Binary Context-Sensitive Recognizer (BCSR) Hong Pham December 4, 2007.

Slides:



Advertisements
Similar presentations
Practical Malware Analysis
Advertisements

Machine/Assembler Language Putting It All Together Noah Mendelsohn Tufts University Web:
Assembly Language for x86 Processors 6th Edition Chapter 5: Procedures (c) Pearson Education, All rights reserved. You may modify and copy this slide.
Smita Thaker 1 Polymorphic & Metamorphic Viruses Presented By : Smita Thaker Dated : Nov 18, 2003.
COMP 2003: Assembly Language and Digital Logic
Compiler construction in4020 – lecture 10 Koen Langendoen Delft University of Technology The Netherlands.
Computer Architecture and Operating Systems CS 3230 :Assembly Section Lecture 2 Department of Computer Science and Software Engineering University of Wisconsin-Platteville.
Dec 5, 2007University of Virginia1 Efficient Dynamic Tainting using Multiple Cores Yan Huang University of Virginia Dec
C Programming and Assembly Language Janakiraman V – NITK Surathkal 2 nd August 2014.
Introduction to X86 assembly by Istvan Haller
Memory Image of Running Programs Executable file on disk, running program in memory, activation record, C-style and Pascal-style parameter passing.
Accessing parameters from the stack and calling functions.
Chapter 4 Basic Instructions. 4.1 Copying Data mov Instructions mov (“move”) instructions are really copy instructions, like simple assignment statements.
Practical Session 8 Computer Architecture and Assembly Language.
Branch Regulation: Low-Overhead Protection from Code Reuse Attacks Mehmet Kayaalp, Meltem Ozsoy, Nael Abu-Ghazaleh and Dmitry Ponomarev Department of Computer.
CEG 320/520: Computer Organization and Assembly Language ProgrammingIntel Assembly 1 Intel IA-32 vs Motorola
Machine-Level Programming 3 Control Flow Topics Control Flow Switch Statements Jump Tables.
Apache Exploits
Computer Architecture and Operating Systems CS 3230 :Assembly Section Lecture 7 Department of Computer Science and Software Engineering University of Wisconsin-Platteville.
Chapter 8 Intermediate Code Zhang Jing, Wang HaiLing College of Computer Science & Technology Harbin Engineering University.
Code Generation Gülfem Savrun Yeniçeri CS 142 (b) 02/26/2013.
Introduction: Exploiting Linux. Basic Concepts Vulnerability A flaw in a system that allows an attacker to do something the designer did not intend,
Practical Session 4. Labels Definition - advanced label: (pseudo) instruction operands ; comment valid characters in labels are: letters, numbers, _,
CMPE 511 Computer Architecture A Faster Optimal Register Allocator Betül Demiröz.
Today’s topics Procedures Procedures Passing values to/from procedures Passing values to/from procedures Saving registers Saving registers Documenting.
Machine-Level Programming 3 Control Flow Topics Control Flow Switch Statements Jump Tables.
ELF binary # readelf -a foo.out ELF Header:
CNIT 127: Exploit Development Ch 1: Before you begin.
CS412/413 Introduction to Compilers and Translators April 14, 1999 Lecture 29: Linking and loading.
Assembly Language. Symbol Table Variables.DATA var DW 0 sum DD 0 array TIMES 10 DW 0 message DB ’ Welcome ’,0 char1 DB ? Symbol Table Name Offset var.
Introduction to Assembly II Abed Asi Extended System Programming Laboratory (ESPL) CS BGU Fall 2013/2014.
LOW vs. HIGH Level Languages
Stack Usage with MS Visual Studio Without Stack Protection.
Compiler Construction Code Generation Activation Records
Superoptimization Venkatesh Karthik Srinivasan Guest Lecture in CS 701, Nov. 10, 2015.
October 1, 2003Serguei A. Mokhov, 1 SOEN228, Winter 2003 Revision 1.2 Date: October 25, 2003.
ECE 447 Fall 2009 Lecture 4: TI MSP430 Architecture and Instruction Set.
Data Types Always data types will decide which type of information we are storing into variables In C programming language we are having 3 types of basic.
Computer Organization & Assembly Language University of Sargodha, Lahore Campus Prepared by Ali Saeed.
Course 150 Basic Computing Environment. Objective of course Familiar with Linux environment Objective of lecture: To understand basic terms like software,
Inline Assembly 井民全. Accessing C or C++ Data in __asm Blocks An __asm block can refer to any symbols Including variable name Ex: __asm mov eax, var Store.
Assembly Programming Practical2. Initialising Variables (Recap) Initialising variables are done in the.data section Initialising variables are done in.
Practical Session 8. Position Independent Code- self sufficiency of combining program Position Independent Code (PIC) program has everything it needs.
Number Systems and Representations Binary Representation Binary Representation Signed numbers Signed numbers Very small and very big numbers Very small.
Paradyn Project Paradyn / Dyninst Week Madison, Wisconsin April 12-14, 2010 Paradyn Project Safe and Efficient Instrumentation Andrew Bernat.
CC410: System Programming Dr. Manal Helal – Fall 2014 – Lecture 4 - Assembler 1.
ICS51 Introductory Computer Organization Accessing parameters from the stack and calling functions.
7-Nov Fall 2001: copyright ©T. Pearce, D. Hutchinson, L. Marshall Oct lecture23-24-hll-interrupts 1 High Level Language vs. Assembly.
Assembly function call convention
Credits and Disclaimers
C function call conventions and the stack
CS-401 Computer Architecture & Assembly Language Programming
Computer Architecture and Assembly Language
Exploiting & Defense Day 2 Recap
Arithmetic Instructions
Computer Architecture and Assembly Language
BIC 10503: COMPUTER ARCHITECTURE
Chap. 6 Programming the Basic Computer
Bits and Bytes Topics Representing information as bits
Multi-modules programming
Lecture 2 SCOPE – Local and Global variables
Miscellaneous Topics.
Comp Org & Assembly Lang
X86 Assembly Review.
Credits and Disclaimers
Computer Architecture and System Programming Laboratory
Computer Architecture and Assembly Language
Computer Architecture and System Programming Laboratory
Computer Architecture and System Programming Laboratory
Computer Architecture and System Programming Laboratory
Presentation transcript:

