SlideShare a Scribd company logo

Triton and symbolic execution on gdb

Wei-Bo Chen
Wei-Bo Chen

50 mins talk on HITCON Community 2017

Technology
1 of 71
Download to read offline
Triton and Symbolic execution on GDB bananaappletw @ HITCON 2017/08/26
$whoami • 陳威伯(bananaappletw) • Master of National Chiao Tung University • Organizations: • Software Quality Laboratory • Bamboofox member • Vice president of NCTUCSC • Specialize in: • symbolic execution • binary exploit • Talks: • HITCON CMT 2015
Outline • Why symbolic execution? • Symbolic execution? • Triton • SymGDB
Why symbolic execution?
In the old days • Static analysis • Dynamic analysis
Static analysis • objdump • IDA PRO
Dynamic analysis • GDB • ltrace • strace
Symbolic execution!!!
What is symbolic execution? • Symbolic execution is a means of analyzing a program to determine what inputs cause each part of a program to execute • System-level • S2e(https://github.com/dslab-epfl/s2e) • User-level • Angr(http://angr.io/) • Triton(https://triton.quarkslab.com/) • Code-based • klee(http://klee.github.io/)
Symbolic execution Z == 12 fail() "OK"
Triton • Website: https://triton.quarkslab.com/ • A dynamic binary analysis framework written in C++. • developed by Jonathan Salwan • Python bindings • Triton components: • Symbolic execution engine • Tracer • AST representations • SMT solver Interface
Triton Structure
Symbolic execution engine • The symbolic engine maintains: • a table of symbolic registers states • a map of symbolic memory states • a global set of all symbolic references Step Register Instruction Set of symbolic expressions init eax = UNSET None ⊥ 1 eax = φ1 mov eax, 0 {φ1=0} 2 eax = φ2 inc eax {φ1=0,φ2=φ1+1} 3 eax = φ3 add eax, 5 {φ1=0,φ2=φ1+1,φ3=φ2+5}
Triton Tracer • Tracer provides: • Current opcode executed • State context (register and memory) • Translate the control flow into AST Representations • Pin tracer support
AST representations • Triton converts the x86 and the x86-64 instruction set semantics into AST representations • Triton's expressions are on SSA form • Instruction: add rax, rdx • Expression: ref!41 = (bvadd ((_ extract 63 0) ref!40) ((_ extract 63 0) ref!39)) • ref!41 is the new expression of the RAX register • ref!40 is the previous expression of the RAX register • ref!39 is the previous expression of the RDX register
AST representations • mov al, 1 • mov cl, 10 • mov dl, 20 • xor cl, dl • add al, cl
Static single assignment form(SSA form) • Each variable is assigned exactly once • y := 1 • y := 2 • x := y Turns into • y1 := 1 • y2 := 2 • x1 := y2
Why SSA form? y1 := 1 (This assignment is not necessary) y2 := 2 x1 := y2 • When Triton process instructions, it could ignore some unnecessary instructions. • It saves time and memory.
Symbolic variables • Imagine symbolic is a infection • Make ecx as symbolic variable • convertRegisterToSymbolicVariable(REG.ECX) • isRegisterSymbolized(REG.ECX) == True • test ecx, ecx (ZF = ECX & ECX = ECX) • je +7 (isRegisterSymbolized(REG.EIP) == True)(jump to nop if ZF=1) • mov edx, 0x64 • nop
SMT solver Interface
Example • Defcamp 2015 r100 • Program require to input the password • Password length could up to 255 characters
Defcamp 2015 r100
Defcamp 2015 r100
Defcamp 2015 r100 • Set Architecture • Load segments into triton • Define fake stack ( RBP and RSP ) • Symbolize user input • Start to processing opcodes • Set constraint on specific point of program • Get symbolic expression and solve it
Set Architecture
Load segments into triton
Define fake stack ( RBP and RSP )
Symbolize user input
Start to processing opcodes
Get symbolic expression and solve it
Some problems of Triton • The whole procedure is too complicated • High learning cost to use Triton • With support of debugger, many steps could be simplified
SymGDB • Repo: https://github.com/SQLab/symgdb • Symbolic execution support for GDB • Combined with: • Triton • GDB Python API • Symbolic environment • symbolize argv
Design and Implementation • GDB Python API • Failed method • Successful method • Flow • SymGDB System Structure • Implementation of System Internals • Relationship between SymGDB classes • Supported Commands • Symbolic Execution Process in GDB • Symbolic Environment • symbolic argv • Debug tips
GDB Python API • API: https://sourceware.org/gdb/onlinedocs/gdb/Python-API.html • Source python script in .gdbinit • Functionalities: • Register GDB command • Register event handler (ex: breakpoint) • Execute GDB command and get output • Read, write, search memory
Register GDB command
Register event handler
Execute GDB command and get output
Read memory
Write memory
Failed method • At first, I try to use Triton callback to get memory and register values • Register callbacks: • needConcreteMemoryValue • needConcreteRegisterValue • Process the following sequence of code • mov eax, 5 • mov ebx,eax (Trigger needConcreteRegisterValue) • We need to set Triton context of eax
Triton callbacks
Problems • Values from GDB are out of date • Consider the following sequence of code • mov eax, 5 • We set breakpoint here, and call Triton's processing() • mov ebx,eax (trigger callback to get eax value, eax = 5) • mov eax, 10 • mov ecx, eax (Trigger again, get eax = 5) • Because context state not up to date
Tried solutions • Before needed value derived from GDB, check if it is not in the Triton's context yet Not working! Triton will fall into infinite loop
Successful method • Copy GDB context into Triton • Load all the segments into Triton context • Symbolic execution won't affect original GDB state • User could restart symbolic execution from breakpoint
Flow • Get debugged program state by calling GDB Python API • Get the current program state and yield to triton • Set symbolic variable • Set the target address • Run symbolic execution and get output • Inject back to debugged program state
SymGDB System Structure
Implementation of System Internals • Three classes in the symGDB • Arch(), GdbUtil(), Symbolic() • Arch() • Provide different pointer size、register name • GdbUtil() • Read write memory、read write register • Get memory mapping of program • Get filename and detect architecture • Get argument list • Symbolic() • Set constraint on pc register • Run symbolic execution
Relationship between SymGDB classes
Supported Commands Command Option Functionality symbolize argv memory [address][size] Make symbolic target address Set target address triton None Run symbolic execution answer None Print symbolic variables debug symbolic gdb Show debug messages
Symbolic Execution Process in GDB • gdb.execute("info registers", to_string=True) to get registers • gdb.selected_inferior().read_memory(address, length) to get memory • setConcreteMemoryAreaValue and setConcreteRegisterValue to set triton state • In each instruction, use isRegisterSymbolized to check if pc register is symbolized or not • Set target address as constraint • Call getModel to get answer • gdb.selected_inferior().write_memory(address, buf, length) to inject back to debugged program state
Symbolic Environment: symbolic argv • Using "info proc all" to get stack start address • Examining memory content from stack start address • argc • argv[0] • argv[1] • …… • null • env[0] • env[1] • …… • null argc argument counter(integer) argv[0] program name (pointer) argv[1] program args (pointers) … argv[argc-1] null end of args (integer) env[0] environment variables (pointers) env[1] … env[n] null end of environment (integer)
Debug tips • Simplify: https://github.com/JonathanSalwan/Triton/blob/master/src/example s/python/simplification.py
Demo • Examples • crackme hash • crackme xor • GDB commands • Combined with Peda
crackme hash • Source: https://github.com/illera88/Ponce/blob/master/examples/crackme_h ash.cpp • Program will pass argv[1] to check function • In check function, argv[1] xor with serial(fixed string) • If sum of xored result equals to 0xABCD • print "Win" • else • print "fail"
crackme hash
crackme hash
crackme hash
crackme xor • Source: https://github.com/illera88/Ponce/blob/master/examples/crackme_xor.cpp • Program will pass argv[1] to check function • In check function, argv[1] xor with 0x55 • If xored result not equals to serial(fixed string) • return 1 • print "fail" • else • go to next loop • If program go through all the loop • return 0 • print "Win"
crackme xor
crackme xor
crackme xor
GDB commands
GDB commands
Combined with Peda • Same demo video of crackme hash • Using find(peda command) to find argv[1] address • Using symbolize memory argv[1]_address argv[1]_length to symbolic argv[1] memory
Combined with Peda
Drawbacks • Triton doesn't support GNU c library • Why? • SMT Semantics Supported: https://triton.quarkslab.com/documentation/doxygen/SMT_Semanti cs_Supported_page.html • Triton has to implement system call interface to support GNU c library a.k.a. support "int 0x80"
Triton versus Angr Difference Triton Angr Architecture support x86 amd64 x86 amd64 arm …… GNU c library support No Yes Path explore No Yes
References • Wiki: https://en.wikipedia.org/wiki/Symbolic_execution • Triton: https://triton.quarkslab.com/ • GDB Python API: https://sourceware.org/gdb/onlinedocs/gdb/Python-API.html • Peda: https://github.com/longld/peda • Ponce: https://github.com/illera88/Ponce • Angr: http://angr.io/
Bamboofox
Q & A
Thank you

