[2011 CodeEngn Conference 05] Deok9 - Program Vulnerability Analysis Using DBI (Dynamic Binary Instrumentation)
DESCRIPTION
2011 CodeEngn Conference 05. DBI stands for Dynamic Binary Instrumentation. It is a technique for inserting arbitrary code, for some special purpose, into a running process or program. With it one can handle dynamically generated code, find specific code, analyze a running process, and so on. It is mainly used in computer architecture research and in program and thread analysis. This talk introduces DBI through the concept of taint analysis, the various tools and how to use them, a simple example, and analysis of recent vulnerabilities. http://codeengn.com/conference/05
TRANSCRIPT
Program Vulnerability Analysis Using DBI
CodeEngn [email protected]
2011.7.2
www.CodeEngn.com CodeEngn Reverse Engineering Conference
Outline
• What is DBI ?
• Before that
• How ?
• A simple example
• Demo !
What is DBI ?
• Instrumentation. Keywords: to gather information, insert code
• Dynamic Binary Instrumentation. Keywords: running program, special purpose, insert code
[figure: arbitrary code inserted into a running program]
Static Analysis
• Summary
- Without running
- Considering all execution paths in a program
- Tools : Sonar, cppcheck, Prevent, Klocwork
Static Analysis
[figure: developer workflow; labels: Check Out, Coding, Modify, Compile Error, Defect, Check In]
Dynamic Analysis
• Summary
- Running
- Considering single execution path
- Input dependency
Winner
• Dynamic Analysis
More precise, because it works with real values at run time
• if ( you think of OllyDbg & IDA disassembler )
Easy to understand
Source Analysis
• Source Analysis
- Language dependency
- Access high-level information
- Tools : Source Insight
Binary Analysis
• Binary Analysis
- Platform dependency
- Access low-level information, e.g. registers
- Complexity, Lack of Higher-level semantics, Code Obfuscation
DRAW
• Binary Analysis
The original source code is not needed
• Source Analysis
You just look at the source
SBI
• Static Binary Instrumentation
- Before the program is run
- Rewrites object code or executable code
- Disassemble -> instrumentation
DBI
• Dynamic Binary Instrumentation
- Run-time
- By external process, grafted onto the client process
Winner
• DBI
1. The client program does not need to be prepared in advance
2. Naturally covers all client code
Usefulness of DBI
• No recompiling or relinking needed
• Find specific code during execution
• Handle dynamically generated code
• Analyze a running process
Use
• Trace procedure generating
• Fault tolerance studies
• Emulating new instructions
• Code coverage -> t / all * 100
• Memory-leak detection
• Thread profiling
• And so on . . .
Before that
• Taint Analysis: a kind of information-flow analysis
Shows how the effect of external input flows through the program
Taint propagation
[figure: taint propagation; labels: Tainted, Untainted, Tainted]
Taint propagation
[figure: propagation from Untrusted source 1 and Untrusted source 2]
Use
• Detecting flaws: if ( tracking user data == available )
you can see where the untrusted data is flowing
• Data Lifetime Analysis
How ?
• Dynamic Binary Instrumentation tools
Pin : Win & Linux & Mac, intermediate language
DynamoRIO : Win & Linux & Mac
TEMU : Win & Linux, QEMU based
Valgrind : Linux
How ?
• Use the Pin tool: Windows, Linux, Mac OS X
Custom code ( C or C++ )
Attach to the running file
Extensive API
Pinheads
Pin ?
• http://pintool.org
A kind of JIT ( Just In Time ) compiler
Its input is not bytecode but a regular executable
It intercepts instructions, generates more code, and executes it
Pin ?
Pin : instrumentation engine
Pintool : instrumentation tool
Application : target program or process
Pin ? (slides 24-28: figures only)
Install
• if ( install on Windows ) you need Visual C++
• else if ( install on Linux ) you need gcc-c++
• else if ( install on Mac 64-bit ) not available
A Simple Example
• Inscount & Itrace & Pinatrace
• Step by step, modifying the code: Inscount -> Modify -> Itrace -> Modify -> Pinatrace
Inscount : count the total number of instructions executed
Modify Inscount
Itrace
• Itrace: instruction address trace
Shows how to pass arguments
Useful for understanding the control flow of a program when debugging
Itrace
Modify Itrace
INS_InsertPredicatedCall ?
To avoid generating references for instructions that are predicated when the predicate is false
Predication is a general architectural feature of IA-64
Pinatrace
• Pinatrace: memory reference trace
Useful for debugging and for simulating a data cache in a processor
Pinatrace
Fields of one Pinatrace output line:
770B89DA : instrumentation point (instruction address)
R/W : access type
0023F434 : &address (the accessed address)
4 : R/W size
0x01 : *address (the value at that address)
Vera
• Use VERA ! Shmoocon 2011, Danny Quist
Visualizing Executables for Reversing & Analysis
Better OEP detection & IDA Pro plugin
Demo !
• if ( use DBI with VERA ) you will see the memory flow ( easily )
• And
you will see the pattern of the vulnerable program and of the patched program
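As an added example, not code from the talk or from Pin itself: a scan over constructed trace lines in the field order of the Pinatrace slide above (instruction address, R/W, accessed address, size, value) that flags the memory-flow pattern a vulnerable run shows and a patched run does not, a copy loop that keeps writing past the end of a known buffer. The line layout, the buffer address and size, and the sample lines are assumptions; the tool is written in C++ because Pin tools are.

```cpp
#include <cstdint>
#include <cstdio>
#include <map>
#include <sstream>
#include <string>
#include <vector>

// One memory reference in the field order of the Pinatrace slide:
// instruction address, R/W, accessed address, size, value read or written.
struct MemRef { uint32_t ip; char type; uint32_t addr; uint32_t size; uint32_t value; };
// Parses a trace line such as "770B89DA W 0023F434 4 0x01" (assumed layout).
// Returns false on a malformed line so one bad record does not abort the scan.
bool parse_ref(const std::string& line, MemRef& out) {
    std::istringstream ss(line);
    std::string ip, type, addr, value;
    if (!(ss >> ip >> type >> addr >> out.size >> value)) return false;
    if (type != "R" && type != "W") return false;
    out.type = type[0];
    out.ip = std::stoul(ip, nullptr, 16);
    out.addr = std::stoul(addr, nullptr, 16);
    out.value = std::stoul(value, nullptr, 16);  // base 16 accepts an optional 0x prefix
    return true;
}
// Overflow pattern: the instruction that fills buffer [base, base+len) keeps
// writing at or past its end. Returns each offending instruction address once
// per fill; reads, and writes by unrelated instructions, are ignored.
std::vector<uint32_t> find_overflow_writes(const std::vector<std::string>& trace, uint32_t base, uint32_t len) {
    std::map<uint32_t, bool> filled;  // instruction address -> has written inside the buffer
    std::vector<uint32_t> hits;
    uint64_t end = uint64_t(base) + len;  // 64-bit so base+len cannot wrap around
    for (const std::string& line : trace) {
        MemRef r{};
        if (!parse_ref(line, r) || r.type != 'W') continue;
        if (r.addr >= base && r.addr < end) filled[r.ip] = true;
        else if (r.addr >= end && filled[r.ip]) { hits.push_back(r.ip); filled[r.ip] = false; }
    }
    return hits;
}
// Constructed sample: a 16-byte stack buffer at 0023F400 is filled byte by byte
// by the copy loop at 00401020, which then writes one byte past the end.
std::vector<std::string> sample_trace() {
    return {"00401020 W 0023F400 1 0x41", "00401020 W 0023F40F 1 0x41",
            "00401020 W 0023F410 1 0x41", "00401035 R 0023F400 4 0x41414141",
            "00401040 W 0023F420 4 0x00000000"};
}
int main() {
    for (uint32_t ip : find_overflow_writes(sample_trace(), 0x0023F400, 16))
        std::printf("write past buffer end by instruction at %08X\n", ip);
}
```

With the patched program's trace (no write at or beyond 0023F410 from the copy loop) the same scan returns nothing, which is the difference the demo makes visible.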
Demo !
Zero-day !
1. Hook vulnerable functions
strcpy, strcat, sprintf, scanf, fscanf, strstr, strchr
2. And monitor ESI
3. Olleh! It's possible to modify the parameters
Zero-day ! (slides 43-44: figures only)
References
• http://translate.google.co.kr/?hl=ko&tab=wT
• http://www.pintool.org/
• http://www.youtube.com/watch?v=9nlWbDdxKjw
Q & A
Quiz
In OR and XOR operations, assuming A is a tainted value ( 1 ),
for what value of B would we say the result "is tainted" ??
Please give the answer and a short reason.
hint ) For an AND operation, the result is tainted when B is 1.
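The propagation rules behind the taint slides and this quiz, as an added example that is not part of the original talk: a toy per-bit, value-sensitive taint tracker in C++ (the register names, the instruction format and the sample program are assumptions). It goes beyond the single-bit quiz by covering AND, OR, XOR and ADD/SUB on whole bytes, plus the xor r,r zeroing idiom that a naive tracker gets wrong.

```cpp
#include <cstdint>
#include <cstdio>
#include <map>
#include <string>
#include <vector>

// A register: concrete byte plus a per-bit taint mask (bit i of `taint` is
// set when bit i of `val` can be influenced by untrusted input).
struct Reg { uint8_t val; uint8_t taint; };
// Value-sensitive propagation. AND: a tainted bit survives only where the other
// operand's bit is 1 (a constant 0 forces that result bit to 0). OR: only where
// the other bit is 0. XOR: always. ADD/SUB: carries can spread taint, so taint all.
Reg propagate(const std::string& op, Reg a, Reg b) {
    Reg r{};
    if (op == "mov") {
        r = b;
    } else if (op == "and") {
        r.val = a.val & b.val;
        r.taint = (a.taint & (b.val | b.taint)) | (b.taint & (a.val | a.taint));
    } else if (op == "or") {
        r.val = a.val | b.val;
        r.taint = (a.taint & (~b.val | b.taint)) | (b.taint & (~a.val | a.taint));
    } else if (op == "xor") {
        r.val = a.val ^ b.val;
        r.taint = a.taint | b.taint;
    } else {  // "add" / "sub"
        r.val = (op == "add") ? (a.val + b.val) : (a.val - b.val);
        r.taint = (a.taint | b.taint) ? 0xFF : 0x00;
    }
    return r;
}
// Toy straight-line program (assumed format): "input" loads an untrusted byte
// (fully tainted), "imm" a trusted constant; other ops combine dst with src.
struct Insn { std::string op, dst, src; uint8_t imm; };
// Runs `prog` and returns the taint mask left in register `name` (0 = clean).
uint8_t final_taint(const std::vector<Insn>& prog, const std::string& name) {
    std::map<std::string, Reg> regs;
    for (const Insn& in : prog) {
        if (in.op == "input")    regs[in.dst] = Reg{in.imm, 0xFF};
        else if (in.op == "imm") regs[in.dst] = Reg{in.imm, 0x00};
        else if (in.op == "xor" && in.dst == in.src) regs[in.dst] = Reg{0, 0};  // xor r,r: constant zero, clean
        else regs[in.dst] = propagate(in.op, regs[in.dst], regs[in.src]);
    }
    return regs.count(name) ? regs[name].taint : 0;
}
int main() {
    std::vector<Insn> prog = {{"input", "eax", "", 0x5A}, {"imm", "ebx", "", 0x0F}, {"and", "eax", "ebx", 0}};
    std::printf("eax taint mask after AND 0x0F: 0x%02X\n", final_taint(prog, "eax"));
}
```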