Presentation is loading. Please wait.

Presentation is loading. Please wait.

PASTE 2011 Szeged, Hungary September 5, 2011 Labeling Library Functions in Stripped Binaries Emily R. Jacobson, Nathan Rosenblum, and Barton P. Miller.

Published bySophie Barnicle Modified over 9 years ago

Similar presentations

Presentation on theme: "PASTE 2011 Szeged, Hungary September 5, 2011 Labeling Library Functions in Stripped Binaries Emily R. Jacobson, Nathan Rosenblum, and Barton P. Miller."— Presentation transcript:

1 PASTE 2011 Szeged, Hungary September 5, 2011 Labeling Library Functions in Stripped Binaries Emily R. Jacobson, Nathan Rosenblum, and Barton P. Miller Computer Sciences Department University of Wisconsin - Madison

2 Why Binary Code? o Source code isn’t available o Source code isn’t the right representation 2 Labeling Library Functions in Stripped Binaries

3 Binary Tools Need Symbol Tables o Debugging Tools o GDB, IDA Pro… o Instrumentation Tools o PIN, Dyninst,… o Static Analysis Tools o CodeSurfer/x86,… o Security Analysis Tools o IDA Pro,… 3 Labeling Library Functions in Stripped Binaries

4 Function locations Complicated by: o Missing symbol information o Variability in function layout (e.g. code sharing, outlined basic blocks) o High degree of indirect control flow program binary Restoring Information 4 Labeling Library Functions in Stripped Binaries targ80c3bd0 targ80c3df4

5 What about semantic information? o Program’s interaction with the operating system (system calls) encapsulated by wrapper functions Restoring Information 5 Labeling Library Functions in Stripped Binaries Library fingerprinting: identify functions based on patterns learned from exemplar libraries program binary targ80c3bd0 targ80c3df4

6 stripped binary parsing + library fingerprinting + binary rewriting unstrip 6 Labeling Library Functions in Stripped Binaries targ80c3bd0 targ80c3df4 getpid accept

7 : mov %ebx, %edx mov %0x66,%eax mov $0x5,%ebx lea 0x4(%esp),%ecx int $0x80 mov %edx, %ebx cmp %0xffffff83,%eax jae syscall_error ret Set up system call arguments int $0x80 Invoke a system call mov %edx, %ebx cmp %0xffffff83,%eax jae syscall_error ret Error check and return mov %ebx, %edx mov %0x66,%eax mov $0x5,%ebx lea 0x4(%esp),%ecx Save registers

8 : mov %ebx, %edx mov %0x66,%eax mov $0x5,%ebx lea 0x4(%esp),%ecx int $0x80 mov %edx, %ebx cmp %0xffffff83,%eax jae syscall_error ret int $0x80 mov %edx, %ebx cmp %0xffffff83,%eax jae syscall_error ret mov %ebx, %edx mov %0x66,%eax mov $0x5,%ebx lea 0x4(%esp),%ecx : cmpl $0x0,%gs:0xc jne 80f669c mov %ebx, %edx mov %0x66,%eax mov $0x5,%ebx lea 0x4(%esp),%ecx call *0x814e93c mov %edx, %ebx cmp %0xffffff83,%eax jae syscall_error ret push %esi call enable_asyncancel mov %eax,%esi mov %ebx,%edx mov $0x66,%eax mov $0x5,%ebx lea 0x8(%esp),%ecx call *0x8181578 mov %edx, %ebx xchg %eax,%esi call disable_acynancel mov %esi,%eax pop %esi cmp $0xffffff83,%eax jae syscall_error ret : cmpl $0x0,%gs:0xc jne 80f669c mov %ebx, %edx mov %0x66,%eax mov $0x5,%ebx lea 0x4(%esp),%ecx int $0x80 mov %edx, %ebx cmp %0xffffff83,%eax jae syscall_error ret push %esi call enable_asyncancel mov %eax,%esi mov %ebx,%edx mov $0x66,%eax mov $0x5,%ebx lea 0x8(%esp),%ecx int $0x80 mov %edx, %ebx xchg %eax,%esi call disable_acynancel mov %esi,%eax pop %esi cmp $0xffffff83,%eax jae syscall_error ret glibc 2.5 on RHEL with GCC 3.4.4 The same function can be realized in a variety of ways in the binary glibc 2.5 on RHEL with GCC 4.1.2 glibc 2.2.4 on RHEL with GCC 2.95.3

9 o Function inlining o Code reordering o Minor code changes o Alternative code sequences Binary-level Code Variations 9 Labeling Library Functions in Stripped Binaries

