Symbion: Interleaving Symbolic with Concrete Execution, Fabio Gritti - PowerPoint PPT Presentation

Symbion: Interleaving Symbolic with Concrete Execution
Fabio Gritti, Lorenzo Fontana, Eric Gustafson, Fabio Pagani, Andrea Continella, Christopher Kruegel, and Giovanni Vigna
University of California, Santa Barbara

Motivation


  1. Motivation. Figure: emulated program memory (uninitialized), 8-byte slots from 0x0000555555559850 (+0x0000) to 0x00005555555598c8 (+0x0078), under "under-constrained" symbolic execution. At P1 most slots already hold <symbolic_variable_1> .. <symbolic_variable_9>, with only a few concrete values left (+0x0008, +0x0010, +0x0060, +0x0068); by P2 the region has accumulated <symbolic_variable_a> .. <symbolic_variable_11>.

  3. Motivation. Figure: the same region as the emulated program sees it when symbolic execution starts from state Sn at P1: every slot is 0x0, because the emulated memory was never initialized. Annotation: "THIS WAS THE CAUSE!"

  4. Motivation. Figure: the same region as it looks inside the real, initialized process (every slot concrete, e.g. +0x0000 0x89485ed18949ed31, +0x0078 0x48550021a99a358d). Annotation: "CAN WE HAVE THIS?"

  5. Approach. Figure: a tree of symbolic states S0 .. S9, Sn rooted at EOP; caption "Interleaved symbolic execution".

  6. Approach. Figure: the same state tree with P1 marked on it.

  7. Approach. Figure: the state tree drawn over real program memory, 0x0000555555559850 .. 0x00005555555598c8, every slot concrete (e.g. +0x0000 0x89485ed18949ed31).

  8. Approach. Figure: emulated program memory at P1, state Sn: the emulated memory now holds the concrete contents of the real process.

  9. Approach. Figure: slot +0x0018 (0x0000555555559868) is marked "User controlled" and replaced with <symbolic_variable_1>; every other slot stays concrete.

  10.-12. Approach. Figure (animation): symbolic states S3, S4, S5 and S6 are explored from Sn over the mostly concrete memory.

  13. Approach. Figure: after exploration, slots +0x0050, +0x0058, +0x0060 and +0x0078 hold <symbolic_variable_2> .. <symbolic_variable_5>, and P2 is reached.

  14.-15. Approach. Figure: the question "<symbolic_variable_1> = ????? To reach P2", answered by the solver: "<symbolic_variable_1> = 0xdeadbeef To reach P2".

  16.-17. Approach. Figure: back in real program memory (states Sn, S3, S4, S5, Sm): the concretized value is written into the process, so +0x0018 now reads 0x00000000deadbeef.

  18. Approach. Figure: program memory at P2 after the concrete run continued from P1 (state Sm); several slots changed on the way, e.g. +0x0000 0x0000000111111111, +0x0040 0x4141414141414141, +0x0070 0x0000100100000000.

  19.-22. Approach. Summary diagram (animation) with one row per technique:
  ● concrete execution: runs from the entry up to P1, with no symbolic reasoning;
  ● under-constrained symbolic execution: starts at P1 and tries to reach P2 on its own;
  ● interleaved symbolic execution: concrete execution up to P1, symbolic execution from P1 to P2, then (slides 16-18) the solved values are written back so that the concrete process can continue.

  23. System Overview
  ● Analysis side, angr (symbolic execution engine): the Symbion exploration technique, SimEngineConcrete, and a Concrete SimPlugin.
  ● Concrete environment side: a ConcreteTarget component that drives a debugger attached to the binary.

  24. ConcreteTarget
  ● Interface used to implement objects that control the program executed inside the concrete analysis environment (GDBTarget is one implementation of it).
  ● Exposes the following methods:
    ○ def read_memory(self, address, length)
    ○ def write_memory(self, address, data)
    ○ def read_register(self, register)
    ○ def write_register(self, register, value)
    ○ def set_breakpoint(self, address)
    ○ def remove_breakpoint(self, address)
    ○ def set_watchpoint(self, address)
    ○ def remove_watchpoint(self, address)
    ○ def get_mappings(self)
    ○ def run(self)

  25. ConcreteTarget ● It can have different interesting implementations: GDBTarget, WinDBGTarget and IDATarget all implement the ConcreteTarget interface.

  26.-29. ConcreteTarget. Figure (deployment variants): the analysis environment reaches the target binary through a ConcreteTarget, which drives a debugger inside the concrete environment:
  ● GDBTarget -> GDBServer, Linux inside QEMU
  ● GDBTarget -> GDBServer, Linux inside VirtualBox
  ● WinDBGTarget -> WinDBG, Windows on a real PC
  ● JLinkTarget -> JLink, embedded system

  30. Let's put all the pieces together

  31.-32. Use Cases (malware reverse engineering): study evasion techniques, study the commands sent by the C&C, detect DGAs (is wgxododfj2e7y990ueey2ywc22.info algorithmically generated?), study packed code.

  33. Use Case ● Symmi Trojan ○ Detecting a domain generation algorithm (DGA) inside the binary. Figure: the concrete flow GetFileSystemTime -> processing -> gethostbyname turns the current time ("Wed Tue 30 10:12:42 PDT 2020" on the slide) into the domain wgxododfj2e7y990ueey2ywc22.info.

  34. Use Case ● Symmi Trojan ○ Detecting a DGA inside the binary. Figure: the same flow with the time replaced by <symbolic_buffer>; the name handed to gethostbyname becomes a symbolic expression, shown truncated on the slide: <BV32 (if ((((0x0 .. __add__(0xfe624e21, symbolic_buffer[63:32], 0x0 .. (if (symbolic_buffer[31:0] ...

  35. Use Case
  ● Symmi Trojan
    ○ Detecting a domain generation algorithm (DGA) inside the binary.
    ○ Challenges:
      ■ Malware has noisy initialization code and evasion: "API hammering", junk code, self-checks.
      ■ Vanilla symbolic execution or under-constrained symbolic execution won't work on it.

  36. Use Case ● Symmi Trojan ○ Detecting a DGA inside the binary. Setup: GDBTarget driving GDBServer on Windows inside VirtualBox.

  37.-39. Symbolic → Concrete. Figure (animation): in the analysis environment, angr's SimEngineConcrete runs the Symbion exploration technique with find=call_getfilesystime; through the ConcreteTarget it lets the real process in the concrete environment execute the initialization code (threads and API hammering) until EIP reaches CALL GetFileSystemTime (the slides' name for the Windows GetSystemTimeAsFileTime API, judging from the symbolic buffer name used later). The binary's memory exists twice: the process memory in the concrete environment and CLEmory, angr's loaded image, in the analysis environment.

  40.-41. Symbolic ← Concrete. Figure (animation): once the breakpoint hits, the Concrete SimPlugin syncs registers and memory from the process into the angr state, so the symbolic side's EIP is now also at CALL GetFileSystemTime.

  42.-47. Symbolic Exploration. Figure (animation): angr's SimVexEngine explores with find=call_gethostbyname. Memory is pulled from the concrete process page by page as it is touched (Page1 in the figure), and the buffer written by GetFileSystemTime is replaced by sym_buffer_SystemTimeAsFIleTime. Exploration continues through the remaining initialization code until EIP reaches CALL gethostbyname.

  48. Figure: at CALL gethostbyname the first argument is symbolic (truncated on the slide): arg0 = <BV32 (if ((((0x0 .. __add__(0xfe624e21, SystemTimeAsFileTime_0_64[63:32], 0x0 .. (if (SystemTimeAsFileTime_0_64[31:0] <= (0x2ac18000 + SystemTimeAsFileTime_0_64[31:0])) then 0 else 1)) ... The name being resolved depends on the system time, which is what the DGA detection was looking for.

  49. (More) Use Cases: vulnerability hunting, exploit writing/generation, and more.

  50.-51. Comparison
  ● Question prediction: Why isn't this just "Concolic Execution?"
  ● Concolic execution has the goal of improving the code coverage of vanilla symbolic execution.
  ● The two techniques are orthogonal and can be chained together.

  52. Comparison
  ● Other similar tools have been developed in the past:
    ○ Avatar2
    ○ Triton
    ○ S2E
    ○ Mayhem (not freely available to the community)
  ● None of them made this kind of technique available in a customizable, general-purpose, easy-to-use and programmatic way.

  53. Limitations
  ● Program execution correctness is not guaranteed by default
    ○ Users could force executions that are not feasible (e.g. by concretizing a value the path constraints do not allow)
    ○ Solutions to mitigate this can be implemented on top of the technique
  ● Desynchronized environment interactions
    ○ Only registers and memory are synchronized
    ○ The state of other objects (sockets, files, stdin/stdout) is not synced with the symbolic engine
  ● Target support
    ○ Limited number of ConcreteTargets
    ○ Developed lazily, as needed

  54. Takeaways
  1. Symbion is a building block that can empower different new analyses applied to many scenarios
  2. Supporting symbolic execution at real-world-program scale is essential
  3. Symbion provides a compromise between the power of symbolic execution and the ability to operate on real-world programs

  55. Support
  ● Open source
    ○ https://github.com/angr/angr
    ○ https://github.com/degrigis/symbion-use-cases
    ○ https://github.com/angr/angr-targets
  ● Docs & Tutorials
    ○ https://angr.io/blog/angr_symbion/
    ○ https://docs.angr.io/advanced-topics/symbion
  ● Support
    ○ https://angr.io/invite/
    ○ Just yell in #help or directly ping me @degrigis

  56. Thanks! degrigis@cs.ucsb.edu @degrigis

  57.-61. Motivation (backup slides, after the closing slide). Figure (animation): the emulated memory of Program A (uninitialized, every slot 0x0) next to Program A's code from EOP down to P1, with "Symbolic execution from here!" pointing at P1, under "under-constrained" symbolic execution. Executing mov rax, [0x555555559850] reads uninitialized memory, so +0x0000 becomes <symbolic_variable_1>; a later mov rbx, [0x555555559868] turns +0x0018 into <symbolic_variable_2>; after a few more instructions most of the region is symbolic (<symbolic_variable_3> .. <symbolic_variable_a>) with only a handful of concrete slots left.

  62.-63. Approach (backup). Figure: the state tree S0 .. S9, Sn over real program memory, before and after +0x0018 is concretized to 0x00000000deadbeef.

  64. Approach (backup). Interleaved symbolic execution, Phase 1: concrete execution to P1. Figure: Program A runs concretely from EOP and stops at a breakpoint on P1 (mov rax, [0x555555559850]); by then its memory is fully initialized (e.g. +0x0000 0x89485ed18949ed31).

  65. Approach (backup). Phase 2: set up symbolic data. Figure: the concrete memory is imported into the emulated state and the slots of interest (+0x0018, +0x0020, +0x0028) are replaced with <symbolic_variable_1> .. <symbolic_variable_3>; "Symbolic execution from here!" at P1.

  66.-69. Approach (backup). Phase 3: symbolic execution. Figure (animation): from P1 the engine executes mov rax, [0x555555559850], ..., mov rbx, [0x555555559868], ... towards P2 over the mostly concrete memory, ending with the question "<symbolic_variable_1> = ????? To reach P2".

  70. Approach Emulated Program A (uninitialized) memory Program A EOP 0x0000555555559850│+0x0000 0x89485ed18949ed31 0x0000555555559858│+0x0008 0x4c5450f0e48348e2 code [...] 0x0000555555559860│+0x0010 0x8d4800010aca058d 0x0000555555559868│+0x0018 <symbolic_variable_1> 0x0000555555559870│+0x0020 <symbolic_variable_2> 0x0000555555559878│+0x0028 <symbolic_variable_3> P1 0x0000555555559880│+0x0030 0x550021a9e13d8d48 0x0000555555559888│+0x0038 0x480021a9d9058d48 0x0000555555559890│+0x0040 0x481974e58948f839 mov rax, [0x555555559850] 0x0000555555559898│+0x0048 0x85480021a732058b … 0x00005555555598a0│+0x0050 0x2e66e0ff5d0d74c0 … 0x00005555555598a8│+0x0058 0x0000000000841f0f mov rbx, [0x555555559868] 0x00005555555598b0│+0x0060 0x2e6600401f0fc35d … 0x00005555555598b8│+0x0068 0x0000000000841f0f … P2 0x00005555555598c0│+0x0070 0x480021a9a13d8d48 <symbolic_variable_1> = 0xdeadbeef 0x00005555555598c8│+0x0078 0x48550021a99a358d To reach P2 Interleaved symbolic execution ( Phase 3: symbolic execution ) 86

  71. Approach Program A memory Program A EOP 0x0000555555559850│+0x0000 0x89485ed18949ed31 0x0000555555559858│+0x0008 0x4c5450f0e48348e2 code [...] 0x0000555555559860│+0x0010 0x8d4800010aca058d 0x0000555555559868│+0x0018 0x00000000deadbeef 0x0000555555559870│+0x0020 0xa75e15ffffffe61c 0x0000555555559878│+0x0028 0x0000441f0ff40021 P1 0x0000555555559880│+0x0030 0x550021a9e13d8d48 0x0000555555559888│+0x0038 0x480021a9d9058d48 0x0000555555559890│+0x0040 0x481974e58948f839 mov rax, [0x555555559850] 0x0000555555559898│+0x0048 0x85480021a732058b … 0x00005555555598a0│+0x0050 0x2e66e0ff5d0d74c0 … 0x00005555555598a8│+0x0058 0x0000000000841f0f mov rbx, [0x555555559868] 0x00005555555598b0│+0x0060 0x2e6600401f0fc35d … 0x00005555555598b8│+0x0068 0x0000000000841f0f … P2 0x00005555555598c0│+0x0070 0x480021a9a13d8d48 <symbolic_variable_1> = 0xdeadbeef 0x00005555555598c8│+0x0078 0x48550021a99a358d To reach P2 Interleaved symbolic execution ( Phase 4: Edit program A concrete memory ) 87

  72. Approach Program A memory Program A P2 0x0000555555559850│+0x0000 0x89485ed18949ed31 0x0000555555559858│+0x0008 0x4c5450f0e48348e2 code [...] 0x0000555555559860│+0x0010 0x8d4800010aca058d 0x0000555555559868│+0x0018 0x00000000deadbeef 0x0000555555559870│+0x0020 0xa75e15ffffffe61c 0x0000555555559878│+0x0028 0x0000441f0ff40021 P3 0x0000555555559880│+0x0030 0x550021a9e13d8d48 0x0000555555559888│+0x0038 0x480021a9d9058d48 0x0000555555559890│+0x0040 0x481974e58948f839 code [...] 0x0000555555559898│+0x0048 0x85480021a732058b 0x00005555555598a0│+0x0050 0x2e66e0ff5d0d74c0 0x00005555555598a8│+0x0058 0x0000000000841f0f 0x00005555555598b0│+0x0060 0x2e6600401f0fc35d 0x00005555555598b8│+0x0068 0x0000000000841f0f 0x00005555555598c0│+0x0070 0x480021a9a13d8d48 0x00005555555598c8│+0x0078 0x48550021a99a358d Interleaved symbolic execution ( Phase 5: Resume concrete execution ) 88

73. Symbion - Exploration Technique
● API provided to the users in order to control the concrete execution of the binary inside the concrete environment.
[Figure: the user hands Symbion (Exploration Technique) a list of breakpoints, i.e. "Where to stop!" (e.g. [0x555555559856]), and, optionally, modifications to apply to the concrete process before it resumes: register values (rax 0x00000012, rbx 0x00000001) and memory writes (addr_1 0x4141, addr_2 0xff0000).]

74. System Overview
[Figure: two halves. Symbolic execution engine (angr): Symbion (Exploration Technique), the Concrete SimPlugin and SimEngineConcrete, all talking to a ConcreteTarget. Concrete environment: the Debugging Component attached to the Binary. The requested modifications (rax 0x00000012, rbx 0x00000001, addr_1 0x4141, addr_2 0xff0000) and breakpoints ([0x555555559856]) flow from the engine, through the ConcreteTarget, to the concrete side.]

75. SimEngineConcrete
● Engine used by the Symbion Exploration Technique to step the concrete execution of the binary from the analysis environment.
● Consists of two main parts:
○ to_engine(): handles the "jump" into the concrete world.
○ from_engine(): handles the "jump" out of the concrete world, leveraging the Concrete SimPlugin.

76. SimEngineConcrete
● to_engine():
○ Leverages the ConcreteTarget object to:
■ Set breakpoints on the concrete execution instance of the program.
■ Modify the concrete memory.
■ Resume the concrete execution.
[Figure: the requested state (rax 0x00000012, rbx 0x00000001, addr_1 0x4141, addr_2 0xff0000, breakpoints [0x555555559856]) is applied through the GDBTarget, whose write_register(), write_memory() and set_breakpoint() calls become commands to the debugging components.]

77. System Overview
[Figure: the same overview as slide 74, shown again before zooming into the Concrete SimPlugin.]

78. SimConcrete Plugin
● Synchronize the concrete process with angr and return a new SimState.
○ Copy values of ALL registers.
[Figure: an empty SimState (rax, rbx, rcx) on the left; the Concrete Program State (rax 0x0000a44, rbx 0x0000001, rcx 0x0000000) on the right, reachable through the GDBTarget's read_register(), read_memory() and get_mapping().]

79. SimConcrete Plugin
● Synchronize the concrete process with angr and return a new SimState.
○ Copy values of ALL registers.
[Figure: after the copy the SimState holds rax 0x0000a44, rbx 0x0000001, rcx 0x0000000, identical to the Concrete Program State.]

80. SimConcrete Plugin
● Synchronize the concrete process with angr and return a new SimState.
○ Copy values of ALL registers.
○ Hook the new SimState memory backend to redirect reads to the concrete process.
[Figure: the SimState's CLE memory backend is wired, via the GDBTarget's read_memory(), to the Concrete Program State memory (0x0000555555559850 0x89485ed18949ed31, 0x0000555555559858 0x4c5450f0e48348e2, 0x0000555555559860 0x8d4800010aca058d, 0x0000555555559868 0x3d8d4800010a530d, 0x0000555555559870 0xa75e15ffffffe61c, 0x0000555555559878 0x0000441f0ff40021, 0x0000555555559880 0x550021a9e13d8d48), so memory is read from the process on demand instead of being copied up front.]

81. SimConcrete Plugin
● Synchronize the concrete process with angr and return a new SimState.
○ Copy values of ALL registers.
○ Hook the new SimState memory backend to redirect reads to the concrete process.
○ Update memory mapping information.
[Figure: the Concrete Program State mappings, obtained through the GDBTarget's get_mapping():
0x54000 0x64000 r-x /bin/ls
0x64000 0x84000 r-- /bin/ls
0x84000 0x94000 rw- /bin/ls
0x94000 0xf0000 rw- [heap]
0xf1000 0xffff00 rw- [stack]]

82. SimConcrete Plugin
● Synchronize the concrete process with angr and return a new SimState.
○ Copy values of ALL registers.
○ Hook the new SimState memory backend to redirect reads to the concrete process.
○ Update memory mapping information.
[Figure: after the update the SimState carries the same mapping table (0x54000-0x64000 r-x /bin/ls, 0x64000-0x84000 r-- /bin/ls, 0x84000-0x94000 rw- /bin/ls, 0x94000-0xf0000 rw- [heap], 0xf1000-0xffff00 rw- [stack]) as the Concrete Program State.]

83. to_engine()
[Figure: angr's analysis environment on one side, the concrete environment on the other. Symbion asks SimEngineConcrete to run to find=0x5555555540; through the ConcreteTarget a breakpoint (bp) is placed at that address in the Binary's process, ahead of the current EIP. The analysis-side memory stack (SimSymbolicMemory over SimPagedMemory with Page0/Page1/Page2, over CLEmory) is separate from the Process memory.]

84. from_engine()
[Figure: once the breakpoint (bp) is hit, the Concrete SimPlugin syncs EIP and the other registers from the ConcreteTarget into the analysis environment, and the analysis memory stack (SimSymbolicMemory over SimPagedMemory over CLEmory) is backed by the Process memory through the ConcreteTarget.]
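The following is an added example that is not part of the deck and not angr's code: a self-contained Python model of the round trip described by the Phase 1 to Phase 5 walkthrough (slides 64 to 72) and by the SimEngineConcrete / SimConcrete plugin slides (75 to 84). FakeConcreteTarget stands in for a ConcreteTarget such as GDBTarget and owns a constructed process; ConcreteState models the SimConcrete plugin (registers and memory map copied at sync, memory reads redirected to the process on demand, symbolic data overlaid for Phase 2); explore and solve are a toy symbolic executor and solver for Phase 3; interleave drives the five phases. All names, the instruction encoding, the addresses ENTRY/P1/P2/P3/FAIL and the memory contents are hypothetical, chosen to mirror the slides.

```python
# Added example, not angr's code: a constructed model of the Symbion round trip. The
# names FakeConcreteTarget, ConcreteState, explore, solve, interleave, ENTRY/P1/P2/P3/FAIL are hypothetical.
from dataclasses import dataclass, field

BASE = 0x555555559850                  # data region shown on the slides
SYM_ADDR = BASE + 0x18                 # the word that becomes <symbolic_variable_1>
ENTRY, P1, P2, P3, FAIL = 0x0FF0, 0x1000, 0x1010, 0x1020, 0x1030   # hypothetical code addresses

class Sym(str): pass                   # a symbolic 64-bit value, identified by its name

def exec_insn(insn, regs, load):
    """Run one constructed instruction -> [(next_pc, constraint)]; a Sym compare forks."""
    if insn[0] == "load":                              # mov dst, [addr]
        _, dst, addr, nxt = insn
        regs[dst] = load(addr)
        return [(nxt, None)]
    if insn[0] == "je_imm":                            # cmp reg, imm ; je taken
        _, reg, imm, taken, fall = insn
        v = regs[reg]
        if isinstance(v, Sym):                         # unknown value: explore both outcomes
            return [(taken, (v, "==", imm)), (fall, (v, "!=", imm))]
        return [(taken if v == imm else fall, None)]
    return []                                          # halt

@dataclass
class FakeConcreteTarget:
    """Stand-in for a ConcreteTarget such as GDBTarget: it owns the live process."""
    regs: dict
    mem: bytearray
    program: dict
    breakpoints: set = field(default_factory=set)
    reads: int = 0                                     # memory reads issued by the analysis side
    def read_register(self, name): return self.regs[name]
    def set_breakpoint(self, addr): self.breakpoints.add(addr)
    def remove_breakpoint(self, addr): self.breakpoints.discard(addr)
    def get_mappings(self): return [(BASE, BASE + len(self.mem), "rw-", "[data]")]
    def write_memory(self, addr, data): self.mem[addr - BASE:addr - BASE + len(data)] = data
    def read_memory(self, addr, size): self.reads += 1; return bytes(self.mem[addr - BASE:addr - BASE + size])
    def run(self):                                     # run from rip until a breakpoint or a halt
        peek = lambda a: int.from_bytes(self.mem[a - BASE:a - BASE + 8], "little")
        pc = self.regs["rip"]
        while pc not in self.breakpoints:
            succ = exec_insn(self.program[pc], self.regs, peek)
            if not succ: break
            pc = succ[0][0]
        self.regs["rip"] = pc

class ConcreteState:
    """Model of the SimConcrete plugin: registers and memory map are copied eagerly at
    sync(); memory reads are redirected to the process on demand unless overlaid."""
    def __init__(self, target): self.target = target; self.sync()
    def sync(self):
        self.regs = {r: self.target.read_register(r) for r in self.target.regs}
        self.mappings = self.target.get_mappings()
        self.overlay = {}                              # addr -> Sym, set up in Phase 2
    def load(self, addr):
        if addr in self.overlay: return self.overlay[addr]
        return int.from_bytes(self.target.read_memory(addr, 8), "little")
    def make_symbolic(self, addr, name): self.overlay[addr] = Sym(name); return self.overlay[addr]

def explore(state, program, find):
    """Phase 3: DFS symbolic execution from the synced state; constraints of the first path to `find`."""
    stack = [(state.regs["rip"], dict(state.regs), [])]
    while stack:                                       # demo program is acyclic, so no step budget
        pc, regs, path = stack.pop()
        if pc == find: return path
        for nxt, c in exec_insn(program.get(pc, ("halt",)), regs, state.load):
            stack.append((nxt, dict(regs), path + ([c] if c else [])))
    return None

def solve(constraints):
    """Toy solver for (sym, '=='|'!=', imm) constraints: a model dict, or None if unsat."""
    model = {}
    for sym, op, imm in constraints:
        if op == "==" and model.setdefault(sym, imm) != imm: return None
    for sym, op, imm in constraints:
        if op == "!=" and model.setdefault(sym, imm ^ 1) == imm: return None
    return model

def interleave(target, find, sym_addr, resume_to):
    """The five phases from the slides, driven from the analysis side."""
    target.set_breakpoint(P1); target.run(); target.remove_breakpoint(P1)     # Phase 1
    state = ConcreteState(target)                                            # from_engine(): sync
    sym = state.make_symbolic(sym_addr, "symbolic_variable_1")               # Phase 2
    model = solve(explore(state, target.program, find))                      # Phase 3
    target.write_memory(sym_addr, model[sym].to_bytes(8, "little"))          # Phase 4: to_engine()
    target.set_breakpoint(resume_to); target.run()                           # Phase 5
    return model[sym]

def make_target():
    """Constructed process: +0x18 is uninitialised, so a purely concrete run takes FAIL."""
    mem = bytearray(0x80); mem[0x18:0x20] = (0x3D8D4800010A530D).to_bytes(8, "little")
    program = {ENTRY:  ("load", "rcx", BASE + 0x08, P1),
               P1:     ("load", "rax", BASE, P1 + 4),            # mov rax, [0x555555559850]
               P1 + 4: ("load", "rbx", SYM_ADDR, P1 + 8),        # mov rbx, [0x555555559868]
               P1 + 8: ("je_imm", "rbx", 0xDEADBEEF, P2, FAIL),  # the check guarding P2
               P2:     ("load", "rdx", BASE + 0x10, P3),
               P3:     ("halt",), FAIL: ("halt",)}
    return FakeConcreteTarget({"rip": ENTRY, "rax": 0, "rbx": 0, "rcx": 0, "rdx": 0}, mem, program)
```

Running `interleave(make_target(), find=P2, sym_addr=SYM_ADDR, resume_to=P3)` returns 0xdeadbeef, leaves the process stopped at P3 with rbx = 0xdeadbeef, and issues exactly one read_memory() call against the process even though the data region is sixteen words: only the word at +0x00 that the explored code actually touched was fetched, which is the point of hooking the memory backend instead of copying memory at sync time. A run of the same target with no interleaving stops at FAIL. In angr itself the equivalent driver is a Project created with a concrete_target and a simulation manager using angr.exploration_techniques.Symbion with its find, memory_concretize and register_concretize arguments; that API is stated here from memory and should be checked against the angr version in use.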