Recommended

Dynamic Binary Analysis and Obfuscated Codes
Dynamic Binary Analysis and Obfuscated Codes Dynamic Binary Analysis and Obfuscated Codes
Dynamic Binary Analysis and Obfuscated Codes Jonathan Salwan
 
How Triton can help to reverse virtual machine based software protections
How Triton can help to reverse virtual machine based software protectionsHow Triton can help to reverse virtual machine based software protections
How Triton can help to reverse virtual machine based software protectionsJonathan Salwan
 
[若渴]Study on Side Channel Attacks and Countermeasures
[若渴]Study on Side Channel Attacks and Countermeasures [若渴]Study on Side Channel Attacks and Countermeasures
[若渴]Study on Side Channel Attacks and Countermeasures Aj MaChInE
 
Top 5 mistakes when writing Spark applications
Top 5 mistakes when writing Spark applicationsTop 5 mistakes when writing Spark applications
Top 5 mistakes when writing Spark applicationshadooparchbook
 
ROP 輕鬆談
ROP 輕鬆談ROP 輕鬆談
ROP 輕鬆談hackstuff
 
V8 javascript engine for フロントエンドデベロッパー
V8 javascript engine for フロントエンドデベロッパーV8 javascript engine for フロントエンドデベロッパー
V8 javascript engine for フロントエンドデベロッパーTaketoshi 青野健利
 
Garbage First Garbage Collector (G1 GC): Current and Future Adaptability and ...
Garbage First Garbage Collector (G1 GC): Current and Future Adaptability and ...Garbage First Garbage Collector (G1 GC): Current and Future Adaptability and ...
Garbage First Garbage Collector (G1 GC): Current and Future Adaptability and ...Monica Beckwith
 
Linux Binary Exploitation - Stack buffer overflow
Linux Binary Exploitation - Stack buffer overflowLinux Binary Exploitation - Stack buffer overflow
Linux Binary Exploitation - Stack buffer overflowAngel Boy
 

Recommended

Dynamic Binary Analysis and Obfuscated Codes
Dynamic Binary Analysis and Obfuscated Codes Dynamic Binary Analysis and Obfuscated Codes
Dynamic Binary Analysis and Obfuscated Codes Jonathan Salwan
 
How Triton can help to reverse virtual machine based software protections
How Triton can help to reverse virtual machine based software protectionsHow Triton can help to reverse virtual machine based software protections
How Triton can help to reverse virtual machine based software protectionsJonathan Salwan
 
