Light And Dark Side Of Code Instrumentation

  • 808 views
Uploaded on

 

More in: Technology
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
No Downloads

Views

Total Views
808
On Slideshare
0
From Embeds
0
Number of Embeds
0

Actions

Shares
Downloads
38
Comments
0
Likes
1

Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide

Transcript

  • 1. Light and Dark side of Code Instrumentation Dmitriy “D1g1″ Evdokimov DSecRG, Security Researcher
  • 2. #whoami• Security Researcher in DSecRG – RE – Fuzzing – Mobile security• Organizer: DCG #7812• Editor in “XAKEP”Digital Security Positive Hack Days 2012 2
  • 3. Agenda1. Instrumentation .2. Instrumentation ..3. Instrumentation …4. Instrumentation ….5. Instrumentation …..6. Instrumentation ……7. Instrumentation …….Digital Security Positive Hack Days 2012 3
  • 4. Intro“It has been proved by scientists that a new point of evolution, any technical progress appears when a Man makes up a new type of tool, but not a product.”Digital Security Positive Hack Days 2012 4
  • 5. InstrumentationInstrumentation is a technique adding extra code to an program/environment for monitoring/change some program behavior. Environment Program Program Own Own extra extra code codeDigital Security Positive Hack Days 2012 5
  • 6. Why is it necessary? Parallel optimization Simulation Memory debugging Virtualization Emulation Software profiling Performance analysis Testing Automated debugging Correctness checking Error detection Collecting code metrics Binary translation Optimization Memory leak detectionDigital Security Positive Hack Days 2012 6
  • 7. Instrumentation in information security Control flow analysis Security test case generation Unpack Code coverage Virtual patching Malware analysis Vulnerability detection Privacy monitoring Taint analysis Antivirus technology Sandboxing Program shepherding Data flow analysis Shellcode detection Deobfuscation Fuzzing Reverse engineering Behavior based security Forensic Transparent debugging Data Structure Restoring Security enforcementDigital Security Positive Hack Days 2012 7
  • 8. Analysis Criterion Static analysis Dynamic analysis Code vs. data Problem No problem Code coverage Big (but not all) One way Information about values No information All information Self-modifying code Problem No problem Interaction with the No Yes environment Unused code Analysis No analysis JIT code Problem No problemDigital Security Positive Hack Days 2012 8
  • 9. Code Discovery MemoryAfter static analysis 0101010110101001010010 Instr 1 After dynamic analysis 0101010101101010101010 Instr 2 Instr 3 1111010101110101000111 jump reg InstrDATA 4 Instr 1011100111001010101011 5 Instr 4 6 Instr Instr 7 5 jmp 0x0ABCD PADDING 0111010110100111100110 Instr 7 cont. Instr 8 1010101101110001001011 Instr 9 Instr 6 10 Instr Digital Security Positive Hack Days 2012 9
  • 10. The general scheme of code instrumentation1. Find points of instrumentation;2. Insert instrumentation;3. Take control from program;4. Save context of the program;5. Execute own code;6. Restore context of the program;7. Return control to program.Digital Security Positive Hack Days 2012 10
  • 11. Source Data Source data Source code Byte code Binary codeDigital Security Positive Hack Days 2012 11
  • 12. Classification of target instrumentation Instrumentation With source code Without source code Source code Byte code Binary code Linker/Compiler Byte code Executable file Interpreter/VM Process Environment Dynamic binary instrumentation Static binary modification Byte code instrumentation Link-time/Compilation-time Source code instrumentation Environment - Static instrumentation Hardware - Load-timeDigital- Dynamic Security Positive Hack Days 2012 12
  • 13. Source code instrumentation• Source code* – Source code instrumentation • Manual skills • Plugins for IDE – Link-time/Compilation-time instrumentation • Options of linker/compiler• Tools: Visual Studio Profiler, gcc, TAU, OPARI, Diablo, Phoenix, LLVM, Rational Purify, Valgrind *Unreal condition for security specialist =)Digital Security Positive Hack Days 2012 13
  • 14. Unmoral programmingDigital Security Positive Hack Days 2012 14
  • 15. Byte code instrumentationByte code – intermediate representation between source code and machine code. … Java VM Dalvik VM AVM/AVM2 CLRDigital Security Positive Hack Days 2012 15
