The Postmodern Binary Analysis
54
THE POSTMODERN BINARY ANALYSIS Onur ALANBEL
-
Upload
onur-alanbel -
Category
Internet
-
view
381 -
download
6
Transcript of The Postmodern Binary Analysis
THE POSTMODERN BINARY ANALYSISOnur ALANBEL
$ id -un
➤ Computer Engineer (IZTECH)
➤ Developer @TaintAll (taintall.com)
➤ AppSec Researcher
➤ Blog: onuralanbel.pro
➤ @onuralanbel
➤ https://packetstormsecurity.com/search/?q=onur+alanbel
AGENDA
➤ Dynamic Binary Instrumentation
➤ Taint Analysis
➤ Constraint Solving With Z3
➤ Symbolic/Concolic Execution
DYNAMIC BINARY INSTRUMENTATION
➤ Inject instrumentation code into a running binary.
DYNAMIC BINARY INSTRUMENTATION
➤ Inject instrumentation code into a running binary.
➤ Instrumentation code executes as normal instructions.
DYNAMIC BINARY INSTRUMENTATION
➤ Inject instrumentation code into a running binary.
➤ Instrumentation code executes as normal instructions.
➤ Instrumentation is transparent to the application.
DBI FRAMEWORKS
➤ Intel PIN Framework
➤ Win, Lin, OS X
➤ No IL
DBI FRAMEWORKS
➤ Intel PIN Framework
➤ Win, Lin, OS X
➤ No IL
➤ Valgrind
➤ Lin, OS X
➤ IL
DBI FRAMEWORKS
➤ Intel PIN Framework
➤ Win, Lin, OS X
➤ No IL
➤ Valgrind
➤ Lin, OS X
➤ IL
➤ DynamoRIO
➤ Win, Lin, Android
➤ No IL
DBI FRAMEWORKS
➤ Intel PIN Framework
➤ Win, Lin, OS X
➤ No IL
➤ Valgrind
➤ Lin, OS X
➤ IL
➤ DynamoRIO
➤ Win, Lin, Android
➤ No IL
➤ May be others like
➤ PEMU
➤ …
INSTRUCTION COUNTING
SIMPLE SIDE CHANNEL ATTACK
CAN WE DO BETTER?
➤ Use snapshots instead of Re-run
CAN WE DO BETTER?
➤ Use snapshots instead of Re-run
➤ Use multi-threading
CAN WE DO BETTER?
➤ Use snapshots instead of Re-run
➤ Use multi-threading
➤ What about doing something smarter?
TAINT ANALYSIS
➤ Which parts of the code can be controlled or affected by tainted data (usually user input)
TAINT ANALYSIS
➤ Which parts of the code can be controlled or affected by tainted data (usually user input)
TAINT ANALYSIS
taint RAX
TAINT ANALYSIS
taint RAX
mov RCX, RAX
TAINT ANALYSIS
taint RAX
mov RCX, RAX
push RCX
TAINT ANALYSIS
taint RAX
mov RCX, RAX
push RCX
…….
mov RCX, ptr [0x1234]
TAINT ANALYSIS
taint RAX
mov RCX, RAX
push RCX
…….
mov RCX, ptr [0x1234]
pop RBX
TAINT ANALYSIS
taint RAX
mov RCX, RAX
push RCX
…….
mov RCX, ptr [0x1234]
pop RBX
stop tainting
TAINT ANALYSIS
taint RAX
mov RCX, RAX
push RCX
…….
mov RCX, ptr [0x1234]
pop RBX
stop tainting
Which are the tainted regs?
TAINT ANALYSIS
taint RAX
mov RCX, RAX
push RCX
…….
mov RCX, ptr [0x1234]
pop RBX
stop tainting
Which are the tainted regs?
Which are the tainted mems?
TAINT ANALYSIS
taint RAX
mov RCX, RAX
push RCX
…….
mov RCX, ptr [0x1234]
pop RBX
stop tainting
Which are the tainted regs?
Which are the tainted mems?
