Bestand wählen
Merken

Implementing an LLVM based Dynamic Binary Instrumentation framework

Zitierlink des Filmsegments
Embed Code

Automatisierte Medienanalyse

Beta
Erkannte Entitäten
Sprachtranskript
so the the the the and so over the next local today we're going to talk about the new offices up DBI framework which is called QBD i.e. out DB mate means that any Binary Instrumentation dynamics well you know binary also it's tradition is to observer monitor and modified some parts of their some parts of a program or a library and that we have a speaker chose to bend acidic this year by chance there but there is a security researchers chose likes attacking white books crypto anchored Monday with ground and city instead he is our focus the reverse engineering any lacks whiskey there you go procedures years give them a hand please have
uh so it's in the middle of the job but the singer's uh so we work at what's up with is of French consulting secured company and during for work we use a lot of BIO and for the past year and a half leading together researching DBI frameworks and also working on wall framework and what you want today is to try to demystify what the DBF forward he's always which works and try to show you how we went about implementing only BI and we hope to inspire you about the users of the framework and maybe even a helping us on all so I start
the easiest of points and interaction of what is exactly instrumentation so
basically this state is the transformation of a program into its own measurement to so you making an instrument and this insulin what you can do is that can also any state of the program at any time during the run time and then after that what you really need to do the tool will to make the data collection and the processing of those data so
was that's quite abstract so what could you do with that kind of instrumentation well I'm pretty sure most of you if you programming SiOsub use already use Valgrind and maybe the textual and that's survival and is instrumentation for Morgan mentioned is instrumentation tool and what it does it's quite simple it will try memory-allocation in the adaptation during the run time and also track memory accesses and with that information it is able to both the text and use of free memory leaks the free but also all the long memory access and and it tells you whether you are you are accessing the sorry to bite of side of the boundary that I read that you've allocated on that case in the the uh so it's quite useful another 1 proper use cases forcing so in closing 1 of the answers in your generating random inputs and sending it to a program and try to make it crashed but 1 of the thing you want to do is to generate interesting random includes so you want to know if between 2 random input if the new 1 you generating arch all our exploring more part of the code are generating more state transition and things like that so you want to measure the execution and 1 of the main criteria can measure is the measuring the code coverage so DVI framework is a very good thing to measure code coverage and if you use we nice cell basically size so using a DBN framework which is isn't and to gather MIT code-coverage informations and if you go deeper you can even use the information you have about what's instruction I suggested to try to build a symbolic representation of the parameter for and then you get the Doppler saving Grand Challenge and that was held little over 1 year and a half ago the last thing you can do is we got centuries ecution phrases which means recording everything that happens in a program once you have that you can replay those execution traces then you get something that looked like a time as the burger where you can go forward and backward and you can try to track everything that's happening in the program we don't relaunching its also something that I've been working on this for was software side-channel attacks attack against the cryptography so you using the execution trace to generate side-channel information and trying to recover key from of this gated uh cryptography so so far out 1 of the
question 14 did you might be asking is why not use the burgers because the because can do all of that the problems that the burgers although there are some there are men for humans not for machines and they're very slow so if you imagine a the burger that's attached to a target and you imagine the target dispose you press continue this is what happens on the on your system so the divergence and resume goal to become old because well decide to reschedule the inclusion of the target to halve the whole scrutiny of the process that happens and then the targeted at every point which is like attracting the art which just back into go and then the kernel the moon will decide to do that we see that the nature of of this should be cached by the the burger basically so it's going to send a signal to the debugger and rescheduled the addition of the diverter and why you doing that for 1 continuing breakpoint it you doing for over bonded crossing between user and can events and also you drink to process for scattering so it's quite slow hostal
of maybe you've of seeing those kind of Mexican doing suggest what you this to reverse engineer binary that takes a password and what you do is you try to measure the vacation time what you're trying different passwords and not trade execution time something more interesting which is the insertion counts the number of instructions issued to the and you can try to bridge falls apart sort of character by character is for and what you see on the top is gdb and what you about them is in 13 so on the bottom you see that it actually can take a lot of cases and that you see the number of instructions and while gdb is extremely slow and even though the instruction com international our us sole yet you don't want to use you don't want to use the debugger you want to use a dynamic instrumentation framework and so the solution
well it's to get rid of the kernel the and how all of the other solution except if you want to really pay for them at the system is to run the instrumentation inside the target
so instrumentation techniques so there's a few different way to do that the 1st 1 is from source code and I'm pretty sure anybody everybody has done that is just adding print statement to your code and get information it's basic instrumentation but you could be most smarter and try to do that automatically at compile time with the compiler in general solutions when you work from binary and when you were from binary does basically to approach the 1st 1 is to take the binary emphatically party and other hooks to additional good you insert into the binary and the last 1 is dynamic buyer instrumentation so from source code is really boring there's nothing very complex and interesting to know about that but from static binary patching invoking all its crude and Barbara because you have to know what I mean advance for you want to insert SuFu which is not really possible and so this talk is about dynamic Binary Instrumentation so there's a few existing frameworks
