Wei-Bo Chen, profile picture
Uploaded byWei-Bo Chen
PDF, PPTX4,618 views

Klee and angr

Klee and Angr are tools for symbolic execution. Klee is a symbolic virtual machine that executes programs symbolically and generates test cases by solving constraints. It works on LLVM bitcode. Angr is a Python framework for analyzing binaries using static and dynamic symbolic analysis. It lifts binaries into an intermediate representation called VEX to analyze machine code across architectures. Both tools explore all paths in a program and solve path constraints to generate inputs that execute each path.

Technology
In this document
Powered by AI

The presenter is Chen Weibin, a master's student at National Chiao Tung University, involved with Software Quality Laboratory and Bamboofox.

Symbolic execution is analyzed for program inputs. Tools like S2e, Angr, Triton, and Klee are highlighted, focusing on hitting all code lines and detecting dangerous operations.

Klee, a symbolic virtual machine, enables test case generation. Steps for installation and compiling source code to LLVM bitcode are provided, illustrated with an example.

Functions in Klee include making memory symbolic, adding conditions, using asserts, and working with libraries; examples of how to apply these functionalities are presented.

Klee's environment modeling incorporates command-line arguments, environment variables, and symbolic file creation, enhancing the symbolic analysis.

Klee uses solvers like MetaSMT and Z3. It functions as an interpreter loop, managing symbolic states and handling conditional branches during program execution.

Diagrams illustrate Klee's execution process from stepping through branches to solving conditional constraints until completion or timeout.

Exercises include challenges like finding sums or products of continuous numbers, linking to relevant resources for practice.

Angr is introduced as a Python framework for analyzing binaries, supporting static and dynamic analysis, with a flow of loading binaries and initializing states.

Installation of Angr is discussed, with flow and commands shared for initializing states, simulating execution, and managing simulation managers.Simgr management techniques in Angr, outlining state handling, including active, deadended, pruned, and unsat states.

Hooking allows Angr to replace functions with custom SimProcedures, enabling deeper analysis on how executed code interacts with external libraries.

Details on how symbolic functions like scanf work, including how they handle input and manage library functionality through symbolic summaries.

Further exercises focus on local binaries and server responses for exploit generation, followed by a question and answer session.

