470 likes | 498 Views
Light and Dark side of Code Instrumentation. Dmitriy “D1g1″ Evdokimov DSecRG , Security Researcher. # whoami. Security Researcher in DSecRG RE Fuzzing Mobile security Organizer: DCG #7812 Editor in “XAKEP”. Agenda. Instrumentation . Instrumentation .. Instrumentation …
E N D
Light and Dark side of Code Instrumentation Dmitriy “D1g1″ Evdokimov DSecRG, Security Researcher
#whoami • Security Researcherin DSecRG • RE • Fuzzing • Mobile security • Organizer: DCG #7812 • Editor in “XAKEP” CONFidence Krakow 2012
Agenda • Instrumentation . • Instrumentation .. • Instrumentation … • Instrumentation …. • Instrumentation ….. • Instrumentation …… • Instrumentation ……. CONFidence Krakow 2012
Intro “It has been proved by scientists that a new point of evolution, any technical progress appears when a Man makes up a new type of tool, but not a product.” CONFidence Krakow 2012
Instrumentation Instrumentation is a technique adding extra code to an program/environment for monitoring/change some program behavior. Environment Program Program Own extra code Own extra code CONFidence Krakow 2012
Why is it necessary? Parallel optimization Simulation Memory debugging Virtualization Emulation Software profiling Performance analysis Testing Automated debugging Correctness checking Error detection Collecting code metrics Optimization Binary translation Memory leak detection CONFidence Krakow 2012
Instrumentation in information security • Security test case generation • Control flow analysis • Unpack Code coverage • Virtual patching • Malware analysis • Vulnerability detection Privacy monitoring • Taint analysis • Antivirus technology • Program shepherding • Sandboxing Data flow analysis • Shellcode detection • Fuzzing • Deobfuscation • Reverse engineering • Behavior based security • Forensic • Transparent debugging Data Structure Restoring Security enforcement CONFidence Krakow 2012
Analysis CONFidence Krakow 2012
Code Discovery Memory After static analysis Instr 1 0101010110101001010010 Instr 1 After dynamic analysis Instr 2 Instr 2 0101010101101010101010 Instr 3 Instr 3 1111010101110101000111 jump reg jump reg Instr 4 DATA Instr 1011100111001010101011 Instr 4 5 Instr 6 Instr 5 Instr 7 0111010110100111100110 Instr 7 cont. jmp 0x0ABCD PADDING Instr 8 Instr 6 Instr 9 1010101101110001001011 Instr 10 CONFidence Krakow 2012
The general scheme of code instrumentation • Find points of instrumentation; • Insert instrumentation; • Take control from program; • Save context of the program; • Execute own code; • Restore context of the program; • Return control to program. CONFidence Krakow 2012
Source Data Source data Source code Byte code Binary code CONFidence Krakow 2012
Classificationoftarget instrumentation Instrumentation With source code Without source code Source code Byte code Binary code Linker/Compiler Byte code Executable file Interpreter/VM Process Source code instrumentation • Link-time/Compilation-time • instrumentation • Byte code instrumentation • Static • Load-time • Dynamic • Static binary instrumentation • Dynamic binary instrumentation • Environment modification Environment Hardware CONFidence Krakow 2012
Source code instrumentation • Source code* • Source code instrumentation • Manual skills • Plugins for IDE • Link-time/Compilation-time instrumentation • Options of linker/compiler • Tools: Visual Studio Profiler, gcc, TAU, OPARI, Diablo, Phoenix, LLVM, Rational Purify, Valgrind *Unreal condition for security specialist=) CONFidence Krakow 2012
Unmoral programming CONFidence Krakow 2012
Byte code instrumentation Byte code – intermediate representation between source code and machine code. … Java VM Dalvik VM AVM/AVM2 CLR CONFidence Krakow 2012