and the first one is Valgrind as I mentioned existence thousand is open source of however only supports Unix platforms and is very complex to use not to using the command line tool but to right through instrumentation to another 1 is you know real which exists in 2002 which is open source it's cross-platform across architecture however it's very hard to use to because if you basically have to manipulate the instructions in a family yourself which is quite a a form and the last 1 is in the in which is the most popular 1 because it's very user-friendly however it only supporting the platforms and it's close cells so why we made all in 2015 what they wanted was to have a cross-platform and course architecture DBN framework then all of those framework where we look quite a long time ago so there was a new things you could try to do that and we wanted to focus on mobile and embedded targets because that's basically where I never working on in order to job also wanted to try to have something that 1st forcing parentless modeler meaning we could use it with all the reverse engineering to easily and also because our past in cracking theorem basically uh we wanted to focus on heavy instrumentation which means that in something lot of things generating lots of data so I'm
going to explain to understand of following of the little you need to understand how the BI exactly work so I'm going to try to explain that and if I did it correctly the so the the simple idea that that right instrument adjustable dynamically inserting the instrumentation so you would the good you wrought inside the binary during time
so to this you would do the same in all of the code that's going to be executive and then of you passing the instructions to instrumentation Tool that analyze them and generate the appropriate that instrumentation and then the instrumentation gets inserted into the education flow and its executives and then you have back-and-forth can however that in
this this looks simple but there's
a few problems with this this graphic
not look like 1 of the problems of the 1st 1 is this something that you can't just you don't know when you get a binary what part of the binary school because school data school than others a lot of unpredictable branching and jump everywhere so you can observe these assembled a whole binary in advance so you need to discover what is going to be the gold of the binary as you go drinking ecution basically what this means is that you will a short piece of code a block of code something that has a series of instruction you can predict will be secure that and then that ends which of control false statement like conditional term for call that you cannot resolve and you executive this piece of code and then you word forms to flow next what's the next instruction want executives and this we you discover the next book of could you want to cute and you'd the thicker the next block of code so that they can form a short cycle of execution and not the other
problem you have is uh about the instrumentation the code that you're generating because the instrumentation codes generated is much larger than the original called because the sum of the tyrannical plus the instrumentation you're adding and compiler I look down there and tried to the fits all the code into the binary not waste so there's not much space left around in the courts section segment of the binary so you cannot instrumented in place you can just added in the binary there's not enough space so you need to write it somewhere else and this introduce the problem of relocating Georgian code of the binary so the problem which relocating
is that the code contains refer relative reference to memory addresses so you might have a job that say and I'll jump to the instruction from divide for world all of you might have a memory access that say all going into that piece of data which is 1 thousand 37 bytes of backwards from my position and if you remove it if you move everything will these friends becomes invalid so this means we need to actually compute your right in the original codes to fix all those references and in our engine and what group present for the going this stop this is what we call patching so it's you summerize
everything you need to do this in the cycle of life of the DBI engine is stopped by disassembling the 1st piece of wood want to execute then it's it pattern to make it repeatable then you got instrumentation to depart on a piece of code it that symbol somewhere in executable memory somewhere else and then EPA executed and once again you should finish it looks at what the next piece of putty for these acute and start again so now it's
explain some of the overall level of section we have to deal with all of that you know of course and so you find in the of all the people in the real and for you no so all
of the all of the stuff you find you and this is what we we all the institution and here and I think what is called a control fuel sold really at the end of visibility of the dominant or construction of which can be adjourned for example on this school to on the 1 and 2 with this kind of structure of the cultural for just go on and mean you start function and it's just because everybody block on you don't have any way to interact it so what we wanted some kind of and the control
flow and by this I mean we want after of the 1st block to take the control but we want to be about tools to religion all the faucets modify its to jump inside our own called there are we will execute of the logic of the Indian and we'll be about to go to the magazine reduction and so on
but here in fact everything is about keeping control of the execution and this is
much more difficult that we can't expect because what we want
it's it's false as requires to modify the original installation of the binary but we don't want to modify the original idea of your of the software we want to know the all to execute it as it was and that's and this is quite difficult and we could write a lots of through a level of tools yeah so what do we need in fact very very simple thing we need the motor architecture disassembler but we also need a merger architecture assembler and if possible it should also cross-platform please and when it's some kind of an intermediate representation to walk on and this representation has shown me link a link between the distance from the and the assembler sold this requirements were quite strong and also what we don't want well basically we don't have unlimited resources so if possible we control things like to implement and mood architecture doesn't run a similar come also on the intermediate representations of we don't really want to like passed every single manual for every CPU of every single pass picture we want to support because of the I like develop a manual but you remember an exemption so we don't have any of you stand on passing them but things out challenges in the sense of a few yards there is a new player on that's the URIs called a lot of here and what is Italian at and that's the key was created tool of focus on compiler technology on this this just-in-time engine on but there's a killer them is of course formation the framework also very well known of software today which is the claim compiler I'm sure like everybody does in this room trying compiler and so on but it's more than this it's like water which it from that provides tons of things to play with binaries the so