Embed presentation

Download as PDF, PPTX
Klee and Angr bananaappletw @ UCCU Hacker 2017/10/29
$whoami • 陳威伯(bananaappletw) • Master of National Chiao Tung University • Organizations: • Software Quality Laboratory • Bamboofox member • Vice president of NCTUCSC • Specialize in: • symbolic execution • binary exploit • Talks: • HITCON CMT 2015 • HITCON CMT 2017
What is symbolic execution? • Symbolic execution is a means of analyzing a program to determine what inputs cause each part of a program to execute • System-level • S2e(https://github.com/dslab-epfl/s2e) • User-level • Angr(http://angr.io/) • Triton(https://triton.quarkslab.com/) • Code-based • klee(http://klee.github.io/)
Symbolic execution Z == 12 fail() "OK"
Klee • Symbolic virtual machine built on top of the LLVM compiler infrastructure • Website: http://klee.github.io/ • Github: https://github.com/klee/klee • Klee paper: http://llvm.org/pubs/2008-12-OSDI-KLEE.pdf (Worth reading) • Main goal of Klee: 1. Hit every line of executable code in the program 2. Detect at each dangerous operation
Installation • Install docker • sudo apt-get install docker.io • Get klee image • sudo docker pull klee/klee • Run klee docker image • sudo docker run --rm -ti --ulimit='stack=-1:-1' klee/klee • Test environment • Ubuntu 17.04 desktop amd64
Introduction • Klee is a symbolic machine to generate test cases • Need source code to compile to LLVM bitcode • Steps: • Replace input with Klee function to make memory region symbolic • Compile source code to LLVM bitcode • Run Klee • Get the test cases and path's information
Steps • Source code at ~/klee_src/examples/get_sign.c • Include klee library #include <klee/klee.h> • Make input symbolic klee_make_symbolic(&a, sizeof(a), "a"); • Compile to LLVM bitcode clang -I ../../include -emit-llvm -c -g get_sign.c
Steps • Examine LLVM bitcode llvm-dis get_sign.bc • Running KLEE klee get_sign.bc • Show information about test case ktest-tool ./klee-last/*.ktest
get_sign.c #include <klee/klee.h> int get_sign(int x) { if (x == 0) return 0; if (x < 0) return -1; else return 1; } int main() { int a; klee_make_symbolic(&a, sizeof(a), "a"); return get_sign(a); }
get_sign.ll define i32 @main() #0 { %1 = alloca i32, align 4 %a = alloca i32, align 4 store i32 0, i32* %1 call void @llvm.dbg.declare(metadata !{i32* %a}, metadata !25), !dbg !26 %2 = bitcast i32* %a to i8*, !dbg !27 call void @klee_make_symbolic(i8* %2, i64 4, i8* getelementptr inbounds ([2 x i8]* @.str, i32 0, i32 0)), !dbg !27 %3 = load i32* %a, align 4, !dbg !28 %4 = call i32 @get_sign(i32 %3), !dbg !28 ret i32 %4, !dbg !28 }
Result
Functions • klee_make_symbolic(address, size, name) Make memory address symbolic klee_make_symbolic(&c, sizeof(c), "c"); Notice: Don't overlap symbolic memory regions • klee_assume(condition) Add condition constraint on input klee_assume((c==2)||(d==3)); • klee_prefer_cex(object, condition) When generating test cases, prefer certain values between equivalent test cases klee_prefer_cex(input, 32 <= input[i] && input[i] <= 126);
Functions • Insert assert on target path klee_assert(0) • Find assert test case ls ./klee-last/ | grep .assert • Show information about test case ktest-tool ./klee-last/*.ktest • Using GNU c library functions Run with --libc=uclibc --posix-runtime parameters
Environment Modeling • For example: • command-line arguments • environment variables • file • data and metadata • network packets • …… • Klee redirects library call to models • If fd refers to a concrete file Klee use pread to multiplex access from KLEE’s many states onto the one actual underlying file descriptor • If fd refers to a symbolic file read() copies from the underlying symbolic buffer
Environment Modeling • -sym-arg <N> Replace by a symbolic argument with length N • -sym-args <MIN> <MAX> <N> Replace by at least MIN arguments and at most MAX arguments, each with maximum length N • -sym-files <NUM> <N> Make NUM symbolic files (‘A’, ‘B’, ‘C’, etc.), each with size N (excluding stdin) • -sym-stdin <N> Make stdin symbolic with size N
Solver • MetaSMT • STP(Default option for Klee) • Z3
Architecture • Represent Klee as an interpreter loop which select a state to run and then symbolically executes a single instruction in the context of that state • When Klee meets the conditional branch instruction, it clones the state so that it could explore both paths • By implementing heap as immutable map, portions of the heap structure itself can also be shared amongst multiple states(copy on write)
Architecture • Potentially dangerous operations implicitly generate branches that check if any input value exists that could cause an error(e.g., zero divisor) • When processing instruction, if all given operands are concrete, performs the operation natively, returning a constant expression • When KLEE detects an error or when a path reaches an exit call, Klee solves the current path's constraints
Diagram 1. Step the program until it meets the branch #include <klee/klee.h> int get_sign(int x) { if (x == 0) return 0; if (x < 0) return -1; else return 1; } int main() { int a; klee_make_symbolic(&a, sizeof(a), "a"); return get_sign(a); }
Diagram 1. Step the program until it meets the branch 2. If all given operands are concrete, return constant expression. If not, record current condition constraints and clone the state. #include <klee/klee.h> int get_sign(int x) { if (x == 0) return 0; if (x < 0) return -1; else return 1; } int main() { int a; klee_make_symbolic(&a, sizeof(a), "a"); return get_sign(a); }
Diagram 1. Step the program until it meets the branch 2. If all given operands are concrete, return constant expression. If not, record current condition constraints and clone the state 3. Step the states until they hit exit call or error X==0 Constraints: X!=0 Next instruction: if (x < 0) Constraints: X==0 Next instruction: return 0;
Diagram 1. Step the program until it meets the branch 2. If all given operands are concrete, return constant expression. If not, record current condition constraints and clone the state 3. Step the states until they hit exit call or error 4. Solve the conditional constraint X==0 Constraints: X!=0 Next instruction: if (x < 0) Constraints: X==0 Next instruction: return 0;
Diagram 1. Step the program until it meets the branch 2. If all given operands are concrete, return constant expression. If not, record current condition constraints and clone the state 3. Step the states until they hit exit call or error 4. Solve the conditional constraint 5. Loop until no remaining states or user-defined timeout is reached
Exercises • ccr Sum of continuous number https://bamboofox.cs.nctu.edu.tw/courses/1/challenges/67 • Suicide Product of continuous number https://bamboofox.cs.nctu.edu.tw/courses/1/challenges/68
Angr • Website: http://angr.io/ • Angr is a python framework for analyzing binaries. It combines both static and dynamic symbolic ("concolic") analysis, making it applicable to a variety of tasks. • Flow • Loading a binary into the analysis program. • Translating a binary into an intermediate representation (IR). • Performing the actual analysis
Installation • sudo apt-get install -y python-pip python-dev libffi-dev build-essential virtualenvwrapper • Virtualenv • mkvirtualenv angr && pip install angr • Direct install in system • sudo pip install angr • Test environment • Ubuntu 17.04 desktop amd64
Flow • Import angr import angr • Load the binary and initialize angr project project = angr.Project('./ais3_crackme') • Define argv1 as 100 bytes bitvectors argv1 = claripy.BVS("argv1",100*8) • Initialize the state with argv1 state = project.factory.entry_state(args=["./crackme1",argv1])
Flow • Initialize the simulation manager simgr = p.factory.simgr(state) • Explore the states that matches the condition simgr.explore(find= 0x400602) • Extract one state from found states found = simgr.found[0] • Solve the expression with solver solution = found.solver.eval(argv1, cast_to=str)
