1 / 47

Light and Dark side of Code Instrumentation

Light and Dark side of Code Instrumentation. Dmitriy “D1g1″ Evdokimov DSecRG , Security Researcher. # whoami. Security Researcher in DSecRG RE Fuzzing Mobile security Organizer: DCG #7812 Editor in “XAKEP”. Agenda. Instrumentation . Instrumentation .. Instrumentation …

cais
Download Presentation

Light and Dark side of Code Instrumentation

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Light and Dark side of Code Instrumentation Dmitriy “D1g1″ Evdokimov DSecRG, Security Researcher

  2. #whoami • Security Researcherin DSecRG • RE • Fuzzing • Mobile security • Organizer: DCG #7812 • Editor in “XAKEP” CONFidence Krakow 2012

  3. Agenda • Instrumentation . • Instrumentation .. • Instrumentation … • Instrumentation …. • Instrumentation ….. • Instrumentation …… • Instrumentation ……. CONFidence Krakow 2012

  4. Intro “It has been proved by scientists that a new point of evolution, any technical progress appears when a Man makes up a new type of tool, but not a product.” CONFidence Krakow 2012

  5. Instrumentation Instrumentation is a technique adding extra code to an program/environment for monitoring/change some program behavior. Environment Program Program Own extra code Own extra code CONFidence Krakow 2012

  6. Why is it necessary? Parallel optimization Simulation Memory debugging Virtualization Emulation Software profiling Performance analysis Testing Automated debugging Correctness checking Error detection Collecting code metrics Optimization Binary translation Memory leak detection CONFidence Krakow 2012

  7. Instrumentation in information security • Security test case generation • Control flow analysis • Unpack Code coverage • Virtual patching • Malware analysis • Vulnerability detection Privacy monitoring • Taint analysis • Antivirus technology • Program shepherding • Sandboxing Data flow analysis • Shellcode detection • Fuzzing • Deobfuscation • Reverse engineering • Behavior based security • Forensic • Transparent debugging Data Structure Restoring Security enforcement CONFidence Krakow 2012

  8. Analysis CONFidence Krakow 2012

  9. Code Discovery Memory After static analysis Instr 1 0101010110101001010010 Instr 1 After dynamic analysis Instr 2 Instr 2 0101010101101010101010 Instr 3 Instr 3 1111010101110101000111 jump reg jump reg Instr 4 DATA Instr 1011100111001010101011 Instr 4 5 Instr 6 Instr 5 Instr 7 0111010110100111100110 Instr 7 cont. jmp 0x0ABCD PADDING Instr 8 Instr 6 Instr 9 1010101101110001001011 Instr 10 CONFidence Krakow 2012

  10. The general scheme of code instrumentation • Find points of instrumentation; • Insert instrumentation; • Take control from program; • Save context of the program; • Execute own code; • Restore context of the program; • Return control to program. CONFidence Krakow 2012

  11. Source Data Source data Source code Byte code Binary code CONFidence Krakow 2012

  12. Classificationoftarget instrumentation Instrumentation With source code Without source code Source code Byte code Binary code Linker/Compiler Byte code Executable file Interpreter/VM Process Source code instrumentation • Link-time/Compilation-time • instrumentation • Byte code instrumentation • Static • Load-time • Dynamic • Static binary instrumentation • Dynamic binary instrumentation • Environment modification Environment Hardware CONFidence Krakow 2012

  13. Source code instrumentation • Source code* • Source code instrumentation • Manual skills • Plugins for IDE • Link-time/Compilation-time instrumentation • Options of linker/compiler • Tools: Visual Studio Profiler, gcc, TAU, OPARI, Diablo, Phoenix, LLVM, Rational Purify, Valgrind *Unreal condition for security specialist=) CONFidence Krakow 2012

  14. Unmoral programming CONFidence Krakow 2012

  15. Byte code instrumentation Byte code – intermediate representation between source code and machine code. … Java VM Dalvik VM AVM/AVM2 CLR CONFidence Krakow 2012

  16. Instrumentation byte-code (I) Source code Compilation Byte-code Load Virtual machine Loader JIT Execute Lib Lib Lib Machine code CONFidence Krakow 2012

