Posted: 18-May-2015 | Uploaded by: sunil-kumar
Automatic Program Analysis with
Dynamic Binary Instrumentation
Sunil Kumar
http://null.co.in/ http://nullcon.net/
#whoami
• Research Associate @ iViZ Techno Solutions
• MCA(007) from Goa University i.e. GUMCA07.
• http://www.linkedin.com/in/sunilkr86
• Twitter @_skare; @_ice_22
Sections
• .program analysis
• .dynamic behavior
• .dynamic binary instrumentation
• .Pin
• .puncture
• .conclusion
program analysis
• In computer science, program analysis is the process of automatically analysing the behaviour of computer programs.
» http://en.wikipedia.org/wiki/Program_analysis
• Two approaches:
– Static Program Analysis.
– Dynamic Program Analysis.
program analysis::Static Analysis
• Static Properties
– Hash
– Signature/Byte Patterns
– Strings
• Code Analysis (disassembly, imports, control flow)
• Safe because we did not run it?
– Mostly: the sample never executes, but the parsers, unpackers and disassemblers that read it are still attack surface, and a malformed sample can crash or mislead them.
• Match against known data.
program analysis::Static Analysis
• One side of the coin.
• May fail if
– Obfuscated strings.
– Variants of known samples (hashes and byte signatures no longer match).
– Code in non-standard sections {.data,…}
– Self modifying code.
– Brand new samples, with nothing known to match against.
program analysis::Dynamic Analysis
• a.k.a. Behavior Analysis
• Let Us C (“see”)
• Dynamic Properties
– File Operations
– Registry Operations
– Network Operations
– Interaction with other processes…
• Dangerous unless run in controlled environment / sandbox.
instrumentation
• Instruments that record, analyze, summarize, organize, debate in explained information that are illustrative, non illustrative, hard bound, paper bag, jacketed, non jacketed, with forward introduction, table of content, index, that are intended for the enlightenment, understanding, enrichment, enhancement, education of human brain through sensory route of vision... sometimes touch!
Dynamic Binary Instrumentation
• Instrument code just before it runs (Just In Time)
• No need to re-link.
• Discover code at runtime
• Handle dynamically generated code.
• Attach to running process.
• [cgo_2010_final.ppt]
Pin
• A Dynamic Binary Instrumentation engine based on the Post-Link Optimizer "Spike".
• Developed by Intel Corporation.
• Oldest available release at the time of this talk: Pin-2.6-24110 dated 13/01/2009.
• Latest release at the time of this talk: Pin-2.8-39028 dated 02/02/2011.
• Alternatives: DynamoRIO, Valgrind
Advantages of Pin
• Provides a rich set of APIs in C/C++/Assembly for creating instrumentation tools, a.k.a. PinTools.
• Multiplatform:
– Supports IA-32, IA64, Intel64
– Supports Windows, Linux, MacOS
• Robust:
– If you can run it, you can Pin it.
– Multithreaded applications
– Self modifying code
– Supports signals and exceptions
• Efficient
– Compiler optimization and code inlining.
• Bypass Debug-Protection. (DEMO)
– Pin is not a debugger, so IsDebuggerPresent-style checks pass; it does leave its own artifacts in the process (the code cache, the Pin runtime and the PinTool mapped into memory) that anti-instrumentation checks can look for.
Pin Capabilities
• Insert code at arbitrary places in executable code.
• Just-In-Time compilation
• Automatic save/restore of registers to avoid interference.
• Dynamic code discovery.
• Instrument anything ever executed*.
• (*User Mode only)
If Pin doesn’t have it, you don’t want it
but I do want these too…
• Kernel Mode
• Isolated I/O.
• Handling exceptions of PinTools.
But what's in it for me?
• Read
– Instructions
– Operands
– Operations
– Methods
– Parameters
– Return Values
– Modules
• Write
– Instructions
– Operands
– Operations
– Methods
– Parameters
– Return Values
Pin Design
(diagram slide)
Pin Workflow
(diagram slide)
Pin Instrumentation Modes
• JIT
– Using Code-Cache: the original code never runs, Pin's JIT copies and instruments it first.
– All Instrumentation granularities
– Flexible
• Probe
– Binary modified in place: the routine entry is overwritten with a jump to the replacement.
– Limited to Routine level instrumentation.
– Less flexible.
– Faster than JIT in some cases.
Pin Instrumentation Granularities
• INS (single instruction)
• BBL (basic block)
• Trace (single-entry, multiple-exit sequence of basic blocks)
• RTN (routine/function)
– Requires symbol support; on Windows, dbghelp.dll v6.11.1.404.
• IMG (image: the executable or a loaded library)
a Simple PinTool
#include "pin.H"
#include <iostream>

// Instrumentation callback: called once for every image (executable, DLL/.so) as Pin loads it.
VOID Image(IMG img, VOID *v)
{
    std::cerr << "Loaded " << IMG_Name(img) << std::endl;
}

// Called when the instrumented application exits.
VOID Fini(INT32 code, VOID *v)
{
    std::cerr << "Application exited with code " << code << std::endl;
}

int main(int argc, char *argv[])
{
    if (PIN_Init(argc, argv))        // parse Pin and tool command line; non-zero on error
        return -1;
    IMG_AddInstrumentFunction(Image, 0);
    PIN_AddFiniFunction(Fini, 0);
    PIN_StartProgram();              // starts the application; never returns
    return 0;
}
.puncture
• A PinTool for behavior analysis.
• 3 stages:
– A text file of call logs.
– XML of categorized events.
– HTML Report = XML+XSL+CSS
• Instrumentation Methods
– Instrumentation at boundary
– ReplaceSignature
Instrumentation at Boundary
• UnPinned (conceptual view): FOO calls BAAR(x,x); BAAR executes and returns to FOO.
• Pinned (conceptual view): FOO calls BAAR(x,x); Pin runs b4BAAR(W,x,Z) at BAAR's entry, BAAR executes, Pin runs afterBAAR(X,Y,Z) at BAAR's return, then control returns to FOO. BAAR itself is unchanged; the analysis routines only observe its arguments and return value.
ReplaceSignature
• UnPinned (conceptual view): FOO calls BAAR; BAAR returns to FOO.
• Pinned (conceptual view): FOO's call to BAAR is redirected to wrappedBAAR; wrappedBAAR invokes the original BAAR through PIN_CallApplicationFunction and then returns to FOO. The wrapper sits in the call path, so it can inspect or change both the arguments and the return value.
Logger Requirements
• 3 Modules
– Registry Logger (ADVAPI32.DLL)
– File Logger (KERNEL32.DLL)
– Network Logger (WS2_32.DLL)
• Final Output
– A PinTool : Call Log in plain text.
– PinParser : RawText => XML
– XSLT+CSS+JS for Visualization
• [DEMO]
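The PinParser stage (plain-text call log to XML of categorized events) written out as an added example in Python; it is not the talk's own parser. The line format `API(arg, "quoted arg", ...) = return`, the API-to-module tables and the XML layout are this example's assumptions, and SAMPLE_LOG is a constructed log, not output captured from .puncture. The three categories mirror the three logger modules above, and anything the tables do not know is kept as "other" rather than dropped.

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter

# API -> module table mirroring the three .puncture loggers (KERNEL32 file,
# ADVAPI32 registry, WS2_32 network). The membership lists are this
# example's assumption; extend them to match whatever the PinTool hooks.
CATEGORIES = {
    "file":     {"CreateFileW", "CreateFileA", "ReadFile", "WriteFile",
                 "DeleteFileW", "CopyFileW", "MoveFileW"},
    "registry": {"RegOpenKeyExW", "RegCreateKeyExW", "RegSetValueExW",
                 "RegQueryValueExW", "RegDeleteValueW"},
    "network":  {"WSAStartup", "socket", "connect", "send", "recv",
                 "gethostbyname", "getaddrinfo"},
}

# One call per line, as the logging PinTool is assumed to write it:
#   API(arg0, "quoted arg", ...) = return
CALL_RE = re.compile(r'^(?P<api>\w+)\((?P<args>.*)\) = (?P<ret>\S+)$')


def categorize(api):
    """Map an API name to its logger module; unknown calls are kept as 'other'."""
    for category, apis in CATEGORIES.items():
        if api in apis:
            return category
    return "other"


def split_args(raw):
    """Split on commas outside double quotes. Backslashes are kept literally
    (Windows paths and registry keys are full of them); quotes are dropped."""
    args, current, quoted = [], [], False
    for ch in raw:
        if ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            args.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    tail = "".join(current).strip()
    if tail or args:
        args.append(tail)
    return args


def parse_line(line):
    """Return one event dict, or None for a line that is not a call record."""
    m = CALL_RE.match(line.strip())
    if not m:
        return None
    api = m.group("api")
    return {"api": api, "category": categorize(api),
            "args": split_args(m.group("args")), "ret": m.group("ret")}


def parse_log(text):
    return [ev for ev in (parse_line(line) for line in text.splitlines()) if ev]


def to_xml(events):
    """Stage-2 output: <calls><call category api ret><arg index>...</arg></call>...</calls>"""
    root = ET.Element("calls")
    for ev in events:
        node = ET.SubElement(root, "call", category=ev["category"],
                             api=ev["api"], ret=ev["ret"])
        for i, arg in enumerate(ev["args"]):
            ET.SubElement(node, "arg", index=str(i)).text = arg
    return ET.tostring(root, encoding="unicode")


def summary(events):
    """Calls per category: a quick triage view before reading the XML."""
    return dict(Counter(ev["category"] for ev in events))


# Constructed sample log (not captured from .puncture): a dropper writing a
# file, persisting via the Run key and phoning home; the last two lines show
# an API the tables do not know and a non-call line being handled.
SAMPLE_LOG = """\
CreateFileW("C:\\Users\\u\\AppData\\Local\\Temp\\upd.exe", 0x40000000) = 0x5c
WriteFile(0x5c, 4096) = 1
RegOpenKeyExW(0x80000001, "Software\\Microsoft\\Windows\\CurrentVersion\\Run") = 0
RegSetValueExW(0x1f4, "upd", "C:\\Users\\u\\AppData\\Local\\Temp\\upd.exe") = 0
WSAStartup(0x202, 0x19ff20) = 0
connect(0x1a8, "203.0.113.7:4444") = 0
NtQuerySystemInformation(5) = 0
[Pin] image loaded: C:\\Windows\\System32\\ws2_32.dll
"""

if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print(to_xml(events))
    print(summary(events))
```

The XML is deliberately flat (one `call` element per line, arguments kept as text) so the XSL stage can group by category or API without the parser having to know what each argument means.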
.conclusion
• Although DBI frameworks like Pin were primarily developed for performance analysis, code coverage and the like rather than for security, they have enough capability to be used as software security research tools too.
Contacts
• Pin http://www.pintool.org
• Pin user group pinheades@yahoo-groups
• Me: [email protected]
Thanks…