[若渴]Study on Side Channel Attacks and Countermeasures
[若渴]Study on Side Channel Attacks and Countermeasures [若渴]Study on Side Channel Attacks and Countermeasures
[若渴]Study on Side Channel Attacks and Countermeasures Aj MaChInE
 
Top 5 mistakes when writing Spark applications
Top 5 mistakes when writing Spark applicationsTop 5 mistakes when writing Spark applications
Top 5 mistakes when writing Spark applicationshadooparchbook
 
ROP 輕鬆談
ROP 輕鬆談ROP 輕鬆談
ROP 輕鬆談hackstuff
 
V8 javascript engine for フロントエンドデベロッパー
V8 javascript engine for フロントエンドデベロッパーV8 javascript engine for フロントエンドデベロッパー
V8 javascript engine for フロントエンドデベロッパーTaketoshi 青野健利
 
Garbage First Garbage Collector (G1 GC): Current and Future Adaptability and ...
Garbage First Garbage Collector (G1 GC): Current and Future Adaptability and ...Garbage First Garbage Collector (G1 GC): Current and Future Adaptability and ...
Garbage First Garbage Collector (G1 GC): Current and Future Adaptability and ...Monica Beckwith
 
Linux Binary Exploitation - Stack buffer overflow
Linux Binary Exploitation - Stack buffer overflowLinux Binary Exploitation - Stack buffer overflow
Linux Binary Exploitation - Stack buffer overflowAngel Boy
 
CRC-32
CRC-32CRC-32
CRC-327shi
 
Triton and Symbolic execution on GDB@DEF CON China
Triton and Symbolic execution on GDB@DEF CON ChinaTriton and Symbolic execution on GDB@DEF CON China
Triton and Symbolic execution on GDB@DEF CON ChinaWei-Bo Chen
 
Accelerating HPC Applications on NVIDIA GPUs with OpenACC
Accelerating HPC Applications on NVIDIA GPUs with OpenACCAccelerating HPC Applications on NVIDIA GPUs with OpenACC
Accelerating HPC Applications on NVIDIA GPUs with OpenACCinside-BigData.com
 
Scylla Summit 2022: How to Migrate a Counter Table for 68 Billion Records
Scylla Summit 2022: How to Migrate a Counter Table for 68 Billion RecordsScylla Summit 2022: How to Migrate a Counter Table for 68 Billion Records
Scylla Summit 2022: How to Migrate a Counter Table for 68 Billion RecordsScyllaDB
 
An Introduction to Higher Order Functions in Spark SQL with Herman van Hovell
An Introduction to Higher Order Functions in Spark SQL with Herman van HovellAn Introduction to Higher Order Functions in Spark SQL with Herman van Hovell
An Introduction to Higher Order Functions in Spark SQL with Herman van HovellDatabricks
 
katagaitai workshop #7 crypto ナップサック暗号と低密度攻撃
katagaitai workshop #7 crypto ナップサック暗号と低密度攻撃katagaitai workshop #7 crypto ナップサック暗号と低密度攻撃
katagaitai workshop #7 crypto ナップサック暗号と低密度攻撃trmr
 
2017年11月02日「radare2」トーク/ワークショップAVTokyo 2017
2017年11月02日「radare2」トーク/ワークショップAVTokyo 2017 2017年11月02日「radare2」トーク/ワークショップAVTokyo 2017
2017年11月02日「radare2」トーク/ワークショップAVTokyo 2017 unixfreaxjp
 
Exploiting Modern Microarchitectures: Meltdown, Spectre, and other Attacks
Exploiting Modern Microarchitectures: Meltdown, Spectre, and other AttacksExploiting Modern Microarchitectures: Meltdown, Spectre, and other Attacks
Exploiting Modern Microarchitectures: Meltdown, Spectre, and other Attacksinside-BigData.com
 
Pwning in c++ (basic)
Pwning in c++ (basic)Pwning in c++ (basic)
Pwning in c++ (basic)Angel Boy
 
How We Reduced Performance Tuning Time by Orders of Magnitude with Database O...
How We Reduced Performance Tuning Time by Orders of Magnitude with Database O...How We Reduced Performance Tuning Time by Orders of Magnitude with Database O...
How We Reduced Performance Tuning Time by Orders of Magnitude with Database O...ScyllaDB
 
Lockfree list
Lockfree listLockfree list
Lockfree listKumazaki Hiroki
 
Lifted-ElGamal暗号を用いた任意関数演算の二者間秘密計算プロトコルのmaliciousモデルにおける効率化
Lifted-ElGamal暗号を用いた任意関数演算の二者間秘密計算プロトコルのmaliciousモデルにおける効率化Lifted-ElGamal暗号を用いた任意関数演算の二者間秘密計算プロトコルのmaliciousモデルにおける効率化
Lifted-ElGamal暗号を用いた任意関数演算の二者間秘密計算プロトコルのmaliciousモデルにおける効率化MITSUNARI Shigeo
 
Ctfのためのpython入門
Ctfのためのpython入門Ctfのためのpython入門
Ctfのためのpython入門shiracamus
 
Linux Binary Exploitation - Return-oritend Programing
Linux Binary Exploitation - Return-oritend ProgramingLinux Binary Exploitation - Return-oritend Programing
Linux Binary Exploitation - Return-oritend ProgramingAngel Boy
 
x86とコンテキストスイッチ
x86とコンテキストスイッチx86とコンテキストスイッチ
x86とコンテキストスイッチMasami Ichikawa
 
Jvm & Garbage collection tuning for low latencies application
Jvm & Garbage collection tuning for low latencies applicationJvm & Garbage collection tuning for low latencies application
Jvm & Garbage collection tuning for low latencies applicationQuentin Ambard
 