ais3 crackme • Binary could be found in: https://github.com/angr/angr- doc/blob/master/examples/ais3_crackme/ • Run binary with argument • If argument is correct print "Correct! that is the secret key!" • else print "I'm sorry, that's the wrong secret key!"
Target address
Solution import angr import claripy project = angr.Project("./ais3_crackme") argv1 = claripy.BVS("argv1",100*8) state = project.factory.entry_state(args=["./crackme1",argv1]) simgr = project.factory.simgr(state) simgr.explore(find=0x400602) found = simgr.found[0] solution = found.solver.eval(argv1, cast_to=str) print(repr(solution))
Result
Loader • Load the binary through angr.Project • Loading options • auto_load_libs • When there is no SimProcedure • True(Default, real library function is executed) • False(return a generic "stub" SimProcedure called ReturnUnconstrained)
Intermediate Representation • In order to be able to analyze and execute machine code from different CPU architectures, Angr performs most of its analysis on an intermediate representation • Angr's intermediate representation is VEX(Valgrind), since the uplifting of binary code into VEX is quite well supported
Intermediate Representation • IR abstracts away several architecture differences when dealing with different architectures • Register names: VEX models the registers as a separate memory space, with integer offsets • Memory access: The IR abstracts difference between architectures access memory in different ways • Memory segmentation: Some architectures support memory segmentation through the use of special segment registers • Instruction side-effects: Most instructions have side-effects
Intermediate Representation • addl %eax, %ebx • t3 = GET:I32(0) • # get %eax, a 32-bit integer • t2 = GET:I32(12) • # get %ebx, a 32-bit integer • t1 = Add32(t3,t2) • # addl • PUT(0) = t1 • # put %eax
Simulation Managers • simgr.step() Step forward all states in a given stash by one basic block • simgr.run() Step until everything terminates • simgr.explore(conditions) • find, avoid: • An address to find or avoid • A set or list of addresses to find or avoid • A function that takes a state and returns whether or not it matches.
Bit-Vector Symbol • claripy.BVS(name, size) • name: The name of the symbol. • size: The size (in bits) of the bit-vector. • chop(bits) • bits: A list of smaller bitvectors, each bits in length.
State • Property • registers: The state's register file as a flat memory region • memory: The state's memory as a flat memory region • solver(e.g., se): The solver engine for this state • posix: information about the operating system or environment model(e.g., posix.files[fd]) • add_constraints(BVS condition) • inspect.b(event, when=angr.BP_AFTER, action=debug_func) • event: mem_read, reg_write • when: BP_BEFORE or BP_AFTER • action: debug_func
SimMemory • load(addr, size=None) • addr: memory address • size: The sizein bytes • find(addr, what) • addr: The start address • what: what to search for • store(addr, data, size=None) • addr: address to store at • data: The data(claripy expression or something convertable to a claripy expression) • size: The data size(claripy expression or something convertable to a claripy expression)
Stash types active This stash contains the states that will be stepped by default, unless an alternate stash is specified. deadended A state goes to the deadended stash when it cannot continue the execution for some reason, including no more valid instructions, unsat state of all of its successors, or an invalid instruction pointer. pruned When using LAZY_SOLVES, states are not checked for satisfiability unless absolutely necessary. When a state is found to be unsat in the presence of LAZY_SOLVES, the state hierarchy is traversed to identify when, in its history, it initially became unsat. All states that are descendants of that point (which will also be unsat, since a state cannot become un-unsat) are pruned and put in this stash. unconstrained If the save_unconstrained option is provided to the SimulationManager constructor, states that are determined to be unconstrained (i.e., with the instruction pointer controlled by user data or some other source of symbolic data) are placed here. unsat If the save_unsat option is provided to the SimulationManager constructor, states that are determined to be unsatisfiable (i.e., they have constraints that are contradictory, like the input having to be both "AAAA" and "BBBB" at the same time) are placed here.
Hooking • project.hook(address, hook) • hook is a SimProcedure instance • At every step, angr checks if the current address has been hooked, and if so, runs the hook instead of the binary code at that address • You could also use symbol to locate the address • proj.hook_symbol(name, hook) • You could use hook as function decorator, length is to jump after finishing the hook @proj.hook(0x20000, length=5) def my_hook(state): state.regs.rax = 1
Hooking • proj.is_hooked(address) True or False • proj.unhook(address) Unhook hook on address • proj.hooked_by(address) Return SimProcedure instance
Symbolic Function • Project tries to replace external calls to library functions by using symbolic summaries termed SimProcedures • Because SimProcedures are library hooks written in Python, it has inaccuracy • If you encounter path explosion or inaccuracy, you can do: 1. Disable the SimProcedure 2. Replace the SimProcedure with something written directly to the situation in question 3. Fix the SimProcedure
Symbolic Function(scanf) • Source code: https://github.com/angr/angr/blob/master/angr/procedures/libc/sca nf.py 1. Get first argument(pointer to format string) 2. Define function return type by the architecture 3. Parse format string 4. According format string, read input from file descriptor 0(i.e., standard input) 5. Do the read operation
Symbolic Function(scanf) from angr.procedures.stubs.format_parser import FormatParser from angr.sim_type import SimTypeInt, SimTypeString class scanf(FormatParser): def run(self, fmt): self.argument_types = {0: self.ty_ptr(SimTypeString())} self.return_type = SimTypeInt(self.state.arch.bits, True) fmt_str = self._parse(0) f = self.state.posix.get_file(0) region = f.content start = f.pos (end, items) = fmt_str.interpret(start, 1, self.arg, region=region) # do the read, correcting the internal file position and logging the action self.state.posix.read_from(0, end - start) return items
Symbolic Function(scanf) class SimProcedure(object): @staticmethod def ty_ptr(self, ty): return SimTypePointer(self.arch, ty) class FormatParser(SimProcedure): def _parse(self, fmt_idx): """ fmt_idx: The index of the (pointer to the) format string in the arguments list. """ def interpret(self, addr, startpos, args, region=None): """ Interpret a format string, reading the data at `addr` in `region` into `args` starting at `startpos`. """
def _parse(self, fmt_idx): • int scanf ( const char * format, ... ); • scanf ("%d",&i); fmt_str = self._parse(0) • int sscanf ( const char * s, const char * format, ...); • sscanf (sentence,"%s %*s %d",str,&i); fmt_str = self._parse(1)
def interpret(self, addr, startpos, args, region=None): • int scanf ( const char * format, ... ); • scanf ("%d",&i); f = self.state.posix.get_file(0) region = f.content start = f.pos (end, items) = fmt_str.interpret(start, 1, self.arg, region=region) • int sscanf ( const char * s, const char * format, ...); • sscanf (sentence,"%s %*s %d",str,&i); _, items = fmt_str.interpret(self.arg(0), 2, self.arg, region=self.state.memory)
Exercises • angrman https://bamboofox.cs.nctu.edu.tw/courses/1/challenges/69 Local binary • magicpuzzle Server response the base64-encoded binary, try to find out the differences, and automatically generate the exploit https://bamboofox.cs.nctu.edu.tw/courses/1/challenges/70 • Sushi Server response the base64-encoded binary, try to find out the differences, and automatically generate the exploit https://bamboofox.cs.nctu.edu.tw/courses/1/challenges/72
Q & A