in fact forests of them already has everything the was supporter lots of architecture by all the major 1 at the end of the 286 it's it's it's easy for you provide both studies of some government as some rough but our model and this is also provided this intermediate representations are that that link basically the only and the some and maybe some of you already about the as an intermediate representation but there is this is not this 1 this is not the intermediate representations which is used for the compiler past it's another 1 of moral in the 1 on which is called the idea and matching code and or at the end and entity and the smaller than the representation is this glue between the Jesus on the and that's some graph so what is an
immensely that's not even a very basic simple instructions here the fall the DDI it's just 1 of them in the process of exploring the code the instructions just a series of bytes all but if you look at from Freud we did with this list of bytes and that of the and just point of this and this in fact is an intermediate representation already it's a very simple 1 you of like to take there is lively and things which is the instruction and that the estrogen is composed of 2 list of but basically if and if it's simple you have like all the interesting information about and it's or it is something that we can work on so adamantly it's as you see very minimalist long if you structures and the it's also totally generates all for all the architecture of the use the same representation which is quite good to work on because we can do things in a totally generic way but still it encodes lots something about instruction but these everything we need to work on the intuition but at the side it's kind of very role OK it's simple but it is the structure of of simple but using them to complex thing that's going on and feel like something that complex and why and also they wanted to do to be generated so for this and that some of compromises and for example the door conquered everything but an instruction vary a lot of blue of bit of everywhere in fact and it's make using this layer of a treaty so for example we
want to create instruction that's 1 thing that we will need to do for the BI and these are instruction use the same representation of like the EU things slightly bit different ways for example here we have a mole of and this small as we have seen is a lot OK a history of around grouped in the side and instruction but the thing is this representation it's not documented it's not really stand out our every institution and possibly user is all non-coding and the optimal way to to look at the group called our so it's it's not the thing that has not been created the world via an intermediate representation that you can work on basically and here we also want to batch
friction so we need to modify it so if you take a look at the jump it's very simple only like which on 1 operand which is an immediate but if you want to modify it will need to go from to move this down we can see OK it's the the difference would be forced to credits and I got commodification we
assume that we want to create batch so a series of transformations on there it's very that is a very simple example of what we all what is in this region that we will need to punch in fact here it's an instruction which is referencing memory using the program counter so basically ourselves said at the moment we need to move this construction elsewhere in the memory but if you more instruction as well there of the restaurants will be broken because it was based on the true and address of this intuition which is here so let's have a look we are moving it but what would will be forced to do is OK we have more than structure and it's written on another address in memory but we need to replace the the register of the program counter we have another register and that's what is will be on loaded with the origin of has value and by this way when we will execute this instruction with the reference would be the same but as you can see we are broking things here we are modifying the behavior of the program because we are erasing this register so basically what you need is also to Bacup's that's for just and after like exhibiting the modifying instruction you also need to restore this restriction so as you can see creation and creation creation and modification lots of variation here on the and intermediate representation which is kind of art and the difficult walking and so soul the oncogene is a bit painful to work on and you can see here was very very simple batch and it's already quite complex with a lot of that on the lot of steps and we also have a feeling which is so you see that we have been forced to backup something to biker produced and sold you can feel that it would be not only that the only patch when you need to buy up register also we can feel that you will need some generates steps that will be needed like a bit everywhere and so basically we need abstractions and the
idea is to have like a magical in which we can call the pageant in it's it's really names like and I would get this idiot will take 1 constriction in input 1 original instruction apply our transformation in it using extraction and then the output list 1 or more instruction and the for this basically now where the vision like
some twisted vision but with said OK maybe
maybe you we can identify the steps that are required to apply the transformation so maybe you can say all care of this is in fact just a series of of transformation some of them up to the generator so maybe we can just we group them and tried to integrate them in sort of like in the language of a specific language which would be is specialized in but binary on the of part of the idea was OK all of the instruction and even if the representation is generated the representation the search and we will have will be after picture of this specific us all the batch will be asked each of this effect but possibly may be that the language can be generated and express modification for more than 1 and architecture
and so we have also some Annex I we have this from schematic I will not explain everything here but what we can explain is that basically the issue let you is that you have to wear a view of the world of the original program and you all of the the world of the DBI so 1 guest 1 lost and you have interaction between them so the idea of the abstraction was trying to make things a bit more organized the tool in fact be able to see the relation the relation between them and on by you don't to find this relation also trying to um traits abstraction that allow us to work more easily we have the binary and to express the complexity and in a simple way I would like to show you what it really means of with you by using this this is something which is part of the language and it's something which is a temporary register so be against you have seen the operators just before In
