Presentation is loading. Please wait.

Presentation is loading. Please wait.

Analyzing Memory Accesses in x86 Executables Gogul Balakrishnan Thomas Reps University of Wisconsin.

Published byPhoebe Jefferson Modified over 9 years ago

Similar presentations

Presentation on theme: "Analyzing Memory Accesses in x86 Executables Gogul Balakrishnan Thomas Reps University of Wisconsin."— Presentation transcript:

1 Analyzing Memory Accesses in x86 Executables Gogul Balakrishnan Thomas Reps University of Wisconsin

2 Motivation Basic infrastructure for language-based security –buffer-overrun detection –information-flow vulnerabilities –... What if we do not have source code? –viruses, worms, mobile code, etc. –legacy code (w/o source) Limitations of existing tools –overly conservative treatment of memory accesses  Many false positives –non-conservative treatment of memory accesses  Many false negatives No VSA Crude VSA VSA

3 Goal (1) Create an intermediate representation (IR) that is similar to the IR used in a compiler –CFGs –call graph –used, killed, may-killed variables for CFG nodes –points-to sets Why? –a tool for a security analyst –a general infrastructure for binary analysis

4 Goal (2) Scope: programs that conform to a “standard compilation model” –data layout determined by compiler –some variables held in registers –global variables  absolute addresses –local variables  offsets in esp -based stack frame Report violations –violations of stack protocol –return address modified within procedure

5 CodeSurfer IDA Pro Client Applications Connector Codesurfer/x86 Architecture Binary Value-set Analysis Build SDG Browse Build CFGs Parse Binary CFGs call graph used, killed, may-killed variables for CFG nodes points-to sets

6 CodeSurfer IDA Pro Client Applications Connector Codesurfer/x86 Architecture Binary Value-set Analysis Build SDG Browse Build CFGs Parse Binary Initial estimate of code vs. data procedures and call sites malloc sites Whole-program analysis stubs are ok

7 Outline Example Challenges Value-set analysis Performance [Future work]

8 Running Example int arrVal=0, *pArray2; int main() { int i, a[10], *p; /* Initialize pointers */ pArray2 = &a[2]; p = &a[0]; /* Initialize Array */ for(i = 0; i<10; ++i) { *p = arrVal; p++ ; } /* Return a[2] */ return *pArray2; } ; ebx  i ; ecx  variable p sub esp, 40 ;adjust stack lea edx, [esp+8] ; mov [4], edx ;pArray2=&a[2] lea ecx, [esp] ;p=&a[0] mov edx, [0] ; loc_9: mov [ecx], edx ;*p=arrVal add ecx, 4 ;p++ inc ebx ;i++ cmp ebx, 10 ;i<10? jl short loc_9 ; mov edi, [4] ; mov eax, [edi] ;return *pArray2 add esp, 40 retn

9 mov ecx, edx ; ecx = edx mov ecx, [edx] ; ecx = *edx mov [ecx], edx ;*ecx = edx lea ecx, [esp+8] ; ecx = &a[2] Tutorial on x86 Instructions

10 Running Example int arrVal=0, *pArray2; int main() { int i, a[10], *p; /* Initialize pointers */ pArray2 = &a[2]; p = &a[0]; /* Initialize Array */ for(i = 0; i<10; ++i) { *p = arrVal; p++ ; } /* Return a[2] */ return *pArray2; } ; ebx  i ; ecx  variable p sub esp, 40 ;adjust stack lea edx, [esp+8] ; mov [4], edx ;pArray2=&a[2] lea ecx, [esp] ;p=&a[0] mov edx, [0] ; loc_9: mov [ecx], edx ;*p=arrVal add ecx, 4 ;p++ inc ebx ;i++ cmp ebx, 10 ;i<10? jl short loc_9 ; mov edi, [4] ; mov eax, [edi] ;return *pArray2 add esp, 40 retn

