Light And Dark Side Of Code Instrumentation

1,603 views

Published on

Published in: Technology
0 Comments
2 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
1,603
On SlideShare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
43
Comments
0
Likes
2
Embeds 0
No embeds

No notes for slide

Light And Dark Side Of Code Instrumentation

  1. 1. Light and Dark side of Code Instrumentation Dmitriy “D1g1″ Evdokimov DSecRG, Security Researcher
  2. 2. #whoami• Security Researcher in DSecRG – RE – Fuzzing – Mobile security• Organizer: DCG #7812• Editor in “XAKEP”Digital Security Positive Hack Days 2012 2
  3. 3. Agenda1. Instrumentation .2. Instrumentation ..3. Instrumentation …4. Instrumentation ….5. Instrumentation …..6. Instrumentation ……7. Instrumentation …….Digital Security Positive Hack Days 2012 3
  4. 4. Intro“It has been proved by scientists that a new point of evolution, any technical progress appears when a Man makes up a new type of tool, but not a product.”Digital Security Positive Hack Days 2012 4
  5. 5. InstrumentationInstrumentation is a technique adding extra code to an program/environment for monitoring/change some program behavior. Environment Program Program Own Own extra extra code codeDigital Security Positive Hack Days 2012 5
  6. 6. Why is it necessary? Parallel optimization Simulation Memory debugging Virtualization Emulation Software profiling Performance analysis Testing Automated debugging Correctness checking Error detection Collecting code metrics Binary translation Optimization Memory leak detectionDigital Security Positive Hack Days 2012 6
  7. 7. Instrumentation in information security Control flow analysis Security test case generation Unpack Code coverage Virtual patching Malware analysis Vulnerability detection Privacy monitoring Taint analysis Antivirus technology Sandboxing Program shepherding Data flow analysis Shellcode detection Deobfuscation Fuzzing Reverse engineering Behavior based security Forensic Transparent debugging Data Structure Restoring Security enforcementDigital Security Positive Hack Days 2012 7
  8. 8. Analysis Criterion Static analysis Dynamic analysis Code vs. data Problem No problem Code coverage Big (but not all) One way Information about values No information All information Self-modifying code Problem No problem Interaction with the No Yes environment Unused code Analysis No analysis JIT code Problem No problemDigital Security Positive Hack Days 2012 8
  9. 9. Code Discovery MemoryAfter static analysis 0101010110101001010010 Instr 1 After dynamic analysis 0101010101101010101010 Instr 2 Instr 3 1111010101110101000111 jump reg InstrDATA 4 Instr 1011100111001010101011 5 Instr 4 6 Instr Instr 7 5 jmp 0x0ABCD PADDING 0111010110100111100110 Instr 7 cont. Instr 8 1010101101110001001011 Instr 9 Instr 6 10 Instr Digital Security Positive Hack Days 2012 9
  10. 10. The general scheme of code instrumentation1. Find points of instrumentation;2. Insert instrumentation;3. Take control from program;4. Save context of the program;5. Execute own code;6. Restore context of the program;7. Return control to program.Digital Security Positive Hack Days 2012 10
  11. 11. Source Data Source data Source code Byte code Binary codeDigital Security Positive Hack Days 2012 11
  12. 12. Classification of target instrumentation Instrumentation With source code Without source code Source code Byte code Binary code Linker/Compiler Byte code Executable file Interpreter/VM Process Environment Dynamic binary instrumentation Static binary modification Byte code instrumentation Link-time/Compilation-time Source code instrumentation Environment - Static instrumentation Hardware - Load-timeDigital- Dynamic Security Positive Hack Days 2012 12
  13. 13. Source code instrumentation• Source code* – Source code instrumentation • Manual skills • Plugins for IDE – Link-time/Compilation-time instrumentation • Options of linker/compiler• Tools: Visual Studio Profiler, gcc, TAU, OPARI, Diablo, Phoenix, LLVM, Rational Purify, Valgrind *Unreal condition for security specialist =)Digital Security Positive Hack Days 2012 13
  14. 14. Unmoral programmingDigital Security Positive Hack Days 2012 14
  15. 15. Byte code instrumentationByte code – intermediate representation between source code and machine code. … Java VM Dalvik VM AVM/AVM2 CLRDigital Security Positive Hack Days 2012 15