  • 16. Instrumentation byte-code (I) Source code Compilation Byte-code Load Virtual machine Loader JIT Lib Execute Lib Lib Machine codeDigital Security Positive Hack Days 2012 16
  • 17. Instrumentation byte code (II)• Byte-code – Static instrumentation • Static byte code instrumentation – Load-time instrumentation • Custom byte code loader – Dynamic instrumentation • Dynamic byte code instrumentationDigital Security Positive Hack Days 2012 17
  • 18. Instrumentation Java (I) Mechanisms: • java.lang.instrument package; • Java Platform Debugger Architecture (JPDA) .Digital Security Positive Hack Days 2012 18
  • 19. Instrumentation Java (II)• Static instrumentation – Modification *.class files• Load-time instrumentation – ClassFileLoadHook – Custom ClassLoader• Dynamic instrumentation – ClassFileLoadHook -> RetransformClassesTools: Javassist, ObjectWeb ASM, BCEL, JOIE, reJ JavaSnoop, Serp, JManglerDigital Security Positive Hack Days 2012 19
  • 20. Instrumentation .NET• Static instrumentation – Modification DLL files• Load-time instrumentation – AppDomain.Load()/Assembly.Load() – Joint redirection – Via event handlerTools: ReFrameworker, MBEL, RAIL, CecilDigital Security Positive Hack Days 2012 20
  • 21. Instrumentation ActionScript (I)• ActionScript2 – AVM – Tags that (can) contain bytecode: • DefineButton (7), DefineButton2 (34), DefineSprite (39), DoAction (12), DoInitAction (59), PlaceObject2 (26), PlaceObject3 (70).• ActionScript3 – AVM2 – Tags that (can) contain bytecode: • DoABC (82), RawABC (72).Digital Security Positive Hack Days 2012 21
  • 22. AVM2 Architecture AS3 .abc function (x:int):int { return x+10 } .abc parser MIR JIT Compiler .abc @1 arg +8// argv getlocal 1 Verifier Bytecode MIR Code Generator @2 load [@1+4] pushint 10 @3 imm 10 add @4 add (@2,@3) returnvalue Interpreter MD Code Generator @5 ret @4 // @4:eax (x86, PPC, ARM, etc.) x86 Runtime System (Type System, Object Model) mov eax,(eap+8) mov eax,(eax+4) add eax,10 Memory Manager/Garbage Collector retDigital Security Positive Hack Days 2012 22
  • 23. Instrumentation ActionScript (I) AVM tag Original SWF file Header TagsInstrumentetedSWF file Digital Security Positive Hack Days 2012 23
  • 24. Instrumentation AVM (II)• Static instrumentation – Add : • trace() • dump() • debug() • debugfile() • debugline() – Modification: • Create own class + change class name = hook!Digital Security Positive Hack Days 2012 24
  • 25. Instrumentation binary code• The executable file • Environment – Static code instrumentation – Modifying call table • Static binary instrumentation • IDT, CPU MSRs, GDT, SSDT,• Process IRP тable – Debuggers • … • Debugging API – Modifying OS options – Modifying call table/other structure • SHIM • IAT • LD_PRELOAD • … • AppInt_DLLs – Dynamic code instrumentation • DLL injection • Dynamic binary instrumentation • …• Hardware – Reproduction of the – Hardware debug features environment • Debug registers • Emulation • Hardware debuggers • Virtualization • …Digital Security Positive Hack Days 2012 25
  • 26. Static Binary Instrumentation (I)Static binary instrumentation/Physical code integration/Static binary code rewriting Edited Header Header• Realization: Segment of Segment of code code – With reallocation: Segment of Segment of • Level of segment; data data • Level of function; Extra segment of code – Without reallocation. Extra segment of dataDigital Security Positive Hack Days 2012 26
  • 27. Static Binary Instrumentation (II)Reallocation:1) Function Displacement + Entry Point Linking;2) Branch Conversion;3) Instruction Padding;4) Instrumentation. Tools: DynInst, EEL, ATOM, PEBIL, ERESI, TAU, Vulcan, BIRD, Aslan(4514N)Digital Security Positive Hack Days 2012 27
  • 28. Debuggers• Breakpoints: • Software App Debugger • Hardware• Debugger + scripting: OS • WinDBG + pykd • OllyDBG + python = Immunity Debuggers Processor • GDB + PythonGDB• Python librarys*: Buggery, IDAPython, ImmLIB, lldb, PyDBG, PyDbgEng, pygdb , python-ptrace , vtrace, WinAppDbg, … *See “Python Arsenal for Reverse Engineering”Digital Security Positive Hack Days 2012 28
  • 29. Dynamic Binary InstrumentationDynamic binary instrumentation/Virtual code integration/Dynamic binary rewriting DBI App1 App2 OS ProcessorTools: PIN, DynamoRIO, DynInst, Valgrind, BAP, KEDR, Fit, ERESI, Detour, Vulcan, SpiderPigDigital Security Positive Hack Days 2012 29