More Related Content

PDF
RSA暗号運用でやってはいけない n のこと #ssmjp
bysonickun
 
PDF
MapReduce入門
bySatoshi Noto
 
PDF
ELFの動的リンク
by7shi
 
PDF
SQLite の暗号化
byAkihiro Matsuura
 
PDF
[CB16] House of Einherjar :GLIBC上の新たなヒープ活用テクニック by 松隈大樹
byCODE BLUE
 
PDF
行ロックと「LOG: process 12345 still waiting for ShareLock on transaction 710 afte...
byMasahiko Sawada
 
PDF
こわくない Git
byKota Saito
 
PDF
MySQL勉強会 クエリチューニング編
byMicroAd, Inc.(Engineer)
 
RSA暗号運用でやってはいけない n のこと #ssmjp
bysonickun
 
MapReduce入門
bySatoshi Noto
 
ELFの動的リンク
by7shi
 
SQLite の暗号化
byAkihiro Matsuura
 
[CB16] House of Einherjar :GLIBC上の新たなヒープ活用テクニック by 松隈大樹
byCODE BLUE
 
行ロックと「LOG: process 12345 still waiting for ShareLock on transaction 710 afte...
byMasahiko Sawada
 
こわくない Git
byKota Saito
 
MySQL勉強会 クエリチューニング編
byMicroAd, Inc.(Engineer)
 

What's hot

PDF
関数型プログラミング入門 with OCaml
byHaruka Oikawa
 
PPT
Glibc malloc internal
byMotohiro KOSAKI
 
PDF
知っておきたいSpring Batch Tips
byikeyat
 
PDF
flaws.cloudに挑戦しよう!
byzaki4649
 
PDF
関数型プログラミングのデザインパターンひとめぐり
byKazuyuki TAKASE
 
PDF
CTF for ビギナーズ バイナリ講習資料
bySECCON Beginners
 
PDF
SATySFi 最近の発展と目下実装中の変更
byT. Suwa
 
PPTX
katagaitai CTF勉強会 #3 crypto
bytrmr
 
PDF
Garbage First Garbage Collection (G1 GC) #jjug_ccc #ccc_cd6
byYuji Kubota
 
PDF
Vacuum徹底解説
byMasahiko Sawada
 
PDF
Migration Guide from Java 8 to Java 11 #jjug
byYuji Kubota
 
PDF
入門Transducers
bysohta
 
PDF
JavaScript難読化読経
byYosuke HASEGAWA
 
PDF
π計算
byYuuki Takano
 
PPTX
Stack pivot
bysounakano
 
PDF
MCC CTF講習会 pwn編
byhama7230
 
PDF
オブジェクト指向プログラミングの現在・過去・未来
by増田 亨
 
PDF
コルーチンの使い方
byNaohiro Yoshikawa
 
PDF
TDDBC お題
byTakuto Wada
 
PDF
Linux女子会 - お仕事メリハリ術♪(プロセススケジューラ編)
byYahoo!デベロッパーネットワーク
 
関数型プログラミング入門 with OCaml
byHaruka Oikawa
 
Glibc malloc internal
byMotohiro KOSAKI
 
知っておきたいSpring Batch Tips
byikeyat
 
flaws.cloudに挑戦しよう!
byzaki4649
 
関数型プログラミングのデザインパターンひとめぐり
byKazuyuki TAKASE
 
CTF for ビギナーズ バイナリ講習資料
bySECCON Beginners
 
SATySFi 最近の発展と目下実装中の変更
byT. Suwa
 
katagaitai CTF勉強会 #3 crypto
bytrmr
 
Garbage First Garbage Collection (G1 GC) #jjug_ccc #ccc_cd6
byYuji Kubota
 
Vacuum徹底解説
byMasahiko Sawada
 
Migration Guide from Java 8 to Java 11 #jjug
byYuji Kubota
 
入門Transducers
bysohta
 
JavaScript難読化読経
byYosuke HASEGAWA
 
π計算
byYuuki Takano
 
Stack pivot
bysounakano
 
MCC CTF講習会 pwn編
byhama7230
 
オブジェクト指向プログラミングの現在・過去・未来
by増田 亨
 
コルーチンの使い方
byNaohiro Yoshikawa
 
TDDBC お題
byTakuto Wada
 
Linux女子会 - お仕事メリハリ術♪(プロセススケジューラ編)
byYahoo!デベロッパーネットワーク
 

Similar to Klee and angr

PDF
Symbolic Execution (introduction and hands-on)
byEmilio Coppa
 
PDF
A CTF Hackers Toolbox
byStefan
 
PPTX
Symbolic Execution And KLEE
byShauvik Roy Choudhary, Ph.D.
 
ODP
Klee introduction
byGeorgiana T.
 
PDF
Fuzzing - Part 1
byUTD Computer Security Group
 
DOC
Lex tool manual
bySami Said
 
PDF
Kernel Recipes 2019 - GNU poke, an extensible editor for structured binary data
byAnne Nicolas
 
PDF
WAD : A Module for Converting Fatal Extension Errors into Python Exceptions
byDavid Beazley (Dabeaz LLC)
 
PDF
Byterun, a Python bytecode interpreter - Allison Kaptur at NYCPython
byakaptur
 
PDF
AEG_ Automatic Exploit Generation
byRedhung @ Nationtal Chung Cheng University, Chiayi, Taiwan.
 
