RevNIC: Reverse Engineering of Binary Device Drivers - PowerPoint PPT Presentation

Vitaly Chipounov and George Candea, School of Computer & Communication Sciences. Slide export dated Thursday, 15 April 2010.


  1. RevNIC: Reverse Engineering of Binary Device Drivers
     Vitaly Chipounov and George Candea
     School of Computer & Communication Sciences
     Thursday, 15 April 2010

  2. Drivers: Hard to Write and Hard to Port
     • Drivers are often closed source, so porting from existing drivers is difficult
     • Devices rarely come with an interface specification, so writing a driver from scratch is hard
     • Specifications are often incomplete and buggy, so driver implementations end up buggy

  3. Existing Solutions
     • Emulating the source OS (VMs, NDISwrapper, ...): run-time overhead, hard to maintain
     • Making drivers from specifications (Termite): requires formal specifications
     • Manual trace analysis, decompilation: tedious, imprecise

  4. [Figure] From one Windows driver to drivers for Windows, Linux, KitOS and μC/OS-II, running on x86 PCs, FPGAs and Virtual Machines (image: http://bplteensofwa.files.wordpress.com/2009/07/computer.jpg)

  5. RevNIC overview (figure)
     Virtual Machine running the Guest OS with the Original Binary Driver, driven by the Driver Exerciser
       ➔ Hardware interaction traces
       ➔ RevNIC Code Synthesizer (together with a NIC Driver Template)
       ➔ Synthetic Driver


  9. High Coverage Driver Exerciser
     • Hand-crafted workload is not enough

  10. Example: a NIC driver's interrupt handler

      int irq_handler(device_t *dev) {
          int status, pkt_size;
          status = hw_read(STATUS_REG);
          if (status == RX) {
              pkt_size = hw_read(RX_SIZE_REG);
              if (pkt_size < 1514) {
                  recv_packet(dev);
              } else {
                  drop_packet(dev);
              }
          } else if (status == TX) {
              ...
          }
          return 0;
      }

  11. The same handler, annotated:
      • Boundary conditions (the pkt_size < 1514 check)
      • Error recovery code (the drop_packet(dev) branch)

  14. The handler's paths drawn as a tree: status == RX is true or false; if true, pkt_size < 1514 decides between receive packet and drop packet; if false, status == TX is tested next, and so on

  15. Needed: a high coverage automated driver exerciser that reaches all of these paths

  16. [Figure] Windows software stack: Applications and libraries (explorer.exe, advapi32.dll, msvcrt.dll, user32.dll, ..., ntdll.dll) on top of the Windows Kernel, with Device Drivers (ndis.sys, rtl8139.sys, ...) in the kernel

  17. Exercising Windows NIC Drivers
      NICDRIVER.SYS entry points: Initialize(...), QueryInformation(...), ..., SendPacket(...), HandleInterrupt(...), Unload(...)

  19. Exercising Initialize(...): exploring its paths yields many failing paths (☹) and a few successful ones (☺)

  23. From a successful Initialize(...) state, call Send(..., Packet, ...); the concrete packet bytes (001a706650e3...) are replaced by symbolic values (α β γ δ ε ϛ ...) so that every path depending on the packet contents is explored, again yielding failing (☹) and successful (☺) paths

  27. Raise an Interrupt and call HandleInterrupt(...) on the successful states

  30. Finally call Unload(...)


  33. Hardware Interaction Traces
      The Driver Exerciser runs the Original Binary Driver in the Guest OS inside the Virtual Machine and writes Trace Files containing:
      • Execution tree
      • Machine instructions
      • Memory accesses
      • Register values
      • (Memory-Mapped) I/O


  35. RevNIC Code Synthesizer: Traces ➔ C code, combined with the NIC Driver Template into the Synthetic Driver

  36. Execution Tree

  37. Execution Tree: sequences of basic blocks
      Trace #1: BB1 ➔ BB2 ➔ BB3 ➔ BB4 ➔ BB5 ➔ BB6 ➔ BB7

  38. Trace #2: BB1 ➔ BB2 ➔ BB3 ➔ BB4 ➔ BB8 ➔ BB9 ➔ BB7

  39. Both traces side by side: they share the prefix BB1 ➔ BB2 ➔ BB3 ➔ BB4, diverge into BB5 ➔ BB6 and BB8 ➔ BB9, and rejoin at BB7

  42. CFG: identical basic blocks are merged across the traces

  43. Resulting CFG: BB1 ➔ BB2 ➔ BB3 ➔ BB4, then either BB5 ➔ BB6 or BB8 ➔ BB9, both leading to BB7

  44. CFG ➔ C skeleton: one function, one label per basic block

      uint32_t function_0001(...) {
      BB1:
      BB2:
      BB3:
      BB4:
      BB5:
      BB6:
      BB8:
      BB9:
      BB7:
      }

  45. CFG ➔ C code: each block's recovered statements go under its label and the CFG edges become gotos

      uint32_t function_0001(uint32_t param1, uint32_t param2) {
          uint32_t v1, v2;
          /* ... */
      BB1:
          goto BB2;
      BB2:
          v1 = read_port(param1);
      BB3:
          v2 = read_port(param2);
      BB4:
          if (v1 & 0x21) goto BB8;
      BB5:
          write_port(param2, 0x1234);
      BB6:
          goto BB7;
      BB8:
          write_port(param1, 0x4567);
      BB9:
          goto BB7;
      BB7:
          return 0;
      }
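As an added example (not RevNIC's own code), the following Python merges the two basic-block traces of slides 37-38 into the CFG of slide 43 and emits labelled C in the manner of slide 45; the block statements and the BB4 condition are taken from slide 45, while the trace and CFG data structures, the block layout order and the local declarations are this example's assumptions.

```python
# Added example (not RevNIC's own code): merge basic-block traces into a CFG and
# emit labelled C in the style of slides 37-45. Block statements and the BB4
# condition are from slide 45; the trace and CFG data structures are assumed here.
TRACES = [[1, 2, 3, 4, 5, 6, 7],   # constructed Trace #1 (slide 37)
          [1, 2, 3, 4, 8, 9, 7]]   # constructed Trace #2 (slide 38)
BODY = {2: "v1 = read_port(param1);", 3: "v2 = read_port(param2);",
        5: "write_port(param2, 0x1234);", 8: "write_port(param1, 0x4567);"}
COND = {4: "v1 & 0x21"}  # true at BB4 means the second successor (BB8) is taken


def build_cfg(traces):
    """Merge traces into per-block successor lists, in order of first observation."""
    succ = {}
    for trace in traces:
        for cur, nxt in zip(trace, trace[1:]):
            lst = succ.setdefault(cur, [])
            if nxt not in lst:
                lst.append(nxt)
        succ.setdefault(trace[-1], [])
    return succ


def layout(succ, entry):
    """Reverse postorder; successors visited in reverse so the fall-through one follows."""
    seen, post = set(), []
    def dfs(b):
        seen.add(b)
        for s in reversed(succ[b]):
            if s not in seen:
                dfs(s)
        post.append(b)
    dfs(entry)
    return post[::-1]


def emit_c(succ, body, cond, entry=1, name="function_0001"):
    """One label per block; a goto only where fall-through would be wrong."""
    order = layout(succ, entry)
    lines = [f"uint32_t {name}(uint32_t param1, uint32_t param2) {{",
             "    uint32_t v1, v2;  /* locals assumed by this example */"]
    for i, b in enumerate(order):
        lines.append(f"BB{b}:")
        if b in body:
            lines.append(f"    {body[b]}")
        s, nxt = succ[b], (order[i + 1] if i + 1 < len(order) else None)
        if len(s) == 2:  # two successors: conditional branch (BB4 on slide 45)
            lines.append(f"    if ({cond[b]}) goto BB{s[1]};")
        if s and s[0] != nxt:  # fall-through target is not the next block
            lines.append(f"    goto BB{s[0]};")
        elif not s:  # no successor: function exit
            lines.append("    return 0;")
    lines.append("}")
    return "\n".join(lines)
```

Running `print(emit_c(build_cfg(TRACES), BODY, COND))` lays the blocks out as BB1, BB2, BB3, BB4, BB5, BB6, BB8, BB9, BB7, the same order as slide 45, with a single conditional goto at BB4 and one unconditional goto from BB6 to the join block.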