  16. 16. Instrumentation byte-code (I) Source code Compilation Byte-code Load Virtual machine Loader JIT Lib Execute Lib Lib Machine codeDigital Security Positive Hack Days 2012 16
  17. 17. Instrumentation byte code (II)• Byte-code – Static instrumentation • Static byte code instrumentation – Load-time instrumentation • Custom byte code loader – Dynamic instrumentation • Dynamic byte code instrumentationDigital Security Positive Hack Days 2012 17
  18. 18. Instrumentation Java (I) Mechanisms: • java.lang.instrument package; • Java Platform Debugger Architecture (JPDA) .Digital Security Positive Hack Days 2012 18
  19. 19. Instrumentation Java (II)• Static instrumentation – Modification *.class files• Load-time instrumentation – ClassFileLoadHook – Custom ClassLoader• Dynamic instrumentation – ClassFileLoadHook -> RetransformClassesTools: Javassist, ObjectWeb ASM, BCEL, JOIE, reJ JavaSnoop, Serp, JManglerDigital Security Positive Hack Days 2012 19
  20. 20. Instrumentation .NET• Static instrumentation – Modification DLL files• Load-time instrumentation – AppDomain.Load()/Assembly.Load() – Joint redirection – Via event handlerTools: ReFrameworker, MBEL, RAIL, CecilDigital Security Positive Hack Days 2012 20
  21. 21. Instrumentation ActionScript (I)• ActionScript2 – AVM – Tags that (can) contain bytecode: • DefineButton (7), DefineButton2 (34), DefineSprite (39), DoAction (12), DoInitAction (59), PlaceObject2 (26), PlaceObject3 (70).• ActionScript3 – AVM2 – Tags that (can) contain bytecode: • DoABC (82), RawABC (72).Digital Security Positive Hack Days 2012 21
  22. 22. AVM2 Architecture AS3 .abc function (x:int):int { return x+10 } .abc parser MIR JIT Compiler .abc @1 arg +8// argv getlocal 1 Verifier Bytecode MIR Code Generator @2 load [@1+4] pushint 10 @3 imm 10 add @4 add (@2,@3) returnvalue Interpreter MD Code Generator @5 ret @4 // @4:eax (x86, PPC, ARM, etc.) x86 Runtime System (Type System, Object Model) mov eax,(eap+8) mov eax,(eax+4) add eax,10 Memory Manager/Garbage Collector retDigital Security Positive Hack Days 2012 22
  23. 23. Instrumentation ActionScript (I) AVM tag Original SWF file Header TagsInstrumentetedSWF file Digital Security Positive Hack Days 2012 23
  24. 24. Instrumentation AVM (II)• Static instrumentation – Add : • trace() • dump() • debug() • debugfile() • debugline() – Modification: • Create own class + change class name = hook!Digital Security Positive Hack Days 2012 24
  25. 25. Instrumentation binary code• The executable file • Environment – Static code instrumentation – Modifying call table • Static binary instrumentation • IDT, CPU MSRs, GDT, SSDT,• Process IRP тable – Debuggers • … • Debugging API – Modifying OS options – Modifying call table/other structure • SHIM • IAT • LD_PRELOAD • … • AppInt_DLLs – Dynamic code instrumentation • DLL injection • Dynamic binary instrumentation • …• Hardware – Reproduction of the – Hardware debug features environment • Debug registers • Emulation • Hardware debuggers • Virtualization • …Digital Security Positive Hack Days 2012 25
  26. 26. Static Binary Instrumentation (I)Static binary instrumentation/Physical code integration/Static binary code rewriting Edited Header Header• Realization: Segment of Segment of code code – With reallocation: Segment of Segment of • Level of segment; data data • Level of function; Extra segment of code – Without reallocation. Extra segment of dataDigital Security Positive Hack Days 2012 26
  27. 27. Static Binary Instrumentation (II)Reallocation:1) Function Displacement + Entry Point Linking;2) Branch Conversion;3) Instruction Padding;4) Instrumentation. Tools: DynInst, EEL, ATOM, PEBIL, ERESI, TAU, Vulcan, BIRD, Aslan(4514N)Digital Security Positive Hack Days 2012 27
  28. 28. Debuggers• Breakpoints: • Software App Debugger • Hardware• Debugger + scripting: OS • WinDBG + pykd • OllyDBG + python = Immunity Debuggers Processor • GDB + PythonGDB• Python librarys*: Buggery, IDAPython, ImmLIB, lldb, PyDBG, PyDbgEng, pygdb , python-ptrace , vtrace, WinAppDbg, … *See “Python Arsenal for Reverse Engineering”Digital Security Positive Hack Days 2012 28
  29. 29. Dynamic Binary InstrumentationDynamic binary instrumentation/Virtual code integration/Dynamic binary rewriting DBI App1 App2 OS ProcessorTools: PIN, DynamoRIO, DynInst, Valgrind, BAP, KEDR, Fit, ERESI, Detour, Vulcan, SpiderPigDigital Security Positive Hack Days 2012 29
