modifying binaries with dyninst

Paradyn Project

Paradyn / Dyninst WeekMadison, Wisconsin

April 29-May 1, 2013

Modifying Binaries with Dyninst

Andrew Bernat

Instrumentation vs. modificationo Instrumentation:

o Inserts logically orthogonal code into a program

oDoes not alter the original CFGoHas no cumulative effect on the original

programo Single-entry, single-exit

o Modification:oChanges become part of the original CFGoMay alter behavior of the original codeo Should not cause unexpected side-effects!

2Binary Modification with Dyninst

Example


some_func

other_func

Obligatory “why binaries” slide:o No source code (or debugging info)

requiredo Legacy codeoMalicious codeo Proprietary binaries or librarieso Stripped binaries

o Include the effects of compiler, linker, and other tools

o Allow modification during execution


5

Binary modification interfaces

5a0a80: push %ebp 5a0a81: mov %esp,%ebp 5a0a83: sub $0x18,%esp 5a0a86: mov 0x10(%ebp),%edx 5a0a89: cmp 0x14(%ebp),%edx 5a0a8c: ja 5a0abb ...5a0abb: call 6b0930 ...

EEL, Etch, Vulcan, DynamoRIO, Valgrind, FIT, SecondWrite

sortstrlenredrawabort

Dyninst, PINFIT (Lancet)

✓Preserves validity

X Coarse granularity

✓Fine granularity

X Requires user expertise

X Users must ensure validity

Function Modification Instruction Modification CFG Modification

mainsin

malloc

Binary Modification with Dyninst

✓Fine granularity

X Users must ensure validity

6

Binary modification via the CFG

Original Binary Code

Modified Binary Code


Structured Binary Editingo Enforce CFG validity constraint

o Ensure modified CFG can be instantiated as new code

oMaintain validity of the underlying binaryo Define CFG transformation algebra

oClosed under validity constraintoOperate on functions, loops, blocks, and

edgeso Handle indirect control flow

oValidity cannot be determined without analysis


CFG Validityo A CFG is valid if each element is valid

oAll blocks are validoAll non-exit blocks have out-edge(s)oAt least one entry blocko Edge types represent realizable control flow


Valid Examples Invalid ExamplesValid Examples(PPC, ARM only)

9

CFG transformation algebra

Block Splitting Block Joining Edge Redirection

Predicate InsertionEdge Insertion

Block and Edge Modification

Code InsertionCall Insertion


10

Indirect validityo Transforming the CFG may alter indirect

control flowoCorrupting a function pointero Skipping a jump table guard predicateo Detect alterations with slicing-based

analysis

Valid

Unknown

Invalid


Allow Conservative: disallowMiddle ground: monitor

Optimistic: allowDisallow

Practice: PatchAPI Interface


Dyninst

ParseAPI

A Dyninst Component

Dataflow API

A Dyninst Component

ProcControl

APIA Dyninst

Component

Patch API

A Dyninst Component

Stack Walker

APIA Dyninst

Component

DynCA Dyninst

Value-Added Library

SymtabAPI

A Dyninst Component

InstructionAPI

A Dyninst Component

CodegenA Dyninst

Component

o Point/Snippet instrumentation interface

o Interactive modification interface

o Accessible from BPatch

o Changes not reflected at BPatch layer

o Callbacks for updating user data

PatchAPI Overviewo CFG classes

o PatchBlock, PatchEdge, PatchFunctiono Binary file class

o PatchObjecto Instrumentation

o Point, PatchMgro Modification

o PatchModifier, PatchCallback


, Snippet

class MySnippet : public PatchAPI::Snippeto bool generate(Point *point, Buffer

&buffer)o Point provides context for code generationoBuffer is a code container

o Snippet::Ptr PatchAPI::convert(BPatch_snippet *)oConvert BPatch_snippets to PatchAPI

snippets


class PatchModifiero bool redirect(PatchEdge *, PatchBlock

*);o PatchBlock *split(PatchBlock *,

Address);o bool remove(vector<PatchBlock *>);o bool remove(PatchFunction *);o InsertedCode::Ptr insert(PatchObject *, SnippetPtr, Point

*);o class InsertedCode:

oPatchBlock *entry()ovector<PatchEdge *> &exits()oset<PatchBlock *> &blocks()


class PatchCallbacko Interface class for CFG modification

updateso Register one (or more) child classeso Notify on CFG element:

oCreationoDestructionoBlock splittingoNew in-edge or out-edgeoRemoved in-edge or out-edge

o Notify on Point creation, destruction, or change 15Binary Modification with Dyninst

