program analysis
play

Program Analysis Attackers: need to analyze our program to modify - PowerPoint PPT Presentation

Mar 16, 2024 •784 likes •1.21k views

Program Analysis Attackers: need to analyze our program to modify it! Defenders: need to analyze our program to protect it! Two kinds of analyses: 1 static analysis tools collect information about a program by studying its code; 2 dynamic

  1. Program Analysis Attackers: need to analyze our program to modify it! Defenders: need to analyze our program to protect it! Two kinds of analyses: 1 static analysis tools collect information about a program by studying its code; 2 dynamic analysis tools collect information from executing the program. 1/22

  2. Static and Dynamic Analyses control-flow graphs: representation of functions. 2/22

  3. Static and Dynamic Analyses control-flow graphs: representation of functions. call graphs: representation of (possible) function calls. 2/22

  4. Static and Dynamic Analyses control-flow graphs: representation of functions. call graphs: representation of (possible) function calls. debugging: what path does the program take? 2/22

  5. Static and Dynamic Analyses control-flow graphs: representation of functions. call graphs: representation of (possible) function calls. debugging: what path does the program take? tracing: which functions/system calls get executed? 2/22

  6. Static and Dynamic Analyses control-flow graphs: representation of functions. call graphs: representation of (possible) function calls. debugging: what path does the program take? tracing: which functions/system calls get executed? profiling: what gets executed the most? 2/22

  7. Static and Dynamic Analyses control-flow graphs: representation of functions. call graphs: representation of (possible) function calls. debugging: what path does the program take? tracing: which functions/system calls get executed? profiling: what gets executed the most? disassembly: turn raw executables into assembly code. 2/22

  8. Static and Dynamic Analyses control-flow graphs: representation of functions. call graphs: representation of (possible) function calls. debugging: what path does the program take? tracing: which functions/system calls get executed? profiling: what gets executed the most? disassembly: turn raw executables into assembly code. decompilation: turn raw assembly code into source code. 2/22

  9. Outline Static Analysis 1 Control-flow analysis Reconstituting source 2 Disassembly Static Analysis 3/22

  10. Control-flow Graphs (CFGs) A way to represent functions. Nodes are called basic blocks. Each block consists of straight-line code ending (possibly) in a branch. An edge A → B : control could flow from A to B . Static Analysis 4/22

  11. ✞ ☎ int modexp ( int y , int x [ ] , int w, int n ) { ✞ ☎ int R , L ; ( 1) k=0 int k = 0; ( 2) s=1 s = 1; ( 3) ( k > = w) goto (12) int i f while ( k < w) { ( 4) i f ( x [ k ]!=1) goto ( 7) ( x [ k] == 1) ( 5) R=(s ∗ y)%n i f R = ( s ∗ y ) % n ; ( 6) goto ( 8) ( 7) R=s else R = s ; ( 8) s=R ∗ R%n s = R ∗ R % n ; ( 9) L=R L = R; (10) k++ k++; (11) goto ( 3) } (12) return L ✝ ✆ return L ; Static Analysis 5/22 }

  12. The resulting graph B 0 : (1) k=0 (2) s=1 B 1 : (3) if (k>=w)goto B 6 B 6 : B 2 : (12) return L (4) if (x[k]!=1) goto B 4 B 4 : B 3 : (7) R=s (5) R=(s*y) mod n (6) goto B 5 B 5 : (8) s=R*R mod n (9) L = R (10) k++ (11) goto B 1 Static Analysis 6/22

  13. BuildCFG( F ) : 1 Mark every instruction which can start a basic block as a leader : the first instruction is a leader; any target of a branch is a leader; the instruction following a conditional branch is a leader. 2 A basic block consists of the instructions from a leader up to, but not including, the next leader. 3 Add an edge A → B if A ends with a branch to B or can fall through to B . Static Analysis 7/22

  14. Interprocedural control flow Interprocedural analysis also considers flow of information between functions. Call graphs are a way to represent possible function calls. Each node represents a function. An edge A → B : A might call B . Static Analysis 8/22

  15. Building call-graphs ✞ ☎ void h ( ) ; f () { void h ( ) ; } void g () { f f ( ) ; } k void h ( ) { main g h f ( ) ; g ( ) ; } void k () {} Static Analysis 9/22

  16. Outline Static Analysis 1 Control-flow analysis Reconstituting source 2 Disassembly Reconstituting source 10/22

  17. Reconstituting source p.o p p.c p.s p’ as cc header ld header strip .data .data header .text .text .data symbols symbols .text relocation relocation trans Reconstituting source 11/22

  18. Attacking stripped binary code p’ hex p’’ editor header header .data .data .text .text dis p’.s p’.c p’’.c p’’ dcc edit cc Reconstituting source 12/22