this example so this is the same example than before and this was our temporary road itself and with our language which if you want to create something like this says series of constriction in fact you can just say OK I want a temporary register also I want to them and the orders the UK will be chosen as a free register are automatically by in general and they will be identified by an ID so you can work always a late there and by working on it I mean spoken this like was needed for modifying this original instruction and to do this modification in fact what we are doing here it's basically mn replacing a register it in an original insertion solely without doing a substitution that with a temporary register on the original register which is DC and with by using the reassurance here to a temporary 1 so you can see it's kind of language we have like the worlds and kind of valuables and things like this the but and another idea was a as patching a binary is just applying a series of rules because if you want to modify something is because there is a need to do it there is In fact the condition 1 or more conditions that for any input is friction will apply a series of actions and this action is basically they are our transformations that we want to apply on soul let's take a look at some local as what we call a rule the rules in fact so this
is just extracted from the original code of the DTI and this is our patch this is the other thing that replaced the year of program content we have a temporary register and you see there is like 1 condition here so this is only 1 rule 1 condition we condition is the most user register PC and then the action you conceive very some of them but I will not enter into the detail but you can find the other substitute we stand and the temporary register and so on and there are the nice thing with this rule it's generates I mean it's exactly the same role that we are using on diagram on the uh 86 664 and another example here it's pure Mataram and here we basically need to replace the gender as you seen soul that's exactly what you are doing the condition is a bit more complex because we have a condition which appliances right instruction but the idea is always the same you have like the worlds of your language viable thing like this so
what do we learn on 1st and then is really you know a magic piece of software it's very robust it provides star thing and basically just save us from this but the problem we had was of the intermediate representation was so simple in fact that became very complex to play with and you can do it by hand it can really created much by our like with in which case it's it doesn't work it's just breaking your head soul you really need to focus abstraction and we were quite surprised all sample difficulty was to create this abstraction and honestly it's still a work in progress but yeah it's a estimate like quite complex on transformation in something that is very easy to read you just of your list of operation it's very is is to understand what the DBI is doing the binary so
I was yes the remote control for the next part uh so in the next but I want to talk about is how you need to think about cross architecture supports so if you some of the DBI firm work like in Filipino has that trouble supporting instructions applied on they actually tried and then they decided they would not support it anymore and 1 of the reason is that if you don't think about cross-architecture support from the start it can becomes very complex but and actually you how we handle this issue in RGB engine so if you think about what
was going on in Europe in the process you can divide the space into 2 entities the first one is the host so that was contained the DBA engine and intuition to you've written and the 2nd part of the guests and because continue original binary and the instrumented code generated by the DVI engine so you see that this holds gives them energy is taken from the world because it kind of makes sense now this is not the
Vienna so the problem is this the context they share the same memory in the same seaview countries because they're just want process uh and what this means that we we're going to need to switch between the 2 context of the wars and the guest at every cycle during the ecution however we do not get any help from the kernel or the CPU because is not the view of going to use the visualization extension things like that on so this basically means saving and restoring distribu context from the give and of course and by the staff at every time you switch between the 2 however you need to avoid any side effect on the guest because the horse is a word that it's a DVI and does is to be I think the biggest is not the word and should not be aware that you're doing context features between basically another process inside this process so this means that you cannot modified stock and you cannot there is any of its register all as the programmer just scratch and the only way to have something that for this way is that the guests in need to be able to relate Access Memory from the host because you cannot just computer memory addressing the register because again if there is a register and you cannot say that vectors so you want to resume despite because again give modified aspects of the only ways that you need to be able to do direct reference to react to erase the memory address In the guests however related
addressing is extremely constrained by city architecture so under the EC 260 60 can do that is to be uh related memory address but under only have 12 bits and basically if you look at the encoding this that's true limited by a trustful T 4 thousand 96 bits for the minus the and the on so the conclusion of this is that if you want to have a context switch that works nicely on cross-architecture support you need to have a situation where you have a cost memory really close to the guest goes to the instrument that could you generated the other problem is that you want to play nice with data execution prevention and so we could be that next to the symbol because you're generating that gold however we call the whole cannot have a memory data from the read write execute because on some operating system this is of adults so what we doing basically is allocating 2 contiguous memory page 1 of them is really cute the right is the right and this way we can have to satisfy all
those conditions so it looks like this so this is but the 1st page code block and this is the 2nd of that a block this was reading secured this 1 is a right so in the 1st piece of code in the code block is the prolog which will is begin Chattering the context which and to do that and excision gets simply the stored host context there and load the guests context they're using reactive addressing this instrument called the 1 we generate 3 D engine and is a GP which does the inverse of such so the idea behind the the of
basically combine instrument gold we instrumentation data so the data is guaranteed to be directly addressable however when I said 1 memory based from memory pages 4 kilobytes and the most most operating system and this is a lot of space so if you take 1 basic block and then for k based the basic structure never going to well you could but you need a lot of RAM so the solution is that you need to be able to put multiple instrument the basic into the code block and that's you basically have awful lot of the the space left so you can try to do things with that data space
