals, or sub-addresses – No complex expressions • All operands have a size – 1 byte, 2 bytes, 4 bytes, ... 12

  13. The REIL Instruction Set • Arithmetic Instructions – ADD, SUB, MUL, DIV, MOD, BSH • Bitwise Instructions – AND, OR, XOR • Data Transfer Instructions – LDM, STM, STR 13

  14. The REIL Instruction Set • Conditional Instructions – BISZ, JCC • Other Instructions – NOP, UNDEF, UNKN • Instruction set is easily extensible 14

  15. REIL Architecture • Register Machine – Unlimited number of registers t 0 , t 1 , ... – No explicit stack • Simulated Memory – Infinite storage – Automatically assumes endianness of the source platform 15

  16. Limitations of REIL • Does not support certain instructions (FPU, MMX, Ring-0, ...) yet • Can not handle exceptions in a platform- independent way • Can not handle self-modifying code • Does not correctly deal with memory selectors 16

  17. Overview The REIL Language Abstract Interpretation MonoREIL Results 17

  18. Abstract Interpretation • Theoretical background for most code analysis • Developed by Patrick and Rhadia Cousot around 1975-1977 • Formalizes „static abstract reasoning about dynamic properties“ • Huh ? • A lot of the literature is a bit dense for many security practitioners 18

  19. Abstract Interpretation • We want to make statements about programs • Example: Possible set of values for variable x at a given program point p • In essence: For each point p, we want to find K p P ( States ) • Problem: is a bit unwieldly P ( States ) • Problem: Many questions are undecidable (where is the w*nker that yells „halting problem“) ? 19

  20. Dealing with unwieldy stuff • Reason about something simpler: Abstraction P ( States ) D Concretisation P ( States ) D • Example: Values vs. Intervals 20

  21. Lattices • In order for this to work, must be structurally D similar to P ( States ) • supports intersection and union P ( States ) • You can check for inclusion (contains, does not contain) • You have an empty set (bottom) and „everything“ (top) 21

  22. Lattices • A lattice is something like a generalized powerset • Example lattices: Intervals, Signs, , P ( Registers ) mod p 22

  23. Dealing with halting • Original program consists of p 1 ... p n program points • Each instruction transforms a set of states into a different set of states • p 1 ... p n are mappings P ( States ) P ( States ) • Specify ' 1  p p ' n : D D ~ • This yields us n n p : D D 23

  24. Dealing with halting • We cheat: Let be finite  n is finite D D ~ • Make sure that is monotonous (like this talk) p • Begin with initial state I ~ l • Calculate p ( ) ~ ~ • Calculate p ( p ( l )) 1 l ~ ~ • Eventually, you reach n n p ( l ) p ( ) • You are done – read off the results and see if your question is answered 24

  25. Theory vs. practice • A lot of the academic focus is on proving correctness of the transforms p i P ( States ) P ( States ) p ' i D D • As practitioner we know that p i is probably not fully correctly specified • We care much more about choosing and constructing a so that we get the results we need D 25

  26. Overview The REIL Language Abstract Interpretation MonoREIL Results 26

  27. MonoREIL • You want to do static analysis • You do not want to write a full abstract interpretation framework • We provide one: MonoREIL • A simple-to-use abstract interpretation framework based on REIL 27

  28. What does it do ? • You give it – The control flow graph of a function (2 LOC) – A way to walk through the CFG (1 + n LOC) – The lattice (15 + n LOC) D • Lattice Elements • A way to combine lattice elements – The initial state (12 + n LOC) – Effects of REIL instructions on (50 + n LOC) D 28

  29. How does it work? • Fixed-point iteration until final state is found • Interpretation of result – Map results back to original assembly code • Implementation of MonoREIL already exists • Usable from Java, ECMAScript, Python, Ruby 29

  30. Overview The REIL Language Abstract Interpretation MonoREIL Results 30

  31. Register Tracking • First Example: Simple • Question: What are the effects of a register on other instructions? • Useful for following register values 31

