Presentation is loading. Please wait.

Presentation is loading. Please wait.

Paradyn Project Paradyn / Dyninst Week Madison, Wisconsin April 12-14, 2010 Paradyn Project Safe and Efficient Instrumentation Andrew Bernat.

Published byRuby Barnett Modified over 8 years ago

Similar presentations

Presentation on theme: "Paradyn Project Paradyn / Dyninst Week Madison, Wisconsin April 12-14, 2010 Paradyn Project Safe and Efficient Instrumentation Andrew Bernat."— Presentation transcript:

1 Paradyn Project Paradyn / Dyninst Week Madison, Wisconsin April 12-14, 2010 Paradyn Project Safe and Efficient Instrumentation Andrew Bernat

2 Binary Instrumentation 2 Safe and Efficient Instrumentation Instrumentation modifies the original code Moves original code Allocates new memory Overwrites original code This affects the behavior of: Moved code Code that references moved code Code that references changed memory And can cause incorrect execution

3 Sensitivity Models A program is sensitive to a particular modification if that modification changes the program’s behavior Current binary instrumenters rely on fixed sensitivity models And may fail to preserve behavior Compensating for sensitivity imposes overhead 3 Safe and Efficient Instrumentation push $(ret_addr) jmp printf call printf ret pop %eax call compensate_ret_addr jmp %eax

4 Safe and Efficient Approach Safe and Efficient Approach Efficiency vs Sensitivity 4 Safe and Efficient Instrumentation Sensitivity Malware Optimized Code Conventional Code Efficiency Pin, Valgrind, … Dyninst Safe and Efficient Approach

5 How do we do this? Formalization of code relocation Visible behavior Instruction sensitivity External sensitivity Implementation in Dyninst Analysis phase Transformation phase Analysis and performance results 5 Safe and Efficient Instrumentation

6 Three Questions What program behavior do we wish to preserve? How does modification affect instructions? How do instructions change program behavior? 6 Safe and Efficient Instrumentation

7 Approach Preserve visible behavior Relationship of input to output Identify sensitive instructions Those whose behavior is changed Only compensate for externally sensitive instructions Those whose sensitivity affects visible behavior 7 Safe and Efficient Instrumentation

8 Original Binary Instrumented Binary Visible Behavior Intuition: we can change anything that does not affect the output of the program 8 Safe and Efficient Instrumentation XYX + AY + B Instrumentation Input Instrumentation Output

9 Sensitivity What does instrumentation change? Addresses of instructions Contents of memory Shape of the address space Directly affected instructions: Access the PC (and are moved) Read modified memory Test allocated memory 9 Safe and Efficient Instrumentation

10 Sensitivity Examples 10 Safe and Efficient Instrumentation main: push %ebp mov %esp, %ebp … call worker … leave ret worker: push %ebp mov %esp, %ebp … ret jumptable: push %ebp mov %esp, %ebp call get_pc_thunk add $(offset), %ebx mov (%ebx, %eax, 4), %ecx jmp *%ecx get_pc_thunk: mov (%esp), %ebx ret Call/Return Pair:Jumptable: protect: call initialize … initialize: pop %esi mov $(unpack_base), %edi mov $0x0, %ebx loop_top: mov (%esi, %ebx, 4), %eax call unpack mov %eax, (%edi, %ebx, 4) inc %ebx cmp %ebx, $0x42 jnz loop_top jmp $(unpacked_base) Self-Unpacking Code (Simplified):

11 Sensitivity Is Not Enough An instruction is externally sensitive if it causes a visible change in behavior Approximation: or changes control flow This requires: The sensitive instruction must produce different values These differences must reach an instruction that affects output (or control flow) … and change its behavior 11 Safe and Efficient Instrumentation

12 Program Modification 12 Safe and Efficient Instrumentation Analysis Compensation Code Original Binary Modified Binary Original Code Relocated Code

13 Analysis Phase Identify sensitive instructions InstructionAPI: used and defined sets Determine affected instructions DepGraphAPI: forward slice Analyze effects of modification SymEval: symbolic expansion of the slice 13 Safe and Efficient Instrumentation

14 Analysis Example: Call/Return Pair 14 Safe and Efficient Instrumentation main: push %ebp mov %esp, %ebp … call worker … leave ret worker: push %ebp mov %esp, %ebp … ret Call/Return Pair: Sensitivity: call (moved, uses PC) Slice: call ret Symbolic Expansion: call: ret:

15 Analysis Example: Jumptable 15 Safe and Efficient Instrumentation Sensitivity: call (moved, uses PC) Slice: call mov (%esp), %ebx Symbolic Expansion: call: mov: add: mov: jmp: jumptable: push %ebp mov %esp, %ebp call get_pc_thunk add $(offset), %ebx mov (%ebx, %eax, 4), %ecx jmp *%ecx get_pc_thunk: mov (%esp), %ebx ret Jumptable: add $(offset), %ebx mov (%ebx, %eax, 4), %ecx jmp *%ecx

