Presentation "Light and Dark side of Code Instrumentation"
advertisement
Light and Dark side of Code
Instrumentation
Dmitriy “D1g1″ Evdokimov
DSecRG, Security Researcher
#whoami
• Security Researcher in DSecRG
– RE
– Fuzzing
– Mobile security
• Organizer: DCG #7812
• Editor in “XAKEP”
www.dsecrg.com
CONFidence Krakow 2012
2
Agenda
1.
2.
3.
4.
5.
6.
7.
Instrumentation .
Instrumentation ..
Instrumentation …
Instrumentation ….
Instrumentation …..
Instrumentation ……
Instrumentation …….
www.dsecrg.com
CONFidence Krakow 2012
3
Intro
“It has been proved by scientists that a new
point of evolution, any technical progress
appears when a Man makes up a new type of
tool, but not a product.”
www.dsecrg.com
CONFidence Krakow 2012
4
Instrumentation
Instrumentation is a technique adding extra
code to an program/environment for
monitoring/change some program behavior.
Environment
Program
Program
Own
extra
code
www.dsecrg.com
Own
extra
code
CONFidence Krakow 2012
5
Why is it necessary?
Parallel optimization
Simulation
Memory debugging
Virtualization
Emulation
Software profiling
Performance analysis
Testing
Automated debugging
Error detection
Binary translation
www.dsecrg.com
Correctness checking
Collecting code metrics
Optimization
Memory leak detection
CONFidence Krakow 2012
6
Instrumentation in information
security
Security test case generation
Control flow analysis
Code coverage
Unpack
Virtual patching
Malware analysis
Privacy monitoring
Vulnerability detection
Taint analysis
Antivirus technology
Program shepherding
Sandboxing
Data flow analysis
Shellcode detection
Deobfuscation
Fuzzing
Reverse engineering
Behavior based security
Forensic
Transparent debugging
Data Structure Restoring
Security enforcement
www.dsecrg.com
CONFidence Krakow 2012
7
Analysis
Criterion
Static analysis
Dynamic analysis
Code vs. data
Problem
No problem
Code coverage
Big (but not all)
One way
Information about values
No information
All information
Self-modifying code
Problem
No problem
Interaction with the
environment
No
Yes
Unused code
Analysis
No analysis
JIT code
Problem
No problem
www.dsecrg.com
CONFidence Krakow 2012
8
Code Discovery
Memory
After static analysis
0101010110101001010010
Instr 1
After dynamic analysis
0101010101101010101010
Instr 2
Instr 3
1111010101110101000111
jump reg
InstrDATA
4 Instr
1011100111001010101011
5 Instr
Instr
4 6
Instr 5
7
jmp
0111010110100111100110
Instr0x0ABCD
7 cont.
PADDING
Instr 8
1010101101110001001011
Instr 9
InstrInstr
6 10
www.dsecrg.com
CONFidence Krakow 2012
9
The general scheme of code
instrumentation
1.
2.
3.
4.
5.
6.
7.
Find points of instrumentation;
Insert instrumentation;
Take control from program;
Save context of the program;
Execute own code;
Restore context of the program;
Return control to program.
www.dsecrg.com
CONFidence Krakow 2012
10
Source Data
Source data
Source code
www.dsecrg.com
Byte code
CONFidence Krakow 2012
Binary code
11
Classification of target
instrumentation
Instrumentation
With source code
Source code
Linker/Compiler
Without source code
Byte code
Binary code
Byte code
Executable file
Interpreter/VM
Process
Environment
Source
Link-time/Compilation-time
Byte
Static
Dynamic
code
binary
code
binary
instrumentation
instrumentation
modification
instrumentation
-instrumentation
Static
- Load-time
- Dynamic
www.dsecrg.com
CONFidence Krakow 2012
Environment
Hardware
12
Source code instrumentation
• Source code*
– Source code instrumentation
• Manual skills
• Plugins for IDE
– Link-time/Compilation-time instrumentation
• Options of linker/compiler
• Tools: Visual Studio Profiler, gcc, TAU, OPARI,
Diablo, Phoenix, LLVM, Rational Purify, Valgrind
*Unreal condition for security specialist =)
www.dsecrg.com
CONFidence Krakow 2012
13
Unmoral programming
www.dsecrg.com
CONFidence Krakow 2012
14
Byte code instrumentation
Byte code – intermediate representation
between source code and machine code.