  17. Instrumentation byte code (II) • Byte-code • Static instrumentation • Static byte code instrumentation • Load-time instrumentation • Custom byte code loader • Dynamic instrumentation • Dynamic byte-code instrumentation CONFidence Krakow 2012

  18. Instrumentation Java (I) • Mechanisms: • java.lang.instrument package; • Java Platform Debugger Architecture (JPDA) . CONFidence Krakow 2012

  19. Instrumentation Java (II) • Static instrumentation • Modification *.class files • Load-time instrumentation • ClassFileLoadHook • Custom ClassLoader • Dynamic instrumentation • ClassFileLoadHook -> RetransformClasses Tools: Javassist, ObjectWeb ASM, BCEL, JOIE, reJJavaSnoop, Serp, JMangler CONFidence Krakow 2012

  20. Instrumentation .NET • Static instrumentation • Modification DLL files • Load-time instrumentation • AppDomain.Load()/Assembly.Load() • Joint redirection • Viaevent handler Tools: ReFrameworker, MBEL, RAIL, Cecil CONFidence Krakow 2012

  21. Instrumentation ActionScript (I) • ActionScript2 • AVM • Tags that (can) contain bytecode: • DefineButton (7), DefineButton2 (34), DefineSprite (39), DoAction (12), DoInitAction (59), PlaceObject2 (26), PlaceObject3 (70). • ActionScript3 • AVM2 • Tags that (can) contain bytecode: • DoABC (82), RawABC (72). CONFidence Krakow 2012

  22. AVM2 Architecture .abc AS3 function (x:int):int { return x+10 } .abc parser MIR @1 arg +8// argv @2 load [@1+4] @3 imm 10 @4 add (@2,@3) @5 ret @4 // @4:eax JIT Compiler .abc getlocal 1 pushint 10 add returnvalue Bytecode Verifier MIR Code Generator Interpreter MD Code Generator (x86, PPC, ARM, etc.) x86 moveax,(eap+8) moveax,(eax+4) add eax,10 ret Runtime System (Type System, Object Model) Memory Manager/Garbage Collector CONFidence Krakow 2012

  23. Instrumentation ActionScript (I) AVM tag Original SWF file Tags Header Instrumenteted SWF file CONFidence Krakow 2012

  24. Instrumentation AVM (II) • Static instrumentation • Add : • trace() • dump() • debug() • debugfile() • debugline() • Modification: • Create own class + change class name = hook! CONFidence Krakow 2012

  25. Instrumentation binary code • Environment • Modifying call table • IDT, CPU MSRs, GDT, SSDT, IRP тable • … • Modifying OS options • SHIM • LD_PRELOAD • AppInt_DLLs • DLL injection • … • Reproduction of the environment • Emulation • Virtualization • The executable file • Static code instrumentation • Static binary instrumentation • Process • Debuggers • Debugging API • Modifying call table/other structure • IAT • … • Dynamic code instrumentation • Dynamic binary instrumentation • Hardware • Hardware debug features • Debug registers • Hardware debuggers • … CONFidence Krakow 2012

  26. Static Binary Instrumentation (I) Static binary instrumentation/Physical code integration/Static binary code rewriting • Realization: • With reallocation: • Level of segment; • Level of function; • Without reallocation. Edited Header Header Segment ofcode Segment ofcode Segment of data Segment of data Extra segment ofcode Extra segment of data CONFidence Krakow 2012

  27. Static Binary Instrumentation (II) Reallocation: 1) Function Displacement + Entry Point Linking; 2) Branch Conversion; 3) Instruction Padding; 4) Instrumentation. Tools: DynInst, EEL, ATOM, PEBIL, ERESI, TAU, Vulcan, BIRD, Aslan(4514N) CONFidence Krakow 2012

  28. Debuggers • Breakpoints: • Software • Hardware • Debugger + scripting: • WinDBG + pykd • OllyDBG + python = Immunity Debuggers • GDB + PythonGDB • Python library's*: Buggery, IDAPython, ImmLIB, lldb, PyDBG, PyDbgEng, pygdb , python-ptrace , vtrace, WinAppDbg, … *See “Python Arsenal for Reverse Engineering” App Debugger OS Processor CONFidence Krakow 2012

