Presentation is loading. Please wait.

Presentation is loading. Please wait.

The 17th Annual Network and Distributed System Security Symposium

Published byHendri Sumadi Modified over 6 years ago

Similar presentations

Presentation on theme: "The 17th Annual Network and Distributed System Security Symposium"— Presentation transcript:

1 The 17th Annual Network and Distributed System Security Symposium
Automatic Reverse Engineering of Program Data Structures from Binary Execution Zhiqiang Lin Xiangyu Zhang, Dongyan Xu Dept. of Computer Science and CERIAS Purdue University March 3rd, 2010

2 Problem Definition Recover data structure specifications from binary
Syntactic Layout Offset Size Semantic ip_addr_t, pid_t, … input_t malloc_arg_t, format_string_t…

3 Security Applications -- Memory Forensics
thread_info mm count pgd mmap mmap_avl mmap_sem mm_struct task_struct vm_end vm_start vm_flags vm_inode vm_ops vm_next vm_area_struct file task_struct* exec_domain supervisor_stack[0] fdtable *fdt fdtable fdtab file_lock file *fd_array[32]

4 Security Applications -- Vulnerability Discovery
1 void main(int argc, char* argv[]) 2 { char tempname[1024]; strcpy(tempname, argv[1]); } $ ./a.out aaa’\n’ char [4] unused[1020] stack_frame_pointer return_address char* input_t $ ./a.out aaaaaaaaaaaaaaaa…a’\n’

5 Security Applications -- Program Signature
struct B {   int h; char i;   int j; float k; }; struct A {   int a; char b;   int c; float d; }; = Laika [Cozzie et al., OSDI’08] Using Data structure as a classifier  Malware Signature

6 Security Applications
Memory forensics Vulnerability discovery Program signature Protocol format reverse engineering Virtual machine introspection

7 Related Work Require source code Type inference
Hindley-Miner algorithm [Miner, 1978] Iterative type analysis [Ungar et al, PLDI’90] Object-oriented type inference [Palsberg et al, OOPSLA’91] Abstract type inference Lakwit [Callahan et al, ICSE’97] Dynamic Abstract Type Inference [Guo et al, ISSTA’06] Require source code

8 Related Work (binary-based)
Variable discovery (DIVINE)[Balakrishnan and Reps, 2004,2007,2008] Static binary points-to analysis, alias analysis No semantics Decompilation [Mycrof, ESOP’99] Execution-equivalent code Protocol format reverse engineering Polyglot [Caballero et al,CCS’07] , AutoFormat [Lin et al, NDSS’08], ANPA [Wondracek et al, NDSS’08], Tupni [Cui et al, CCS’08], Prospex [Comparetti et al., Oakland’09], ReFormat [Wang et al, ESORICS’09], Dispatcher [Caballero,CCS’09] , … Input and output messages

9 Type Resolution Points
Overview Type Resolution Points Data Structure Specification Application binary Data flow tracking, Type Resolution REWARDS Reverse Engineering Work for Automatic Revelation of Data Structures

10 Key Ideas Data Flow Type Resolution Point foo global var test getpid
a0: call x80480b4<foo> a5: mov $0x1,%eax aa: mov $0x0,%ebx c1: call x <getpid> 80480c6: mov eax, 0x : mov $0x14,%eax : int $0x80 : ret 1 struct { 2 unsigned int pid; 3 char data[16]; 4 }test; 5 6 void foo(){ 7 char *p="hello world"; 8 test.pid=getpid(); 9 strcpy(test.data,p); 10 } fun_0x080480b4{ -28: unused[20], -08: char *, -04: stack_frame_t, +00: ret_addr_t } foo bss_0x { +00: pid_t, +04: char[12], +16: unused[4] } Data Flow global var test Type Resolution Point fun_0x { +00: ret_addr_t } getpid