Binary Context-Sensitive Recognizer (BCSR) Hong Pham December 4, 2007

Motivation Virus Signatures  Database of hexadecimals  Definitive registers Alter the registers and it is another signature

Register Manipulation Different registers give different signatures

BCSR Program generator to recognize context- sensitive binary signatures General representation of signatures, not dependent on registers The signatures are specified by the user in the source specification

Source Specification A signature  Binary signature  actions Variable construct  [name, size, values]  Global / Local Ambiguous source rules {definitions} % {rules} % {user subroutines}

Example 89 c3:mov%eax, %ebx FF c3:inc%ebx 75 f2:jne

Example 89 c3:mov%eax, %ebx FF c3:inc%ebx 75 f2:jne mov %eax, $1 inc$1 jne$2

Example 89 c3:mov%eax, %ebx FF c3:inc%ebx 75 f2:jne mov %eax, $1 inc$1 jne$2 % [a, 3, *] [a] [b, 8, *] {}

BCSR Process int bcsr_scan( char* addr, int num_bits )

Strata Software dynamic translator Fragment creation  Conditional or indirect control transfer  trampoline

Experiments Protocol  Scanning Strata fragments  Spec Int Benchmarks  Red Hat Linux  X86_64 Statistics  Overhead

Results ???

Issue 1 Specs are too general !!!

Issue 1 Specs are too general !!! Signature pop%eax push %ecx add%eax, %ebx add %ecx, %eax push %ecx

Issue 1 Specs are too general !!! Signature pop%eax push %ecx add%eax, %ebx add %ecx, %eax push %ecx pop$1 push $2 add$1, %ebx add $2, $1 push$2

Issue 1 Specs are too general !!! Signature pop%eax push %ecx add%eax, %ebx add %ecx, %eax push %ecx pop$1 push $2 add$1, %ebx add $2, $1 push$2 pop%eax push %eax add%eax, %ebx add %eax, %eax push %eax

Issue 1 Specs are too general !!! Signature pop%eax push %ecx add%eax, %ebx add %ecx, %eax push %ecx False positives pop$1 push $2 add$1, %ebx add $2, $1 push$2 pop%eax push %eax add%eax, %ebx add %eax, %eax push %eax

Issue 2 Multiple fragments

Issue 2 Multiple fragments Signatures contains the following:  Conditional or indirect control transfers

Issue 2 Multiple fragments Signatures contains the following:  Conditional or indirect control transfers False negatives

Future Work Address Issue 1 and 2 Extend the language  Star, functionality, … Symbolic code  Write in assembly rather than binary

Questions??

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.