Presentation is loading. Please wait.

Presentation is loading. Please wait.

String Analysis for Binaries Mihai Christodorescu Nicholas Kidd Wen-Han Goh

Published byDwight Bradford Modified over 8 years ago

Similar presentations

Presentation on theme: "String Analysis for Binaries Mihai Christodorescu Nicholas Kidd Wen-Han Goh"— Presentation transcript:

1 String Analysis for Binaries Mihai Christodorescu mihai@cs.wisc.edu Nicholas Kidd kidd@cs.wisc.edu Wen-Han Goh wen-han@cs.wisc.edu

2 7 May 2005Mihai Christodorescu, Wen-Han Goh, Nicholas Kidd2 What is String Analysis? Recovery of values a string variable might take at a given program point. void main( void ) { char * msg = “no msg”; printf( “This food has %s.\n”, msg ); } Output: This food has no msg. 

3 7 May 2005Mihai Christodorescu, Wen-Han Goh, Nicholas Kidd3 Why Do We Need String Analysis? We could just use the strings program: $ strings no_msg /lib/ld-linux.so.2 libc.so.6... no msg This food has %s. $  

4 7 May 2005Mihai Christodorescu, Wen-Han Goh, Nicholas Kidd4 A Complicated Example void main( void ) { char buf[257]; strcpy( buf, “/” ); strcat( buf, “b” ); strcat( buf, “i” ); strcat( buf, “n” );... system( buf ); }  Running strings : / a b c d... Running a string analysis: /bin/ifconfig –a | /bin/mail...@...

5 7 May 2005Mihai Christodorescu, Wen-Han Goh, Nicholas Kidd5 Our Contributions Developed a string analysis for binaries. Implemented x86sa: a string analyzer for Intel IA-32 binaries. Evaluation on both benign and malicious binaries.

6 7 May 2005Mihai Christodorescu, Wen-Han Goh, Nicholas Kidd6 Outline  String analysis for Java.  String analysis for x86.  Evaluation.  Applications & future work.

7 7 May 2005Mihai Christodorescu, Wen-Han Goh, Nicholas Kidd7 String Analysis for Java 1.Create string flowgraph. void main( void ) { String x = “/”; x = x + “b”; x = x + “i”; x = x + “n”;... System.exec( x ); } Christensen, Møller, Schwartzbach „Precise Analysis of String Expressions“ (SAS’03) “/”“b” concat “i” concat...

8 7 May 2005Mihai Christodorescu, Wen-Han Goh, Nicholas Kidd8 String Analysis for Java [2] 2.Create context-free grammar. 3.Approximate with finite automaton. “/”“b” concat “i” concat... A1  “/” “b” A2  A1 “i” A3  A2 “n” A4  A3 “/” … “/bin/ifconfig...”

9 7 May 2005Mihai Christodorescu, Wen-Han Goh, Nicholas Kidd9 From Java to x86 executables FlowgraphCFGFSA Java.class

10 7 May 2005Mihai Christodorescu, Wen-Han Goh, Nicholas Kidd10 From Java to x86 executables x86 executable FlowgraphCFGFSA

11 7 May 2005Mihai Christodorescu, Wen-Han Goh, Nicholas Kidd11 Outline  String analysis for Java.  String analysis for x86.  Evaluation.  Applications & future work.

12 7 May 2005Mihai Christodorescu, Wen-Han Goh, Nicholas Kidd12 Problem 1: No Types Solution: infer types from C lib. funcs. Assumption #1: Strings are manipulated only using string library functions. char * strcat( char * dest, char * src ) After:“eax” points to a string. Before:“dest” and “src” point to a string.

13 7 May 2005Mihai Christodorescu, Wen-Han Goh, Nicholas Kidd13 Problem 1: No Types [cont.] Perform a backwards analysis to find the strings: –Destination registers “kill” string type information. –Libc string functions “gen” string type information. –Strings at entry to CFG are constant strings or function parameters.

