Presentation is loading. Please wait.

Presentation is loading. Please wait.

© 2006 Barton P. MillerFebruary 2006Binary Code Analysis and Editing A Framework for Binary Code Analysis, and Static and Dynamic Patching Barton P. Miller.

Similar presentations


Presentation on theme: "© 2006 Barton P. MillerFebruary 2006Binary Code Analysis and Editing A Framework for Binary Code Analysis, and Static and Dynamic Patching Barton P. Miller."— Presentation transcript:

1 © 2006 Barton P. MillerFebruary 2006Binary Code Analysis and Editing A Framework for Binary Code Analysis, and Static and Dynamic Patching Barton P. Miller University of Wisconsin Jeffrey Hollingsworth University of Maryland

2 – 2 –© 2006 Barton P. Miller Binary Code Analysis and Editing Motivation Multi-platform Open architecture Extensible Open source Testable Suitable for batch processing Accurate Efficient  Binary code analysis is a basic tool of security analysts, application developers, system designers and tool developers.  We are designing and building a new foundation to support such analysis.  Existing binary analysis tools have significant limitations.

3 – 3 –© 2006 Barton P. Miller Binary Code Analysis and Editing Why Binary Code?  Access to the source code often is not possible: Proprietary software packages. Stripped executables. Proprietary libraries: communication (MPI, PVM), linear algebra (NGA), database query (SQL libraries).  Binary code is the only authoritative version of the program. Changes occurring in the compile, optimize and link steps can create non-trivial semantic differences from the source and binary.  Worms and viruses are rarely provided with source code

4 – 4 –© 2006 Barton P. Miller Binary Code Analysis and Editing Binary Analysis and Editing  Analysis: processing of the binary code to extract syntactic and symbolic information. Symbol tables (if present) Decode (disassemble) instructions Control-flow information: basic blocks, loops, functions Data-flow information: from basic register information to highly sophisticated (and expensive) analyses.

5 – 5 –© 2006 Barton P. Miller Binary Code Analysis and Editing Binary Analysis and Editing  Binary rewriting: static (before execution) modification of a binary program: Analyze the program and then insert, remove, or change the binary code, producing a new binary.  Dynamic instrumentation: dynamic (during execution) modification of a binary program: Analyze the code of the running program and then insert, remove, or change the binary code, changing the execution of the program. Can operate on running programs and servers.

6 – 6 –© 2006 Barton P. Miller Binary Code Analysis and Editing Uses of Binary Analysis and Editing  Cyber-forensics Analysis: understand the nature of malicious code Binary-rewriting: produce a new version of the code that might be instrumented, sandboxed, or modified for study. Dynamic instrumentation: same features, but can do it interactively on an executing program. Hybrid static/dynamic: control execution and produce intermediate versions of the binary that can be re-executed (and further instrumented).  Program tracing: instructions, memory accesses, function calls, system calls,...  Debugging  Testing  Performance profiling  Performance modeling  Reverse engineering

7 – 7 –© 2006 Barton P. Miller Binary Code Analysis and Editing Our Starting Point: Dyninst  A machine-independent library for machine level code patching. Functions for binary code analysis Functions for binary code patching  Clean abstractions to encapsulate the tool complexity.  Originally designed as part of the Paradyn performance profiling tool, but now widely used in many areas, including cyber-security.

8 – 8 –© 2006 Barton P. Miller Binary Code Analysis and Editing Dynamic Instrumentation  Does not require recompiling or relinking Saves time: compile and link times are significant in real systems. Can instrument without the source code (e.g., proprietary libraries). Can instrument without linking (relinking is not always possible.  Instrument optimized code.

9 – 9 –© 2006 Barton P. Miller Binary Code Analysis and Editing Dynamic Instrumentation (con’d)  Only instrument what you need, when you need No hidden cost of latent instrumentation. Enables “one pass” tools.  Can instrument running programs (such as Web or database servers) Production systems. Embedded systems. Systems with complex start-up procedures.

10 – 10 –© 2006 Barton P. Miller Binary Code Analysis and Editing The Basic Mechanism Application Program Function foo Trampoline Instrumentation Relocated Instruction(s)

11 – 11 –© 2006 Barton P. Miller Binary Code Analysis and Editing The DynInst Interface  Machine independent representation  Write-once, analyze/instrument-many (portable)  Object-based interface to insert new code: Abstract Syntax Trees (AST’s)  Hides most of the complexity in the API Easy to build tools: e.g., an MPI tracer: 250 lines of C++ code.

