Presentation is loading. Please wait.

Presentation is loading. Please wait.

Emily Jacobson and Nathan Rosenblum

Published byΝύξ Αναγνωστάκης Modified over 5 years ago

Similar presentations

Presentation on theme: "Emily Jacobson and Nathan Rosenblum"— Presentation transcript:

1 Emily Jacobson and Nathan Rosenblum
unstrip: Restoring Function Information to Stripped Binaries Using Dyninst Emily Jacobson and Nathan Rosenblum

2 Binary Tools Need Symbol Tables
Debugging Tools GDB, IDA Pro… Instrumentation Tools PIN, Dyninst,… Static Analysis Tools CodeSurfer/x86,… Security Analysis Tools IDA Pro,… unstrip: Restoring Function Information to Stripped Binaries

3 unstrip: Restoring Function Information to Stripped Binaries
unstrip = stripped parsing + binary rewriting push %ebp mov %esp,%ebp sub %0x8,%esp mov 0x8(%ebp),%eax add $0xfffffff8,%esp push %eax call 80c3bd0 call mov %ebp,%esp pop %ebp <targ8056f50>: push %ebp mov %esp,%ebp sub %0x8,%esp mov 0x8(%ebp),%eax add $0xfffffff8,%esp push %eax call <targ80c3bd0> call <targ > mov %ebp,%esp pop %ebp unstrip unstrip: Restoring Function Information to Stripped Binaries

4 New Semantic Information
Important semantic information: program’s interaction with the operating system (system calls) These calls are encapsulated in wrapper functions Library fingerprinting: identify functions based on patterns learned from exemplar libraries unstrip: Restoring Function Information to Stripped Binaries

5 unstrip: Restoring Function Information to Stripped Binaries
unstrip = stripped parsing + library fingerprinting + binary rewriting push %ebp mov %esp,%ebp sub %0x8,%esp mov 0x8(%ebp),%eax add $0xfffffff8,%esp push %eax call 80c3bd0 call mov %ebp,%esp pop %ebp <targ8056f50>: push %ebp mov %esp,%ebp sub %0x8,%esp mov 0x8(%ebp),%eax add $0xfffffff8,%esp push %eax call <targ80c3bd0> call <targ > mov %ebp,%esp pop %ebp unstrip call <getpid> call <kill> unstrip: Restoring Function Information to Stripped Binaries

6 Set up system call arguments
<accept>: mov %ebx, %edx mov %0x66,%eax mov $0x5,%ebx lea 0x4(%esp),%ecx int $0x80 mov %edx, %ebx cmp %0xffffff83,%eax jae ret mov %esi,%esi mov %0x66,%eax mov $0x5,%ebx lea 0x4(%esp),%ecx Set up system call arguments int $0x80 Invoke a system call mov %edx, %ebx cmp %0xffffff83,%eax jae ret Error check and return

7 The same function can be realized in a variety of ways in the binary
<accept>: mov %ebx,%edx cmpl $0x0,%gs:0xc mov $0x66,%eax jne 80f669c mov %ebx, %edx lea 0x8(%esp),%ecx mov %0x66,%eax mov $0x5,%ebx lea 0x4(%esp),%ecx xchg %eax,%esi int $0x80 call libc_disable_acynancel mov %edx, %ebx cmp %0xffffff83,%eax mov %esi,%eax jae pop %esi ret cmp $0xffffff83,%eax push %esi jae syscall_error call libc_enable_asyncancel mov %eax,%esi <accept>: mov %ebx, %edx mov %0x66,%eax mov $0x5,%ebx lea 0x4(%esp),%ecx int $0x80 mov %edx, %ebx cmp %0xffffff83,%eax jae ret mov %esi,%esi glibc 2.5 on RHEL with GCC 4.1.2 glibc on RHEL <accept>: mov %ebx,%edx cmpl $0x0,%gs:0xc mov $0x66,%eax jne 80f669c mov %ebx, %edx lea 0x8(%esp),%ecx mov %0x66,%eax call *0x mov $0x5,%ebx lea 0x4(%esp),%ecx xchg %eax,%esi call *0x814e93c call libc_disable_acynancel mov %edx, %ebx cmp %0xffffff83,%eax mov %esi,%eax jae pop %esi ret cmp $0xffffff83,%eax push %esi jae syscall_error call libc_enable_asyncancel mov %eax,%esi The same function can be realized in a variety of ways in the binary glibc 2.5 on RHEL with GCC 3.4.4