14 7 May 2005Mihai Christodorescu, Wen-Han Goh, Nicholas Kidd14 Problem 2: Function Parameters Function parameters are not explicit in x86 machine code. movecx, [ebp+var1] pushecx movebx, [ebp+var2] pushebx call_strcat

15 7 May 2005Mihai Christodorescu, Wen-Han Goh, Nicholas Kidd15 Problem 2: Function Parameters Solution: Perform forwards analysis modeling x86 instructions effects on the stack. movecx, [ebp+var1] pushecx movebx, [ebp+var2] pushebx call_strcat

16 7 May 2005Mihai Christodorescu, Wen-Han Goh, Nicholas Kidd16 Problem 3: Unmodeled Functions String type information and stack model may be incorrect! Assumption #2: “_cdecl” calling convention and well behaved functions Treat all function arguments and return values as strings.

17 7 May 2005Mihai Christodorescu, Wen-Han Goh, Nicholas Kidd17 Problem 4: Java vs. x86 Semantics Java strings are immutable, x86 strings are not. String y, x=“x”; y = x; y = y + “123”; System.out.println(x); char *y; char x[10] = “x”; y = x; y = strcat(y,”123”); printf(x); => “x”=> “x123”

18 7 May 2005Mihai Christodorescu, Wen-Han Goh, Nicholas Kidd18 Problem 4: Java vs. x86 Semantics Solution: Alias analysis. 0x100: mov eax, ecx 0x200: _strcat( ebx,ecx ) ecx eax ecx ebx esi ecx 20 0 ebx eax esi

19 7 May 2005Mihai Christodorescu, Wen-Han Goh, Nicholas Kidd19 Transformers – String Inference 0x200: _strcat( ebx, ecx ) String inference λd.{ d – {eax}  {ebx,ecx} }

20 7 May 2005Mihai Christodorescu, Wen-Han Goh, Nicholas Kidd20 Transformers – Alias Analysis 0x200: _strcat( ebx, ecx ) ebx  must let T = alias must (ebx) let V = alias may (ebx) λd.  { must(d) ­ {(ebx, *), (eax, *)}  {(ebx, 200), (eax, 200)} - a  T {(a,*)}  a  T {(a,200)}, (may(d) ­ {(ebx, *), (eax, *)}  a  V {(a,200)}) 

21 7 May 2005Mihai Christodorescu, Wen-Han Goh, Nicholas Kidd21 Transformers – Alias Analysis 0x200: _strcat( ebx, ecx ) ebx  may let T = alias must (ebx) let V = alias may (ebx) λd.  { must(d) ­ {(eax, *)} - a  T {(a,*)}  {(ebx, 200), (eax, 200)}, {may(d) ­ {(ebx, *), (eax, *)}  a  T {(a,200),(a,old(a)}  a  V {(a,200)}} 

22 7 May 2005Mihai Christodorescu, Wen-Han Goh, Nicholas Kidd22 Stack Height Transformers String Type Transformers Alias Analysis Transformers UTF-8 func’s Stack Height Transformers String Type Transformers Alias Analysis Transformers libc char* func’s Stack Height Transformers String Type Transformers Alias Analysis Transformers Unicode func’s x86sa Architecture EXE IDA Pro Connector WPDS++ JSA

23 7 May 2005Mihai Christodorescu, Wen-Han Goh, Nicholas Kidd23 Intraprocedural Analysis Summary 1.Recover callsite arguments. (stack-operation modeling) 2.Infer string types. (backward type analysis) 3.Discover aliases. (may-, must-alias forward analysis) Generate the String Flow Graph for the Control Flow Graph.

24 7 May 2005Mihai Christodorescu, Wen-Han Goh, Nicholas Kidd24 Interprocedural Analysis Proposed solutions: 1.Inline everything and apply intra- procedural analysis. 2.“Hook” intraprocedural String Flow Graphs into a “Super String Flow Graph”. 3.Polyvariant analysis over function summaries for String Flow Graphs.

