
Instrumentation - initial results Sung Kim, Jeff Perkins MIT.



Presentation on theme: "Instrumentation - initial results Sung Kim, Jeff Perkins MIT."— Presentation transcript:

1 Instrumentation - initial results Sung Kim, Jeff Perkins MIT

2 Front-end
Front-end: observe/record the status of some interesting data in software.
Data flow: Running Program -> Front-end (instrumented code) -> Daikon input file -> Daikon Invariant Detector

3 Windows front-end
Based on DynamoRIO, a tool developed by Determina.
Uses debug information.
Records function enter and exit points.
Records parameter values at function enter/exit points.
Currently it only supports:
  Primitive data types
  String (char *)

4 Windows front-end (architecture)
Windows binary -> DynamoRIO instrumentation (hooks CALL and RET) -> instrumented Windows binary
Windows program database -> Debug Interface Access SDK -> symbol table -> symbol data file
Symbol mapping & value fetching logic -> Daikon input file

5 Simple Program (buffer.c*)

    void decode (char *request_data, char *user_id, char *password, char *hostid)
    {
        [...]
        return;
    }

    main ()
    {
        [...]
        decode (data, "jhp", "stata", "\200\036\124\056");
        [...]
    }

* From "Exploiting Software: How to Break Code" by Greg Hoglund and Gary McGraw

6 Simple Program (buffer.exe)

    buffer!decode:
        push ebp
        mov  ebp,esp
        [...]
        mov  esp,ebp
        pop  ebp
        ret

7 Simple Program (buffer.exe)

    buffer!decode:
        push ebp
        mov  ebp,esp
        [...]
        mov  esp,ebp
        pop  ebp
        ret

Add instrument code.

8 Simple Program (buffer.exe)

    buffer!decode:
        push ebp
        mov  ebp,esp
        [...]
        mov  esp,ebp
        pop  ebp
        ret

Instrument code inserted at the function entry point:

        push %esp
        call print
        [...]

Instrument code inserted at the function exit point:

        push %eax
        call print
        [...]

9 Daikon Input File (dtrace)

    ..decode (char *, char *, char *, char *):::ENTER
    request_data "id=jhp0&pw=stata0" 1
    user_id "" 1
    password "" 1
    hostid "€T." 1

10 Challenges - CALL address mismatch

    main:
        push x
        push y
        [...]
        call (foo) 00401005
        [...]

    0x401005:
        jmp 004010ad

    0x400a0ad (real foo):
        mov eax,x
        add eax,y
        ret

11 Challenges - CALL address mismatch

    main:
        push x
        push y
        [...]
        call (foo) 00401005
        [...]

    0x401005:
        jmp 004010ad

    0x400a0ad (real foo):
        mov eax,x
        add eax,y
        ret

Check the instruction address after a CALL to find the function.
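The CALL target on slides 10 and 11 is only a jmp to the real function, so looking the CALL target up in the symbol table names the wrong function. The slides' fix is dynamic: look at the instruction address actually executed after the CALL. As an added example (not the authors' front-end code), the C below shows the static counterpart: follow unconditional jmp thunks from the CALL target until a non-jmp instruction is reached. The byte image, BASE, read_byte, read_i32 and resolve_thunks are all constructed for this example; the image is laid out like slide 10, with the CALL target 0x401005 jumping to the real function at 0x4010ad, plus a chained thunk and a self-looping thunk to show the cycle guard.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed 32-bit code window standing in for the bytes the tracer
 * would read at a CALL target.  Layout mirrors slide 10: the CALL goes
 * to 0x401005, which is only a jmp to the real function at 0x4010ad. */
#define BASE 0x00401000u

static const uint8_t image[] = {
    0xCC, 0xCC, 0xCC, 0xCC, 0xCC,   /* 0x401000: padding (int3) */
    0xE9, 0xA3, 0x00, 0x00, 0x00,   /* 0x401005: jmp 0x4010ad (E9 rel32 = 0x4010ad - 0x40100a) */
    0xEB, 0xF9,                     /* 0x40100a: jmp 0x401005 (EB rel8 = -7): thunk to a thunk */
    0xEB, 0xFE,                     /* 0x40100c: jmp 0x40100c: self-loop, must not hang the tracer */
};

/* Read one byte of the simulated image; returns 0 if addr is outside it. */
static int read_byte(uint32_t addr, uint8_t *out) {
    if (addr < BASE || addr - BASE >= sizeof image) return 0;
    *out = image[addr - BASE];
    return 1;
}

/* Little-endian 32-bit read used for rel32 displacements. */
static int read_i32(uint32_t addr, int32_t *out) {
    uint32_t v = 0;
    for (int i = 0; i < 4; i++) {
        uint8_t b;
        if (!read_byte(addr + i, &b)) return 0;
        v |= (uint32_t)b << (8 * i);
    }
    *out = (int32_t)v;
    return 1;
}

/* Follow unconditional jmp thunks (E9 rel32 and EB rel8) starting at the
 * CALL target and return the address of the first non-jmp instruction,
 * i.e. the function the symbol table should be consulted for.  Bytes
 * outside the window are treated as real code.  Returns 0 if more than
 * max_hops jumps are chained (a cycle or a corrupt image).  Import
 * thunks (FF 25, jmp [iat_slot]) need the IAT and are not handled here. */
uint32_t resolve_thunks(uint32_t addr, int max_hops) {
    for (int hop = 0; hop < max_hops; hop++) {
        uint8_t op;
        if (!read_byte(addr, &op)) return addr;
        if (op == 0xE9) {                 /* jmp rel32: target = next_ip + rel32 */
            int32_t rel;
            if (!read_i32(addr + 1, &rel)) return addr;
            addr = addr + 5 + (uint32_t)rel;
        } else if (op == 0xEB) {          /* jmp rel8: target = next_ip + rel8 */
            uint8_t rel;
            if (!read_byte(addr + 1, &rel)) return addr;
            addr = addr + 2 + (uint32_t)(int8_t)rel;
        } else {
            return addr;                  /* not a thunk: this is the function body */
        }
    }
    return 0;
}

int main(void) {
    printf("call target 0x%08x -> real function 0x%08x\n",
           0x401005u, (unsigned)resolve_thunks(0x401005u, 8));
    printf("call target 0x%08x -> real function 0x%08x\n",
           0x40100au, (unsigned)resolve_thunks(0x40100au, 8));
    printf("self-looping thunk resolves to 0x%08x (0 = cycle)\n",
           (unsigned)resolve_thunks(0x40100cu, 8));
    return 0;
}
```

The dynamic check on slide 11 and this static walk agree on well-formed thunks; the static walk is cheaper (no per-call instrumentation) but needs the image bytes, while the dynamic check also covers targets computed at run time.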

12 Challenges – CALL/RET pair mismatch

    00 INDIRECT CALL @ 0x7c816fce to 0x7c90e642
    00 stack: 0x7c816fd4 0xfffffffe
    01 INDIRECT CALL @ 0x7c90e64c to 0x7c915a65
    01 stack: 0x7c90e64e 0x7c816fd4
    01 RETURN @ 0x7c90e64e to 0x7c816fd4
    [...]
    27 CALL @ 0x7c9132f3 to 0x7c90e3e1
    27 stack: 0x000007e4 0x0012fe7c
    28 INDIRECT CALL @ 0x7c90e3eb to 0x00300014
    28 stack: 0x7c90e3ed 0x7c9132f8
    28 RETURN @ 0x7c90e3ed to 0x7c9132f8
    28 return value: 0x00000000
    27 RETURN @ 0x7c91330f to 0x7c81cd91
    27 return value: 0x00000000
    27 INDIRECT CALL @ 0x7c81cd94 to 0x7c90e88e
    27 stack: 0x7c81cd96 0xffffffff
    28 INDIRECT CALL @ 0x7c90e898
    28 stack: 0x7c90e89a 0x7c81cd96


14 Challenges – CALL/RET pair mismatch

CALL/RET address table:
    CALL: store the next instruction address
    RET:  check the return address
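The CALL/RET address table of slide 14 is a shadow stack: push the next-instruction address on every CALL, compare on every RET. The trace on slide 12 shows why a plain push/pop is not enough: at depth 01 the RET at 0x7c90e64e goes to 0x7c816fd4, the outer frame, because the inner callee's return was never observed. The C below is an added example (not the authors' front-end code) of a shadow stack that, on a RET whose target is not on top, unwinds the skipped frames instead of letting them corrupt every later pairing, and counts each kind of outcome so the mismatch is visible in the tracer's output. shadow_t, shadow_call, shadow_ret, event_t and run_demo are names invented here; the demo event stream is constructed from the next-instruction and return addresses on slide 12, with one made-up final RET to an address that was never a return site.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SHADOW_MAX 256

/* Shadow stack of expected return addresses: the CALL/RET address table
 * of slide 14, with counters that make pairing failures visible. */
typedef struct {
    uint32_t ret_addr[SHADOW_MAX];
    int depth;
    int matched;    /* RETs that went to the address on top of the stack */
    int unwound;    /* frames popped because a RET skipped over them */
    int unmatched;  /* RETs to an address nowhere on the shadow stack */
    int overflow;   /* CALLs dropped because the shadow stack was full */
} shadow_t;

void shadow_init(shadow_t *s) { memset(s, 0, sizeof *s); }

/* On CALL: store the address of the instruction after the CALL. */
void shadow_call(shadow_t *s, uint32_t next_instr) {
    if (s->depth == SHADOW_MAX) { s->overflow++; return; }
    s->ret_addr[s->depth++] = next_instr;
}

/* On RET: find the actual target on the shadow stack.  A hit on top is a
 * normal pair; a hit deeper means the frames above it never returned
 * through a RET the tracer saw (sysenter/sysexit, longjmp, exception),
 * so they are unwound rather than left to corrupt later pairing.
 * Returns the number of frames popped, 0 if the target was not found. */
int shadow_ret(shadow_t *s, uint32_t target) {
    for (int i = s->depth - 1; i >= 0; i--) {
        if (s->ret_addr[i] == target) {
            int popped = s->depth - i;
            s->depth = i;
            s->matched++;
            s->unwound += popped - 1;
            return popped;
        }
    }
    s->unmatched++;
    return 0;
}

/* Constructed event stream modelled on the trace of slide 12: 'C' carries
 * the next-instruction address after a CALL, 'R' the target of a RET. */
typedef struct { char kind; uint32_t addr; } event_t;

static const event_t demo[] = {
    {'C', 0x7c816fd4},  /* INDIRECT CALL @ 0x7c816fce, next instr 0x7c816fd4 */
    {'C', 0x7c90e64e},  /* INDIRECT CALL @ 0x7c90e64c, next instr 0x7c90e64e */
    {'R', 0x7c816fd4},  /* RETURN to 0x7c816fd4: the 0x7c90e64e frame's RET was never seen */
    {'C', 0x7c9132f8},  /* CALL @ 0x7c9132f3, next instr 0x7c9132f8 */
    {'C', 0x7c90e3ed},  /* INDIRECT CALL @ 0x7c90e3eb, next instr 0x7c90e3ed */
    {'R', 0x7c90e3ed},  /* matched */
    {'R', 0x7c9132f8},  /* matched */
    {'R', 0x00400000},  /* constructed: RET to an address that was never a return site */
};

/* Replay the demo stream; returns the final shadow-stack depth. */
int run_demo(shadow_t *s) {
    shadow_init(s);
    for (size_t i = 0; i < sizeof demo / sizeof demo[0]; i++) {
        if (demo[i].kind == 'C') shadow_call(s, demo[i].addr);
        else shadow_ret(s, demo[i].addr);
    }
    return s->depth;
}

int main(void) {
    shadow_t s;
    int depth = run_demo(&s);
    printf("matched=%d unwound=%d unmatched=%d overflow=%d depth=%d\n",
           s.matched, s.unwound, s.unmatched, s.overflow, depth);
    return 0;
}
```

For the front-end, an unwound frame means the EXIT record for that function (and its return value) was never emitted, and an unmatched RET means the tracer's idea of the current function is wrong; both are worth logging alongside the dtrace output rather than silently ignored.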

15 Challenges – Validity of pointers

    main ()
    {
        char *ptr;   // no initialization
        foo(ptr);
    }

    foo (char * ptr)
    {
        *ptr = 'c';
    }


17 Challenges – Validity of pointers

Problems:
  1. At the foo enter point ptr is not initialized
  2. Not clear if ptr is a string (series of chars) or a single char pointer

    main ()
    {
        char *ptr;   // no initialization
        foo(ptr);
    }

    foo (char * ptr)
    {
        *ptr = 'c';
    }

18 Challenges – Validity of pointers

Problems:
  1. At the foo enter point ptr is not initialized
  2. Not clear if ptr is a string (series of chars) or a single char pointer

    main ()
    {
        char *ptr;   // no initialization
        foo(ptr);
    }

    foo (char * ptr)
    {
        *ptr = 'c';
    }

Partial solutions:
  1. Check if a given address is valid
  2. Check if the pointer (char *) is NULL terminated within the MAX_STR_LEN range
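The two partial solutions on slide 18, worked through as an added example (not the authors' front-end code): addr_is_mapped asks the OS whether the page holding an address is mapped before the tracer touches it (VirtualQuery on Windows, which is the slides' platform; mincore on POSIX so the example runs elsewhere), and classify_char_ptr uses it to decide, byte by byte and never beyond MAX_STR_LEN, whether a char * parameter is an invalid pointer, a string, or a readable pointer that is not a string. MAX_STR_LEN is given a value of 256 here because the slide names it without one; the demo_* functions, their inputs and the address 8 standing in for the uninitialised ptr are constructed for the example.

```c
#define _DEFAULT_SOURCE
#define _GNU_SOURCE
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#else
#include <sys/mman.h>
#include <unistd.h>
#endif

/* Assumed bound; the slide names MAX_STR_LEN without giving a value. */
#define MAX_STR_LEN 256

typedef enum { PTR_INVALID, PTR_STRING, PTR_NOT_STRING } ptr_class_t;

/* Partial solution 1: is the page containing addr mapped in this process?
 * Windows: VirtualQuery; POSIX: mincore() fails with ENOMEM on unmapped
 * ranges.  On POSIX this tests mapping, not read permission (a PROT_NONE
 * guard page still passes), and any such check is racy against
 * concurrent unmapping, so it is a tracer's best effort, not a guarantee. */
int addr_is_mapped(const void *addr) {
#ifdef _WIN32
    MEMORY_BASIC_INFORMATION mbi;
    if (VirtualQuery(addr, &mbi, sizeof mbi) == 0) return 0;
    return mbi.State == MEM_COMMIT && !(mbi.Protect & (PAGE_NOACCESS | PAGE_GUARD));
#else
    static long page = 0;
    if (page == 0) page = sysconf(_SC_PAGESIZE);
    uintptr_t base = (uintptr_t)addr & ~((uintptr_t)page - 1);
    unsigned char vec[1];
    return mincore((void *)base, 1, (void *)vec) == 0;
#endif
}

/* Partial solution 2: classify a char * parameter at function entry.
 * Every byte is checked for mapping before it is read, so the
 * uninitialised ptr handed to foo() on slide 17 cannot fault the tracer.
 * PTR_STRING: NUL found within MAX_STR_LEN bytes (*len = length).
 * PTR_NOT_STRING: readable, but no terminator in range (a single char
 * or a raw buffer, which Daikon should get as a pointer, not a string). */
ptr_class_t classify_char_ptr(const char *p, size_t *len) {
    if (p == NULL) return PTR_INVALID;
    for (size_t i = 0; i <= MAX_STR_LEN; i++) {
        const char *q = p + i;
        if (!addr_is_mapped(q)) return i == 0 ? PTR_INVALID : PTR_NOT_STRING;
        if (*q == '\0') {
            if (len) *len = i;
            return PTR_STRING;
        }
    }
    return PTR_NOT_STRING;
}

/* Constructed inputs mirroring the slides' cases. */
long demo_literal_len(void) {           /* "jhp" from buffer.c: a string of length 3 */
    size_t n = 0;
    return classify_char_ptr("jhp", &n) == PTR_STRING ? (long)n : -1;
}
ptr_class_t demo_null(void) { return classify_char_ptr(NULL, NULL); }
ptr_class_t demo_unmapped(void) {       /* stands in for the uninitialised ptr: the low page is never mapped */
    return classify_char_ptr((const char *)(uintptr_t)8, NULL);
}
ptr_class_t demo_raw_buffer(void) {     /* readable bytes with no NUL inside MAX_STR_LEN */
    static char buf[MAX_STR_LEN + 2];
    memset(buf, 'x', sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    return classify_char_ptr(buf, NULL);
}

int main(void) {
    printf("\"jhp\"      -> string of length %ld\n", demo_literal_len());
    printf("NULL       -> class %d (0 = invalid)\n", (int)demo_null());
    printf("(char *)8  -> class %d (0 = invalid)\n", (int)demo_unmapped());
    printf("raw buffer -> class %d (2 = not a string)\n", (int)demo_raw_buffer());
    return 0;
}
```

In a real front-end the mapping check would be done once per page rather than once per byte, and the PTR_NOT_STRING case is the honest answer to problem 2: when no terminator is found in range, the value should be recorded as an address, not as a truncated string.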

19 Future Work
Need to support:
  – global variables
  – arrays and pointers: char *, char **, int []
  – complex and typedef data types: struct, typedef char * string
  – C++ method calls and classes

20 Instrumentation - initial results Sung Kim, Jeff Perkins MIT