8 Semantic Descriptors Instead, we’ll take a semantic approach
Record information that is likely to be invariant across multiple versions of the function <accept>: mov %ebx, %edx mov %0x66,%eax mov $0x5,%ebx lea 0x4(%esp),%ecx int $0x80 mov %edx, %ebx cmp %0xffffff83,%eax jae ret mov %esi,%esi mov %0x66,%eax mov $0x5,%ebx {<socketcall >} int $0x80 , 5 unstrip: Restoring Function Information to Stripped Binaries

9 Building Semantic Descriptors
reboot: push %ebp mov %esp,%ebp sub $0x10,%esp push %edi push %ebx mov 0x8(%ebp),%edx mov $0xfee1dead,%edi mov $0x ,%ecx mov %edi,%ebx mov $0x58,%eax int $0x80 0xfee1dead binary 0x58 %edi 0x EAX EAX EBX ECX SYSTEM CALL {<reboot, 0xfee1dead, 0x >} We parse an input binary, locate system calls and wrapper function calls, and employ dataflow analysis. unstrip: Restoring Function Information to Stripped Binaries

10 Building a Descriptor Database
unstrip <accept>: mov %ebx, %edx mov %0x66,%eax mov $0x5,%ebx lea 0x4(%esp),%ecx int $0x80 Locate wrapper functions glibc reference library Descriptor Database {<socketcall, 5>}: accept {<socketcall, 4>}: listen {<getpid>}: getpid Build semantic descriptors unstrip: Restoring Function Information to Stripped Binaries

11 Building a Descriptor Database
unstrip 1 <accept>: mov %ebx, %edx mov %0x66,%eax mov $0x5,%ebx lea 0x4(%esp),%ecx int $0x80 Locate wrapper functions 1 <accept>: mov %ebx, %edx mov %0x66,%eax mov $0x5,%ebx lea 0x4(%esp),%ecx int $0x80 glibc reference library 1 <accept>: mov %ebx, %edx mov %0x66,%eax mov $0x5,%ebx lea 0x4(%esp),%ecx int $0x80 1 <accept>: mov %ebx, %edx mov %0x66,%eax mov $0x5,%ebx lea 0x4(%esp),%ecx int $0x80 glibc reference library glibc reference library glibc reference library Descriptor Database {<socketcall, 5>}: accept {<socketcall, 4>}: listen {<getpid>}: getpid {<socketcall, 5>}: accept {<socketcall, 4>}: listen {<getpid>}: getpid {<socketcall, 5>}: accept {<socketcall, 4>}: listen {<getpid>}: getpid {<socketcall, 5>}: accept {<socketcall, 4>}: listen {<getpid>}: getpid Build semantic descriptors unstrip: Restoring Function Information to Stripped Binaries

12 Building a Descriptor Database
Identifying Functions in a Stripped Binary Building a Descriptor Database unstrip 1 <accept>: mov %ebx, %edx mov %0x66,%eax mov $0x5,%ebx lea 0x4(%esp),%ecx int $0x80 Locate functions 1 <accept>: mov %ebx, %edx mov %0x66,%eax mov $0x5,%ebx lea 0x4(%esp),%ecx int $0x80 glibc reference library 1 <accept>: mov %ebx, %edx mov %0x66,%eax mov $0x5,%ebx lea 0x4(%esp),%ecx int $0x80 1 <accept>: mov %ebx, %edx mov %0x66,%eax mov $0x5,%ebx lea 0x4(%esp),%ecx int $0x80 glibc reference library glibc reference library glibc reference library Descriptor Database {<socketcall, 5>}: accept {<socketcall, 4>}: listen {<getpid>}: getpid {<socketcall, 5>}: accept {<socketcall, 4>}: listen {<getpid>}: getpid {<socketcall, 5>}: accept {<socketcall, 4>}: listen {<getpid>}: getpid {<socketcall, 5>}: accept {<socketcall, 4>}: listen {<getpid>}: getpid Build semantic descriptors unstrip: Restoring Function Information to Stripped Binaries