Jvm tuning for low latency application & Cassandra
Jvm tuning for low latency application & CassandraJvm tuning for low latency application & Cassandra
Jvm tuning for low latency application & CassandraQuentin Ambard
 
From Query Plan to Query Performance: Supercharging your Apache Spark Queries...
From Query Plan to Query Performance: Supercharging your Apache Spark Queries...From Query Plan to Query Performance: Supercharging your Apache Spark Queries...
From Query Plan to Query Performance: Supercharging your Apache Spark Queries...Databricks
 
Scylla Summit 2022: Scylla 5.0 New Features, Part 1
Scylla Summit 2022: Scylla 5.0 New Features, Part 1Scylla Summit 2022: Scylla 5.0 New Features, Part 1
Scylla Summit 2022: Scylla 5.0 New Features, Part 1ScyllaDB
 
暗認本読書会10
暗認本読書会10暗認本読書会10
暗認本読書会10MITSUNARI Shigeo
 
Tool up your lamp stack
Tool up your lamp stackTool up your lamp stack
Tool up your lamp stackAgileOnTheBeach
 
Tool Up Your LAMP Stack
Tool Up Your LAMP StackTool Up Your LAMP Stack
Tool Up Your LAMP StackLorna Mitchell
 

More Related Content

What's hot

CRC-32
CRC-32CRC-32
CRC-327shi
 
Triton and Symbolic execution on GDB@DEF CON China
Triton and Symbolic execution on GDB@DEF CON ChinaTriton and Symbolic execution on GDB@DEF CON China
Triton and Symbolic execution on GDB@DEF CON ChinaWei-Bo Chen
 
Accelerating HPC Applications on NVIDIA GPUs with OpenACC
Accelerating HPC Applications on NVIDIA GPUs with OpenACCAccelerating HPC Applications on NVIDIA GPUs with OpenACC
Accelerating HPC Applications on NVIDIA GPUs with OpenACCinside-BigData.com
 
Scylla Summit 2022: How to Migrate a Counter Table for 68 Billion Records
Scylla Summit 2022: How to Migrate a Counter Table for 68 Billion RecordsScylla Summit 2022: How to Migrate a Counter Table for 68 Billion Records
Scylla Summit 2022: How to Migrate a Counter Table for 68 Billion RecordsScyllaDB
 
An Introduction to Higher Order Functions in Spark SQL with Herman van Hovell
An Introduction to Higher Order Functions in Spark SQL with Herman van HovellAn Introduction to Higher Order Functions in Spark SQL with Herman van Hovell
An Introduction to Higher Order Functions in Spark SQL with Herman van HovellDatabricks
 
katagaitai workshop #7 crypto ナップサック暗号と低密度攻撃
katagaitai workshop #7 crypto ナップサック暗号と低密度攻撃katagaitai workshop #7 crypto ナップサック暗号と低密度攻撃
katagaitai workshop #7 crypto ナップサック暗号と低密度攻撃trmr
 
2017年11月02日「radare2」トーク/ワークショップAVTokyo 2017
2017年11月02日「radare2」トーク/ワークショップAVTokyo 2017 2017年11月02日「radare2」トーク/ワークショップAVTokyo 2017
2017年11月02日「radare2」トーク/ワークショップAVTokyo 2017 unixfreaxjp
 
Exploiting Modern Microarchitectures: Meltdown, Spectre, and other Attacks
Exploiting Modern Microarchitectures: Meltdown, Spectre, and other AttacksExploiting Modern Microarchitectures: Meltdown, Spectre, and other Attacks
Exploiting Modern Microarchitectures: Meltdown, Spectre, and other Attacksinside-BigData.com
 
Pwning in c++ (basic)
Pwning in c++ (basic)Pwning in c++ (basic)
Pwning in c++ (basic)Angel Boy
 
How We Reduced Performance Tuning Time by Orders of Magnitude with Database O...
How We Reduced Performance Tuning Time by Orders of Magnitude with Database O...How We Reduced Performance Tuning Time by Orders of Magnitude with Database O...
How We Reduced Performance Tuning Time by Orders of Magnitude with Database O...ScyllaDB
 
Lifted-ElGamal暗号を用いた任意関数演算の二者間秘密計算プロトコルのmaliciousモデルにおける効率化
Lifted-ElGamal暗号を用いた任意関数演算の二者間秘密計算プロトコルのmaliciousモデルにおける効率化Lifted-ElGamal暗号を用いた任意関数演算の二者間秘密計算プロトコルのmaliciousモデルにおける効率化
Lifted-ElGamal暗号を用いた任意関数演算の二者間秘密計算プロトコルのmaliciousモデルにおける効率化MITSUNARI Shigeo
 
Ctfのためのpython入門
Ctfのためのpython入門Ctfのためのpython入門
Ctfのためのpython入門shiracamus
 
Linux Binary Exploitation - Return-oritend Programing
Linux Binary Exploitation - Return-oritend ProgramingLinux Binary Exploitation - Return-oritend Programing
Linux Binary Exploitation - Return-oritend ProgramingAngel Boy
 
x86とコンテキストスイッチ
x86とコンテキストスイッチx86とコンテキストスイッチ
x86とコンテキストスイッチMasami Ichikawa
 
Jvm & Garbage collection tuning for low latencies application
Jvm & Garbage collection tuning for low latencies applicationJvm & Garbage collection tuning for low latencies application
Jvm & Garbage collection tuning for low latencies applicationQuentin Ambard
 
Jvm tuning for low latency application & Cassandra
Jvm tuning for low latency application & CassandraJvm tuning for low latency application & Cassandra
Jvm tuning for low latency application & CassandraQuentin Ambard
 
