Nullcon Presentation


  • 8/7/2019 Nullcon Presentation

    1/31

    Automatic Program Analysis with Dynamic Binary Instrumentation

    Sunil Kumar

    ([email protected])

    http://null.co.in/ http://nullcon.net/

    2/31

    #whoami

    Research Associate @ iViZ Techno Solutions

    MCA(007) from Goa University i.e. GUMCA07.

    http://www.linkedin.com/in/sunilkr86 Twitter @_skare; @_ice_22

    3/31

    Sections

    .program analysis

    .dynamic behavior

    .dynamic binary instrumentation .Pin

    .puncture

    .conclusion

    4/31

    5/31

    program analysis::Static Analysis

    Static Properties
        Hash
        Signature/Byte Patterns
        Strings
        Code Analysis

    Safe because we did not run it? Mostly.

    Match against known data.

    6/31

    program analysis::Static Analysis

    One side of the coin.

    May fail if:
        Obfuscated strings.
        Variants.
        Code in non-standard sections {.data, ...}.
        Self-modifying code.
        Brand new.

    7/31

    program analysis::Dynamic Analysis

    a.k.a. Behavior Analysis

    Let Us C (see)

    Dynamic Properties
        File Operations
        Registry Operations
        Network Operations
        Interaction with other processes

    Dangerous unless run in a controlled environment / sandbox.

    8/31

    instrumentation

    Instruments that record, analyze, summarize, organize, debate and explain information; that are illustrative, non-illustrative, hard bound, paperback, jacketed, non-jacketed, with foreword, introduction, table of contents, index; that are intended for the enlightenment, understanding, enrichment, enhancement, education of the human brain through the sensory route of vision... sometimes touch!

    9/31

    Dynamic Binary Instrumentation

    Instrument code just before it runs (Just In Time).
    No need to re-link.
    Discover code at runtime.
    Handle dynamically generated code.
    Attach to a running process.

    [cgo_2010_final.ppt]

    10/31

    Pin

    A Dynamic Binary Instrumentation engine based on the Post-Link Optimizer Spike.
    Developed by Intel Corporation.
    Oldest available release: Pin-2.6-24110, dated 13/01/2009.
    Latest release: Pin-2.8-39028, dated 02/02/2011.
    Alternatives: DynamoRIO, Valgrind

    12/31

    Advantages of Pin

    Provides a rich set of APIs in C/C++/Assembly for creating instrumentation tools, a.k.a. PinTools.
    Multiplatform: supports IA-32, IA-64, Intel 64.
    Supports Windows, Linux, MacOS.
    Robust: if you can run it, you can Pin it.
        Multithreaded applications
        Self-modifying code
        Signals and exceptions
    Efficient: compiler optimization and code inlining.
    Bypass debug-protection. (DEMO)

    14/31

    Pin Capabilities

    Insert code at arbitrary places in executable code.
    Just-In-Time compilation.
    Automatic save/restore of registers to avoid interference.
    Dynamic code discovery.
    Instrument anything ever executed*. (*User mode only)

    15/31

    16/31

    ...but I do want these too:

    Kernel mode.
    Isolated I/O.
    Handling of exceptions raised inside PinTools.

    17/31

    But what is in it for me?

    Read: Instructions, Operands, Operations, Methods, Parameters, Return Values, Modules

    Write: Instructions, Operands, Operations, Methods, Parameters, Return Values

    18/31

    Pin Design

    19/31

    Pin Workflow

    20/31

    Pin Instrumentation Modes

    JIT
        Uses a code cache.
        All instrumentation granularities.
        Flexible.

    Probe
        Binary modified in place.
        Limited to routine-level instrumentation.
        Less flexible.
        Faster than JIT in some cases.

    21/31

    Pin Instrumentation Granularities

    INS
    BBL
    TRACE
    RTN (requires symbol support: dbghelp.dll v6.11.1.404 on Windows)
    IMG

    22/31

    a Simple PinTool

    #include "pin.H"
    #include <iostream>

    VOID Image(IMG img, VOID *v)          // image-load callback: one call per EXE/DLL
    {
        std::cerr << "Loaded " << IMG_Name(img) << std::endl;
    }

    VOID Fini(INT32 code, VOID *v)        // called when the application exits
    {
        std::cerr << "Exit code " << code << std::endl;
    }

    int main(int argc, char *argv[])
    {
        if (PIN_Init(argc, argv))          // parse Pin and tool command-line knobs
            return -1;
        IMG_AddInstrumentFunction(Image, 0);
        PIN_AddFiniFunction(Fini, 0);
        PIN_StartProgram();                // starts the application; never returns
        return 0;
    }

    23/31

    .puncture

    A PinTool for behavior analysis.

    3 Stages:
        A text file of call logs.
        XML of categorized events.
        HTML Report = XML + XSL + CSS

    Instrumentation Methods:
        Instrumentation at boundary
        ReplaceSignature

    24/31

    Instrumentation at Boundary

    UnPinned (conceptual view): FOO calls BAAR(x,x); BAAR runs and its retn returns control to FOO.

    25/31

    Instrumentation at Boundary

    Pinned (conceptual view): FOO calls BAAR; Pin runs b4BAAR(W,x,Z) at BAAR's entry, then BAAR(x,x) itself, then afterBAAR(X,Y,Z) at its return, and only then does control go back to FOO.

    26/31

    ReplaceSignature

    UnPinned (conceptual view): FOO executes "call BAAR"; BAAR runs and its retn returns to FOO.

    27/31

    ReplaceSignature

    Pinned (conceptual view): FOO's "call BAAR" is redirected to the tool's wrappedBAAR, which reaches the original BAAR through PIN_CallApplicationFunction; BAAR's retn comes back to the wrapper, which then returns to FOO.
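    The two pieces of .puncture sketched above (the ReplaceSignature wrapper that logs a call, forwards it to the original routine and logs the return, and the first two of its three stages: a text call log turned into XML of categorized events), as an added example that is not code from the talk or from puncture itself. It is a stand-alone C++ model that builds without the Pin kit: the "original" routines are constructed stand-ins for the application functions a PinTool would replace, a plain function pointer stands in for PIN_CallApplicationFunction, and the API names, behavior categories and log format are this example's own assumptions.

```cpp
// Added example, not code from the talk or from puncture: a stand-alone model of
// puncture's first two stages that builds without the Pin kit. Stage 1 plays the
// part of a ReplaceSignature wrapper such as wrappedBAAR; stage 2 turns the text
// call log into categorized events rendered as XML. API names, categories, log
// format and the stand-in routines are assumptions made for this example.
#include <iostream>
#include <map>
#include <sstream>
#include <string>
#include <vector>

// ---- Stage 1: text call log ------------------------------------------------
static std::vector<std::string> g_callLog;   // one "api(args) = ret" line per call

static void appendArgs(std::ostringstream &) {}
template <typename T, typename... Rest>
static void appendArgs(std::ostringstream &out, const T &first, const Rest &... rest) {
    out << first;
    if (sizeof...(rest) > 0) out << ", ";
    appendArgs(out, rest...);
}

// Model of a ReplaceSignature wrapper: under Pin, "call BAAR" lands here and the
// wrapper reaches the real BAAR via PIN_CallApplicationFunction; here the original
// is an ordinary function pointer. Integers are logged in hex.
template <typename R, typename... A>
static R wrappedCall(const char *api, R (*original)(A...), A... args) {
    std::ostringstream line;
    line << std::hex << std::showbase << api << "(";
    appendArgs(line, args...);
    R ret = original(args...);               // stands in for PIN_CallApplicationFunction
    line << ") = " << ret;
    g_callLog.push_back(line.str());
    return ret;
}

// Constructed stand-ins for the application routines a PinTool would replace.
static unsigned fakeCreateFileW(const char *, unsigned) { return 0x1c; }
static long     fakeRegSetValueExW(const char *, const char *) { return 0; }
static int      fakeConnect(const char *, unsigned) { return 0; }
static unsigned fakeCreateProcessW(const char *) { return 0x40; }

// Runs a constructed "sample" through the wrappers and returns its call log.
std::vector<std::string> sampleCallLog() {
    g_callLog.clear();
    wrappedCall("CreateFileW", fakeCreateFileW, "C:\\dropped.exe", 0x40000000u);
    wrappedCall("RegSetValueExW", fakeRegSetValueExW,
                "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "Updater");
    wrappedCall("connect", fakeConnect, "203.0.113.10", 443u);
    wrappedCall("CreateProcessW", fakeCreateProcessW, "C:\\dropped.exe");
    return g_callLog;
}

// ---- Stage 2: categorized events -> XML -------------------------------------
struct Event { std::string category, api, args, ret; };

// Behavior class of an API (the classes from the Dynamic Analysis slide).
// Unknown APIs are kept and tagged "Other" rather than silently dropped.
std::string categorize(const std::string &api) {
    static const std::map<std::string, std::string> table = {
        {"CreateFileW", "File"}, {"WriteFile", "File"}, {"DeleteFileW", "File"},
        {"RegCreateKeyExW", "Registry"}, {"RegSetValueExW", "Registry"},
        {"connect", "Network"}, {"send", "Network"}, {"InternetOpenUrlW", "Network"},
        {"CreateProcessW", "Process"}, {"OpenProcess", "Process"}, {"WriteProcessMemory", "Process"}};
    std::map<std::string, std::string>::const_iterator it = table.find(api);
    return it == table.end() ? "Other" : it->second;
}

// Parses one "api(args) = ret" line; returns false for a line that does not fit.
bool parseLogLine(const std::string &line, Event &ev) {
    size_t open = line.find('(');
    size_t close = line.rfind(") = ");
    if (open == std::string::npos || close == std::string::npos || close < open) return false;
    ev.api = line.substr(0, open);
    ev.args = line.substr(open + 1, close - open - 1);
    ev.ret = line.substr(close + 4);
    ev.category = categorize(ev.api);
    return true;
}

std::vector<Event> logToEvents(const std::vector<std::string> &log) {
    std::vector<Event> events;
    Event ev;
    for (const std::string &line : log)
        if (parseLogLine(line, ev)) events.push_back(ev);
    return events;
}

// Logged arguments come from the analyzed sample and are untrusted: escape them
// before embedding in XML (and, via XSL, in the HTML report).
std::string xmlEscape(const std::string &s) {
    std::string out;
    for (size_t i = 0; i < s.size(); ++i) {
        if (s[i] == '&') out += "&amp;"; else if (s[i] == '<') out += "&lt;";
        else if (s[i] == '>') out += "&gt;"; else if (s[i] == '"') out += "&quot;";
        else out += s[i];
    }
    return out;
}

std::string renderXml(const std::vector<Event> &events) {
    std::ostringstream out;
    out << "<events>\n";
    for (const Event &e : events)
        out << "  <event category=\"" << e.category << "\" api=\"" << xmlEscape(e.api)
            << "\" ret=\"" << xmlEscape(e.ret) << "\">" << xmlEscape(e.args) << "</event>\n";
    out << "</events>\n";
    return out.str();
}

int main() {
    std::cout << renderXml(logToEvents(sampleCallLog()));   // stage 3 (XSL + CSS) is the report layer's job
    return 0;
}
```

    Two points worth carrying into a real PinTool: the wrapper sees both arguments and return value because it owns the call, which boundary instrumentation only gets by pairing an IPOINT_BEFORE with an IPOINT_AFTER; and everything the wrapper logs is attacker-controlled data from the sample, so it is escaped before it reaches the XML and, through the XSL stage, the HTML report.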

    28/31

    29/31

    .conclusion

    Although DBI frameworks like Pin were not developed primarily for security work but for testing and optimizing performance, measuring code coverage, etc., they have enough capability to be used as software-security research tools too.

    30/31

    Contacts

    Pin http://www.pintool.org

    Pin user group: pinheads@yahoogroups.com

    Me: [email protected]

    31/31

    Thanks