16 Analysis Example: Unpacking Code 16 Safe and Efficient Instrumentation Sensitivity: call (moved, uses PC) Slice: call initialize pop %esi mov (%esi, %ebx, 4), %eax call unpack … Symbolic Expansion: call: pop: mov: protect: call initialize … initialize: pop %esi mov $(unpack_base), %edi mov $0x0, %ebx loop_top: mov (%esi, %ebx, 4), %eax call unpack mov %eax, (%edi, %ebx, 4) inc %ebx cmp %ebx, $0x42 jnz loop_top jmp $(unpacked_base) Self-Unpacking Code (Simplified)

17 Compensation Phase Generates the relocated code Current instrumenter approach: Treat each instruction individually May miss optimization opportunities New approach: group transformation Derived from Dyninst heuristics 17 Safe and Efficient Instrumentation

18 Instruction Transformation Emulate each externally sensitive instruction Replace some instructions (e.g., calls) with sequences Some sequences impose high overhead E.g., run-time compensation 18 Safe and Efficient Instrumentation pop %eax call compensate_ret_addr jmp %eax ret call printf push $(orig_ret_addr) jmp printf

19 Group Transformation Emulate the behavior of a group of instructions Motivating example: compiler thunk functions Open questions: Which instructions are included in the group? How is the replacement sequence determined? Current status: hand-crafted templates 19 Safe and Efficient Instrumentation mov (%esp), %ebx ret call ebx_thunk mov $(ret_addr), %ebx

20 Transformation: Call/Return Pair 20 Safe and Efficient Instrumentation main: push %ebp mov %esp, %ebp … call worker … leave ret worker: push %ebp mov %esp, %ebp … ret Original Code main: push %ebp mov %esp, %ebp … call worker … leave ret worker: push %ebp mov %esp, %ebp … ret Relocated Code

21 Transformation: Jumptable 21 Safe and Efficient Instrumentation Original CodeRelocated Code jumptable: push %ebp mov %esp, %ebp call get_pc_thunk add $(offset), %ebx mov (%ebx, %eax, 4), %ecx jmp *%ecx get_pc_thunk: mov (%esp), %ebx ret jumptable: push %ebp mov %esp, %ebp mov $(ret_addr), %ebx add $(offset), %ebx mov (%ebx, %eax, 4), %ecx jmp *%ecx

22 Transformation: Unpacking Code 22 Safe and Efficient Instrumentation Relocated Code protect: call initialize … initialize: pop %esi mov $(unpack_base), %edi mov $0x0, %ebx loop_top: mov (%esi, %ebx, 4), %eax call unpack mov %eax, (%edi, %ebx, 4) inc %ebx cmp %ebx, $0x42 jnz loop_top jmp $(unpacked_base) Original Code protect: jmp initialize … initialize: mov $(ret_addr), %esi mov $(unpack_base), %edi mov $0x0, %ebx loop_top: mov (%esi, %ebx, 4), %eax call unpack mov %eax, (%edi, %ebx, 4) inc %ebx cmp %ebx, $0x42 jnz loop_top jmp $(unpacked_base)

23 Results Type of Binary% PC Sensitive% Externally Sensitive % Unanalyzable Executable (a.out)9.0%0.01%0.59% Library (.so)7.9%0.55%0.72% 23 Safe and Efficient Instrumentation Percentage of PC-Sensitive Instructions (32-bit, GCC, static analysis) Instrumentation Overhead (go, 32-bit, 12.3s base time) Current Dyninst: 23.4s (90.2%) Safe and Efficient Algorithm: 16.3s (32.5%)

24 Future Work Memory sensitivity and compensation Improved pointer analysis Useful user intervention? Investigate group transformations Widen range of input binaries Expand supported platforms 24 Safe and Efficient Instrumentation

25 Questions? 25 Safe and Efficient Instrumentation

26 ASProtect code loop 26 Safe and Efficient Instrumentation 8049756: call 8049761 8049761: mov EDX, ECX 8049763: pop EDI 8049764: push EAX 8049765: pop ESI 8049766: add EDI, 2183 804976c: mov ESI, EDI 804976e: push 0 8049773: jz 804977c 8049779: adc DH, 229 804977c: pop EBX 804977d: mov EAX, 2015212641 8049782: mov ECX, EBX(EDI) 8049785: jmp 804979c 804979c: add ECX, 1586986316 80497a2: xor ESI, 314333756 80497a8: xor ECX, 594915733 80497ae: jmp 80497c3 80497c3: sub ECX, 594948778 80497c9: sub ESI, 64260 80497ce: push ECX, ESP 80497cf: mov EAX, 884377321 80497d4: pop EBX(EDI) 80497d7: jmp 80497ed 80497ed: adc AL, 100 80497f0: sub EBX, 1595026050 80497f6: xor EAX, 34778 80497fb: add EBX, 1595026046 8049801: call 804980c 804980c: mov AX, 2783 8049810: pop ESI 8049811: cmp EBX, 4294965344 8049817: jnz 8049834 804981d: or ESI, 839181910 8049823: jmp 8049847 8049834: mov ESI, 1287570375 8049839: jmp 8049782