  19. Why is disassembly hard? Variable length instruction sets — overlapping instructions. Reconstituting source 13/22

  20. Why is disassembly hard? Variable length instruction sets — overlapping instructions. Mixing data and code — misclassify data as instructions. Reconstituting source 13/22

  21. Why is disassembly hard? Variable length instruction sets — overlapping instructions. Mixing data and code — misclassify data as instructions. Indirect jumps — must assume that any location could be the start of an instruction! Reconstituting source 13/22

  22. Why is disassembly hard? Variable length instruction sets — overlapping instructions. Mixing data and code — misclassify data as instructions. Indirect jumps — must assume that any location could be the start of an instruction! Find the beginning of functions if all calls are indirect. Reconstituting source 13/22

  23. Why is disassembly hard? Variable length instruction sets — overlapping instructions. Mixing data and code — misclassify data as instructions. Indirect jumps — must assume that any location could be the start of an instruction! Find the beginning of functions if all calls are indirect. Finding the end of fuctions — if no dedicated return instruction. Reconstituting source 13/22

  24. Why is disassembly hard? Variable length instruction sets — overlapping instructions. Mixing data and code — misclassify data as instructions. Indirect jumps — must assume that any location could be the start of an instruction! Find the beginning of functions if all calls are indirect. Finding the end of fuctions — if no dedicated return instruction. Handwritten assembly code — won’t conform to the standard calling conventions. Reconstituting source 13/22

  25. Why is disassembly hard? Variable length instruction sets — overlapping instructions. Mixing data and code — misclassify data as instructions. Indirect jumps — must assume that any location could be the start of an instruction! Find the beginning of functions if all calls are indirect. Finding the end of fuctions — if no dedicated return instruction. Handwritten assembly code — won’t conform to the standard calling conventions. code compression — the code of two functions may overlap. Reconstituting source 13/22

  26. Why is disassembly hard? Variable length instruction sets — overlapping instructions. Mixing data and code — misclassify data as instructions. Indirect jumps — must assume that any location could be the start of an instruction! Find the beginning of functions if all calls are indirect. Finding the end of fuctions — if no dedicated return instruction. Handwritten assembly code — won’t conform to the standard calling conventions. code compression — the code of two functions may overlap. Self-modifying code. Reconstituting source 13/22

  27. Instruction set 1 opcode mnemonic operands semantics 0 function call to addr addr call 1 function call to address in reg reg calli 2 branch to pc + offset if flags for brg offset > are set 3 reg reg ← reg + 1 inc 4 offset branch to pc + offset bra 5 reg jump to address in reg jmpi 6 beginning of function prologue 7 return from function ret Instruction set for a small architecture. All operators and operands are one byte long. Instructions can be 1-3 bytes long. Reconstituting source 14/22

  28. Instruction set 2 opcode mnemonic operands semantics 8 reg 1 , ( reg 2 ) reg 1 ← [ reg 2 ] load 9 reg , imm reg ← imm loadi 10 reg , imm compare reg and imm and set cmpi flags 11 reg 1 ← reg 1 + reg 2 add reg 1 , reg 2 12 branch to pc + offset if flags for brge offset ≥ are set 13 offset branch to pc + offset if flags for breq = are set 14 ( reg 1 ) , reg 2 [ reg 1 ] ← reg 2 store Reconstituting source 15/22

  29. Disassembly — example ✞ ☎ 6 0 1 0 9 0 4 3 1 0 7 0 6 9 0 1 1 0 0 1 2 2 6 9 1 3 0 1 1 1 0 8 2 1 5 2 3 2 3 7 9 1 3 4 7 9 1 4 4 2 7 6 9 0 3 7 6 9 0 1 7 4 2 2 4 3 1 7 4 3 4 1 ✝ ✆ Next few slides show the results of different disassembly algorithms. Correctly disassembled regions are in pink. Reconstituting source 16/22

Recommend

Analysis and Optimizations Program Analysis P3 / 2006 Discovers properties of a program

Analysis and Optimizations Program Analysis P3 / 2006 Discovers properties of a program

Analysis and Optimizations Program Analysis P3 / 2006 Discovers properties of a program Optimizations Using Program Analysis Use analysis results to transform program for Optimization Goal: improve some aspect of program

232 views • 12 slides
Analysis and Optimizations Analysis and Optimizations Program Analysis Program Analysis

Analysis and Optimizations Analysis and Optimizations Program Analysis Program Analysis

Analysis and Optimizations Analysis and Optimizations Program Analysis Program Analysis Discovers properties of a program Optimizations Using Program Analysis Use analysis results to transform program Use analysis results

744 views • 17 slides
EDA045F: Program Analysis LECTURE 2: DATAFLOW ANALYSIS 1 Christoph Reichenbach In the last

EDA045F: Program Analysis LECTURE 2: DATAFLOW ANALYSIS 1 Christoph Reichenbach In the last

EDA045F: Program Analysis LECTURE 2: DATAFLOW ANALYSIS 1 Christoph Reichenbach In the last lecture. . . Uses of Program Analysis Static vs. Dynamic Program Analysis Soundness, Precision, Termination Abstraction and Simplification

4.44k views • 52 slides
Program analysis INF4140 - Models of concurrency Program Analysis, lecture 5 Hsten 2015 28.