so this is basically what we got in the end of here we have a very specific things which is a selector and the selector is it jumps to someplace inside a code block and this vector and this a case a programmable job but who cannot be modified good because it's trees accused of uh so what he does is to jump to an address exactly contended that the block and this way we can avoid it selects which basic block because you're going to store multiple basic block which a basic agreement to execute and each busy blocked into GP at yet so if you just for around the selector and understanding the different from the top you would execute the basic that you want the from the business this world we are exploiting the remaining this this floating the called constant and shadows physically
so constantly instrumentation constant what you've seen in the past example that we wanted to replace the program Compton wanted to load a constant so this was very very well the statistics for you have them all that has a 64 bit immediate to register but this is because it's assistance with instruction set but then there are you also very limited in the in the size of the images you can note into a register so basically we use this constant space in the same way as on literary form if you already reverse engineer oncology you know that there is a piece of code and then next 3 piece of it up and also the that directly with that the reference by the In this for the same way so this way we can load any kind of data we wanting to all instrumentation we dealt with in of space and the other thing which is more interesting concept is what we call instruction shadows on this is not entirely new it's inspired from Valgrind vibrant and the way they track memory adaptation generalisation of is that they created what they called memory shingles for also for 1 page of memory you allocate your program they create a small Burford that about inside the buffer into bits represent the states basically of each byte of the they were picture and this is shadowing basically the memory and so it's some kind of variable that's bonded to the to the memory and we we wanted to do the same stuff but for instruction so it's so is basically a means for us to abstract the idea of living variables inside the instrumentation quote to make up in line of some of its transition very easy 1 of the world the main use case right now is to recover memory access so memory access a bit of a problem if you want to recruit everything that's going on your program because uh to re gold read memory access you need to instrument before instructional right and accessing instrument after the assumption so you're adding a lot of instrumentation and for example if you want to call you old code in the call by then you need to switch contexts again so you making to convex fish for instruction and then Europe uh instrumentation becomes very slow so the solution is to do what we called inline instrumentation where you are going to do the recording of the memory access directly in assembly without using the instrumentation to itself and this is of variables the shadows basically are used for that so for instruction that do memory access to we create shadows that are used to sing told of that were access and yet success so you can execute the 4 basic block and an idea and you can just query the shadows of that basically log to know which address but the power transfer so to realize all of that it's not easy if you think about it in the milky architecture context because we need a cross-platform and you visit the memory management unit and we not structure of that uh because we want to allocate memory vision won't want to change those Bishop emissions and also we want to cross architecture some that works in memory we don't want to create a binary and the disk and it's not that simple a lot of us ever simply assume that they're going to create sections in the binary object and things like that but this is not the case that is what and the so
this again because when the 11
imperfect was started the 1st alluvium for low level of its machine so they had that byte code that 1st crossed nearly cross architecture and 1 of the thing they did is build just-in-time engine to execute that bytecodes and being a just-in-time engine this is very close to the design of a DVI and so they have everything we would need for that and I hope we cannot use directly the just-in-time engine however because although they're very well designed that do that 3 feet all use is in the we work but inside and then you have all the functions you need if you want to create a just-in-time although cross-architecture memory management abstractions and also this fully in memory of some which is a different so what we learned from that is that really you
to prejudice this environment of them is really perfect for the job but also the designing a just-in-time engine for DVI taking into account across Architecture problem is really difficult because a key easily be logged on to secure architecture if to stop assuming that you can simply access of memory with that that's a bit of for example and so you need to think about portability from the start if you want to design that kind of project
thank you so all this I insight on small plots also of our project which is called I could be I could be I stand for quot slab dynamic Binary Instrumentation no we are like very imaginative and the so it's across platforms cross architecture of the DI framework by cause that's only means that to date runs on Linux Mac OS windows related and IOS on the we really focus on the last few months to learning something user-friendly which is kind our you have like a big Indians very complex nationally but really really wanted to of something really is the sole as a key we focus on clinically eyes extensive documentation and the we also provide binary packages for major operating system on Linux distribution but and it's a modular design noun by this what remains is basically the core engine of the DBI should only do which is essential for I sold no on T and TV and stuff for laughing related to onto to the develop animal like everything which is not part of the DBI and the ozone ID was of keeping the things simple or is that by keeping the thing simple you don't force users to do things in your way basically you don't have we don't have like 1 injection out that you would need to use and that force you to do things in a certain way and limits you basically by doing this and what we have at the and it's by basically is integration because valid as just a library a static of dynamic library your choice and so if created with this library of Python bindings school or the radio fast experimentations and we also of like of food integration with stridor of Friday uh I'm sure a lot security no what is it it's like very very nice framework for instrument in binary on in the different way on the are really of perfect overwhelmed by using to get my re read if you combine the polar of the DBI 2 dBi and free died something really impressive rules here with the more of current from that basically we some of you will be too late for the air and support but USC in it's basically adding rules in fact the engine itself is already here is already working running on our and we just need to about know just finished the rules and maybe also focus on some of the 64 but we need to improve the memory access because transferred we don't of the assumed your access to the bit of problem and we also want to focus on the conditioning an exception but not in the same way that most of engine work because we really want to get the court very simple so it will be probably integrating we have something like and then to a library of something and know a bit the side of the project but we don't know exactly right now so the more time