11 Type Resolution Point - I
<getpid> : mov $0x14,%eax : int $0x80 : ret System calls Syscall num  Syscall_enter: Type parameter passing registers (i.e., ebx, ecx, edx, esi, edi, and ebp) if they involved Syscall_exit: type return value (eax)

12 Type Resolution Point - II
ce: mov %eax,0x4(%esp) <arg2> d2: movl $0x , (%esp) <arg1> d9: call 0x80480e <strcpy> Standard Library Call (API) Type corresponding argument and return value More wealth than System call 2016 APIs in Libc.so.6 vs. 289 sys call (2.6.15)

13 Type Resolution Point - III
Other type revealing instructions in binary code String related (e.g., MOVS/B/D/W, LOADS/STOS/B/D/W) Floating-point related (e.g., FADD, FABS, FST) Pointer-related (e.g., MOV (%edx), %ebx)

14 Backward Type Resolution
Source Sinks arg1 movl $0x ,%eax call 0x80480e0<strcpy> mov %eax, (%esp) char* char* char* strcpy(char*, char*) Backward

15 Forward Type Resolution
Source call 0x <getpid> return pid_t to %eax mov %eax, 0x pid_t pid_t pid_t Forward

16 Data Flow Propagation Similar to taint analysis, using shadow memory to keep the variable attributes and track the propagation New challenges Two-way type resolution Dynamic life time of stack and heap variables Memory locations will be reused Multiple instances of the same type

17 Implementations PIN Dynamic Binary Instrumentation
A pin-tool on top of Pin-2.6 Data structures of interest: File information Network communication Process information Input-influenced (for vulnerability discovery) PIN

18 Evaluations Experiment set up Ground truth  debug information
10 utility binaries (e.g., ls, ps, ping, netstat…) Linux , gcc-3.4, 2G mem Ground truth  debug information

19 Experimental Results False negative: the data structure we missed (compared with the ground truth) Global:70% Heap: 55% Stack: 60% Why false negative Dynamic analysis

20 Experimental Results False positive (we get the wrong data type)
Global: 3% Heap: 0% Stack: 15%

21 Sources of False Positives
Loss of data structure hierarchy There is no corresponding type resolution point with the same hierarchical type Heuristics exist (e.g., AutoFormat [Lin et al, NDSS’08]) Path-sensitive memory reuse Compiler might assign different local variables declared in different program paths to the same memory address Path-sensitive analysis Type cast int a=(float)b;

22 Application I: Memory Forensics
... b0 5b fe b7 b0 5b fe b e a b c7 b0 af 4a c7 b0 af 4a a 080521a struct 0x804dd4f { 00: pthread_t; 04: int; 08: socket; 12: struct sockaddr_in; 28: time_t; 32: time_t; 36: unused[4]; 40: struct 0x804ddfb*; }; b0 5b fe b7 b0 5b fe b7 e 0a b c7 b0 af 4a c7 b0 af 4a 58 2a 05 08

23 Application I: Memory Forensics
... b0 5b fe b7 b0 5b fe b e a b c7 b0 af 4a c7 b0 af 4a a 080521a { 00: sin_family; 02: sin_port; 04: sin_addr; 08: sin_zero; }; struct 0x804dd4f { 00: pthread_t; 04: int; 08: socket; 12: struct sockaddr_in; 28: time_t; 32: time_t; 36: unused[4]; 40: struct 0x804ddfb*; }; 02 00 92 7e 0a b e 0a b ip_addr_t:

24 Application II: Vulnerability Discovery
Program buffer overflow #total #real integer overflow Format string ncompress-4.2.4 1 bftpd 3 gzip-1.2.4 nullhttpd-0.5.0 5 2 xzgv-5.8 8 gnuPG-1.4.3 ipgrab-0.9.9 cfingerd-1.4.3 4 ngircd-0.8.2 12 Suspects True

25 Discussion Dynamic analysis Only user-level data structure
Full coverage of data structures Only user-level data structure OS kernel Obfuscated binary can cheat REWARDS No library call Memory cast Lack of other application-specific type resolution points Other APIs E.g., browser-related

