[2011 CodeEngn Conference 05] Deok9 - Program Vulnerability Analysis Using DBI (Dynamic Binary Instrumentation)

Published at: 2011 CodeEngn Conference 05

DBI stands for Dynamic Binary Instrumentation. It is a technique for inserting arbitrary code, written for a special purpose, into a process or program while it is running. With it you can handle dynamically generated code, locate specific code, and analyze a running process. It is mainly used in computer architecture research and in program and thread analysis. This talk introduces DBI through the concept of taint analysis, the available tools and how to use them, simple examples, and the analysis of a recent vulnerability.

http://codeengn.com/conference/05

Slide 1: Program Vulnerability Analysis Using DBI
Deok9, CodeEngn Co-Administrator (DDeok9@gmail.com)
2011.7.2, www.CodeEngn.com, CodeEngn ReverseEngineering Conference

Slide 2: Outline
• What is DBI?
• Before that
• How?
• A simple example
• Demo!

Slide 3: What is DBI?
• Instrumentation
  Keyword: insert code in order to gather information
• Dynamic Binary Instrumentation
  Keywords: running program, special purpose, insert code
  (diagram: arbitrary code is inserted into the program while it is running)
Slide 4: Static Analysis
• Summary
  - Without running the program
  - Considers all execution paths in the program
  - Tools: Sonar, cppcheck, Prevent, Klocwork

Slide 5: Static Analysis
(diagram: where static checking sits in the development cycle: Check Out -> Coding -> Compile Error -> Modify -> Defect -> Check In)

Slide 6: Dynamic Analysis
• Summary
  - The program is run
  - Considers a single execution path
  - The result depends on the input

Slide 7: Winner
• Dynamic analysis
  More precise, because it works with the real values present at run time
  (the trade-off is coverage: only the path the given input drives is observed)
• if ( you think of OllyDbg & the IDA disassembler )
  easy to understand
Slide 8: Source Analysis
• Source analysis
  - Language dependent
  - Access to high-level information
  - Tools: Source Insight

Slide 9: Binary Analysis
• Binary analysis
  - Platform dependent
  - Access to low-level information, e.g. registers
  - Complexity, lack of higher-level semantics, code obfuscation

Slide 10: Draw
• Binary analysis: the original source code is not needed
• Source analysis: you just read the source
Slide 11: SBI
• Static Binary Instrumentation
  - Done before the program is run
  - Rewrites object code or executable code
  - Disassemble -> instrument

Slide 12: DBI
• Dynamic Binary Instrumentation
  - Done at run time
  - Performed by an external process grafted onto the client process

Slide 13: Winner
• DBI
  1. The client program does not need to be prepared in advance
  2. Naturally covers all client code (including dynamically generated code, see slide 14)

Slide 14: Usefulness of DBI
• No recompiling or relinking needed
• Find specific code while it executes
• Handles dynamically generated code
• Analyze a running process

Slide 15: Uses
• Trace generation
• Fault tolerance studies
• Emulating new instructions
• Code coverage -> t (executed) / all * 100
• Memory-leak detection
• Thread profiling
• And so on . . .
Slide 16: Before that
• Taint analysis
  A kind of information-flow analysis
  Follows how data coming from an external input affects the rest of the program

Slide 17: Taint propagation
(diagram: an operation on a Tainted operand and an Untainted operand yields a Tainted result)

Slide 18: Taint propagation
(diagram: taint flowing from Untrusted source 1 and Untrusted source 2 through the program)

Slide 19: Use
• Detecting flaws
  if ( tracking user data == available )
  I can see where the untrusted data goes
• Data lifetime analysis
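To make the propagation rules on slides 17 and 18 concrete, here is an added example (not code from the talk, and not Pin code) that models bit-precise taint propagation through AND, OR, XOR and ADD in plain C++. Pin itself does not track taint; a Pintool would call routines like these from INS_InsertCall on each ALU instruction, passing the concrete operand values with IARG_REG_VALUE. The struct and function names are my own.

```cpp
// Added example: bit-precise taint propagation through the ALU operations a
// Pintool's analysis routines would see. Not code from the talk or from Pin;
// it models the rules in plain C++ so they can be run without Pin.
#include <cstdint>
#include <cstdio>

struct TVal {
    uint32_t v;  // concrete value observed at run time
    uint32_t t;  // taint mask: bit i set => bit i of v depends on untrusted input
};

static TVal t_const(uint32_t v) { return TVal{v, 0u}; }           // immediate or clean data
static TVal t_input(uint32_t v) { return TVal{v, 0xFFFFFFFFu}; }  // data read from an untrusted source

static bool is_tainted(const TVal& x) { return x.t != 0u; }

// AND: a result bit depends on input only if the other operand does not force it to 0,
// i.e. the other operand's bit is 1 or is itself tainted.
static TVal t_and(const TVal& a, const TVal& b) {
    uint32_t t = (a.t & (b.v | b.t)) | (b.t & (a.v | a.t));
    return TVal{a.v & b.v, t};
}

// OR: a result bit depends on input only if the other operand does not force it to 1.
static TVal t_or(const TVal& a, const TVal& b) {
    uint32_t t = (a.t & (~b.v | b.t)) | (b.t & (~a.v | a.t));
    return TVal{a.v | b.v, t};
}

// XOR: every result bit depends on both operand bits, so the masks are unioned.
// The exception is "xor reg, reg", which compilers emit to zero a register: the
// result is a constant 0 and carries no taint. Same-operand is detected by identity.
static TVal t_xor(const TVal& a, const TVal& b) {
    if (&a == &b) return TVal{0u, 0u};
    return TVal{a.v ^ b.v, a.t | b.t};
}

// ADD: carries only travel upward, so the lowest tainted bit and everything above it
// becomes tainted, while the bits below it stay clean.
static TVal t_add(const TVal& a, const TVal& b) {
    uint32_t t = a.t | b.t;
    uint32_t low = t & (0u - t);  // isolate the lowest tainted bit (0 if none)
    uint32_t mask = 0u - low;     // that bit and all bits above it
    return TVal{a.v + b.v, mask};
}

static void show(const char* what, const TVal& x) {
    std::printf("%-22s value=%08X taint=%08X %s\n", what, x.v, x.t,
                is_tainted(x) ? "TAINTED" : "clean");
}

int main() {
    TVal a = t_input(0x41u);  // e.g. a byte that arrived via recv()/fread()
    show("a = input", a);
    show("a & 0xFF", t_and(a, t_const(0xFFu)));   // low byte still tainted
    show("a & 0", t_and(a, t_const(0u)));         // forced to 0: clean
    show("a | 0xFF", t_or(a, t_const(0xFFu)));    // low byte forced to 1: clean, rest tainted
    show("a ^ 0xFF", t_xor(a, t_const(0xFFu)));   // fully tainted
    show("a ^ a", t_xor(a, a));                   // register zeroing: clean
    show("0x1000 + (a & 0xFF)", t_add(t_const(0x1000u), t_and(a, t_const(0xFFu))));
    return 0;
}
```

The AND rule is the one hinted at in the quiz at the end of the deck: with a tainted A, the bits of B that are 1 let A's taint through and the bits that are 0 kill it. A byte-granular or value-granular tracker would instead mark the whole result tainted whenever any operand is, which is simpler but reports many more false flows.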
Slide 20: How?
• Dynamic Binary Instrumentation tools
  Pin: Windows, Linux, Mac; intermediate language
  DynamoRIO: Windows, Linux, Mac
  TEMU: Windows, Linux; QEMU based
  Valgrind: Linux

Slide 21: How?
• Use a Pin tool
  Windows, Linux, Mac OS X
  Custom code ( C or C++ )
  Can attach to an already running process
  Extensive API
  Pinheads (the Pin users mailing list)

Slide 22: Pin?
• http://pintool.org
  A kind of JIT ( Just In Time ) compiler
  Its input is not bytecode but a regular executable
  It intercepts the instructions about to run, generates new code (the original instructions plus the inserted analysis calls) and executes that instead

Slide 23: Pin?
  Pin: the instrumentation engine
  Pintool: the instrumentation tool (your C/C++ code, loaded into Pin)
  Application: the target program or process
Slides 24-28: Pin?
(figures only: diagrams of how Pin, the Pintool and the application fit together)
Slide 29: Install
• if ( installing on Windows )
  you need Visual C++
• else if ( installing on Linux )
  you need gcc-c++
• else if ( installing on 64-bit Mac )
  not available

Slide 30: A Simple Example
• inscount, itrace and pinatrace (the sample tools shipped with Pin)
• Proceed by modifying the code step by step: inscount -> modify -> itrace -> modify -> pinatrace

Slide 31: inscount
- Counts the total number of instructions executed

Slide 32: Modify inscount
(figure: source code)

Slide 33: itrace
• itrace
  Instruction address trace
  Shows how to pass arguments to the analysis routine
  Useful for understanding the control flow of a program when debugging

Slide 34: itrace
(figure: source code)

Slide 35: Modify itrace
(figure: source code)

Slide 36: INS_InsertPredicatedCall?
Used to avoid generating references for instructions that are predicated when the predicate is false.
Predication is a general architectural feature of IA-64; on IA-32/Intel 64 the only predicated instructions are CMOVcc and REP-prefixed string operations, so a memory trace built with a plain InsertCall would log accesses that never actually happen.

Slide 37: pinatrace
• pinatrace
  Memory reference trace
  Useful for debugging and for simulating a processor's data cache

Slide 38: pinatrace
Reading one line of the trace output:
  770B89DA : address of the instrumented instruction (the instrumentation point)
  R/W : access type
  0023F434 : the memory address accessed (&address)
  4 : size of the access in bytes
  0x01 : the value at that address (*address)
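The trace on slide 38 is only useful once you post-process it, which is what the Vera visualization in the next slides does graphically. The following added example (not code from the talk, and not one of Pin's sample tools) does the textual version in plain C++: it parses pinatrace-style lines and reports which instruction overwrote a watched stack slot. The exact line layout "<ip>: <R|W> <addr> <size> <value>" is an assumption based on the fields explained on the slide, and the trace in the block is constructed by hand to look like a copy loop running off the end of a stack buffer.

```cpp
// Added example: post-processing a pinatrace-style memory reference trace to
// find which instruction overwrote a watched memory slot. Not code from the
// talk or from Pin; the line layout and the sample trace are assumptions.
#include <cstdint>
#include <cstdio>
#include <sstream>
#include <string>
#include <vector>

struct MemRef {
    uint32_t ip;     // address of the instrumented instruction
    char     kind;   // 'R' or 'W'
    uint32_t addr;   // memory address accessed
    uint32_t size;   // access size in bytes
    uint32_t value;  // value at addr as logged by the tool
};

// Parse one trace line; returns false (and the line is skipped) on anything malformed.
static bool parse_line(const std::string& line, MemRef& out) {
    std::istringstream in(line);
    std::string ip, kind, addr, size, value;
    if (!(in >> ip >> kind >> addr >> size >> value)) return false;
    if (ip.size() < 2 || ip.back() != ':') return false;
    if (kind != "R" && kind != "W") return false;
    try {
        out.ip    = static_cast<uint32_t>(std::stoul(ip.substr(0, ip.size() - 1), nullptr, 16));
        out.kind  = kind[0];
        out.addr  = static_cast<uint32_t>(std::stoul(addr, nullptr, 16));
        out.size  = static_cast<uint32_t>(std::stoul(size, nullptr, 10));
        out.value = static_cast<uint32_t>(std::stoul(value, nullptr, 16));
    } catch (...) {
        return false;
    }
    return out.size >= 1 && out.size <= 16;
}

static std::vector<MemRef> parse_trace(const std::string& text) {
    std::vector<MemRef> refs;
    std::istringstream lines(text);
    std::string line;
    while (std::getline(lines, line)) {
        MemRef r;
        if (parse_line(line, r)) refs.push_back(r);
    }
    return refs;
}

// All writes whose byte range [addr, addr+size) overlaps the watched range [lo, hi).
static std::vector<MemRef> writes_into(const std::vector<MemRef>& refs, uint32_t lo, uint32_t hi) {
    std::vector<MemRef> hits;
    for (const MemRef& r : refs)
        if (r.kind == 'W' && r.addr < hi && r.addr + r.size > lo) hits.push_back(r);
    return hits;
}

// Instruction address of the last write covering addr, or 0 if nothing wrote it.
static uint32_t last_writer(const std::vector<MemRef>& refs, uint32_t addr) {
    uint32_t ip = 0;
    for (const MemRef& r : refs)
        if (r.kind == 'W' && addr >= r.addr && addr < r.addr + r.size) ip = r.ip;
    return ip;
}

// Constructed sample: a copy loop at 770B89DA reads a 0x41-filled source and writes
// 4 bytes at a time up a stack buffer at 0023F434, running past its end into the
// saved return address slot at 0023F44C; the function's RET then reads that slot.
static const char* const SAMPLE_TRACE =
    "770B89DA: R 0023F4A0 4 0x41414141\n"
    "770B89DA: W 0023F434 4 0x41414141\n"
    "770B89DA: R 0023F4A4 4 0x41414141\n"
    "770B89DA: W 0023F438 4 0x41414141\n"
    "770B89DA: R 0023F4A8 4 0x41414141\n"
    "770B89DA: W 0023F43C 4 0x41414141\n"
    "770B89DA: R 0023F4AC 4 0x41414141\n"
    "770B89DA: W 0023F440 4 0x41414141\n"
    "770B89DA: R 0023F4B0 4 0x41414141\n"
    "770B89DA: W 0023F444 4 0x41414141\n"
    "770B89DA: R 0023F4B4 4 0x41414141\n"
    "770B89DA: W 0023F448 4 0x41414141\n"
    "770B89DA: R 0023F4B8 4 0x42424242\n"
    "770B89DA: W 0023F44C 4 0x42424242\n"
    "#eof\n"                                // malformed line, skipped by the parser
    "00401234: R 0023F44C 4 0x42424242\n";  // RET popping the overwritten return address

int main() {
    const uint32_t ret_slot = 0x0023F44Cu;
    std::vector<MemRef> refs = parse_trace(SAMPLE_TRACE);
    std::printf("%zu references parsed\n", refs.size());
    for (const MemRef& w : writes_into(refs, ret_slot, ret_slot + 4))
        std::printf("write to return-address slot: ip=%08X addr=%08X size=%u value=%08X\n",
                    w.ip, w.addr, w.size, w.value);
    std::printf("last writer of %08X: %08X\n", ret_slot, last_writer(refs, ret_slot));
    return 0;
}
```

In a real session you would take the return-address slot from the frame layout the debugger shows, and the single instruction address that wrote every slot from the buffer start through the return address is the copy loop you then look up in IDA.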
Slide 39: Vera
• Use Vera!
  ShmooCon 2011, Danny Quist
  "Visualizing Executables for Reversing & Analysis"
  Better OEP detection, and an IDA Pro plugin

Slide 40: Demo!
• if ( you use DBI with Vera )
  you will see the memory flow ( easily )
• And
  you will see the difference in pattern between the vulnerable program and the patched one

Slide 41: Demo!
(figure: demo screenshots)

Slide 42: Zero-day!
1. Hook the vulnerable functions
   strcpy, strcat, sprintf, scanf, fscanf, strstr, strchr
2. And monitor ESI (typically the source pointer of the copy loop)
3. Olleh! It's possible to modify the parameters

Slides 43-44: Zero-day!
(figures only)
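The three steps on slide 42 amount to an analysis routine that runs before the hooked function, inspects its arguments and, when the copy would overflow, changes them. The following added example (not code from the talk, and not Pin code) models that routine in plain C++ for strcpy and strcat. In a Pintool the same checks would run from an RTN_InsertCall hook that receives dst and src via IARG_FUNCARG_ENTRYPOINT_VALUE; here the destination bounds come from a hand-maintained shadow map (which a real tool would fill from a malloc hook or the known stack frame), the class and function names are my own, and the test buffer and input are constructed.

```cpp
// Added example: plain C++ model of the analysis routine behind "hook the
// vulnerable function, inspect the source argument, modify the parameters".
// Not code from the talk or from Pin; bounds come from a hand-maintained map.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <map>

enum Verdict { kUnknownDst, kSafe, kOverflow };

// Shadow record of buffers whose bounds the tool learned (malloc hook, known stack frame).
class BoundsTracker {
public:
    void track(const void* base, size_t size) { bufs_[reinterpret_cast<uintptr_t>(base)] = size; }
    // Bytes from p to the end of the tracked buffer containing it; false if p is not tracked.
    bool room_from(const void* p, size_t& avail) const {
        uintptr_t a = reinterpret_cast<uintptr_t>(p);
        auto it = bufs_.upper_bound(a);  // first buffer starting after a
        if (it == bufs_.begin()) return false;
        --it;                            // candidate buffer starting at or before a
        if (a >= it->first + it->second) return false;
        avail = it->first + it->second - a;
        return true;
    }
private:
    std::map<uintptr_t, size_t> bufs_;
};

// Analysis routine for strcpy(dst, src): needed = bytes the call would write.
static Verdict check_strcpy(const BoundsTracker& bt, const char* dst, const char* src,
                            size_t& needed, size_t& avail) {
    needed = std::strlen(src) + 1;
    if (!bt.room_from(dst, avail)) return kUnknownDst;
    return needed <= avail ? kSafe : kOverflow;
}

// Analysis routine for strcat(dst, src): bytes already in dst consume part of the room.
static Verdict check_strcat(const BoundsTracker& bt, const char* dst, const char* src,
                            size_t& needed, size_t& avail) {
    needed = std::strlen(dst) + std::strlen(src) + 1;
    if (!bt.room_from(dst, avail)) return kUnknownDst;
    return needed <= avail ? kSafe : kOverflow;
}

// Step 3 of the slide: instead of letting the original strcpy run, rewrite the call as
// a bounded copy. Returns true if the original call was allowed through unchanged.
static bool guarded_strcpy(const BoundsTracker& bt, char* dst, const char* src) {
    size_t needed = 0, avail = 0;
    Verdict v = check_strcpy(bt, dst, src, needed, avail);
    if (v == kOverflow) {
        std::printf("strcpy(%p, ...) would write %zu bytes into %zu: truncating\n",
                    static_cast<void*>(dst), needed, avail);
        std::memcpy(dst, src, avail - 1);  // avail >= 1 whenever dst lies inside a tracked buffer
        dst[avail - 1] = '\0';
        return false;
    }
    if (v == kUnknownDst)
        std::printf("strcpy(%p, ...): destination not tracked, %zu bytes pass unchecked\n",
                    static_cast<void*>(dst), needed);
    std::strcpy(dst, src);
    return true;
}

int main() {
    BoundsTracker bt;
    char stack_buf[16];  // stands in for the local array of the vulnerable function
    bt.track(stack_buf, sizeof stack_buf);

    const char* attacker = "AAAAAAAAAAAAAAAAAAAAAAAA";  // 24 bytes + NUL, constructed input
    size_t needed = 0, avail = 0;
    Verdict v = check_strcpy(bt, stack_buf, attacker, needed, avail);
    std::printf("strcpy verdict=%d needed=%zu avail=%zu\n", v, needed, avail);
    guarded_strcpy(bt, stack_buf, attacker);
    std::printf("buffer now holds %zu chars\n", std::strlen(stack_buf));
    v = check_strcat(bt, stack_buf, "B", needed, avail);
    std::printf("strcat verdict=%d needed=%zu avail=%zu\n", v, needed, avail);
    return 0;
}
```

The sprintf/scanf family on the same slide needs the format string parsed to know how many bytes will be produced, and strstr/strchr are read-side hooks where the interesting argument is the length of the unterminated input; the shadow map and the verdict logic stay the same, only the "needed" computation changes.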
Slide 45: References
• http://translate.google.co.kr/?hl=ko&tab=wT
• http://www.pintool.org/
• http://www.youtube.com/watch?v=9nlWbDdxKjw
Slide 46: Q & A
Slide 47: Quiz
In an OR or XOR operation, assuming A is a tainted value ( 1 ), for what value of B do we say the result "is tainted"?
Please give the answer and a short reason.
hint ) For AND, the result is tainted when B is 1.
