Light and Dark side of Code      Instrumentation  Dmitriy “D1g1″ Evdokimov  DSecRG, Security Researcher
#whoami• Security Researcher in DSecRG      – RE      – Fuzzing      – Mobile security• Organizer: DCG #7812• Editor in “X...
Agenda1.    Instrumentation .2.    Instrumentation ..3.    Instrumentation …4.    Instrumentation ….5.    Instrumentation ...
Intro“It has been proved by scientists that a new   point of evolution, any technical progress   appears when a Man makes ...
InstrumentationInstrumentation is a technique adding extra  code to an program/environment for  monitoring/change some pro...
Why is it necessary?                                      Parallel optimization            Simulation                     ...
Instrumentation in information                    security            Control flow analysis                Security test c...
Analysis             Criterion         Static analysis         Dynamic analysis          Code vs. data            Problem ...
Code Discovery                                   MemoryAfter static analysis     0101010110101001010010                   ...
The general scheme of code                      instrumentation1.    Find points of instrumentation;2.    Insert instrumen...
Source Data                           Source data        Source code          Byte code           Binary codewww.dsecrg.co...
Classification of target                    instrumentation                             Instrumentation With source code  ...
Source code instrumentation• Source code*      – Source code instrumentation            • Manual skills            • Plugi...
Unmoral programmingwww.dsecrg.com         CONFidence Krakow 2012   14
Byte code instrumentationByte code – intermediate representation  between source code and machine code.                   ...
Instrumentation byte-code (I)             Source code         Compilation               Byte-code                         ...
Instrumentation byte code (II)• Byte-code      – Static instrumentation            • Static byte code instrumentation     ...
Instrumentation Java (I)         Mechanisms:                 • java.lang.instrument package;                 • Java Platfo...
Instrumentation Java (II)• Static instrumentation      – Modification *.class files• Load-time instrumentation      – Clas...
Instrumentation .NET• Static instrumentation      – Modification DLL files• Load-time instrumentation      – AppDomain.Loa...
Instrumentation ActionScript (I)• ActionScript2      – AVM      – Tags that (can) contain bytecode:            • DefineBut...
AVM2 Architecture                           AS3                        .abc                 function (x:int):int {        ...
Instrumentation ActionScript (I)                       AVM tag   Original SWF file         Header                         ...
Instrumentation AVM (II)• Static instrumentation      – Add :            •    trace()            •    dump()            • ...
Instrumentation binary code• The executable file                              • Environment      – Static code instrumenta...
Static Binary Instrumentation (I)Static binary instrumentation/Physical code  integration/Static binary code rewriting    ...
Static Binary Instrumentation (II)Reallocation:1) Function Displacement + Entry Point Linking;2) Branch Conversion;3) Inst...
Debuggers• Breakpoints:     •    Software                                                                   App           ...
Dynamic Binary InstrumentationDynamic binary instrumentation/Virtual code  integration/Dynamic binary rewriting           ...
Dynamic Binary Instrumentation• Dynamic Binary Instrumentation (DBI) is a process control andanalysis technique that invol...
Kinds of DBIMode:                              Mode of work:      – user-mode;                 - Start to finish;      – k...
DBI Frameworks* Frameworks                   OS                   Arch                    Modes      FeaturesPIN          ...
Start work with DBIwww.dsecrg.com         CONFidence Krakow 2012   33
Levels of granularity•   Instruction;•   Basic Block*;•   Trace/Superblock;•   Function;•   Section;•   Events;•   Binary ...
Self-modifying code & DBIDetect:      – Written-protecting code pages      – Checking store address      – Inserting extra...
Overhead                            O=X+Y                            Y = N*Z                            Z = K+LO – Tool Ov...
Rewriting instructions• Platforms:      – with fixed-length instruction;      – with variable-length instructions.www.dsec...
Rewriting code (I)• Easy / simple / boring / regular example      – Rewriting prolog functionwww.dsecrg.com          CONFi...