Program analysis INF4140 - Models of concurrency Program Analysis, lecture 5 Hsten 2015 28.

Program analysis INF4140 - Models of concurrency Program Analysis, lecture 5 Hsten 2015 28. 9. 2016 2 / 43 Program correctness Is my program correct? Central question for this and the next lecture. Does a given program behave as intended?

880 views • 43 slides
Lexical analysis Lexical analysis Lexical analysis checks the correctness of program words and

Lexical analysis Lexical analysis Lexical analysis checks the correctness of program words and

Lexical analysis Lexical analysis Lexical analysis checks the correctness of program words and transforms a program to the stream of tokens: removes empty symbols and commentaries; identifies keywords, indentifiers and literal

400 views • 37 slides
Program Analysis in Software Development Summary of Papers Program Analysis Application Areas

Program Analysis in Software Development Summary of Papers Program Analysis Application Areas

Program Analysis in Software Development Summary of Papers Program Analysis Application Areas Compilation and Optimization LLVM: A Compilation Framework for Lifelong Program Analysis &amp; Transformation Obfuscation Generation and

1.64k views • 6 slides
Lecture 1: Introduction to Program Analysis 17-355/17-655/17-819: Program Analysis Claire Le

Lecture 1: Introduction to Program Analysis 17-355/17-655/17-819: Program Analysis Claire Le

Lecture 1: Introduction to Program Analysis 17-355/17-655/17-819: Program Analysis Claire Le Goues January 14, 2020 * Course materials developed with Jonathan Aldrich (c) 2020 C. Le Goues 1 Learning objectives Provide a high level

788 views • 50 slides
Information Flow and Program Analysis Program Analysis Markus Mller-Olm Westflische

Information Flow and Program Analysis Program Analysis Markus Mller-Olm Westflische

Information Flow and Program Analysis Program Analysis Markus Mller-Olm Westflische Wilhelms-Universitt Mnster, Germany IFIP WG 2.2 Meeting Singapore, September 13-16, 2016 Project Context Work in progress from a joint project with

762 views • 19 slides
Principles of Program Analysis An overview of approaches beyond loop analysis and optimizations

Principles of Program Analysis An overview of approaches beyond loop analysis and optimizations

Principles of Program Analysis An overview of approaches beyond loop analysis and optimizations cs6363 1 The Nature of static analysis --- approximation Static program analysis --- predict the dynamic behavior of programs without running

368 views • 19 slides
1 Programmers often use analysis tools to improve program quality. These are just tools to

1 Programmers often use analysis tools to improve program quality. These are just tools to

1 Programmers often use analysis tools to improve program quality. These are just tools to analyze, or carefully examine, some aspect of a program. We can categorize program analyses into two groups: Static analysis involves analyzing a program's

511 views • 35 slides
1 Analysis Information Where Do Facts Hold? How much information depends on the client

1 Analysis Information Where Do Facts Hold? How much information depends on the client

711? CS711 Advanced Programming Languages Topics in Program Analysis Radu Rugina Fall 2005 CS711 Overview 2 Program Analysis Static vs. Dynamic Static analysis: inspect programs at compile-time Static analysis: Work done at

282 views • 4 slides
Program Analysis 1 Summary Summary analysis of algorithms asymptotic analysis

Program Analysis 1 Summary Summary analysis of algorithms asymptotic analysis

csci 210: Data Structures Program Analysis 1 Summary Summary analysis of algorithms asymptotic analysis big-O big-Omega big-theta asymptotic notation commonly used functions discrete math

500 views • 33 slides
Be a Binary Rockst r An Introduction to Program Analysis with Binary Ninja Agenda

Be a Binary Rockst r An Introduction to Program Analysis with Binary Ninja Agenda

Be a Binary Rockst r An Introduction to Program Analysis with Binary Ninja Agenda Motivation Current State of Program Analysis Design Goals of Binja Program Analysis Building Tools 2 Motivation 3 Tooling - Concrete -&gt;

963 views • 77 slides
Nutrition Program Secondary 2014 DHS Analysis Reference: National Nutrition Program,

Nutrition Program Secondary 2014 DHS Analysis Reference: National Nutrition Program,