From Query Plan to Query Performance: Supercharging your Apache Spark Queries...
From Query Plan to Query Performance: Supercharging your Apache Spark Queries...From Query Plan to Query Performance: Supercharging your Apache Spark Queries...
From Query Plan to Query Performance: Supercharging your Apache Spark Queries...Databricks
 
Scylla Summit 2022: Scylla 5.0 New Features, Part 1
Scylla Summit 2022: Scylla 5.0 New Features, Part 1Scylla Summit 2022: Scylla 5.0 New Features, Part 1
Scylla Summit 2022: Scylla 5.0 New Features, Part 1ScyllaDB
 

What's hot (20)

CRC-32
CRC-32CRC-32
CRC-32
 
Triton and Symbolic execution on GDB@DEF CON China
Triton and Symbolic execution on GDB@DEF CON ChinaTriton and Symbolic execution on GDB@DEF CON China
Triton and Symbolic execution on GDB@DEF CON China
 
Accelerating HPC Applications on NVIDIA GPUs with OpenACC
Accelerating HPC Applications on NVIDIA GPUs with OpenACCAccelerating HPC Applications on NVIDIA GPUs with OpenACC
Accelerating HPC Applications on NVIDIA GPUs with OpenACC
 
Scylla Summit 2022: How to Migrate a Counter Table for 68 Billion Records
Scylla Summit 2022: How to Migrate a Counter Table for 68 Billion RecordsScylla Summit 2022: How to Migrate a Counter Table for 68 Billion Records
Scylla Summit 2022: How to Migrate a Counter Table for 68 Billion Records
 
An Introduction to Higher Order Functions in Spark SQL with Herman van Hovell
An Introduction to Higher Order Functions in Spark SQL with Herman van HovellAn Introduction to Higher Order Functions in Spark SQL with Herman van Hovell
An Introduction to Higher Order Functions in Spark SQL with Herman van Hovell
 
katagaitai workshop #7 crypto ナップサック暗号と低密度攻撃
katagaitai workshop #7 crypto ナップサック暗号と低密度攻撃katagaitai workshop #7 crypto ナップサック暗号と低密度攻撃
katagaitai workshop #7 crypto ナップサック暗号と低密度攻撃
 
2017年11月02日「radare2」トーク/ワークショップAVTokyo 2017
2017年11月02日「radare2」トーク/ワークショップAVTokyo 2017 2017年11月02日「radare2」トーク/ワークショップAVTokyo 2017
2017年11月02日「radare2」トーク/ワークショップAVTokyo 2017
 
Exploiting Modern Microarchitectures: Meltdown, Spectre, and other Attacks
Exploiting Modern Microarchitectures: Meltdown, Spectre, and other AttacksExploiting Modern Microarchitectures: Meltdown, Spectre, and other Attacks
Exploiting Modern Microarchitectures: Meltdown, Spectre, and other Attacks
 
Pwning in c++ (basic)
Pwning in c++ (basic)Pwning in c++ (basic)
Pwning in c++ (basic)
 
How We Reduced Performance Tuning Time by Orders of Magnitude with Database O...
How We Reduced Performance Tuning Time by Orders of Magnitude with Database O...How We Reduced Performance Tuning Time by Orders of Magnitude with Database O...
How We Reduced Performance Tuning Time by Orders of Magnitude with Database O...
 
Lockfree list
Lockfree listLockfree list
Lockfree list
 
Lifted-ElGamal暗号を用いた任意関数演算の二者間秘密計算プロトコルのmaliciousモデルにおける効率化
Lifted-ElGamal暗号を用いた任意関数演算の二者間秘密計算プロトコルのmaliciousモデルにおける効率化Lifted-ElGamal暗号を用いた任意関数演算の二者間秘密計算プロトコルのmaliciousモデルにおける効率化
Lifted-ElGamal暗号を用いた任意関数演算の二者間秘密計算プロトコルのmaliciousモデルにおける効率化
 
Ctfのためのpython入門
Ctfのためのpython入門Ctfのためのpython入門
Ctfのためのpython入門
 
Linux Binary Exploitation - Return-oritend Programing
Linux Binary Exploitation - Return-oritend ProgramingLinux Binary Exploitation - Return-oritend Programing
Linux Binary Exploitation - Return-oritend Programing
 
x86とコンテキストスイッチ
x86とコンテキストスイッチx86とコンテキストスイッチ
x86とコンテキストスイッチ
 
Jvm & Garbage collection tuning for low latencies application
Jvm & Garbage collection tuning for low latencies applicationJvm & Garbage collection tuning for low latencies application
Jvm & Garbage collection tuning for low latencies application
 
Jvm tuning for low latency application & Cassandra
Jvm tuning for low latency application & CassandraJvm tuning for low latency application & Cassandra
Jvm tuning for low latency application & Cassandra
 
From Query Plan to Query Performance: Supercharging your Apache Spark Queries...
From Query Plan to Query Performance: Supercharging your Apache Spark Queries...From Query Plan to Query Performance: Supercharging your Apache Spark Queries...
From Query Plan to Query Performance: Supercharging your Apache Spark Queries...
 