12 – 12 –© 2006 Barton P. Miller Binary Code Analysis and Editing incl ctr sethi %hi(ctr) ld [...],%o1 add %o1,%o1,1 st %o1,[...] SPARC Code Machine Independent Code Abstract Syntax Trees: cau r3,r0,hi%ctr l r4,lo%ctr(r3) addi r4,1(r4) st r4,lo%ctr(r3) Power Code IA32 Code

13 – 13 –© 2006 Barton P. Miller Binary Code Analysis and Editing Basic DynInst Operations  Code query routines: Find control-flow elements: modules, procedures, loops, basic blocks, instructions –For functions, find entry, exit, call sites. –For loops, find entry, exit, body. Find data elements: variables and parameters Call graph (parent/child) queries Intra-procedural control-flow graph Other symbol table information, e.g., line numbers.

14 – 14 –© 2006 Barton P. Miller Binary Code Analysis and Editing Basic DynInst Operations  Code modification routines: Remove Function Call –Disable an existing function call in the application Replace Function Call –Redirect a function call to a new function Replace Function –Redirect all calls (current and future) to a function to a new function. Wrap Function –Allow the new function to call the replaced one (potentially with all its original parameters).

15 – 15 –© 2006 Barton P. Miller Binary Code Analysis and Editing Basic DynInst Operations  Process control: Attach/create process Monitor process status changes Callbacks for fork/exec/exit  Inferior (application processor) operations: Malloc/free –Allocate heap space in application process Inferior RPC –Asynchronously execute a function in the application. Load module –Cause a new.so/.dll to be loaded into the application.

16 – 16 –© 2006 Barton P. Miller Binary Code Analysis and Editing Basic DynInst Operations  Building AST code sequences: Control structures: if and goto Arithmetic and Boolean expressions Get PID/TID operations Read/write registers and global variables Read/write parameters and return value Function call

17 – 17 –© 2006 Barton P. Miller Binary Code Analysis and Editing Dyninst Automated Testing  A test suite of almost 100 operation-specific tests.  Runs each night on each platform on the nightly build.  Variations for different compilers, languages (C, C++, Fortran), stripped vs. non-stripped code, etc.  Results reported on the web (reachable from paradyn.org or dyninst.org home pages):

18 – 18 –© 2006 Barton P. Miller Binary Code Analysis and Editing BinInst Design Goals  Tool-kit component architecture for binary analysis and editing  Open source  Open data structure definitions  Machine-independent abstract interfaces  Batch-enabled analyses  Static and dynamic code patching  All major analysis products are exportable  Enhanced testability and accompanying test suites

19 – 19 –© 2006 Barton P. Miller Binary Code Analysis and Editing Raw Disassembly Symbol Table Dump Call Graph Intra-Proc CFG Binary Decode and Parsing Code Queries and Instrumentation Requests Binary Code AST Static Editing Scenario (Binary Rewriting) Instr Control Code Gen Idiom Signatures

20 – 20 –© 2006 Barton P. Miller Binary Code Analysis and Editing Raw Disassembly Symbol Table Dump Binary Decode and Parsing Binary Code Interactive Editing Scenario (Static or Dynamic) Instr Control Code Gen Call Graph Intra-Proc CFG Idiom Signatures

21 – 21 –© 2006 Barton P. Miller Binary Code Analysis and Editing Raw Disassembly Symbol Table Dump Binary Decode and Parsing Code Queries and Instrumentation Requests Binary Code AST Dynamic Editing Scenario (Dynamic Instrumentation) Instr Control Code Gen Process Control User Process Call Graph Intra-Proc CFG Idiom Signatures Stack Walker

22 – 22 –© 2006 Barton P. Miller Binary Code Analysis and Editing Raw Disassembly Symbol Table Dump Binary Decode and Parsing Binary Code Analysis Scenario Connector 2 Code Surfer VSA Buffer Overrun Other Tool Call Graph Intra-Proc CFG Idiom Signatures

23 – 23 –© 2006 Barton P. Miller Binary Code Analysis and Editing Binary Code Symbol Table Parser PE ELF COFF IA32 AMD64 Power Raw Disassembly Symbol Table Dump Code Parser Instruction Decoder Code Queries and Instrumentation Requests AST Instr Control Code Gen Process Control Call Graph Intra Proc CFG Idiom Signatures Stack Walker Idiom Detector

24 – 24 –© 2006 Barton P. Miller Binary Code Analysis and Editing


Download ppt "© 2006 Barton P. MillerFebruary 2006Binary Code Analysis and Editing A Framework for Binary Code Analysis, and Static and Dynamic Patching Barton P. Miller."

Similar presentations


Ads by Google