![Page 1: The Postmodern Binary Analysis](https://reader033.vdocuments.us/reader033/viewer/2022051300/58ecfff51a28ab9f6d8b45e7/html5/thumbnails/1.jpg)
THE POSTMODERN BINARY ANALYSIS
Onur ALANBEL
![Page 2: The Postmodern Binary Analysis](https://reader033.vdocuments.us/reader033/viewer/2022051300/58ecfff51a28ab9f6d8b45e7/html5/thumbnails/2.jpg)
$ id -un
➤ Computer Engineer (IZTECH)
➤ Developer @TaintAll (taintall.com)
➤ AppSec Researcher
➤ Blog: onuralanbel.pro
➤ @onuralanbel
➤ https://packetstormsecurity.com/search/?q=onur+alanbel
![Page 3: The Postmodern Binary Analysis](https://reader033.vdocuments.us/reader033/viewer/2022051300/58ecfff51a28ab9f6d8b45e7/html5/thumbnails/3.jpg)
AGENDA
➤ Dynamic Binary Instrumentation
➤ Taint Analysis
➤ Constraint Solving With Z3
➤ Symbolic/Concolic Execution
![Page 4: The Postmodern Binary Analysis](https://reader033.vdocuments.us/reader033/viewer/2022051300/58ecfff51a28ab9f6d8b45e7/html5/thumbnails/4.jpg)
DYNAMIC BINARY INSTRUMENTATION
➤ Inject instrumentation code into a running binary.
➤ Instrumentation code executes as normal instructions.
➤ Instrumentation is transparent to the application.
![Page 7: The Postmodern Binary Analysis](https://reader033.vdocuments.us/reader033/viewer/2022051300/58ecfff51a28ab9f6d8b45e7/html5/thumbnails/7.jpg)
DBI FRAMEWORKS
➤ Intel PIN Framework
    ➤ Win, Lin, OS X
    ➤ No IL
➤ Valgrind
    ➤ Lin, OS X
    ➤ IL
➤ DynamoRIO
    ➤ Win, Lin, Android
    ➤ No IL
➤ Maybe others, like
    ➤ PEMU
    ➤ …
![Page 11: The Postmodern Binary Analysis](https://reader033.vdocuments.us/reader033/viewer/2022051300/58ecfff51a28ab9f6d8b45e7/html5/thumbnails/11.jpg)
INSTRUCTION COUNTING
![Page 12: The Postmodern Binary Analysis](https://reader033.vdocuments.us/reader033/viewer/2022051300/58ecfff51a28ab9f6d8b45e7/html5/thumbnails/12.jpg)
SIMPLE SIDE CHANNEL ATTACK
![Page 13: The Postmodern Binary Analysis](https://reader033.vdocuments.us/reader033/viewer/2022051300/58ecfff51a28ab9f6d8b45e7/html5/thumbnails/13.jpg)
CAN WE DO BETTER?
➤ Use snapshots instead of Re-run
➤ Use multi-threading
➤ What about doing something smarter?
![Page 16: The Postmodern Binary Analysis](https://reader033.vdocuments.us/reader033/viewer/2022051300/58ecfff51a28ab9f6d8b45e7/html5/thumbnails/16.jpg)
TAINT ANALYSIS
➤ Which parts of the code can be controlled or affected by tainted data (usually user input)
![Page 18: The Postmodern Binary Analysis](https://reader033.vdocuments.us/reader033/viewer/2022051300/58ecfff51a28ab9f6d8b45e7/html5/thumbnails/18.jpg)
TAINT ANALYSIS
taint RAX
mov RCX, RAX
push RCX
…….
mov RCX, ptr [0x1234]
pop RBX
stop tainting
Which are the tainted regs?
Which are the tainted mems?
RAX, RBX and 8 addresses from the stack
![Page 27: The Postmodern Binary Analysis](https://reader033.vdocuments.us/reader033/viewer/2022051300/58ecfff51a28ab9f6d8b45e7/html5/thumbnails/27.jpg)
TAINT ANALYSIS
taint RAX
mov AL, 0x1
mov ECX, EAX
cmp ECX, EBX
jz 0x4321
Can we control this branch?
![Page 32: The Postmodern Binary Analysis](https://reader033.vdocuments.us/reader033/viewer/2022051300/58ecfff51a28ab9f6d8b45e7/html5/thumbnails/32.jpg)
TAINT ANALYSIS
taint RAX
mov AL, 0x1
mov ECX, EAX
cmp CL, BL
jz 0x4321
What about this one?
![Page 33: The Postmodern Binary Analysis](https://reader033.vdocuments.us/reader033/viewer/2022051300/58ecfff51a28ab9f6d8b45e7/html5/thumbnails/33.jpg)
taint RCX
xor RCX, RDX
add RAX, RCX
Should RAX be tainted?
![Page 36: The Postmodern Binary Analysis](https://reader033.vdocuments.us/reader033/viewer/2022051300/58ecfff51a28ab9f6d8b45e7/html5/thumbnails/36.jpg)
taint RCX
xor RCX, RCX
mov RAX, RCX
Now, should it be?
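Added example, not from the talk and not TaintAll or Triton code: a byte-granular taint tracker for the snippets above. It answers the slides' questions by tracking which bytes of a register carry input: a partial write such as mov AL, 0x1 cleans only the byte it overwrites, a 32-bit write zero-extends the register, and xor r, r is treated as a zeroing idiom. The stack pointer value is a constructed placeholder and only the instructions the slides use are modelled.

```python
# Byte-granular taint tracker for the x86-64 snippets on the slides (added example,
# not TaintAll or Triton code); only the slides' instructions are modelled.
REG = {"RAX": ("RAX", 0, 8), "EAX": ("RAX", 0, 4), "AL": ("RAX", 0, 1),
       "RBX": ("RBX", 0, 8), "EBX": ("RBX", 0, 4), "BL": ("RBX", 0, 1),
       "RCX": ("RCX", 0, 8), "ECX": ("RCX", 0, 4), "CL": ("RCX", 0, 1),
       "RDX": ("RDX", 0, 8)}   # name -> (base register, byte offset, width)
class TaintTracker:
    def __init__(self):
        self.regs = {}               # base register -> tainted byte offsets
        self.mem = set()             # tainted byte addresses
        self.rsp = 0x7FFFF000        # constructed stack pointer for push/pop
        self.flags_tainted = False   # set by cmp: can input steer the next jz?
    def reg_taint(self, r):
        base, off, w = REG[r]
        return {b - off for b in self.regs.get(base, ()) if off <= b < off + w}
    def src_taint(self, toks, w):    # register, "ptr [addr]" or immediate
        if toks[0] == "ptr":
            addr = int(toks[1].strip("[]"), 16)
            return {i for i in range(w) if addr + i in self.mem}
        return self.reg_taint(toks[0]) if toks[0] in REG else set()
    def set_reg(self, r, taint):     # AL keeps bytes 1..7; a 32-bit write zero-extends
        base, off, w = REG[r]
        keep = {b for b in self.regs.get(base, ()) if not off <= b < off + w}
        self.regs[base] = (set() if w == 4 else keep) | {off + b for b in taint}
    def step(self, line):
        op, *a = line.replace(",", " ").split()
        if op == "taint":
            self.set_reg(a[0], set(range(REG[a[0]][2])))
        elif op == "mov":
            self.set_reg(a[0], self.src_taint(a[1:], REG[a[0]][2]))
        elif op == "push":
            self.rsp -= 8
            slot = set(range(self.rsp, self.rsp + 8))
            self.mem = (self.mem - slot) | {self.rsp + b for b in self.reg_taint(a[0])}
        elif op == "pop":
            self.set_reg(a[0], {i for i in range(8) if self.rsp + i in self.mem})
            self.rsp += 8
        elif op == "xor" and a[0] == a[1]:
            self.set_reg(a[0], set())  # zeroing idiom: value no longer depends on input
        elif op in ("xor", "add"):
            self.set_reg(a[0], self.reg_taint(a[0]) | self.src_taint(a[1:], REG[a[0]][2]))
        elif op == "cmp":            # jz and "stop tainting" propagate nothing
            self.flags_tainted = bool(self.src_taint(a[:1], 8) | self.src_taint(a[1:], 8))
    def tainted_regs(self):
        return sorted(r for r, b in self.regs.items() if b)
    def run(self, lines):
        for line in lines:
            self.step(line)
        return self
```

A register-granular engine without byte tracking would report the cmp CL, BL branch as controllable as well; the byte-level bookkeeping is what separates the two cmp cases.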
![Page 37: The Postmodern Binary Analysis](https://reader033.vdocuments.us/reader033/viewer/2022051300/58ecfff51a28ab9f6d8b45e7/html5/thumbnails/37.jpg)
TAINT ANALYSIS
➤ With the help of PIN’s Inspection API (TaintAll)
➤ With the help of Symbolic Execution (Triton Framework)
➤ Using an Intermediate Language (TaintGrind)
![Page 40: The Postmodern Binary Analysis](https://reader033.vdocuments.us/reader033/viewer/2022051300/58ecfff51a28ab9f6d8b45e7/html5/thumbnails/40.jpg)
TAINT ANALYSIS WITH TRITON
Triton/src/examples/pin/runtime_memory_tainting.py
with a little modification
![Page 41: The Postmodern Binary Analysis](https://reader033.vdocuments.us/reader033/viewer/2022051300/58ecfff51a28ab9f6d8b45e7/html5/thumbnails/41.jpg)
![Page 42: The Postmodern Binary Analysis](https://reader033.vdocuments.us/reader033/viewer/2022051300/58ecfff51a28ab9f6d8b45e7/html5/thumbnails/42.jpg)
A LITTLE BIT OF Z3
➤ “Z3 is a state-of-the art theorem prover from Microsoft Research”
➤ Input format is an extension of SMT-LIB 2.0 standard
➤ Or use Z3Py
![Page 46: The Postmodern Binary Analysis](https://reader033.vdocuments.us/reader033/viewer/2022051300/58ecfff51a28ab9f6d8b45e7/html5/thumbnails/46.jpg)
![Page 47: The Postmodern Binary Analysis](https://reader033.vdocuments.us/reader033/viewer/2022051300/58ecfff51a28ab9f6d8b45e7/html5/thumbnails/47.jpg)
For a real-world example
Search: “Reversing the petya ransomware with constraint solvers”
![Page 48: The Postmodern Binary Analysis](https://reader033.vdocuments.us/reader033/viewer/2022051300/58ecfff51a28ab9f6d8b45e7/html5/thumbnails/48.jpg)
SYMBOLIC EXECUTION
x = input()
y = x * 5
if x < 20:
    print "ok"
else:
    print "nope"
![Page 49: The Postmodern Binary Analysis](https://reader033.vdocuments.us/reader033/viewer/2022051300/58ecfff51a28ab9f6d8b45e7/html5/thumbnails/49.jpg)
Path diagram: the input x becomes the symbol sym_x, y = sym_x * 5, and the branch x < 20 splits execution into the "ok" and "nope" paths.
![Page 50: The Postmodern Binary Analysis](https://reader033.vdocuments.us/reader033/viewer/2022051300/58ecfff51a28ab9f6d8b45e7/html5/thumbnails/50.jpg)
CONCRETE EXECUTION
![Page 51: The Postmodern Binary Analysis](https://reader033.vdocuments.us/reader033/viewer/2022051300/58ecfff51a28ab9f6d8b45e7/html5/thumbnails/51.jpg)
CONCOLIC EXECUTION
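Added example, not from the talk: the slide's program run concolically in miniature. Each value carries a concrete part (the concrete run) and an expression tree (the symbolic run); every branch appends its condition to the path, and negating the last condition and solving it yields an input for the other path. This also stands in for the Z3 step from the earlier slides: solve() brute-forces the negated path condition over a small domain where Z3Py would normally be called.

```python
# Miniature concolic execution of the slide's program (added example, not from the
# talk). Values carry a concrete part and a symbolic expression; every branch
# appends its condition to the path. Negating the last condition and solving it
# yields an input for the untaken path. solve() is a brute-force stand-in for Z3.
class Sym:
    def __init__(self, concrete, expr):
        self.concrete, self.expr = concrete, expr
    def __mul__(self, k):
        return Sym(self.concrete * k, ("*", self.expr, k))
    def __lt__(self, k):
        return Sym(self.concrete < k, ("<", self.expr, k))

def evaluate(expr, x):
    """Evaluate a symbolic expression tree for a concrete value of sym_x."""
    if expr == "sym_x":
        return x
    op, lhs, rhs = expr
    lhs = evaluate(lhs, x)
    return lhs * rhs if op == "*" else lhs < rhs

def program(x, path):
    """The slide's program; `path` records (condition, taken) for each branch."""
    y = x * 5                      # y = sym_x * 5 in the symbolic tree
    cond = x < 20
    path.append((cond.expr, cond.concrete))
    return "ok" if cond.concrete else "nope"

def solve(constraints, domain=range(256)):
    """Stand-in for Z3: first x in the domain satisfying every (expr, wanted) pair."""
    return next((x for x in domain
                 if all(evaluate(e, x) == want for e, want in constraints)), None)

def concolic(seed):
    """Run concretely from `seed`, flip the last branch, repeat until no new input."""
    results, worklist, seen = {}, [seed], set()
    while worklist:
        x = worklist.pop()
        if x in seen:
            continue
        seen.add(x)
        path = []
        results[x] = program(Sym(x, "sym_x"), path)
        *prefix, (cond, taken) = path
        new = solve(prefix + [(cond, not taken)])
        if new is not None:
            worklist.append(new)
    return results
```

Starting from the single seed 5, the loop reaches both "ok" and "nope" without guessing inputs; with more branches the prefix constraints keep later flips on the already-explored path.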
![Page 52: The Postmodern Binary Analysis](https://reader033.vdocuments.us/reader033/viewer/2022051300/58ecfff51a28ab9f6d8b45e7/html5/thumbnails/52.jpg)
![Page 53: The Postmodern Binary Analysis](https://reader033.vdocuments.us/reader033/viewer/2022051300/58ecfff51a28ab9f6d8b45e7/html5/thumbnails/53.jpg)
OPEN SOURCE DBA FRAMEWORKS/TOOLS
➤ Triton
➤ Angr
➤ BitBlaze TEMU
➤ Valgrind Tools
➤ PIN Tools
![Page 54: The Postmodern Binary Analysis](https://reader033.vdocuments.us/reader033/viewer/2022051300/58ecfff51a28ab9f6d8b45e7/html5/thumbnails/54.jpg)
REFERENCES
➤ http://uninformed.org/index.cgi?v=7&a=1&p=3
➤ https://software.intel.com/sites/landingpage/pintool/docs/76991/Pin/html/
➤ http://smtlib.cs.uiowa.edu/solvers.shtml