modifying binaries with dyninst
DESCRIPTION
Modifying Binaries with Dyninst. Andrew Bernat. Instrumentation vs. modification. Instrumentation: Inserts logically orthogonal code into a program Does not alter the original CFG Has no cumulative effect on the original program Single-entry, single-exit Modification: - PowerPoint PPT PresentationTRANSCRIPT
Paradyn Project
Paradyn / Dyninst WeekMadison, Wisconsin
April 29-May 1, 2013
Modifying Binaries with Dyninst
Andrew Bernat
Instrumentation vs. modificationo Instrumentation:
o Inserts logically orthogonal code into a program
oDoes not alter the original CFGoHas no cumulative effect on the original
programo Single-entry, single-exit
o Modification:oChanges become part of the original CFGoMay alter behavior of the original codeo Should not cause unexpected side-effects!
2Binary Modification with Dyninst
Example
3Binary Modification with Dyninst
some_func
other_func
Obligatory “why binaries” slide:o No source code (or debugging info)
requiredo Legacy codeoMalicious codeo Proprietary binaries or librarieso Stripped binaries
o Include the effects of compiler, linker, and other tools
o Allow modification during execution
4Binary Modification with Dyninst
5
Binary modification interfaces
5a0a80: push %ebp 5a0a81: mov %esp,%ebp 5a0a83: sub $0x18,%esp 5a0a86: mov 0x10(%ebp),%edx 5a0a89: cmp 0x14(%ebp),%edx 5a0a8c: ja 5a0abb ...5a0abb: call 6b0930 ...
EEL, Etch, Vulcan, DynamoRIO, Valgrind, FIT, SecondWrite
sortstrlenredrawabort
Dyninst, PINFIT (Lancet)
✓Preserves validity
X Coarse granularity
✓Fine granularity
X Requires user expertise
X Users must ensure validity
Function Modification Instruction Modification CFG Modification
mainsin
malloc
Binary Modification with Dyninst
✓Fine granularity
X Users must ensure validity
6
Binary modification via the CFG
Original Binary Code
Modified Binary Code
Binary Modification with Dyninst
Structured Binary Editingo Enforce CFG validity constraint
o Ensure modified CFG can be instantiated as new code
oMaintain validity of the underlying binaryo Define CFG transformation algebra
oClosed under validity constraintoOperate on functions, loops, blocks, and
edgeso Handle indirect control flow
oValidity cannot be determined without analysis
7Binary Modification with Dyninst
CFG Validityo A CFG is valid if each element is valid
oAll blocks are validoAll non-exit blocks have out-edge(s)oAt least one entry blocko Edge types represent realizable control flow
8Binary Modification with Dyninst
Valid Examples Invalid ExamplesValid Examples(PPC, ARM only)
9
CFG transformation algebra
Block Splitting Block Joining Edge Redirection
Predicate InsertionEdge Insertion
Block and Edge Modification
Code InsertionCall Insertion
Binary Modification with Dyninst
10
Indirect validityo Transforming the CFG may alter indirect
control flowoCorrupting a function pointero Skipping a jump table guard predicateo Detect alterations with slicing-based
analysis
Valid
Unknown
Invalid
Binary Modification with Dyninst
Allow Conservative: disallowMiddle ground: monitor
Optimistic: allowDisallow
Practice: PatchAPI Interface
11Binary Modification with Dyninst
Dyninst
ParseAPI
A Dyninst Component
Dataflow API
A Dyninst Component
ProcControl
APIA Dyninst
Component
Patch API
A Dyninst Component
Stack Walker
APIA Dyninst
Component
DynCA Dyninst
Value-Added Library
SymtabAPI
A Dyninst Component
InstructionAPI
A Dyninst Component
CodegenA Dyninst
Component
o Point/Snippet instrumentation interface
o Interactive modification interface
o Accessible from BPatch
o Changes not reflected at BPatch layer
o Callbacks for updating user data
PatchAPI Overviewo CFG classes
o PatchBlock, PatchEdge, PatchFunctiono Binary file class
o PatchObjecto Instrumentation
o Point, PatchMgro Modification
o PatchModifier, PatchCallback
12Binary Modification with Dyninst
, Snippet
class MySnippet : public PatchAPI::Snippeto bool generate(Point *point, Buffer
&buffer)o Point provides context for code generationoBuffer is a code container
o Snippet::Ptr PatchAPI::convert(BPatch_snippet *)oConvert BPatch_snippets to PatchAPI
snippets
13Binary Modification with Dyninst
class PatchModifiero bool redirect(PatchEdge *, PatchBlock
*);o PatchBlock *split(PatchBlock *,