25 7 May 2005Mihai Christodorescu, Wen-Han Goh, Nicholas Kidd25 Outline  String analysis for Java.  String analysis for x86.  Evaluation.  Applications & future work.

26 7 May 2005Mihai Christodorescu, Wen-Han Goh, Nicholas Kidd26 Example 1: simple char * s1 = "Argc has "; char * s2; char * s3 = " arguments"; char * s4; switch( argc ) { case 1:s2 = "1“ ; break; case 2:s2 = "2“ ; break; default:s2 = "> 2"; break; } s4 = malloc( strlen(s1)+strlen(s2)+strlen(s3)+1 ); s4[0] = 0; strcat( strcat( strcat( s4, s1 ), s2), s3 ); printf( "%s\n", s4 );

27 7 May 2005Mihai Christodorescu, Wen-Han Goh, Nicholas Kidd27 Example 1: String Flow Graph “Argc has” “ arguments” “1” concat malloc “2”“> 2” assign Our result: "Argc has 1 arguments" "Argc has 2 arguments" "Argc has > 2 arguments"

28 7 May 2005Mihai Christodorescu, Wen-Han Goh, Nicholas Kidd28 Example 2: cstar char * c = “c"; char * s4 = malloc(101); for( int i=0; i < 100 ; i++ ) { strcat( s4, c ); } printf( "%s\n", s4 );

29 7 May 2005Mihai Christodorescu, Wen-Han Goh, Nicholas Kidd29 Example 2: String Flow Graph “c” concat malloc assign Our result: c* Correct answer: c 100

30 7 May 2005Mihai Christodorescu, Wen-Han Goh, Nicholas Kidd30 Example 3: Lion Worm Code and String Flow Graph omitted. x86sa analysis results: " /sbin/ifconfig -a|/bin/mail angelz1578@usa.net "

31 7 May 2005Mihai Christodorescu, Wen-Han Goh, Nicholas Kidd31 Applications & Future Work Implement interprocedural analysis Relax the assumptions: –VSA looks promising Malicious code analysis Analysis of dynamic code generators –VMs, shell code generators, etc.

32 String Analysis for Binaries Mihai Christodorescu mihai@cs.wisc.edu Nicholas Kidd kidd@cs.wisc.edu Wen-Han Goh wen-han@cs.wisc.edu

33 7 May 2005Mihai Christodorescu, Wen-Han Goh, Nicholas Kidd33 From Java to x86 Binaries Input: x86 binary file Java string analyzer input: Flowgraph Output: finite automaton ?

34 7 May 2005Mihai Christodorescu, Wen-Han Goh, Nicholas Kidd34 Problem 4: Java vs. x86 Semantics Solution: Alias analysis. 0x100: mov eax,ecx λS.let A = aliases(ecx) S – {(eax,*)}  ({eax}  A) 0x200: _strcat( ebx, ecx ) λS. let A = alias(ebx) let N = vars(A) (S  (N  {200})) – {(ebx,*),{(eax,*)}  {(ebx,200),(eax,200)}

35 7 May 2005Mihai Christodorescu, Wen-Han Goh, Nicholas Kidd35 Example 1: x86sa Analysis Results 1."Argc has 1 arguments" 2."Argc has 2 arguments" 3."Argc has > 2 arguments"

36 7 May 2005Mihai Christodorescu, Wen-Han Goh, Nicholas Kidd36 cstar’s x86sa analysis results Infinitely many strings with common prefix: “c”

Download ppt "String Analysis for Binaries Mihai Christodorescu Nicholas Kidd Wen-Han Goh"

Similar presentations

Buffer Overflows Nick Feamster CS 6262 Spring 2009 (credit to Vitaly S. from UT for slides)

Buffer Overflows Nick Feamster CS 6262 Spring 2009 (credit to Vitaly S. from UT for slides)
Introduction to C Programming

Introduction to C Programming
Practical Malware Analysis

Practical Malware Analysis
CPSC 441 TUTORIAL – JANUARY 16, 2012 TA: MARYAM ELAHI INTRODUCTION TO C.