  30. 30. Dynamic Binary Instrumentation• Dynamic Binary Instrumentation (DBI) is a process control andanalysis technique that involves injecting instrumentation codeinto a running process.• Dynamic binary analysis (DBA) tools such as profilers andcheckers help programmers create better software.• Dynamic binary instrumentation (DBI) frameworks make it easyto build new DBA tools.•DBA tools consist: – instrumentation routines; – analysis routines.Digital Security Positive Hack Days 2012 30
  31. 31. Kinds of DBIMode: Mode of work: – user-mode; - Start to finish; – kernel-mode. - Attach. FunctionalityModes of execution: JIT – Interpretation-mode; – Probe-mode; Probe – JIT-mode. PerformanceDigital Security Positive Hack Days 2012 31
  32. 32. DBI Frameworks* Frameworks OS Arch Modes FeaturesPIN Linux, x86, x86-64, JIT, Probe Attach mode Windows, Itanium, ARM MacOSDynamoRIO Linux, x86, x86-64 JIT, Probe Runtime Windows optimizationDynInst Linux, x86, x86-64, Probe Static & FreeBSD, ppc32, ARM, Dynamic binary Windows ppc64 instrumentationValgrind Linux, MacOS x86, x86-64, JIT IR – VEX, ppc32, ARM, Heavyweight ppc64 DBA tools *For more details see “DBI:Intro” presentation from ZeroNights conferenceDigital Security Positive Hack Days 2012 32
  33. 33. Start work with DBIDigital Security Positive Hack Days 2012 33
  34. 34. Levels of granularity• Instruction;• Basic Block*;• Trace/Superblock;• Function;• Section;• Events;• Binary image.Digital Security Positive Hack Days 2012 34
  35. 35. Self-modifying code & DBIDetect: – Written-protecting code pages – Checking store address – Inserting extra codeDigital Security Positive Hack Days 2012 35
  36. 36. Overhead O=X+Y Y = N*Z Z = K+LO – Tool Overhead;X – Instrumentation Routines Overhead;Y – Analysis Routines Overhead;N – Frequency of Calling Analysis Routine;Z – Work Performed in the Analysis Routine;K – Work Required to Transition to Analysis Routine;L – Work Performed Inside the Analysis Routine.Digital Security Positive Hack Days 2012 36
  37. 37. Rewriting instructions• Platforms: – with fixed-length instruction; – with variable-length instructions.Digital Security Positive Hack Days 2012 37
  38. 38. Rewriting code (I)• Easy / simple / boring / regular example – Rewriting prolog functionDigital Security Positive Hack Days 2012 38
  39. 39. Rewriting code (II)• Hardcore example: – Mobile phone firmware rewriting Bootloader reboot Flash SHELLCODE 1 AMSS Malicious SMS GSM Baseband processorDigital Security Positive Hack Days 2012 39
  40. 40. Instrumentation in ARMARM modes: – ARM • Length(instr) = 4 byte – Thumb • Length(instr) = 2 byte – Thumb2 • Length(instr) = 2/4 byte – Jazzle For more detail see “A Dynamic Binary Instrumentation Engine for the ARM Architecture” presentation.Digital Security Positive Hack Days 2012 40
  41. 41. Emulation App1 OS Emulator OS ProcessorDigital Security Positive Hack Days 2012 41
  42. 42. Instrumentation & Bochs• Bochs can be called with instrumentation support.• C++ callbacks occur when certain events happen: – Poweron/Reset/Shutdown; – Branch Taken/Not Taken/Unconditional; – Opcode Decode (All relevant fields, lengths); – Interrupt /Exception; – Cache /TLB Flush/Prefetch; – Memory Read/Write.• “bochs-python-instrumentation” patch by Ero CarreraDigital Security Positive Hack Days 2012 42
  43. 43. Virtualization App1 OS App1 OS VMM VMM OS Processor Processor Native VMM Hosted VMM *VMM - Virtual Machine MonitorDigital Security Positive Hack Days 2012 43
  44. 44. Instrumentation & virtualizationStages:1. Save the VM-exit reason information in the VMCS;2. Save guest context information;3. Load the host-state area;4. Transfer control to the hypervisor;5. Run own code.*VMCS - Virtual Machine Control StructureDigital Security Positive Hack Days 2012 44
  45. 45. Instrumentation in Mobile World Mobile Platform Language Executable file format Android Java Dex iOS Objective-C Mach-O Windows Phone .NET PEDigital Security Positive Hack Days 2012 45
  46. 46. ConclusionOne can implement instrumentation of everything! Digital Security Positive Hack Days 2012 46
  47. 47. ContactTwitter: @evdokimovdsE-mail: d.evdokimov@dsecrg.comDigital Security Positive Hack Days 2012 47

×