DBI for Computer Security: Uses and Comparative
Juan Antonio Artal‡, Ricardo J. Rodríguez†, José Merseguer‡
« All wrongs reversed
@RicardoJRdez ※ www.ricardojrodriguez.es
†Universidad Politécnica de Madrid, Madrid, Spain
‡Universidad de Zaragoza, Zaragoza, Spain
June 21st, 2013
3rd Edition of Hack in Paris
Sequoia Lodge Hotel, Disneyland Paris
$whoami
J.A. Artal, R.J. Rodríguez, J. Merseguer DBI for Computer Security: Uses and Comparative June 21st, 2013 2 / 44
CLS member since early beginnings (2000)
Ph.D. student at University of Zaragoza
Working currently for Technical University of Madrid
Performance analysis of complex systems
Secure software engineering
Fault-Tolerant systems (design and analysis)
Malware analysis (techniques and related stuff)
Safety analysis in component-based systems
My Ph.D. viva is next Monday! Cross fingers!! ⌣
Development Code License
GPL v3 (http://gplv3.fsf.org/)
Intel Open Source License (http://opensource.org/licenses/intel-open-source-license.html)
Specified in each source file
Source available at http://webdiis.unizar.es/~ricardo/files/HIP2013.tar.gz
(VS2008 project + these slides)
no add-ons. . . trust me ⌣
Agenda
Outline
1 An Introduction to DBI
  What (the hell) is Dynamic Binary Instrumentation (DBI)?
  How does DBI work?
  Uses of DBI in Computer Security
2 DBI Frameworks
  DBI Framework: What is?
  Types of DBI frameworks
  Analysis and Comparative
3 Applying DBI to Computer Security. . .
  Developing DBAs with Pin: Pintools
  DBI vulnerability search
  Taint analysis
  Reverse Engineering
4 Conclusions and Acknowledgments
An Introduction to DBI: What (the hell) is Dynamic Binary Instrumentation (DBI)?
DBI: What is? (I)
DBI: Dynamic Binary Instrumentation
Main Words
Instrumentation: ??
Dynamic: ??
Binary: ??
DBI: What is? (II) Instrumentation?
Instrumentation
“Being able to observe, monitor and modify the behaviour of a computer program” (Gal Diskin)
Arbitrary addition of code in executables to collect some information
Analyse and control everything around an executable code
Collect some information
Arbitrary code insertion
DBI: What is? (III)
Instrumentation: What is happening. . .
Dynamic: ??
Binary: ??
DBI: What is? (IV) Dynamic?
Code analysis
Static
  BEFORE execution
  All possible execution paths are explored → not extremely good for performance
Dynamic
  DURING the execution
  Just one execution path (it may depend on the input data!)
DBI: What is? (V)
Instrumentation: What is happening. . .
Dynamic: DURING the execution. . .
Binary: ??
DBI: What is? (IV) Binary?
Dynamic analysis
  Source code available
    Source code
    Compiler
  No source code (common case ⌣)
    Binary
      Static (i.e., creating a new binary – with extras)
      Dynamic
    Environment
      Emulation
      Virtual
    Debugging
DBI: What is? (VI)
Instrumentation: What is happening. . .
Dynamic: DURING the execution. . .
Binary: of a binary (executable). . .
DBI: What is? (VII) DBI advantages
Binary instrumentation: advantages
Programming language (totally) independent
Machine-mode vision
We can instrument proprietary software
Dynamic Instrumentation: advantages
No need to recompile/relink each time
Allows finding on-the-fly code
  Dynamically generated code
Allows instrumenting a process already in execution (attach)
DBI: What is? (VIII) DBI disadvantages
Main disadvantages
Overhead (by the instrumentation during execution)
⇓ performance (analyst hopelessness!)
An Introduction to DBI: How does DBI work?
How does DBI work? (I)
Recall: arbitrary code addition during the execution of a binary
What do I insert? → instrumentation function
Where? → addition places
[Figure: diagram with labels "Running code" and "Arbitrary code"]
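The "what do I insert / where" split, as a toy model added here for illustration (it is not code from the slides and not Pin or any real DBI framework): a small interpreter plays the role of the DBI engine, `instrument()` is the instrumentation function that picks the addition places, and `on_insn`/`on_store` are the inserted code. The instruction set, the sample program and all names are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Toy instruction set, constructed for this example (not a real ISA). */
enum op { LOAD_IN, ADDI, STORE, JZ, JMP, HALT };
struct insn { enum op op; int arg; };

#define MAXCODE 16
#define MAXCB   2
typedef void (*analysis_fn)(int pc);

struct dbi {
    const struct insn *code;
    int len;
    analysis_fn cb[MAXCODE][MAXCB];      /* calls inserted before each instruction */
    int ncb[MAXCODE];
    unsigned char instrumented[MAXCODE]; /* "code cache": already processed? */
};

struct report { int result, executed, stores, covered, instrumented; };
static struct report stats;
static unsigned char covered_pc[MAXCODE];

/* Inserted code: runs alongside the target every time the instruction executes. */
static void on_insn(int pc)
{
    stats.executed++;
    if (!covered_pc[pc]) { covered_pc[pc] = 1; stats.covered++; }
}
static void on_store(int pc) { (void)pc; stats.stores++; }

static void insert_before(struct dbi *d, int pc, analysis_fn fn)
{
    if (d->ncb[pc] < MAXCB)
        d->cb[pc][d->ncb[pc]++] = fn;
}

/* Instrumentation function: called once per instruction, the first time the
 * engine reaches it. It decides WHAT to insert and WHERE (the addition places). */
static void instrument(struct dbi *d, int pc)
{
    insert_before(d, pc, on_insn);          /* everywhere: coverage + count */
    if (d->code[pc].op == STORE)
        insert_before(d, pc, on_store);     /* only at memory writes */
    d->instrumented[pc] = 1;
    stats.instrumented++;
}

/* The engine: keeps total control of execution, instruments lazily, then
 * runs the inserted calls before executing the original instruction. */
static int run(struct dbi *d, int input, int *mem)
{
    int acc = 0, pc = 0;
    while (pc >= 0 && pc < d->len) {
        const struct insn *i = &d->code[pc];
        if (!d->instrumented[pc])
            instrument(d, pc);
        for (int k = 0; k < d->ncb[pc]; k++)
            d->cb[pc][k](pc);
        switch (i->op) {
        case LOAD_IN: acc = input;           pc++; break;
        case ADDI:    acc += i->arg;         pc++; break;
        case STORE:   mem[i->arg] = acc;     pc++; break;
        case JZ:      pc = (acc == 0) ? i->arg : pc + 1; break;
        case JMP:     pc = i->arg;           break;
        case HALT:    return acc;
        }
    }
    return acc;
}

/* Constructed sample target: the branch at pc 1 depends on the input. */
static const struct insn sample[] = {
    {LOAD_IN, 0}, {JZ, 5}, {ADDI, 10}, {STORE, 0}, {JMP, 6}, {STORE, 1}, {HALT, 0}
};

struct report trace(int input)
{
    struct dbi d = {0};
    int mem[2] = {0, 0};
    memset(&stats, 0, sizeof stats);
    memset(covered_pc, 0, sizeof covered_pc);
    d.code = sample;
    d.len = (int)(sizeof sample / sizeof sample[0]);
    stats.result = run(&d, input, mem);
    return stats;
}

int main(void)
{
    int inputs[] = {7, 0};
    for (int k = 0; k < 2; k++) {
        struct report r = trace(inputs[k]);
        printf("input=%d result=%d executed=%d stores=%d covered=%d/7 instrumented=%d\n",
               inputs[k], r.result, r.executed, r.stores, r.covered, r.instrumented);
    }
    return 0;
}
```

Only instructions on the path actually taken are ever instrumented, so the two inputs give different coverage, and every executed instruction pays for at least one extra call.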
How does DBI work? (II) Placing DBI in the context of dynamic analysis
Definition (informal)
Executable transformation
Total control over execution
No need of architectural support
[Figure: diagrams for Debugging, Virtualization, DBI and Emulation; labels include Binary, Debugger, Emulator and Hardware]
Virtualization: Total control?
Emulation: Executable transformation
Debugging: Architectural support (a must. . . )
J-Y. Marion, D. Reynaud. Dynamic Binary Instrumentation for Deobfuscation and Unpacking. DeepSec, 2009
An Introduction to DBI: Uses of DBI in Computer Security
Uses of DBI in Computer Security (I) Non security-related uses
Code coverage and metrics
Call-graphs generation
Memory leaks detection
Instruction profiling
Data dependency profiling
Threads profiling
Race conditions detection
Computer Architecture:
  Trace generators (memory)
  Branch (and cache) predictors
  Memory failures recovery
  Simulation of speculation strategies
. . .
Uses of DBI in Computer Security (II) Security-related uses
Data control flow analysis
Vulnerability detection
Test cases / fuzzing generation
Advance monitoring (NSA way)
Reverse Engineering
J.A. Artal, R.J. Rodrıguez, J. Merseguer DBI for Computer Security: Uses and Comparative June 21th, 2013 18 / 44
![Page 52: DBI for Computer Security: Uses and Comparative...Agenda Outline 1 An Introduction to DBI What (the hell) is Dynamic Binary Instrumentation (DBI)? How does DBI work? Uses of DBI in](https://reader034.vdocuments.net/reader034/viewer/2022042022/5e7937315afebb57ce792632/html5/thumbnails/52.jpg)
An Introduction to DBI Uses of DBI in Computer Security
Uses of DBI in Computer Security (II)Secuirty-related uses
Data control flow analysis
Vulnerability detection
Test cases / fuzzing generation
Advance monitoring (NSA way)
Reverse Engineering
Privacy monitoring
J.A. Artal, R.J. Rodrıguez, J. Merseguer DBI for Computer Security: Uses and Comparative June 21th, 2013 18 / 44
![Page 53: DBI for Computer Security: Uses and Comparative...Agenda Outline 1 An Introduction to DBI What (the hell) is Dynamic Binary Instrumentation (DBI)? How does DBI work? Uses of DBI in](https://reader034.vdocuments.net/reader034/viewer/2022042022/5e7937315afebb57ce792632/html5/thumbnails/53.jpg)
An Introduction to DBI Uses of DBI in Computer Security
Uses of DBI in Computer Security (II)Secuirty-related uses
Data control flow analysis
Vulnerability detection
Test cases / fuzzing generation
Advance monitoring (NSA way)
Reverse Engineering
Privacy monitoring
Sandboxing
J.A. Artal, R.J. Rodrıguez, J. Merseguer DBI for Computer Security: Uses and Comparative June 21th, 2013 18 / 44
![Page 54: DBI for Computer Security: Uses and Comparative...Agenda Outline 1 An Introduction to DBI What (the hell) is Dynamic Binary Instrumentation (DBI)? How does DBI work? Uses of DBI in](https://reader034.vdocuments.net/reader034/viewer/2022042022/5e7937315afebb57ce792632/html5/thumbnails/54.jpg)
An Introduction to DBI Uses of DBI in Computer Security
Uses of DBI in Computer Security (II)
Security-related uses
Data control flow analysis
Vulnerability detection
Test cases / fuzzing generation
Advanced monitoring (NSA way)
Reverse Engineering
Privacy monitoring
Sandboxing
...
Uses of DBI in Computer Security (III)
Some security tools that use DBI...
Vulnerability search
  SAGE (Microsoft)
  Sogeti's Fuzzgrind
Avalanche
Determine
Pincov
Taintdroid
VERA
TraceSurfer
...
Uses of DBI in Computer Security (IV)
Its popularity is in crescendo (1)
Covert Debugging: Circumventing Software Armoring (D. Quist & Valsmith, BH USA 2007 / DefCon 15)
Generic Unpacking of Self-modifying, Aggressive, Packed Binary Programs (P. Bania, CoRR abs/0905.4581 2009)
Tarte Tatin Tools: a set of plugins for malware analysis with Pin (D. Reynaud, DeepSec 2009)
Dynamic Binary Instrumentation for Deobfuscation and Unpacking (J-Y. Marion & D. Reynaud, DeepSec 2009)
Dumping Shellcode with Pin (S. Porst, Zynamics 2010)
Binary Instrumentation for Security Professionals (G. Diskin, BH USA 2011)
Shellcode Analysis using Dynamic Binary Instrumentation (D. Radu & B. Dang, CARO 2011)
Uses of DBI in Computer Security (V)
Its popularity is in crescendo (2)
Hacking using Dynamic Binary Instrumentation (G. Diskin, HITB 2012 AMS)
Improving Unpacking Process using DBI techniques (R.J. Rodríguez, RootedCON 2012)
Improving Software Security with Dynamic Binary Instrumentation (R. Johnson, InfoSec Southwest 2012)
Vulnerability Analysis and Practical Data Flow Analysis & Visualization (J.W. Oh, CanSecWest 2012)
Light and Dark side of Code Instrumentation (D. Evdokimov, CONFidence 2012)
Dynamic Binary Instrumentation Frameworks: I know you’re there spying on me (F. Falcon & N. Riva, RECon 2012)
DBI Frameworks
Outline
1 An Introduction to DBI
  What (the hell) is Dynamic Binary Instrumentation (DBI)?
  How does DBI work?
  Uses of DBI in Computer Security
2 DBI Frameworks
  DBI Framework: What is?
  Types of DBI frameworks
  Analysis and Comparative
3 Applying DBI to Computer Security...
  Developing DBAs with Pin: Pintools
  DBI vulnerability search
  Taint analysis
  Reverse Engineering
4 Conclusions and Acknowledgments
DBI Framework: What is? (I)
Provide a bunch of APIs for tool development
DBA: Dynamic Binary Analysis tool
DBAs types:
  Light-weight
  Heavy-weight (they use intermediate code)
Main components
  Core: just-in-time (JIT) compiler
    Controls execution of a binary
  Library (this is your own developed tool)
    Where?
    What?
$ <DBI fw core> <myLibrary> <binaryToInstrument>
DBI Framework: What is? (II)
Use modes (most common)
JIT
  Modification of a (small) set of instructions before executing them
  More robust
  Good way for repetitive behaviour binaries (e.g., loops)
Probe
  Memory patching
  Less overhead (it executes native code)
  Not supported by all DBI fws.
Granularity
  ++ Instruction | Basic block | Superblock | Trace | Routine | Image – –
→ Some not supported in some DBI fws.
...
Types of DBI frameworks (I)
DBI fws in the wild
  Pin, DynInst, Valgrind, DTrace, HDtrans, DynamoRIO, SystemTap
Mmm... which one is the best?
Selection criteria
  Software being maintained
  License gives access to the source code
  Free
  API provided
  O.S. and common infrastructure
Types of DBI frameworks (II)
Differences and similarities
Characteristics (Valgrind)
  Ph.D. thesis, Univ. Cambridge
  Source code available (GNU GPL v2)
  Heavy-weight DBAs (using VEX IR as intermediate code)
  http://www.valgrind.org
Characteristics (Pin)
  Intel
  Source code available (but proprietary license)
  It can attach to a running process
  http://www.pintool.org/
Characteristics (DynamoRIO)
  MIT, HP, Google
  Source code available (BSD-2)
  Really good docs
  http://www.dynamorio.org/
Similarities
  Injected code in C/C++
  No need to have the source code of the binary to be instrumented
  GNU/Linux x86

Granularity key: I = Instruction, B = Basic block, S = Superblock, T = Trace, R = Routine, M = IMage

| Framework | Version | Supported Arch. | O.S. | Granularity |
|-----------|---------|-----------------|------|-------------|
| Valgrind | 3.8.1 (18/09/2012) | Arm, PowerPC, s390, x86, x64 | Android, OSX, Linux | I S |
| Pin | 2.12 (10/10/2012) | Arm, IA-64, x86, x64 | Windows, Linux | I B T R M |
| DynamoRIO | 3.2.0-3 (01/03/2012) | x86, x64 | Windows, Linux | I B T |
DBI frameworks comparative (I)
DBA tool for comparative
  Counting executed instructions
  Two granularities: instruction and basic block
Comparative Aim
  Evaluate the performance of selected DBI fws.
  Slowdown: $t_{\text{instrumented}} / t_{\text{no instrumented}}$
Diving into the APIs
  Pin: ↑ Documentation, ↑↑ Examples, ↑ Tutorials
  DynamoRIO: ↑↑ Documentation, ↑ Examples, ↑ Tutorials
  Valgrind: ↓ Documentation, ↓ Examples, ↓ Tutorials
DBI frameworks comparative (II)
Experimental settings
Hardware
Intel Core2 Duo 2GHz 667MHz, 2GiB DDR2, HDD 120GB
Software
Fedora Core 14 32bits, gcc 4.5.1, GNU Fortran 4.5.1, r3
Benchmark
Own benchmark created for the comparative
Considered benchmarks (e.g., SPEC) discarded
Different categories:
  Integer computation
  Float computation
  I/O
  Use of memory
DBI frameworks comparative (III): Results (1)
Average of memory consumption
DBI frameworks comparative (III): Results (2)
Slowdown by instrumentations
[Figure: slowdown (y-axis, 0 to 20) for PIN -O0, Valgrind -O0, DRIO -O0, PIN -O3, Valgrind -O3, DRIO -O3; series: Instructions, Basic blocks]
DBI frameworks comparative (III): Results (3)
Conclusions
✓ Running optimised code or (int/float) computation → DynamoRIO
✓ Slower solution → Valgrind
Memory consumption
  ✓ ↓ Pin
  ✓ ↑ DynamoRIO
Some funny things discovered during the research...
No. of instructions differs among the DBI fws. → each one starts at a different point
Bug detected when rounding 80-bit numbers on 32- and 64-bit archs. (Valgrind)
  Already reported :( (https://bugs.kde.org/show_bug.cgi?id=19791)
DBI frameworks comparative (III): Results (4)
Technical Report
Estudio comparativo de frameworks de Instrumentación Dinámica de Ejecutables (J.A. Artal)
For Spanish guys... (we should write some paper soon on this)
http://webdiis.unizar.es/~ricardo/files/PFC.Estudio.Frameworks.DBI/Memoria_PFC_EstudioDBI.pdf
Applying DBI to Computer Security. . .
Developing DBAs with Pin: Pintools (I)
VM + code cache + API instrumentation
DBA → Pintool
VM: JIT + emulator + dispatcher
  1 JIT compiles and instruments the binary code
  2 Launched by the dispatcher
  3 Stored in code cache
Works on the O.S.: user-space
Developing DBAs with Pin: Pintools (II)
An example: inscount.cpp
DBI vulnerability search (I): Double Free
Demo: DoubleFreeDBA.dll
Vulnerability description
  CWE-415 (http://cwe.mitre.org/data/definitions/415.html)
  Calling free() twice with the same address (@) → memory corruption
  “Doubly freeing memory may result in a write-what-where condition, allowing an attacker to execute arbitrary code”
DBA developed with Pin (DoubleFreeDBA.dll)
  Where?
    APIs RtlAllocateHeap (after), RtlAllocateFree (before)
  What?
    RtlAllocateHeap: keeps returned @ in a list
    RtlAllocateFree: removes @ from list, and reports if not found!
Friendly reminder: Make a demo...
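The list bookkeeping described for DoubleFreeDBA, as an added example that is not the authors' Pintool: a self-contained C model of the two hooks, replayed over a constructed alloc/free trace instead of inside Pin. The names `on_alloc_after`, `on_free_before` and `replay` are assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_LIVE 64

enum free_verdict { FREE_OK, FREE_NULL_IGNORED, FREE_NOT_TRACKED };

/* Addresses handed out by the allocator and not yet freed. */
struct live_set {
    uintptr_t addr[MAX_LIVE];
    size_t    count;
};

/* Hook placed AFTER the allocation routine: record the returned address.
 * Returns 1 if tracked, 0 for a failed allocation, -1 if the model is full. */
static int on_alloc_after(struct live_set *s, uintptr_t ret)
{
    if (ret == 0)
        return 0;
    if (s->count == MAX_LIVE)
        return -1;
    s->addr[s->count++] = ret;
    return 1;
}

/* Hook placed BEFORE the free routine: drop the address, report if absent. */
static enum free_verdict on_free_before(struct live_set *s, uintptr_t p)
{
    if (p == 0)
        return FREE_NULL_IGNORED;             /* free(NULL) is a no-op */
    for (size_t i = 0; i < s->count; i++) {
        if (s->addr[i] == p) {
            s->addr[i] = s->addr[--s->count]; /* order does not matter */
            return FREE_OK;
        }
    }
    return FREE_NOT_TRACKED;  /* second free, or an address never returned */
}

enum heap_op { OP_ALLOC, OP_FREE };
struct heap_event { enum heap_op op; uintptr_t addr; };

/* Constructed trace (not captured from a real program). */
static const struct heap_event TRACE[] = {
    { OP_ALLOC, 0x1000 },
    { OP_ALLOC, 0x2000 },
    { OP_FREE,  0x1000 },
    { OP_ALLOC, 0x1000 },  /* allocator reuses the freed address */
    { OP_FREE,  0x1000 },  /* legitimate: the entry was re-added above */
    { OP_FREE,  0x2000 },
    { OP_FREE,  0x2000 },  /* double free */
    { OP_FREE,  0 },       /* free(NULL) */
    { OP_FREE,  0x3000 },  /* never allocated */
};
#define TRACE_LEN (sizeof TRACE / sizeof TRACE[0])

/* Replay a trace; return the number of reports and the index of the first. */
static size_t replay(const struct heap_event *tr, size_t n, long *first_bad)
{
    struct live_set live = { {0}, 0 };
    size_t reports = 0;

    *first_bad = -1;
    for (size_t i = 0; i < n; i++) {
        if (tr[i].op == OP_ALLOC) {
            on_alloc_after(&live, tr[i].addr);
        } else if (on_free_before(&live, tr[i].addr) == FREE_NOT_TRACKED) {
            if (reports++ == 0)
                *first_bad = (long)i;
            printf("event %zu: free(0x%lx) of untracked address\n",
                   i, (unsigned long)tr[i].addr);
        }
    }
    return reports;
}

int main(void)
{
    long first;
    size_t n = replay(TRACE, TRACE_LEN, &first);

    printf("%zu report(s), first at event %ld\n", n, first);
    return 0;
}
```

Because a freed address is removed from the list rather than marked, an allocator that hands the same address out again (event 3) does not cause a false report on the following free.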
DBI vulnerability search (II): Buffer Overflow (1)
Demo: BufferOverflowDBA.dll
Vulnerability description
  CWE-120 (http://cwe.mitre.org/data/definitions/120.html)
  Copy a buffer without restrictions → arbitrary code execution
  “Buffer overflows often can be used to execute arbitrary code [...]. Buffer overflows generally lead to crashes [...].”
DBA developed with Pin (BufferOverflowDBA.dll)
  Works around scanf
  Where? → API scanf (before)
  What?
    Checks parameters seeking buffers without limits
  Improvements: extend to other vulnerable APIs (e.g., strcpy)
Friendly reminder: Make a demo...
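One way to look for scanf "buffers without limits", as an added example (not the authors' BufferOverflowDBA code): a C routine that inspects the format-string argument and flags `%s` and `%[` conversions that carry no maximum field width. The function name `find_unbounded` and the sample formats are assumptions.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct fmt_finding {
    size_t offset;  /* index of the '%' that opens the conversion */
    char   conv;    /* 's' or '[' */
};

/* Walk a scanf-style format string and collect every conversion that stores
 * a string with no maximum field width. Returns the number found; at most
 * `max` of them are written to `out`. */
static size_t find_unbounded(const char *fmt, struct fmt_finding *out, size_t max)
{
    size_t found = 0;

    for (size_t i = 0; fmt[i] != '\0'; i++) {
        if (fmt[i] != '%')
            continue;
        size_t start = i++;
        if (fmt[i] == '%')                 /* "%%" matches a literal '%' */
            continue;

        int suppressed = 0, has_width = 0;
        if (fmt[i] == '*') {               /* "%*s": matched but not stored */
            suppressed = 1;
            i++;
        }
        while (isdigit((unsigned char)fmt[i])) {  /* maximum field width */
            has_width = 1;
            i++;
        }
        while (fmt[i] != '\0' && strchr("hlLjzt", fmt[i]) != NULL)
            i++;                           /* length modifiers */

        char conv = fmt[i];
        if (conv == '\0')
            break;                         /* format ends inside a directive */
        if ((conv == 's' || conv == '[') && !suppressed && !has_width) {
            if (found < max) {
                out[found].offset = start;
                out[found].conv = conv;
            }
            found++;
        }
        if (conv == '[') {                 /* scanset: skip to its closing ']' */
            i++;
            if (fmt[i] == '^')
                i++;
            if (fmt[i] == ']')             /* a leading ']' is a set member */
                i++;
            while (fmt[i] != '\0' && fmt[i] != ']')
                i++;
            if (fmt[i] == '\0')
                break;                     /* unterminated scanset */
        }
    }
    return found;
}

/* Constructed sample formats (not taken from a real program). */
static const char *const SAMPLES[] = {
    "%s",
    "%31s",
    "%d %s %10s %[^\n]",
    "%*s %%s %c",
    "%255[^,],%ls",
};

int main(void)
{
    for (size_t k = 0; k < sizeof SAMPLES / sizeof SAMPLES[0]; k++) {
        struct fmt_finding f[8];
        size_t n = find_unbounded(SAMPLES[k], f, 8);

        printf("format %zu: %zu unbounded conversion(s)\n", k, n);
        for (size_t j = 0; j < n && j < 8; j++)
            printf("  offset %zu: %%%c without a width\n", f[j].offset, f[j].conv);
    }
    return 0;
}
```

A width only caps how many characters are stored; a tool still has to compare it (plus the terminating NUL) with the size of the destination buffer, which the format string does not carry.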
DBI vulnerability search (II): Buffer Overflow (2)
Demo: ProtectRetAddrDBA.dll
Vulnerability description
CWE-120 (http://cwe.mitre.org/data/definitions/120.html)
Copy a buffer without restrictions → arbitrary code execution
“Buffer overflows often can be used to execute arbitrary code [...]. Buffer overflows generally lead to crashes [...].”
DBA developed with Pin (ProtectRetAddrDBA.dll)
Where? → every CALL (before) or RETN (before) in .text section
What?
CALL → stores legitimate return address (EIP + size(CALL))
RETN → checks if retn address is in the list. . .
Detected 6 retn changes in ntdll.dll library!!
Friendly reminder: Make a demo. . .
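The CALL/RETN bookkeeping from this slide, as an added example (a stand-alone model, not the source of ProtectRetAddrDBA.dll): each CALL records EIP + size(CALL), and each RETN is checked against the recorded list. `ReturnAddressGuard`, `check_trace` and the trace addresses are hypothetical and constructed.

```cpp
#include <cstdint>
#include <cstdio>
#include <vector>

enum class Op { Call, Ret };
// Call: addr = address of the CALL, value = its size in bytes.
// Ret:  addr = address of the RETN, value = return address it will use.
struct Event { Op op; uint32_t addr; uint32_t value; };
struct Violation { uint32_t retn_addr; uint32_t target; };

// Hypothetical model of the analysis state, not the authors' code.
class ReturnAddressGuard {
    std::vector<uint32_t> legit_;   // legitimate return addresses, newest last
public:
    void on_call(uint32_t eip, uint32_t size) { legit_.push_back(eip + size); }

    // True if target was stored by an earlier CALL. The match and everything
    // newer are dropped, so a stale address cannot validate a later RETN.
    bool on_ret(uint32_t target) {
        for (std::size_t i = legit_.size(); i-- > 0;)
            if (legit_[i] == target) { legit_.resize(i); return true; }
        return false;               // not in the list: return address changed
    }
};

std::vector<Violation> check_trace(const std::vector<Event>& trace) {
    ReturnAddressGuard guard;
    std::vector<Violation> bad;
    for (const Event& e : trace) {
        if (e.op == Op::Call) guard.on_call(e.addr, e.value);
        else if (!guard.on_ret(e.value)) bad.push_back({e.addr, e.value});
    }
    return bad;
}

// Constructed trace: two nested calls, a normal return, then a RETN whose
// saved return address was overwritten.
std::vector<Event> sample_trace() {
    return {{Op::Call, 0x401000, 5},           // legit return 0x401005
            {Op::Call, 0x401100, 5},           // legit return 0x401105
            {Op::Ret,  0x401210, 0x401105},    // in the list: ok
            {Op::Ret,  0x401120, 0x41414141}}; // not in the list: flagged
}

int main() {
    for (const Violation& v : check_trace(sample_trace()))
        std::printf("RETN at %#x returns to unexpected %#x\n", v.retn_addr, v.target);
}
```

Code that legitimately rewrites its own return address is reported by this check as well, so each hit needs triage before it is treated as an overflow.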
Applying DBI to Computer Security. . . Taint analysis
DBI vulnerability search (III): Taint analysis
Demo: TaintAnalysisDBA.dll
DBA developed with Pin (TaintAnalysisDBA.dll)
Taint analysis of scanf parameters
Where? → API scanf (after)
What?
Trace all registers/memory zones contaminated from the input data
Friendly reminder: Make a demo. . .
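The propagation step behind "trace all registers/memory zones contaminated from the input data", as an added example (a stand-alone model, not the source of TaintAnalysisDBA.dll): bytes stored by scanf are the taint source, moves copy or clear taint, and arithmetic merges it. `TaintTracker`, the two-operand instruction model and the addresses are hypothetical and constructed.

```cpp
#include <cstdio>
#include <set>
#include <string>
#include <vector>

// Hypothetical model, not the authors' code. A location is a register name
// ("eax") or a memory byte written as "m:<hex address>".
using Loc = std::string;
enum class Kind { Mov, Arith };                 // dst = src ; dst = dst op src
struct Insn { Kind kind; Loc dst; Loc src; };   // empty src = immediate operand

class TaintTracker {
    std::set<Loc> tainted_;
public:
    // Taint source: applied after scanf returns, once per byte it stored.
    void taint(const Loc& l) { tainted_.insert(l); }
    bool is_tainted(const Loc& l) const { return tainted_.count(l) != 0; }
    void step(const Insn& in) {
        bool src_tainted = !in.src.empty() && is_tainted(in.src);
        if (in.kind == Kind::Mov) {
            // A move replaces dst, so a clean source also removes old taint.
            if (src_tainted) tainted_.insert(in.dst);
            else tainted_.erase(in.dst);
        } else if (src_tainted) {
            tainted_.insert(in.dst);            // dst keeps its own taint too
        }
    }
    const std::set<Loc>& tainted() const { return tainted_; }
};

// Constructed trace: scanf stored 2 bytes at 0x12ff00, then the program
// moves one of them through registers and back to memory.
std::set<Loc> run_sample() {
    TaintTracker t;
    t.taint("m:12ff00"); t.taint("m:12ff01");
    const std::vector<Insn> trace = {
        {Kind::Mov,   "eax", "m:12ff00"},   // eax <- input byte: tainted
        {Kind::Mov,   "ebx", ""},           // ebx <- immediate: clean
        {Kind::Arith, "ebx", "eax"},        // ebx += eax: tainted
        {Kind::Mov,   "m:403000", "ebx"},   // store spreads taint to memory
        {Kind::Mov,   "eax", ""},           // eax <- immediate: taint cleared
    };
    for (const Insn& in : trace) t.step(in);
    return t.tainted();
}

int main() {
    for (const Loc& l : run_sample()) std::printf("tainted: %s\n", l.c_str());
}
```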
Applying DBI to Computer Security. . . Reverse Engineering
DBI vulnerability search (IV): Reverse Engineering
Demo: EasyPasswordDBA.dll – very naive example
DBA developed with Pin (EasyPasswordDBA.dll)
Seeking the correct key
Hook calls to the string comparison API lstrcmpA
Where?
API lstrcmpA (before)
What?
Log all function parameters
This is no longer valid for current apps. . . is it? ⌣
Friendly reminder: Make a demo. . .
Conclusions and Acknowledgments
Outline
1 An Introduction to DBI
  What (the hell) is Dynamic Binary Instrumentation (DBI)?
  How does DBI work?
  Uses of DBI in Computer Security
2 DBI Frameworks
  DBI Framework: What is?
  Types of DBI frameworks
  Analysis and Comparative
3 Applying DBI to Computer Security. . .
  Developing DBAs with Pin: Pintools
  DBI vulnerability search
  Taint analysis
  Reverse Engineering
4 Conclusions and Acknowledgments
Conclusions and Acknowledgments
Conclusions
DBI frameworks: fast and easy development → high potential
NO need of (too much) advanced O.S. programming knowledge
We can focus on what really matters: our DBA tool
Disadvantages:
DBI API knowledge
Execution time
Recall the DBI frameworks comparison. . .
X Running optimised code or (int/float) computation → DynamoRIO
X Slower solution → Valgrind
Memory consumption
X ↓ Pin
X ↑ DynamoRIO
Conclusions and Acknowledgments
Acknowledgments
Gal Diskin
Dimitry “D1g1” Evdokimov
Francisco Falcon & Nahuel Riva
CrackLatinoS (CLS)
Hack in Paris staff, thank you guys & gals!
To you for hearing me stoically. . .
DBI for Computer Security: Uses and Comparative
Juan Antonio Artal‡, Ricardo J. Rodríguez†, José Merseguer‡
« All wrongs reversed
@RicardoJRdez ※ www.ricardojrodriguez.es
†Universidad Politécnica de Madrid, Madrid, Spain ‡ Universidad de Zaragoza, Zaragoza, Spain
June 21st, 2013
3rd Edition of Hack in Paris
Sequoia Lodge Hotel, Disneyland Paris