Presentation is loading. Please wait.

Presentation is loading. Please wait.

Paradyn Project Dyninst/MRNet Users’ Meeting Madison, Wisconsin August 7, 2014 The Evolution of Dyninst in Support of Cyber Security Emily Gember-Jacobson.

Published byHillary Burns Modified over 8 years ago

Similar presentations

Presentation on theme: "Paradyn Project Dyninst/MRNet Users’ Meeting Madison, Wisconsin August 7, 2014 The Evolution of Dyninst in Support of Cyber Security Emily Gember-Jacobson."— Presentation transcript:

1 Paradyn Project Dyninst/MRNet Users’ Meeting Madison, Wisconsin August 7, 2014 The Evolution of Dyninst in Support of Cyber Security Emily Gember-Jacobson

2 What’s interesting about the security context? Programs designed to evade analysts Precision matters (as always!) Security policies require new program modification capabilities 2 The Evolution of Dyninst in Support of Cyber Security Friendly binary Uncooperative binary Hostile binary

3 Dyninst on the “offense” What happens when programs are designed to evade analysts? Anti-analysis tricks Obfuscated control flow Unpacked code Overwritten code Anti-instrumentation tricks PC-sensitive code Anti-patching Address-space probing 3 The Evolution of Dyninst in Support of Cyber Security

4 Dyninst on the “defense” Another security goal: ensure that a program executes in the way intended by its authors Protecting programs (first- or third-party) may require capabilities that we have not needed in the past System call monitoring More fine-grained instrumentation More aggressive and fine-grained modification 4 The Evolution of Dyninst in Support of Cyber Security

5 How have we already adapated? More robust analysis and instrumentation Nate, Kevin, Drew, Bill Hybrid static + dynamic analysis Kevin Binary modification Drew, Bill, Wenbin New events in ProcControl Emily, Bill 5 The Evolution of Dyninst in Support of Cyber Security

6 Better parsing Challenges Not all binaries contain symbol and other debug info Code is hard to find ParseAPI helps to overcomes these challenges Recursive traversal parsing and gap parsing Leverage machine learning techniques for better function entry point identification 6 The Evolution of Dyninst in Support of Cyber Security

7 Hybrid static + dynamic analysis Challenges Self-modifying programs overwrite code at runtime Statically un-analyzable control flow hides code SD-Dyninst approach 7 The Evolution of Dyninst in Support of Cyber Security Parse from known entry points Instrument control flow that may lead to new code Resume execution overwriteinstrument CALL ptr[eax] exception DIV eax, 0

8 Sensitivity analysis and instrumentation Challenges Instrumentation augments the original code Instrumentation can affect program behavior and sometimes cause incorrect execution How Dyninst handles sensitivities Goal: preserve visible behavior Identify sensitive instructions Compensate for externally-sensitive instructions 8 The Evolution of Dyninst in Support of Cyber Security call printf push $(orig_ret_addr) jmp printf

9 Binary modification Goals Changes become part of the original CFG May alter behavior of the original code Should not cause unexpected side effects How Dyninst handles modification Structured binary editing Modify binaries by transforming their CFGs Ensure validity of the resulting binary PatchAPI Interactive CFG modification Mix modification and instrumentation 9 The Evolution of Dyninst in Support of Cyber Security

10 System call monitoring Goals Identify system call events during program execution Extract interesting information at these events How ProcControlAPI handles this (in v8.2) Leverage ptrace (Linux only) Differentiate between entry and exit events Similar interface as other ProcControl events 10 The Evolution of Dyninst in Support of Cyber Security

11 Where are we now? Ability to analyze packed malware Binary modification System call events 11 The Evolution of Dyninst in Support of Cyber Security

12 What we’re currently working on Ongoing updates to precise handling of program semantics Stack frame modification Extended first-party instrumentation 12 The Evolution of Dyninst in Support of Cyber Security

13 Stack frame modifications One use case: insertion of stack canaries 13 The Evolution of Dyninst in Support of Cyber Security … return address canary … return address local variables … originalmodified local variables …

14 Stack frame modifications Other possibilities Add stack-based local variables Reorder local variables for security or software diversification Remove unused variables ABI changes … 14 The Evolution of Dyninst in Support of Cyber Security

15 Stack frame sensitivity Program may be sensitive to these modifications 15 The Evolution of Dyninst in Support of Cyber Security push %rbp mov %rsp, %rbp … mov 0x10(%rbp),%rdx registers … return address original Assembly for bar … return address modified rdx rbp canary push canary value onto stack 0x18 sensitive  Stack frame for foo Stack frame for bar

16 Stack frame sensitivity An operation is sensitive if it accesses stack memory via a calculated relative distance that is changed. Our next steps: Formal model of stack frame sensitivity Update Dyninst with the analysis and compensation logic needed to handle this sensitivity during instrumentation 16 The Evolution of Dyninst in Support of Cyber Security

17 Complete deployment Extended first-party instrumentation 17 The Evolution of Dyninst in Support of Cyber Security complete executable dynamically- linked libraries executable file depends on libA.so libB.so executable file depends on libA.so libB.so dynamically- generated code dynamically- loaded libraries executable file libD.so JIT’d code libA.so libB.so dynamically- linked libraries libA.so libB.so source code names of dynamically- linked libraries

18 Complete deployment Extended first-party instrumentation Our next steps Enable Dyninst to instrument shared libraries as they load during program startup and via dlopen Enable Dyninst to detect dynamically-generated code (e.g., JIT’d code) during program execution 18 The Evolution of Dyninst in Support of Cyber Security

19 Conclusion Extending Dyninst to support security projects enhances Dyninst features for all users Upcoming new features Stack frame modifications Extended first-party instrumentation Questions? 19 The Evolution of Dyninst in Support of Cyber Security

Download ppt "Paradyn Project Dyninst/MRNet Users’ Meeting Madison, Wisconsin August 7, 2014 The Evolution of Dyninst in Support of Cyber Security Emily Gember-Jacobson."

