Nullcon 2011- Behaviour Analysis with DBI

  1. Automatic Program Analysis with Dynamic Binary Instrumentation
     Sunil Kumar (sunil.kumar@ivizsecurity.com)
     http://null.co.in/ http://nullcon.net/
  2. #whoami
     - Research Associate @ iViZ Techno Solutions
     - MCA (007) from Goa University, i.e. GUMCA07
     - http://www.linkedin.com/in/sunilkr86
     - Twitter: @_skare; @_ice_22
  3. Sections
     - .program analysis
     - .dynamic behavior
     - .dynamic binary instrumentation
     - .Pin
     - .puncture
     - .conclusion
  4. program analysis
     - In computer science, program analysis is the process of automatically analysing the behaviour of computer programs. (http://en.wikipedia.org/wiki/Program_analysis)
     - Two approaches:
       - Static Program Analysis
       - Dynamic Program Analysis
  5. program analysis::Static Analysis
     - Static properties: hash, signature/byte patterns, strings
     - Code analysis
     - Safe because we did not run it? Mostly.
     - Match against known data.
  6. program analysis::Static Analysis
     - One side of the coin.
     - May fail with:
       - Obfuscated strings
       - Variants
       - Code in non-standard sections {.data, ...}
       - Self-modifying code
       - Brand-new samples
  7. program analysis::Dynamic Analysis
     - a.k.a. Behavior Analysis
     - Let Us C ("see")
     - Dynamic properties:
       - File operations
       - Registry operations
       - Network operations
       - Interaction with other processes...
     - Dangerous unless run in a controlled environment / sandbox.
  8. instrumentation
     - Instruments that record, analyze, summarize, organize, debate and explain information; that are illustrative or non-illustrative, hard-bound or paperback, jacketed or non-jacketed, with foreword, introduction, table of contents and index; that are intended for the enlightenment, understanding, enrichment, enhancement and education of the human brain through the sensory route of vision... sometimes touch!
  9. Dynamic Binary Instrumentation
     - Instrument code just before it runs (Just In Time).
     - No need to re-link.
     - Discover code at runtime.
     - Handle dynamically generated code.
     - Attach to a running process.
     - [cgo_2010_final.ppt]
  10. Pin
     - A Dynamic Binary Instrumentation engine based on the post-link optimizer "Spike".
     - Developed by Intel Corporation.
     - Oldest available release: Pin-2.6-24110, dated 13/01/2009.
     - Latest release: Pin-2.8-39028, dated 02/02/2011.
     - Alternatives: DynamoRIO, Valgrind
  11-12. Advantages of Pin
     - Provides a rich set of APIs in C/C++/Assembly for creating instrumentation tools, a.k.a. PinTools.
     - Multiplatform:
       - Supports IA-32, IA64, Intel64
       - Supports Windows, Linux, MacOS
     - Robust:
       - If you can run it, you can Pin it.
       - Multithreaded applications
       - Self-modifying code
       - Supports signals and exceptions
     - Efficient:
       - Compiler optimization and code inlining.
     - Bypass debug protection. (DEMO)
  13-15. Pin Capabilities
     - Insert code at arbitrary places in executable code.
     - Just-In-Time compilation
     - Automatic save/restore of registers to avoid interference.
     - Dynamic code discovery.
     - Instrument anything ever executed* (*user mode).
     - If Pin doesn't have it, you don't want it.
  16. but I do want these too...
     - Kernel mode
     - Isolated I/O
     - Handling exceptions of PinTools
  17. What for me but?

      | Read          | Write         |
      |---------------|---------------|
      | Instructions  | Instructions  |
      | Operands      | Operands      |
      | Operations    | Operations    |
      | Methods       | Methods       |
      | Parameters    | Parameters    |
      | Return Values | Return Values |
      | Modules       |               |

  18. Pin Design (diagram)
  19. Pin Workflow (diagram)
  20. Pin Instrumentation Modes
     - JIT
       - Uses a code cache
       - All instrumentation granularities
       - Flexible
     - Probe
       - Binary modified in place
       - Limited to routine-level instrumentation
       - Less flexible
       - Faster than JIT in some cases
  21. Pin Instrumentation Granularities
     - INS
     - BBL
     - Trace
     - RTN (requires symbol support: dbghelp.dll v6.11.1.404)
     - IMG
  22. a Simple PinTool

```cpp
#include "pin.H"
#include <iostream>

// Image-load callback: runs once for each EXE/DLL as Pin loads it.
VOID Image(IMG img, VOID *v) {
    std::cerr << "Loaded image: " << IMG_Name(img) << std::endl;
}
// Fini callback: runs when the instrumented application exits.
VOID Fini(INT32 code, VOID *v) {
    std::cerr << "Application exited with code " << code << std::endl;
}

int main(int argc, char *argv[]) {
    if (PIN_Init(argc, argv)) return -1;  // parse Pin's own command line
    IMG_AddInstrumentFunction(Image, 0);  // register image-load instrumentation
    PIN_AddFiniFunction(Fini, 0);         // register exit handler
    PIN_StartProgram();                   // never returns
    return 0;
}
```
  23. .puncture
     - A PinTool for behavior analysis.
     - 3 stages:
       - A text file of call logs.
       - XML of categorized events.
       - HTML report = XML + XSL + CSS
     - Instrumentation methods:
       - Instrumentation at boundary
       - ReplaceSignature
  24. Instrumentation at Boundary: UnPinned (conceptual view)
     - FOO calls BAAR(x,x); BAAR runs its body and returns (retn) to FOO.
  25. Instrumentation at Boundary: Pinned (conceptual view)
     - FOO calls BAAR; Pin runs b4BAAR(W,x,Z) before BAAR's body, then BAAR(x,x) itself, then afterBAAR(X,Y,Z) just before the return to FOO.
  26. ReplaceSignature: UnPinned (conceptual view)
     - FOO: call BAAR; BAAR: retn.
  27. ReplaceSignature: Pinned (conceptual view)
     - FOO's call to BAAR is redirected to wrappedBAAR; wrappedBAAR invokes the original BAAR via PIN_CallApplicationFunction and then returns (retn) to FOO.
  28. Logger Requirements
     - 3 modules:
       - Registry Logger (ADVAPI32.DLL)
       - File Logger (KERNEL32.DLL)
       - Network Logger (WS2_32.DLL)
     - Final output:
       - A PinTool: call log in plain text.
       - PinParser: raw text => XML
       - XSLT + CSS + JS for visualization
     - [DEMO]
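The PinParser stage (plain-text call log to categorized XML, grouped by the three logger modules above) as an added Python example; this is not puncture's own code, and the log-line format, the API names and the sample lines are constructed for illustration.

```python
"""Toy PinParser stage: plain-text call log -> categorized XML events."""
import re
import xml.etree.ElementTree as ET

# Module -> event category, following puncture's three logger modules.
CATEGORIES = {
    "ADVAPI32.DLL": "Registry",
    "KERNEL32.DLL": "File",
    "WS2_32.DLL": "Network",
}
# Assumed log-line format (the real tool's format is not shown on the slides):
#   MODULE!Api(arg=value, ...) = retval
LINE_RE = re.compile(r"^(?P<mod>[^!\s]+)!(?P<api>\w+)\((?P<args>.*)\) = (?P<ret>\S+)$")
ARG_RE = re.compile(r'(\w+)=("[^"]*"|[^,]+)')  # quoted values may contain commas

# Constructed sample call log, not output of the real tool.
SAMPLE_LOG = """\
KERNEL32.DLL!CreateFileW(lpFileName="C:\\Temp\\note, v2.txt", dwDesiredAccess=0x40000000) = 0x1a4
ADVAPI32.DLL!RegSetValueExW(hKey=0x80000001, lpValueName="Updater") = 0x0
WS2_32.DLL!connect(s=0x1c8, name=192.0.2.10:443) = 0x0
garbage line that does not match the format
USER32.DLL!MessageBoxW(hWnd=0x0) = 0x1
"""

def parse_log(text):
    """Return one event dict per well-formed line; unknown modules -> 'Other'."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip anything the logger did not produce
        args = {k: v.strip('"') for k, v in ARG_RE.findall(m["args"])}
        events.append({"category": CATEGORIES.get(m["mod"].upper(), "Other"),
                       "module": m["mod"], "api": m["api"],
                       "args": args, "ret": m["ret"]})
    return events

def to_xml(events):
    """Group events by category: <report><File><call ...><arg name=..>v</arg>."""
    root = ET.Element("report")
    groups = {}
    for ev in events:
        if ev["category"] not in groups:
            groups[ev["category"]] = ET.SubElement(root, ev["category"])
        call = ET.SubElement(groups[ev["category"]], "call",
                             module=ev["module"], api=ev["api"], ret=ev["ret"])
        for name, value in ev["args"].items():
            ET.SubElement(call, "arg", name=name).text = value
    return ET.tostring(root, encoding="unicode")
```

`to_xml(parse_log(SAMPLE_LOG))` yields the categorized XML that the XSLT + CSS + JS stage would render; lines that do not match the logger format are dropped rather than guessed at.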
  29. .conclusion
     - Although DBI frameworks like Pin were primarily developed for performance testing and optimization, code coverage, etc., they have enough capabilities to be used as software security research tools too.
  30. Contacts
     - Pin: http://www.pintool.org
     - Pin user group: pinheades@yahoo-groups
     - Me: badboy16a@gmail.com
  31. Thanks...
