SlideShare a Scribd company logo

Dmitriy evdokimov. light and dark side of code instrumentation

Yury Chemerkin
Yury Chemerkin
Technology
1 of 48
Download to read offline
Light and Dark side of Code Instrumentation Dmitriy “D1g1″ Evdokimov DSecRG, Security Researcher
#whoami • Security Researcher in DSecRG – RE – Fuzzing – Mobile security • Organizer: DCG #7812 • Editor in “XAKEP” www.dsecrg.com CONFidence Krakow 2012 2
Agenda 1. Instrumentation . 2. Instrumentation .. 3. Instrumentation … 4. Instrumentation …. 5. Instrumentation ….. 6. Instrumentation …… 7. Instrumentation ……. www.dsecrg.com CONFidence Krakow 2012 3
Intro “It has been proved by scientists that a new point of evolution, any technical progress appears when a Man makes up a new type of tool, but not a product.” www.dsecrg.com CONFidence Krakow 2012 4
Instrumentation Instrumentation is a technique adding extra code to an program/environment for monitoring/change some program behavior. Environment Program Program Own Own extra extra code code www.dsecrg.com CONFidence Krakow 2012 5
Why is it necessary? Parallel optimization Simulation Memory debugging Virtualization Emulation Software profiling Performance analysis Testing Automated debugging Correctness checking Error detection Collecting code metrics Binary translation Optimization Memory leak detection www.dsecrg.com CONFidence Krakow 2012 6
Instrumentation in information security Control flow analysis Security test case generation Unpack Code coverage Virtual patching Malware analysis Vulnerability detection Privacy monitoring Taint analysis Antivirus technology Sandboxing Program shepherding Data flow analysis Shellcode detection Deobfuscation Fuzzing Reverse engineering Behavior based security Forensic Transparent debugging Data Structure Restoring Security enforcement www.dsecrg.com CONFidence Krakow 2012 7
Analysis Criterion Static analysis Dynamic analysis Code vs. data Problem No problem Code coverage Big (but not all) One way Information about values No information All information Self-modifying code Problem No problem Interaction with the No Yes environment Unused code Analysis No analysis JIT code Problem No problem www.dsecrg.com CONFidence Krakow 2012 8
Code Discovery Memory After static analysis 0101010110101001010010 Instr 1 After dynamic analysis 0101010101101010101010 Instr 2 Instr 3 1111010101110101000111 jump reg InstrDATA 4 Instr 1011100111001010101011 5 Instr 4 6 Instr Instr 7 5 jmp 0x0ABCD PADDING 0111010110100111100110 Instr 7 cont. Instr 8 1010101101110001001011 Instr 9 Instr 6 10 Instr www.dsecrg.com CONFidence Krakow 2012 9
The general scheme of code instrumentation 1. Find points of instrumentation; 2. Insert instrumentation; 3. Take control from program; 4. Save context of the program; 5. Execute own code; 6. Restore context of the program; 7. Return control to program. www.dsecrg.com CONFidence Krakow 2012 10
Source Data Source data Source code Byte code Binary code www.dsecrg.com CONFidence Krakow 2012 11
Classification of target instrumentation Instrumentation With source code Without source code Source code Byte code Binary code Linker/Compiler Byte code Executable file Interpreter/VM Process Environment Dynamic binary instrumentation Static binary modification Byte code instrumentation Link-time/Compilation-time Source code instrumentation Environment - Static instrumentation Hardware - Load-time - Dynamic www.dsecrg.com CONFidence Krakow 2012 12
Source code instrumentation • Source code* – Source code instrumentation • Manual skills • Plugins for IDE – Link-time/Compilation-time instrumentation • Options of linker/compiler • Tools: Visual Studio Profiler, gcc, TAU, OPARI, Diablo, Phoenix, LLVM, Rational Purify, Valgrind *Unreal condition for security specialist =) www.dsecrg.com CONFidence Krakow 2012 13
Unmoral programming www.dsecrg.com CONFidence Krakow 2012 14
Byte code instrumentation Byte code – intermediate representation between source code and machine code. … Java VM Dalvik VM AVM/AVM2 CLR www.dsecrg.com CONFidence Krakow 2012 15
Instrumentation byte-code (I) Source code Compilation Byte-code Load Virtual machine Loader JIT Lib Lib Execute Lib Machine code www.dsecrg.com CONFidence Krakow 2012 16
Instrumentation byte code (II) • Byte-code – Static instrumentation • Static byte code instrumentation – Load-time instrumentation • Custom byte code loader – Dynamic instrumentation • Dynamic byte-code instrumentation www.dsecrg.com CONFidence Krakow 2012 17
Instrumentation Java (I) Mechanisms: • java.lang.instrument package; • Java Platform Debugger Architecture (JPDA) . www.dsecrg.com CONFidence Krakow 2012 18
Instrumentation Java (II) • Static instrumentation – Modification *.class files • Load-time instrumentation – ClassFileLoadHook – Custom ClassLoader • Dynamic instrumentation – ClassFileLoadHook -> RetransformClasses Tools: Javassist, ObjectWeb ASM, BCEL, JOIE, reJ JavaSnoop, Serp, JMangler www.dsecrg.com CONFidence Krakow 2012 19
Instrumentation .NET • Static instrumentation – Modification DLL files • Load-time instrumentation – AppDomain.Load()/Assembly.Load() – Joint redirection – Via event handler Tools: ReFrameworker, MBEL, RAIL, Cecil www.dsecrg.com CONFidence Krakow 2012 20
Instrumentation ActionScript (I) • ActionScript2 – AVM – Tags that (can) contain bytecode: • DefineButton (7), DefineButton2 (34), DefineSprite (39), DoAction (12), DoInitAction (59), PlaceObject2 (26), PlaceObject3 (70). • ActionScript3 – AVM2 – Tags that (can) contain bytecode: • DoABC (82), RawABC (72). www.dsecrg.com CONFidence Krakow 2012 21
AVM2 Architecture AS3 .abc function (x:int):int { return x+10 } .abc parser MIR JIT Compiler .abc @1 arg +8// argv getlocal 1 Verifier Bytecode MIR Code Generator @2 load [@1+4] pushint 10 @3 imm 10 add @4 add (@2,@3) returnvalue Interpreter MD Code Generator @5 ret @4 // @4:eax (x86, PPC, ARM, etc.) x86 Runtime System (Type System, Object Model) mov eax,(eap+8) mov eax,(eax+4) add eax,10 Memory Manager/Garbage Collector ret www.dsecrg.com CONFidence Krakow 2012 22
Instrumentation ActionScript (I) AVM tag Original SWF file Header Tags Instrumenteted SWF file www.dsecrg.com CONFidence Krakow 2012 23