Similar presentations

Integrity & Malware Dan Fleck CS469 Security Engineering Some of the slides are modified with permission from Quan Jia. Coming up: Integrity – Who Cares?

Integrity & Malware Dan Fleck CS469 Security Engineering Some of the slides are modified with permission from Quan Jia. Coming up: Integrity – Who Cares?
Secure In-VM Monitoring Using Hardware Virtualization Monirul Sharif, Wenke Lee, Weidong Cui, and Andrea Lanzi Presented by Tyler Bletsch.

Secure In-VM Monitoring Using Hardware Virtualization Monirul Sharif, Wenke Lee, Weidong Cui, and Andrea Lanzi Presented by Tyler Bletsch.
SYSTEM PROGRAMMING & SYSTEM ADMINISTRATION

SYSTEM PROGRAMMING & SYSTEM ADMINISTRATION
Operating System Security : David Phillips A Study of Windows Rootkits.

Operating System Security : David Phillips A Study of Windows Rootkits.
The Functions and Purposes of Translators Code Generation (Intermediate Code, Optimisation, Final Code), Linkers & Loaders.

The Functions and Purposes of Translators Code Generation (Intermediate Code, Optimisation, Final Code), Linkers & Loaders.
Dec 5, 2007University of Virginia1 Efficient Dynamic Tainting using Multiple Cores Yan Huang University of Virginia Dec. 5 2007.

Dec 5, 2007University of Virginia1 Efficient Dynamic Tainting using Multiple Cores Yan Huang University of Virginia Dec
RIVERSIDE RESEARCH INSTITUTE Helikaon Linux Debugger: A Stealthy Custom Debugger For Linux Jason Raber, Team Lead - Reverse Engineer.

RIVERSIDE RESEARCH INSTITUTE Helikaon Linux Debugger: A Stealthy Custom Debugger For Linux Jason Raber, Team Lead - Reverse Engineer.
Binghamton University CS-220 Spring 2015 Binghamton University CS-220 Spring 2015 Object Code.

Binghamton University CS-220 Spring 2015 Binghamton University CS-220 Spring 2015 Object Code.
Paradyn Project Paradyn / Dyninst Week Madison, Wisconsin May 2-4, 2011 ProcControlAPI and StackwalkerAPI Integration into Dyninst Todd Frederick and Dan.

Paradyn Project Paradyn / Dyninst Week Madison, Wisconsin May 2-4, 2011 ProcControlAPI and StackwalkerAPI Integration into Dyninst Todd Frederick and Dan.
Paradyn Project Paradyn / Dyninst Week College Park, Maryland March 26-28, 2012 Paradyn Project Upcoming Features in Dyninst and its Components Bill Williams.

Paradyn Project Paradyn / Dyninst Week College Park, Maryland March 26-28, 2012 Paradyn Project Upcoming Features in Dyninst and its Components Bill Williams.
Paradyn Project Paradyn / Dyninst Week College Park, Maryland March 26-28, 2012 Self-propelled Instrumentation Wenbin Fang.

Paradyn Project Paradyn / Dyninst Week College Park, Maryland March 26-28, 2012 Self-propelled Instrumentation Wenbin Fang.
Paradyn Project Paradyn / Dyninst Week Madison, Wisconsin May 2-3, 2011 Introduction to the PatchAPI Wenbin Fang, Drew Bernat.

Paradyn Project Paradyn / Dyninst Week Madison, Wisconsin May 2-3, 2011 Introduction to the PatchAPI Wenbin Fang, Drew Bernat.
Assembly Code Verification Using Model Checking Hao XIAO Singapore University of Technology and Design.

Assembly Code Verification Using Model Checking Hao XIAO Singapore University of Technology and Design.
1 Detection of Injected, Dynamically Generated, and Obfuscated Malicious Code (DOME) Subha Ramanathan & Arun Krishnamurthy Nov 15, 2005.

1 Detection of Injected, Dynamically Generated, and Obfuscated Malicious Code (DOME) Subha Ramanathan & Arun Krishnamurthy Nov 15, 2005.
© 2006 Barton P. MillerFebruary 2006Binary Code Analysis and Editing A Framework for Binary Code Analysis, and Static and Dynamic Patching Barton P. Miller.

© 2006 Barton P. MillerFebruary 2006Binary Code Analysis and Editing A Framework for Binary Code Analysis, and Static and Dynamic Patching Barton P. Miller.
Breno de MedeirosFlorida State University Fall 2005 Buffer overflow and stack smashing attacks Principles of application software security.

Breno de MedeirosFlorida State University Fall 2005 Buffer overflow and stack smashing attacks Principles of application software security.
G22.3250-001 Robert Grimm New York University Lightweight RPC.

G Robert Grimm New York University Lightweight RPC.
1 Lecture 5: Procedures Assembly Language for Intel-Based Computers, 4th edition Kip R. Irvine.

1 Lecture 5: Procedures Assembly Language for Intel-Based Computers, 4th edition Kip R. Irvine.
Microprocessors Frame Pointers and the use of the –fomit-frame-pointer switch Feb 25th, 2002.

Microprocessors Frame Pointers and the use of the –fomit-frame-pointer switch Feb 25th, 2002.
Compiled by Benjamin Muganzi 3.2 Functions and Purposes of Translators Computing 9691 Paper 3 1.

Compiled by Benjamin Muganzi 3.2 Functions and Purposes of Translators Computing 9691 Paper 3 1.

Similar presentations

Ads by Google