26 Summary REWARDS Key insight Binary only Dynamic analysis
Data flow tracking Key insight Using system call/API/Type revealing instruction as type resolution point Two-way type resolution Unique benefits to memory forensics and vulnerability discovery An Reverse Engineering Work for Automatic Revelation of Data Structures

27 The 17th Annual Network and Distributed System Security Symposium
Automatic Reverse Engineering of Program Data Structures from Binary Execution Zhiqiang Lin Xiangyu Zhang, Dongyan Xu Dept. of Computer Science and CERIAS Purdue University March 3rd, 2010

28 Backup: Path-sensitive memory reuse
case 'e': { if (strlen(params[0]) > 1) switch (tolower(params[0][1])) { case 's': { struct escan_rec rc; if (num_params <= 2) Log("escan <dest>\n"); else { memset((void*)&rc,0,sizeof(struct escan_rec)); if (udp.len != 0) if (!audp_recv(&udp,&tmpclient,buf,3000)) { struct header *rc; struct llheader *llrc; char k=0; buf+=sizeof(struct llheader); udp.len-=sizeof(struct llheader); llrc=(struct llheader *)(buf-sizeof(struct llheader)); rc=(struct header *)buf; if (llrc->type == 0) { struct llheader ll; memset((void*)&ll,0,sizeof(struct llheader)); (pudclient.c)

29 Backup: offline is needed sometimes
Source Sinks Variable A gets defined The type of Variable A gets resolved Variable A dies (keep in the shadow log file) Backward

30 Backup: Vulnerability Discovery
Buffer overflow Format string Integer overflow fun_0x08048e76{ - 1052: char[13], - 1039: unused[1023],... - 0004: stack_frame_t, +0000: ret_addr_t, +0004: char*} input_t argv fun 0x0805f9a5 { ..., - 0284: format_string_t[76], - 0208: unused[204], - 0004: stack_frame_t, +0000: ret_addr_t,...} input_t recv bss 0x0809ac80 { ... +91952: int (malloc_arg_t), +91956: int (malloc_arg_t), ...} input_t fread

Download ppt "The 17th Annual Network and Distributed System Security Symposium"

Similar presentations

ByteWeight: Learning to Recognize Functions in Binary Code

ByteWeight: Learning to Recognize Functions in Binary Code
INTROPERF: TRANSPARENT CONTEXT- SENSITIVE MULTI-LAYER PERFORMANCE INFERENCE USING SYSTEM STACK TRACES Chung Hwan Kim*, Junghwan Rhee, Hui Zhang, Nipun.

INTROPERF: TRANSPARENT CONTEXT- SENSITIVE MULTI-LAYER PERFORMANCE INFERENCE USING SYSTEM STACK TRACES Chung Hwan Kim*, Junghwan Rhee, Hui Zhang, Nipun.
Native x86 Decompilation Using Semantics-Preserving Structural Analysis and Iterative Control-Flow Structuring Edward J. Schwartz *, JongHyup Lee ✝, Maverick.

Native x86 Decompilation Using Semantics-Preserving Structural Analysis and Iterative Control-Flow Structuring Edward J. Schwartz *, JongHyup Lee ✝, Maverick.
Review: Software Security David Brumley Carnegie Mellon University.

Review: Software Security David Brumley Carnegie Mellon University.
TaintCheck and LockSet LBA Reading Group Presentation by Shimin Chen.

TaintCheck and LockSet LBA Reading Group Presentation by Shimin Chen.
Memory Image of Running Programs Executable file on disk, running program in memory, activation record, C-style and Pascal-style parameter passing.