Instrumentation byte-code (I) Source code Compilation Byte-code Load Virtual machine Loader JIT Execute Lib Lib Lib Machine code CONFidence Krakow 2012
Instrumentation byte code (II) • Byte-code • Static instrumentation • Static byte code instrumentation • Load-time instrumentation • Custom byte code loader • Dynamic instrumentation • Dynamic byte-code instrumentation CONFidence Krakow 2012
Instrumentation Java (I) • Mechanisms: • java.lang.instrument package; • Java Platform Debugger Architecture (JPDA) . CONFidence Krakow 2012
Instrumentation Java (II) • Static instrumentation • Modification *.class files • Load-time instrumentation • ClassFileLoadHook • Custom ClassLoader • Dynamic instrumentation • ClassFileLoadHook -> RetransformClasses Tools: Javassist, ObjectWeb ASM, BCEL, JOIE, reJJavaSnoop, Serp, JMangler CONFidence Krakow 2012
Instrumentation .NET • Static instrumentation • Modification DLL files • Load-time instrumentation • AppDomain.Load()/Assembly.Load() • Joint redirection • Viaevent handler Tools: ReFrameworker, MBEL, RAIL, Cecil CONFidence Krakow 2012
Instrumentation ActionScript (I) • ActionScript2 • AVM • Tags that (can) contain bytecode: • DefineButton (7), DefineButton2 (34), DefineSprite (39), DoAction (12), DoInitAction (59), PlaceObject2 (26), PlaceObject3 (70). • ActionScript3 • AVM2 • Tags that (can) contain bytecode: • DoABC (82), RawABC (72). CONFidence Krakow 2012
AVM2 Architecture .abc AS3 function (x:int):int { return x+10 } .abc parser MIR @1 arg +8// argv @2 load [@1+4] @3 imm 10 @4 add (@2,@3) @5 ret @4 // @4:eax JIT Compiler .abc getlocal 1 pushint 10 add returnvalue Bytecode Verifier MIR Code Generator Interpreter MD Code Generator (x86, PPC, ARM, etc.) x86 moveax,(eap+8) moveax,(eax+4) add eax,10 ret Runtime System (Type System, Object Model) Memory Manager/Garbage Collector CONFidence Krakow 2012
Instrumentation ActionScript (I) AVM tag Original SWF file Tags Header Instrumenteted SWF file CONFidence Krakow 2012
Instrumentation AVM (II) • Static instrumentation • Add : • trace() • dump() • debug() • debugfile() • debugline() • Modification: • Create own class + change class name = hook! CONFidence Krakow 2012
Instrumentation binary code • Environment • Modifying call table • IDT, CPU MSRs, GDT, SSDT, IRP тable • … • Modifying OS options • SHIM • LD_PRELOAD • AppInt_DLLs • DLL injection • … • Reproduction of the environment • Emulation • Virtualization • The executable file • Static code instrumentation • Static binary instrumentation • Process • Debuggers • Debugging API • Modifying call table/other structure • IAT • … • Dynamic code instrumentation • Dynamic binary instrumentation • Hardware • Hardware debug features • Debug registers • Hardware debuggers • … CONFidence Krakow 2012
Static Binary Instrumentation (I) Static binary instrumentation/Physical code integration/Static binary code rewriting • Realization: • With reallocation: • Level of segment; • Level of function; • Without reallocation. Edited Header Header Segment ofcode Segment ofcode Segment of data Segment of data Extra segment ofcode Extra segment of data CONFidence Krakow 2012
Static Binary Instrumentation (II) Reallocation: 1) Function Displacement + Entry Point Linking; 2) Branch Conversion; 3) Instruction Padding; 4) Instrumentation. Tools: DynInst, EEL, ATOM, PEBIL, ERESI, TAU, Vulcan, BIRD, Aslan(4514N) CONFidence Krakow 2012
Debuggers • Breakpoints: • Software • Hardware • Debugger + scripting: • WinDBG + pykd • OllyDBG + python = Immunity Debuggers • GDB + PythonGDB • Python library's*: Buggery, IDAPython, ImmLIB, lldb, PyDBG, PyDbgEng, pygdb , python-ptrace , vtrace, WinAppDbg, … *See “Python Arsenal for Reverse Engineering” App Debugger OS Processor CONFidence Krakow 2012