PDF
HacknamStyle Plaid CTF write-up
byvanhoefm
 
PDF
Sthack 2015 - Jonathan "@JonathanSalwan" Salwan - Dynamic Behavior Analysis U...
byStHack
 
PDF
SunPy: Python for solar physics
bysegfaulthunter
 
PDF
Allison Kaptur: Bytes in the Machine: Inside the CPython interpreter, PyGotha...
byakaptur
 
PDF
NSC #2 - D2 06 - Richard Johnson - SAGEly Advice
byNoSuchCon
 
PDF
talk at Virginia Bioinformatics Institute, December 5, 2013
byericupnorth
 
ODP
Advanced Linux Game Programming
byLeszek Godlewski
 
PDF
Python 2.5 reference card (2009)
bygekiaruj
 
PDF
Extending Python - EuroPython 2014
byfcofdezc
 
PDF
St hack2015 dynamic_behavior_analysis_using_binary_instrumentation_jonathan_s...
byJonathan Salwan
 
Symbolic Execution (introduction and hands-on)
byEmilio Coppa
 
A CTF Hackers Toolbox
byStefan
 
Symbolic Execution And KLEE
byShauvik Roy Choudhary, Ph.D.
 
Klee introduction
byGeorgiana T.
 
Fuzzing - Part 1
byUTD Computer Security Group
 
Lex tool manual
bySami Said
 
Kernel Recipes 2019 - GNU poke, an extensible editor for structured binary data
byAnne Nicolas
 
WAD : A Module for Converting Fatal Extension Errors into Python Exceptions
byDavid Beazley (Dabeaz LLC)
 
Byterun, a Python bytecode interpreter - Allison Kaptur at NYCPython
byakaptur
 
AEG_ Automatic Exploit Generation
byRedhung @ Nationtal Chung Cheng University, Chiayi, Taiwan.
 
HacknamStyle Plaid CTF write-up
byvanhoefm
 
Sthack 2015 - Jonathan "@JonathanSalwan" Salwan - Dynamic Behavior Analysis U...
byStHack
 
SunPy: Python for solar physics
bysegfaulthunter
 
Allison Kaptur: Bytes in the Machine: Inside the CPython interpreter, PyGotha...
byakaptur
 
NSC #2 - D2 06 - Richard Johnson - SAGEly Advice
byNoSuchCon
 
talk at Virginia Bioinformatics Institute, December 5, 2013
byericupnorth
 
Advanced Linux Game Programming
byLeszek Godlewski
 
Python 2.5 reference card (2009)
bygekiaruj
 
Extending Python - EuroPython 2014
byfcofdezc
 
St hack2015 dynamic_behavior_analysis_using_binary_instrumentation_jonathan_s...
byJonathan Salwan
 

More from Wei-Bo Chen

PPTX
Triton and Symbolic execution on GDB@DEF CON China
byWei-Bo Chen
 
PDF
Triton and symbolic execution on gdb
byWei-Bo Chen
 
PPTX
x86
byWei-Bo Chen
 
PPTX
Format String
byWei-Bo Chen
 
PDF
Ctf For Beginner
byWei-Bo Chen
 
PPTX
Python
byWei-Bo Chen
 
PPTX
Some tips
byWei-Bo Chen
 
Triton and Symbolic execution on GDB@DEF CON China
byWei-Bo Chen
 
Triton and symbolic execution on gdb
byWei-Bo Chen
 
x86
byWei-Bo Chen
 
Format String
byWei-Bo Chen
 
Ctf For Beginner
byWei-Bo Chen
 
Python
byWei-Bo Chen
 
Some tips
byWei-Bo Chen
 

Recently uploaded

PDF
[BDD 2025 - Mobile Development] Exploring Apple’s On-Device FoundationModels
byWintari Yasmin
 
PDF
Mulesoft Meetup Online Portuguese: MCP e IA
byPedro Baroni
 
PDF
Open Source Post-Quantum Cryptography - Matt Caswell
byAll Things Open
 
PDF
[BDD 2025 - Mobile Development] Crafting Immersive UI with E2E and AGSL Shade...
byWintari Yasmin
 
PDF
Lets Build a Serverless Function with Kiro
byChris Bingham
 
PDF
[DevFest Strasbourg 2025] - NodeJs Can do that !!
bymoassiongbon
 
PPTX
"Feelings versus facts: why metrics are more important than intuition", Igor ...
byFwdays
 
PDF
Agentic Intro and Hands-on: Build your first Coded Agent
byUiPathCommunity
 
PDF
[BDD 2025 - Mobile Development] Mobile Engineer and Software Engineer: Are we...
bywintari3
 
PDF
Top Crypto Supers 15th Report November 2025
byStephen Perrenod
 
PPTX
MuleSoft AI Series : Introduction to MCP
byMulesoftMunichMeetup
 
PDF
Transforming Content Operations in the Age of AI
byEnterprise Knowledge
 
PPTX
kernel PPT (Explanation of Windows Kernal).pptx
byINFOBYTES1
 
PDF
So You Want to Work at Google | DevFest Seattle 2025
byMargaret Maynard-Reid
 
PDF
KMWorld - KM & AI Bring Collectivity, Nostalgia, & Selectivity
byJonathan Ralton
 
PDF
DUBAI IT MODERNIZATION WITH AZURE MANAGED SERVICES.pdf
byLogicEra
 
PDF
The Necessity of Digital Forensics, the Digital Forensics Process & Laborator...
bychrstnpetwinchester
 
PDF
The Evolving Role of the CEO in the Age of AI
byPipal Tree Services Executive Search Firm
 
PDF
Cybersecurity Prevention and Detection: Unit 2
byVICTOR MAESTRE RAMIREZ
 
PDF
How Much Does It Cost To Build Software
bycollinmishell2
 
[BDD 2025 - Mobile Development] Exploring Apple’s On-Device FoundationModels
byWintari Yasmin
 
Mulesoft Meetup Online Portuguese: MCP e IA
byPedro Baroni
 
Open Source Post-Quantum Cryptography - Matt Caswell
byAll Things Open
 
[BDD 2025 - Mobile Development] Crafting Immersive UI with E2E and AGSL Shade...
byWintari Yasmin
 
Lets Build a Serverless Function with Kiro
byChris Bingham
 
[DevFest Strasbourg 2025] - NodeJs Can do that !!
bymoassiongbon
 
"Feelings versus facts: why metrics are more important than intuition", Igor ...
byFwdays
 