Instrumentation AVM (II) • Static instrumentation – Add : • trace() • dump() • debug() • debugfile() • debugline() – Modification: • Create own class + change class name = hook! www.dsecrg.com CONFidence Krakow 2012 24
Instrumentation binary code • The executable file • Environment – Static code instrumentation – Modifying call table • Static binary instrumentation • IDT, CPU MSRs, GDT, SSDT, • Process IRP тable – Debuggers • … • Debugging API – Modifying OS options – Modifying call table/other structure • SHIM • IAT • LD_PRELOAD • … • AppInt_DLLs – Dynamic code instrumentation • DLL injection • Dynamic binary instrumentation • … • Hardware – Reproduction of the – Hardware debug features environment • Debug registers • Emulation • Hardware debuggers • Virtualization • … www.dsecrg.com CONFidence Krakow 2012 25
Static Binary Instrumentation (I) Static binary instrumentation/Physical code integration/Static binary code rewriting Edited Header Header • Realization: Segment of Segment of code code – With reallocation: Segment of Segment of • Level of segment; data data • Level of function; Extra segment of code – Without reallocation. Extra segment of data www.dsecrg.com CONFidence Krakow 2012 26
Static Binary Instrumentation (II) Reallocation: 1) Function Displacement + Entry Point Linking; 2) Branch Conversion; 3) Instruction Padding; 4) Instrumentation. Tools: DynInst, EEL, ATOM, PEBIL, ERESI, TAU, Vulcan, BIRD, Aslan(4514N) www.dsecrg.com CONFidence Krakow 2012 27
Debuggers • Breakpoints: • Software App Debugger • Hardware • Debugger + scripting: OS • WinDBG + pykd • OllyDBG + python = Immunity Debuggers Processor • GDB + PythonGDB • Python library's*: Buggery, IDAPython, ImmLIB, lldb, PyDBG, PyDbgEng, pygdb , python-ptrace , vtrace, WinAppDbg, … *See “Python Arsenal for Reverse Engineering” www.dsecrg.com CONFidence Krakow 2012 28
Dynamic Binary Instrumentation Dynamic binary instrumentation/Virtual code integration/Dynamic binary rewriting DBI App1 App2 OS Processor Tools: PIN, DynamoRIO, DynInst, Valgrind, BAP, KEDR, Fit, ERESI, Detour, Vulcan, SpiderPig www.dsecrg.com CONFidence Krakow 2012 29
Dynamic Binary Instrumentation • Dynamic Binary Instrumentation (DBI) is a process control and analysis technique that involves injecting instrumentation code into a running process. • Dynamic binary analysis (DBA) tools such as profilers and checkers help programmers create better software. • Dynamic binary instrumentation (DBI) frameworks make it easy to build new DBA tools. •DBA tools consist: – instrumentation routines; – analysis routines. www.dsecrg.com CONFidence Krakow 2012 30
Kinds of DBI Mode: Mode of work: – user-mode; - Start to finish; – kernel-mode. - Attach. Modes of execution: Functionality JIT – Interpretation-mode; – Probe-mode; Probe – JIT-mode. Performance www.dsecrg.com CONFidence Krakow 2012 31
DBI Frameworks* Frameworks OS Arch Modes Features PIN Linux, x86, x86-64, JIT, Probe Attach mode Windows, Itanium, ARM MacOS DynamoRIO Linux, x86, x86-64 JIT, Probe Runtime Windows optimization DynInst Linux, x86, x86-64, Probe Static & FreeBSD, ppc32, ARM, Dynamic binary Windows ppc64 instrumentation Valgrind Linux, MacOS x86, x86-64, JIT IR – VEX, ppc32, ARM, Heavyweight ppc64 DBA tools *For more details see “DBI:Intro” presentation from ZeroNights conference www.dsecrg.com CONFidence Krakow 2012 32
Start work with DBI www.dsecrg.com CONFidence Krakow 2012 33
Levels of granularity • Instruction; • Basic Block*; • Trace/Superblock; • Function; • Section; • Events; • Binary image. www.dsecrg.com CONFidence Krakow 2012 34
Self-modifying code & DBI Detect: – Written-protecting code pages – Checking store address – Inserting extra code www.dsecrg.com CONFidence Krakow 2012 35
Overhead O=X+Y Y = N*Z Z = K+L O – Tool Overhead; X – Instrumentation Routines Overhead; Y – Analysis Routines Overhead; N – Frequency of Calling Analysis Routine; Z – Work Performed in the Analysis Routine; K – Work Required to Transition to Analysis Routine; L – Work Performed Inside the Analysis Routine. www.dsecrg.com CONFidence Krakow 2012 36
Rewriting instructions • Platforms: – with fixed-length instruction; – with variable-length instructions. www.dsecrg.com CONFidence Krakow 2012 37
Rewriting code (I) • Easy / simple / boring / regular example – Rewriting prolog function www.dsecrg.com CONFidence Krakow 2012 38
Rewriting code (II) • Hardcore example: – Mobile phone firmware rewriting Bootloader reboot Flash SHELLCODE 1 AMSS Malicious SMS GSM Baseband processor www.dsecrg.com CONFidence Krakow 2012 39
Instrumentation in ARM ARM modes: – ARM • Length(instr) = 4 byte – Thumb • Length(instr) = 2 byte – Thumb2 • Length(instr) = 2/4 byte – Jazzle For more detail see “A Dynamic Binary Instrumentation Engine for the ARM Architecture” presentation. www.dsecrg.com CONFidence Krakow 2012 40
Emulation App1 OS Emulator OS Processor www.dsecrg.com CONFidence Krakow 2012 41
Instrumentation & Bochs • Bochs can be called with instrumentation support. • C++ callbacks occur when certain events happen: – Poweron/Reset/Shutdown; – Branch Taken/Not Taken/Unconditional; – Opcode Decode (All relevant fields, lengths); – Interrupt /Exception; – Cache /TLB Flush/Prefetch; – Memory Read/Write. • “bochs-python-instrumentation” patch by Ero Carrera www.dsecrg.com CONFidence Krakow 2012 42
Virtualization App1 OS App1 OS VMM VMM OS Processor Processor Native VMM Hosted VMM *VMM - Virtual Machine Monitor www.dsecrg.com CONFidence Krakow 2012 43
Instrumentation & virtualization Stages: 1. Save the VM-exit reason information in the VMCS; 2. Save guest context information; 3. Load the host-state area; 4. Transfer control to the hypervisor; 5. Run own code. *VMCS - Virtual Machine Control Structure www.dsecrg.com CONFidence Krakow 2012 44
Instrumentation in Mobile World Mobile Platform Language Executable file format Android Java Dex iOS Objective-C Mach-O Windows Phone .NET PE www.dsecrg.com CONFidence Krakow 2012 45
Conclusion One can implement instrumentation of everything! www.dsecrg.com CONFidence Krakow 2012 46
Contact Twitter: @evdokimovds E-mail: d.evdokimov@dsecrg.com www.dsecrg.com CONFidence Krakow 2012 47
Windows 8 • Apps: – C++ & DirectX – C# & XAML – HTML & JavaScript & CSS www.dsecrg.com CONFidence Krakow 2012 48