10 Semantic Descriptors o Rather than recording byte patterns, we take a semantic approach o Record information that is likely to be invariant across multiple versions of the function 10 : mov %ebx, %edx mov %0x66,%eax mov $0x5,%ebx lea 0x4(%esp),%ecx int $0x80 mov %edx, %ebx cmp %0xffffff83,%eax jae 8048300 ret mov %esi,%esi int $0x80 mov %0x66,%eax mov $0x5,%ebx { }, 5 Labeling Library Functions in Stripped Binaries

11 Building Semantic Descriptors 11 Labeling Library Functions in Stripped Binaries We parse an input binary, locate system calls and wrapper function calls, and employ dataflow analysis. binary reboot: push %ebp mov %esp,%ebp sub $0x10,%esp push %edi push %ebx mov 0x8(%ebp),%edx mov $0xfee1dead,%edi mov $0x28121969,%ecx push %ebx mov %edi,%ebx mov $0x58,%eax int $0x80 … SYSTEM CALL 0x580x28121969 EAX EBXECX %edi 0xfee 1 dead { } EAX (reboot)

12 Building Semantic Descriptors Recursively 12 Labeling Library Functions in Stripped Binaries sethostid: … call open … call write … mov $0x6, eax int $0x80 … { } open: … mov $0x5, eax int $0x80 … { } write: … mov $0x4, eax int $0x80 … { } {,, }

13 unstrip Building a Descriptor Database 13 Labeling Library Functions in Stripped Binaries Descriptor Database : mov %ebx, %edx mov %0x66,%eax mov $0x5,%ebx lea 0x4(%esp),%ecx int $0x80 … Locate wrapper functions Build semantic descriptors { }: accept { }: listen { }: getpid … glibc reference library glibc reference library

14 glibc reference library glibc reference library glibc reference library glibc reference library glibc reference library glibc reference library glibc reference library glibc reference library unstrip Building a Descriptor Database 14 Labeling Library Functions in Stripped Binaries Descriptor Database Build semantic descriptors Locate wrapper functions { }: accept { }: listen { }: getpid … { }: accept { }: listen { }: getpid … { }: accept { }: listen { }: getpid … { }: accept { }: listen { }: getpid … 1 : mov %ebx, %edx mov %0x66,%eax mov $0x5,%ebx lea 0x4(%esp),%ecx int $0x80 … 1 : mov %ebx, %edx mov %0x66,%eax mov $0x5,%ebx lea 0x4(%esp),%ecx int $0x80 … 1 : mov %ebx, %edx mov %0x66,%eax mov $0x5,%ebx lea 0x4(%esp),%ecx int $0x80 … 1 : mov %ebx, %edx mov %0x66,%eax mov $0x5,%ebx lea 0x4(%esp),%ecx int $0x80 …

15 o Two stages 1)Exact matches 2)Best match based on coverage criterion o Handle minor code variations by allowing flexible matches Pattern Matching Criteria 15 Labeling Library Functions in Stripped Binaries

16 Pattern Matching Criteria 16 Labeling Library Functions in Stripped Binaries A: { } B: {,, } fingerprint from the database semantic descriptor from the code

17 Multiple Matches o It’s possible that two or more functions are indistinguishable o Policy decision: return set of potential matches o In practice, we’ve observed 8% of functions have multiple matches, but the size of the match set is small (≤ 3) 17 Labeling Library Functions in Stripped Binaries

18 unstrip Identifying Functions in a Stripped Binary 18 Labeling Library Functions in Stripped Binaries stripped binary unstripped binary Descriptor Database For each wrapper function { 1. Build the semantic descriptor. 2. Search the database for a match (apply two- stage matching process). 3. Add label to symbol table. }

19 stripped binary parsing + library fingerprinting + binary rewriting Implementation 19 Labeling Library Functions in Stripped Binaries

20 Evaluation o To evaluate across three dimensions of variation, we constructed three data sets: o GCC version o glibc version o distribution vendor o In each set, compile statically-linked binaries, build a DDB, compare unstrip to IDA Pro’s FLIRT o Evaluation measure is accuracy 20 Labeling Library Functions in Stripped Binaries

21 Evaluation Results: GCC Version Study 21 Labeling Library Functions in Stripped Binaries

22 Evaluation Results: glibc Version Study 22 Labeling Library Functions in Stripped Binaries

23 Evaluation Results: Distribution Study 23 Labeling Library Functions in Stripped Binaries

24 24 Labeling Library Functions in Stripped Binaries unstrip is available at http://www.paradyn.org/html/tools/unstrip.html

25 Backup slides follow

26 Evaluation Results: GCC Version Study (Temporal: backwards) 26 Labeling Library Functions in Stripped Binaries

27 Evaluation Results: glibc Version Study (Temporal: backwards) 27 Labeling Library Functions in Stripped Binaries

28 Evaluation Results: Distribution Study (one predicts the rest) 28 Labeling Library Functions in Stripped Binaries

29 Evaluation Results: GCC Version Study (one predicts the rest) 29 Labeling Library Functions in Stripped Binaries

30 Evaluation Results: glibc Version Study (one predicts the rest) 30 Labeling Library Functions in Stripped Binaries

31 Evaluation Results: Distribution Study (one predicts the rest) 31 Labeling Library Functions in Stripped Binaries

Download ppt "PASTE 2011 Szeged, Hungary September 5, 2011 Labeling Library Functions in Stripped Binaries Emily R. Jacobson, Nathan Rosenblum, and Barton P. Miller."