  • 30. Dynamic Binary Instrumentation• Dynamic Binary Instrumentation (DBI) is a process control andanalysis technique that involves injecting instrumentation codeinto a running process.• Dynamic binary analysis (DBA) tools such as profilers andcheckers help programmers create better software.• Dynamic binary instrumentation (DBI) frameworks make it easyto build new DBA tools.•DBA tools consist: – instrumentation routines; – analysis routines.Digital Security Positive Hack Days 2012 30
  • 31. Kinds of DBIMode: Mode of work: – user-mode; - Start to finish; – kernel-mode. - Attach. FunctionalityModes of execution: JIT – Interpretation-mode; – Probe-mode; Probe – JIT-mode. PerformanceDigital Security Positive Hack Days 2012 31
  • 32. DBI Frameworks* Frameworks OS Arch Modes FeaturesPIN Linux, x86, x86-64, JIT, Probe Attach mode Windows, Itanium, ARM MacOSDynamoRIO Linux, x86, x86-64 JIT, Probe Runtime Windows optimizationDynInst Linux, x86, x86-64, Probe Static & FreeBSD, ppc32, ARM, Dynamic binary Windows ppc64 instrumentationValgrind Linux, MacOS x86, x86-64, JIT IR – VEX, ppc32, ARM, Heavyweight ppc64 DBA tools *For more details see “DBI:Intro” presentation from ZeroNights conferenceDigital Security Positive Hack Days 2012 32
  • 33. Start work with DBIDigital Security Positive Hack Days 2012 33
  • 34. Levels of granularity• Instruction;• Basic Block*;• Trace/Superblock;• Function;• Section;• Events;• Binary image.Digital Security Positive Hack Days 2012 34
  • 35. Self-modifying code & DBIDetect: – Written-protecting code pages – Checking store address – Inserting extra codeDigital Security Positive Hack Days 2012 35
  • 36. Overhead O=X+Y Y = N*Z Z = K+LO – Tool Overhead;X – Instrumentation Routines Overhead;Y – Analysis Routines Overhead;N – Frequency of Calling Analysis Routine;Z – Work Performed in the Analysis Routine;K – Work Required to Transition to Analysis Routine;L – Work Performed Inside the Analysis Routine.Digital Security Positive Hack Days 2012 36
  • 37. Rewriting instructions• Platforms: – with fixed-length instruction; – with variable-length instructions.Digital Security Positive Hack Days 2012 37
  • 38. Rewriting code (I)• Easy / simple / boring / regular example – Rewriting prolog functionDigital Security Positive Hack Days 2012 38
  • 39. Rewriting code (II)• Hardcore example: – Mobile phone firmware rewriting Bootloader reboot Flash SHELLCODE 1 AMSS Malicious SMS GSM Baseband processorDigital Security Positive Hack Days 2012 39
  • 40. Instrumentation in ARMARM modes: – ARM • Length(instr) = 4 byte – Thumb • Length(instr) = 2 byte – Thumb2 • Length(instr) = 2/4 byte – Jazzle For more detail see “A Dynamic Binary Instrumentation Engine for the ARM Architecture” presentation.Digital Security Positive Hack Days 2012 40
  • 41. Emulation App1 OS Emulator OS ProcessorDigital Security Positive Hack Days 2012 41
  • 42. Instrumentation & Bochs• Bochs can be called with instrumentation support.• C++ callbacks occur when certain events happen: – Poweron/Reset/Shutdown; – Branch Taken/Not Taken/Unconditional; – Opcode Decode (All relevant fields, lengths); – Interrupt /Exception; – Cache /TLB Flush/Prefetch; – Memory Read/Write.• “bochs-python-instrumentation” patch by Ero CarreraDigital Security Positive Hack Days 2012 42
  • 43. Virtualization App1 OS App1 OS VMM VMM OS Processor Processor Native VMM Hosted VMM *VMM - Virtual Machine MonitorDigital Security Positive Hack Days 2012 43
  • 44. Instrumentation & virtualizationStages:1. Save the VM-exit reason information in the VMCS;2. Save guest context information;3. Load the host-state area;4. Transfer control to the hypervisor;5. Run own code.*VMCS - Virtual Machine Control StructureDigital Security Positive Hack Days 2012 44
  • 45. Instrumentation in Mobile World Mobile Platform Language Executable file format Android Java Dex iOS Objective-C Mach-O Windows Phone .NET PEDigital Security Positive Hack Days 2012 45
  • 46. ConclusionOne can implement instrumentation of everything! Digital Security Positive Hack Days 2012 46
  • 47. ContactTwitter: @evdokimovdsE-mail: d.evdokimov@dsecrg.comDigital Security Positive Hack Days 2012 47