Recommended

Light And Dark Side Of Code Instrumentation
Light And Dark Side Of Code InstrumentationLight And Dark Side Of Code Instrumentation
Light And Dark Side Of Code InstrumentationPositive Hack Days
 
Network Attack Injection
Network Attack InjectionNetwork Attack Injection
Network Attack InjectionJoao Antunes
 
Attacking Proprietary Android Vendor Customizations
Attacking Proprietary Android Vendor CustomizationsAttacking Proprietary Android Vendor Customizations
Attacking Proprietary Android Vendor CustomizationsRoberto Natella
 
Agile testen vts politie Nederland
Agile testen vts politie NederlandAgile testen vts politie Nederland
Agile testen vts politie NederlandpascaldufourNL
 
A%20study%20of%20web%20application%20vulnerabilities%20and%20vulnerability%20...
A%20study%20of%20web%20application%20vulnerabilities%20and%20vulnerability%20...A%20study%20of%20web%20application%20vulnerabilities%20and%20vulnerability%20...
A%20study%20of%20web%20application%20vulnerabilities%20and%20vulnerability%20...Chinnappa Doss
 
Visibility najaarsevent testnet
Visibility najaarsevent testnetVisibility najaarsevent testnet
Visibility najaarsevent testnetPascal Dufour
 
Technology radar-october-2012
Technology radar-october-2012Technology radar-october-2012
Technology radar-october-2012Ganeshram Ramamurthy
 
Brief Introduction To Teseda
Brief Introduction To TesedaBrief Introduction To Teseda
Brief Introduction To TesedaRhokanson
 

Recommended

Light And Dark Side Of Code Instrumentation
Light And Dark Side Of Code InstrumentationLight And Dark Side Of Code Instrumentation
Light And Dark Side Of Code InstrumentationPositive Hack Days
 
Network Attack Injection
Network Attack InjectionNetwork Attack Injection
Network Attack InjectionJoao Antunes
 
Attacking Proprietary Android Vendor Customizations
Attacking Proprietary Android Vendor CustomizationsAttacking Proprietary Android Vendor Customizations
Attacking Proprietary Android Vendor CustomizationsRoberto Natella
 
Agile testen vts politie Nederland
Agile testen vts politie NederlandAgile testen vts politie Nederland
Agile testen vts politie NederlandpascaldufourNL
 
A%20study%20of%20web%20application%20vulnerabilities%20and%20vulnerability%20...
A%20study%20of%20web%20application%20vulnerabilities%20and%20vulnerability%20...A%20study%20of%20web%20application%20vulnerabilities%20and%20vulnerability%20...
A%20study%20of%20web%20application%20vulnerabilities%20and%20vulnerability%20...Chinnappa Doss
 
Visibility najaarsevent testnet
Visibility najaarsevent testnetVisibility najaarsevent testnet
Visibility najaarsevent testnetPascal Dufour
 
Technology radar-october-2012
Technology radar-october-2012Technology radar-october-2012
Technology radar-october-2012Ganeshram Ramamurthy
 
Brief Introduction To Teseda
Brief Introduction To TesedaBrief Introduction To Teseda
Brief Introduction To TesedaRhokanson
 
MobSecCon 2015 - Dynamic Analysis of Android Apps
MobSecCon 2015 - Dynamic Analysis of Android AppsMobSecCon 2015 - Dynamic Analysis of Android Apps
MobSecCon 2015 - Dynamic Analysis of Android AppsRon Munitz
 
Coding Naked
Coding NakedCoding Naked
Coding NakedCaleb Jenkins
 
Developing and-benchmarking-native-linux-applications-on-android
Developing and-benchmarking-native-linux-applications-on-androidDeveloping and-benchmarking-native-linux-applications-on-android
Developing and-benchmarking-native-linux-applications-on-androidElvis Jon Freddy Sitinjak
 
___ qr code ________ lims (1)
___ qr code ________ lims (1) ___ qr code ________ lims (1)
___ qr code ________ lims (1)Naowal Siripatana
 
Msp phone
Msp phoneMsp phone
Msp phoneRogério Rodrigues
 
Iniciando desenvolvimento para Windows Phone 7
Iniciando desenvolvimento para Windows Phone 7Iniciando desenvolvimento para Windows Phone 7
Iniciando desenvolvimento para Windows Phone 7Rogério Rodrigues
 
Code Signing with CPK
Code Signing with CPKCode Signing with CPK
Code Signing with CPKZhi Guan
 
CYBER INTELLIGENCE & RESPONSE TECHNOLOGY
CYBER INTELLIGENCE & RESPONSE TECHNOLOGYCYBER INTELLIGENCE & RESPONSE TECHNOLOGY
CYBER INTELLIGENCE & RESPONSE TECHNOLOGYjmical
 
10 Reasons Your Software Sucks 2014 - Tax Day Edition!
10 Reasons Your Software Sucks 2014 - Tax Day Edition!10 Reasons Your Software Sucks 2014 - Tax Day Edition!
10 Reasons Your Software Sucks 2014 - Tax Day Edition!Caleb Jenkins
 
Android and Intel Inside
Android and Intel InsideAndroid and Intel Inside
Android and Intel InsideIntel Developer Zone Community
 