11 Running Example int arrVal=0, *pArray2; int main() { int i, a[10], *p; /* Initialize pointers */ pArray2 = &a[2]; p = &a[0]; /* Initialize Array */ for(i = 0; i<10; ++i) { *p = arrVal; p++ ; } /* Return a[2] */ return *pArray2; } ; ebx  i ; ecx  variable p sub esp, 40 ;adjust stack lea edx, [esp+8] ; mov [4], edx ;pArray2=&a[2] lea ecx, [esp] ;p=&a[0] mov edx, [0] ; loc_9: mov [ecx], edx ;*p=arrVal add ecx, 4 ;p++ inc ebx ;i++ cmp ebx, 10 ;i<10? jl short loc_9 ; mov edi, [4] ; mov eax, [edi] ;return *pArray2 add esp, 40 retn ?

12 Running Example – Address Space ; ebx  i ; ecx  variable p sub esp, 40 ;adjust stack lea edx, [esp+8] ; mov [4], edx ;pArray2=&a[2] lea ecx, [esp] ;p=&a[0] mov edx, [0] ; loc_9: mov [ecx], edx ;*p=arrVal add ecx, 4 ;p++ inc ebx ;i++ cmp ebx, 10 ;i<10? jl short loc_9 ; mov edi, [4] ; mov eax, [edi] ;return *pArray2 add esp, 40 retn 0h 4h a(40 bytes) arrVal(4 bytes) pArray2(4 bytes) Global data Data local to main (Activation Record) ? return_address 0ffffh

13 Running Example – Address Space 0ffffh 0h ; ebx  i ; ecx  variable p sub esp, 40 ;adjust stack lea edx, [esp+8] ; mov [4], edx ;pArray2=&a[2] lea ecx, [esp] ;p=&a[0] mov edx, [0] ; loc_9: mov [ecx], edx ;*p=arrVal add ecx, 4 ;p++ inc ebx ;i++ cmp ebx, 10 ;i<10? jl short loc_9 ; mov edi, [4] ; mov eax, [edi] ;return *pArray2 add esp, 40 retn Global data Data local to main (Activation Record) No debugging information ? return_address

14 Challenges (1) No debugging/symbol-table information Explicit memory addresses –need something similar to C variables –a-locs Only have an initial estimate of –code, data, procedures, call sites, malloc sites –extend IR on-the-fly disassemble data, add to CFG,... similar to elaboration of CFG/call-graph in a compiler because of calls via function pointers

15 Indirect-addressing mode –need “pointer analysis” –value-set analysis Pointer arithmetic –need numeric analysis (e.g., range analysis) –value-set analysis Checking for non-aligned accesses –pointer forging? –keep stride information in value-sets Challenges (2) [ ]

16 Multiple source languages OK Some optimizations make our task easier –optimizers try to use registers, not memory –deciphering memory operations is the hard part Not Everything is Bad News !

17 Memory-regions An abstraction of the address space Idea: group similar runtime addresses –collapse the runtime ARs for each procedure f f f … … … g f g global g

18 An abstraction of the address space Idea: group similar runtime addresses –collapse the runtime ARs for each procedure Similarly, one region for all global data one region for each malloc site Memory-regions

19 Example – Memory-regions ; ebx  i ; ecx  variable p sub esp, 40 ;adjust stack lea edx, [esp+8] ; mov [4], edx ;pArray2=&a[2] lea ecx, [esp] ;p=&a[0] mov edx, [0] ; loc_9: mov [ecx], edx ;*p=arrVal add ecx, 4 ;p++ inc ebx ;i++ cmp ebx, 10 ;i<10? jl short loc_9 ; mov edi, [4] ; mov eax, [edi] ;return *pArray2 add esp, 40 retn (GL,0) (GL,8) (main, -40) Region for main Global Region (main, 0) ret_main ?

