Superset Disassembly: Statically Rewriting x86 Binaries Without Heuristics Erick Bauman 1 , Zhiqiang Lin 1 , 2 , Kevin Hamlen 1 1 University of Texas at Dallas 2 The Ohio State University NDSS 2018
Introduction Background and Overview Design and Implementation Evaluation Conclusion References Static Binary Rewriting 2 / 34
Introduction Background and Overview Design and Implementation Evaluation Conclusion References Static Binary Rewriting 2 / 34
Introduction Background and Overview Design and Implementation Evaluation Conclusion References Many Static Rewriters Have Been Developed Over the Past Decades L S S P C D R P A F U N R D H H H H P O H C R I Systems Year E TCH [RVL + 97] 1997 � � ✗ ✗ ✗ ✗ � � � ✗ ✗ ✗ SASI [ES99] 1999 ✗ ✗ � � � � ✗ ✗ ✗ � ✗ ✗ P LTO [SDAL01] 2001 ✗ ✗ � � � � � � � ✗ ✗ ✗ V ULCAN [SEV01] 2001 � ✗ � � � � � � � ✗ ✗ ✗ D IABLO [PCB + 05] 2005 ✗ ✗ � � � � � � � ✗ ✗ ✗ CFI [ABEL09] 2005 � ✗ � � � � ✗ ✗ ✗ � � ✗ XFI [EAV + 06] 2006 � ✗ � � � � ✗ ✗ ✗ � ✗ ✗ P ITT SFI ELD [MM06] 2006 ✗ ✗ � � � � ✗ ✗ ✗ � ✗ ✗ B IRD [NLLC06] 2006 � � ✗ � � ✗ � � � � ✗ ✗ N A C L [YSD + 09] 2009 ✗ ✗ � � � � ✗ ✗ ✗ � ✗ ✗ P EBIL [LTCS10] 2010 ✗ ✗ � � � � � � � ✗ ✗ ✗ S ECOND W RITE [OAK + 11] 2011 � � � ✗ ✗ ✗ � � � � ✗ ✗ D YN I NST [BM11] 2011 � � ✗ ✗ � ✗ � � � � � ✗ S TIR /R EINS [WMHL12b, WMHL12a] 2012 � � � ✗ ✗ � ✗ ✗ ✗ � � ✗ C CFIR [ZWC + 13] 2013 ✗ � � � ✗ ✗ ✗ ✗ ✗ � � ✗ B ISTRO [DZX13] 2013 � � � ✗ ✗ ✗ ✗ ✗ ✗ � ✗ � B IN CFI [ZS13] 2013 � � � � � ✗ ✗ ✗ ✗ � � ✗ P SI [ZQHS14] 2014 � � � � � ✗ � � � � � ✗ U ROBOROS [WWW16] 2016 � � ✗ ✗ ✗ ✗ � � � � � � R AMBLR [WSB + 17] 2017 � � � ✗ ✗ ✗ � � � � � � 3 / 34
Introduction Background and Overview Design and Implementation Evaluation Conclusion References Many Static Rewriters Have Been Developed Over the Past Decades C D P A L S S P R F U N O R D H H H H P H C R Systems Year I E TCH [RVL + 97] 1997 � � ✗ ✗ ✗ ✗ � � � ✗ ✗ ✗ SASI [ES99] 1999 ✗ ✗ � � � � ✗ ✗ ✗ � ✗ ✗ P LTO [SDAL01] 2001 ✗ ✗ � � � � � � � ✗ ✗ ✗ V ULCAN [SEV01] 2001 � ✗ � � � � � � � ✗ ✗ ✗ D IABLO [PCB + 05] 2005 ✗ ✗ � � � � � � � ✗ ✗ ✗ CFI [ABEL09] 2005 � ✗ � � � � ✗ ✗ ✗ � � ✗ XFI [EAV + 06] 2006 � ✗ � � � � ✗ ✗ ✗ � ✗ ✗ P ITT SFI ELD [MM06] 2006 ✗ ✗ � � � � ✗ ✗ ✗ � ✗ ✗ B IRD [NLLC06] 2006 � � ✗ � � ✗ � � � � ✗ ✗ These tools rely on various N A C L [YSD + 09] 2009 ✗ ✗ � � � � ✗ ✗ ✗ � ✗ ✗ assumptions and heuristics! P EBIL [LTCS10] 2010 ✗ ✗ � � � � � � � ✗ ✗ ✗ S ECOND W RITE [OAK + 11] 2011 � � � ✗ ✗ ✗ � � � � ✗ ✗ D YN I NST [BM11] 2011 � � ✗ ✗ � ✗ � � � � � ✗ S TIR /R EINS [WMHL12b, WMHL12a] 2012 � � � ✗ ✗ � ✗ ✗ ✗ � � ✗ C CFIR [ZWC + 13] 2013 ✗ � � � ✗ ✗ ✗ ✗ ✗ � � ✗ B ISTRO [DZX13] 2013 � � � ✗ ✗ ✗ ✗ ✗ ✗ � ✗ � B IN CFI [ZS13] 2013 � � � � � ✗ ✗ ✗ ✗ � � ✗ P SI [ZQHS14] 2014 � � � � � ✗ � � � � � ✗ U ROBOROS [WWW16] 2016 � � ✗ ✗ ✗ ✗ � � � � � � R AMBLR [WSB + 17] 2017 � � � ✗ ✗ ✗ � � � � � � 3 / 34
Introduction Background and Overview Design and Implementation Evaluation Conclusion References M ULTIVERSE : the first heuristic-free static binary rewriter “Everything that can happen does happen.” [CF12] 4 / 34
Introduction Background and Overview Design and Implementation Evaluation Conclusion References Fundamental Challenges Recognizing and relocating static memory addresses 1 Handling dynamically computed memory addresses 2 Differentiating code and data 3 Handling function pointer arguments (e.g., callbacks) 4 Handling PIC 5 5 / 34
Introduction Background and Overview Design and Implementation Evaluation Conclusion References Working Example 6 / 34
Introduction Background and Overview Design and Implementation Evaluation Conclusion References Working Example 6 / 34
Introduction Background and Overview Design and Implementation Evaluation Conclusion References Working Example 6 / 34
Introduction Background and Overview Design and Implementation Evaluation Conclusion References Challenge (C)1: Recognizing and relocating static addresses 7 / 34
Introduction Background and Overview Design and Implementation Evaluation Conclusion References Challenge (C)1: Recognizing and relocating static addresses 7 / 34