  32. Register Tracking • Demo 32

  33. Register Tracking • Lattice: For each instruction, set of influenced registers, combine with union • Initial State – Empty (nearly) everywhere – Start instruction: { tracked register } • Transformations for MNEM op1, op2, op3 – If op1 or op2 are tracked  op3 is tracked too – Otherwise: op3 is removed from set 33

  34. Negative indexing • Second Example: More complicated • Question: Is this function indexing into an array with a negative value ? • This gets a bit more involved 34

  35. Negative indexing • Simple intervals alone do not help us much • How would you model a situation where – A function gets a structure pointer as argument – The function retrieves a pointer to an array from an array of pointers in the structure – The function then indexes negatively into this array • Uh. Ok. 35

  36. Abstract locations • For each instruction, what are the contents of the registers ? Let‘s slowly build complexity: • If eax contains arg_4, how could this be modelled ? – eax = *(esp.in + 8) • If eax contains arg_4 + 4 ? – eax = *(esp.in + 8) + 4 • If eax can contain arg_4+4, arg_4+8, arg_4+16, arg_4 + 20 ? – eax = *(esp.in + 8) + [4, 20] 36

  37. Abstract locations • If eax can contain arg_4+4, arg_8+16 ? – eax = *(esp.in + [8,12]) + [4,16] • If eax can contain any element from – arg_4  mem[0] to arg_4  mem[10], incremented once, how do we model this ? – eax = *(*(esp.in + [8,8]) + [4, 44]) + [1,1] • OK. An abstract location is a base value and a list of intervals, each denoting memory dereferences (except the last) 37

  38. Range Tracking eax.in + [a, b] + [0, 0] eax.in + a eax.in + b 38

  39. Range Tracking eax + [a, b] + [c, d] + [0, 0] eax + a eax + b [eax+a]+c [eax+a]+d [eax+a+4]+c [eax+a+4]+d [eax+b]+c [eax+b]+d 39

  40. Range Tracking • Lattice: For each instruction, a map:  Register Aloc Aloc • Initial State – Empty (nearly) everywhere – Start instruction: { reg -> reg.in + [0,0] } • Transformations – Complicated. Next slide. 40

  41. Range Tracking • Transformations – ADD/SUB are simple: Operate on last intervals – STM op 1 , , op 3 • If op 1 or op 3 not in our input map M skip • Otherwise, M[ M[op 3 ] ] = op 1 – LDM op 1 , , op 3 • If op 1 or op 3 is not in our input map M skip • M[ op 3 ] = M[ op 1 ] – Others: Case-specific hacks 41

  42. Range Tracking • Where is the meat ? • Real world example: Find negative array indexing 42

Recommend

Automated Generation of Platform-Variant Applications from Platform-Independent Models via

Automated Generation of Platform-Variant Applications from Platform-Independent Models via

Automated Generation of Platform-Variant Applications from Platform-Independent Models via Templates Nuno Amlio, Christian Glodt, Frederico Pinto, Pierre Kelsen University of Luxembourg Introduction Manual code development is expensive

243 views • 21 slides
Technical Specifications Platform will have Independent chassis To-do and the balance of the

Technical Specifications Platform will have Independent chassis To-do and the balance of the

Technical Specifications Platform will have Independent chassis To-do and the balance of the platform will be mounted to the chassis outrigger detached. The chassis of the crane will install by screw sand studs to the carrier chassis. In the

117 views • 8 slides
Static and Method Overloading static One per class, not per object static variables

Static and Method Overloading static One per class, not per object static variables

Static and Method Overloading static One per class, not per object static variables all instances of the class share the same static variable example: serial/VIN number for Car static methods invoked through class

324 views • 7 slides
An Integrated Approach for Platform-Independent Web Applications W3C Multimodal Interaction

An Integrated Approach for Platform-Independent Web Applications W3C Multimodal Interaction

An Integrated Approach for Platform-Independent Web Applications W3C Multimodal Interaction Workshop Sophia-Antipolis, 19.-20.7.2004 Gerald Hbsch and Thomas Springer Dresden University of Technology {huebsch,springet}@rn.inf.tu-dresden.de

519 views • 26 slides
Getting Serious About a Platform Independent Application for the Usage of Mobile Moodle Quizzes:

Getting Serious About a Platform Independent Application for the Usage of Mobile Moodle Quizzes:

Getting Serious About a Platform Independent Application for the Usage of Mobile Moodle Quizzes: A Case Study Stefan Geisler, Marc Jansen 1 S. Geisler, M. Jansen: A Platform Independent App for Mobile Moodle Quizzes: A Case Study Contents

656 views • 20 slides
1 Static Equilibrium From Static Eq. to Dynamic Eq. System of mass points Static

1 Static Equilibrium From Static Eq. to Dynamic Eq. System of mass points Static

Static/ Dynamic Deformation I ntroduction to Static deformation Dynamic deformation Static/ Dynamic Deformation with Mass-Spring Systems undeformed shape f internal + = f inertia = 0 f external Min Gyu Choi deformed

426 views • 4 slides
Keeping modular and platform- independent software up-to-date: benefits from the Semantic Web

Keeping modular and platform- independent software up-to-date: benefits from the Semantic Web

Keeping modular and platform- independent software up-to-date: benefits from the Semantic Web Olivier Dameron SMI - Stanford University 8 th International Protg Conference July 18-21, 2005 Problem Keeping local installation of

736 views • 39 slides
Egyptian Research and Evaluation Network EREN is a distinct and independent platform whose

Egyptian Research and Evaluation Network EREN is a distinct and independent platform whose

Egyptian Research and Evaluation Network EREN is a distinct and independent platform whose purpose is to enhance the effectiveness, impact and sustainability of development in Egypt by supporting quality evaluation, advancing generation

312 views • 16 slides
SciViews-K and Komodo Edit, a new platform-independent GUI/IDE for R Ph. Grosjean, R. Franois

SciViews-K and Komodo Edit, a new platform-independent GUI/IDE for R Ph. Grosjean, R. Franois

SciViews-K and Komodo Edit, a new platform-independent GUI/IDE for R Ph. Grosjean, R. Franois & K. Barton Acadmie Universitaire Universit de Mons Wallonie-Bruxelles What is SciViews? SciViews was one of the first GUI for R (back to

204 views • 8 slides
Independent specialist platform provider Relaunching for growth. A WORLD OF visit INVESTMENTS

Independent specialist platform provider Relaunching for growth. A WORLD OF visit INVESTMENTS

Independent specialist platform provider Relaunching for growth. A WORLD OF visit INVESTMENTS xplorewealth.com.au Name change subject to Managed Accounts Holdings shareholder approval at an EGM on 12 April 2019. 1 Disclaimer Summary

698 views • 24 slides
Format for 2013 Report 300+ word e-book Fully Interactive pdf Platform independent

Format for 2013 Report 300+ word e-book Fully Interactive pdf Platform independent

Format for 2013 Report 300+ word e-book Fully Interactive pdf Platform independent More like a magazine style than a straight e-book sort of idea Multiple links within the document 50-page printed synthesis report 2 pages

443 views • 6 slides
Platform-Independent Debugging of Physical Interaction and Signal Flow Models Mehdi Dadfarnia 1

Platform-Independent Debugging of Physical Interaction and Signal Flow Models Mehdi Dadfarnia 1

Intro Background Debugging Methods Conclusions & Future Work References & Backup Slides Platform-Independent Debugging of Physical Interaction and Signal Flow Models Mehdi Dadfarnia 1 Raphael Barbau 2 1 National Institute of Standards

590 views • 40 slides
bigmemory : bigger, better, and platform independent John W. Emerson Jay Associate

bigmemory : bigger, better, and platform independent John W. Emerson Jay Associate

UseR! 2009 bigmemory : bigger, better, and platform independent John W. Emerson Jay Associate Professor Department of Statistics Yale University john.emerson@yale.edu http://www.stat.yale.edu/~jay/ Collaborator: Michael J Kane Yale

601 views • 35 slides
Independent specialist platform provider A WORLD OF visit INVESTMENTS xplorewealth.com.au 1

Independent specialist platform provider A WORLD OF visit INVESTMENTS xplorewealth.com.au 1