RAX, RBX and 8 addresses from the stack
TAINT ANALYSIS
taint RAX
mov AL, 0x1
TAINT ANALYSIS
taint RAX
mov AL, 0x1
mov ECX, EAX
TAINT ANALYSIS
taint RAX
mov AL, 0x1
mov ECX, EAX
cmp ECX, EBX
TAINT ANALYSIS
taint RAX
mov AL, 0x1
mov ECX, EAX
cmp ECX, EBX
jz 0x4321
TAINT ANALYSIS
taint RAX
mov AL, 0x1
mov ECX, EAX
cmp ECX, EBX
jz 0x4321
Can we control this branch?
TAINT ANALYSIS
taint RAX
mov AL, 0x1
mov ECX, EAX
cmp CL, BL
jz 0x4321
What about this one?
TAINT ANALYSIS
taint RAX
mov AL, 0x1
mov ECX, EAX
cmp CL, BL
jz 0x4321
What about this one?
taint RCX
xor RCX, RDX
TAINT ANALYSIS
taint RAX
mov AL, 0x1
mov ECX, EAX
cmp CL, BL
jz 0x4321
What about this one?
taint RCX
xor RCX, RDX
add RAX, RCX
TAINT ANALYSIS
taint RAX
mov AL, 0x1
mov ECX, EAX
cmp CL, BL
jz 0x4321
What about this one?
taint RCX
xor RCX, RDX
add RAX, RCX
Should RAX be tainted?
TAINT ANALYSIS
taint RAX
mov AL, 0x1
mov ECX, EAX
cmp CL, BL
jz 0x4321
What about this one?
taint RCX
xor RCX, RCX
mov RAX, RCX
Now, should be ?
TAINT ANALYSIS
➤ With the help of PIN’s Inspection API (TaintAll)
TAINT ANALYSIS
➤ With the help of PIN’s Inspection API (TaintAll)
➤ With the help of Symbolic Execution (Triton Framework)
TAINT ANALYSIS
➤ With the help of PIN’s Inspection API (TaintAll)
➤ With the help of Symbolic Execution (Triton Framework)
➤ Using an Intermediate Language (TaintGrind)
TAINT ANALYSIS WITH TRITON
Triton/src/examples/pin/runtime_memory_tainting.py
with a little modification
TAINT ANALYSIS WITH TRITON
Triton/src/examples/pin/runtime_memory_tainting.py
with a little modification
A LITTLE BIT OF Z3
➤ “Z3 is a state-of-the art theorem prover from Microsoft Research”
A LITTLE BIT OF Z3
➤ “Z3 is a state-of-the art theorem prover from Microsoft Research”
➤ Input format is an extension of SMT-LIB 2.0 standard
A LITTLE BIT OF Z3
➤ “Z3 is a state-of-the art theorem prover from Microsoft Research”
➤ Input format is an extension of SMT-LIB 2.0 standard
A LITTLE BIT OF Z3
➤ “Z3 is a state-of-the art theorem prover from Microsoft Research”
➤ Input format is an extension of SMT-LIB 2.0 standard
➤ Or use Z3Py
For a real world example
Search: “Reversing the petya ransomware with constraint solvers”
SYMBOLIC EXECUTION
➤ x = input()y = x * 5 if x < 20: print “ok” else: print “nope”
SYMBOLIC EXECUTION
➤ x = input()y = x * 5 if x < 20: print “ok” else: print “nope”
y=sym_x*5
sym_x
x < 20
ok nope
CONCRETE EXECUTION
➤ x = input()y = x * 5 if x < 20: print “ok” else: print “nope”
y=sym_x*5
sym_x
x < 20
ok nope
CONCOLIC EXECUTION
➤ x = input()y = x * 5 if x < 20: print “ok” else: print “nope”
y=sym_x*5
sym_x
x < 20
ok nope
OPEN SOURCE DBA FRAMEWORKS/TOOLS
➤ Triton
➤ Angr
➤ BitBlaze TEMU
➤ Valgrind Tools
➤ PIN Tools
REFERENCES
➤ http://uninformed.org/index.cgi?v=7&a=1&p=3
➤ https://software.intel.com/sites/landingpage/pintool/docs/76991/Pin/html/
➤ http://smtlib.cs.uiowa.edu/solvers.shtml