…
Java VM
www.dsecrg.com
Dalvik VM
AVM/AVM2
CONFidence Krakow 2012
CLR
15
Instrumentation byte-code (I)
Compilation
Byte-code
Virtual machine
Load
Source code
Loader
Lib
Lib
Lib
Execute
JIT
Machine code
www.dsecrg.com
CONFidence Krakow 2012
16
Instrumentation byte code (II)
• Byte-code
– Static instrumentation
• Static byte code instrumentation
– Load-time instrumentation
• Custom byte code loader
– Dynamic instrumentation
• Dynamic byte-code instrumentation
www.dsecrg.com
CONFidence Krakow 2012
17
Instrumentation Java (I)
Mechanisms:
• java.lang.instrument package;
• Java Platform Debugger Architecture (JPDA) .
www.dsecrg.com
CONFidence Krakow 2012
18
Instrumentation Java (II)
• Static instrumentation
– Modification *.class files
• Load-time instrumentation
– ClassFileLoadHook
– Custom ClassLoader
• Dynamic instrumentation
– ClassFileLoadHook -> RetransformClasses
Tools: Javassist, ObjectWeb ASM, BCEL, JOIE, reJ
JavaSnoop, Serp, JMangler
www.dsecrg.com
CONFidence Krakow 2012
19
Instrumentation .NET
• Static instrumentation
– Modification DLL files
• Load-time instrumentation
– AppDomain.Load()/Assembly.Load()
– Joint redirection
– Via event handler
Tools: ReFrameworker, MBEL, RAIL, Cecil
www.dsecrg.com
CONFidence Krakow 2012
20
Instrumentation ActionScript (I)
• ActionScript2
– AVM
– Tags that (can) contain bytecode:
• DefineButton (7), DefineButton2 (34), DefineSprite (39),
DoAction (12), DoInitAction (59), PlaceObject2 (26),
PlaceObject3 (70).
• ActionScript3
– AVM2
– Tags that (can) contain bytecode:
• DoABC (82), RawABC (72).
www.dsecrg.com
CONFidence Krakow 2012
21
AVM2 Architecture
AS3
.abc
function (x:int):int {
return x+10
}
.abc parser
.abc
getlocal
1 Verifier
Bytecode
pushint 10
add
returnvalue
Interpreter
MIR
JIT Compiler
@1 arg +8// argv
MIRload
Code
Generator
@2
[@1+4]
@3 imm 10
@4 add (@2,@3)
MD Code Generator
@5 ret @4 // @4:eax
(x86, PPC, ARM, etc.)
x86
Runtime System (Type System,
Model)
mov Object
eax,(eap+8)
mov eax,(eax+4)
add eax,10
Memory Manager/Garbage Collector
ret
www.dsecrg.com
CONFidence Krakow 2012
22
Instrumentation ActionScript (I)
Original SWF file
Header
AVM tag
Tags
Instrumenteted
SWF file
www.dsecrg.com
CONFidence Krakow 2012
23
Instrumentation AVM (II)
• Static instrumentation
– Add :
•
•
•
•
•
trace()
dump()
debug()
debugfile()
debugline()
– Modification:
• Create own class + change class name = hook!
www.dsecrg.com
CONFidence Krakow 2012
24
Instrumentation binary code
• Environment
• The executable file
– Static code instrumentation
• Static binary instrumentation
– Modifying call table
• IDT, CPU MSRs, GDT, SSDT,
IRP Ń‚able
• …
• Process
– Debuggers
• Debugging API
– Modifying call table/other structure
– Modifying OS options
•
•
•
•
•
• IAT
• …
– Dynamic code instrumentation
• Dynamic binary instrumentation
• Hardware
– Hardware debug features
• Debug registers
• Hardware debuggers
• …
www.dsecrg.com
SHIM
LD_PRELOAD
AppInt_DLLs
DLL injection
…
– Reproduction of the
environment
• Emulation
• Virtualization
CONFidence Krakow 2012
25
Static Binary Instrumentation (I)
Static binary instrumentation/Physical code
integration/Static binary code rewriting
Header
• Realization:
– With reallocation:
• Level of segment;
• Level of function;
Edited Header
Segment of
code
Segment of
code
Segment of
data
Segment of
data
– Without reallocation.
Extra segment
of code
Extra segment
of data
www.dsecrg.com
CONFidence Krakow 2012
26
Static Binary Instrumentation (II)
Reallocation:
1) Function Displacement + Entry Point Linking;
2) Branch Conversion;
3) Instruction Padding;
4) Instrumentation.
Tools: DynInst, EEL, ATOM, PEBIL, ERESI, TAU,
Vulcan, BIRD, Aslan(4514N)
www.dsecrg.com
CONFidence Krakow 2012
27
Debuggers
• Breakpoints:
•
•
Software
Hardware
App
• Debugger + scripting:
•
•
•
Debugger
OS
WinDBG + pykd
OllyDBG + python = Immunity Debuggers
GDB + PythonGDB
Processor
• Python library's*: Buggery, IDAPython, ImmLIB, lldb, PyDBG,
PyDbgEng, pygdb , python-ptrace , vtrace, WinAppDbg, …
*See “Python Arsenal for Reverse Engineering”
www.dsecrg.com
CONFidence Krakow 2012
28
Dynamic Binary Instrumentation
Dynamic binary instrumentation/Virtual code
integration/Dynamic binary rewriting
DBI
App1
App2
OS
Processor
Tools: PIN, DynamoRIO, DynInst, Valgrind, BAP,
KEDR, Fit, ERESI, Detour, Vulcan, SpiderPig
www.dsecrg.com
CONFidence Krakow 2012
29
Dynamic Binary Instrumentation
• Dynamic Binary Instrumentation (DBI) is a process control and
analysis technique that involves injecting instrumentation code
into a running process.