Memory Image of Running Programs Executable file on disk, running program in memory, activation record, C-style and Pascal-style parameter passing.
1 Function Calls Professor Jennifer Rexford COS 217 Reading: Chapter 4 of “Programming From the Ground Up” (available online from the course Web site)

1 Function Calls Professor Jennifer Rexford COS 217 Reading: Chapter 4 of “Programming From the Ground Up” (available online from the course Web site)
1 Homework Reading –PAL, pp 201-216, 297-312 Machine Projects –Finish mp2warmup Questions? –Start mp2 as soon as possible Labs –Continue labs with your.

1 Homework Reading –PAL, pp , Machine Projects –Finish mp2warmup Questions? –Start mp2 as soon as possible Labs –Continue labs with your.
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2011.

CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2011.
Automatic Reverse Engineering of Program Data Structures from Binary Execution Zhiqiang Lin Xiangyu Zhang, Dongyan Xu Dept. of Computer Science and CERIAS.

Automatic Reverse Engineering of Program Data Structures from Binary Execution Zhiqiang Lin Xiangyu Zhang, Dongyan Xu Dept. of Computer Science and CERIAS.
Exploiting Buffer Overflows on AIX/PowerPC HP-UX/PA-RISC Solaris/SPARC.

Exploiting Buffer Overflows on AIX/PowerPC HP-UX/PA-RISC Solaris/SPARC.
The Structure of Processes. What is a Process? an instance of running program Program vs process(task) Program : just a passive collection of instructions.

The Structure of Processes. What is a Process? an instance of running program Program vs process(task) Program : just a passive collection of instructions.
Computer Science Detecting Memory Access Errors via Illegal Write Monitoring Ongoing Research by Emre Can Sezer.

Computer Science Detecting Memory Access Errors via Illegal Write Monitoring Ongoing Research by Emre Can Sezer.
Chapter 0.2 – Pointers and Memory. Type Specifiers  const  may be initialised but not used in any subsequent assignment  common and useful  volatile.

Chapter 0.2 – Pointers and Memory. Type Specifiers  const  may be initialised but not used in any subsequent assignment  common and useful  volatile.
Processes and Threads CS550 Operating Systems. Processes and Threads These exist only at execution time They have fast state changes -> in memory and.

Processes and Threads CS550 Operating Systems. Processes and Threads These exist only at execution time They have fast state changes -> in memory and.
Jose Sanchez 1 o Tielei Wang†, TaoWei†, Zhiqiang Lin‡, Wei Zou†. o Purdue University & Peking University o Proceedings of NDSS'09: Network and Distributed.

Jose Sanchez 1 o Tielei Wang†, TaoWei†, Zhiqiang Lin‡, Wei Zou†. o Purdue University & Peking University o Proceedings of NDSS'09: Network and Distributed.
Automatic Diagnosis and Response to Memory Corruption Vulnerabilities Presenter: Jianyong Dai Jun Xu, Peng Ning, Chongkyung Kil, Yan Zhai, Chris Bookhot.

Automatic Diagnosis and Response to Memory Corruption Vulnerabilities Presenter: Jianyong Dai Jun Xu, Peng Ning, Chongkyung Kil, Yan Zhai, Chris Bookhot.
Automatic Protocol Format Reverse Engineering through Context-Aware Monitored Execution Zhiqiang Lin 1 Xuxian Jiang 2, Dongyan Xu 1, Xiangyu Zhang 1 1.

Automatic Protocol Format Reverse Engineering through Context-Aware Monitored Execution Zhiqiang Lin 1 Xuxian Jiang 2, Dongyan Xu 1, Xiangyu Zhang 1 1.
CS333 Intro to Operating Systems Jonathan Walpole.

CS333 Intro to Operating Systems Jonathan Walpole.
Deriving Input Syntactic Structure From Execution Zhiqiang Lin Xiangyu Zhang Purdue University November 11 th, 2008 The 16th ACM SIGSOFT International.

Deriving Input Syntactic Structure From Execution Zhiqiang Lin Xiangyu Zhang Purdue University November 11 th, 2008 The 16th ACM SIGSOFT International.

Similar presentations

Ads by Google