Introduction Background and Overview Design and Implementation Evaluation Conclusion References C1: Recognizing and relocating static memory addresses Data may contain function pointers Must identify pointers to transformed code Difficult to reliably distinguish pointer-like integers from pointers 8 / 34
Introduction Background and Overview Design and Implementation Evaluation Conclusion References C1: Recognizing and relocating static memory addresses Data may contain function pointers Must identify pointers to transformed code Difficult to reliably distinguish pointer-like integers from pointers Keeping original data space intact No need to modify data addresses if data unchanged Keep read-only copy of code for inline data in original code section [OAK + 11, ZS13, WMHL12b, WMHL12a] 8 / 34
Introduction Background and Overview Design and Implementation Evaluation Conclusion References C2: Handling dynamically computed memory addresses 9 / 34
Introduction Background and Overview Design and Implementation Evaluation Conclusion References C2: Handling dynamically computed memory addresses 9 / 34
Introduction Background and Overview Design and Implementation Evaluation Conclusion References C2: Handling dynamically computed memory addresses Indirect control flow transfer (iCFT) targets computed at runtime May use base+offset or arbitrary arithmetic Difficult to predict iCFT targets statically 10 / 34
Introduction Background and Overview Design and Implementation Evaluation Conclusion References C2: Handling dynamically computed memory addresses Indirect control flow transfer (iCFT) targets computed at runtime May use base+offset or arbitrary arithmetic Difficult to predict iCFT targets statically Creating mapping from old code space to rewritten code space Do not attempt to identify original addresses to rewrite Ignore how address is computed; only focus on final target Rewrite all iCFTs to use mapping to dynamically translate address on use [PCC + 04] 10 / 34
Introduction Background and Overview Design and Implementation Evaluation Conclusion References C3: Differentiating code and data 11 / 34
Introduction Background and Overview Design and Implementation Evaluation Conclusion References C3: Differentiating code and data 11 / 34
Introduction Background and Overview Design and Implementation Evaluation Conclusion References C3: Differentiating code and data Code and data can be freely interleaved Found in hand-written assembly and optimizing compilers Linear sweep fails on inline data Recursive traversal lacks full coverage 12 / 34
Introduction Background and Overview Design and Implementation Evaluation Conclusion References C3: Differentiating code and data Code and data can be freely interleaved Found in hand-written assembly and optimizing compilers Linear sweep fails on inline data Recursive traversal lacks full coverage Brute force disassembling of all possible code Disassemble every offset [KRVV04, WZHK14, LVP + 15] All intended code will be within resulting superset 12 / 34
Introduction Background and Overview Design and Implementation Evaluation Conclusion References C4: Handling function pointer arguments (e.g., callbacks) 13 / 34
Introduction Background and Overview Design and Implementation Evaluation Conclusion References C4: Handling function pointer arguments (e.g., callbacks) 13 / 34
Introduction Background and Overview Design and Implementation Evaluation Conclusion References C4: Handling function pointer arguments (e.g., callbacks) Callbacks will fail if function pointer not updated Library code uses callbacks Difficult to identify function pointer arguments 14 / 34
Introduction Background and Overview Design and Implementation Evaluation Conclusion References C4: Handling function pointer arguments (e.g., callbacks) Callbacks will fail if function pointer not updated Library code uses callbacks Difficult to identify function pointer arguments Rewriting all user level code including libraries Hard to automatically identify all function pointer arguments Instead, rewrite everything [ZS13] Use mapping (from Solution ❷ ) to translate callback upon use 14 / 34
Introduction Background and Overview Design and Implementation Evaluation Conclusion References C5: Handling PIC 15 / 34
Recommend
More recommend