• Dynamic binary analysis (DBA) tools such as profilers and
checkers help programmers create better software.
• Dynamic binary instrumentation (DBI) frameworks make it easy
to build new DBA tools.
•DBA tools consist:
– instrumentation routines;
– analysis routines.
www.dsecrg.com
CONFidence Krakow 2012
30
Kinds of DBI
Mode:
Mode of work:
Modes of execution:
– Interpretation-mode;
– Probe-mode;
– JIT-mode.
www.dsecrg.com
CONFidence Krakow 2012
Functionality
- Start to finish;
- Attach.
– user-mode;
– kernel-mode.
JIT
Probe
Performance
31
DBI Frameworks*
Frameworks
OS
Arch
Modes
Features
PIN
Linux,
Windows,
MacOS
x86, x86-64,
Itanium, ARM
JIT, Probe
Attach mode
DynamoRIO
Linux,
Windows
x86, x86-64
JIT, Probe
Runtime
optimization
DynInst
Linux,
FreeBSD,
Windows
x86, x86-64,
ppc32, ARM,
ppc64
Probe
Static &
Dynamic binary
instrumentation
Valgrind
Linux, MacOS
x86, x86-64,
ppc32, ARM,
ppc64
JIT
IR – VEX,
Heavyweight
DBA tools
*For more details see “DBI:Intro” presentation from ZeroNights conference
www.dsecrg.com
CONFidence Krakow 2012
32
Start work with DBI
www.dsecrg.com
CONFidence Krakow 2012
33
Levels of granularity
•
•
•
•
•
•
•
Instruction;
Basic Block*;
Trace/Superblock;
Function;
Section;
Events;
Binary image.
www.dsecrg.com
CONFidence Krakow 2012
34
Self-modifying code & DBI
Detect:
– Written-protecting code pages
– Checking store address
– Inserting extra code
www.dsecrg.com
CONFidence Krakow 2012
35
Overhead
O=X+Y
Y = N*Z
Z = K+L
O – Tool Overhead;
X – Instrumentation Routines Overhead;
Y – Analysis Routines Overhead;
N – Frequency of Calling Analysis Routine;
Z – Work Performed in the Analysis Routine;
K – Work Required to Transition to Analysis Routine;
L – Work Performed Inside the Analysis Routine.
www.dsecrg.com
CONFidence Krakow 2012
36
Rewriting instructions
• Platforms:
– with fixed-length instruction;
– with variable-length instructions.
www.dsecrg.com
CONFidence Krakow 2012
37
Rewriting code (I)
• Easy / simple / boring / regular example
– Rewriting prolog function
www.dsecrg.com
CONFidence Krakow 2012
38
Rewriting code (II)
• Hardcore example:
– Mobile phone firmware rewriting
Bootloader
reboot
Flash
SHELLCODE 1
AMSS
GSM
Malicious SMS
Baseband processor
www.dsecrg.com
CONFidence Krakow 2012
39
Instrumentation in ARM
ARM modes:
– ARM
• Length(instr) = 4 byte
– Thumb
• Length(instr) = 2 byte
– Thumb2
• Length(instr) = 2/4 byte
– Jazzle
For more detail see “A Dynamic Binary Instrumentation Engine for the ARM
Architecture” presentation.
www.dsecrg.com
CONFidence Krakow 2012
40
Emulation
App1
OS
Emulator
OS
Processor
www.dsecrg.com
CONFidence Krakow 2012
41
Instrumentation & Bochs
• Bochs can be called with instrumentation support.
• C++ callbacks occur when certain events happen:
–
–
–
–
–
–
Poweron/Reset/Shutdown;
Branch Taken/Not Taken/Unconditional;
Opcode Decode (All relevant fields, lengths);
Interrupt /Exception;
Cache /TLB Flush/Prefetch;
Memory Read/Write.
• “bochs-python-instrumentation” patch by Ero Carrera
www.dsecrg.com
CONFidence Krakow 2012
42
Virtualization
App1
App1
OS
OS
VMM
VMM
OS
Processor
Processor
Native VMM
Hosted VMM
*VMM - Virtual Machine Monitor
www.dsecrg.com
CONFidence Krakow 2012
43
Instrumentation & virtualization
Stages:
1. Save the VM-exit reason information in the VMCS;
2. Save guest context information;
3. Load the host-state area;
4. Transfer control to the hypervisor;
5. Run own code.
*VMCS - Virtual Machine Control Structure
www.dsecrg.com
CONFidence Krakow 2012
44
Instrumentation in
Mobile World
Mobile Platform
Language
Executable file format
Android
Java
Dex
iOS
Objective-C
Mach-O
Windows Phone
.NET
PE
www.dsecrg.com
CONFidence Krakow 2012
45
Conclusion
One can implement instrumentation of everything!
www.dsecrg.com
CONFidence Krakow 2012
46
Contact
Twitter: @evdokimovds
E-mail: d.evdokimov@dsecrg.com
www.dsecrg.com
CONFidence Krakow 2012
47