13 Identifying Functions in a Stripped Binary
unstrip For each wrapper function { 1. Build the semantic descriptor. 2. Search the database for a match (two stages). 3. Add label to symbol table. } stripped binary Descriptor Database unstripped binary unstrip: Restoring Function Information to Stripped Binaries

14 unstrip: Restoring Function Information to Stripped Binaries
Evaluation To evaluate across three dimensions of variation, we constructed three data sets: compiler version library version distribution vendor In each set, compile statically-linked binaries, build a DBB, compare unstrip to IDA Pro’s FLIRT Evaluation measure is accuracy unstrip: Restoring Function Information to Stripped Binaries

15 Evaluation Results: Compiler Version Study
unstrip: Restoring Function Information to Stripped Binaries

16 Evaluation Results: Library Version Study
unstrip: Restoring Function Information to Stripped Binaries

17 Evaluation Results: Distribution Study
unstrip: Restoring Function Information to Stripped Binaries

18 unstrip: Restoring Function Information to Stripped Binaries
For full details, tech report available online at: ftp://ftp.cs.wisc.edu/paradyn/papers/Jacobson11Unstrip.pdf unstrip is available at: Come see the unstrip demo today at 2:00 or 2:30 (in 1260 WID/MIR) unstrip: Restoring Function Information to Stripped Binaries

19 unstrip: Restoring Function Information to Stripped Binaries
Extra Slides Some additional results unstrip: Restoring Function Information to Stripped Binaries

20 Evaluation Results: Distribution Study
unstrip: Restoring Function Information to Stripped Binaries

21 Evaluation Results: Toolchain Study (one predicts the rest)
Results from one-predicts-the-rest testing, i.e., patterns predicting all other binaries in this group (averaged), then patterns predicting all other binaries in this group (averaged),… unstrip: Restoring Function Information to Stripped Binaries

22 Evaluation Results: Library Version Study (one predicts the rest)
Results from one-predicts-the-rest testing (as on previous slide) unstrip: Restoring Function Information to Stripped Binaries

23 Evaluation Results: Distribution Study (one predicts the rest)
Results from one-predicts-the-rest testing (as on previous slide) unstrip: Restoring Function Information to Stripped Binaries

Download ppt "Emily Jacobson and Nathan Rosenblum"

Similar presentations

PASTE 2011 Szeged, Hungary September 5, 2011 Labeling Library Functions in Stripped Binaries Emily R. Jacobson, Nathan Rosenblum, and Barton P. Miller.

PASTE 2011 Szeged, Hungary September 5, 2011 Labeling Library Functions in Stripped Binaries Emily R. Jacobson, Nathan Rosenblum, and Barton P. Miller.
ByteWeight: Learning to Recognize Functions in Binary Code

ByteWeight: Learning to Recognize Functions in Binary Code
© 2006 Nathan RosenblumMarch 2006Unconventional Code Constructs The New Dyninst Code Parser: Binary Code Isn't as Simple as it Used to Be Nathan Rosenblum.