Rewriting code (II)• Hardcore example:      – Mobile phone firmware rewriting                                Bootloader   ...
Instrumentation in ARMARM modes:      – ARM            • Length(instr) = 4 byte      – Thumb            • Length(instr) = ...
Emulation                 App1                      OS                        Emulator                            OS      ...
Instrumentation & Bochs• Bochs can be called with instrumentation support.• C++ callbacks occur when certain events happen...
Virtualization                                                            App1               OS           App1            ...
Instrumentation & virtualizationStages:1. Save the VM-exit reason information in the VMCS;2. Save guest context informatio...
Instrumentation in                              Mobile World           Mobile Platform          Language             Execu...
ConclusionOne can implement instrumentation of everything! www.dsecrg.com    CONFidence Krakow 2012     46
ContactTwitter: @evdokimovdsE-mail: d.evdokimov@dsecrg.comwww.dsecrg.com   CONFidence Krakow 2012   47
Windows 8• Apps:      – C++ & DirectX      – C# & XAML      – HTML & JavaScript & CSSwww.dsecrg.com         CONFidence Kra...
Upcoming SlideShare
Loading in …5
×

Dmitriy evdokimov. light and dark side of code instrumentation

657 views

Published on

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
657
On SlideShare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
13
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Dmitriy evdokimov. light and dark side of code instrumentation

  1. 1. Light and Dark side of Code Instrumentation Dmitriy “D1g1″ Evdokimov DSecRG, Security Researcher
  2. 2. #whoami• Security Researcher in DSecRG – RE – Fuzzing – Mobile security• Organizer: DCG #7812• Editor in “XAKEP”www.dsecrg.com CONFidence Krakow 2012 2
  3. 3. Agenda1. Instrumentation .2. Instrumentation ..3. Instrumentation …4. Instrumentation ….5. Instrumentation …..6. Instrumentation ……7. Instrumentation …….www.dsecrg.com CONFidence Krakow 2012 3
  4. 4. Intro“It has been proved by scientists that a new point of evolution, any technical progress appears when a Man makes up a new type of tool, but not a product.”www.dsecrg.com CONFidence Krakow 2012 4
  5. 5. InstrumentationInstrumentation is a technique adding extra code to an program/environment for monitoring/change some program behavior. Environment Program Program Own Own extra extra code codewww.dsecrg.com CONFidence Krakow 2012 5
  6. 6. Why is it necessary? Parallel optimization Simulation Memory debugging Virtualization Emulation Software profiling Performance analysis Testing Automated debugging Correctness checking Error detection Collecting code metrics Binary translation Optimization Memory leak detectionwww.dsecrg.com CONFidence Krakow 2012 6
  7. 7. Instrumentation in information security Control flow analysis Security test case generation Unpack Code coverage Virtual patching Malware analysis Vulnerability detection Privacy monitoring Taint analysis Antivirus technology Sandboxing Program shepherding Data flow analysis Shellcode detection Deobfuscation Fuzzing Reverse engineering Behavior based security Forensic Transparent debugging Data Structure Restoring Security enforcementwww.dsecrg.com CONFidence Krakow 2012 7
  8. 8. Analysis Criterion Static analysis Dynamic analysis Code vs. data Problem No problem Code coverage Big (but not all) One way Information about values No information All information Self-modifying code Problem No problem Interaction with the No Yes environment Unused code Analysis No analysis JIT code Problem No problemwww.dsecrg.com CONFidence Krakow 2012 8
