Presentation is loading. Please wait.

Presentation is loading. Please wait.

Light and Dark side of Code Instrumentation Dmitriy “D1g1″ Evdokimov DSecRG, Security Researcher.

Similar presentations


Presentation on theme: "Light and Dark side of Code Instrumentation Dmitriy “D1g1″ Evdokimov DSecRG, Security Researcher."— Presentation transcript:

1 Light and Dark side of Code Instrumentation Dmitriy “D1g1″ Evdokimov DSecRG, Security Researcher

2 #whoami Security Researcher in DSecRG – RE – Fuzzing – Mobile security Organizer: DCG #7812 Editor in “XAKEP” CONFidence Krakow 20122www.dsecrg.com

3 Agenda 1.Instrumentation. 2.Instrumentation.. 3.Instrumentation … 4.Instrumentation …. 5.Instrumentation ….. 6.Instrumentation …… 7.Instrumentation ……. CONFidence Krakow 20123www.dsecrg.com

4 Intro “It has been proved by scientists that a new point of evolution, any technical progress appears when a Man makes up a new type of tool, but not a product.” CONFidence Krakow 20124www.dsecrg.com

5 Instrumentation Instrumentation is a technique adding extra code to an program/environment for monitoring/change some program behavior. CONFidence Krakow 20125 Own extra code Program Own extra code Program Environment www.dsecrg.com

6 Why is it necessary? CONFidence Krakow 20126 Simulation Emulation Performance analysis Correctness checking Memory debugging Parallel optimization Collecting code metrics Automated debugging Software profiling Optimization Testing Error detection Virtualization Memory leak detection www.dsecrg.com Binary translation

7 Instrumentation in information security CONFidence Krakow 20127 Control flow analysis Taint analysis Data flow analysis Code coverage Privacy monitoring Vulnerability detection Fuzzing Virtual patching Malware analysis Shellcode detection Reverse engineering Deobfuscation Unpack Data Structure Restoring Sandboxing Antivirus technology Forensic Transparent debugging Program shepherding Security test case generation Behavior based security www.dsecrg.com Security enforcement

8 Analysis CONFidence Krakow 20128 CriterionStatic analysisDynamic analysis Code vs. dataProblemNo problem Code coverageBig (but not all)One way Information about valuesNo informationAll information Self-modifying codeProblemNo problem Interaction with the environment NoYes Unused codeAnalysisNo analysis JIT codeProblemNo problem www.dsecrg.com

9 Code Discovery CONFidence Krakow 20129 0101010110101001010010 0101010101101010101010 1111010101110101000111 1011100111001010101011 0111010110100111100110 1010101101110001001011 Memory Instr 1 Instr Instr 7 Instr 8 Instr 10 Instr 3 jump reg Instr 2 5 Instr 7 cont. Instr 4 Instr 6 Instr 9 After static analysis Instr 1 DATA Instr 5 PADDING Instr 6 Instr 3 jump reg Instr 2 Instr 4 jmp 0x0ABCD After dynamic analysis www.dsecrg.com

10 The general scheme of code instrumentation 1.Find points of instrumentation; 2.Insert instrumentation; 3.Take control from program; 4.Save context of the program; 5.Execute own code; 6.Restore context of the program; 7.Return control to program. CONFidence Krakow 201210www.dsecrg.com

11 Source Data CONFidence Krakow 201211 Source data Source codeByte codeBinary code www.dsecrg.com

12 Classification of target instrumentation CONFidence Krakow 201212 Instrumentation With source codeWithout source code Source code Linker/Compiler Byte codeBinary code Byte code Interpreter/VM Executable file Process Environment Hardware Source code instrumentationLink-time/Compilation-time instrumentation Byte code instrumentation - Static - Load-time - Dynamic Static binary instrumentationDynamic binary instrumentationEnvironment modification www.dsecrg.com

13 Source code instrumentation Source code* – Source code instrumentation Manual skills Plugins for IDE – Link-time/Compilation-time instrumentation Options of linker/compiler Tools: Visual Studio Profiler, gcc, TAU, OPARI, Diablo, Phoenix, LLVM, Rational Purify, Valgrind CONFidence Krakow 201213 *Unreal condition for security specialist =) www.dsecrg.com

14 Unmoral programming CONFidence Krakow 201214www.dsecrg.com

15 Byte code instrumentation Byte code – intermediate representation between source code and machine code. CONFidence Krakow 201215 … Java VM Dalvik VM AVM/AVM2 CLR www.dsecrg.com

16 Instrumentation byte-code (I) CONFidence Krakow 201216 Source code Byte-code Loader JIT Lib Machine code Compilation Execute Load Virtual machine www.dsecrg.com

17 Instrumentation byte code (II) Byte-code – Static instrumentation Static byte code instrumentation – Load-time instrumentation Custom byte code loader – Dynamic instrumentation Dynamic byte-code instrumentation CONFidence Krakow 201217www.dsecrg.com

18 Instrumentation Java (I) CONFidence Krakow 201218www.dsecrg.com Mechanisms: java.lang.instrument package; Java Platform Debugger Architecture (JPDA).