RTF - Prasad bhatt
RTF - Prasad bhattRTF - Prasad bhatt
RTF - Prasad bhattRoopa Nadkarni
 
Toorcon Seattle 2011 - Browser Exploit Packs
Toorcon Seattle 2011 - Browser Exploit PacksToorcon Seattle 2011 - Browser Exploit Packs
Toorcon Seattle 2011 - Browser Exploit PacksAditya K Sood
 
PVS-Studio in 2021 - Feature Overview
PVS-Studio in 2021 - Feature OverviewPVS-Studio in 2021 - Feature Overview
PVS-Studio in 2021 - Feature OverviewAndrey Karpov
 
Web2MexADL - CSMR Presentation
Web2MexADL - CSMR PresentationWeb2MexADL - CSMR Presentation
Web2MexADL - CSMR Presentationjccastrejon
 
Ci for Android
Ci for AndroidCi for Android
Ci for AndroidAlexey Ustenko
 
Постоянное тестирование интеграции
Постоянное тестирование интеграцииПостоянное тестирование интеграции
Постоянное тестирование интеграцииSQALab
 
Continuous Inspection of Code Quality: SonarQube
Continuous Inspection of Code Quality: SonarQubeContinuous Inspection of Code Quality: SonarQube
Continuous Inspection of Code Quality: SonarQubeEmre Dündar
 
MongoDB for Java Developers with Spring Data
MongoDB for Java Developers with Spring DataMongoDB for Java Developers with Spring Data
MongoDB for Java Developers with Spring DataChris Richardson
 
Detecting Evasive Malware in Sandbox
Detecting Evasive Malware in SandboxDetecting Evasive Malware in Sandbox
Detecting Evasive Malware in SandboxRahul Mohandas
 
Code Coverage Revised : EclEmma on JaCoCo
Code Coverage Revised : EclEmma on JaCoCoCode Coverage Revised : EclEmma on JaCoCo
Code Coverage Revised : EclEmma on JaCoCoEvgeny Mandrikov
 
Security Vulnerability Notice SE-2012-01-PUBLIC [Security vulnerabilities in ...
Security Vulnerability Notice SE-2012-01-PUBLIC [Security vulnerabilities in ...Security Vulnerability Notice SE-2012-01-PUBLIC [Security vulnerabilities in ...
Security Vulnerability Notice SE-2012-01-PUBLIC [Security vulnerabilities in ...Yury Chemerkin
 
Red october. detailed malware description
Red october. detailed malware descriptionRed october. detailed malware description
Red october. detailed malware descriptionYury Chemerkin
 

More Related Content

Similar to Dmitriy evdokimov. light and dark side of code instrumentation

MobSecCon 2015 - Dynamic Analysis of Android Apps
MobSecCon 2015 - Dynamic Analysis of Android AppsMobSecCon 2015 - Dynamic Analysis of Android Apps
MobSecCon 2015 - Dynamic Analysis of Android AppsRon Munitz
 
Developing and-benchmarking-native-linux-applications-on-android
Developing and-benchmarking-native-linux-applications-on-androidDeveloping and-benchmarking-native-linux-applications-on-android
Developing and-benchmarking-native-linux-applications-on-androidElvis Jon Freddy Sitinjak
 
___ qr code ________ lims (1)
___ qr code ________ lims (1) ___ qr code ________ lims (1)
___ qr code ________ lims (1)Naowal Siripatana
 
Iniciando desenvolvimento para Windows Phone 7
Iniciando desenvolvimento para Windows Phone 7Iniciando desenvolvimento para Windows Phone 7
Iniciando desenvolvimento para Windows Phone 7Rogério Rodrigues
 
Code Signing with CPK
Code Signing with CPKCode Signing with CPK
Code Signing with CPKZhi Guan
 
CYBER INTELLIGENCE & RESPONSE TECHNOLOGY
CYBER INTELLIGENCE & RESPONSE TECHNOLOGYCYBER INTELLIGENCE & RESPONSE TECHNOLOGY
CYBER INTELLIGENCE & RESPONSE TECHNOLOGYjmical
 
10 Reasons Your Software Sucks 2014 - Tax Day Edition!
10 Reasons Your Software Sucks 2014 - Tax Day Edition!10 Reasons Your Software Sucks 2014 - Tax Day Edition!
10 Reasons Your Software Sucks 2014 - Tax Day Edition!Caleb Jenkins
 
Toorcon Seattle 2011 - Browser Exploit Packs
Toorcon Seattle 2011 - Browser Exploit PacksToorcon Seattle 2011 - Browser Exploit Packs
Toorcon Seattle 2011 - Browser Exploit PacksAditya K Sood
 
PVS-Studio in 2021 - Feature Overview
PVS-Studio in 2021 - Feature OverviewPVS-Studio in 2021 - Feature Overview
PVS-Studio in 2021 - Feature OverviewAndrey Karpov
 
Web2MexADL - CSMR Presentation
Web2MexADL - CSMR PresentationWeb2MexADL - CSMR Presentation
Web2MexADL - CSMR Presentationjccastrejon
 
Постоянное тестирование интеграции
Постоянное тестирование интеграцииПостоянное тестирование интеграции
Постоянное тестирование интеграцииSQALab
 
Continuous Inspection of Code Quality: SonarQube
Continuous Inspection of Code Quality: SonarQubeContinuous Inspection of Code Quality: SonarQube
Continuous Inspection of Code Quality: SonarQubeEmre Dündar
 
MongoDB for Java Developers with Spring Data
MongoDB for Java Developers with Spring DataMongoDB for Java Developers with Spring Data
MongoDB for Java Developers with Spring DataChris Richardson
 
Detecting Evasive Malware in Sandbox
Detecting Evasive Malware in SandboxDetecting Evasive Malware in Sandbox
Detecting Evasive Malware in SandboxRahul Mohandas
 
Code Coverage Revised : EclEmma on JaCoCo
Code Coverage Revised : EclEmma on JaCoCoCode Coverage Revised : EclEmma on JaCoCo
Code Coverage Revised : EclEmma on JaCoCoEvgeny Mandrikov
 

Similar to Dmitriy evdokimov. light and dark side of code instrumentation (20)

MobSecCon 2015 - Dynamic Analysis of Android Apps
MobSecCon 2015 - Dynamic Analysis of Android AppsMobSecCon 2015 - Dynamic Analysis of Android Apps
MobSecCon 2015 - Dynamic Analysis of Android Apps
 