also the more will be on order of the gene itself and its a Python bindings yeah so we just need
to buy altering of broad everything by doing this the yeah it and maybe we should just drawing of this year it so it's OK to have so it's it's a very simple the more I just want you to want to show you how easy and simple we try to make the women to make the so this is a simple binary that take a further on input and that the password the well you can't find it easy if you just look at the software so that that's where I'm very
glad that my colleagues use freaking as a T. keyboards which
is up here as the 2 works uh so yeah so what you're going to try to do is just display every memory access granted by the program and because there's a lot of redirects SUV we're just going to focus on right so we use the pikey BDI findings and the main thing is that this goal but which is called 1 the of the the be able to stop and we simply due to the things we are the memory access go back and rerun the engine from start to stop stop and so the memory go back is this right here and where does it just get analysis of the instruction and information about the memory access made and simply print well you rule to blah-blah-blah only great so genes in the will yeah this yeah not all of the it is a parcel somewhere and now what we want to run it maybe yeah yeah OK I want to ruin it had it's not in their history because it was too is a 0 was a cure this to be a yeah OK so there we go in thank you and so the EU we can run it and you can see is a lot of memory excessive are made by the so this thing and so on right now it's subtree readable there's lots of memory . stuff of so maybe because we know it's about so if we want to see but by a memory
access that are a 1 1 byte long so there we do that we check if the size is 1 we only printed the size is 1 of the so let's that's the
between soul here so interesting and we can see we have byte value on the left then we have a lot of instruction the print that and there is a bit of books on their and maybe source so when she usually thing crypto all we're image may petition algorithms and and so what we can do is not simply due to sense
of but we also filter forks or instruction to see what we get um
it yeah and so it's uh so now there's not that many of works so or instruction left and looks like random at the beginning of the end is interesting because always in the same kind of memory range of that looks like ASCII so that the last thing in the last lady is simply to aggregate those bytes
into a buffer so you see that you have a victory Darius passes the parametres the call back and so on each of those instructions would simply up and the data to or RAM and it's a weird finger radiant uh and if we do
that the we can see we have a some garbage and then at the end of the summer of text that looks like input frightened so if we do go to and the in in what is the correct password so it wasn't a different memory and you can look at it at the end so this to you the whole simple that this kind of binding can be and that's really not part USA DVI few of another with time for in the world the
more so all that I will just or maybe more more
so there OK we try to it on the remote screen need not at the university keyboards here when French so so here we have at the more binary and we relaunched it's it's more but we increase the size of concealed kids them of the United States are at an input screen which is the long 1 needs to move things with little more OK and the idea is OK we want to reverse engineering it and to understand what it tells us all but we
will do this using the idea freedom framework and a pair of so it there it which in my laptop in fact now here will so we so soon load fighter the In
general failure there and we will have
all the binary yeah is located I think there are a lot of which are binary OK work and use right OK I want to load the optimal binary boy 0 or launching trial and the ships from there so yeah I take control of August so here we are in fried eyes Freud environment the most of you already know if your views freedom and what we can do we for it I was accused of things like OK I want I have been really must be that binary and I've seen that there is a function which is called like secret so I would just do our of low-cost Switzerland is right i t i which is OK I want the address of secrets so for the just read on the address of cigarettes I say OK we need an input for this function and basically the will of known to use a string for this input so Freud us to ability to a remote indication of memory and inject the string inside the remote process memory and the using this you can say OK I want and that a function and this is like a function which allow you to do the call of of the of function do is that you wish of the result on by doing sex and so there is no completion if you do 6 showing import basically Friday's exhibiting
your of remote function with the input that I've already like them similar OK so all what we can do with the DVI R and integration that we can simply drift of your choice if you so we we are looking at our DVI so by doing this simply I
guess so we have of the object with them we will create of seduce state think of like the compression theory is in you and then we will try to stack using history in the provision because we have lots of time and go we have basically of of your choice if you which is a little we have initialize it state and we have an initializer your choice strike for it and what we need to do now is to say OK we want to instruments are the the mall binary they it's to avoid the accord to the external library is this is the future of the debris I want be i it's that we can really choose what part of the government to instruments and relented over things executed by themselves so they are we already and you can just do a call on calling soul to using the energy function point our freedom and then the list of the input a list of arguments array and which is input and say OK we have exactly the same output and the same month of return that you and you say OK but you have exactly the same thing so a to is gonna do less now we are adding right now we can do it's adding instrumentations we because here we have just executive of the original court but inside the divided the binary of the DBI sorry and treating the other 1 the 2 of the US instrumentation you just need to use use to his the our something like that of an instruction collection OK so here what they have done the but the key is i have created a jealous straight function that will be cool and runtime for every instruction and this school but we basically here just the dump those generated the post which is the most and also asked for of total analysis of the instruction and although 2 