20 “Need Something Similar to C Variables” Standard compilation model –some variables held in registers –global variables  absolute addresses –local variables  offsets in stack frame A-locs –locations between consecutive addresses –locations between consecutive offsets –registers Use a-locs instead of variables in static analysis –e.g., killed a-loc  killed variable

21 (GL,0) (GL,8) Region for main Global Region Example – A-locs ; ebx  i ; ecx  variable p sub esp, 40 ;adjust stack lea edx, [esp+8] ; mov [4], edx ;pArray2=&a[2] lea ecx, [esp] ;p=&a[0] mov edx, [0] ; loc_9: mov [ecx], edx ;*p=arrVal add ecx, 4 ;p++ inc ebx ;i++ cmp ebx, 10 ;i<10? jl short loc_9 ; mov edi, [4] ; mov eax, [edi] ;return *pArray2 add esp, 40 retn [esp] (main, -40) (main, 0) [esp+8] [0] [4] (GL,4) (main, -32) ? ret_main

22 (GL,0) (GL,8) Region for main Global Region Example – A-locs ; ebx  i ; ecx  variable p sub esp, 40 ;adjust stack lea edx, [esp+8] ; mov [4], edx ;pArray2=&a[2] lea ecx, [esp] ;p=&a[0] mov edx, [0] ; loc_9: mov [ecx], edx ;*p=arrVal add ecx, 4 ;p++ inc ebx ;i++ cmp ebx, 10 ;i<10? jl short loc_9 ; mov edi, [4] ; mov eax, [edi] ;return *pArray2 add esp, 40 retn (main, -40) (main, 0) (GL,4) (main, -32) mainv_28 mainv_20 mem_0 mem_4 ? ret_main

23 (GL,0) (GL,8) Region for main Global Region Example – A-locs ; ebx  i ; ecx  variable p sub esp, 40 ;adjust stack lea edx, &mainv_2 ; mov mem_4, edx ;pArray2=&a[2] lea ecx, &mainv_2 ;p=&a[0] mov edx, mem_0 ; loc_9: mov [ecx], edx ;*p=arrVal add ecx, 4 ;p++ inc ebx ;i++ cmp ebx, 10 ;i<10? jl short loc_9 ; mov edi, mem_4 ; mov eax, [edi] ;return *pArray2 add esp, 40 retn (main, -40) (main, 0) (GL,4) (main, -32) mainv_28 mainv_20 mem_0 mem_4 ? ret_main

24 Example – A-locs ; ebx  i ; ecx  variable p sub esp, 40 ;adjust stack lea edx, &mainv_20; mov mem_4, edx ;pArray2=&a[2] lea ecx, &mainv_28;p=&a[0] mov edx, mem_0 ; loc_9: mov [ecx], edx ;*p=arrVal add ecx, 4 ;p++ inc ebx ;i++ cmp ebx, 10 ;i<10? jl short loc_9 ; mov edi, mem_4 ; mov eax, [edi] ;return *pArray2 add esp, 40 retn ? edx locals: mainv_28, mainv_20 {a[0], a[2]} globals: mem_0, mem_4 {arrVal, pArray2} mainv_20 mem_4 ecx mainv_28 edi

25 Example – A-locs ; ebx  i ; ecx  variable p sub esp, 40 ;adjust stack lea edx, &mainv_20; mov mem_4, edx ;pArray2=&a[2] lea ecx, &mainv_28;p=&a[0] mov edx, mem_0 ; loc_9: mov [ecx], edx ;*p=arrVal add ecx, 4 ;p++ inc ebx ;i++ cmp ebx, 10 ;i<10? jl short loc_9 ; mov edi, mem_4 ; mov eax, [edi] ;return *pArray2 add esp, 40 retn  edx locals: mainv_28, mainv_20 {a[0], a[2]} globals: mem_0, mem_4 {arrVal, pArray2} mainv_20 mem_4 ecx mainv_28 edi

26 Value-Set Analysis Resembles a pointer-analysis algorithm –interprets pointer-manipulation operations –pointer arithmetic, too Resembles a numeric-analysis algorithm –over-approximate the set of values/addresses held by an a-loc range information stride information –interprets arithmetic operations on sets of values/addresses

