SlideShare a Scribd company logo

The Postmodern Binary Analysis

O
Onur Alanbel

This document discusses dynamic binary instrumentation and taint analysis techniques. It describes how frameworks like Intel PIN, Valgrind, and DynamoRIO can be used to inject instrumentation code into running binaries. It also explains how taint tracking can identify which parts of code are affected by tainted user input. Symbolic execution and constraint solving with Z3 are presented as methods to perform taint analysis and concolic execution on binaries. Open source tools like Triton, Angr, and BitBlaze TEMU are referenced for dynamic binary analysis.

Internet
1 of 54
Downloaded 20 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
THE POSTMODERN BINARY ANALYSIS Onur ALANBEL
$ id -un ➤ Computer Engineer (IZTECH) ➤ Developer @TaintAll (taintall.com) ➤ AppSec Researcher ➤ Blog: onuralanbel.pro ➤ @onuralanbel ➤ https://packetstormsecurity.com/search/?q=onur+alanbel
AGENDA ➤ Dynamic Binary Instrumentation ➤ Taint Analysis ➤ Constraint Solving With Z3 ➤ Symbolic/Concolic Execution
DYNAMIC BINARY INSTRUMENTATION ➤ Inject instrumentation code into a running binary.
DYNAMIC BINARY INSTRUMENTATION ➤ Inject instrumentation code into a running binary. ➤ Instrumentation code executes as normal instructions.
DYNAMIC BINARY INSTRUMENTATION ➤ Inject instrumentation code into a running binary. ➤ Instrumentation code executes as normal instructions. ➤ Instrumentation is transparent to the application.
DBI FRAMEWORKS ➤ Intel PIN Framework ➤ Win, Lin, OS X ➤ No IL
DBI FRAMEWORKS ➤ Intel PIN Framework ➤ Win, Lin, OS X ➤ No IL ➤ Valgrind ➤ Lin, OS X ➤ IL
DBI FRAMEWORKS ➤ Intel PIN Framework ➤ Win, Lin, OS X ➤ No IL ➤ Valgrind ➤ Lin, OS X ➤ IL ➤ DynamoRIO ➤ Win, Lin, Android ➤ No IL
DBI FRAMEWORKS ➤ Intel PIN Framework ➤ Win, Lin, OS X ➤ No IL ➤ Valgrind ➤ Lin, OS X ➤ IL ➤ DynamoRIO ➤ Win, Lin, Android ➤ No IL ➤ May be others like ➤ PEMU ➤ …
INSTRUCTION COUNTING
SIMPLE SIDE CHANNEL ATTACK
CAN WE DO BETTER? ➤ Use snapshots instead of Re-run
CAN WE DO BETTER? ➤ Use snapshots instead of Re-run ➤ Use multi-threading
CAN WE DO BETTER? ➤ Use snapshots instead of Re-run ➤ Use multi-threading ➤ What about doing something smarter?
TAINT ANALYSIS ➤ Which parts of the code can be controlled or affected by tainted data (usually user input)
TAINT ANALYSIS ➤ Which parts of the code can be controlled or affected by tainted data (usually user input)
TAINT ANALYSIS taint RAX
TAINT ANALYSIS taint RAX mov RCX, RAX
TAINT ANALYSIS taint RAX mov RCX, RAX push RCX
TAINT ANALYSIS taint RAX mov RCX, RAX push RCX ……. mov RCX, ptr [0x1234]
TAINT ANALYSIS taint RAX mov RCX, RAX push RCX ……. mov RCX, ptr [0x1234] pop RBX
TAINT ANALYSIS taint RAX mov RCX, RAX push RCX ……. mov RCX, ptr [0x1234] pop RBX stop tainting
TAINT ANALYSIS taint RAX mov RCX, RAX push RCX ……. mov RCX, ptr [0x1234] pop RBX stop tainting Which are the tainted regs?
TAINT ANALYSIS taint RAX mov RCX, RAX push RCX ……. mov RCX, ptr [0x1234] pop RBX stop tainting Which are the tainted regs? Which are the tainted mems?
TAINT ANALYSIS taint RAX mov RCX, RAX push RCX ……. mov RCX, ptr [0x1234] pop RBX stop tainting Which are the tainted regs? Which are the tainted mems? RAX, RBX and 8 addresses