Agentic Intro and Hands-on: Build your first Coded Agent
byUiPathCommunity
 
[BDD 2025 - Mobile Development] Mobile Engineer and Software Engineer: Are we...
bywintari3
 
Top Crypto Supers 15th Report November 2025
byStephen Perrenod
 
MuleSoft AI Series : Introduction to MCP
byMulesoftMunichMeetup
 
Transforming Content Operations in the Age of AI
byEnterprise Knowledge
 
kernel PPT (Explanation of Windows Kernal).pptx
byINFOBYTES1
 
So You Want to Work at Google | DevFest Seattle 2025
byMargaret Maynard-Reid
 
KMWorld - KM & AI Bring Collectivity, Nostalgia, & Selectivity
byJonathan Ralton
 
DUBAI IT MODERNIZATION WITH AZURE MANAGED SERVICES.pdf
byLogicEra
 
The Necessity of Digital Forensics, the Digital Forensics Process & Laborator...
bychrstnpetwinchester
 
The Evolving Role of the CEO in the Age of AI
byPipal Tree Services Executive Search Firm
 
Cybersecurity Prevention and Detection: Unit 2
byVICTOR MAESTRE RAMIREZ
 
How Much Does It Cost To Build Software
bycollinmishell2
 

Klee and angr

  • 1.
    Klee and Angr bananaappletw@ UCCU Hacker 2017/10/29
  • 2.
    $whoami • 陳威伯(bananaappletw) • Masterof National Chiao Tung University • Organizations: • Software Quality Laboratory • Bamboofox member • Vice president of NCTUCSC • Specialize in: • symbolic execution • binary exploit • Talks: • HITCON CMT 2015 • HITCON CMT 2017
  • 3.
    What is symbolicexecution? • Symbolic execution is a means of analyzing a program to determine what inputs cause each part of a program to execute • System-level • S2e(https://github.com/dslab-epfl/s2e) • User-level • Angr(http://angr.io/) • Triton(https://triton.quarkslab.com/) • Code-based • klee(http://klee.github.io/)
  • 4.
  • 5.
    Klee • Symbolic virtualmachine built on top of the LLVM compiler infrastructure • Website: http://klee.github.io/ • Github: https://github.com/klee/klee • Klee paper: http://llvm.org/pubs/2008-12-OSDI-KLEE.pdf (Worth reading) • Main goal of Klee: 1. Hit every line of executable code in the program 2. Detect at each dangerous operation
  • 6.
    Installation • Install docker •sudo apt-get install docker.io • Get klee image • sudo docker pull klee/klee • Run klee docker image • sudo docker run --rm -ti --ulimit='stack=-1:-1' klee/klee • Test environment • Ubuntu 17.04 desktop amd64
  • 7.
    Introduction • Klee isa symbolic machine to generate test cases • Need source code to compile to LLVM bitcode • Steps: • Replace input with Klee function to make memory region symbolic • Compile source code to LLVM bitcode • Run Klee • Get the test cases and path's information
  • 8.
    Steps • Source codeat ~/klee_src/examples/get_sign.c • Include klee library #include <klee/klee.h> • Make input symbolic klee_make_symbolic(&a, sizeof(a), "a"); • Compile to LLVM bitcode clang -I ../../include -emit-llvm -c -g get_sign.c
  • 9.
    Steps • Examine LLVMbitcode llvm-dis get_sign.bc • Running KLEE klee get_sign.bc • Show information about test case ktest-tool ./klee-last/*.ktest
  • 10.
    get_sign.c #include <klee/klee.h> int get_sign(intx) { if (x == 0) return 0; if (x < 0) return -1; else return 1; } int main() { int a; klee_make_symbolic(&a, sizeof(a), "a"); return get_sign(a); }
  • 11.
    get_sign.ll define i32 @main()#0 { %1 = alloca i32, align 4 %a = alloca i32, align 4 store i32 0, i32* %1 call void @llvm.dbg.declare(metadata !{i32* %a}, metadata !25), !dbg !26 %2 = bitcast i32* %a to i8*, !dbg !27 call void @klee_make_symbolic(i8* %2, i64 4, i8* getelementptr inbounds ([2 x i8]* @.str, i32 0, i32 0)), !dbg !27 %3 = load i32* %a, align 4, !dbg !28 %4 = call i32 @get_sign(i32 %3), !dbg !28 ret i32 %4, !dbg !28 }
  • 12.
  • 13.
    Functions • klee_make_symbolic(address, size,name) Make memory address symbolic klee_make_symbolic(&c, sizeof(c), "c"); Notice: Don't overlap symbolic memory regions • klee_assume(condition) Add condition constraint on input klee_assume((c==2)||(d==3)); • klee_prefer_cex(object, condition) When generating test cases, prefer certain values between equivalent test cases klee_prefer_cex(input, 32 <= input[i] && input[i] <= 126);
  • 14.
    Functions • Insert asserton target path klee_assert(0) • Find assert test case ls ./klee-last/ | grep .assert • Show information about test case ktest-tool ./klee-last/*.ktest • Using GNU c library functions Run with --libc=uclibc --posix-runtime parameters
  • 15.
    Environment Modeling • Forexample: • command-line arguments • environment variables • file • data and metadata • network packets • …… • Klee redirects library call to models • If fd refers to a concrete file Klee use pread to multiplex access from KLEE’s many states onto the one actual underlying file descriptor • If fd refers to a symbolic file read() copies from the underlying symbolic buffer
  • 16.
    Environment Modeling • -sym-arg<N> Replace by a symbolic argument with length N • -sym-args <MIN> <MAX> <N> Replace by at least MIN arguments and at most MAX arguments, each with maximum length N • -sym-files <NUM> <N> Make NUM symbolic files (‘A’, ‘B’, ‘C’, etc.), each with size N (excluding stdin) • -sym-stdin <N> Make stdin symbolic with size N
  • 17.
    Solver • MetaSMT • STP(Defaultoption for Klee) • Z3
  • 18.
    Architecture • Represent Kleeas an interpreter loop which select a state to run and then symbolically executes a single instruction in the context of that state • When Klee meets the conditional branch instruction, it clones the state so that it could explore both paths • By implementing heap as immutable map, portions of the heap structure itself can also be shared amongst multiple states(copy on write)
  • 19.