CPSC 441 TUTORIAL – JANUARY 16, 2012 TA: MARYAM ELAHI INTRODUCTION TO C.
Smashing the Stack for Fun and Profit

Smashing the Stack for Fun and Profit
ByteWeight: Learning to Recognize Functions in Binary Code

ByteWeight: Learning to Recognize Functions in Binary Code
Semantic Analysis Chapter 6. Two Flavors  Static (done during compile time) –C –Ada  Dynamic (done during run time) –LISP –Smalltalk  Optimization.

Semantic Analysis Chapter 6. Two Flavors  Static (done during compile time) –C –Ada  Dynamic (done during run time) –LISP –Smalltalk  Optimization.
Context-Sensitive Interprocedural Points-to Analysis in the Presence of Function Pointers Presentation by Patrick Kaleem Justin.

Context-Sensitive Interprocedural Points-to Analysis in the Presence of Function Pointers Presentation by Patrick Kaleem Justin.
Smita Thaker 1 Polymorphic & Metamorphic Viruses Presented By : Smita Thaker Dated : Nov 18, 2003.

Smita Thaker 1 Polymorphic & Metamorphic Viruses Presented By : Smita Thaker Dated : Nov 18, 2003.
1 CS 201 Compiler Construction Lecture Interprocedural Data Flow Analysis.

1 CS 201 Compiler Construction Lecture Interprocedural Data Flow Analysis.
Control Flow Analysis (Chapter 7) Mooly Sagiv (with Contributions by Hanne Riis Nielson)

Control Flow Analysis (Chapter 7) Mooly Sagiv (with Contributions by Hanne Riis Nielson)
C Programming and Assembly Language Janakiraman V – NITK Surathkal 2 nd August 2014.

C Programming and Assembly Language Janakiraman V – NITK Surathkal 2 nd August 2014.
Chapter 7 User-Defined Methods. Chapter Objectives  Understand how methods are used in Java programming  Learn about standard (predefined) methods and.

Chapter 7 User-Defined Methods. Chapter Objectives  Understand how methods are used in Java programming  Learn about standard (predefined) methods and.
Intro to Exploitation Stack Overflows James McFadyen UTD Computer Security Group 10/20/2011.

Intro to Exploitation Stack Overflows James McFadyen UTD Computer Security Group 10/20/2011.
Gabe Kanzelmeyer CS 450 4/14/10.  What is buffer overflow?  How memory is processed and the stack  The threat  Stack overrun attack  Dangers  Prevention.

Gabe Kanzelmeyer CS 450 4/14/10.  What is buffer overflow?  How memory is processed and the stack  The threat  Stack overrun attack  Dangers  Prevention.
Lecture 11 – Code Generation Eran Yahav 1 Reference: Dragon 8. MCD 4.2.4 www.cs.technion.ac.il/~yahave/tocs2011/compilers-lec11.pptx.

Lecture 11 – Code Generation Eran Yahav 1 Reference: Dragon 8. MCD
Common Sub-expression Elim Want to compute when an expression is available in a var Domain:

Common Sub-expression Elim Want to compute when an expression is available in a var Domain:
Memory Image of Running Programs Executable file on disk, running program in memory, activation record, C-style and Pascal-style parameter passing.

Memory Image of Running Programs Executable file on disk, running program in memory, activation record, C-style and Pascal-style parameter passing.
Next Section: Pointer Analysis Outline: –What is pointer analysis –Intraprocedural pointer analysis –Interprocedural pointer analysis (Wilson & Lam) –Unification.

Next Section: Pointer Analysis Outline: –What is pointer analysis –Intraprocedural pointer analysis –Interprocedural pointer analysis (Wilson & Lam) –Unification.
PC hardware and x86 3/3/08 Frans Kaashoek MIT

PC hardware and x86 3/3/08 Frans Kaashoek MIT

Similar presentations

Ads by Google