19 Instrumentation Java (II) Static instrumentation – Modification *.class files Load-time instrumentation – ClassFileLoadHook – Custom ClassLoader Dynamic instrumentation – ClassFileLoadHook -> RetransformClasses Tools: Javassist, ObjectWeb ASM, BCEL, JOIE, reJ JavaSnoop, Serp, JMangler CONFidence Krakow 201219www.dsecrg.com

20 Instrumentation.NET Static instrumentation – Modification DLL files Load-time instrumentation – AppDomain.Load()/Assembly.Load() – Joint redirection – Via event handler Tools: ReFrameworker, MBEL, RAIL, Cecil CONFidence Krakow 201220www.dsecrg.com

21 Instrumentation ActionScript (I) ActionScript2 – AVM – Tags that (can) contain bytecode: DefineButton (7), DefineButton2 (34), DefineSprite (39), DoAction (12), DoInitAction (59), PlaceObject2 (26), PlaceObject3 (70). ActionScript3 – AVM2 – Tags that (can) contain bytecode: DoABC (82), RawABC (72). CONFidence Krakow 201221www.dsecrg.com

22 AVM2 Architecture.abc.abc parser Bytecode Verifier Interpreter JIT Compiler MIR Code Generator MD Code Generator (x86, PPC, ARM, etc.) Runtime System (Type System, Object Model) Memory Manager/Garbage Collector 22CONFidence Krakow 2012 AS3 function (x:int):int { return x+10 }.abc getlocal 1 pushint 10 add returnvalue MIR @1 arg +8// argv @2 load [@1+4] @3 imm 10 @4 add (@2,@3) @5 ret @4 // @4:eax x86 mov eax,(eap+8) mov eax,(eax+4) add eax,10 ret www.dsecrg.com

23 Instrumentation ActionScript (I) CONFidence Krakow 201223www.dsecrg.com Original SWF file Header Tags AVM tag Instrumenteted SWF file

24 Instrumentation AVM (II) CONFidence Krakow 201224www.dsecrg.com Static instrumentation – Add : trace() dump() debug() debugfile() debugline() – Modification: Create own class + change class name = hook!

25 Instrumentation binary code The executable file – Static code instrumentation Static binary instrumentation Process – Debuggers Debugging API – Modifying call table/other structure IAT … – Dynamic code instrumentation Dynamic binary instrumentation Hardware – Hardware debug features Debug registers Hardware debuggers … CONFidence Krakow 201225www.dsecrg.com Environment – Modifying call table IDT, CPU MSRs, GDT, SSDT, IRP тable … – Modifying OS options SHIM LD_PRELOAD AppInt_DLLs DLL injection … – Reproduction of the environment Emulation Virtualization

26 Static Binary Instrumentation (I) Static binary instrumentation/Physical code integration/Static binary code rewriting Realization: – With reallocation: Level of segment; Level of function; – Without reallocation. CONFidence Krakow 201226www.dsecrg.com Header Edited Header Segment of code Segment of data Extra segment of code Extra segment of data Segment of code Segment of data

27 Static Binary Instrumentation (II) Reallocation: 1) Function Displacement + Entry Point Linking; 2) Branch Conversion; 3) Instruction Padding; 4) Instrumentation. CONFidence Krakow 201227www.dsecrg.com Tools: DynInst, EEL, ATOM, PEBIL, ERESI, TAU, Vulcan, BIRD, Aslan(4514N)

28 Debuggers Breakpoints: Software Hardware Debugger + scripting: WinDBG + pykd OllyDBG + python = Immunity Debuggers GDB + PythonGDB Python library's*: Buggery, IDAPython, ImmLIB, lldb, PyDBG, PyDbgEng, pygdb, python-ptrace, vtrace, WinAppDbg, … *See “Python Arsenal for Reverse Engineering” CONFidence Krakow 201228www.dsecrg.com AppDebugger Processor OS

29 Dynamic Binary Instrumentation Dynamic binary instrumentation/Virtual code integration/Dynamic binary rewriting Tools: PIN, DynamoRIO, DynInst, Valgrind, BAP, KEDR, Fit, ERESI, Detour, Vulcan, SpiderPig CONFidence Krakow 201229www.dsecrg.com App1App2 Processor OS DBI

