Intermission

Binary parsing (The Deconstruction of Dyninst, slide 2)

[Figure: a fragment of a parsed binary with the functions main, foo and _lock_foo]

Consumers of a binary parser: dynamic instrumentation, debugger, static binary analysis tools, malware analysis, binary editor/rewriter, …

Familiar territory (slide 3)

Prior work on parsing and analyzing binary code:
- Benjamin Schwarz, Saumya Debray, and Gregory R. Andrews. Disassembly of executable code revisited
- Cristina Cifuentes and K. John Gough. Decompilation of binary programs
- Richard L. Sites, Anton Chernoff, Matthew B. Kirk, Maurice P. Marks, and Scott G. Robinson. Binary translation
- Henrik Theiling. Extracting safe and precise control flow from binaries
- Ramkumar Chinchani and Eric van den Berg. A fast static analysis approach to detect exploit code inside network flows
- J. Troger and C. Cifuentes. Analysis of virtual method invocation for binary translation
- Laune C. Harris and Barton P. Miller. Practical analysis of stripped binary code
- Christopher Kruegel, William Robertson, Fredrik Valeur, and Giovanni Vigna. Static disassembly of obfuscated binaries
- Nathan Rosenblum, Xiaojin Zhu, Barton P. Miller, and Karen Hunt. Learning to analyze binary computer code
- Amitabh Srivastava and Alan Eustace. ATOM: a system for building customized program analysis tools
- Barton Miller, Jeffrey Hollingsworth, and Mark Callaghan. Dynamic Program Instrumentation for Scalable Performance Tools

We’ve been down this road… (slide 4)

[Figure: timeline of the Dyninst binary parser]
- recursive traversal parsing: non-contiguous functions, code sharing, non-returning functions
- "gap" parsing heuristics: preamble scanning, handles stripped binaries
- probabilistic code models: learn to recognize function entry points, very accurate gap parsing

What makes a parsing component? (slide 5)

1. Binary code source abstraction
2. Parsing API: a simple, intuitive representation built from functions, blocks and edges
3. Platform independence, supported by previous Dyninst components (InstructionAPI, SymtabAPI)

Flexible code sources (slide 6)

The parser reads a binary code object through a code source. Code source requirements:
- code location: which addresses hold code and which hold data
- access to code bytes (an unsigned char * buffer)
- function hints & names (e.g. main, foo, bar, baz)
- a few (optional) facts: pointer width, external linkage (PLT)

Code source contract (slide 7)

Nine mandatory methods:
- bool isValidAddress
- bool isExecutableAddress
- void *getPtrToInstruction
- void *getPtrToData
- unsigned getAddressWidth
- bool isCode
- bool isData
- Address codeOffset
- Address codeLength

The SymtabAPI implementation takes 232 lines (including the optional hints and function names). Any binary code object that can be memory mapped can be parsed.
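The contract above, written out as an added example in C++ (this is not Dyninst's own code, and the CodeSource interface here follows the slide's list rather than the shipped ParseAPI header). BufferCodeSource, makeSampleSource, opcodeAt and the sample bytes are assumptions made for the example. The part a practitioner should look at is the bounds checking: the parser follows addresses it reads out of the binary (branch targets, jump tables), so the code source is where an out-of-range address from a malformed or hostile input has to be refused.

```cpp
// Added example, not Dyninst's own code: the slide's nine-method contract
// as an abstract interface, plus a code source over an in-memory buffer
// that satisfies it. CodeSource here illustrates the contract and is not
// the real ParseAPI header; BufferCodeSource, makeSampleSource, opcodeAt
// and the sample bytes are assumptions.
#include <cstddef>
#include <cstdint>
#include <vector>

typedef uint64_t Address;

// The nine mandatory methods from the slide.
class CodeSource {
public:
    virtual ~CodeSource() {}
    virtual bool isValidAddress(Address a) const = 0;
    virtual bool isExecutableAddress(Address a) const = 0;
    virtual void *getPtrToInstruction(Address a) const = 0;
    virtual void *getPtrToData(Address a) const = 0;
    virtual unsigned getAddressWidth() const = 0;
    virtual bool isCode(Address a) const = 0;
    virtual bool isData(Address a) const = 0;
    virtual Address codeOffset() const = 0;
    virtual Address codeLength() const = 0;
};

// One mapped region: [base, base+size) is valid, [codeBase, codeBase+codeLen)
// inside it is executable, everything else in the mapping is data. Every
// pointer request is bounds-checked: an address outside the region comes
// back as nullptr, never as a pointer past the end of the mapping.
class BufferCodeSource : public CodeSource {
public:
    BufferCodeSource(const unsigned char *bytes, size_t n, Address base,
                     Address codeBase, Address codeLen, unsigned width)
        : buf_(bytes, bytes + n), base_(base), codeBase_(codeBase),
          codeLen_(codeLen), width_(width) {}

    bool isValidAddress(Address a) const override {
        return a >= base_ && a - base_ < buf_.size();
    }
    bool isCode(Address a) const override {
        return isValidAddress(a) && a >= codeBase_ && a - codeBase_ < codeLen_;
    }
    bool isExecutableAddress(Address a) const override { return isCode(a); }
    bool isData(Address a) const override { return isValidAddress(a) && !isCode(a); }
    void *getPtrToInstruction(Address a) const override {
        return isCode(a) ? const_cast<unsigned char *>(&buf_[a - base_]) : nullptr;
    }
    void *getPtrToData(Address a) const override {
        return isValidAddress(a) ? const_cast<unsigned char *>(&buf_[a - base_]) : nullptr;
    }
    unsigned getAddressWidth() const override { return width_; }
    Address codeOffset() const override { return codeBase_; }
    Address codeLength() const override { return codeLen_; }

private:
    std::vector<unsigned char> buf_;
    Address base_, codeBase_, codeLen_;
    unsigned width_;
};

// Constructed sample image: 16 bytes mapped at 0x1000. The first 8 are code
// (x86-64 push rbp; mov rbp,rsp; ret; then nop padding), the last 8 are data.
static const unsigned char kImage[16] = {
    0x55, 0x48, 0x89, 0xe5, 0xc3, 0x90, 0x90, 0x90,
    'f',  'o',  'o',  0x00, 0xde, 0xad, 0xbe, 0xef };

BufferCodeSource makeSampleSource() {
    return BufferCodeSource(kImage, sizeof kImage, 0x1000, 0x1000, 8, 8);
}

// Fetch the opcode byte at an address through the contract; -1 means the
// source refused because the address is not inside the code region.
int opcodeAt(const CodeSource &cs, Address a) {
    const unsigned char *p = static_cast<const unsigned char *>(cs.getPtrToInstruction(a));
    return p ? *p : -1;
}
```

With the sample image, opcodeAt(0x1000) yields 0x55 and opcodeAt(0x1004) yields 0xc3, while 0x1008 (data) and 0x1010 (past the mapping) are refused; getPtrToData still serves 0x1008 but not 0x1010.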

Simple control flow interface (slide 8)

Object    | Attributes                                  | Relation
Functions | start addr., extents                        | contain blocks
Blocks    | start addr., end addr., in edges, out edges | joined by edges
Edges     | src, targ, type                             |

Views of control flow (slide 9)

Walking a control flow graph (the figure marks the starting block; work is a worklist of blocks seeded with it):

```cpp
while (!work.empty()) {
    Block *b = work.pop();
    /* do something with b */
    edgeiter eit = b->out().begin();
    while (eit != b->out().end()) {
        work.push(*eit++);
    }
}
```

What if we only want intraprocedural edges?

Edge predicates (slide 10)

Walking a control flow graph with an edge predicate:

```cpp
while (!work.empty()) {
    Block *b = work.pop();
    /* do something with b */
    IntraProc pred;
    edgeiter eit = b->out().begin(&pred);
    while (eit != b->out().end()) {
        work.push(*eit++);
    }
}
```

Edge predicates tell the iterator whether an Edge argument should be returned. They are composable (and, or). Examples:
- intraprocedural
- single function context
- direct branches only
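The two walks above (slides 9 and 10), put together as one added example that is not code from the slides or from ParseAPI: a toy CFG in the function/block/edge shape of slide 8, an edge-predicate interface with the And/Or composition the slide mentions, and the worklist walk restricted to the edges a predicate accepts. Function, Block, Edge, EdgePredicate, IntraProc, DirectOnly, Calls, And, Or and the sample graph are assumptions of the example. It also shows why a tool cares: with an intraprocedural predicate the walk never leaves main, with "intraprocedural and direct" it stops at the jump-table edge, and with "intraprocedural or call" it descends into foo but does not follow foo's return edge back.

```cpp
// Added example, not code from the slides or from ParseAPI. Function, Block,
// Edge, EdgePredicate, IntraProc, DirectOnly, Calls, And, Or and the sample
// graph are assumptions of this example.
#include <cstdint>
#include <set>
#include <stack>
#include <vector>

typedef uint64_t Address;
enum EdgeType { DIRECT, INDIRECT, CALL, RET };

struct Function;
struct Block;
struct Edge { Block *src; Block *targ; EdgeType type; };
struct Block {
    Address start, end;        // start addr., end addr.
    Function *func;            // containing function
    std::vector<Edge *> outs;  // out edges
};
struct Function { const char *name; Block *entry; };

// Tells the iterator whether an Edge argument should be returned.
struct EdgePredicate {
    virtual ~EdgePredicate() {}
    virtual bool operator()(const Edge *e) const = 0;
};
// Intraprocedural: source and target blocks belong to the same function.
struct IntraProc : EdgePredicate {
    bool operator()(const Edge *e) const override { return e->src->func == e->targ->func; }
};
// Direct branches only: skip edges whose target came from a jump-table or
// pointer heuristic rather than from the instruction itself.
struct DirectOnly : EdgePredicate {
    bool operator()(const Edge *e) const override { return e->type != INDIRECT; }
};
// Call edges only: descend into callees without following their returns.
struct Calls : EdgePredicate {
    bool operator()(const Edge *e) const override { return e->type == CALL; }
};
// Composition (and, or). Operands are held by reference, so build the
// composite and use it in the same expression, as the walks below do.
struct And : EdgePredicate {
    const EdgePredicate &a, &b;
    And(const EdgePredicate &x, const EdgePredicate &y) : a(x), b(y) {}
    bool operator()(const Edge *e) const override { return a(e) && b(e); }
};
struct Or : EdgePredicate {
    const EdgePredicate &a, &b;
    Or(const EdgePredicate &x, const EdgePredicate &y) : a(x), b(y) {}
    bool operator()(const Edge *e) const override { return a(e) || b(e); }
};

// The slide's worklist walk, following only edges pred accepts. Returns the
// start addresses of the blocks reached; the visited set stops loops.
std::set<Address> walk(Block *start, const EdgePredicate &pred) {
    std::set<Address> seen;
    std::stack<Block *> work;
    work.push(start);
    while (!work.empty()) {
        Block *b = work.top();
        work.pop();
        if (!seen.insert(b->start).second) continue;
        for (Edge *e : b->outs)
            if (pred(e)) work.push(e->targ);
    }
    return seen;
}

// Constructed sample graph. main: M0 -> M1 (direct), M0 -> foo (call),
// M1 -> M2 (indirect, jump table), M2 -> M0 (direct loop). foo: F0, whose
// return edge leads back into main's M1.
struct SampleGraph {
    Function fnMain, fnFoo;
    Block M0, M1, M2, F0;
    Edge e[5];
    SampleGraph() {
        Block *blocks[4] = { &M0, &M1, &M2, &F0 };
        Address starts[4] = { 0x1000, 0x1010, 0x1020, 0x2000 };
        for (int i = 0; i < 4; ++i) {
            blocks[i]->start = starts[i];
            blocks[i]->end = starts[i] + 0x10;
            blocks[i]->func = (i < 3) ? &fnMain : &fnFoo;
        }
        fnMain.name = "main"; fnMain.entry = &M0;
        fnFoo.name = "foo";   fnFoo.entry = &F0;
        Edge init[5] = { {&M0, &M1, DIRECT}, {&M0, &F0, CALL}, {&M1, &M2, INDIRECT},
                         {&M2, &M0, DIRECT}, {&F0, &M1, RET} };
        for (int i = 0; i < 5; ++i) {
            e[i] = init[i];
            e[i].src->outs.push_back(&e[i]);
        }
    }
};
SampleGraph &sampleGraph() { static SampleGraph g; return g; }

// Three views of the same graph from main's entry block.
std::set<Address> reachIntra()       { return walk(&sampleGraph().M0, IntraProc()); }
std::set<Address> reachIntraDirect() { return walk(&sampleGraph().M0, And(IntraProc(), DirectOnly())); }
std::set<Address> reachWithCalls()   { return walk(&sampleGraph().M0, Or(IntraProc(), Calls())); }
```

reachIntra() visits the three blocks of main, reachIntraDirect() only M0 and M1, and reachWithCalls() all four blocks while still ignoring foo's return edge.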

Extensible CFG objects (slide 11)

ParseAPI Function: simple, only needs to represent the control flow graph.
Dyninst image_func (derived from ParseAPI Function): complex, handles instrumentation, liveness, relocation, etc.

Special callback points during parsing: as the parser runs it calls, for example, unresBranchNotify(insn); the derived class does stuff, and parsing continues.

Factory interface for CFG objects: the parser asks a custom factory for mkfunc(), which returns a Function* that is really an image_func.
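The extension pattern above as an added example (not Dyninst's own code): a base Function that only records control flow, a tool's derived class that overrides the unresBranchNotify callback to keep tool state, and a factory so that every Function the parser creates is the derived type. Function, ToolFunction, CFGFactory, ToolFactory, ToyParser, the Insn encoding and the sample program are assumptions of the example; the toy parser stands in for the real recursive-descent parser only to show where the callback and the factory are invoked.

```cpp
// Added example, not Dyninst's own code. Function, ToolFunction, CFGFactory,
// ToolFactory, ToyParser, the Insn encoding and the sample program are
// assumptions of this example.
#include <cstdint>
#include <map>
#include <set>
#include <vector>

typedef uint64_t Address;

// Constructed instruction encoding: the toy parser only distinguishes
// straight-line code, unconditional direct branches with a known target,
// indirect branches (target unknown at parse time) and returns.
enum InsnKind { FALLTHROUGH, DIRECT_BRANCH, INDIRECT_BRANCH, RETURN };
struct Insn { Address addr; InsnKind kind; Address target; };

// Simple: only needs to represent the control flow graph.
class Function {
public:
    explicit Function(Address entry) : entry_(entry) {}
    virtual ~Function() {}
    Address entry() const { return entry_; }
    const std::vector<Address> &blocks() const { return blocks_; }
    void addBlock(Address a) { blocks_.push_back(a); }
    // Callback point: the parser hit a branch it could not resolve. The base
    // class ignores it; a derived class does stuff.
    virtual void unresBranchNotify(const Insn &) {}
private:
    Address entry_;
    std::vector<Address> blocks_;
};

// Factory interface for CFG objects: the parser never names a concrete type.
class CFGFactory {
public:
    virtual ~CFGFactory() {}
    virtual Function *mkfunc(Address entry) { return new Function(entry); }
};

// Complex: the tool's derived function carries tool state. Here it keeps the
// indirect branches left unresolved, which a rewriter must not relocate
// blindly and an analyst looking for hidden control flow will revisit.
class ToolFunction : public Function {
public:
    explicit ToolFunction(Address entry) : Function(entry) {}
    void unresBranchNotify(const Insn &i) override { unresolved_.push_back(i.addr); }
    const std::vector<Address> &unresolved() const { return unresolved_; }
private:
    std::vector<Address> unresolved_;
};
class ToolFactory : public CFGFactory {
public:
    Function *mkfunc(Address entry) override { return new ToolFunction(entry); }
};

// Toy recursive-descent parser: a block runs from its start address to the
// next branch or return; a direct branch target starts a new block; an
// indirect branch is reported through the callback and that path ends.
class ToyParser {
public:
    ToyParser(const std::vector<Insn> &code, CFGFactory &f) : factory_(f) {
        for (const Insn &i : code) code_[i.addr] = i;
    }
    Function *parse(Address entry) {
        Function *fn = factory_.mkfunc(entry);   // concrete type chosen by the factory
        std::vector<Address> work(1, entry);
        std::set<Address> seen;
        while (!work.empty()) {
            Address a = work.back();
            work.pop_back();
            if (!seen.insert(a).second) continue;
            fn->addBlock(a);
            std::map<Address, Insn>::const_iterator it = code_.find(a);
            while (it != code_.end() && it->second.kind == FALLTHROUGH) ++it;
            if (it == code_.end()) continue;       // ran off the end of the code
            if (it->second.kind == DIRECT_BRANCH) work.push_back(it->second.target);
            else if (it->second.kind == INDIRECT_BRANCH) fn->unresBranchNotify(it->second);
            // RETURN: nothing to follow
        }
        return fn;
    }
private:
    CFGFactory &factory_;
    std::map<Address, Insn> code_;
};

// Constructed sample program: 0x1000 falls through to a jump to 0x1010,
// which falls through to an indirect jump at 0x1011 (say, a jump table);
// 0x1012..0x1013 are only reachable through that table.
ToolFunction *parseSample() {
    Insn prog[] = { {0x1000, FALLTHROUGH, 0}, {0x1001, DIRECT_BRANCH, 0x1010},
                    {0x1010, FALLTHROUGH, 0}, {0x1011, INDIRECT_BRANCH, 0},
                    {0x1012, FALLTHROUGH, 0}, {0x1013, RETURN, 0} };
    std::vector<Insn> code(prog, prog + sizeof prog / sizeof prog[0]);
    ToolFactory factory;
    ToyParser parser(code, factory);
    return dynamic_cast<ToolFunction *>(parser.parse(0x1000));
}
```

parseSample() returns a ToolFunction with two blocks (0x1000 and 0x1010) and one unresolved branch at 0x1011; the parser itself only ever handled a Function*, which is the point of the factory.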

What’s in the box? (slide 12)

(box to be released soon)

Binary Parser:
- recursive descent parsing
- speculative gap parsing
- cross platform: x86, x86-64, PPC, IA64, SPARC

Control Flow Graph Representation:
- graph interface
- extensible objects for easy tool integration
- exports Dyninst InstructionAPI interface

SymtabAPI-based Code Source:
- cross-platform
- supports ELF, PE, XCOFF formats

Status (slide 13)

conception → code refactoring → interface design → Dyninst re-integration (major test case)

Other major test case: compiler provenance (come tomorrow!)