  9. 9. Code Discovery MemoryAfter static analysis 0101010110101001010010 Instr 1 After dynamic analysis 0101010101101010101010 Instr 2 Instr 3 1111010101110101000111 jump reg InstrDATA 4 Instr 1011100111001010101011 5 Instr 4 6 Instr Instr 7 5 jmp 0x0ABCD PADDING 0111010110100111100110 Instr 7 cont. Instr 8 1010101101110001001011 Instr 9 Instr 6 10 Instr www.dsecrg.com CONFidence Krakow 2012 9
  10. 10. The general scheme of code instrumentation1. Find points of instrumentation;2. Insert instrumentation;3. Take control from program;4. Save context of the program;5. Execute own code;6. Restore context of the program;7. Return control to program.www.dsecrg.com CONFidence Krakow 2012 10
  11. 11. Source Data Source data Source code Byte code Binary codewww.dsecrg.com CONFidence Krakow 2012 11
  12. 12. Classification of target instrumentation Instrumentation With source code Without source code Source code Byte code Binary code Linker/Compiler Byte code Executable file Interpreter/VM Process Environment Dynamic binary instrumentation Static binary modification Byte code instrumentation Link-time/Compilation-time Source code instrumentation Environment - Static instrumentation Hardware - Load-time - Dynamicwww.dsecrg.com CONFidence Krakow 2012 12
  13. 13. Source code instrumentation• Source code* – Source code instrumentation • Manual skills • Plugins for IDE – Link-time/Compilation-time instrumentation • Options of linker/compiler• Tools: Visual Studio Profiler, gcc, TAU, OPARI, Diablo, Phoenix, LLVM, Rational Purify, Valgrind *Unreal condition for security specialist =)www.dsecrg.com CONFidence Krakow 2012 13
  14. 14. Unmoral programmingwww.dsecrg.com CONFidence Krakow 2012 14
  15. 15. Byte code instrumentationByte code – intermediate representation between source code and machine code. … Java VM Dalvik VM AVM/AVM2 CLRwww.dsecrg.com CONFidence Krakow 2012 15
  16. 16. Instrumentation byte-code (I) Source code Compilation Byte-code Load Virtual machine Loader JIT Lib Lib Execute Lib Machine codewww.dsecrg.com CONFidence Krakow 2012 16
  17. 17. Instrumentation byte code (II)• Byte-code – Static instrumentation • Static byte code instrumentation – Load-time instrumentation • Custom byte code loader – Dynamic instrumentation • Dynamic byte-code instrumentationwww.dsecrg.com CONFidence Krakow 2012 17
  18. 18. Instrumentation Java (I) Mechanisms: • java.lang.instrument package; • Java Platform Debugger Architecture (JPDA) .www.dsecrg.com CONFidence Krakow 2012 18
  19. 19. Instrumentation Java (II)• Static instrumentation – Modification *.class files• Load-time instrumentation – ClassFileLoadHook – Custom ClassLoader• Dynamic instrumentation – ClassFileLoadHook -> RetransformClassesTools: Javassist, ObjectWeb ASM, BCEL, JOIE, reJ JavaSnoop, Serp, JManglerwww.dsecrg.com CONFidence Krakow 2012 19
  20. 20. Instrumentation .NET• Static instrumentation – Modification DLL files• Load-time instrumentation – AppDomain.Load()/Assembly.Load() – Joint redirection – Via event handlerTools: ReFrameworker, MBEL, RAIL, Cecilwww.dsecrg.com CONFidence Krakow 2012 20
  21. 21. Instrumentation ActionScript (I)• ActionScript2 – AVM – Tags that (can) contain bytecode: • DefineButton (7), DefineButton2 (34), DefineSprite (39), DoAction (12), DoInitAction (59), PlaceObject2 (26), PlaceObject3 (70).• ActionScript3 – AVM2 – Tags that (can) contain bytecode: • DoABC (82), RawABC (72).www.dsecrg.com CONFidence Krakow 2012 21