27 Emulation Examples 27 Safe and Efficient Instrumentation add %eax, %ebx jnz 0xf3e call fprintf mov (%esi, %ebx, 4), %eax jnz 0xe498d3 add %eax, %ebx push $804391 jmp fprintf lea (%esi, %ebx, 4), %eax call mem_addr_translate mov (%eax), %eax ret pop %eax call addr_translate jmp %eax

Download ppt "Paradyn Project Paradyn / Dyninst Week Madison, Wisconsin April 12-14, 2010 Paradyn Project Safe and Efficient Instrumentation Andrew Bernat."

Similar presentations

Practical Malware Analysis

Practical Malware Analysis
A Binary Agent Technology for COTS Software Integrity Richard Schooler Anant Agarwal InCert Software.

A Binary Agent Technology for COTS Software Integrity Richard Schooler Anant Agarwal InCert Software.
ByteWeight: Learning to Recognize Functions in Binary Code

ByteWeight: Learning to Recognize Functions in Binary Code
Copyright © 2000, Daniel W. Lewis. All Rights Reserved. CHAPTER 5 MIXING C AND ASSEMBLY.

Copyright © 2000, Daniel W. Lewis. All Rights Reserved. CHAPTER 5 MIXING C AND ASSEMBLY.
Assembly Language for x86 Processors 6th Edition Chapter 5: Procedures (c) Pearson Education, 2010. All rights reserved. You may modify and copy this slide.

Assembly Language for x86 Processors 6th Edition Chapter 5: Procedures (c) Pearson Education, All rights reserved. You may modify and copy this slide.
Smita Thaker 1 Polymorphic & Metamorphic Viruses Presented By : Smita Thaker Dated : Nov 18, 2003.

Smita Thaker 1 Polymorphic & Metamorphic Viruses Presented By : Smita Thaker Dated : Nov 18, 2003.
COMP 2003: Assembly Language and Digital Logic

COMP 2003: Assembly Language and Digital Logic
15-213 Recitation 8 – 3/25/02 Outline Dynamic Linking Review prior test questions 213 Course Staff Office Hours: See Posting.

Recitation 8 – 3/25/02 Outline Dynamic Linking Review prior test questions 213 Course Staff Office Hours: See Posting.
Dec 5, 2007University of Virginia1 Efficient Dynamic Tainting using Multiple Cores Yan Huang University of Virginia Dec. 5 2007.

Dec 5, 2007University of Virginia1 Efficient Dynamic Tainting using Multiple Cores Yan Huang University of Virginia Dec
C Programming and Assembly Language Janakiraman V – NITK Surathkal 2 nd August 2014.

C Programming and Assembly Language Janakiraman V – NITK Surathkal 2 nd August 2014.
TaintCheck and LockSet LBA Reading Group Presentation by Shimin Chen.

TaintCheck and LockSet LBA Reading Group Presentation by Shimin Chen.
Assembly Language for Intel-Based Computers Chapter 5: Procedures Kip R. Irvine.

Assembly Language for Intel-Based Computers Chapter 5: Procedures Kip R. Irvine.
PC hardware and x86 3/3/08 Frans Kaashoek MIT

PC hardware and x86 3/3/08 Frans Kaashoek MIT
1 Lecture 5: Procedures Assembly Language for Intel-Based Computers, 4th edition Kip R. Irvine.

1 Lecture 5: Procedures Assembly Language for Intel-Based Computers, 4th edition Kip R. Irvine.
Practical Session 3. The Stack The stack is an area in memory that its purpose is to provide a space for temporary storage of addresses and data items.

Practical Session 3. The Stack The stack is an area in memory that its purpose is to provide a space for temporary storage of addresses and data items.
Accessing parameters from the stack and calling functions.

Accessing parameters from the stack and calling functions.
Practical Session 3. The Stack The stack is an area in memory that its purpose is to provide a space for temporary storage of addresses and data items.

Practical Session 3. The Stack The stack is an area in memory that its purpose is to provide a space for temporary storage of addresses and data items.
1 Homework Reading –PAL, pp 201-216, 297-312 Machine Projects –Finish mp2warmup Questions? –Start mp2 as soon as possible Labs –Continue labs with your.

1 Homework Reading –PAL, pp , Machine Projects –Finish mp2warmup Questions? –Start mp2 as soon as possible Labs –Continue labs with your.
Position Independent Code self sufficiency of combining program.

Position Independent Code self sufficiency of combining program.
Web siteWeb site ExamplesExamples Irvine, Kip R. Assembly Language for Intel-Based Computers, 2003. 1 Defining and Using Procedures Creating Procedures.

Web siteWeb site ExamplesExamples Irvine, Kip R. Assembly Language for Intel-Based Computers, Defining and Using Procedures Creating Procedures.

Similar presentations

Ads by Google