the US the use some history and the original address and this sky of that is is by the way they are managed by the DDI and they are of various Josh there's a lot of things in the but there here we don't know what happened but it's magic you have like the analysis of the inscription on the after of this you only need to are of your callback soul that which it again so what I asked here is that I add the could collection for the for every instruction on that we call Nigel as a function so no other gold like is I did and we can just go back and call again our input function and here we go what we is odorless could function which has been executed on that we see if for every institution and we have the address we have instruction we have the full of GPR context so that did not propose for distance wise lots of them I can see also that in between we have the call for of the excellent laboring URI obj being outside the DTI and and it's basically just on the library of the the which is doing stuff on the on on the surprisingly operate instruction on it's returning 0 so everything worked as before How
soul of to the is low in open source of project or we just just really is it a few days ago of soul non that to to give it a try of its has also been really is under a permissive license soul 2 3 4 and usage extends all poor regressed or anything we of a channel on for another hour on just join us sure interested in in this project and I would like to bound by a really and doing a big thanks to our colleague of course lab on the off all the data destined for supporting us every day and the also specially to Poland dual because of them like major contribution to this really is and you know it would not be the same you know them and also big funds for a course level accompanied to all orders to really is this software like with us permissive license from the lower to grow by his own soul interim
much few and the you if you want to ask questions so like is the between you we only have 1 minute and for them the all right to the quick and secondly contrast this now with about the trace and to them and support so the difference really cool of it so that it's not really cross-platform and not cross architectures some of the main points to be very very fast because we don't have time of point is like the you really out it's all about the granularity and the you the granularity is institutions and model and that's gonna be before or after every instruction and this when you did I can provide you or your a few of like to define but so this is really the main difference it's complementary tools but the and if you can get them later and that the next could be 15 minutes it's growing up something development that means that you're thefts in
a it is be and if the the the back
Binärcode
Diskretes System
Computersicherheit
Gasströmung
Information
Binärcode
Fokalpunkt
Framework <Informatik>
Algorithmische Programmiersprache
Office-Paket
CLI
Gittermodell
Systemprogrammierung
Dijkstra-Algorithmus
Freeware
Framework <Informatik>
Reverse Engineering
LASER <Mikrocomputer>
Abgeschlossene Menge
Mereologie
Luenberger-Beobachter
Optimierung
Ereignishorizont
Versionsverwaltung
Binärcode
Punkt
Framework <Informatik>
Prozess <Informatik>
Interaktives Fernsehen
EDV-Beratung
Gasströmung
Framework <Informatik>
Quantisierung <Physik>
Prozess <Physik>
Weg <Topologie>
Gruppenoperation
Selbstrepräsentation
Zellularer Automat
Gebäude <Mathematik>
Transformation <Mathematik>
ROM <Informatik>
Doppler-Effekt
Framework <Informatik>
Code
Leck
Datensatz
Weg <Topologie>
Kryptologie
Software
XML
Code
Elektronischer Fingerabdruck
Seitenkanalattacke
Optimierung
Betriebsmittelverwaltung
Einflussgröße
Ereignisdatenanalyse
Prozess <Informatik>
Transformation <Mathematik>
Rechenzeit
Rechenzeit
Ein-Ausgabe
Randwert
Software
Festspeicher
Mereologie
Anpassung <Mathematik>
Selbstrepräsentation
Evolutionsstrategie
Messprozess
Speicherverwaltung
Information
Ablaufverfolgung
Eigentliche Abbildung
Prozessautomation
Aggregatzustand
Divergenz <Vektoranalysis>
Addition
Einfügungsdämpfung
Prozess <Physik>
Punkt
Diskretes System
Rechenzeit
Zahlenbereich
Debugging
Physikalisches System
Binärcode
Framework <Informatik>
Ereignishorizont
Quick-Sort
Kernel <Informatik>
Reverse Engineering
Minimum
Debugging
COM
Passwort
Inklusion <Mathematik>
Binärcode
Kernel <Informatik>
Befehl <Informatik>
Diskretes System
Compiler
Hochdruck
Gasströmung
Debugging
Ausnahmebehandlung
Physikalisches System
Quellcode
Binärcode
Framework <Informatik>
Code
Kernel <Informatik>
Quellcode
Patch <Software>
Information
Compiler
Familie <Mathematik>
Zellularer Automat
Systemplattform
Framework <Informatik>
Intel
Open Source
Bildschirmmaske
Informationsmodellierung
Prozess <Informatik>
Reverse Engineering
Theorem
Existenzsatz
Fokalpunkt
Abgeschlossene Menge
Mobiles Internet
Diskretes System
Binärcode
Architektur <Informatik>
Rechenzeit
Open Source
Systemplattform
Gasströmung
Portabilität
Arithmetisches Mittel
Framework <Informatik>
Rechter Winkel
Komplex <Algebra>
Computerarchitektur
Ordnung <Mathematik>
Binärcode
Befehl <Informatik>
Rechenzeit
Reihe
Systemaufruf
Gasströmung
p-Block
Datenfluss
Term
Binärcode
Code
Bildschirmmaske
Maßstab
Code
Konditionszahl
Mereologie
Dreiecksfreier Graph
Gamecontroller
Resolvente
Pac Man <Computerspiel>
Wort <Informatik>
p-Block
Diskretes System
Binärdaten
Gewichtete Summe
Raum-Zeit
Compiler
Kombinatorische Gruppentheorie
ROM <Informatik>
Code
Raum-Zeit
Teilbarkeit
Freeware
Wechselsprung
Rechter Winkel
Prozess <Informatik>
Adressraum
Code
Festspeicher
Codierung
Garbentheorie
Speicheradresse
Fitnessfunktion
Videospiel
Übergang
Symboltabelle
Dreiecksfreier Graph
Patch <Software>
Abstraktionsebene
Assembler
Code
Übergang
Festspeicher
Mustersprache
Dreiecksfreier Graph
Videospiel
Garbentheorie
Konstruktor <Informatik>
Lineares Funktional
Gamecontroller
p-Block
Kontrollfluss
p-Block
Datenstruktur
Mathematische Logik
Ordnungsreduktion
Multiplikation
Kontrollstruktur
Compiler
Wasserdampftafel
Selbstrepräsentation
Zwischensprache
Abstraktionsebene
Assembler
Zentraleinheit
Binärcode
Framework <Informatik>
Übergang
Software
Abstand
Implementierung
Softwareentwickler
Architektur <Informatik>
Assembler
Einfache Genauigkeit
Binder <Informatik>
Fokalpunkt
Disassembler
Gamecontroller
Dateiformat
Computerarchitektur
Disassembler
Compiler
Schlüsselverwaltung
Message-Passing
Bit
Prozess <Physik>
Punkt
Compiler
Selbstrepräsentation
Regulärer Ausdruck
Zwischensprache
Assembler
Komplex <Algebra>
Code
Informationsmodellierung
Maschinencode
Datenstruktur
Beobachtungsstudie
Binärcode
Wald <Graphentheorie>
Architektur <Informatik>
Graph
Reihe
Mailing-Liste
Binder <Informatik>
Selbstrepräsentation
Computerarchitektur
Information
Disassembler
Wechselsprung
Subtraktion
XML
Reibungskraft
Selbstrepräsentation
Selbstrepräsentation
Gruppenkeim
Regulärer Ausdruck
Zwischensprache
Stapelverarbeitung
Konstruktor <Informatik>
TVD-Verfahren
Bit
Momentenproblem
Transformation <Mathematik>
Abstraktionsebene
Adressraum
Reihe
Zwischensprache
Mailing-Liste
Patch <Software>
Transformation <Mathematik>
Abstraktionsebene
Ein-Ausgabe
Datensicherung
Patch <Software>
Last
Komplex <Algebra>
Adressraum
Festspeicher
Datenstruktur
Stapelverarbeitung
Optimierung
Funktion <Mathematik>
Soundverarbeitung