Scylla Summit 2022: Scylla 5.0 New Features, Part 1
Scylla Summit 2022: Scylla 5.0 New Features, Part 1Scylla Summit 2022: Scylla 5.0 New Features, Part 1
Scylla Summit 2022: Scylla 5.0 New Features, Part 1
 
暗認本読書会10
暗認本読書会10暗認本読書会10
暗認本読書会10
 

Similar to Triton and symbolic execution on gdb

Tool Up Your LAMP Stack
Tool Up Your LAMP StackTool Up Your LAMP Stack
Tool Up Your LAMP StackLorna Mitchell
 
Sista: Improving Cog’s JIT performance
Sista: Improving Cog’s JIT performanceSista: Improving Cog’s JIT performance
Sista: Improving Cog’s JIT performanceESUG
 
Groovy In the Cloud
Groovy In the CloudGroovy In the Cloud
Groovy In the CloudJim Driscoll
 
Code Analysis-run time error prediction
Code Analysis-run time error predictionCode Analysis-run time error prediction
Code Analysis-run time error predictionNIKHIL NAWATHE
 
Exploring Java Heap Dumps (Oracle Code One 2018)
Exploring Java Heap Dumps (Oracle Code One 2018)Exploring Java Heap Dumps (Oracle Code One 2018)
Exploring Java Heap Dumps (Oracle Code One 2018)Ryan Cuprak
 
To ∞ (~65K) and beyond! - Sebastiano Gottardo - Codemotion Milan 2016
To ∞ (~65K) and beyond! - Sebastiano Gottardo - Codemotion Milan 2016To ∞ (~65K) and beyond! - Sebastiano Gottardo - Codemotion Milan 2016
To ∞ (~65K) and beyond! - Sebastiano Gottardo - Codemotion Milan 2016Codemotion
 
Scala at Treasure Data
Scala at Treasure DataScala at Treasure Data
Scala at Treasure DataTaro L. Saito
 
¡El mejor lenguaje para automatizar pruebas!
¡El mejor lenguaje para automatizar pruebas!¡El mejor lenguaje para automatizar pruebas!
¡El mejor lenguaje para automatizar pruebas!Antonio Robres Turon
 
Dynamic Instrumentation- OpenEBS Golang Meetup July 2017
Dynamic Instrumentation- OpenEBS Golang Meetup July 2017Dynamic Instrumentation- OpenEBS Golang Meetup July 2017
Dynamic Instrumentation- OpenEBS Golang Meetup July 2017OpenEBS
 
BigQuery case study in Groovenauts & Dive into the DataflowJavaSDK
BigQuery case study in Groovenauts & Dive into the DataflowJavaSDKBigQuery case study in Groovenauts & Dive into the DataflowJavaSDK
BigQuery case study in Groovenauts & Dive into the DataflowJavaSDKnagachika t
 
Play Framework and Activator
Play Framework and ActivatorPlay Framework and Activator
Play Framework and ActivatorKevin Webber
 
Enter Cookbook: refactoring under a microscope
Enter Cookbook: refactoring under a microscopeEnter Cookbook: refactoring under a microscope
Enter Cookbook: refactoring under a microscopeKamil Samigullin
 
GR8Conf 2009: Practical Groovy DSL by Guillaume Laforge
GR8Conf 2009: Practical Groovy DSL by Guillaume LaforgeGR8Conf 2009: Practical Groovy DSL by Guillaume Laforge
GR8Conf 2009: Practical Groovy DSL by Guillaume LaforgeGR8Conf
 
[artifactconf] Github for People Who Don't Code
[artifactconf] Github for People Who Don't Code[artifactconf] Github for People Who Don't Code
[artifactconf] Github for People Who Don't CodeChristopher Schmitt
 
2013.02.02 지앤선 테크니컬 세미나 - Xcode를 활용한 디버깅 팁(OSXDEV)
2013.02.02 지앤선 테크니컬 세미나 - Xcode를 활용한 디버깅 팁(OSXDEV)2013.02.02 지앤선 테크니컬 세미나 - Xcode를 활용한 디버깅 팁(OSXDEV)
2013.02.02 지앤선 테크니컬 세미나 - Xcode를 활용한 디버깅 팁(OSXDEV)JiandSon
 
cinema_time_new.pdf
cinema_time_new.pdfcinema_time_new.pdf
cinema_time_new.pdfMaxDmitriev
 
Compiler Construction
Compiler ConstructionCompiler Construction
Compiler ConstructionAhmed Raza
 
Implementing a JavaScript Engine
Implementing a JavaScript EngineImplementing a JavaScript Engine
Implementing a JavaScript EngineKris Mok
 

Similar to Triton and symbolic execution on gdb (20)

Tool up your lamp stack
Tool up your lamp stackTool up your lamp stack
Tool up your lamp stack
 
Tool Up Your LAMP Stack
Tool Up Your LAMP StackTool Up Your LAMP Stack
Tool Up Your LAMP Stack
 
Sista: Improving Cog’s JIT performance
Sista: Improving Cog’s JIT performanceSista: Improving Cog’s JIT performance
Sista: Improving Cog’s JIT performance
 
Groovy In the Cloud
Groovy In the CloudGroovy In the Cloud
Groovy In the Cloud
 
Code Analysis-run time error prediction
Code Analysis-run time error predictionCode Analysis-run time error prediction
Code Analysis-run time error prediction
 
Exploring Java Heap Dumps (Oracle Code One 2018)
Exploring Java Heap Dumps (Oracle Code One 2018)Exploring Java Heap Dumps (Oracle Code One 2018)
Exploring Java Heap Dumps (Oracle Code One 2018)
 
To ∞ (~65K) and beyond! - Sebastiano Gottardo - Codemotion Milan 2016
To ∞ (~65K) and beyond! - Sebastiano Gottardo - Codemotion Milan 2016To ∞ (~65K) and beyond! - Sebastiano Gottardo - Codemotion Milan 2016
To ∞ (~65K) and beyond! - Sebastiano Gottardo - Codemotion Milan 2016
 
Scala at Treasure Data
Scala at Treasure DataScala at Treasure Data
Scala at Treasure Data
 
¡El mejor lenguaje para automatizar pruebas!
¡El mejor lenguaje para automatizar pruebas!¡El mejor lenguaje para automatizar pruebas!
¡El mejor lenguaje para automatizar pruebas!
 