Coding Naked
Coding NakedCoding Naked
Coding Naked
 
Developing and-benchmarking-native-linux-applications-on-android
Developing and-benchmarking-native-linux-applications-on-androidDeveloping and-benchmarking-native-linux-applications-on-android
Developing and-benchmarking-native-linux-applications-on-android
 
___ qr code ________ lims (1)
___ qr code ________ lims (1) ___ qr code ________ lims (1)
___ qr code ________ lims (1)
 
Msp phone
Msp phoneMsp phone
Msp phone
 
Iniciando desenvolvimento para Windows Phone 7
Iniciando desenvolvimento para Windows Phone 7Iniciando desenvolvimento para Windows Phone 7
Iniciando desenvolvimento para Windows Phone 7
 
Code Signing with CPK
Code Signing with CPKCode Signing with CPK
Code Signing with CPK
 
CYBER INTELLIGENCE & RESPONSE TECHNOLOGY
CYBER INTELLIGENCE & RESPONSE TECHNOLOGYCYBER INTELLIGENCE & RESPONSE TECHNOLOGY
CYBER INTELLIGENCE & RESPONSE TECHNOLOGY
 
10 Reasons Your Software Sucks 2014 - Tax Day Edition!
10 Reasons Your Software Sucks 2014 - Tax Day Edition!10 Reasons Your Software Sucks 2014 - Tax Day Edition!
10 Reasons Your Software Sucks 2014 - Tax Day Edition!
 
Android and Intel Inside
Android and Intel InsideAndroid and Intel Inside
Android and Intel Inside
 
RTF - Prasad bhatt
RTF - Prasad bhattRTF - Prasad bhatt
RTF - Prasad bhatt
 
Toorcon Seattle 2011 - Browser Exploit Packs
Toorcon Seattle 2011 - Browser Exploit PacksToorcon Seattle 2011 - Browser Exploit Packs
Toorcon Seattle 2011 - Browser Exploit Packs
 
PVS-Studio in 2021 - Feature Overview
PVS-Studio in 2021 - Feature OverviewPVS-Studio in 2021 - Feature Overview
PVS-Studio in 2021 - Feature Overview
 
Web2MexADL - CSMR Presentation
Web2MexADL - CSMR PresentationWeb2MexADL - CSMR Presentation
Web2MexADL - CSMR Presentation
 
Ci for Android
Ci for AndroidCi for Android
Ci for Android
 
Постоянное тестирование интеграции
Постоянное тестирование интеграцииПостоянное тестирование интеграции
Постоянное тестирование интеграции
 
Continuous Inspection of Code Quality: SonarQube
Continuous Inspection of Code Quality: SonarQubeContinuous Inspection of Code Quality: SonarQube
Continuous Inspection of Code Quality: SonarQube
 
MongoDB for Java Developers with Spring Data
MongoDB for Java Developers with Spring DataMongoDB for Java Developers with Spring Data
MongoDB for Java Developers with Spring Data
 
Detecting Evasive Malware in Sandbox
Detecting Evasive Malware in SandboxDetecting Evasive Malware in Sandbox
Detecting Evasive Malware in Sandbox
 
Code Coverage Revised : EclEmma on JaCoCo
Code Coverage Revised : EclEmma on JaCoCoCode Coverage Revised : EclEmma on JaCoCo
Code Coverage Revised : EclEmma on JaCoCo
 

More from Yury Chemerkin

Security Vulnerability Notice SE-2012-01-PUBLIC [Security vulnerabilities in ...
Security Vulnerability Notice SE-2012-01-PUBLIC [Security vulnerabilities in ...Security Vulnerability Notice SE-2012-01-PUBLIC [Security vulnerabilities in ...
Security Vulnerability Notice SE-2012-01-PUBLIC [Security vulnerabilities in ...Yury Chemerkin
 
Red october. detailed malware description
Red october. detailed malware descriptionRed october. detailed malware description
Red october. detailed malware descriptionYury Chemerkin
 
Comment crew indicators of compromise
Comment crew indicators of compromiseComment crew indicators of compromise
Comment crew indicators of compromiseYury Chemerkin
 
Appendix g iocs readme
Appendix g iocs readmeAppendix g iocs readme
Appendix g iocs readmeYury Chemerkin
 
Appendix f (digital) ssl certificates
Appendix f (digital) ssl certificatesAppendix f (digital) ssl certificates
Appendix f (digital) ssl certificatesYury Chemerkin
 
Appendix e (digital) md5s
Appendix e (digital) md5sAppendix e (digital) md5s
Appendix e (digital) md5sYury Chemerkin
 
Appendix d (digital) fqd ns
Appendix d (digital) fqd nsAppendix d (digital) fqd ns
Appendix d (digital) fqd nsYury Chemerkin
 
6071f3f4 40e6-4c7b-8868-3b0b21a9f601
6071f3f4 40e6-4c7b-8868-3b0b21a9f6016071f3f4 40e6-4c7b-8868-3b0b21a9f601
6071f3f4 40e6-4c7b-8868-3b0b21a9f601Yury Chemerkin
 
Zane lackey. security at scale. web application security in a continuous depl...
Zane lackey. security at scale. web application security in a continuous depl...Zane lackey. security at scale. web application security in a continuous depl...
Zane lackey. security at scale. web application security in a continuous depl...Yury Chemerkin
 
Windows 8. important considerations for computer forensics and electronic dis...
Windows 8. important considerations for computer forensics and electronic dis...Windows 8. important considerations for computer forensics and electronic dis...
Windows 8. important considerations for computer forensics and electronic dis...Yury Chemerkin
 
The stuxnet computer worm. harbinger of an emerging warfare capability
The stuxnet computer worm. harbinger of an emerging warfare capabilityThe stuxnet computer worm. harbinger of an emerging warfare capability
The stuxnet computer worm. harbinger of an emerging warfare capabilityYury Chemerkin
 
Stuxnet. analysis, myths, realities
Stuxnet. analysis, myths, realitiesStuxnet. analysis, myths, realities
Stuxnet. analysis, myths, realitiesYury Chemerkin
 
Stuxnet redux. malware attribution & lessons learned
Stuxnet redux. malware attribution & lessons learnedStuxnet redux. malware attribution & lessons learned
Stuxnet redux. malware attribution & lessons learnedYury Chemerkin
 