© 2006 Nathan RosenblumMarch 2006Unconventional Code Constructs The New Dyninst Code Parser: Binary Code Isn't as Simple as it Used to Be Nathan Rosenblum.
Introduction to Information Security מרצים : Dr. Eran Tromer: Prof. Avishai Wool: מתרגלים : Itamar Gilad

Introduction to Information Security מרצים : Dr. Eran Tromer: Prof. Avishai Wool: מתרגלים : Itamar Gilad
Practical session 7 review. Little – Endian What’s in memory? Section.rodata a: DB ‘hello’, 0x20, ’world’, 10, 0 b: DW ‘hello’, 0x20, ’world’, 10, 0 c:

Practical session 7 review. Little – Endian What’s in memory? Section.rodata a: DB ‘hello’, 0x20, ’world’, 10, 0 b: DW ‘hello’, 0x20, ’world’, 10, 0 c:
Practical Session 3. The Stack The stack is an area in memory that its purpose is to provide a space for temporary storage of addresses and data items.

Practical Session 3. The Stack The stack is an area in memory that its purpose is to provide a space for temporary storage of addresses and data items.
C Prog. To Object Code text text binary binary Code in files p1.c p2.c

C Prog. To Object Code text text binary binary Code in files p1.c p2.c
Attacks Using Stack Buffer Overflow Boxuan Gu

Attacks Using Stack Buffer Overflow Boxuan Gu
Recitation 2: Assembly & gdb Andrew Faulring 15213 Section A 16 September 2002.

Recitation 2: Assembly & gdb Andrew Faulring Section A 16 September 2002.
Machine-Level Programming 3 Control Flow Topics Control Flow Switch Statements Jump Tables.

Machine-Level Programming 3 Control Flow Topics Control Flow Switch Statements Jump Tables.
Y86 Processor State Program Registers

Y86 Processor State Program Registers
Analysis Of Stripped Binary Code Laune Harris University of Wisconsin – Madison

Analysis Of Stripped Binary Code Laune Harris University of Wisconsin – Madison
The Deconstruction of Dyninst: Experiences and Future Directions Drew Bernat, Madhavi Krishnan, Bill Williams, Bart Miller Paradyn Project 1.

The Deconstruction of Dyninst: Experiences and Future Directions Drew Bernat, Madhavi Krishnan, Bill Williams, Bart Miller Paradyn Project 1.
Paradyn Project Petascale Tools Workshop Madison, Wisconsin Aug 4-Aug 7, 2014 Binary Code is Not Easy Xiaozhu Meng, Emily Gember-Jacobson, and Bill Williams.

Paradyn Project Petascale Tools Workshop Madison, Wisconsin Aug 4-Aug 7, 2014 Binary Code is Not Easy Xiaozhu Meng, Emily Gember-Jacobson, and Bill Williams.
Recitation 4: The Stack & Lab3 Andrew Faulring 15213 Section A 30 September 2002.

Recitation 4: The Stack & Lab3 Andrew Faulring Section A 30 September 2002.
1 #include void silly(){ char s[30]; gets(s); printf(%s\n,s); } main(){ silly(); return 0; }

1 #include void silly(){ char s[30]; gets(s); printf("%s\n",s); } main(){ silly(); return 0; }
15-213 Recitation 6 – 2/26/01 Outline Linking Exam Review –Topics Covered –Your Questions Shaheen Gandhi Office Hours: Wednesday.

Recitation 6 – 2/26/01 Outline Linking Exam Review –Topics Covered –Your Questions Shaheen Gandhi Office Hours: Wednesday.
15-213 Recitation 2 – 2/11/02 Outline Stacks & Procedures Homogenous Data –Arrays –Nested Arrays Mengzhi Wang Office Hours: Thursday.

Recitation 2 – 2/11/02 Outline Stacks & Procedures Homogenous Data –Arrays –Nested Arrays Mengzhi Wang Office Hours: Thursday.
Recitation 2: Outline Assembly programming Using gdb L2 practice stuff Minglong Shao Office hours: Thursdays 5-6PM Wean Hall.

Recitation 2: Outline Assembly programming Using gdb L2 practice stuff Minglong Shao Office hours: Thursdays 5-6PM Wean Hall.
Machine-Level Programming 3 Control Flow Topics Control Flow Switch Statements Jump Tables.

Machine-Level Programming 3 Control Flow Topics Control Flow Switch Statements Jump Tables.

Similar presentations

Ads by Google