Nutrition Program Secondary 2014 DHS Analysis Reference: National Nutrition Program, Nutrition secondary analysis 2014 CDHS, UNICEF/IRD/MOH, Phnom Penh, Cambodia, January 2016 Team For the secondary analysis: IRD MOH Dr Frank Wieringa

826 views • 57 slides
Program Analysis discrete math refresher READING: Textbook chapter 2 (p. 13-26)

Program Analysis discrete math refresher READING: Textbook chapter 2 (p. 13-26)

Summary Summary analysis of algorithms asymptotic analysis big-O big-Omega csci 210: Data Structures big-theta asymptotic notation commonly used functions Program Analysis discrete math

112 views • 9 slides
EDA045F: Program Analysis LECTURE 8: DYNAMIC ANALYSIS 1 Christoph Reichenbach In the last

EDA045F: Program Analysis LECTURE 8: DYNAMIC ANALYSIS 1 Christoph Reichenbach In the last

EDA045F: Program Analysis LECTURE 8: DYNAMIC ANALYSIS 1 Christoph Reichenbach In the last lecture. . . More Points-to Analysis Memory Errors 2 / 44 Challenges to Static Analysis Static analysis is far from solved Very active

574 views • 42 slides
CS 497 Program Analysis Ond rej Lhot ak November 21 and 26, 2007 Program Analysis Prove

CS 497 Program Analysis Ond rej Lhot ak November 21 and 26, 2007 Program Analysis Prove

CS 497 Program Analysis Ond rej Lhot ak November 21 and 26, 2007 Program Analysis Prove properties about runtime behaviour of a program without running it Program Analysis Prove properties about runtime behaviour of a program without

1.43k views • 107 slides
Lexical Analysis Lexical analysis is the first phase of compilation: The file is converted from

Lexical Analysis Lexical analysis is the first phase of compilation: The file is converted from

Lexical Analysis Lexical analysis is the first phase of compilation: The file is converted from ASCII to tokens. It must be fast! Analysis Synthesis Compiler Passes of input program of output program ( front -end) ( back -end) character

697 views • 32 slides
Program Analysis Program Analysis Extracting information, in order to present Extracting

Program Analysis Program Analysis Extracting information, in order to present Extracting

Program Analysis Program Analysis Extracting information, in order to present Extracting static and dynamic information from a software system abstractions of, or answer questions about, a software system Static Analysis: Examines the

201 views • 6 slides
Laser Safety Program Gap Analysis Greta Toncheva, LSO 9/17/2013 Laser Gap Analysis Purpose: T

Laser Safety Program Gap Analysis Greta Toncheva, LSO 9/17/2013 Laser Gap Analysis Purpose: T

Laser Safety Program Gap Analysis Greta Toncheva, LSO 9/17/2013 Laser Gap Analysis Purpose: T o evaluate the existing laser safety program for compliance with the design and control requirements of 10 CFR 851Worker Safety and Health Program

146 views • 10 slides
SMT-Style Program Analysis with Value-based Refinements Vijay DSilva Leopold Haller Daniel

SMT-Style Program Analysis with Value-based Refinements Vijay DSilva Leopold Haller Daniel

SMT-Style Program Analysis SMT-Style Program Analysis with Value-based Refinements Vijay DSilva Leopold Haller Daniel Kr oning NSV-3 July 15, 2010 SMT-Style Program Analysis Outline Imprecision and Refinement in Abstract

1.71k views • 108 slides
Program Analsysis Tools Steven J Zeil April 18, 2013 Program Analsysis Tools Outline

Program Analsysis Tools Steven J Zeil April 18, 2013 Program Analsysis Tools Outline

Program Analsysis Tools Program Analsysis Tools Steven J Zeil April 18, 2013 Program Analsysis Tools Outline Program Analsysis Tools Analysis Tools Static Analysis style checkers data flow analysis Dynamic Analysis

937 views • 45 slides
A Tutorial on Program Analysis Markus Mller-Olm Dortmund University Thanks ! Helmut Seidl

A Tutorial on Program Analysis Markus Mller-Olm Dortmund University Thanks ! Helmut Seidl

A Tutorial on Program Analysis Markus Mller-Olm Dortmund University Thanks ! Helmut Seidl (TU Mnchen) and Bernhard Steffen (Universitt Dortmund) for discussions, inspiration, joint work, ... 1 Dream of Program Analysis program

785 views • 57 slides
Efficient Deductive Methods for Program Analysis Harald Ganzinger Max-Planck-Institut f ur

Efficient Deductive Methods for Program Analysis Harald Ganzinger Max-Planck-Institut f ur

Efficient Deductive Methods for Program Analysis Harald Ganzinger Max-Planck-Institut f ur Informatik Introduction 2 program analysis from high-level inference rules complexity analysis through general meta-complexity theorems

451 views • 33 slides

More recommend