Presentation is loading. Please wait.

Presentation is loading. Please wait.

Automatic Reverse Engineering of Program Data Structures from Binary Execution Zhiqiang Lin Xiangyu Zhang, Dongyan Xu Dept. of Computer Science and CERIAS.

Published byAntony Chapman Modified over 9 years ago

Similar presentations

Presentation on theme: "Automatic Reverse Engineering of Program Data Structures from Binary Execution Zhiqiang Lin Xiangyu Zhang, Dongyan Xu Dept. of Computer Science and CERIAS."— Presentation transcript:

1 Automatic Reverse Engineering of Program Data Structures from Binary Execution Zhiqiang Lin Xiangyu Zhang, Dongyan Xu Dept. of Computer Science and CERIAS Purdue University March 3 rd, 2010 The 17 th Annual Network and Distributed System Security Symposium

2 Problem Definition  Recover data structure specifications from binary  Syntactic  Layout  Offset  Size  Semantic  ip_addr_t, pid_t, …  input_t  malloc_arg_t, format_string_t…

3 Security Applications -- Memory Forensics thread_info mm count pgd mmap mmap_avl mmap_sem mm_struct task_struct vm_end vm_start vm_flags vm_inode vm_ops vm_next vm_area_struct file task_struct* exec_domain supervisor_stack[0] count fdtable *fdt fdtable fdtab file_lock file *fd_array[32]

4 char [4] unused[1020] stack_frame_pointer return_address char* Security Applications -- Vulnerability Discovery input_t 1 void main(int argc, char* argv[]) 2 { 3 char tempname[1024]; 4 strcpy(tempname, argv[1]); 5} $./a.out aaa’\n’ $./a.out aaaaaaaaaaaaaaaa…a’\n’

5 Security Applications -- Program Signature = Laika [Cozzie et al., OSDI’08] Using Data structure as a classifier  Malware Signature struct A { int a; char b; int c; float d; }; struct A { int a; char b; int c; float d; }; struct B { int h; char i; int j; float k; }; struct B { int h; char i; int j; float k; };

6 Security Applications  Memory forensics  Vulnerability discovery  Program signature  Protocol format reverse engineering  Virtual machine introspection ……

7 Related Work  Type inference  Hindley-Miner algorithm [Miner, 1978]  Iterative type analysis [Ungar et al, PLDI’90]  Object-oriented type inference [Palsberg et al, OOPSLA’91]  Abstract type inference  Lakwit [Callahan et al, ICSE’97]  Dynamic Abstract Type Inference [Guo et al, ISSTA’06] Require source code

8 Related Work (binary-based)  Variable discovery (DIVINE) [Balakrishnan and Reps, 2004,2007,2008]  Static binary points-to analysis, alias analysis  No semantics  Decompilation [Mycrof, ESOP’99]  Execution-equivalent code  Protocol format reverse engineering  Polyglot [Caballero et al,CCS’07], AutoFormat [Lin et al, NDSS’08], ANPA [Wondracek et al, NDSS’08], Tupni [Cui et al, CCS’08], Prospex [Comparetti et al., Oakland’09], ReFormat [Wang et al, ESORICS’09], Dispatcher [Caballero,CCS’09], …  Input and output messages

9 Overview Type Resolution Points Data flow tracking, Type Resolution Application binary Data Structure Specification REWARDS Reverse Engineering Work for Automatic Revelation of Data Structures

10 Key Ideas 1 80480a0: call 0x80480b4 2 80480a5: mov $0x1,%eax 3 80480aa: mov $0x0,%ebx … 10 80480c1: call 0x8048110 1180480c6: mov eax, 0x8049124 … 36 8048110: mov $0x14,%eax 37 8048115: int $0x80 38 8048117: ret 1 struct { 2 unsigned int pid; 3 char data[16]; 4 }test; 5 6 void foo(){ 7 char *p="hello world"; 8 test.pid=getpid(); 9 strcpy(test.data,p); 10 } … bss_0x08049124{ +00: pid_t, +04: char[12], +16: unused[4] } fun_0x080480b4{ -28: unused[20], -08: char *, -04: stack_frame_t, +00: ret_addr_t } Type Resolution Point Data Flow foo fun_0x08048110{ +00: ret_addr_t } getpid global var test

11 Type Resolution Point - I  System calls  Syscall num   Syscall_enter: Type parameter passing registers (i.e., ebx, ecx, edx, esi, edi, and ebp) if they involved  Syscall_exit: type return value (eax) 36 8048110: mov $0x14,%eax 37 8048115: int $0x80 38 8048117: ret

12 Type Resolution Point - II  Standard Library Call (API)  Type corresponding argument and return value  More wealth than System call  2016 APIs in Libc.so.6 vs. 289 sys call (2.6.15) 13 80480ce: mov %eax,0x4(%esp) 14 80480d2: movl $0x8049128, (%esp) 15 80480d9: call 0x80480e0

13 Type Resolution Point - III  Other type revealing instructions in binary code  String related (e.g., MOVS/B/D/W, LOADS/STOS/B/D/W)  Floating-point related (e.g., FADD, FABS, FST)  Pointer-related (e.g., MOV (%edx), %ebx)

