Symbolic analysis with angr - Berghem-in-the-Middle ETS · 1/13/2019
Symbolic analysis with angr
Enrico Bacis - Hackers eat Pizza 2019 -
$ whoami
Enrico Bacis
PhD student @ UniBG
Organizations:
● Unibg Seclab
● BgLUG
● Hacklab BITM
Research areas:
● Access Control
● Database Security
● Mobile Security
Outline
● Binary analysis techniques
● How symbolic analysis works
● The angr framework
● Basic usage
● More about angr
Binary analysis techniques
Static Analysis
● objdump
● IDA
Dynamic Analysis
● gdb (& friends)
● radare2
Limits
How symbolic analysis works (a.k.a. four slides stolen from every angr presentation ever given)
[Diagram: symbolic exploration over a control-flow graph, with nodes labelled start, end, avoid, avoid]
angr
https://angr.io
What angr is
● Binary analysis framework in Python that combines static analysis and dynamic symbolic analysis ("concolic analysis", from concrete and symbolic)
● Developed by UCSB (third place at the DARPA Cyber Grand Challenge)
● Based on VEX (Valgrind), supports a great many architectures
● Analysis flow:
○ The executable is loaded into the framework
○ The binary code is translated into an IR (intermediate representation)
○ The analysis is run
Basic usage
ais3 crackme
● https://github.com/angr/angr-doc/tree/master/examples/ais3_crackme
● The binary is run with one argument
● If the argument is correct
○ stdout: "Correct! that is the secret key!"
● Otherwise
○ stdout: "I'm sorry, that's the wrong secret key!"
Target
import angr, claripy

project = angr.Project("./ais3_crackme")

# create an initial state with a symbolic bit vector as argv1
argv1 = claripy.BVS("argv1", 100*8)  # 100 bytes
initial_state = project.factory.entry_state(args=["./ais3_crackme", argv1])

# create a path group using the created initial state
sm = project.factory.simulation_manager(initial_state)

# symbolically execute the program until we reach the wanted value of the IP
sm.explore(find=0x400602)  # find a way to reach the address
found = sm.found[0]

# ask the symbolic solver the value of argv1 in the reached state as a string
solution = found.solver.eval(argv1, cast_to=bytes)
print(repr(solution))

$ python3 solve.py
ais3{I_tak3_g00d_n0t3s}\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
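The find/avoid exploration of the diagram above and the solver query of solve.py, re-implemented as a toy symbolic executor over a constructed bytecode. This is an added illustration, not code from the slides, and it does not use angr: the bytecode, its "jif" instruction and the byte-enumeration solver are constructed stand-ins for the binary, the VEX IR and claripy.

```python
from collections import deque
import operator
OPS = {"==": operator.eq, "!=": operator.ne, "<": operator.lt, ">": operator.gt}

# Constructed sample "crackme" bytecode (pc -> instruction). It accepts a key with
# key[0] == 'k', '1' <= key[1] <= '3', key[2] == '!'.  ("jif", idx, op, k, target)
# jumps to target when key[idx] <op> k holds, otherwise falls through to pc + 1.
PROGRAM = {
    0: ("jif", 0, "!=", ord("k"), 5),
    1: ("jif", 1, "<", ord("1"), 5),
    2: ("jif", 1, ">", ord("3"), 5),
    3: ("jif", 2, "!=", ord("!"), 5),
    4: ("halt", "Correct! that is the secret key!"),         # the "find" address
    5: ("halt", "I'm sorry, that's the wrong secret key!"),  # the "avoid" address
}

def candidate(constraints, idx):
    """Toy solver: smallest byte satisfying every path constraint on key[idx], or None."""
    for v in range(256):
        if all(OPS[op](v, k) == want for i, op, k, want in constraints if i == idx):
            return v
    return None

def explore(program, find, avoid):
    """Fork at every branch, carrying the path constraint per state; return the
    constraint of the first state that reaches `find` without touching `avoid`."""
    queue, seen = deque([(0, ())]), set()
    while queue:
        pc, cons = queue.popleft()
        if pc in avoid or (pc, cons) in seen:
            continue
        seen.add((pc, cons))
        if pc == find:
            return cons
        instr = program[pc]
        if instr[0] == "jif":                   # "halt" has no successors
            _, idx, op, k, target = instr
            for want, nxt in ((True, target), (False, pc + 1)):
                new = cons + ((idx, op, k, want),)
                # constraints tie single bytes to constants, so feasibility splits per index;
                # infeasible forks are dropped, just as angr's solver prunes them
                if all(candidate(new, i) is not None for i in {c[0] for c in new}):
                    queue.append((nxt, new))
    return None

def solve(constraints, key_len):
    """Smallest satisfying byte per position, 0 where unconstrained (angr's trailing \\x00 bytes)."""
    return bytes(candidate(constraints, i) or 0 for i in range(key_len))

def crack(program=PROGRAM, find=4, avoid=(5,), key_len=5):
    cons = explore(program, find, avoid)
    return None if cons is None else solve(cons, key_len)
```

crack() returns b'k1!\x00\x00': the two unconstrained trailing bytes come back as zero, which is why the slide's 100-byte argv1 prints as the flag followed by a run of \x00.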
More about angr
What else can angr do?
● Symbolic Procedures
● Automatic ROP chain building
● Automatic binary hardening
● Automatic exploit generation (for DECREE and simple Linux binaries)
Installation
angr is installed via pip:
$ mkvirtualenv angr
$ pip install angr
There is also a docker container:
$ docker run -it angr/angr
References
● angr: https://github.com/angr
● angr-doc: https://github.com/angr/angr-doc
● angr-course: https://github.com/angr/acsac-course
● z3: https://github.com/mwrlabs/z3_and_angr_binary_analysis_workshop
● https://www.slideshare.net/bananaappletw/triton-and-symbolic-execution-on-gdbdef-con-china-97054877