    Architecture • Potentially dangerousoperations implicitly generate branches that check if any input value exists that could cause an error(e.g., zero divisor) • When processing instruction, if all given operands are concrete, performs the operation natively, returning a constant expression • When KLEE detects an error or when a path reaches an exit call, Klee solves the current path's constraints
  • 20.
    Diagram 1. Step theprogram until it meets the branch #include <klee/klee.h> int get_sign(int x) { if (x == 0) return 0; if (x < 0) return -1; else return 1; } int main() { int a; klee_make_symbolic(&a, sizeof(a), "a"); return get_sign(a); }
  • 21.
    Diagram 1. Step theprogram until it meets the branch 2. If all given operands are concrete, return constant expression. If not, record current condition constraints and clone the state. #include <klee/klee.h> int get_sign(int x) { if (x == 0) return 0; if (x < 0) return -1; else return 1; } int main() { int a; klee_make_symbolic(&a, sizeof(a), "a"); return get_sign(a); }
  • 22.
    Diagram 1. Step theprogram until it meets the branch 2. If all given operands are concrete, return constant expression. If not, record current condition constraints and clone the state 3. Step the states until they hit exit call or error X==0 Constraints: X!=0 Next instruction: if (x < 0) Constraints: X==0 Next instruction: return 0;
  • 23.
    Diagram 1. Step theprogram until it meets the branch 2. If all given operands are concrete, return constant expression. If not, record current condition constraints and clone the state 3. Step the states until they hit exit call or error 4. Solve the conditional constraint X==0 Constraints: X!=0 Next instruction: if (x < 0) Constraints: X==0 Next instruction: return 0;
  • 24.
    Diagram 1. Step theprogram until it meets the branch 2. If all given operands are concrete, return constant expression. If not, record current condition constraints and clone the state 3. Step the states until they hit exit call or error 4. Solve the conditional constraint 5. Loop until no remaining states or user-defined timeout is reached
  • 25.
    Exercises • ccr Sum ofcontinuous number https://bamboofox.cs.nctu.edu.tw/courses/1/challenges/67 • Suicide Product of continuous number https://bamboofox.cs.nctu.edu.tw/courses/1/challenges/68
  • 26.
    Angr • Website: http://angr.io/ •Angr is a python framework for analyzing binaries. It combines both static and dynamic symbolic ("concolic") analysis, making it applicable to a variety of tasks. • Flow • Loading a binary into the analysis program. • Translating a binary into an intermediate representation (IR). • Performing the actual analysis
  • 27.
    Installation • sudo apt-getinstall -y python-pip python-dev libffi-dev build-essential virtualenvwrapper • Virtualenv • mkvirtualenv angr && pip install angr • Direct install in system • sudo pip install angr • Test environment • Ubuntu 17.04 desktop amd64
  • 28.
    Flow • Import angr importangr • Load the binary and initialize angr project project = angr.Project('./ais3_crackme') • Define argv1 as 100 bytes bitvectors argv1 = claripy.BVS("argv1",100*8) • Initialize the state with argv1 state = project.factory.entry_state(args=["./crackme1",argv1])
  • 29.
    Flow • Initialize thesimulation manager simgr = p.factory.simgr(state) • Explore the states that matches the condition simgr.explore(find= 0x400602) • Extract one state from found states found = simgr.found[0] • Solve the expression with solver solution = found.solver.eval(argv1, cast_to=str)
  • 30.
    ais3 crackme • Binarycould be found in: https://github.com/angr/angr- doc/blob/master/examples/ais3_crackme/ • Run binary with argument • If argument is correct print "Correct! that is the secret key!" • else print "I'm sorry, that's the wrong secret key!"
  • 31.
  • 32.
    Solution import angr import claripy project= angr.Project("./ais3_crackme") argv1 = claripy.BVS("argv1",100*8) state = project.factory.entry_state(args=["./crackme1",argv1]) simgr = project.factory.simgr(state) simgr.explore(find=0x400602) found = simgr.found[0] solution = found.solver.eval(argv1, cast_to=str) print(repr(solution))
  • 33.
  • 34.
    Loader • Load thebinary through angr.Project • Loading options • auto_load_libs • When there is no SimProcedure • True(Default, real library function is executed) • False(return a generic "stub" SimProcedure called ReturnUnconstrained)
  • 35.
    Intermediate Representation • Inorder to be able to analyze and execute machine code from different CPU architectures, Angr performs most of its analysis on an intermediate representation • Angr's intermediate representation is VEX(Valgrind), since the uplifting of binary code into VEX is quite well supported
  • 36.
    Intermediate Representation • IRabstracts away several architecture differences when dealing with different architectures • Register names: VEX models the registers as a separate memory space, with integer offsets • Memory access: The IR abstracts difference between architectures access memory in different ways • Memory segmentation: Some architectures support memory segmentation through the use of special segment registers • Instruction side-effects: Most instructions have side-effects
  • 37.
    Intermediate Representation • addl%eax, %ebx • t3 = GET:I32(0) • # get %eax, a 32-bit integer • t2 = GET:I32(12) • # get %ebx, a 32-bit integer • t1 = Add32(t3,t2) • # addl • PUT(0) = t1 • # put %eax
  • 38.
    Simulation Managers • simgr.step() Stepforward all states in a given stash by one basic block • simgr.run() Step until everything terminates • simgr.explore(conditions) • find, avoid: • An address to find or avoid • A set or list of addresses to find or avoid • A function that takes a state and returns whether or not it matches.
  • 39.
    Bit-Vector Symbol • claripy.BVS(name,size) • name: The name of the symbol. • size: The size (in bits) of the bit-vector. • chop(bits) • bits: A list of smaller bitvectors, each bits in length.