27 Value-set An a-loc  a variable –the address of an a-loc (memory-region, offset within the region) An a-loc  an aggregate variable –addresses of elements of an a-loc (rgn, {o 1, o 2, …, o n }) Value-set = a set of such addresses {(rgn 1, {o 1, o 2, …, o n }), …, (rgn r, {o 1, o 2, …, o m })} “r” – number of regions in the program

28 Value-set Set of addresses: {(rgn 1, {o 1, …, o n }), …, (rgn r, {o 1, …, o m })} Idea: approximate {o 1, …, o k } with a numeric domain –{1, 3, 5, 9} represented as 2[0,4]+1 –Reduced Interval Congruence (RIC) common stride lower and upper bounds displacement Set of addresses is an r-tuple: (ric 1, …, ric r ) –ric 1 : offsets in global region –a set of numbers: (ric 1, , …,  )

29 (GL,0) (GL,8) Region for main Global Region Example – Value-set analysis ; ebx  i ; ecx  variable p sub esp, 40 ;adjust stack lea edx, [esp+8] ; mov [4], edx ;pArray2=&a[2] lea ecx, [esp] ;p=&a[0] mov edx, [0] ; loc_9: mov [ecx], edx ;*p=arrVal add ecx, 4 ;p++ inc ebx ;i++ cmp ebx, 10 ;i<10? jl short loc_9 ; mov edi, [4] ; mov eax, [edi] ;return *pArray2 add esp, 40 retn (main, -40) (main, 0) (GL,4) (main, -32) mainv_28 mem_0 mem_4 12 ? 21 ecx  ( , 4[0,∞]-40) ebx  (1[0,9],  ) esp  ( , -40) edi  ( , -32) esp  ( , -40) mainv_20 ret_main

30 ( ,-32) ecx  ( , 4[0,∞]-40) ( , 4[0,∞]-40) edi  ( , -32) (GL,0) (GL,8) Region for main Global Region Example – Value-set analysis ; ebx  i ; ecx  variable p sub esp, 40 ;adjust stack lea edx, [esp+8] ; mov [4], edx ;pArray2=&a[2] lea ecx, [esp] ;p=&a[0] mov edx, [0] ; loc_9: mov [ecx], edx ;*p=arrVal add ecx, 4 ;p++ inc ebx ;i++ cmp ebx, 10 ;i<10? jl short loc_9 ; mov edi, [4] ; mov eax, [edi] ;return *pArray2 add esp, 40 retn (main, -40) (main, 0) (GL,4) (main, -32) mainv_28 mem_0 mem_4 21 mainv_20 ret_main  = ( ,-32)   ? 12

31 (GL,0) (GL,8) Region for main Global Region Example – Value-set analysis ; ebx  i ; ecx  variable p sub esp, 40 ;adjust stack lea edx, [esp+8] ; mov [4], edx ;pArray2=&a[2] lea ecx, [esp] ;p=&a[0] mov edx, [0] ; loc_9: mov [ecx], edx ;*p=arrVal add ecx, 4 ;p++ inc ebx ;i++ cmp ebx, 10 ;i<10? jl short loc_9 ; mov edi, [4] ; mov eax, [edi] ;return *pArray2 add esp, 40 retn (main, -40) (main, 0) (GL,4) (main, -32) mainv_28 mem_0 mem_4 1 ecx  ( , 4[0,∞]-40) 2 edi  ( , -32) mainv_20 ret_main A stack-smashing attack? 12

32 Affine-Relation Analysis Value-set domain is non-relational –cannot capture relationships among a-locs Imprecise results –e.g. no upper bound for ecx at loc_9 ecx  ( , 4[0,∞]-40)... loc_9: mov [ecx], edx ;*p=arrVal add ecx, 4 ;p++ inc ebx ;i++ cmp ebx, 10 ;i<10? jl short loc_9 ;...