  22. 22. AVM2 Architecture AS3 .abc function (x:int):int { return x+10 } .abc parser MIR JIT Compiler .abc @1 arg +8// argv getlocal 1 Verifier Bytecode MIR Code Generator @2 load [@1+4] pushint 10 @3 imm 10 add @4 add (@2,@3) returnvalue Interpreter MD Code Generator @5 ret @4 // @4:eax (x86, PPC, ARM, etc.) x86 Runtime System (Type System, Object Model) mov eax,(eap+8) mov eax,(eax+4) add eax,10 Memory Manager/Garbage Collector retwww.dsecrg.com CONFidence Krakow 2012 22
  23. 23. Instrumentation ActionScript (I) AVM tag Original SWF file Header TagsInstrumentetedSWF file www.dsecrg.com CONFidence Krakow 2012 23
  24. 24. Instrumentation AVM (II)• Static instrumentation – Add : • trace() • dump() • debug() • debugfile() • debugline() – Modification: • Create own class + change class name = hook!www.dsecrg.com CONFidence Krakow 2012 24
  25. 25. Instrumentation binary code• The executable file • Environment – Static code instrumentation – Modifying call table • Static binary instrumentation • IDT, CPU MSRs, GDT, SSDT,• Process IRP тable – Debuggers • … • Debugging API – Modifying OS options – Modifying call table/other structure • SHIM • IAT • LD_PRELOAD • … • AppInt_DLLs – Dynamic code instrumentation • DLL injection • Dynamic binary instrumentation • …• Hardware – Reproduction of the – Hardware debug features environment • Debug registers • Emulation • Hardware debuggers • Virtualization • …www.dsecrg.com CONFidence Krakow 2012 25
  26. 26. Static Binary Instrumentation (I)Static binary instrumentation/Physical code integration/Static binary code rewriting Edited Header Header• Realization: Segment of Segment of code code – With reallocation: Segment of Segment of • Level of segment; data data • Level of function; Extra segment of code – Without reallocation. Extra segment of datawww.dsecrg.com CONFidence Krakow 2012 26
  27. 27. Static Binary Instrumentation (II)Reallocation:1) Function Displacement + Entry Point Linking;2) Branch Conversion;3) Instruction Padding;4) Instrumentation. Tools: DynInst, EEL, ATOM, PEBIL, ERESI, TAU, Vulcan, BIRD, Aslan(4514N)www.dsecrg.com CONFidence Krakow 2012 27
  28. 28. Debuggers• Breakpoints: • Software App Debugger • Hardware• Debugger + scripting: OS • WinDBG + pykd • OllyDBG + python = Immunity Debuggers Processor • GDB + PythonGDB• Python librarys*: Buggery, IDAPython, ImmLIB, lldb, PyDBG, PyDbgEng, pygdb , python-ptrace , vtrace, WinAppDbg, … *See “Python Arsenal for Reverse Engineering”www.dsecrg.com CONFidence Krakow 2012 28
  29. 29. Dynamic Binary InstrumentationDynamic binary instrumentation/Virtual code integration/Dynamic binary rewriting DBI App1 App2 OS ProcessorTools: PIN, DynamoRIO, DynInst, Valgrind, BAP, KEDR, Fit, ERESI, Detour, Vulcan, SpiderPigwww.dsecrg.com CONFidence Krakow 2012 29
  30. 30. Dynamic Binary Instrumentation• Dynamic Binary Instrumentation (DBI) is a process control andanalysis technique that involves injecting instrumentation codeinto a running process.• Dynamic binary analysis (DBA) tools such as profilers andcheckers help programmers create better software.• Dynamic binary instrumentation (DBI) frameworks make it easyto build new DBA tools.•DBA tools consist: – instrumentation routines; – analysis routines.www.dsecrg.com CONFidence Krakow 2012 30
  31. 31. Kinds of DBIMode: Mode of work: – user-mode; - Start to finish; – kernel-mode. - Attach.Modes of execution: Functionality JIT – Interpretation-mode; – Probe-mode; Probe – JIT-mode. Performancewww.dsecrg.com CONFidence Krakow 2012 31