Address);o bool remove(vector<PatchBlock *>);o bool remove(PatchFunction *);o InsertedCode::Ptr insert(PatchObject *, SnippetPtr, Point
*);o class InsertedCode:
oPatchBlock *entry()ovector<PatchEdge *> &exits()oset<PatchBlock *> &blocks()
14Binary Modification with Dyninst
class PatchCallbacko Interface class for CFG modification
updateso Register one (or more) child classeso Notify on CFG element:
oCreationoDestructionoBlock splittingoNew in-edge or out-edgeoRemoved in-edge or out-edge
o Notify on Point creation, destruction, or change 15Binary Modification with Dyninst
Example: Hot Patching Apache Vulnerability o Apache 2.2.21 has several
vulnerabilities:oUsing reverse proxy to access arbitrary
servero Privilege escalation via .htaccess fileoDenial of service with badly formatted
cookieo (and others)
o We used binary modification to patch these flawsoAct on unprepared, executing httpd
daemonoDo not rely on specific compiler version(s)oCreate “click to run” patching tool
16Binary Modification with Dyninst
CVE-2011-3368o Reverse proxy functionality broken in
Apacheo Introduced in 1.3.xo Fixed in 2.3.15 (released November 16,
2011)o Attacker sends illegal URI
oGET @hiddenServer/hiddenFileo Proxy incorrectly forwards request
oGET proxy@hiddenServer/hiddenFileo Attacker can access internal files
17Binary Modification with Dyninst
Hot Patching Overviewo Create CFG “fingerprint” that identifies
patch site(s)oDo not rely on addresses, functions, or
particular instruction sequenceso Create snippets from security patch file
oAccess and update local variableso Insert conditional error handling
o Modify binary to incorporate new codeoMatching patch file
18Binary Modification with Dyninst
Patch File
19Binary Modification with Dyninst
ap_parse_uri(r, uri);
+ if (r->method_number != M_CONNECT+ && !r->parsed_uri.scheme+ && uri[0] != ‘/’+ && !(uri[0] == ‘*’ && uri[1] == ‘\0’)) {+ r->args = NULL;+ r->hostname = NULL;+ r->status = HTTP_BAD_REQUEST;+ }
if (ll[0]) { r->assbackwards = 0; pro = ll; ...
Error ConditionDetection
Error Handling
CFG Fingerprinting
20Binary Modification with Dyninst
ap_parse_uri(r, uri);if (ll[0]) { r->assbackwards = 0; pro = ll; len = strlen(ll);}else { r->assbackwards = 1; pro = “HTTP/0.9”; len = 8;}
ap_parse_uri
strlen
Snippet (error detection)
21Binary Modification with Dyninst
// r->method_number != M_CONNECTboolExpr cond1(ne, r_method_number, constExpr(M_CONNECT));
// !r->parsed_uri.schemeboolExpr cond2(eq, r_parsed_uri_scheme, constExpr(0));
// uri[0] != ‘/’boolExpr cond3(ne, arithExpr(deref, uri), constExpr(‘/’));
// !(uri[0] == ‘*’ && uri[1] == ‘\0’)boolExpr cond4(or, boolExpr(ne, arithExpr(deref, uri), constExpr(‘*’)), boolExpr(ne, arithExpr(deref, ...)));
boolExpr cond(and, boolExpr(and, cond1, cond2), boolExpr(and, cond3, cond4));
Snippet (error handling)
22Binary Modification with Dyninst
// r->args = NULL;arithExpr body1(assign, r_args, constExpr(0));
// r->hostname = NULL;arithExpr body2(assign, r_hostname, constExpr(0));
// r->status = HTTP_BAD_REQUESTarithExpr body3(assign, r_status, constExpr(HTTP_BAD_REQUEST));
// r->uri = apr_pstrdup(r->pool, uri)vector<snippet> call_args;call_args.push_back(r_pool);call_args.push_back(uri);arithExpr body4(assign, r_uri, funcCallExpr(findFunction(“apr_pstrdup”), call_args));
Modification Code
23Binary Modification with Dyninst
b2
ap_parse_uri
b1
strlen
bool patch(PatchBlock *b1, PatchBlock *b2, SnippetPtr snip, Point *point) { IC::Ptr code = PatchModifier::insert(b1->obj(), snip, point);
// Redirect fallthrough of ap_parse_uri call to // the entry of the inserted code region PatchModifier::redirect(getEdge(b1, CALL_FT), code->entry());
// Redirect exits of inserted code to b2 for (iterator iter = code->exits().begin(); iter != code->exits().end(); ++iter) { PatchModifier::redirect(*iter, b2);}
Hot Patching
24Binary Modification with Dyninst
ap_parse_uri
strlenapr_pstrdu
p
Error Detection
Error Handlingap_parse_
uri
Summaryo Structured binary editing
oModify binaries by transforming their CFGso Ensure validity of the resulting binary
o PatchAPI implementationo Interactive CFG modificationoMix modification and instrumentationoCallback interface for updating user data
25Binary Modification with Dyninst
Bernat and Miller, “Structured Binary Editing with a
CFG Transformation Algebra”
Questions?
26Binary Modification with Dyninst