Sophos ransom ware fake antivirus
Sophos ransom ware fake antivirusSophos ransom ware fake antivirus
Sophos ransom ware fake antivirusYury Chemerkin
 
Six months later – a report card on google’s demotion of pirate sites
Six months later – a report card on google’s demotion of pirate sitesSix months later – a report card on google’s demotion of pirate sites
Six months later – a report card on google’s demotion of pirate sitesYury Chemerkin
 
Security in the cloud planning guide
Security in the cloud planning guideSecurity in the cloud planning guide
Security in the cloud planning guideYury Chemerkin
 
Security configuration recommendations for apple i os 5 devices
Security configuration recommendations for apple i os 5 devicesSecurity configuration recommendations for apple i os 5 devices
Security configuration recommendations for apple i os 5 devicesYury Chemerkin
 
Render man. hacker + airplanes = no good can come of this
Render man. hacker + airplanes = no good can come of thisRender man. hacker + airplanes = no good can come of this
Render man. hacker + airplanes = no good can come of thisYury Chemerkin
 

More from Yury Chemerkin (20)

Security Vulnerability Notice SE-2012-01-PUBLIC [Security vulnerabilities in ...
Security Vulnerability Notice SE-2012-01-PUBLIC [Security vulnerabilities in ...Security Vulnerability Notice SE-2012-01-PUBLIC [Security vulnerabilities in ...
Security Vulnerability Notice SE-2012-01-PUBLIC [Security vulnerabilities in ...
 
Red october. detailed malware description
Red october. detailed malware descriptionRed october. detailed malware description
Red october. detailed malware description
 
Comment crew indicators of compromise
Comment crew indicators of compromiseComment crew indicators of compromise
Comment crew indicators of compromise
 
Appendix g iocs readme
Appendix g iocs readmeAppendix g iocs readme
Appendix g iocs readme
 
Appendix f (digital) ssl certificates
Appendix f (digital) ssl certificatesAppendix f (digital) ssl certificates
Appendix f (digital) ssl certificates
 
Appendix e (digital) md5s
Appendix e (digital) md5sAppendix e (digital) md5s
Appendix e (digital) md5s
 
Appendix d (digital) fqd ns
Appendix d (digital) fqd nsAppendix d (digital) fqd ns
Appendix d (digital) fqd ns
 
6071f3f4 40e6-4c7b-8868-3b0b21a9f601
6071f3f4 40e6-4c7b-8868-3b0b21a9f6016071f3f4 40e6-4c7b-8868-3b0b21a9f601
6071f3f4 40e6-4c7b-8868-3b0b21a9f601
 
Jp3 13
Jp3 13Jp3 13
Jp3 13
 
Zane lackey. security at scale. web application security in a continuous depl...
Zane lackey. security at scale. web application security in a continuous depl...Zane lackey. security at scale. web application security in a continuous depl...
Zane lackey. security at scale. web application security in a continuous depl...
 
Windows 8. important considerations for computer forensics and electronic dis...
Windows 8. important considerations for computer forensics and electronic dis...Windows 8. important considerations for computer forensics and electronic dis...
Windows 8. important considerations for computer forensics and electronic dis...
 
The stuxnet computer worm. harbinger of an emerging warfare capability
The stuxnet computer worm. harbinger of an emerging warfare capabilityThe stuxnet computer worm. harbinger of an emerging warfare capability
The stuxnet computer worm. harbinger of an emerging warfare capability
 
Stuxnet. analysis, myths, realities
Stuxnet. analysis, myths, realitiesStuxnet. analysis, myths, realities
Stuxnet. analysis, myths, realities
 
Stuxnet redux. malware attribution & lessons learned
Stuxnet redux. malware attribution & lessons learnedStuxnet redux. malware attribution & lessons learned
Stuxnet redux. malware attribution & lessons learned
 
Sophos ransom ware fake antivirus
Sophos ransom ware fake antivirusSophos ransom ware fake antivirus
Sophos ransom ware fake antivirus
 
Six months later – a report card on google’s demotion of pirate sites
Six months later – a report card on google’s demotion of pirate sitesSix months later – a report card on google’s demotion of pirate sites
Six months later – a report card on google’s demotion of pirate sites
 
Security in the cloud planning guide
Security in the cloud planning guideSecurity in the cloud planning guide
Security in the cloud planning guide
 
Security configuration recommendations for apple i os 5 devices
Security configuration recommendations for apple i os 5 devicesSecurity configuration recommendations for apple i os 5 devices
Security configuration recommendations for apple i os 5 devices
 
Render man. hacker + airplanes = no good can come of this
Render man. hacker + airplanes = no good can come of thisRender man. hacker + airplanes = no good can come of this
Render man. hacker + airplanes = no good can come of this
 
Msft oracle brief
Msft oracle briefMsft oracle brief
Msft oracle brief
 

Recently uploaded

Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Hyundai Motor Group
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?XfilesPro
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 

Recently uploaded (20)

Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 

Dmitriy evdokimov. light and dark side of code instrumentation

  • 1. Light and Dark side of Code Instrumentation Dmitriy “D1g1″ Evdokimov DSecRG, Security Researcher
  • 2. #whoami • Security Researcher in DSecRG – RE – Fuzzing – Mobile security • Organizer: DCG #7812 • Editor in “XAKEP” www.dsecrg.com CONFidence Krakow 2012 2
  • 3. Agenda 1. Instrumentation . 2. Instrumentation .. 3. Instrumentation … 4. Instrumentation …. 5. Instrumentation ….. 6. Instrumentation …… 7. Instrumentation ……. www.dsecrg.com CONFidence Krakow 2012 3
  • 4. Intro “It has been proved by scientists that a new point of evolution, any technical progress appears when a Man makes up a new type of tool, but not a product.” www.dsecrg.com CONFidence Krakow 2012 4
  • 5. Instrumentation Instrumentation is a technique adding extra code to an program/environment for monitoring/change some program behavior. Environment Program Program Own Own extra extra code code www.dsecrg.com CONFidence Krakow 2012 5
  • 6. Why is it necessary? Parallel optimization Simulation Memory debugging Virtualization Emulation Software profiling Performance analysis Testing Automated debugging Correctness checking Error detection Collecting code metrics Binary translation Optimization Memory leak detection www.dsecrg.com CONFidence Krakow 2012 6
  • 7. Instrumentation in information security Control flow analysis Security test case generation Unpack Code coverage Virtual patching Malware analysis Vulnerability detection Privacy monitoring Taint analysis Antivirus technology Sandboxing Program shepherding Data flow analysis Shellcode detection Deobfuscation Fuzzing Reverse engineering Behavior based security Forensic Transparent debugging Data Structure Restoring Security enforcement www.dsecrg.com CONFidence Krakow 2012 7
  • 8. Analysis Criterion Static analysis Dynamic analysis Code vs. data Problem No problem Code coverage Big (but not all) One way Information about values No information All information Self-modifying code Problem No problem Interaction with the No Yes environment Unused code Analysis No analysis JIT code Problem No problem www.dsecrg.com CONFidence Krakow 2012 8
  • 9. Code Discovery Memory After static analysis 0101010110101001010010 Instr 1 After dynamic analysis 0101010101101010101010 Instr 2 Instr 3 1111010101110101000111 jump reg InstrDATA 4 Instr 1011100111001010101011 5 Instr 4 6 Instr Instr 7 5 jmp 0x0ABCD PADDING 0111010110100111100110 Instr 7 cont. Instr 8 1010101101110001001011 Instr 9 Instr 6 10 Instr www.dsecrg.com CONFidence Krakow 2012 9
  • 10. The general scheme of code instrumentation 1. Find points of instrumentation; 2. Insert instrumentation; 3. Take control from program; 4. Save context of the program; 5. Execute own code; 6. Restore context of the program; 7. Return control to program. www.dsecrg.com CONFidence Krakow 2012 10
  • 11. Source Data Source data Source code Byte code Binary code www.dsecrg.com CONFidence Krakow 2012 11
  • 12. Classification of target instrumentation Instrumentation With source code Without source code Source code Byte code Binary code Linker/Compiler Byte code Executable file Interpreter/VM Process Environment Dynamic binary instrumentation Static binary modification Byte code instrumentation Link-time/Compilation-time Source code instrumentation Environment - Static instrumentation Hardware - Load-time - Dynamic www.dsecrg.com CONFidence Krakow 2012 12
  • 13. Source code instrumentation • Source code* – Source code instrumentation • Manual skills • Plugins for IDE – Link-time/Compilation-time instrumentation • Options of linker/compiler • Tools: Visual Studio Profiler, gcc, TAU, OPARI, Diablo, Phoenix, LLVM, Rational Purify, Valgrind *Unreal condition for security specialist =) www.dsecrg.com CONFidence Krakow 2012 13
  • 14. Unmoral programming www.dsecrg.com CONFidence Krakow 2012 14
  • 15. Byte code instrumentation Byte code – intermediate representation between source code and machine code. … Java VM Dalvik VM AVM/AVM2 CLR www.dsecrg.com CONFidence Krakow 2012 15
  • 16. Instrumentation byte-code (I) Source code Compilation Byte-code Load Virtual machine Loader JIT Lib Lib Execute Lib Machine code www.dsecrg.com CONFidence Krakow 2012 16
  • 17. Instrumentation byte code (II) • Byte-code – Static instrumentation • Static byte code instrumentation – Load-time instrumentation • Custom byte code loader – Dynamic instrumentation • Dynamic byte-code instrumentation www.dsecrg.com CONFidence Krakow 2012 17
  • 18. Instrumentation Java (I) Mechanisms: • java.lang.instrument package; • Java Platform Debugger Architecture (JPDA) . www.dsecrg.com CONFidence Krakow 2012 18
  • 19. Instrumentation Java (II) • Static instrumentation – Modification *.class files • Load-time instrumentation – ClassFileLoadHook – Custom ClassLoader • Dynamic instrumentation – ClassFileLoadHook -> RetransformClasses Tools: Javassist, ObjectWeb ASM, BCEL, JOIE, reJ JavaSnoop, Serp, JMangler www.dsecrg.com CONFidence Krakow 2012 19
  • 20. Instrumentation .NET • Static instrumentation – Modification DLL files • Load-time instrumentation – AppDomain.Load()/Assembly.Load() – Joint redirection – Via event handler Tools: ReFrameworker, MBEL, RAIL, Cecil www.dsecrg.com CONFidence Krakow 2012 20
  • 21. Instrumentation ActionScript (I) • ActionScript2 – AVM – Tags that (can) contain bytecode: • DefineButton (7), DefineButton2 (34), DefineSprite (39), DoAction (12), DoInitAction (59), PlaceObject2 (26), PlaceObject3 (70). • ActionScript3 – AVM2 – Tags that (can) contain bytecode: • DoABC (82), RawABC (72). www.dsecrg.com CONFidence Krakow 2012 21
  • 22. AVM2 Architecture AS3 .abc function (x:int):int { return x+10 } .abc parser MIR JIT Compiler .abc @1 arg +8// argv getlocal 1 Verifier Bytecode MIR Code Generator @2 load [@1+4] pushint 10 @3 imm 10 add @4 add (@2,@3) returnvalue Interpreter MD Code Generator @5 ret @4 // @4:eax (x86, PPC, ARM, etc.) x86 Runtime System (Type System, Object Model) mov eax,(eap+8) mov eax,(eax+4) add eax,10 Memory Manager/Garbage Collector ret www.dsecrg.com CONFidence Krakow 2012 22
  • 23. Instrumentation ActionScript (I) AVM tag Original SWF file Header Tags Instrumenteted SWF file www.dsecrg.com CONFidence Krakow 2012 23
