Presentation transcript: The Deconstruction of Dyninst (Binary parsing)

1 Intermission

2 Binary parsing: The Deconstruction of Dyninst
[figure: call graph with the functions _lock_foo, main and foo]
Users of binary parsing: dynamic instrumentation, debugger, static binary analysis tools, malware analysis, binary editor/rewriter, …

3 Familiar territory
Benjamin Schwarz, Saumya Debray, and Gregory R. Andrews. Disassembly of executable code revisited. 2002.
Cristina Cifuentes and K. John Gough. Decompilation of binary programs. 1995.
Richard L. Sites, Anton Chernoff, Matthew B. Kirk, Maurice P. Marks, and Scott G. Robinson. Binary translation. 1993.
Henrik Theiling. Extracting safe and precise control flow from binaries. 2000.
Ramkumar Chinchani and Eric van den Berg. A fast static analysis approach to detect exploit code inside network flows. 2005.
J. Troger and C. Cifuentes. Analysis of virtual method invocation for binary translation. 2002.
Laune C. Harris and Barton P. Miller. Practical analysis of stripped binary code. 2005.
Christopher Kruegel, William Robertson, Fredrik Valeur, and Giovanni Vigna. Static disassembly of obfuscated binaries. 2004.
Nathan Rosenblum, Xiaojin Zhu, Barton P. Miller, and Karen Hunt. Learning to analyze binary computer code. 2008.
Amitabh Srivastava and Alan Eustace. ATOM: a system for building customized program analysis tools. 1994.
Barton Miller, Jeffrey Hollingsworth, and Mark Callaghan. Dynamic Program Instrumentation for Scalable Performance Tools. 1994.

4 We’ve been down this road…
The DYNINST binary parser builds on three lines of earlier work:
- recursive traversal parsing: non-contiguous functions, code sharing, non-returning functions
- “gap” parsing heuristics: preamble scanning, handles stripped binaries
- probabilistic code models: learn to recognize function entry points, very accurate gap parsing

5 What makes a parsing component?
[figure: raw bits of a binary flowing into the parser]
1. Binary code source abstraction
2. Parsing API: a simple, intuitive representation (functions, blocks, edges)
3. InstructionAPI and SymtabAPI: platform independence supported by previous Dyninst components

6 Flexible code sources
A binary code object is handed to the Parser. Code source requirements:
- code location: which ranges are code and which are data
- access to code bytes: unsigned char *buf (41 56 49 89 fe 41 55 …)
- function hints & names (e.g. main, foo, bar, baz)
- a few (optional) facts: pointer width, external linkage (PLT)

7 Code source contract
Nine mandatory methods:
    bool     isValidAddress
    bool     isExecutableAddress
    void *   getPtrToInstruction
    void *   getPtrToData
    unsigned getAddressWidth
    bool     isCode
    bool     isData
    Address  codeOffset
    Address  codeLength
The SymtabAPI implementation fits in 232 lines (including the optional hints and function names). Any binary code object that can be memory mapped can be parsed.
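As an added example (not the slide's or Dyninst's code), a code source that satisfies the nine-method contract above over an in-memory copy of a binary; the class name BufferCodeSource and the method signatures are assumed, only the method names come from the slide. The point it adds is that getPtrToInstruction and getPtrToData hand out pointers only for addresses inside the mapped object, so an address taken from untrusted input cannot lead the parser outside the buffer.

```cpp
#include <cstdint>
#include <utility>
#include <vector>
typedef uint64_t Address;

// Hypothetical code source over an already memory-mapped object (here a std::vector),
// exposing the nine methods named on slide 7. Method names follow the slide; the
// signatures and the class name are assumed.
class BufferCodeSource {
  std::vector<unsigned char> bytes_;  // the mapped object
  Address base_;                      // address at which bytes_[0] is mapped
  Address codeOff_, codeLen_;         // the executable range inside the object
  unsigned width_;                    // pointer width in bytes
public:
  BufferCodeSource(std::vector<unsigned char> b, Address base,
                   Address codeOff, Address codeLen, unsigned width)
    : bytes_(std::move(b)), base_(base), codeOff_(codeOff), codeLen_(codeLen), width_(width) {}
  bool isValidAddress(Address a) const { return a >= base_ && a - base_ < bytes_.size(); }
  bool isCode(Address a) const { return a >= codeOff_ && a - codeOff_ < codeLen_; }
  bool isData(Address a) const { return isValidAddress(a) && !isCode(a); }
  bool isExecutableAddress(Address a) const { return isValidAddress(a) && isCode(a); }
  unsigned getAddressWidth() const { return width_; }
  Address codeOffset() const { return codeOff_; }
  Address codeLength() const { return codeLen_; }
  // Pointers are handed out only for addresses inside the mapped object, so a branch
  // target forged in the input cannot make the parser read outside the buffer.
  void *getPtrToInstruction(Address a) { return isExecutableAddress(a) ? &bytes_[a - base_] : nullptr; }
  void *getPtrToData(Address a) { return isValidAddress(a) ? &bytes_[a - base_] : nullptr; }
};

// Constructed sample: slide 6's bytes 41 56 49 89 fe 41 55 (x86-64 push r14; mov r14, rdi;
// push r13) mapped as code at 0x1000, followed by four made-up data bytes.
BufferCodeSource sampleSource() {
  std::vector<unsigned char> obj = {0x41, 0x56, 0x49, 0x89, 0xfe, 0x41, 0x55, 0xde, 0xad, 0xbe, 0xef};
  return BufferCodeSource(obj, 0x1000, 0x1000, 7, 8);
}
// First byte of the instruction at `a`, or -1 when the code source rejects the address.
int opcodeAt(Address a) {
  BufferCodeSource cs = sampleSource();
  unsigned char *p = static_cast<unsigned char *>(cs.getPtrToInstruction(a));
  return p ? *p : -1;
}
```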

8 Simple control flow interface
Functions: start addr., extents; contain Blocks
Blocks: start addr., end addr., in edges, out edges; joined by Edges
Edges: src, targ, type

9 Views of control flow
Walking a control flow graph (the worklist is seeded with the starting block):

    while(!work.empty()) {
        Block *b = work.pop();
        /* do something with b */
        edgeiter eit = b->out().begin();
        while(eit != b->out().end()) {
            work.push(*eit++);   // every out edge is followed, calls included
        }
    }

What if we only want intraprocedural edges?

10 Edge predicates
Walking a control flow graph with an edge predicate:

    while(!work.empty()) {
        Block *b = work.pop();
        /* do something with b */
        IntraProc pred;
        edgeiter eit = b->out().begin(&pred);   // the iterator consults pred for each edge
        while(eit != b->out().end()) {
            work.push(*eit++);
        }
    }

Edge predicates tell the iterator whether the Edge argument should be returned. They are composable (and, or). Examples:
- intraprocedural
- single function context
- direct branches only
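As an added example covering slides 9 and 10 (not the slide's or Dyninst's code), the same worklist walk written over a minimal block/edge model with composable edge predicates; Block, Edge, EdgeType, IntraProc, DirectOnly and And are hypothetical stand-ins for the ParseAPI types, and the five-block CFG is constructed for the example. It also adds the visited set that the slide's loop omits, without which the back edge in the sample makes the walk loop forever.

```cpp
#include <cstddef>
#include <cstdint>
#include <functional>
#include <set>
#include <stack>
#include <vector>
typedef uint64_t Address;
enum EdgeType { DIRECT, INDIRECT, CALL, FALLTHROUGH };
struct Block;
struct Edge  { Block *src; Block *targ; EdgeType type; bool interproc; };
struct Block { Address start, end; std::vector<Edge*> in, out; };
// An edge predicate tells the iterator whether an edge is followed; callables compose (And).
typedef std::function<bool(const Edge*)> EdgePredicate;
EdgePredicate IntraProc()  { return [](const Edge *e) { return !e->interproc; }; }
EdgePredicate DirectOnly() { return [](const Edge *e) { return e->type != INDIRECT; }; }
EdgePredicate And(EdgePredicate a, EdgePredicate b) {
  return [a, b](const Edge *e) { return a(e) && b(e); };
}
// Worklist walk from `entry`, pushing only the out-edge targets the predicate accepts;
// the visited set terminates the walk on back edges, which the slide's loop omits.
std::vector<Address> walk(Block *entry, const EdgePredicate &pred) {
  std::vector<Address> order;
  std::set<Block*> seen{entry};
  std::stack<Block*> work; work.push(entry);
  while (!work.empty()) {
    Block *b = work.top(); work.pop();
    order.push_back(b->start);                          /* do something with b */
    for (Edge *e : b->out)
      if (pred(e) && seen.insert(e->targ).second) work.push(e->targ);
  }
  return order;
}
// Constructed sample CFG (addresses made up): main is A,B,C,D; foo is a callee of A.
struct SampleCfg {
  Block A{0x1000, 0x1008}, B{0x1008, 0x1010}, C{0x1010, 0x1018}, D{0x1018, 0x1020},
        foo{0x2000, 0x2010};
  Edge e[5];
  SampleCfg() {
    link(e[0], A, foo, CALL, true);        // interprocedural: call foo
    link(e[1], A, B, FALLTHROUGH, false);  // execution continues in B after the call
    link(e[2], B, C, DIRECT, false);       // conditional branch taken
    link(e[3], B, D, INDIRECT, false);     // indirect jump through a register
    link(e[4], C, A, DIRECT, false);       // back edge: a loop inside main
  }
  static void link(Edge &e, Block &s, Block &t, EdgeType ty, bool ip) {
    e = Edge{&s, &t, ty, ip}; s.out.push_back(&e); t.in.push_back(&e);
  }
};
// Number of blocks reached from main's entry under each predicate.
std::size_t reachAll()             { SampleCfg g; return walk(&g.A, [](const Edge*) { return true; }).size(); }
std::size_t reachIntraProc()       { SampleCfg g; return walk(&g.A, IntraProc()).size(); }
std::size_t reachIntraProcDirect() { SampleCfg g; return walk(&g.A, And(IntraProc(), DirectOnly())).size(); }
```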

11 Extensible CFG objects
ParseAPI Function: simple, only needs to represent the control flow graph.
Dyninst image_func (derived from Function): complex, handles instrumentation, liveness, relocation, etc.
Special callback points during parsing: parsing pauses at e.g. unresBranchNotify(insn), the derived class does its own work, and parsing resumes.
Factory interface for CFG objects: the parser asks a custom factory's mkfunc() for each new (Function*), which can be an image_func.

12 What’s in the box? (* box to be released soon)
Binary Parser:
- recursive descent parsing
- speculative gap parsing
- cross platform: x86, x86-64, PPC, IA64, SPARC
Control Flow Graph Representation:
- graph interface
- extensible objects for easy tool integration
- exports Dyninst InstructionAPI interface
SymtabAPI-based Code Source:
- cross-platform
- supports ELF, PE, XCOFF formats

13 Status
conception → code refactoring → interface design → Dyninst re-integration (major test case)
Other major test case: compiler provenance (come tomorrow!)