  • 40.
    State • Property • registers:The state's register file as a flat memory region • memory: The state's memory as a flat memory region • solver(e.g., se): The solver engine for this state • posix: information about the operating system or environment model(e.g., posix.files[fd]) • add_constraints(BVS condition) • inspect.b(event, when=angr.BP_AFTER, action=debug_func) • event: mem_read, reg_write • when: BP_BEFORE or BP_AFTER • action: debug_func
  • 41.
    SimMemory • load(addr, size=None) •addr: memory address • size: The sizein bytes • find(addr, what) • addr: The start address • what: what to search for • store(addr, data, size=None) • addr: address to store at • data: The data(claripy expression or something convertable to a claripy expression) • size: The data size(claripy expression or something convertable to a claripy expression)
  • 42.
    Stash types active Thisstash contains the states that will be stepped by default, unless an alternate stash is specified. deadended A state goes to the deadended stash when it cannot continue the execution for some reason, including no more valid instructions, unsat state of all of its successors, or an invalid instruction pointer. pruned When using LAZY_SOLVES, states are not checked for satisfiability unless absolutely necessary. When a state is found to be unsat in the presence of LAZY_SOLVES, the state hierarchy is traversed to identify when, in its history, it initially became unsat. All states that are descendants of that point (which will also be unsat, since a state cannot become un-unsat) are pruned and put in this stash. unconstrained If the save_unconstrained option is provided to the SimulationManager constructor, states that are determined to be unconstrained (i.e., with the instruction pointer controlled by user data or some other source of symbolic data) are placed here. unsat If the save_unsat option is provided to the SimulationManager constructor, states that are determined to be unsatisfiable (i.e., they have constraints that are contradictory, like the input having to be both "AAAA" and "BBBB" at the same time) are placed here.
  • 43.
    Hooking • project.hook(address, hook) •hook is a SimProcedure instance • At every step, angr checks if the current address has been hooked, and if so, runs the hook instead of the binary code at that address • You could also use symbol to locate the address • proj.hook_symbol(name, hook) • You could use hook as function decorator, length is to jump after finishing the hook @proj.hook(0x20000, length=5) def my_hook(state): state.regs.rax = 1
  • 44.
    Hooking • proj.is_hooked(address) True orFalse • proj.unhook(address) Unhook hook on address • proj.hooked_by(address) Return SimProcedure instance
  • 45.
    Symbolic Function • Projecttries to replace external calls to library functions by using symbolic summaries termed SimProcedures • Because SimProcedures are library hooks written in Python, it has inaccuracy • If you encounter path explosion or inaccuracy, you can do: 1. Disable the SimProcedure 2. Replace the SimProcedure with something written directly to the situation in question 3. Fix the SimProcedure
  • 46.
    Symbolic Function(scanf) • Sourcecode: https://github.com/angr/angr/blob/master/angr/procedures/libc/sca nf.py 1. Get first argument(pointer to format string) 2. Define function return type by the architecture 3. Parse format string 4. According format string, read input from file descriptor 0(i.e., standard input) 5. Do the read operation
  • 47.
    Symbolic Function(scanf) from angr.procedures.stubs.format_parserimport FormatParser from angr.sim_type import SimTypeInt, SimTypeString class scanf(FormatParser): def run(self, fmt): self.argument_types = {0: self.ty_ptr(SimTypeString())} self.return_type = SimTypeInt(self.state.arch.bits, True) fmt_str = self._parse(0) f = self.state.posix.get_file(0) region = f.content start = f.pos (end, items) = fmt_str.interpret(start, 1, self.arg, region=region) # do the read, correcting the internal file position and logging the action self.state.posix.read_from(0, end - start) return items
  • 48.
    Symbolic Function(scanf) class SimProcedure(object): @staticmethod defty_ptr(self, ty): return SimTypePointer(self.arch, ty) class FormatParser(SimProcedure): def _parse(self, fmt_idx): """ fmt_idx: The index of the (pointer to the) format string in the arguments list. """ def interpret(self, addr, startpos, args, region=None): """ Interpret a format string, reading the data at `addr` in `region` into `args` starting at `startpos`. """
  • 49.
    def _parse(self, fmt_idx): •int scanf ( const char * format, ... ); • scanf ("%d",&i); fmt_str = self._parse(0) • int sscanf ( const char * s, const char * format, ...); • sscanf (sentence,"%s %*s %d",str,&i); fmt_str = self._parse(1)
  • 50.
    def interpret(self, addr,startpos, args, region=None): • int scanf ( const char * format, ... ); • scanf ("%d",&i); f = self.state.posix.get_file(0) region = f.content start = f.pos (end, items) = fmt_str.interpret(start, 1, self.arg, region=region) • int sscanf ( const char * s, const char * format, ...); • sscanf (sentence,"%s %*s %d",str,&i); _, items = fmt_str.interpret(self.arg(0), 2, self.arg, region=self.state.memory)
  • 51.
    Exercises • angrman https://bamboofox.cs.nctu.edu.tw/courses/1/challenges/69 Local binary •magicpuzzle Server response the base64-encoded binary, try to find out the differences, and automatically generate the exploit https://bamboofox.cs.nctu.edu.tw/courses/1/challenges/70 • Sushi Server response the base64-encoded binary, try to find out the differences, and automatically generate the exploit https://bamboofox.cs.nctu.edu.tw/courses/1/challenges/72
  • 52.