Dynamic Instrumentation- OpenEBS Golang Meetup July 2017
Dynamic Instrumentation- OpenEBS Golang Meetup July 2017Dynamic Instrumentation- OpenEBS Golang Meetup July 2017
Dynamic Instrumentation- OpenEBS Golang Meetup July 2017
 
BigQuery case study in Groovenauts & Dive into the DataflowJavaSDK
BigQuery case study in Groovenauts & Dive into the DataflowJavaSDKBigQuery case study in Groovenauts & Dive into the DataflowJavaSDK
BigQuery case study in Groovenauts & Dive into the DataflowJavaSDK
 
Play Framework and Activator
Play Framework and ActivatorPlay Framework and Activator
Play Framework and Activator
 
Enter Cookbook: refactoring under a microscope
Enter Cookbook: refactoring under a microscopeEnter Cookbook: refactoring under a microscope
Enter Cookbook: refactoring under a microscope
 
React inter3
React inter3React inter3
React inter3
 
GR8Conf 2009: Practical Groovy DSL by Guillaume Laforge
GR8Conf 2009: Practical Groovy DSL by Guillaume LaforgeGR8Conf 2009: Practical Groovy DSL by Guillaume Laforge
GR8Conf 2009: Practical Groovy DSL by Guillaume Laforge
 
[artifactconf] Github for People Who Don't Code
[artifactconf] Github for People Who Don't Code[artifactconf] Github for People Who Don't Code
[artifactconf] Github for People Who Don't Code
 
2013.02.02 지앤선 테크니컬 세미나 - Xcode를 활용한 디버깅 팁(OSXDEV)
2013.02.02 지앤선 테크니컬 세미나 - Xcode를 활용한 디버깅 팁(OSXDEV)2013.02.02 지앤선 테크니컬 세미나 - Xcode를 활용한 디버깅 팁(OSXDEV)
2013.02.02 지앤선 테크니컬 세미나 - Xcode를 활용한 디버깅 팁(OSXDEV)
 
cinema_time_new.pdf
cinema_time_new.pdfcinema_time_new.pdf
cinema_time_new.pdf
 
Compiler Construction
Compiler ConstructionCompiler Construction
Compiler Construction
 
Implementing a JavaScript Engine
Implementing a JavaScript EngineImplementing a JavaScript Engine
Implementing a JavaScript Engine
 

More from Wei-Bo Chen

Ctf For Beginner
Ctf For BeginnerCtf For Beginner
Ctf For BeginnerWei-Bo Chen
 

More from Wei-Bo Chen (6)

Klee and angr
Klee and angrKlee and angr
Klee and angr
 
Python
PythonPython
Python
 
Some tips
Some tipsSome tips
Some tips
 
Ctf For Beginner
Ctf For BeginnerCtf For Beginner
Ctf For Beginner
 
Format String
Format StringFormat String
Format String
 
x86
x86x86
x86
 

Recently uploaded

Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessPixlogix Infotech
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 

Recently uploaded (20)

Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 

Triton and symbolic execution on gdb

  • 1. Triton and Symbolic execution on GDB bananaappletw @ HITCON 2017/08/26
  • 2. $whoami • 陳威伯(bananaappletw) • Master of National Chiao Tung University • Organizations: • Software Quality Laboratory • Bamboofox member • Vice president of NCTUCSC • Specialize in: • symbolic execution • binary exploit • Talks: • HITCON CMT 2015
  • 3. Outline • Why symbolic execution? • Symbolic execution? • Triton • SymGDB
  • 5. In the old days • Static analysis • Dynamic analysis
  • 7. Dynamic analysis • GDB • ltrace • strace
  • 9. What is symbolic execution? • Symbolic execution is a means of analyzing a program to determine what inputs cause each part of a program to execute • System-level • S2e(https://github.com/dslab-epfl/s2e) • User-level • Angr(http://angr.io/) • Triton(https://triton.quarkslab.com/) • Code-based • klee(http://klee.github.io/)
  • 10. Symbolic execution Z == 12 fail() "OK"
  • 11. Triton • Website: https://triton.quarkslab.com/ • A dynamic binary analysis framework written in C++. • developed by Jonathan Salwan • Python bindings • Triton components: • Symbolic execution engine • Tracer • AST representations • SMT solver Interface
  • 13. Symbolic execution engine • The symbolic engine maintains: • a table of symbolic registers states • a map of symbolic memory states • a global set of all symbolic references Step Register Instruction Set of symbolic expressions init eax = UNSET None ⊥ 1 eax = φ1 mov eax, 0 {φ1=0} 2 eax = φ2 inc eax {φ1=0,φ2=φ1+1} 3 eax = φ3 add eax, 5 {φ1=0,φ2=φ1+1,φ3=φ2+5}
  • 14. Triton Tracer • Tracer provides: • Current opcode executed • State context (register and memory) • Translate the control flow into AST Representations • Pin tracer support
  • 15. AST representations • Triton converts the x86 and the x86-64 instruction set semantics into AST representations • Triton's expressions are on SSA form • Instruction: add rax, rdx • Expression: ref!41 = (bvadd ((_ extract 63 0) ref!40) ((_ extract 63 0) ref!39)) • ref!41 is the new expression of the RAX register • ref!40 is the previous expression of the RAX register • ref!39 is the previous expression of the RDX register
  • 16. AST representations • mov al, 1 • mov cl, 10 • mov dl, 20 • xor cl, dl • add al, cl
  • 17. Static single assignment form(SSA form) • Each variable is assigned exactly once • y := 1 • y := 2 • x := y Turns into • y1 := 1 • y2 := 2 • x1 := y2
  • 18. Why SSA form? y1 := 1 (This assignment is not necessary) y2 := 2 x1 := y2 • When Triton process instructions, it could ignore some unnecessary instructions. • It saves time and memory.
  • 19. Symbolic variables • Imagine symbolic is a infection • Make ecx as symbolic variable • convertRegisterToSymbolicVariable(REG.ECX) • isRegisterSymbolized(REG.ECX) == True • test ecx, ecx (ZF = ECX & ECX = ECX) • je +7 (isRegisterSymbolized(REG.EIP) == True)(jump to nop if ZF=1) • mov edx, 0x64 • nop
  • 21. Example • Defcamp 2015 r100 • Program require to input the password • Password length could up to 255 characters
  • 24. Defcamp 2015 r100 • Set Architecture • Load segments into triton • Define fake stack ( RBP and RSP ) • Symbolize user input • Start to processing opcodes • Set constraint on specific point of program • Get symbolic expression and solve it
  • 27. Define fake stack ( RBP and RSP )
  • 30. Get symbolic expression and solve it
  • 31. Some problems of Triton • The whole procedure is too complicated • High learning cost to use Triton • With support of debugger, many steps could be simplified
  • 32. SymGDB • Repo: https://github.com/SQLab/symgdb • Symbolic execution support for GDB • Combined with: • Triton • GDB Python API • Symbolic environment • symbolize argv
  • 33. Design and Implementation • GDB Python API • Failed method • Successful method • Flow • SymGDB System Structure • Implementation of System Internals • Relationship between SymGDB classes • Supported Commands • Symbolic Execution Process in GDB • Symbolic Environment • symbolic argv • Debug tips
  • 34. GDB Python API • API: https://sourceware.org/gdb/onlinedocs/gdb/Python-API.html • Source python script in .gdbinit • Functionalities: • Register GDB command • Register event handler (ex: breakpoint) • Execute GDB command and get output • Read, write, search memory
  • 37. Execute GDB command and get output
  • 40. Failed method • At first, I try to use Triton callback to get memory and register values • Register callbacks: • needConcreteMemoryValue • needConcreteRegisterValue • Process the following sequence of code • mov eax, 5 • mov ebx,eax (Trigger needConcreteRegisterValue) • We need to set Triton context of eax
  • 42. Problems • Values from GDB are out of date • Consider the following sequence of code • mov eax, 5 • We set breakpoint here, and call Triton's processing() • mov ebx,eax (trigger callback to get eax value, eax = 5) • mov eax, 10 • mov ecx, eax (Trigger again, get eax = 5) • Because context state not up to date
  • 43. Tried solutions • Before needed value derived from GDB, check if it is not in the Triton's context yet Not working! Triton will fall into infinite loop
  • 44. Successful method • Copy GDB context into Triton • Load all the segments into Triton context • Symbolic execution won't affect original GDB state • User could restart symbolic execution from breakpoint
  • 45. Flow • Get debugged program state by calling GDB Python API • Get the current program state and yield to triton • Set symbolic variable • Set the target address • Run symbolic execution and get output • Inject back to debugged program state
  • 47. Implementation of System Internals • Three classes in the symGDB • Arch(), GdbUtil(), Symbolic() • Arch() • Provide different pointer size、register name • GdbUtil() • Read write memory、read write register • Get memory mapping of program • Get filename and detect architecture • Get argument list • Symbolic() • Set constraint on pc register • Run symbolic execution
  • 49. Supported Commands Command Option Functionality symbolize argv memory [address][size] Make symbolic target address Set target address triton None Run symbolic execution answer None Print symbolic variables debug symbolic gdb Show debug messages
  • 50. Symbolic Execution Process in GDB • gdb.execute("info registers", to_string=True) to get registers • gdb.selected_inferior().read_memory(address, length) to get memory • setConcreteMemoryAreaValue and setConcreteRegisterValue to set triton state • In each instruction, use isRegisterSymbolized to check if pc register is symbolized or not • Set target address as constraint • Call getModel to get answer • gdb.selected_inferior().write_memory(address, buf, length) to inject back to debugged program state
  • 51. Symbolic Environment: symbolic argv • Using "info proc all" to get stack start address • Examining memory content from stack start address • argc • argv[0] • argv[1] • …… • null • env[0] • env[1] • …… • null argc argument counter(integer) argv[0] program name (pointer) argv[1] program args (pointers) … argv[argc-1] null end of args (integer) env[0] environment variables (pointers) env[1] … env[n] null end of environment (integer)
  • 53. Demo • Examples • crackme hash • crackme xor • GDB commands • Combined with Peda
  • 54. crackme hash • Source: https://github.com/illera88/Ponce/blob/master/examples/crackme_h ash.cpp • Program will pass argv[1] to check function • In check function, argv[1] xor with serial(fixed string) • If sum of xored result equals to 0xABCD • print "Win" • else • print "fail"
  • 58. crackme xor • Source: https://github.com/illera88/Ponce/blob/master/examples/crackme_xor.cpp • Program will pass argv[1] to check function • In check function, argv[1] xor with 0x55 • If xored result not equals to serial(fixed string) • return 1 • print "fail" • else • go to next loop • If program go through all the loop • return 0 • print "Win"
  • 64. Combined with Peda • Same demo video of crackme hash • Using find(peda command) to find argv[1] address • Using symbolize memory argv[1]_address argv[1]_length to symbolic argv[1] memory
  • 66. Drawbacks • Triton doesn't support GNU c library • Why? • SMT Semantics Supported: https://triton.quarkslab.com/documentation/doxygen/SMT_Semanti cs_Supported_page.html • Triton has to implement system call interface to support GNU c library a.k.a. support "int 0x80"
  • 67. Triton versus Angr Difference Triton Angr Architecture support x86 amd64 x86 amd64 arm …… GNU c library support No Yes Path explore No Yes
  • 68. References • Wiki: https://en.wikipedia.org/wiki/Symbolic_execution • Triton: https://triton.quarkslab.com/ • GDB Python API: https://sourceware.org/gdb/onlinedocs/gdb/Python-API.html • Peda: https://github.com/longld/peda • Ponce: https://github.com/illera88/Ponce • Angr: http://angr.io/
  • 70. Q & A