  • 24. Instrumentation AVM (II) • Static instrumentation – Add : • trace() • dump() • debug() • debugfile() • debugline() – Modification: • Create own class + change class name = hook! www.dsecrg.com CONFidence Krakow 2012 24
  • 25. Instrumentation binary code • The executable file • Environment – Static code instrumentation – Modifying call table • Static binary instrumentation • IDT, CPU MSRs, GDT, SSDT, • Process IRP тable – Debuggers • … • Debugging API – Modifying OS options – Modifying call table/other structure • SHIM • IAT • LD_PRELOAD • … • AppInt_DLLs – Dynamic code instrumentation • DLL injection • Dynamic binary instrumentation • … • Hardware – Reproduction of the – Hardware debug features environment • Debug registers • Emulation • Hardware debuggers • Virtualization • … www.dsecrg.com CONFidence Krakow 2012 25
  • 26. Static Binary Instrumentation (I) Static binary instrumentation/Physical code integration/Static binary code rewriting Edited Header Header • Realization: Segment of Segment of code code – With reallocation: Segment of Segment of • Level of segment; data data • Level of function; Extra segment of code – Without reallocation. Extra segment of data www.dsecrg.com CONFidence Krakow 2012 26
  • 27. Static Binary Instrumentation (II) Reallocation: 1) Function Displacement + Entry Point Linking; 2) Branch Conversion; 3) Instruction Padding; 4) Instrumentation. Tools: DynInst, EEL, ATOM, PEBIL, ERESI, TAU, Vulcan, BIRD, Aslan(4514N) www.dsecrg.com CONFidence Krakow 2012 27
  • 28. Debuggers • Breakpoints: • Software App Debugger • Hardware • Debugger + scripting: OS • WinDBG + pykd • OllyDBG + python = Immunity Debuggers Processor • GDB + PythonGDB • Python library's*: Buggery, IDAPython, ImmLIB, lldb, PyDBG, PyDbgEng, pygdb , python-ptrace , vtrace, WinAppDbg, … *See “Python Arsenal for Reverse Engineering” www.dsecrg.com CONFidence Krakow 2012 28
  • 29. Dynamic Binary Instrumentation Dynamic binary instrumentation/Virtual code integration/Dynamic binary rewriting DBI App1 App2 OS Processor Tools: PIN, DynamoRIO, DynInst, Valgrind, BAP, KEDR, Fit, ERESI, Detour, Vulcan, SpiderPig www.dsecrg.com CONFidence Krakow 2012 29
  • 30. Dynamic Binary Instrumentation • Dynamic Binary Instrumentation (DBI) is a process control and analysis technique that involves injecting instrumentation code into a running process. • Dynamic binary analysis (DBA) tools such as profilers and checkers help programmers create better software. • Dynamic binary instrumentation (DBI) frameworks make it easy to build new DBA tools. •DBA tools consist: – instrumentation routines; – analysis routines. www.dsecrg.com CONFidence Krakow 2012 30
  • 31. Kinds of DBI Mode: Mode of work: – user-mode; - Start to finish; – kernel-mode. - Attach. Modes of execution: Functionality JIT – Interpretation-mode; – Probe-mode; Probe – JIT-mode. Performance www.dsecrg.com CONFidence Krakow 2012 31
  • 32. DBI Frameworks* Frameworks OS Arch Modes Features PIN Linux, x86, x86-64, JIT, Probe Attach mode Windows, Itanium, ARM MacOS DynamoRIO Linux, x86, x86-64 JIT, Probe Runtime Windows optimization DynInst Linux, x86, x86-64, Probe Static & FreeBSD, ppc32, ARM, Dynamic binary Windows ppc64 instrumentation Valgrind Linux, MacOS x86, x86-64, JIT IR – VEX, ppc32, ARM, Heavyweight ppc64 DBA tools *For more details see “DBI:Intro” presentation from ZeroNights conference www.dsecrg.com CONFidence Krakow 2012 32
  • 33. Start work with DBI www.dsecrg.com CONFidence Krakow 2012 33
  • 34. Levels of granularity • Instruction; • Basic Block*; • Trace/Superblock; • Function; • Section; • Events; • Binary image. www.dsecrg.com CONFidence Krakow 2012 34
  • 35. Self-modifying code & DBI Detect: – Written-protecting code pages – Checking store address – Inserting extra code www.dsecrg.com CONFidence Krakow 2012 35
  • 36. Overhead O=X+Y Y = N*Z Z = K+L O – Tool Overhead; X – Instrumentation Routines Overhead; Y – Analysis Routines Overhead; N – Frequency of Calling Analysis Routine; Z – Work Performed in the Analysis Routine; K – Work Required to Transition to Analysis Routine; L – Work Performed Inside the Analysis Routine. www.dsecrg.com CONFidence Krakow 2012 36
  • 37. Rewriting instructions • Platforms: – with fixed-length instruction; – with variable-length instructions. www.dsecrg.com CONFidence Krakow 2012 37
  • 38. Rewriting code (I) • Easy / simple / boring / regular example – Rewriting prolog function www.dsecrg.com CONFidence Krakow 2012 38
  • 39. Rewriting code (II) • Hardcore example: – Mobile phone firmware rewriting Bootloader reboot Flash SHELLCODE 1 AMSS Malicious SMS GSM Baseband processor www.dsecrg.com CONFidence Krakow 2012 39
  • 40. Instrumentation in ARM ARM modes: – ARM • Length(instr) = 4 byte – Thumb • Length(instr) = 2 byte – Thumb2 • Length(instr) = 2/4 byte – Jazzle For more detail see “A Dynamic Binary Instrumentation Engine for the ARM Architecture” presentation. www.dsecrg.com CONFidence Krakow 2012 40
  • 41. Emulation App1 OS Emulator OS Processor www.dsecrg.com CONFidence Krakow 2012 41
  • 42. Instrumentation & Bochs • Bochs can be called with instrumentation support. • C++ callbacks occur when certain events happen: – Poweron/Reset/Shutdown; – Branch Taken/Not Taken/Unconditional; – Opcode Decode (All relevant fields, lengths); – Interrupt /Exception; – Cache /TLB Flush/Prefetch; – Memory Read/Write. • “bochs-python-instrumentation” patch by Ero Carrera www.dsecrg.com CONFidence Krakow 2012 42
  • 43. Virtualization App1 OS App1 OS VMM VMM OS Processor Processor Native VMM Hosted VMM *VMM - Virtual Machine Monitor www.dsecrg.com CONFidence Krakow 2012 43
  • 44. Instrumentation & virtualization Stages: 1. Save the VM-exit reason information in the VMCS; 2. Save guest context information; 3. Load the host-state area; 4. Transfer control to the hypervisor; 5. Run own code. *VMCS - Virtual Machine Control Structure www.dsecrg.com CONFidence Krakow 2012 44
  • 45. Instrumentation in Mobile World Mobile Platform Language Executable file format Android Java Dex iOS Objective-C Mach-O Windows Phone .NET PE www.dsecrg.com CONFidence Krakow 2012 45
  • 46. Conclusion One can implement instrumentation of everything! www.dsecrg.com CONFidence Krakow 2012 46
  • 48. Windows 8 • Apps: – C++ & DirectX – C# & XAML – HTML & JavaScript & CSS www.dsecrg.com CONFidence Krakow 2012 48