30 Dynamic Binary Instrumentation Dynamic Binary Instrumentation (DBI) is a process control and analysis technique that involves injecting instrumentation code into a running process. Dynamic binary analysis (DBA) tools such as profilers and checkers help programmers create better software. Dynamic binary instrumentation (DBI) frameworks make it easy to build new DBA tools. DBA tools consist: – instrumentation routines; – analysis routines. CONFidence Krakow 201230www.dsecrg.com

31 Kinds of DBI Mode: – user-mode; – kernel-mode. Modes of execution: – Interpretation-mode; – Probe-mode; – JIT-mode. CONFidence Krakow 201231www.dsecrg.com Mode of work: - Start to finish; - Attach. Performance Functionality JIT Probe

32 DBI Frameworks* FrameworksOSArchModesFeatures PINLinux, Windows, MacOS x86, x86-64, Itanium, ARM JIT, ProbeAttach mode DynamoRIOLinux, Windows x86, x86-64JIT, ProbeRuntime optimization DynInstLinux, FreeBSD, Windows x86, x86-64, ppc32, ARM, ppc64 ProbeStatic & Dynamic binary instrumentation ValgrindLinux, MacOSx86, x86-64, ppc32, ARM, ppc64 JITIR – VEX, Heavyweight DBA tools CONFidence Krakow 201232www.dsecrg.com *For more details see “DBI:Intro” presentation from ZeroNights conference

33 Start work with DBI CONFidence Krakow 201233www.dsecrg.com

34 Levels of granularity Instruction; Basic Block*; Trace/Superblock; Function; Section; Events; Binary image. CONFidence Krakow 201234www.dsecrg.com

35 Self-modifying code & DBI Detect: – Written-protecting code pages – Checking store address – Inserting extra code CONFidence Krakow 201235www.dsecrg.com

36 Overhead O = X + Y Y = N*Z Z = K+L O – Tool Overhead; X – Instrumentation Routines Overhead; Y – Analysis Routines Overhead; N – Frequency of Calling Analysis Routine; Z – Work Performed in the Analysis Routine; K – Work Required to Transition to Analysis Routine; L – Work Performed Inside the Analysis Routine. CONFidence Krakow 201236www.dsecrg.com

37 Rewriting instructions Platforms: – with fixed-length instruction; – with variable-length instructions. CONFidence Krakow 201237www.dsecrg.com

38 Rewriting code (I) Easy / simple / boring / regular example – Rewriting prolog function CONFidence Krakow 201238www.dsecrg.com

39 Rewriting code (II) Hardcore example: – Mobile phone firmware rewriting CONFidence Krakow 201239 GSM AMSS SHELLCODE 1 Bootloader Flash Malicious SMS reboot Baseband processor www.dsecrg.com

40 Instrumentation in ARM ARM modes: – ARM Length(instr) = 4 byte – Thumb Length(instr) = 2 byte – Thumb2 Length(instr) = 2/4 byte – Jazzle For more detail see “A Dynamic Binary Instrumentation Engine for the ARM Architecture” presentation. CONFidence Krakow 201240www.dsecrg.com

41 Emulation CONFidence Krakow 201241www.dsecrg.com App1OS Emulator Processor OS

42 Instrumentation & Bochs Bochs can be called with instrumentation support. C++ callbacks occur when certain events happen: – Poweron/Reset/Shutdown; – Branch Taken/Not Taken/Unconditional; – Opcode Decode (All relevant fields, lengths); – Interrupt /Exception; – Cache /TLB Flush/Prefetch; – Memory Read/Write. “bochs-python-instrumentation” patch by Ero Carrera CONFidence Krakow 201242www.dsecrg.com

43 Virtualization CONFidence Krakow 201243www.dsecrg.com App1OS VMM Processor App1OS VMM Processor OS Native VMM Hosted VMM *VMM - Virtual Machine Monitor

44 Instrumentation & virtualization Stages: 1.Save the VM-exit reason information in the VMCS; 2.Save guest context information; 3.Load the host-state area; 4.Transfer control to the hypervisor; 5.Run own code. *VMCS - Virtual Machine Control Structure CONFidence Krakow 201244www.dsecrg.com

45 Instrumentation in Mobile World CONFidence Krakow 201245 Mobile PlatformLanguageExecutable file format AndroidJavaDex iOSObjective-CMach-O Windows Phone.NETPE www.dsecrg.com

46 Conclusion CONFidence Krakow 201246www.dsecrg.com One can implement instrumentation of everything!

47 Contact Twitter: @evdokimovds E-mail: d.evdokimov@dsecrg.com CONFidence Krakow 201247www.dsecrg.com


Download ppt "Light and Dark side of Code Instrumentation Dmitriy “D1g1″ Evdokimov DSecRG, Security Researcher."

Similar presentations


Ads by Google