 from the stack
TAINT ANALYSIS taint RAX mov AL, 0x1
TAINT ANALYSIS taint RAX mov AL, 0x1 mov ECX, EAX
TAINT ANALYSIS taint RAX mov AL, 0x1 mov ECX, EAX cmp ECX, EBX
TAINT ANALYSIS taint RAX mov AL, 0x1 mov ECX, EAX cmp ECX, EBX jz 0x4321
TAINT ANALYSIS taint RAX mov AL, 0x1 mov ECX, EAX cmp ECX, EBX jz 0x4321 Can we control this branch?
TAINT ANALYSIS taint RAX mov AL, 0x1 mov ECX, EAX cmp CL, BL jz 0x4321 What about this one?
TAINT ANALYSIS taint RAX mov AL, 0x1 mov ECX, EAX cmp CL, BL jz 0x4321 What about this one? taint RCX xor RCX, RDX
TAINT ANALYSIS taint RAX mov AL, 0x1 mov ECX, EAX cmp CL, BL jz 0x4321 What about this one? taint RCX xor RCX, RDX add RAX, RCX
TAINT ANALYSIS taint RAX mov AL, 0x1 mov ECX, EAX cmp CL, BL jz 0x4321 What about this one? taint RCX xor RCX, RDX add RAX, RCX Should RAX be tainted?
TAINT ANALYSIS taint RAX mov AL, 0x1 mov ECX, EAX cmp CL, BL jz 0x4321 What about this one? taint RCX xor RCX, RCX mov RAX, RCX Now, should be ?
TAINT ANALYSIS ➤ With the help of PIN’s Inspection API (TaintAll)
TAINT ANALYSIS ➤ With the help of PIN’s Inspection API (TaintAll) ➤ With the help of Symbolic Execution (Triton Framework)
TAINT ANALYSIS ➤ With the help of PIN’s Inspection API (TaintAll) ➤ With the help of Symbolic Execution (Triton Framework) ➤ Using an Intermediate Language (TaintGrind)
TAINT ANALYSIS WITH TRITON Triton/src/examples/pin/ runtime_memory_tainting.py with a little modification
TAINT ANALYSIS WITH TRITON Triton/src/examples/pin/ runtime_memory_tainting.py with a little modification
A LITTLE BIT OF Z3 ➤ “Z3 is a state-of-the art theorem prover from Microsoft Research”
A LITTLE BIT OF Z3 ➤ “Z3 is a state-of-the art theorem prover from Microsoft Research” ➤ Input format is an extension of SMT-LIB 2.0 standard
A LITTLE BIT OF Z3 ➤ “Z3 is a state-of-the art theorem prover from Microsoft Research” ➤ Input format is an extension of SMT-LIB 2.0 standard
A LITTLE BIT OF Z3 ➤ “Z3 is a state-of-the art theorem prover from Microsoft Research” ➤ Input format is an extension of SMT-LIB 2.0 standard ➤ Or use Z3Py
The Postmodern Binary Analysis
For a real world example Search: “Reversing the petya ransomware with constraint solvers”
SYMBOLIC EXECUTION ➤ x = input()
 y = x * 5
 if x < 20:
 print “ok”
 else:
 print “nope”
SYMBOLIC EXECUTION ➤ x = input()
 y = x * 5
 if x < 20:
 print “ok”
 else:
 print “nope” y=sym_x*5 sym_x x < 20 ok nope
CONCRETE EXECUTION ➤ x = input()
 y = x * 5
 if x < 20:
 print “ok”
 else:
 print “nope” y=sym_x*5 sym_x x < 20 ok nope
CONCOLIC EXECUTION ➤ x = input()
 y = x * 5
 if x < 20:
 print “ok”
 else:
 print “nope” y=sym_x*5 sym_x x < 20 ok nope
The Postmodern Binary Analysis
OPEN SOURCE DBA FRAMEWORKS/TOOLS ➤ Triton ➤ Angr ➤ BitBlaze TEMU ➤ Valgrind Tools ➤ PIN Tools
REFERENCES ➤ http://uninformed.org/index.cgi?v=7&a=1&p=3 ➤ https://software.intel.com/sites/landingpage/pintool/docs/ 76991/Pin/html/ ➤ http://smtlib.cs.uiowa.edu/solvers.shtml

More Related Content

PDF
Hacking the Gateways
Onur Alanbel
 
PDF
Can We Prevent Use-after-free Attacks?
inaz2
 
PDF
Raptor web application firewall
Antonio Costa aka Cooler_
 
PDF
Ricardo J. Rodríguez & Daniel Uroz - When ROP meets Turing: Automatic Generat...
RootedCON
 