Dynamic Binary Instrumentation Dynamic binary instrumentation/Virtual code integration/Dynamic binary rewriting Tools: PIN, DynamoRIO, DynInst, Valgrind, BAP, KEDR, Fit, ERESI, Detour, Vulcan, SpiderPig App1 DBI App2 OS Processor CONFidence Krakow 2012
Dynamic Binary Instrumentation • Dynamic Binary Instrumentation (DBI) is a process control and analysis technique that involves injecting instrumentation code into a running process. • Dynamic binary analysis (DBA) tools such as profilers and checkers help programmers create better software. • Dynamic binary instrumentation (DBI) frameworks make it easy to build new DBA tools. • DBA tools consist: • instrumentation routines; • analysis routines. CONFidence Krakow 2012
Kinds of DBI Mode: • user-mode; • kernel-mode. Modes of execution: • Interpretation-mode; • Probe-mode; • JIT-mode. Mode of work: - Start to finish; - Attach. Functionality JIT Probe Performance CONFidence Krakow 2012
DBI Frameworks* *For more details see “DBI:Intro” presentation from ZeroNights conference CONFidence Krakow 2012
Start work with DBI CONFidence Krakow 2012
Levels of granularity • Instruction; • Basic Block*; • Trace/Superblock; • Function; • Section; • Events; • Binary image. CONFidence Krakow 2012
Self-modifying code & DBI Detect: • Written-protecting code pages • Checking store address • Inserting extra code CONFidence Krakow 2012
Overhead O = X + Y Y = N*Z Z = K+L O – Tool Overhead; X – Instrumentation Routines Overhead; Y – Analysis Routines Overhead; N – Frequency of Calling Analysis Routine; Z – Work Performed in the Analysis Routine; K – Work Required to Transition to Analysis Routine; L – Work Performed Inside the Analysis Routine. CONFidence Krakow 2012
Rewriting instructions • Platforms: • with fixed-length instruction; • with variable-length instructions. CONFidence Krakow 2012
Rewriting code (I) • Easy / simple / boring / regular example • Rewriting prolog function CONFidence Krakow 2012
Rewriting code (II) • Hardcore example: • Mobile phone firmware rewriting Bootloader reboot Flash SHELLCODE 1 AMSS Malicious SMS GSM Baseband processor CONFidence Krakow 2012
Instrumentation in ARM ARM modes: • ARM • Length(instr) = 4 byte • Thumb • Length(instr) = 2 byte • Thumb2 • Length(instr) = 2/4 byte • Jazzle For more detail see “A Dynamic Binary Instrumentation Engine for the ARM Architecture” presentation. CONFidence Krakow 2012
Emulation App1 OS Emulator OS Processor CONFidence Krakow 2012
Instrumentation & Bochs • Bochs can be called with instrumentation support. • C++ callbacks occur when certain events happen: • Poweron/Reset/Shutdown; • Branch Taken/Not Taken/Unconditional; • Opcode Decode (All relevant fields, lengths); • Interrupt /Exception; • Cache /TLB Flush/Prefetch; • Memory Read/Write. • “bochs-python-instrumentation” patch by EroCarrera CONFidence Krakow 2012
Virtualization App1 OS App1 OS VMM VMM OS Processor Processor Native VMM Hosted VMM *VMM - Virtual Machine Monitor CONFidence Krakow 2012
Instrumentation & virtualization Stages: • Save the VM-exit reason information in the VMCS; • Save guest context information; • Load the host-state area; • Transfer control to the hypervisor; • Run own code. *VMCS - Virtual Machine Control Structure CONFidence Krakow 2012
Instrumentation in Mobile World CONFidence Krakow 2012
Conclusion One can implement instrumentation of everything! CONFidence Krakow 2012
Contact Twitter: @evdokimovds E-mail: d.evdokimov@dsecrg.com CONFidence Krakow 2012