Similar presentations

TWO STEP EQUATIONS 1. SOLVE FOR X 2. DO THE ADDITION STEP FIRST

TWO STEP EQUATIONS 1. SOLVE FOR X 2. DO THE ADDITION STEP FIRST
You have been given a mission and a code. Use the code to complete the mission and you will save the world from obliteration…

You have been given a mission and a code. Use the code to complete the mission and you will save the world from obliteration…
1 Inducements–Call Blocking. Aware of the Service?

1 Inducements–Call Blocking. Aware of the Service?
Advanced Piloting Cruise Plot.

Advanced Piloting Cruise Plot.
Copyright © 2003 Pearson Education, Inc. Slide 1 Computer Systems Organization & Architecture Chapters 8-12 John D. Carpinelli.

Copyright © 2003 Pearson Education, Inc. Slide 1 Computer Systems Organization & Architecture Chapters 8-12 John D. Carpinelli.
Chapter 1 The Study of Body Function Image PowerPoint

Chapter 1 The Study of Body Function Image PowerPoint
Copyright © 2011, Elsevier Inc. All rights reserved. Chapter 6 Author: Julia Richards and R. Scott Hawley.

Copyright © 2011, Elsevier Inc. All rights reserved. Chapter 6 Author: Julia Richards and R. Scott Hawley.
Author: Julia Richards and R. Scott Hawley

Author: Julia Richards and R. Scott Hawley
1 Copyright © 2013 Elsevier Inc. All rights reserved. Appendix 01.

1 Copyright © 2013 Elsevier Inc. All rights reserved. Appendix 01.
Properties Use, share, or modify this drill on mathematic properties. There is too much material for a single class, so you’ll have to select for your.

Properties Use, share, or modify this drill on mathematic properties. There is too much material for a single class, so you’ll have to select for your.
© 2011, the Book Industry Study Group, Inc Book Industry Study Group Supporting an Industry in Transformation BISG Annual Meeting of Members September.

© 2011, the Book Industry Study Group, Inc Book Industry Study Group Supporting an Industry in Transformation BISG Annual Meeting of Members September.
© 2010 Pearson Addison-Wesley. All rights reserved. Addison Wesley is an imprint of Chapter 11: Structure and Union Types Problem Solving & Program Design.

© 2010 Pearson Addison-Wesley. All rights reserved. Addison Wesley is an imprint of Chapter 11: Structure and Union Types Problem Solving & Program Design.
Jeopardy Q 1 Q 6 Q 11 Q 16 Q 21 Q 2 Q 7 Q 12 Q 17 Q 22 Q 3 Q 8 Q 13

Jeopardy Q 1 Q 6 Q 11 Q 16 Q 21 Q 2 Q 7 Q 12 Q 17 Q 22 Q 3 Q 8 Q 13
Jeopardy Q 1 Q 6 Q 11 Q 16 Q 21 Q 2 Q 7 Q 12 Q 17 Q 22 Q 3 Q 8 Q 13

Jeopardy Q 1 Q 6 Q 11 Q 16 Q 21 Q 2 Q 7 Q 12 Q 17 Q 22 Q 3 Q 8 Q 13
Exit a Customer Chapter 8. Exit a Customer 8-2 Objectives Perform exit summary process consisting of the following steps: Review service records Close.

Exit a Customer Chapter 8. Exit a Customer 8-2 Objectives Perform exit summary process consisting of the following steps: Review service records Close.
My Alphabet Book abcdefghijklm nopqrstuvwxyz.

My Alphabet Book abcdefghijklm nopqrstuvwxyz.
DIVIDING INTEGERS 1. IF THE SIGNS ARE THE SAME THE ANSWER IS POSITIVE 2. IF THE SIGNS ARE DIFFERENT THE ANSWER IS NEGATIVE.

DIVIDING INTEGERS 1. IF THE SIGNS ARE THE SAME THE ANSWER IS POSITIVE 2. IF THE SIGNS ARE DIFFERENT THE ANSWER IS NEGATIVE.
FACTORING ax2 + bx + c Think “unfoil” Work down, Show all steps.

FACTORING ax2 + bx + c Think “unfoil” Work down, Show all steps.
Addition Facts 1 - 20.

Addition Facts
Year 6 mental test 5 second questions

Year 6 mental test 5 second questions

Similar presentations

Ads by Google