  32. 32. DBI Frameworks* Frameworks OS Arch Modes FeaturesPIN Linux, x86, x86-64, JIT, Probe Attach mode Windows, Itanium, ARM MacOSDynamoRIO Linux, x86, x86-64 JIT, Probe Runtime Windows optimizationDynInst Linux, x86, x86-64, Probe Static & FreeBSD, ppc32, ARM, Dynamic binary Windows ppc64 instrumentationValgrind Linux, MacOS x86, x86-64, JIT IR – VEX, ppc32, ARM, Heavyweight ppc64 DBA tools *For more details see “DBI:Intro” presentation from ZeroNights conferencewww.dsecrg.com CONFidence Krakow 2012 32
  33. 33. Start work with DBIwww.dsecrg.com CONFidence Krakow 2012 33
  34. 34. Levels of granularity• Instruction;• Basic Block*;• Trace/Superblock;• Function;• Section;• Events;• Binary image.www.dsecrg.com CONFidence Krakow 2012 34
  35. 35. Self-modifying code & DBIDetect: – Written-protecting code pages – Checking store address – Inserting extra codewww.dsecrg.com CONFidence Krakow 2012 35
  36. 36. Overhead O=X+Y Y = N*Z Z = K+LO – Tool Overhead;X – Instrumentation Routines Overhead;Y – Analysis Routines Overhead;N – Frequency of Calling Analysis Routine;Z – Work Performed in the Analysis Routine;K – Work Required to Transition to Analysis Routine;L – Work Performed Inside the Analysis Routine.www.dsecrg.com CONFidence Krakow 2012 36
  37. 37. Rewriting instructions• Platforms: – with fixed-length instruction; – with variable-length instructions.www.dsecrg.com CONFidence Krakow 2012 37
  38. 38. Rewriting code (I)• Easy / simple / boring / regular example – Rewriting prolog functionwww.dsecrg.com CONFidence Krakow 2012 38
  39. 39. Rewriting code (II)• Hardcore example: – Mobile phone firmware rewriting Bootloader reboot Flash SHELLCODE 1 AMSS Malicious SMS GSM Baseband processorwww.dsecrg.com CONFidence Krakow 2012 39
  40. 40. Instrumentation in ARMARM modes: – ARM • Length(instr) = 4 byte – Thumb • Length(instr) = 2 byte – Thumb2 • Length(instr) = 2/4 byte – Jazzle For more detail see “A Dynamic Binary Instrumentation Engine for the ARM Architecture” presentation.www.dsecrg.com CONFidence Krakow 2012 40
  41. 41. Emulation App1 OS Emulator OS Processorwww.dsecrg.com CONFidence Krakow 2012 41
  42. 42. Instrumentation & Bochs• Bochs can be called with instrumentation support.• C++ callbacks occur when certain events happen: – Poweron/Reset/Shutdown; – Branch Taken/Not Taken/Unconditional; – Opcode Decode (All relevant fields, lengths); – Interrupt /Exception; – Cache /TLB Flush/Prefetch; – Memory Read/Write.• “bochs-python-instrumentation” patch by Ero Carrerawww.dsecrg.com CONFidence Krakow 2012 42
  43. 43. Virtualization App1 OS App1 OS VMM VMM OS Processor Processor Native VMM Hosted VMM *VMM - Virtual Machine Monitorwww.dsecrg.com CONFidence Krakow 2012 43
  44. 44. Instrumentation & virtualizationStages:1. Save the VM-exit reason information in the VMCS;2. Save guest context information;3. Load the host-state area;4. Transfer control to the hypervisor;5. Run own code.*VMCS - Virtual Machine Control Structurewww.dsecrg.com CONFidence Krakow 2012 44
  45. 45. Instrumentation in Mobile World Mobile Platform Language Executable file format Android Java Dex iOS Objective-C Mach-O Windows Phone .NET PEwww.dsecrg.com CONFidence Krakow 2012 45
  46. 46. ConclusionOne can implement instrumentation of everything! www.dsecrg.com CONFidence Krakow 2012 46
  47. 47. ContactTwitter: @evdokimovdsE-mail: d.evdokimov@dsecrg.comwww.dsecrg.com CONFidence Krakow 2012 47
  48. 48. Windows 8• Apps: – C++ & DirectX – C# & XAML – HTML & JavaScript & CSSwww.dsecrg.com CONFidence Krakow 2012 48

×