PDF
0d1n
Antonio Costa aka Cooler_
 
PDF
NSC #2 - Challenge Solution
NoSuchCon
 
PDF
Zero bugs found? Hold my beer AFL! how to improve coverage-guided fuzzing and...
Maksim Shudrak
 
PDF
Sheila Ayelen Berta - The Art of Persistence: "Mr. Windows… I don’t wanna go ...
RootedCON
 
Hacking the Gateways
Onur Alanbel
 
Can We Prevent Use-after-free Attacks?
inaz2
 
Raptor web application firewall
Antonio Costa aka Cooler_
 
Ricardo J. Rodríguez & Daniel Uroz - When ROP meets Turing: Automatic Generat...
RootedCON
 
0d1n
Antonio Costa aka Cooler_
 
NSC #2 - Challenge Solution
NoSuchCon
 
Zero bugs found? Hold my beer AFL! how to improve coverage-guided fuzzing and...
Maksim Shudrak
 
Sheila Ayelen Berta - The Art of Persistence: "Mr. Windows… I don’t wanna go ...
RootedCON
 

What's hot (20)

PDF
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
Maksim Shudrak
 
PDF
Stealth post-exploitation with phpsploit
Nullbyte Security Conference
 
PDF
Chromium Sandbox on Linux (NDC Security 2019)
Patricia Aas
 
PDF
Chromium Sandbox on Linux (BlackHoodie 2018)
Patricia Aas
 
PDF
Hacking with Backtrack Lecture-3
Zia Ush Shamszaman
 
PDF
44CON London 2015 - Is there an EFI monster inside your apple?
44CON
 
PDF
Linux Security APIs and the Chromium Sandbox
Patricia Aas
 
PDF
44CON 2014 - Breaking AV Software
44CON
 
PDF
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis
44CON
 
PPTX
Hacking routers as Web Hacker
HeadLightSecurity
 
PDF
WAF protections and bypass resources
Antonio Costa aka Cooler_
 
PDF
Introduction to VeriFast @ Kyoto
Kiwamu Okabe
 
PDF
Introduction to Memory Exploitation (CppEurope 2021)
Patricia Aas
 
PDF
How to Setup A Pen test Lab and How to Play CTF
n|u - The Open Security Community
 
PPTX
Kali Linux - Falconer
Tony Godfrey
 
PDF
Understand study
Antonio Costa aka Cooler_
 
PDF
A Hypervisor IPS based on Hardware Assisted Virtualization Technology
FFRI, Inc.
 
PDF
Thunderbolts and Lightning: Very Very Frightening
blowmenowpls
 
PDF
Fuzzing underestimated method of finding hidden bugs
Pawel Rzepa
 
PDF
Talk NullByteCon 2015
Roberto Soares
 
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
Maksim Shudrak
 
Stealth post-exploitation with phpsploit
Nullbyte Security Conference
 
Chromium Sandbox on Linux (NDC Security 2019)
Patricia Aas
 
Chromium Sandbox on Linux (BlackHoodie 2018)
Patricia Aas
 
Hacking with Backtrack Lecture-3
Zia Ush Shamszaman
 
44CON London 2015 - Is there an EFI monster inside your apple?
44CON
 
Linux Security APIs and the Chromium Sandbox
Patricia Aas
 
44CON 2014 - Breaking AV Software
44CON
 
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis
44CON
 
Hacking routers as Web Hacker
HeadLightSecurity
 
WAF protections and bypass resources
Antonio Costa aka Cooler_
 
Introduction to VeriFast @ Kyoto
Kiwamu Okabe
 
Introduction to Memory Exploitation (CppEurope 2021)
Patricia Aas
 
How to Setup A Pen test Lab and How to Play CTF
n|u - The Open Security Community
 
Kali Linux - Falconer
Tony Godfrey
 
Understand study
Antonio Costa aka Cooler_
 
A Hypervisor IPS based on Hardware Assisted Virtualization Technology
FFRI, Inc.
 