14 Backward Type Resolution Source Sinks movl $0x8049128,%eax mov %eax, (%esp) call 0x80480e0 Backward strcpy(char*, char*)char* arg1

15 Forward Type Resolution Source call 0x8048110 return pid_t to %eax mov %eax, 0x8049124 Forward pid_t

16 Data Flow Propagation  Similar to taint analysis, using shadow memory to keep the variable attributes and track the propagation  New challenges  Two-way type resolution  Dynamic life time of stack and heap variables  Memory locations will be reused  Multiple instances of the same type

17 Implementations  Dynamic Binary Instrumentation  A pin-tool on top of Pin-2.6  http://www.pintool.org/ http://www.pintool.org/  Data structures of interest:  File information  Network communication  Process information  Input-influenced (for vulnerability discovery) PIN

18 Evaluations  Experiment set up  10 utility binaries (e.g., ls, ps, ping, netstat…)  Linux 2.6.18, gcc-3.4, 2G mem  Ground truth  debug information

19 Experimental Results  False negative: the data structure we missed (compared with the ground truth)  Global:70%  Heap: 55%  Stack: 60%  Why false negative  Dynamic analysis

20 Experimental Results  False positive (we get the wrong data type)  Global: 3%  Heap: 0%  Stack: 15%

21 Sources of False Positives  Loss of data structure hierarchy  There is no corresponding type resolution point with the same hierarchical type  Heuristics exist (e.g., AutoFormat [Lin et al, NDSS’08] )  Path-sensitive memory reuse  Compiler might assign different local variables declared in different program paths to the same memory address  Path-sensitive analysis  Type cast  int a=(float)b;

22 Application I: Memory Forensics... 08052170 b0 5b fe b7 b0 5b fe b7 05 00 00 00 02 00 92 7e 08052180 0a 00 00 0b 00 00 00 00 00 00 00 00 c7 b0 af 4a 08052190 c7 b0 af 4a 00 00 00 00 58 2a 05 08 00 00 00 00 080521a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00... struct 0x804dd4f { 00: pthread_t; 04: int; 08: socket; 12: struct sockaddr_in; 28: time_t; 32: time_t; 36: unused[4]; 40: struct 0x804ddfb*; }; b0 5b fe b7 05 00 00 00 02 00 92 7e 0a 00 00 0b.. 00 00 c7 b0 af 4a 00 00 58 2a 05 08

23 Application I: Memory Forensics... 08052170 b0 5b fe b7 b0 5b fe b7 05 00 00 00 02 00 92 7e 08052180 0a 00 00 0b 00 00 00 00 00 00 00 00 c7 b0 af 4a 08052190 c7 b0 af 4a 00 00 00 00 58 2a 05 08 00 00 00 00 080521a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00... { 00: sin_family; 02: sin_port; 04: sin_addr; 08: sin_zero; }; 02 00 92 7e 0a 00 00 0b 02 00 92 7e 0a 00 00 0b.. 00 00 00 00 00 00 ip_addr_t: 10.0.0.11 struct 0x804dd4f { 00: pthread_t; 04: int; 08: socket; 12: struct sockaddr_in; 28: time_t; 32: time_t; 36: unused[4]; 40: struct 0x804ddfb*; };

24 Application II: Vulnerability Discovery Programbuffer overflow #total #real integer overflow #total #real Format string #total #real ncompress-4.2.4110000 bftpd-1.0.11310000 gzip-1.2.4310000 nullhttpd-0.5.0512100 xzgv-5.8308100 gnuPG-1.4.3013100 ipgrab-0.9.9015100 cfingerd-1.4.3400011 ngircd-0.8.21200011 Suspects True

25 Discussion  Dynamic analysis  Full coverage of data structures  Only user-level data structure  OS kernel  Obfuscated binary can cheat REWARDS  No library call  Memory cast  Lack of other application-specific type resolution points  Other APIs  E.g., browser-related

26 Summary  REWARDS  Binary only  Dynamic analysis  Data flow tracking  Key insight  Using system call/API/Type revealing instruction as type resolution point  Two-way type resolution  Unique benefits to memory forensics and vulnerability discovery

27 Automatic Reverse Engineering of Program Data Structures from Binary Execution Zhiqiang Lin Xiangyu Zhang, Dongyan Xu Dept. of Computer Science and CERIAS Purdue University March 3 rd, 2010 The 17 th Annual Network and Distributed System Security Symposium

28 Backup: Path-sensitive memory reuse 1061 if (udp.len != 0) if (!audp_recv(&udp,&tmpclient,buf,3000)) { 1062 struct header *rc; 1063 struct llheader *llrc; 1064 char k=0; 1065 buf+=sizeof(struct llheader); 1066 udp.len-=sizeof(struct llheader); 1067 llrc=(struct llheader *)(buf-sizeof(struct llheader)); 1068 rc=(struct header *)buf; 1069 if (llrc->type == 0) { 1070 struct llheader ll; 1071 memset((void*)&ll,0,sizeof(struct llheader)); 919 case 'e': { 920 if (strlen(params[0]) > 1) switch (tolower(params[0][1])) { 921 case 's': { 922 struct escan_rec rc; 923 if (num_params \n"); 924 else { 925 memset((void*)&rc,0,sizeof(struct escan_rec)); (pudclient.c)