Independent specialist platform provider A WORLD OF visit INVESTMENTS xplorewealth.com.au 1 Disclaimer Summary information This presentation contains summary information about Xplore Wealth Limited (Company) (ASX: XPL) and its activities as

338 views • 10 slides
A Platform-Independent Tool for Modeling Parallel Programs ACM Southeast 2011 Kennesaw State

A Platform-Independent Tool for Modeling Parallel Programs ACM Southeast 2011 Kennesaw State

A Platform-Independent Tool for Modeling Parallel Programs ACM Southeast 2011 Kennesaw State University March 2011 Ferosh Jacob, Jeff Gray, Yu Sun, Purushotham Bangalore Department of Computer Science University of Alabama

169 views • 15 slides
Static and dynamic verification Static and dynamic V&V Software inspections Concerned

Static and dynamic verification Static and dynamic V&V Software inspections Concerned

1 2 Static and dynamic verification Static and dynamic V&V Software inspections Concerned with analysis of the static system Static representation to discover problems (static verification verification) May be supplement by

107 views • 6 slides
Static Analysis of Haskell Neil Mitchell http://ndmitchell.com Static Analysis is getting

Static Analysis of Haskell Neil Mitchell http://ndmitchell.com Static Analysis is getting

Static Analysis of Haskell Neil Mitchell http://ndmitchell.com Static Analysis is getting insights at compile time Full branch coverage Terminates Doesnt rely on a test suite Types are static analysis. Lets talk about

784 views • 39 slides
static vs automatic storage classes Three types of memory allocations static storage class

static vs automatic storage classes Three types of memory allocations static storage class

static vs automatic storage classes Three types of memory allocations static storage class means variable persists through static allocation: for globals and any static the life of the program variables in functions automatic storage

569 views • 9 slides
the home of INDEPENDENT music 360 TUNEbox HD quality music videos from all over Todays

the home of INDEPENDENT music 360 TUNEbox HD quality music videos from all over Todays

the home of INDEPENDENT music 360 TUNEbox HD quality music videos from all over Todays hottest the world independent artists Videos organized by genre: 24/7 pop, hip-hop/rap, dance, rock, international The best platform

472 views • 7 slides
Wikitude Company Overview WIKITUDE AT A GLANCE Wikitude is the leading independent augmented

Wikitude Company Overview WIKITUDE AT A GLANCE Wikitude is the leading independent augmented

Wikitude Company Overview WIKITUDE AT A GLANCE Wikitude is the leading independent augmented reality platform for phones, tablets, and smart glasses with over 1 billion app installs AR v Leading independent Serving 20,000 apps AR technology

366 views • 24 slides
Mining Data that Changes 17 July 2015 Data is Not Static Data is not static New

Mining Data that Changes 17 July 2015 Data is Not Static Data is not static New

Mining Data that Changes 17 July 2015 Data is Not Static Data is not static New transactions, new friends, stop following somebody in T witter, But most data mining algorithms assume static data Even a minor change requires

925 views • 44 slides
Libraries In C++ its possible to create static libraries and shared libraries Static

Libraries In C++ its possible to create static libraries and shared libraries Static

Libraries In C++ its possible to create static libraries and shared libraries Static libraries (end in .a) are combined/linked into an executable Executables are large. If library is updated in a binary compatible way, programs

297 views • 8 slides
Static and dynamic verification Software inspections Concerned with analysis of the static

Static and dynamic verification Software inspections Concerned with analysis of the static

1 Static and dynamic verification Software inspections Concerned with analysis of the static system representation to discover problems (static verification) May be supplement by tool-based document and code analysis Software

430 views • 12 slides
THE HOME OF INDEPENDENT MUSIC HD quality music videos from all over the world 24/7 Todays

THE HOME OF INDEPENDENT MUSIC HD quality music videos from all over the world 24/7 Todays

THE HOME OF INDEPENDENT MUSIC HD quality music videos from all over the world 24/7 Todays hottest independent artists Videos organized by genre: pop, hip-hop/ rap, dance, rock, international The best platform for emerging artists

190 views • 8 slides

More recommend