Thunderbolts and Lightning: Very Very Frightening
blowmenowpls
 
Fuzzing underestimated method of finding hidden bugs
Pawel Rzepa
 
Talk NullByteCon 2015
Roberto Soares
 
Ad

Similar to The Postmodern Binary Analysis (20)

PDF
Taint analysis
Edgar Barbosa
 
PDF
A guided fuzzing approach for security testing of network protocol software
binish_hyunseok
 
PPTX
The System of Automatic Searching for Vulnerabilities or how to use Taint Ana...
Positive Hack Days
 
PDF
Dmitriy D1g1 Evdokimov - DBI Intro
DefconRussia
 
PDF
[2010 CodeEngn Conference 04] passket - Taint analysis for vulnerability disc...
Code Engn
 
PDF
Dynamic Binary Analysis and Obfuscated Codes
Jonathan Salwan
 
PDF
Sstic 2015 detailed_version_triton_concolic_execution_frame_work_f_saudel_jsa...
Jonathan Salwan
 
PDF
[2011 CodeEngn Conference 05] Deok9 - DBI(Dynamic Binary Instrumentation)를 이용...
Code Engn
 
PDF
Sthack 2015 - Jonathan "@JonathanSalwan" Salwan - Dynamic Behavior Analysis U...
StHack
 
PDF
St hack2015 dynamic_behavior_analysis_using_binary_instrumentation_jonathan_s...
Jonathan Salwan
 
PPTX
Memory protection using dynamic tainting
USERAAPKA
 
PPT
Dc 12 Chiueh
wollard
 
PPTX
Memory Corruption: from sandbox to SMM
Positive Hack Days
 
PDF
Automating Analysis and Exploitation of Embedded Device Firmware
Malachi Jones
 
PDF
BlueHat Seattle 2019 || Modern Binary Analysis with ILs
BlueHat Security Conference
 
PDF
Model-checking for efficient malware detection
Pôle Systematic Paris-Region
 
PPT
Georgy Nosenko - An introduction to the use SMT solvers for software security
DefconRussia
 
PPT
13517398.ppt
HaipengCai1
 
PPTX
Advanced malware analysis training session4 anti-analysis techniques
Cysinfo Cyber Security Community
 
PPT
Detecting and Preventing Memory Attacks#
gwarloki1
 
Taint analysis
Edgar Barbosa
 
A guided fuzzing approach for security testing of network protocol software
binish_hyunseok
 
The System of Automatic Searching for Vulnerabilities or how to use Taint Ana...
Positive Hack Days
 
Dmitriy D1g1 Evdokimov - DBI Intro
DefconRussia
 
[2010 CodeEngn Conference 04] passket - Taint analysis for vulnerability disc...
Code Engn
 
Dynamic Binary Analysis and Obfuscated Codes
Jonathan Salwan
 
Sstic 2015 detailed_version_triton_concolic_execution_frame_work_f_saudel_jsa...
Jonathan Salwan
 
[2011 CodeEngn Conference 05] Deok9 - DBI(Dynamic Binary Instrumentation)를 이용...
Code Engn
 
Sthack 2015 - Jonathan "@JonathanSalwan" Salwan - Dynamic Behavior Analysis U...
StHack
 
St hack2015 dynamic_behavior_analysis_using_binary_instrumentation_jonathan_s...
Jonathan Salwan
 
Memory protection using dynamic tainting
USERAAPKA
 
Dc 12 Chiueh
wollard
 
Memory Corruption: from sandbox to SMM
Positive Hack Days
 
Automating Analysis and Exploitation of Embedded Device Firmware
Malachi Jones
 
BlueHat Seattle 2019 || Modern Binary Analysis with ILs
BlueHat Security Conference
 
Model-checking for efficient malware detection
Pôle Systematic Paris-Region
 
Georgy Nosenko - An introduction to the use SMT solvers for software security
DefconRussia
 
13517398.ppt
HaipengCai1
 
Advanced malware analysis training session4 anti-analysis techniques
Cysinfo Cyber Security Community
 
Detecting and Preventing Memory Attacks#
gwarloki1
 
Ad

More from Onur Alanbel (7)