33 Affine-Relation Analysis Obtain affine relations via static analysis Use affine relations to improve precision –e.g., at loc_9 ecx = esp+(4  ebx), ebx=([0,9],  ), esp=( ,-40)  ecx=( ,-40)+4([0,9])  ecx=( ,4[0,9]-40)  upper bound for ecx at loc_9... loc_9: mov [ecx], edx ;*p=arrVal add ecx, 4 ;p++ inc ebx ;i++ cmp ebx, 10 ;i<10? jl short loc_9 ;...

34 (GL,0) (GL,8) Region for main Global Region Example – Value-set analysis ; ebx  i ; ecx  variable p sub esp, 40 ;adjust stack lea edx, [esp+8] ; mov [4], edx ;pArray2=&a[2] lea ecx, [esp] ;p=&a[0] mov edx, [0] ; loc_9: mov [ecx], edx ;*p=arrVal add ecx, 4 ;p++ inc ebx ;i++ cmp ebx, 10 ;i<10? jl short loc_9 ; mov edi, [4] ; mov eax, [edi] ;return *pArray2 add esp, 40 retn (main, -40) (main, 0) (GL,4) (main, -32) mainv_28 mem_0 mem_4 1 ecx  ( , 4[0,9]-40) mainv_20 ret_main No stack-smashing attack reported 12

35 Affine-Relation Analysis Affine relation –x 1, x 2, …, x n – a-locs –a 0, a 1, …, a n – integer constants –a 0 +  i=1..n (a i x i ) = 0 Idea: determine affine relations on registers –use such relations to improve precision Implemented using WPDS++

36 Performance ProgramnProcnInsts Value-set analysis (seconds) Affine- relations (seconds) javac363,5554236 cat(2.0.14)1233,8925132 cut(2.0.14)1294,3292850 grep(2.4.2)24516,8088578 flex(2.5.4)23923,373200376 tar(1.13.19)58750,347210 awk(3.1.0)59569,9271,507 winhlp32 (5.00.2195.2014) 1,018108,3802,002

37 Future Work Aggregate Structure Identification –Ramalingam et al. [POPL 99] –Ignore declarative information –Identify fields from the access patterns –Useful for improving the a-loc abstraction discovering type information

38 Future Work ; ebx  i ; ecx  variable p sub esp, 40 ;adjust stack lea edx, [esp+8] ; mov [4], edx ;pArray2=&a[2] lea ecx, [esp] ;p=&a[0] mov edx, [0] ; loc_9: mov [ecx], edx ;*p=arrVal add ecx, 4 ;p++ inc ebx ;i++ cmp ebx, 10 ;i<10? jl short loc_9 ; mov edi, [4] ; mov eax, [edi] ;return *pArray2 add esp, 40 retn AR[-40:-1] 40 428 328

39 Future Work ; ebx  i ; ecx  variable p sub esp, 40 ;adjust stack lea edx, [esp+8] ; mov [4], edx ;pArray2=&a[2] lea ecx, [esp] ;p=&a[0] mov edx, [0] ; loc_9: mov [ecx], edx ;*p=arrVal add ecx, 4 ;p++ inc ebx ;i++ cmp ebx, 10 ;i<10? jl short loc_9 ; mov edi, [4] ; mov eax, [edi] ;return *pArray2 add esp, 40 retn AR[-40:-1] 40 428 328 22 11 77 4

40 [ ] Main Insights Combined numeric and pointer analysis Congruence (“stride”) information –Ranges alone  false reports of pointer forging Affine relations used to improve precision –Constraints among values of registers –Loop conditions + affine relations  better bounds for an a-locs RICs

41 CodeSurfer IDA Pro Client Applications Connector Codesurfer/x86 Architecture Binary Value-set Analysis Build SDG Browse Build CFGs Parse Binary For more details Gogul Balakrishnan’s demo Gogul Balakrishnan’s poster Consult UW-TR 1486 [http://www.cs.wisc.edu/~reps/#tr1486]http://www.cs.wisc.edu/~reps/#tr1486

42 Analyzing Memory Accesses in x86 Executables Gogul Balakrishnan Thomas Reps University of Wisconsin

Download ppt "Analyzing Memory Accesses in x86 Executables Gogul Balakrishnan Thomas Reps University of Wisconsin."

