Nullcon 2011- Behaviour Analysis with DBI

Presented at NullCon-Dwitiya (2011).
Title: Automatic Behavior Analysis with Dynamic Binary Instrumentation

  1. Automatic Program Analysis with Dynamic Binary Instrumentation
     Sunil Kumar (sunil.kumar@ivizsecurity.com)
     http://null.co.in/ http://nullcon.net/
  2. #whoami
     • Research Associate @ iViZ Techno Solutions
     • MCA (007) from Goa University, i.e. GUMCA07.
     • http://www.linkedin.com/in/sunilkr86
     • Twitter: @_skare, @_ice_22
  3. Sections
     • .program analysis
     • .dynamic behavior
     • .dynamic binary instrumentation
     • .Pin
     • .puncture
     • .conclusion
  4. program analysis
     • In computer science, program analysis is the process of automatically analysing the behaviour of computer programs. (http://en.wikipedia.org/wiki/Program_analysis)
     • Two approaches:
       – Static program analysis.
       – Dynamic program analysis.
  5. program analysis::Static Analysis
     • Static properties
       – Hash
       – Signature / byte patterns
       – Strings
     • Code analysis
     • Safe because we did not run it?
       – Mostly.
     • Matches the sample against known data (hashes, signatures, strings).
  6. program analysis::Static Analysis
     • One side of the coin.
     • May fail with:
       – Obfuscated strings.
       – Variants of a known sample.
       – Code in non-standard sections {.data, …}
       – Self-modifying code.
       – Brand-new samples (nothing known to match against).
  7. program analysis::Dynamic Analysis
     • a.k.a. Behavior Analysis
     • Let Us C ("see")
     • Dynamic properties
       – File operations
       – Registry operations
       – Network operations
       – Interaction with other processes…
     • Dangerous unless run in a controlled environment / sandbox.
  8. instrumentation
     • Instruments that record, analyze, summarize, organize, debate and explain information; that are illustrative or non-illustrative, hard-bound or paper-bound, jacketed or non-jacketed, with foreword, introduction, table of contents and index; that are intended for the enlightenment, understanding, enrichment, enhancement and education of the human brain through the sensory route of vision... sometimes touch!
  9. Dynamic Binary Instrumentation
     • Instrument code just before it runs (just in time).
     • No need to re-link.
     • Discovers code at runtime.
     • Handles dynamically generated code.
     • Can attach to a running process.
     • [cgo_2010_final.ppt]
  10. Pin
     • A Dynamic Binary Instrumentation engine based on the post-link optimizer "Spike".
     • Developed by Intel Corporation.
     • Oldest available release: Pin-2.6-24110, dated 13/01/2009.
     • Latest release: Pin-2.8-39028, dated 02/02/2011.
     • Alternatives: DynamoRIO, Valgrind
  11-12. Advantages of Pin
     • Provides a rich set of APIs in C/C++/assembly for creating instrumentation tools, a.k.a. PinTools.
     • Multiplatform:
       – Supports IA-32, IA64, Intel64
       – Supports Windows, Linux, Mac OS
     • Robust:
       – If you can run it, you can Pin it.
       – Multithreaded applications
       – Self-modifying code
       – Supports signals and exceptions
     • Efficient:
       – Compiler optimization and code inlining.
     • Bypasses debug protection: Pin is not a debugger, so checks built on the debugging API (IsDebuggerPresent and friends) do not trigger. (DEMO)
  13-15. Pin Capabilities
     • Insert code at arbitrary places in executable code.
     • Just-in-time compilation.
     • Automatic save/restore of registers to avoid interference with the application.
     • Dynamic code discovery.
     • Instrument anything ever executed* (*in user mode).
     • If Pin doesn't have it, you don't want it.
  16. but I do want these too…
     • Kernel mode
     • Isolated I/O
     • Handling of exceptions raised inside PinTools
  17. What's in it for me? What a PinTool can read and write:

     Read            Write
     Instructions    Instructions
     Operands        Operands
     Operations      Operations
     Methods         Methods
     Parameters      Parameters
     Return values   Return values
     Modules
  18. Pin Design (diagram slide, no text)
  19. Pin Workflow (diagram slide, no text)
  20. Pin Instrumentation Modes
     • JIT
       – Uses a code cache: application code runs only from the cache, never in place.
       – All instrumentation granularities.
       – Flexible.
     • Probe
       – Binary modified in place (the routine's entry is overwritten with a jump to the replacement).
       – Limited to routine-level instrumentation.
       – Less flexible.
       – Faster than JIT in some cases.
  21. Pin Instrumentation Granularities
     • INS (instruction)
     • BBL (basic block)
     • Trace
     • RTN (routine)
       – Requires symbol support: dbghelp.dll v6.11.1.404.
     • IMG (image)
  22. a Simple PinTool

```cpp
#include "pin.H"
#include <iostream>

// Image and Fini were not shown on the slide; minimal bodies added so the tool builds.
// Image is called once for every image (EXE/DLL) the application loads.
VOID Image(IMG img, VOID *v) { std::cerr << "Loaded " << IMG_Name(img) << std::endl; }

// Fini is called when the application exits.
VOID Fini(INT32 code, VOID *v) { std::cerr << "Exit code " << code << std::endl; }

int main(int argc, char *argv[])
{
    if (PIN_Init(argc, argv)) return -1;  // parse Pin and tool command-line options
    IMG_AddInstrumentFunction(Image, 0);  // register image-level instrumentation callback
    PIN_AddFiniFunction(Fini, 0);         // register exit callback
    PIN_StartProgram();                   // hand control to the application; never returns
    return 0;
}
```
  23. .puncture
     • A PinTool for behavior analysis.
     • 3 stages:
       – A text file of call logs.
       – XML of categorized events.
       – HTML report = XML + XSL + CSS
     • Instrumentation methods:
       – Instrumentation at boundary
       – ReplaceSignature
  24. Instrumentation at Boundary, unpinned (conceptual view): FOO calls BAAR(x,x); BAAR does its work and returns (retn) to FOO.
  25. Instrumentation at Boundary, pinned (conceptual view): FOO calls BAAR; Pin runs b4BAAR(W,x,Z) before BAAR's first instruction, then BAAR(x,x) itself, then afterBAAR(X,Y,Z) at the return, and control goes back to FOO.
  26. ReplaceSignature, unpinned (conceptual view): FOO executes "call BAAR"; BAAR runs and returns (retn).
  27. ReplaceSignature, pinned (conceptual view): FOO's "call BAAR" lands in wrappedBAAR instead; wrappedBAAR invokes the original BAAR through PIN_CallApplicationFunction and then returns to FOO.
  28. Logger Requirements
     • 3 modules:
       – Registry logger (ADVAPI32.DLL)
       – File logger (KERNEL32.DLL)
       – Network logger (WS2_32.DLL)
     • Final output:
       – A PinTool: call log in plain text.
       – PinParser: raw text => XML
       – XSLT + CSS + JS for visualization
     • [DEMO]
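Stage 2 of the pipeline on slides 23 and 28 (raw call log to categorized XML), as an added C++ example that is not the talk's PinParser: the log-line format `MODULE!Function(arg, ...) = ret`, the category names and the sample log lines are all assumptions constructed here; the module-to-category mapping follows the three logger modules on slide 28. The escaping step is the part a practitioner should not skip: every path, key name and value in the log was chosen by the analysed program, and the HTML report of stage 3 is rendered from exactly these strings.

```cpp
// Added example (not the talk's PinParser): turn the plain-text call log of
// stage 1 into categorized XML events for stage 3. The line format
//   MODULE!Function(arg1, arg2, ...) = retval
// is an assumption; the deck does not show what its PinTool writes.
#include <cctype>
#include <iostream>
#include <sstream>
#include <string>
#include <vector>

struct Event {
    std::string category, module, function, ret; // category: file/registry/network/other
    std::vector<std::string> args;               // raw argument text, quotes kept
};

// Module -> category, one category per logger module on slide 28.
std::string categorize(const std::string &module) {
    std::string m;
    for (char c : module) m += static_cast<char>(std::toupper(static_cast<unsigned char>(c)));
    if (m == "KERNEL32.DLL") return "file";
    if (m == "ADVAPI32.DLL") return "registry";
    if (m == "WS2_32.DLL")   return "network";
    return "other";
}

std::string trim(const std::string &s) {
    size_t b = s.find_first_not_of(" \t\r\n");
    if (b == std::string::npos) return "";
    return s.substr(b, s.find_last_not_of(" \t\r\n") - b + 1);
}

// Parse one log line; returns false for lines that do not match the format.
bool parseLogLine(const std::string &line, Event &ev) {
    size_t bang = line.find('!');
    if (bang == std::string::npos) return false;
    size_t open = line.find('(', bang), close = line.rfind(')');
    if (open == std::string::npos || close == std::string::npos || close < open) return false;
    ev.module = trim(line.substr(0, bang));
    ev.function = trim(line.substr(bang + 1, open - bang - 1));
    ev.category = categorize(ev.module);
    ev.args.clear();
    // Split on commas outside double quotes, so a quoted path or registry
    // value that itself contains ',' or ')' stays one argument.
    std::string cur;
    bool quoted = false;
    for (size_t i = open + 1; i < close; ++i) {
        char c = line[i];
        if (c == '"') quoted = !quoted;
        if (c == ',' && !quoted) { ev.args.push_back(trim(cur)); cur.clear(); }
        else cur += c;
    }
    if (!trim(cur).empty()) ev.args.push_back(trim(cur));
    std::string rest = trim(line.substr(close + 1));
    ev.ret = (!rest.empty() && rest[0] == '=') ? trim(rest.substr(1)) : "";
    return true;
}

std::vector<Event> parseLog(const std::string &log) {
    std::vector<Event> events;
    std::istringstream in(log);
    std::string line;
    while (std::getline(in, line)) {
        Event ev;
        if (parseLogLine(line, ev)) events.push_back(ev);
    }
    return events;
}

// Every string reaching this point was chosen by the analysed program.
// Without escaping, a crafted file name breaks the XML or injects markup
// into the HTML report built from it.
std::string xmlEscape(const std::string &s) {
    std::string out;
    for (char c : s) {
        switch (c) {
            case '&':  out += "&amp;";  break;
            case '<':  out += "&lt;";   break;
            case '>':  out += "&gt;";   break;
            case '"':  out += "&quot;"; break;
            case '\'': out += "&apos;"; break;
            default:   out += c;
        }
    }
    return out;
}

std::string toXml(const std::vector<Event> &events) {
    std::ostringstream x;
    x << "<events>\n";
    for (const Event &e : events) {
        x << "  <event category=\"" << xmlEscape(e.category) << "\" module=\""
          << xmlEscape(e.module) << "\" function=\"" << xmlEscape(e.function) << "\">\n";
        for (size_t i = 0; i < e.args.size(); ++i)
            x << "    <arg index=\"" << i << "\">" << xmlEscape(e.args[i]) << "</arg>\n";
        if (!e.ret.empty()) x << "    <ret>" << xmlEscape(e.ret) << "</ret>\n";
        x << "  </event>\n";
    }
    x << "</events>\n";
    return x.str();
}

// Constructed sample log, not captured from a real run.
const char *SAMPLE_LOG =
    "KERNEL32.DLL!CreateFileW(\"C:\\dropper.exe\", 0x40000000, 0, 0, 2, 0x80, 0) = 0x5c\n"
    "ADVAPI32.DLL!RegSetValueExW(0x1a4, \"<script>alert(1)</script>\", 0, 1, 0x3f8, 32) = 0\n"
    "WS2_32.DLL!connect(0x1b0, 0x12f7e4, 16) = 0\n"
    "a line the logger did not write in this format\n";

int main() {
    std::cout << toXml(parseLog(SAMPLE_LOG));
    return 0;
}
```

Build with any C++11 compiler and run; the output is the `<events>` document that the XSL + CSS stage would style. Lines that do not match the format are dropped rather than guessed at, and the escaping is applied to attributes and element text alike, so the second sample line comes out as `&lt;script&gt;...` instead of live markup.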
  29. .conclusion
     • Although DBI frameworks like Pin were primarily developed for performance testing and optimization, code coverage, etc., they have enough capabilities to be used as software security research tools too.
  30. Contacts
     • Pin: http://www.pintool.org
     • Pin user group: pinheads (Yahoo Groups)
     • Me: badboy16a@gmail.com
  31. Thanks…
