Nullcon 2011- Behaviour Analysis with DBI

Automatic Program Analysiswith

Dynamic Binary Instrumentation

Sunil Kumar

([email protected])

http://null.co.in/ http://nullcon.net/

#whoami

• Research Associate @ iViZ Techno Solutions

• MCA(007) from Goa University i.e. GUMCA07.

• http://www.linkedin.com/in/sunilkr86

• Twitter @_skare; @_ice_22


http://www.linkedin.com/in/sunilkr86

http://www.linkedin.com/in/sunilkr86

Sections

• .program analysis

• .dynamic behavior

• .dynamic binary instrumentation

• .Pin

• .puncture

• .conclusion


program analysis

• In computer science, program analysis is the process of automatically analysing the behaviour of computer programs.

» http://en.wikipedia.org/wiki/Program_analysis

• Two approaches:

– Static Program Analysis.

– Dynamic Program Analysis.


http://en.wikipedia.org/wiki/Computer_science

http://en.wikipedia.org/wiki/Program_analysis

program analysis::Static Analysis

• Static Properties

– Hash

– Signature/Byte Patterns

– Strings

• Code Analysis

• Safe because we did not run it?

– Mostly.

• Match against known data.


program analysis::Static Analysis

• One side of the coin.

• May fail if

– Obfuscated strings.

– Variants.

– Code in non-standard sections {.data,…}

– Self modifying code.

– Brand new.


program analysis::Dynamic Analysis

• a.k.a. Behavior Analysis

• Let Us C (“see”)

• Dynamic Properties

– File Operations

– Registry Operations

– Network Operations

– Interaction with other processes…

• Dangerous unless run in controlled environment / sandbox.


instrumentation• Instruments that record , analyze, summarize,

organize, debate in explained information that are illustrative, non illustrative hard bound, paper bag, jacketed, non jacketed with forward introduction, table of content, index, that are intended for the enlightenment, understanding, enrichment, enhancement, education of human brain through sensory route of vision...sometimes touch!


Dynamic Binary Instrumentation

• Instrument code just before it runs (Just In Time)

• No need to re-link.

• Discover code at runtime

• Handle dynamically generated code.

• Attach to running process.

• [cgo_2010_final.ppt]


• A Dynamic Binary Instrumentation engine based on Post-Link Optimizer “Spike”.

• Developed by Intel Corporation.

• Oldest available release Pin-2.6-24110 dated 13/01/2009.

• Latest release Pin-2.8-39028 dated 02/02/2011.

• Alternatives: DynamoRIO, Valgrind


Advantages of Pin• Provides rich set of APIs in C/C++/Assembly for creating

instrumentation tools a.k.a PinTools.• Multiplatform:

– Supports IA-32, IA64, Intel64– Supports Windows, Linux MacOS

• Robust:– If you can run it, you can Pin it.– Multithreaded applications– Self modifying code– Support signals and exceptions

• Efficient– Compiler optimization and code inlining.


Advantages of Pin• Provides rich set of APIs in C/C++/Assembly for creating

instrumentation tools a.k.a PinTools.• Multiplatform:

– Supports IA-32, IA64, Intel64– Supports Windows, Linux MacOS

• Robust:– If you can run it, you can Pin it.– Multithreaded applications– Self modifying code– Support signals and exceptions

• Efficient– Compiler optimization and code inlining.

• Bypass Debug-Protection. (DEMO)


Pin Capabilities

• Inert code at arbitrary places in executable code.

• Just-In-Time compilation

• Automatic save/restore registers to avoid interference.

• Dynamic code discovery.

• Instrument anything ever executed*.


Pin Capabilities





• Instrument anything ever executed*.• (*User Mode)


Pin Capabilities





• Instrument anything ever executed*.


If Pin doesn’t have it, you don’t want it

but I do want these too…

• Kernel Mode

• Isolated I/O.

• Handling exceptions of PinTools.


What for me but?


Read

Instructions

Operands

Operations

Methods

Parameters

Return Values

Modules

Write

Instructions

Operands

Operations

Methods

Parameters

Return Values

Pin Design


Pin Workflow


Pin Instrumentation Modes

• JIT

– Using Code-Cache

– All Instrumentation granularities

– Flexible

• Probe

– Binary modified in place.

– Limited to Routine level instrumentation.

– Less flexible.

– Faster than JIT in some cases.


Pin Instrumentation Granularities

• INS

• BBL

• Trace

• RTN

– Requires symbol support- dbghelp.dll v6.11.1.404.

• IMG


a Simple PinTool

#include “pin.H”

int main(int argc, char *argv[])

{

if(PIN_Init(argc,argv))

return -1;

IMG_AddInstrumentFunction(Image, 0);

PIN_AddFiniFunction(Fini,0);

PIN_StartProgram();

return 0;

}


.puncture

• A PinTool for behavior analysis.

• 3 Stage:

– A text file of call logs.

– XML of categorized events.

– HTML Report = XML+XSL+CSS

• Instrumentation Methods

– Instrumentation at boundary

– ReplaceSignature


Instrumentation at Boundary


• UnPinned

BAAR(x,x) retn

FOO BAAR

*Conceptual View

Instrumentation at Boundary


• Pinned

b4BAAR(W,x,Z)BAAR(x,x)

afterBAAR(X,Y,Z)return

FOO BAAR

b4BAARafterBAAR

*Conceptual View

ReplaceSignature


• UnPinned

call BAAR retn

FOO BAAR

*Conceptual View

ReplaceSignature


• Pinned

call BAARretn

FOO BAAR

PIN_CallApplicationFunction

wrappedBAAR

*Conceptual View

Logger Requirements

• 3 Modules

– Registry Logger (ADVAPI32.DLL)

– File Logger (KERNEL32.DLL)

– Network Logger (WS2_32.DLL)

• Final Output

– A PinTool : Call Log in plain text.

– PinParser : RawText => XML}

– XSLT+CSS+JS for Visualization

• [DEMO]http://null.co.in/ http://nullcon.net/

.conclusion

• Although DBI Frameworks like Pin are not primarily developed to test and optimize performance, code coverage etc., they have enough capabilities to be used as software security research tool too.


Contacts

• Pin http://www.pintool.org

• Pin user group pinheades@yahoo-groups

• Me: [email protected]


http://www.pintool.org/

mailto:[email protected]

Thanks…


Technology

Nullcon 2011- Behaviour Analysis with DBI