Similar presentations

Practical Malware Analysis

Practical Malware Analysis
Intermediate Code Generation

Intermediate Code Generation
Machine/Assembler Language Putting It All Together Noah Mendelsohn Tufts University Web:

Machine/Assembler Language Putting It All Together Noah Mendelsohn Tufts University Web:
8. Code Generation. Generate executable code for a target machine that is a faithful representation of the semantics of the source code Depends not only.

8. Code Generation. Generate executable code for a target machine that is a faithful representation of the semantics of the source code Depends not only.
C Programming and Assembly Language Janakiraman V – NITK Surathkal 2 nd August 2014.

C Programming and Assembly Language Janakiraman V – NITK Surathkal 2 nd August 2014.
Assembly Code Verification Using Model Checking Hao XIAO Singapore University of Technology and Design.

Assembly Code Verification Using Model Checking Hao XIAO Singapore University of Technology and Design.
Assembly Language for Intel-Based Computers Chapter 8: Advanced Procedures Kip R. Irvine.

Assembly Language for Intel-Based Computers Chapter 8: Advanced Procedures Kip R. Irvine.
Lecture 11 – Code Generation Eran Yahav 1 Reference: Dragon 8. MCD 4.2.4 www.cs.technion.ac.il/~yahave/tocs2011/compilers-lec11.pptx.

Lecture 11 – Code Generation Eran Yahav 1 Reference: Dragon 8. MCD
PC hardware and x86 3/3/08 Frans Kaashoek MIT

PC hardware and x86 3/3/08 Frans Kaashoek MIT
1 ICS 51 Introductory Computer Organization Fall 2006 updated: Oct. 2, 2006.

1 ICS 51 Introductory Computer Organization Fall 2006 updated: Oct. 2, 2006.
Model Checking x86 Executables with CodeSurfer/x86 and WPDS++ G. Balakrishnan 1, T. Reps 1,2, N. Kidd 1, A. Lal 1, J. Lim 1, D. Melski 2, R. Gruian 2,

Model Checking x86 Executables with CodeSurfer/x86 and WPDS++ G. Balakrishnan 1, T. Reps 1,2, N. Kidd 1, A. Lal 1, J. Lim 1, D. Melski 2, R. Gruian 2,
Accessing parameters from the stack and calling functions.

Accessing parameters from the stack and calling functions.
Gogul Balakrishnan NEC Laboratories America

Gogul Balakrishnan NEC Laboratories America
Run time vs. Compile time

Run time vs. Compile time
Assembly Language for Intel-Based Computers Chapter 2: IA-32 Processor Architecture Kip Irvine.

Assembly Language for Intel-Based Computers Chapter 2: IA-32 Processor Architecture Kip Irvine.
Semantics of Calls and Returns

Semantics of Calls and Returns
Assembly תרגול 8 פונקציות והתקפת buffer.. Procedures (Functions) A procedure call involves passing both data and control from one part of the code to.

Assembly תרגול 8 פונקציות והתקפת buffer.. Procedures (Functions) A procedure call involves passing both data and control from one part of the code to.
1 Run time vs. Compile time The compiler must generate code to handle issues that arise at run time Representation of various data types Procedure linkage.

1 Run time vs. Compile time The compiler must generate code to handle issues that arise at run time Representation of various data types Procedure linkage.
Addressing Modes Chapter 11 S. Dandamudi. 2003 To be used with S. Dandamudi, “Fundamentals of Computer Organization and Design,” Springer, 2003.  S.

Addressing Modes Chapter 11 S. Dandamudi To be used with S. Dandamudi, “Fundamentals of Computer Organization and Design,” Springer,  S.
CEG 320/520: Computer Organization and Assembly Language ProgrammingIntel Assembly 1 Intel IA-32 vs Motorola 68000.

CEG 320/520: Computer Organization and Assembly Language ProgrammingIntel Assembly 1 Intel IA-32 vs Motorola

Similar presentations

Ads by Google