Example: Hot Patching Apache Vulnerability o Apache 2.2.21 has several

vulnerabilities:oUsing reverse proxy to access arbitrary

servero Privilege escalation via .htaccess fileoDenial of service with badly formatted

cookieo (and others)

o We used binary modification to patch these flawsoAct on unprepared, executing httpd

daemonoDo not rely on specific compiler version(s)oCreate “click to run” patching tool


CVE-2011-3368o Reverse proxy functionality broken in

Apacheo Introduced in 1.3.xo Fixed in 2.3.15 (released November 16,

2011)o Attacker sends illegal URI

oGET @hiddenServer/hiddenFileo Proxy incorrectly forwards request

oGET proxy@hiddenServer/hiddenFileo Attacker can access internal files


Hot Patching Overviewo Create CFG “fingerprint” that identifies

patch site(s)oDo not rely on addresses, functions, or

particular instruction sequenceso Create snippets from security patch file

oAccess and update local variableso Insert conditional error handling

o Modify binary to incorporate new codeoMatching patch file


Patch File


ap_parse_uri(r, uri);

+ if (r->method_number != M_CONNECT+ && !r->parsed_uri.scheme+ && uri[0] != ‘/’+ && !(uri[0] == ‘*’ && uri[1] == ‘\0’)) {+ r->args = NULL;+ r->hostname = NULL;+ r->status = HTTP_BAD_REQUEST;+ }

if (ll[0]) { r->assbackwards = 0; pro = ll; ...

Error ConditionDetection

Error Handling

CFG Fingerprinting


ap_parse_uri(r, uri);if (ll[0]) { r->assbackwards = 0; pro = ll; len = strlen(ll);}else { r->assbackwards = 1; pro = “HTTP/0.9”; len = 8;}

ap_parse_uri

strlen

Snippet (error detection)


// r->method_number != M_CONNECTboolExpr cond1(ne, r_method_number, constExpr(M_CONNECT));

// !r->parsed_uri.schemeboolExpr cond2(eq, r_parsed_uri_scheme, constExpr(0));

// uri[0] != ‘/’boolExpr cond3(ne, arithExpr(deref, uri), constExpr(‘/’));

// !(uri[0] == ‘*’ && uri[1] == ‘\0’)boolExpr cond4(or, boolExpr(ne, arithExpr(deref, uri), constExpr(‘*’)), boolExpr(ne, arithExpr(deref, ...)));

boolExpr cond(and, boolExpr(and, cond1, cond2), boolExpr(and, cond3, cond4));

Snippet (error handling)


// r->args = NULL;arithExpr body1(assign, r_args, constExpr(0));

// r->hostname = NULL;arithExpr body2(assign, r_hostname, constExpr(0));

// r->status = HTTP_BAD_REQUESTarithExpr body3(assign, r_status, constExpr(HTTP_BAD_REQUEST));

// r->uri = apr_pstrdup(r->pool, uri)vector<snippet> call_args;call_args.push_back(r_pool);call_args.push_back(uri);arithExpr body4(assign, r_uri, funcCallExpr(findFunction(“apr_pstrdup”), call_args));

Modification Code


b2

ap_parse_uri

b1

strlen

bool patch(PatchBlock *b1, PatchBlock *b2, SnippetPtr snip, Point *point) { IC::Ptr code = PatchModifier::insert(b1->obj(), snip, point);

// Redirect fallthrough of ap_parse_uri call to // the entry of the inserted code region PatchModifier::redirect(getEdge(b1, CALL_FT), code->entry());

// Redirect exits of inserted code to b2 for (iterator iter = code->exits().begin(); iter != code->exits().end(); ++iter) { PatchModifier::redirect(*iter, b2);}

Hot Patching


ap_parse_uri

strlenapr_pstrdu

p

Error Detection

Error Handlingap_parse_

uri

Summaryo Structured binary editing

oModify binaries by transforming their CFGso Ensure validity of the resulting binary

o PatchAPI implementationo Interactive CFG modificationoMix modification and instrumentationoCallback interface for updating user data


Bernat and Miller, “Structured Binary Editing with a

CFG Transformation Algebra”

Questions?


modifying binaries with dyninst

Documents

validity6binary modification

toolsallow modification

dyninst component codegen

validity constraintoperate

dyninstcfg validitya

original codeshould

original cfgmay

original cfghas