Domain <Netzwerk>
Architektur <Informatik>
Transformation <Mathematik>
Formale Sprache
Selbstrepräsentation
Reihe
Transformation <Mathematik>
Patch <Software>
Abstraktionsebene
Umwandlungsenthalpie
Formale Sprache
Generizität
Mereologie
Computerarchitektur
Stapelverarbeitung
Bit
Einfügungsdämpfung
Formale Sprache
Reibungskraft
Gruppenoperation
Interaktives Fernsehen
Transformation <Mathematik>
Patch <Software>
Binärcode
Kontextbezogenes System
Optimierung
Programm
Nichtlinearer Operator
Sichtenkonzept
Abstraktionsebene
Relativitätstheorie
Reihe
Schlussregel
Ein-Ausgabe
Abschattung
Gruppenoperation
Schlussregel
Konditionszahl
Mereologie
Ordnung <Mathematik>
Bit
Gruppenoperation
Formale Sprache
Zwischensprache
Transformation <Mathematik>
Patch <Software>
Abstraktionsebene
Code
Arithmetische Folge
Software
Code
Stichprobenumfang
Substitution
Inhalt <Mathematik>
Optimierung
Schreib-Lese-Kopf
Schätzwert
Nichtlinearer Operator
Abstraktionsebene
Schlussregel
Mailing-Liste
Patch <Software>
Diagramm
Komplex <Algebra>
Geschlecht <Mathematik>
Rechter Winkel
Konditionszahl
Selbstrepräsentation
Binärcode
Energiedichte
Fernwartung
Architektur <Informatik>
Prozess <Physik>
Prozess <Informatik>
Code
Mereologie
Computerarchitektur
Binärcode
Code
Raum-Zeit
Kernel <Informatik>
Programmiergerät
Bit
Prozess <Physik>
Stab
Soundverarbeitung
Schreiben <Datenverarbeitung>
Computer
ROM <Informatik>
Kontextbezogenes System
Homepage
Kernel <Informatik>
Homepage
Dämpfung
Code
Adressraum
Netzbetriebssystem
Visualisierung
Speicheradresse
Maßerweiterung
Betriebsmittelverwaltung
Hilfesystem
Soundverarbeitung
Schreiben <Datenverarbeitung>
Architektur <Informatik>
Sichtenkonzept
Relativitätstheorie
Vektorraum
Kontextbezogenes System
Rechter Winkel
Festspeicher
Dreiecksfreier Graph
Lesen <Datenverarbeitung>
Wort <Informatik>
Computerarchitektur
p-Block
Zentraleinheit
Raum-Zeit
Definite-Clause-Grammar
p-Block
Physikalisches System
Kontextbezogenes System
Code
Raum-Zeit
Kontextbezogenes System
Homepage
Homepage
Rechter Winkel
Code
Konditionszahl
Festspeicher
p-Block
Datenstruktur
Betriebsmittelverwaltung
Bit
Adressraum
Konvexer Körper
Abstraktionsebene
Binärcode
Raum-Zeit
Homepage
Netzwerktopologie
Einheit <Mathematik>
Reverse Engineering
Prozess <Informatik>
Notepad-Computer
Maschinelles Sehen
Gerade
Statistik
Systemaufruf
p-Block
Kontextbezogenes System
Abschattung
Variable
Arithmetisches Mittel
Rechter Winkel
Festspeicher
Anpassung <Mathematik>
Garbentheorie
p-Block
Speicherverwaltung
Aggregatzustand
Lesen <Datenverarbeitung>
Objekt <Kategorie>
Gruppenoperation
Assembler
ROM <Informatik>
Code
Kontextbezogenes System
Homepage
Puffer <Netzplantechnik>
Variable
Datensatz
Bildschirmmaske
Mini-Disc
Konstante
Abschattung
Optimierung
Datenstruktur
Bildgebendes Verfahren
Binärcode
Architektur <Informatik>
Vektorraum
Portabilität
Objekt <Kategorie>
Analogieschluss
Wiederherstellung <Informatik>
Computerarchitektur
Speicherverwaltung
Lineares Funktional
Architektur <Informatik>
Abstraktionsebene
Nebenbedingung
Just-in-Time-Compiler
Abstraktionsebene
Assembler
ROM <Informatik>
Übergang
Virtuelle Maschine
Festspeicher
Byte-Code
Computerarchitektur
Speicherverwaltung
Speicherverwaltung
Humanoider Roboter
Distributionstheorie
Bit
Multiplikation
Ausnahmebehandlung
Desintegration <Mathematik>
Information
ROM <Informatik>
Systemplattform
Binärcode
Framework <Informatik>
Methodenbank
Modul <Datentyp>
Prozess <Informatik>
Netzbetriebssystem
Bildschirmfenster
Speicherabzug
Programmbibliothek
Inverser Limes
Softwareentwickler
Maßerweiterung
Mobiles Endgerät
Auswahlaxiom
Binärcode
Schnelltaste
Architektur <Informatik>
Physikalischer Effekt
Diskretes System
Computersicherheit
Thumbnail
Validität
Just-in-Time-Compiler
Gasströmung
Schlussregel
Ausnahmebehandlung
Plot <Graphische Darstellung>
Ein-Ausgabe
Integral
Schnelltaste
Framework <Informatik>
Forcing
Konditionszahl
Festspeicher
Mereologie
Projektive Ebene
Speicherabzug
Computerarchitektur
Schlüsselverwaltung
Programmierumgebung
Zentraleinheit
Lesen <Datenverarbeitung>
Schnelltaste
Software
Passwort
Passwort
Ordnung <Mathematik>
Binärcode
Demo <Programm>
Schreiben <Datenverarbeitung>
Schnelltaste
Stellenring
Rechter Winkel
Adressraum
Datensichtgerät
Festspeicher
Hochdruck
Passwort
Information
Optimierung
Analysis
Schreiben <Datenverarbeitung>
Spannweite <Stochastik>
Bit
Kryptologie
Adressraum
Codierungstheorie
Festspeicher
Open Source
Hochdruck
Passwort
Bildgebendes Verfahren
Normalvektor
Schreiben <Datenverarbeitung>
Puffer <Netzplantechnik>
Adressraum
Festspeicher
Mereologie
Systemaufruf
Verbandstheorie
Passwort
Passwort
Ein-Ausgabe
Hochdruck
Parametrische Erregung
Schnelltaste
Schreiben <Datenverarbeitung>
Reverse Engineering
Ein-Ausgabe
Simplexverfahren
Framework <Informatik>
Zeichenkette
Open Source
Chiffrierung
Elektronische Unterschrift
Reverse Engineering
Last
Notebook-Computer
Ein-Ausgabe
Passwort
Grundraum
Touchscreen
Stellenring
Prozess <Physik>
Adressraum
Information
ROM <Informatik>
Simplexverfahren
Datensichtgerät
Open Source
Physikalisches System
RPC
Elektronische Unterschrift
Indexberechnung
Demo <Programm>
Binärdaten
Lineares Funktional
Sichtenkonzept
Vervollständigung <Mathematik>
Reverse Engineering
Gasströmung
Ein-Ausgabe
Thread
Framework <Informatik>
Rechter Winkel
Festspeicher
Ein-Ausgabe
Gamecontroller
Programmierumgebung
Zeichenkette
Stellenring
Punkt
Kontrollstruktur
Spielkonsole
Adressraum
Information
ROM <Informatik>
Binärcode
Physikalische Theorie
Chiffrierung
Pufferspeicher
Globale Optimierung
Adressraum
Speicherabzug
Programmbibliothek
Flächeninhalt
Abstand
Quellencodierung
Auswahlaxiom
Modul
Demo <Programm>
Analysis
Funktion <Mathematik>
Binärdaten
Lineares Funktional
Parametersystem
Systemaufruf
Rechenzeit
Mailing-Liste
Boolesche Algebra
Computervirus
Ein-Ausgabe
Kontextbezogenes System
Gleichheitszeichen
Systemaufruf
Keller <Informatik>
Integral
Zeichenkette
Objekt <Kategorie>
Funktion <Mathematik>
Thread
Ein-Ausgabe
Mereologie
Speicherabzug
Schlüsselverwaltung
Aggregatzustand
Open Source
Subtraktion
Informationsmodellierung
Punkt
Rechter Winkel
Open Source
Projektive Ebene
Kontrast <Statistik>
Computerarchitektur
Softwareentwickler
Ordnung <Mathematik>
Übergang
Hypermedia
Systemprogrammierung

Metadaten

Formale Metadaten

Titel Implementing an LLVM based Dynamic Binary Instrumentation framework
Serientitel 34th Chaos Communication Congress
Autor Hubain, Charles
Tessier, Cédric
Lizenz CC-Namensnennung 4.0 International:
Sie dürfen das Werk bzw. den Inhalt zu jedem legalen Zweck nutzen, verändern und in unveränderter oder veränderter Form vervielfältigen, verbreiten und öffentlich zugänglich machen, sofern Sie den Namen des Autors/Rechteinhabers in der von ihm festgelegten Weise nennen.
DOI 10.5446/34835
Herausgeber Chaos Computer Club e.V.
Erscheinungsjahr 2017
Sprache Englisch

Inhaltliche Metadaten

Fachgebiet Informatik
Abstract This talk will go over our efforts to implement a new open source DBI framework based on LLVM. We'll explain what DBI is used for, how it works, the implementation challenges we faced and compare a few of the existing frameworks with our own implementation.
Schlagwörter Security

Zugehöriges Material

Folgende Ressource ist Begleitmaterial zum Video
Video wird in der folgenden Ressource zitiert

Ähnliche Filme

Loading...
Feedback