  29. Dynamic Binary Instrumentation Dynamic binary instrumentation/Virtual code integration/Dynamic binary rewriting Tools: PIN, DynamoRIO, DynInst, Valgrind, BAP, KEDR, Fit, ERESI, Detour, Vulcan, SpiderPig App1 DBI App2 OS Processor CONFidence Krakow 2012

  30. Dynamic Binary Instrumentation • Dynamic Binary Instrumentation (DBI) is a process control and analysis technique that involves injecting instrumentation code into a running process. • Dynamic binary analysis (DBA) tools such as profilers and checkers help programmers create better software. • Dynamic binary instrumentation (DBI) frameworks make it easy to build new DBA tools. • DBA tools consist: • instrumentation routines; • analysis routines. CONFidence Krakow 2012

  31. Kinds of DBI Mode: • user-mode; • kernel-mode. Modes of execution: • Interpretation-mode; • Probe-mode; • JIT-mode. Mode of work: - Start to finish; - Attach. Functionality JIT Probe Performance CONFidence Krakow 2012

  32. DBI Frameworks* *For more details see “DBI:Intro” presentation from ZeroNights conference CONFidence Krakow 2012

  33. Start work with DBI CONFidence Krakow 2012

  34. Levels of granularity • Instruction; • Basic Block*; • Trace/Superblock; • Function; • Section; • Events; • Binary image. CONFidence Krakow 2012

  35. Self-modifying code & DBI Detect: • Written-protecting code pages • Checking store address • Inserting extra code CONFidence Krakow 2012

  36. Overhead O = X + Y Y = N*Z Z = K+L O – Tool Overhead; X – Instrumentation Routines Overhead; Y – Analysis Routines Overhead; N – Frequency of Calling Analysis Routine; Z – Work Performed in the Analysis Routine; K – Work Required to Transition to Analysis Routine; L – Work Performed Inside the Analysis Routine. CONFidence Krakow 2012

  37. Rewriting instructions • Platforms: • with fixed-length instruction; • with variable-length instructions. CONFidence Krakow 2012

  38. Rewriting code (I) • Easy / simple / boring / regular example • Rewriting prolog function CONFidence Krakow 2012

  39. Rewriting code (II) • Hardcore example: • Mobile phone firmware rewriting Bootloader reboot Flash SHELLCODE 1 AMSS Malicious SMS GSM Baseband processor CONFidence Krakow 2012

  40. Instrumentation in ARM ARM modes: • ARM • Length(instr) = 4 byte • Thumb • Length(instr) = 2 byte • Thumb2 • Length(instr) = 2/4 byte • Jazzle For more detail see “A Dynamic Binary Instrumentation Engine for the ARM Architecture” presentation. CONFidence Krakow 2012

  41. Emulation App1 OS Emulator OS Processor CONFidence Krakow 2012

  42. Instrumentation & Bochs • Bochs can be called with instrumentation support. • C++ callbacks occur when certain events happen: • Poweron/Reset/Shutdown; • Branch Taken/Not Taken/Unconditional; • Opcode Decode (All relevant fields, lengths); • Interrupt /Exception; • Cache /TLB Flush/Prefetch; • Memory Read/Write. • “bochs-python-instrumentation” patch by EroCarrera CONFidence Krakow 2012

  43. Virtualization App1 OS App1 OS VMM VMM OS Processor Processor Native VMM Hosted VMM *VMM - Virtual Machine Monitor CONFidence Krakow 2012

  44. Instrumentation & virtualization Stages: • Save the VM-exit reason information in the VMCS; • Save guest context information; • Load the host-state area; • Transfer control to the hypervisor; • Run own code. *VMCS - Virtual Machine Control Structure CONFidence Krakow 2012

  45. Instrumentation in Mobile World CONFidence Krakow 2012

  46. Conclusion One can implement instrumentation of everything! CONFidence Krakow 2012

  47. Contact Twitter: @evdokimovds E-mail: d.evdokimov@dsecrg.com CONFidence Krakow 2012

More Related