nullcon presentation
TRANSCRIPT
-
8/7/2019 Nullcon Presentation
1/31
Automatic Program Analysis with Dynamic Binary Instrumentation
Sunil Kumar
http://null.co.in/ http://nullcon.net/
-
2/31
#whoami
Research Associate @ iViZ Techno Solutions
MCA(007) from Goa University i.e. GUMCA07.
http://www.linkedin.com/in/sunilkr86 Twitter @_skare; @_ice_22
3/31
Sections
.program analysis
.dynamic behavior
.dynamic binary instrumentation
.Pin
.puncture
.conclusion
-
5/31
program analysis::Static Analysis
Static Properties: Hash, Signature/Byte Patterns, Strings, Code Analysis
Safe because we did not run it? Mostly.
Match against known data.
-
6/31
program analysis::Static Analysis
One side of the coin.
May fail if:
Obfuscated strings.
Variants.
Code in non-standard sections (.data, ...).
Self modifying code.
Brand new (nothing known to match against).
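The static properties listed on the previous slide and the first two failure cases above, worked through in an added C++ example that is not part of the deck: it hashes a constructed in-memory sample, matches a wildcard byte signature, runs a strings pass, and shows that a one-byte variant defeats the hash but not the wildcard signature, while an XOR-obfuscated URL never appears in the strings output. The sample bytes, the signature, the choice of FNV-1a as the hash, and the placeholder host example.invalid are all constructed for this example.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <string>
#include <vector>

// 64-bit FNV-1a over the whole buffer. Stands in for the file hash a scanner
// would look up (assumption: any stable hash serves for exact-match lookup).
uint64_t fnv1a64(const std::vector<uint8_t>& data) {
    uint64_t h = 0xcbf29ce484222325ULL;
    for (uint8_t b : data) { h ^= b; h *= 0x100000001b3ULL; }
    return h;
}

// Byte-pattern signature with wildcards: -1 in the pattern matches any byte.
// Returns the offset of the first match, or -1 if the pattern is absent.
long find_signature(const std::vector<uint8_t>& data, const std::vector<int>& pat) {
    if (pat.empty() || pat.size() > data.size()) return -1;
    for (size_t i = 0; i + pat.size() <= data.size(); ++i) {
        bool ok = true;
        for (size_t j = 0; j < pat.size() && ok; ++j)
            ok = (pat[j] == -1) || (data[i + j] == static_cast<uint8_t>(pat[j]));
        if (ok) return static_cast<long>(i);
    }
    return -1;
}

// "strings"-style pass: runs of printable ASCII at least min_len bytes long.
std::vector<std::string> extract_strings(const std::vector<uint8_t>& data, size_t min_len) {
    std::vector<std::string> out;
    std::string cur;
    auto flush = [&]() { if (cur.size() >= min_len) out.push_back(cur); cur.clear(); };
    for (uint8_t b : data) {
        if (b >= 0x20 && b <= 0x7e) cur.push_back(static_cast<char>(b));
        else flush();
    }
    flush();
    return out;
}

// Single-byte XOR, the simplest string obfuscation: the clear text only exists
// in memory after the program decodes it at run time.
std::vector<uint8_t> xor_bytes(const std::string& s, uint8_t key) {
    std::vector<uint8_t> out;
    for (char c : s) out.push_back(static_cast<uint8_t>(c) ^ key);
    return out;
}

// Constructed stand-in for an on-disk sample: a few stub bytes, one clear-text
// API name, one XOR-obfuscated URL (placeholder host, not a real indicator).
std::vector<uint8_t> build_sample() {
    std::vector<uint8_t> bin = {0x55, 0x8b, 0xec, 0x83, 0xec, 0x40, 0x00, 0x00};
    const std::string clear = "CreateFileA";
    bin.insert(bin.end(), clear.begin(), clear.end());
    bin.push_back(0x00);
    std::vector<uint8_t> hidden = xor_bytes("http://example.invalid/c2", 0xff);
    bin.insert(bin.end(), hidden.begin(), hidden.end());
    return bin;
}

// A "variant": the same sample with one byte changed inside the wildcarded region.
std::vector<uint8_t> build_variant() {
    std::vector<uint8_t> v = build_sample();
    v[3] = 0x81;
    return v;
}

// Constructed signature for the stub: exact bytes with two wildcards.
std::vector<int> stub_signature() { return {0x55, 0x8b, 0xec, -1, -1, 0x40}; }

bool strings_contain(const std::vector<std::string>& v, const std::string& s) {
    return std::find(v.begin(), v.end(), s) != v.end();
}

int main() {
    std::vector<uint8_t> sample = build_sample(), variant = build_variant();
    std::cout << std::hex << "hash(sample)  = " << fnv1a64(sample) << "\n"
              << "hash(variant) = " << fnv1a64(variant) << std::dec << "\n";
    std::cout << "signature offset in sample: " << find_signature(sample, stub_signature())
              << ", in variant: " << find_signature(variant, stub_signature()) << "\n";
    for (const std::string& s : extract_strings(sample, 4)) std::cout << "string: " << s << "\n";
    return 0;
}
```

The strings pass reports only CreateFileA: the obfuscated URL is invisible until the code that decodes it actually runs, which is exactly the gap the dynamic side of the coin closes.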
-
7/31
program analysis::Dynamic Analysis
a.k.a. Behavior Analysis
Let Us C (see)
Dynamic Properties: File Operations, Registry Operations, Network Operations, Interaction with other processes
Dangerous unless run in a controlled environment / sandbox.
-
8/31
instrumentation
Instruments that record, analyze, summarize, organize, debate in explained information that are illustrative, non illustrative, hard bound, paper bag, jacketed, non jacketed, with forward introduction, table of content, index, that are intended for the enlightenment, understanding, enrichment, enhancement, education of human brain through sensory route of vision... sometimes touch!
-
9/31
Dynamic Binary Instrumentation
Instrument code just before it runs (Just In Time).
No need to re-link.
Discover code at runtime
Handle dynamically generated code.
Attach to running process.
[cgo_2010_final.ppt]
-
10/31
A Dynamic Binary Instrumentation engine
based on Post-Link Optimizer Spike.
Developed by Intel Corporation.
Oldest available release: Pin-2.6-24110, dated 13/01/2009.
Latest release: Pin-2.8-39028, dated 02/02/2011.
Alternatives: DynamoRIO, Valgrind
-
12/31
Advantages of Pin
Provides a rich set of APIs in C/C++/Assembly for creating instrumentation tools, a.k.a. PinTools.
Multiplatform: supports IA-32, IA64, Intel64; supports Windows, Linux, MacOS.
Robust: if you can run it, you can Pin it: multithreaded applications, self modifying code, signals and exceptions.
Efficient: compiler optimization and code inlining.
Bypass Debug-Protection. (DEMO)
-
14/31
Pin Capabilities
Insert code at arbitrary places in executable code.
Just-In-Time compilation.
Automatic save/restore of registers to avoid interference.
Dynamic code discovery.
Instrument anything ever executed* (*User Mode).
-
16/31
But I do want these too:
Kernel Mode.
Isolated I/O.
Handling exceptions of PinTools.
-
17/31
But what is in it for me?
Read: Instructions, Operands, Operations, Methods, Parameters, Return Values, Modules
Write: Instructions, Operands, Operations, Methods, Parameters, Return Values
-
18/31
Pin Design
-
19/31
Pin Workflow
-
20/31
Pin Instrumentation
Modes
JIT: uses a code cache; all instrumentation granularities; flexible.
Probe: binary modified in place; limited to routine-level instrumentation; less flexible; faster than JIT in some cases.
-
21/31
Pin Instrumentation
Granularities
INS (instruction)
BBL (basic block)
Trace
RTN (routine): requires symbol support, dbghelp.dll v6.11.1.404.
IMG (image)
-
22/31
a Simple PinTool
#include "pin.H"
#include <iostream>

// Called once per image (EXE/DLL) that Pin loads into the application.
VOID Image(IMG img, VOID *v) { std::cerr << "Loaded: " << IMG_Name(img) << std::endl; }

// Called when the instrumented application exits.
VOID Fini(INT32 code, VOID *v) { std::cerr << "Exit code: " << code << std::endl; }

int main(int argc, char *argv[])
{
    if (PIN_Init(argc, argv))   // non-zero: bad command line
        return -1;
    IMG_AddInstrumentFunction(Image, 0);
    PIN_AddFiniFunction(Fini, 0);
    PIN_StartProgram();         // never returns; the application now runs under Pin
    return 0;
}
-
23/31
.puncture
A PinTool for behavior analysis.
3 stages:
A text file of call logs.
XML of categorized events.
HTML report = XML + XSL + CSS.
Instrumentation methods:
Instrumentation at boundary
ReplaceSignature
-
24/31
Instrumentation at Boundary
[Figure: conceptual view, UnPinned. FOO calls BAAR(x,x); BAAR runs and returns (retn) to FOO.]
-
25/31
Instrumentation at Boundary
[Figure: conceptual view, Pinned. FOO calls BAAR; b4BAAR(W,x,Z) runs before BAAR(x,x), afterBAAR(X,Y,Z) runs after it, then control returns to FOO.]
-
26/31
ReplaceSignature
[Figure: conceptual view, UnPinned. FOO executes call BAAR; BAAR executes and returns with retn.]
-
27/31
ReplaceSignature
[Figure: conceptual view, Pinned. FOO's call BAAR lands in wrappedBAAR; wrappedBAAR reaches the original BAAR through PIN_CallApplicationFunction, and BAAR's retn comes back through the wrapper to FOO.]
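What the four conceptual views above describe, reduced to plain C++ as an added example: this is not puncture's code and uses no Pin API. A wrapper (assumed name wrap_call, playing the role of wrappedBAAR) records the arguments before the original routine runs (b4BAAR), invokes it directly where a PinTool would go through PIN_CallApplicationFunction, and records the return value after (afterBAAR); the entries then pass through the first two puncture stages, a text call log and categorized XML events. The application routines, the API-to-category table and the scripted call sequence are constructed stand-ins.

```cpp
#include <iostream>
#include <map>
#include <sstream>
#include <string>
#include <vector>

// One line of the stage-1 call log: what b4BAAR saw (arguments) and what
// afterBAAR saw (return value).
struct LogEntry { std::string routine; std::string args; std::string ret; };

struct CallLog {
    std::vector<LogEntry> entries;
    // Stage 1 in the deck: a text file of call logs (kept in memory here).
    std::string as_text() const {
        std::ostringstream os;
        for (const LogEntry& e : entries) os << e.routine << "(" << e.args << ") = " << e.ret << "\n";
        return os.str();
    }
};

// Constructed application routines, the "BAAR"s of the diagrams. They do no
// real I/O; they only return plausible values so the log has something to show.
int app_CreateFileA(const std::string& path) { return path.empty() ? -1 : 42; }
int app_RegSetValueExA(const std::string& key, const std::string& value) { return (key.empty() || value.empty()) ? 1 : 0; }
int app_connect(const std::string& host, int port) { return (host.empty() || port <= 0) ? -1 : 0; }

// Format an argument pack as "a, b, c" (C++11 recursion, no fold expressions).
void fmt_args(std::ostringstream&) {}
template <typename T, typename... R>
void fmt_args(std::ostringstream& os, const T& first, const R&... rest) {
    os << first;
    if (sizeof...(rest) > 0) os << ", ";
    fmt_args(os, rest...);
}

// wrappedBAAR: the replacement that the ReplaceSignature view installs. The
// argument capture is b4BAAR, the direct call stands in for
// PIN_CallApplicationFunction, the return-value capture is afterBAAR.
template <typename F, typename... A>
int wrap_call(CallLog& log, const std::string& name, F original, const A&... a) {
    std::ostringstream os;
    fmt_args(os, a...);                                              // b4BAAR
    int rv = original(a...);                                         // hand control to the real routine
    log.entries.push_back({name, os.str(), std::to_string(rv)});     // afterBAAR
    return rv;
}

// Stage 2 in the deck: categorize events. The classes are the dynamic
// properties from the Dynamic Analysis slide; the API table is a constructed subset.
std::string categorize(const std::string& routine) {
    static const std::map<std::string, std::string> table = {
        {"CreateFileA", "File"},        {"WriteFile", "File"},
        {"RegSetValueExA", "Registry"},
        {"connect", "Network"},         {"send", "Network"},
        {"CreateProcessA", "Process"},
    };
    std::map<std::string, std::string>::const_iterator it = table.find(routine);
    return it == table.end() ? "Other" : it->second;
}

// Attribute values are escaped so logged arguments cannot break the XML.
std::string xml_escape(const std::string& s) {
    std::string out;
    for (char c : s) {
        switch (c) {
            case '&': out += "&amp;"; break;
            case '<': out += "&lt;"; break;
            case '>': out += "&gt;"; break;
            case '"': out += "&quot;"; break;
            default: out += c;
        }
    }
    return out;
}

std::string to_xml(const CallLog& log) {
    std::ostringstream x;
    x << "<events>\n";
    for (const LogEntry& e : log.entries)
        x << "  <event category=\"" << categorize(e.routine) << "\" api=\"" << xml_escape(e.routine)
          << "\" args=\"" << xml_escape(e.args) << "\" ret=\"" << e.ret << "\"/>\n";
    x << "</events>\n";
    return x.str();
}

std::map<std::string, int> count_by_category(const CallLog& log) {
    std::map<std::string, int> counts;
    for (const LogEntry& e : log.entries) ++counts[categorize(e.routine)];
    return counts;
}

// A scripted "application run": three pinned calls, in the order they happen.
CallLog run_sample() {
    CallLog log;
    wrap_call(log, "CreateFileA", app_CreateFileA, std::string("C:\\temp\\sample.dat"));
    wrap_call(log, "RegSetValueExA", app_RegSetValueExA, std::string("HKCU\\Software\\Demo"), std::string("startup"));
    wrap_call(log, "connect", app_connect, std::string("example.invalid"), 8080);
    return log;
}

int main() {
    CallLog log = run_sample();
    std::cout << log.as_text() << to_xml(log);
    return 0;
}
```

The wrapper never touches the original routine's body, which is the point of both views: the application code runs unchanged, and everything the tool learns comes from the two boundary points around the call.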
-
29/31
.conclusion
Although DBI frameworks like Pin were not developed primarily for security but for testing and optimizing performance, code coverage etc., they have enough capabilities to be used as a software security research tool too.
-
30/31
Contacts
Pin: http://www.pintool.org
Pin user group: pinheads@yahoogroups
31/31
Thanks