PDF
Başarılı Bir Siber Saldırının Perde Arkası ve Vaka Analizi
Onur Alanbel
 
PDF
SOC Ekiplerinin Problemlerine Güncel Yaklaşımlar
Onur Alanbel
 
PDF
Dünden Bugüne Exploit Dünyası
Onur Alanbel
 
PDF
Shellshock
Onur Alanbel
 
PDF
Binary Hacking Hakkında Herşey
Onur Alanbel
 
PDF
Developing MIPS Exploits to Hack Routers
Onur Alanbel
 
PDF
OWASPTR Uygulama Güvenliği Günü 2013
Onur Alanbel
 
Başarılı Bir Siber Saldırının Perde Arkası ve Vaka Analizi
Onur Alanbel
 
SOC Ekiplerinin Problemlerine Güncel Yaklaşımlar
Onur Alanbel
 
Dünden Bugüne Exploit Dünyası
Onur Alanbel
 
Shellshock
Onur Alanbel
 
Binary Hacking Hakkında Herşey
Onur Alanbel
 
Developing MIPS Exploits to Hack Routers
Onur Alanbel
 
OWASPTR Uygulama Güvenliği Günü 2013
Onur Alanbel
 

Recently uploaded (20)

PDF
mera desh ae watn.(a source of motivation and patriotism to the youth of the ...
DtMalhonSharma
 
PPT
Ethics in Information System - Management Information System
faizhossain3
 
PDF
Slides PDF: The World Game (s) Eco Economic Epochs.pdf
Steven McGee
 
PDF
Smart Home Technology for Health Monitoring (www.kiu.ac.ug)
publication11
 
PDF
simpleintnettestmetiaerl for the simple testint
sherlockholmes10009
 
PDF
SASE Traffic Flow - ZTNA Connector-1.pdf
mackwell7777
 
PPTX
Internet Safety for Seniors presentation
mwnorman1
 
PPTX
newyork.pptxirantrafgshenepalchinachinane
PrashantKoirala12
 
PPTX
1402_iCSC_-_RESTful_Web_APIs_--_Josef_Hammer.pptx
mwnorman1
 
PPTX
artificial intelligence overview of it and more
yafotin445
 
PPTX
Slides PPTX: World Game (s): Eco Economic Epochs.pptx
Steven McGee
 
PPTX
Funds Management Learning Material for Beg
NKKumar16
 
PDF
SlidesGDGoCxRAIS about Google Dialogflow and NotebookLM.pdf
minhtrietgect
 
PPTX
Database Information System - Management Information System
faizhossain3
 
PPTX
E -tech empowerment technologies PowerPoint
kylebalatero12
 
PDF
The New Creative Director: How AI Tools for Social Media Content Creation Are...
SageTitans
 
PDF
Exploring VPS Hosting Trends for SMBs in 2025
Liquid Web
 
PDF
The Evolution of Traditional to New Media .pdf
NIKKODENSMIRO
 
PPTX
June-4-Sermon-Powerpoint.pptx USE THIS FOR YOUR MOTIVATION
KuyaRogie
 
PDF
Uptota Investor Deck - Where Africa Meets Blockchain
jjc123linkedin
 
mera desh ae watn.(a source of motivation and patriotism to the youth of the ...
DtMalhonSharma
 
Ethics in Information System - Management Information System
faizhossain3
 
Slides PDF: The World Game (s) Eco Economic Epochs.pdf
Steven McGee
 
Smart Home Technology for Health Monitoring (www.kiu.ac.ug)
publication11
 
simpleintnettestmetiaerl for the simple testint
sherlockholmes10009
 
SASE Traffic Flow - ZTNA Connector-1.pdf
mackwell7777
 
Internet Safety for Seniors presentation
mwnorman1
 
newyork.pptxirantrafgshenepalchinachinane
PrashantKoirala12
 
1402_iCSC_-_RESTful_Web_APIs_--_Josef_Hammer.pptx
mwnorman1
 
artificial intelligence overview of it and more
yafotin445
 
Slides PPTX: World Game (s): Eco Economic Epochs.pptx
Steven McGee
 
Funds Management Learning Material for Beg
NKKumar16
 
SlidesGDGoCxRAIS about Google Dialogflow and NotebookLM.pdf
minhtrietgect
 
Database Information System - Management Information System
faizhossain3
 
E -tech empowerment technologies PowerPoint
kylebalatero12
 
The New Creative Director: How AI Tools for Social Media Content Creation Are...
SageTitans
 
Exploring VPS Hosting Trends for SMBs in 2025
Liquid Web
 
The Evolution of Traditional to New Media .pdf
NIKKODENSMIRO
 
June-4-Sermon-Powerpoint.pptx USE THIS FOR YOUR MOTIVATION
KuyaRogie
 
Uptota Investor Deck - Where Africa Meets Blockchain
jjc123linkedin
 

The Postmodern Binary Analysis