#whoami
Security Researcher in DSecRG
RE, fuzzing, mobile security
www.dsecrg.com
Agenda
CONFidence Krakow 2012
Intro
Scientists have shown that every new stage of evolution, every step of technical progress, appears when Man creates a new type of tool, not a new product.
Instrumentation
Instrumentation is a technique that adds extra code to a program or its environment in order to monitor or change the program's behaviour.
[Figure: the program and its environment, with the analyst's own extra code inserted into the program]
Why is it necessary?
Parallel optimization; simulation; virtualization; emulation; performance analysis; automated debugging; error detection; binary translation; optimization; memory leak detection; software profiling; testing; correctness checking; collecting code metrics; memory debugging.
Malware analysis
Shellcode detection
Fuzzing
Analysis
Criterion                          Static analysis      Dynamic analysis
Code vs. data                      Problem              No problem
Code coverage                      Big (but not all)    One way
Information about values           No information       All information
Self-modifying code                Problem              No problem
Interaction with the environment   No                   Yes
Unused code                        Analysis             No analysis
JIT code                           Problem              No problem
Code Discovery
[Figure: memory layout of code discovery. After static analysis the bytes following an indirect "jump reg" are misclassified (data, padding, a split instruction), and the target of "jmp 0x0ABCD" is not followed; after dynamic analysis Instr 1 to Instr 10 are all identified as code.]
Source data
Source code
Byte code
Binary code
[Figure: kinds of instrumentation by source data and environment. Source code instrumentation; link-time/compilation-time instrumentation; byte code instrumentation; static binary modification; dynamic binary instrumentation. Each is performed statically, at load time, or dynamically.]
Link-time/Compilation-time instrumentation
Options of linker/compiler
Tools: Visual Studio Profiler, gcc, TAU, OPARI, Diablo, Phoenix, LLVM, Rational Purify, Valgrind
*An unrealistic condition for a security specialist =)
Immoral programming
Virtual machine
[Figure: virtual machine pipeline: byte code and libraries are JIT-compiled or executed, ending as machine code]
Load-time instrumentation
Custom byte code loader
Dynamic instrumentation
Dynamic byte-code instrumentation
Tools (Java): Javassist, ObjectWeb ASM, BCEL, JOIE, reJ, JavaSnoop, Serp, JMangler
Instrumentation .NET
Static instrumentation: modification of DLL files.
Load-time instrumentation: AppDomain.Load()/Assembly.Load(); joint redirection; via event handler.
ActionScript3
AVM2. Tags that (can) contain bytecode: DoABC (82), RawABC (72).
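As an added example (not from the talk), a small Python scanner that walks a SWF tag stream and returns the bytecode carried by DoABC (82) and RawABC (72) tags, which is where analysis or static modification of the .abc has to start; the file layout follows the SWF specification, and the sample SWF it scans is constructed inline.

```python
import struct
import zlib
DOABC, RAWABC, END_TAG = 82, 72, 0   # tag codes from the SWF specification

def iter_tags(body, pos):  # yield (code, payload) per RECORDHEADER-prefixed tag, up to End (0)
    while pos + 2 <= len(body):
        (hdr,) = struct.unpack_from("<H", body, pos)
        code, length, pos = hdr >> 6, hdr & 0x3F, pos + 2
        if length == 0x3F:                        # long form: explicit UI32 length follows
            (length,), pos = struct.unpack_from("<I", body, pos), pos + 4
        payload = body[pos:pos + length]
        if len(payload) != length:
            raise ValueError("truncated tag %d at offset %d" % (code, pos))
        pos += length
        yield code, payload
        if code == END_TAG:
            return

def find_bytecode_tags(swf):
    """Return [(code, name, abc_bytes)] for every DoABC (82) / RawABC (72) tag in a SWF."""
    if swf[:3] == b"FWS":
        body = swf[8:]                            # uncompressed body
    elif swf[:3] == b"CWS":
        body = zlib.decompress(swf[8:])           # zlib-compressed after the 8-byte header
    else:
        raise ValueError("not an FWS/CWS file (LZMA 'ZWS' is not handled here)")
    pos = (5 + 4 * (body[0] >> 3) + 7) // 8 + 4  # skip RECT (5-bit nbits + 4*nbits bits), rate, count
    found = []
    for code, payload in iter_tags(body, pos):
        if code == DOABC:                         # UI32 flags, null-terminated name, ABC data
            end = payload.index(b"\x00", 4)
            found.append((code, payload[4:end].decode("utf-8", "replace"), payload[end + 1:]))
        elif code == RAWABC:                      # ABC data only
            found.append((code, "", payload))
    return found

ABC_STUB = bytes([0x10, 0x00, 0x2E, 0x00])        # constructed stub, not real ABC: version words only
def _tag(code, payload):
    if len(payload) < 0x3F:
        return struct.pack("<H", (code << 6) | len(payload)) + payload
    return struct.pack("<HI", (code << 6) | 0x3F, len(payload)) + payload

def build_sample_swf(compressed=False):  # constructed sample: one DoABC and one long-form RawABC tag
    body = b"\x00" + struct.pack("<HH", 0x1800, 1)           # RECT(nbits=0), 24.0 fps, 1 frame
    body += _tag(69, b"\x08\x00\x00\x00")                      # FileAttributes, ActionScript3 flag
    body += _tag(DOABC, struct.pack("<I", 1) + b"frame1\x00" + ABC_STUB)
    body += _tag(RAWABC, ABC_STUB + b"\x00" * 96)              # 100-byte payload -> long form
    body += _tag(END_TAG, b"")
    data = zlib.compress(body) if compressed else body
    return (b"CWS" if compressed else b"FWS") + bytes([10]) + struct.pack("<I", 8 + len(body)) + data
```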
AVM2 Architecture
[Figure: AVM2 compilation pipeline, followed stage by stage for one function]
AS3 source: function (x:int):int { return x+10 }
.abc bytecode (after the .abc parser and verifier): getlocal 1; pushint 10; add; returnvalue
Executed by the interpreter, or passed to the MIR JIT compiler:
MIR (MIR code generator): @1 arg +8 // argv; @2 load [@1+4]; @3 imm 10; @4 add (@2,@3); @5 ret @4 // @4:eax
Machine code (MD code generator, x86, PPC, ARM, etc.), here x86: mov eax,[ebp+8]; mov eax,[eax+4]; add eax,10; ret
Runtime system: type system, object model, memory manager/garbage collector.
Header
Tags
Modification:
Create own class + change class name = hook!
Environment
Debugging API
Modifying OS options
SHIM, LD_PRELOAD, AppInit_DLLs, DLL injection
Hardware
Without reallocation.
Debuggers
Breakpoints:
software; hardware.
[Figure: where breakpoints are handled: application, OS, processor, debugger]
Debugger + scripting:
Python libraries*: Buggery, IDAPython, ImmLIB, lldb, PyDBG, PyDbgEng, pygdb, python-ptrace, vtrace, WinAppDbg
Tools: PIN, DynamoRIO, DynInst, Valgrind, BAP, KEDR, Fit, ERESI, Detour, Vulcan, SpiderPig
Kinds of DBI
Mode: user-mode; kernel-mode.
Mode of work: start to finish; attach.
Functionality
Modes of execution: interpretation-mode; probe-mode; JIT-mode.
[Figure: performance of JIT mode vs. probe mode]
DBI Frameworks*
Framework   OS                        Arch                              Modes        Features
PIN         Linux, Windows, MacOS     x86, x86-64, Itanium, ARM         JIT, Probe   Attach mode
DynamoRIO   Linux, Windows            x86, x86-64                       JIT          Runtime optimization
DynInst     Linux, FreeBSD, Windows   x86, x86-64, ppc32, ARM, ppc64    Probe        Static & dynamic binary instrumentation
Valgrind    Linux, MacOS              x86, x86-64, ppc32, ARM, ppc64    JIT          IR VEX, heavyweight DBA tools
Levels of granularity
Instruction; Basic Block*; Trace/Superblock; Function; Section; Events; Binary image.
Overhead
O = X + Y
Y = N * Z
Z = K + L
where O is the tool overhead; X the instrumentation routines overhead; Y the analysis routines overhead; N the frequency of calling the analysis routine; Z the work performed in the analysis routine; K the work required to transition to the analysis routine; L the work performed inside the analysis routine.
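An added example (not from the talk) that ties the levels of granularity to the overhead model: a sys.settrace-based instrumenter for Python code in which the instrumentation routine decides where the analysis routine is attached, and N (how many times the analysis routine ran) grows as granularity moves from function to line, while only the finer level reveals the code coverage and the unused branch. The target function, its inputs and the Instrumenter class are all constructed here.

```python
import sys
from collections import Counter
# Constructed target program (not from the slides): the code being instrumented.
def classify(n):
    if n % 15 == 0:
        return "fizzbuzz"      # never reached for inputs 1..14: "unused code"
    if n % 3 == 0:
        return "fizz"
    if n % 5 == 0:
        return "buzz"
    return str(n)

def run_target():
    return [classify(i) for i in range(1, 15)]

class Instrumenter:
    """sys.settrace instrumentation: the instrumentation routine (X) decides where the analysis routine (Z, run N times) attaches."""
    def __init__(self, granularity, target_names):
        self.granularity = granularity          # "function" or "line"
        self.targets = set(target_names)
        self.analysis_calls = 0                 # N in O = X + N*Z
        self.coverage = Counter()               # (function, line offset) -> hits
    def _analysis(self, frame, event):
        self.analysis_calls += 1
        if event == "line":                     # line offsets relative to the def line
            key = (frame.f_code.co_name, frame.f_lineno - frame.f_code.co_firstlineno)
            self.coverage[key] += 1
    def _instrument(self, frame, event, arg):
        if frame.f_code.co_name not in self.targets:
            return None                         # foreign code: attach nothing
        if event == "call":
            self._analysis(frame, event)        # function granularity: once per call
            return self._instrument if self.granularity == "line" else None
        if event == "line":
            self._analysis(frame, event)        # line granularity: on every executed line
        return self._instrument
    def run(self, func):
        sys.settrace(self._instrument)
        try:
            return func()
        finally:
            sys.settrace(None)

def measure(granularity):
    # run the target instrumented; return (output, N, covered line offsets of classify)
    ins = Instrumenter(granularity, ["classify"])
    out = ins.run(run_target)
    covered = sorted(off for (fn, off) in ins.coverage if fn == "classify")
    return out, ins.analysis_calls, covered
```

At function granularity the output is unchanged and N equals the number of calls, but the coverage list is empty; at line granularity N is several times larger and the "fizzbuzz" line (offset 2) is the only body line never hit.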
Rewriting instructions
Platforms: with fixed-length instructions; with variable-length instructions.
[Figure: shellcode carried by a malicious SMS, aimed at the baseband processor (AMSS, GSM)]
Instrumentation in ARM
ARM modes: ARM, instruction length 4 bytes; Thumb, instruction length 2 bytes; Thumb2, instruction length 2/4 bytes; Jazelle.
For more detail see the presentation "A Dynamic Binary Instrumentation Engine for the ARM Architecture".
Emulation
[Figure: an OS running under emulation]
Virtualization
[Figure: native VMM (VMM directly on the processor, OS and apps above it) vs. hosted VMM (VMM running on top of a host OS)]
Conclusion
Contact
Windows 8
Apps: C++ & DirectX; C# & XAML; HTML & JavaScript & CSS.