29 Backup: offline is needed sometimes Source Sinks Variable A gets defined Variable A dies (keep in the shadow log file) The type of Variable A gets resolved Backward

30 Backup: Vulnerability Discovery  Buffer overflow  Format string  Integer overflow fun_0x08048e76{ - 1052: char[13], - 1039: unused[1023],... - 0004: stack_frame_t, +0000: ret_addr_t, +0004: char*} input_t argv fun 0x0805f9a5 {..., - 0284: format_string_t[76], - 0208: unused[204], - 0004: stack_frame_t, +0000: ret_addr_t,...} input_trecv bss 0x0809ac80 {... +91952: int (malloc_arg_t), +91956: int (malloc_arg_t),...} input_t fread

Download ppt "Automatic Reverse Engineering of Program Data Structures from Binary Execution Zhiqiang Lin Xiangyu Zhang, Dongyan Xu Dept. of Computer Science and CERIAS."

Similar presentations

Christo Wilson Project 2: User Programs in Pintos

Christo Wilson Project 2: User Programs in Pintos
Smashing the Stack for Fun and Profit

Smashing the Stack for Fun and Profit
ByteWeight: Learning to Recognize Functions in Binary Code

ByteWeight: Learning to Recognize Functions in Binary Code
Native x86 Decompilation Using Semantics-Preserving Structural Analysis and Iterative Control-Flow Structuring Edward J. Schwartz *, JongHyup Lee ✝, Maverick.

Native x86 Decompilation Using Semantics-Preserving Structural Analysis and Iterative Control-Flow Structuring Edward J. Schwartz *, JongHyup Lee ✝, Maverick.
The art of exploitation

The art of exploitation
Chapter 7 Process Environment Chien-Chung Shen CIS, UD

Chapter 7 Process Environment Chien-Chung Shen CIS, UD
Dec 5, 2007University of Virginia1 Efficient Dynamic Tainting using Multiple Cores Yan Huang University of Virginia Dec. 5 2007.

Dec 5, 2007University of Virginia1 Efficient Dynamic Tainting using Multiple Cores Yan Huang University of Virginia Dec
Review: Software Security David Brumley Carnegie Mellon University.

Review: Software Security David Brumley Carnegie Mellon University.
TaintCheck and LockSet LBA Reading Group Presentation by Shimin Chen.

TaintCheck and LockSet LBA Reading Group Presentation by Shimin Chen.
Memory Image of Running Programs Executable file on disk, running program in memory, activation record, C-style and Pascal-style parameter passing.

Memory Image of Running Programs Executable file on disk, running program in memory, activation record, C-style and Pascal-style parameter passing.
PC hardware and x86 3/3/08 Frans Kaashoek MIT

PC hardware and x86 3/3/08 Frans Kaashoek MIT
1 Function Calls Professor Jennifer Rexford COS 217 Reading: Chapter 4 of “Programming From the Ground Up” (available online from the course Web site)

1 Function Calls Professor Jennifer Rexford COS 217 Reading: Chapter 4 of “Programming From the Ground Up” (available online from the course Web site)
Practical Session 3. The Stack The stack is an area in memory that its purpose is to provide a space for temporary storage of addresses and data items.

Practical Session 3. The Stack The stack is an area in memory that its purpose is to provide a space for temporary storage of addresses and data items.
1 Homework Reading –PAL, pp 201-216, 297-312 Machine Projects –Finish mp2warmup Questions? –Start mp2 as soon as possible Labs –Continue labs with your.

1 Homework Reading –PAL, pp , Machine Projects –Finish mp2warmup Questions? –Start mp2 as soon as possible Labs –Continue labs with your.
High-Level Language Interface Chapter 17 S. Dandamudi.

High-Level Language Interface Chapter 17 S. Dandamudi.
6.828: PC hardware and x86 Frans Kaashoek

6.828: PC hardware and x86 Frans Kaashoek
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2011.

CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2011.
Exploiting Buffer Overflows on AIX/PowerPC HP-UX/PA-RISC Solaris/SPARC.

Exploiting Buffer Overflows on AIX/PowerPC HP-UX/PA-RISC Solaris/SPARC.
The Structure of Processes. What is a Process? an instance of running program Program vs process(task) Program : just a passive collection of instructions.

The Structure of Processes. What is a Process? an instance of running program Program vs process(task) Program : just a passive collection of instructions.
Chapter 0.2 – Pointers and Memory. Type Specifiers  const  may be initialised but not used in any subsequent assignment  common and useful  volatile.

Chapter 0.2 – Pointers and Memory. Type Specifiers  const  may be initialised but not used in any subsequent assignment  common and useful  volatile.

Similar presentations

Ads by Google