2011 CodeEngn Conference 05 DBI 란 Dynamic Binary Instrumentation 의 약자이다. 이는 실행 중인 어떤 Process 또는 Program 에 특수한 목적으로 사용될 임의의 코드를 삽입하는 방법이다. 이를 이용하여 동적으로 생성된 Code 처리, 특정 코드의 발견, 실행중인 Process 분석 등을 할 수 있다. 주로 컴퓨터 구조 연구, 프로그램, 스레드 분 석에 이용되며, Taint Analysis 에 대한 개념, 각종 Tool 과 사용 방법, 간단한 예제, 최신 취약점 분석 등 을 통하여 DBI 를 알아보도록 한다. http://codeengn.com/conference/05

1. ProgramVulnerability Analysis
Using DBI
CodeEngn Co-Administrator
DDeok9@gmail.com
2011.7.2
www.CodeEngn.com
CodeEngn
ReverseEngineering
Conference

2. Outline
• What is DBI ?
• Before that
• How ?
• A simple example
• Demo !
2

3. What is DBI ?
• Instrumentation
Keyword :To gather information, insert code
• Dynamic Binary Instrumentation
Keyword : Running program, special purpose, insert code
Running
Arbitrary Code
3

4. Static Analysis
• Summary
- Without running
- Considering all execution paths in a program
- Tools : Sonar, cppcheck, Prevent, KlockWork
4

5. Static Analysis
5
Check Out
Coding
Modify
Compile Error
Defect
Check In

6. Dynamic Analysis
• Summary
- Running
- Considering single execution path
- Input dependency
6

7. Winner
• Dynamic Analysis
More precise
Because > works with real values in the run-time
• if ( you think Ollydbg & IDA Disassembler )
Easy to understand
7

8. Source Analysis
• Source Analysis
- Language dependency
- Access high-level information
- Tools : Source insight
8

9. Binary Analysis
• Binary Analysis
- Platform dependency
- Access low-level information ex) register
- Complexity, Lack of Higher-level semantics, Code Obfuscation
9

10. DRAW
• Binary Analysis
Original source code is not needed
• Source Analysis
Just you look at source
10

11. SBI
• Static Binary Instrumentation
- Before the program is run
- Rewrites object code or executable code
- Disassemble -> instrumentation
11

12. DBI
• Dynamic Binary Instrumentation
- Run-time
- By external process, grafted onto the client process
12

13. Winner
• DBI
1. Client program doesn’t require to be prepared
2. Naturally covers all client code
13

14. Usefulness of DBI
• Do not need Recompiling and Relinking
• Find the specific code during execution
• Handle dynamically generated code
• Analyzing running process
14

15. Use
• Trace procedure generating
• Fault tolerance studies
• Emulating new instructions
• Code coverage -> t / all * 100
• Memory-leak detection
• Thread profiling
• And so on . . .
15

16. Before that
• Taint Analysis
Kind of information flow
To see the flow from the external input effect
16

17. Taint propagation
Tainted
Untainted
Tainted
17

18. Taint propagation
18
Untrusted source 1 Untrusted source 2

19. Use
• Detecting flaws
if ( tracking user data == available )
I see where untrusted code swimming
• Data Lifetime Analysis
19

20. How ?
• Dynamic Binary Instrumentation Tools
Pin :Win & Linux & MAC, Intermediate Language
DynamoRIO :Win & Linux & MAC
TEMU :Win & Linux, QEMU based
Valgrind : Linux
20

21. How ?
• Use PIN Tool
Windows, Linux, MAC OSX
Custom Code ( C or C++ )
Attach the running file
Extensive API
Pinheads
21

22. Pin ?
• http://pintool.org
One of JIT ( Just In Time ) compiler
Not input bytecode, but a regular executable
Intercept instruction and generates more code and execute
22

23. Pin : Instrumentation Engine
Pintool : Instrumentation Tool
Application :Target Program or Process
23
Pin ?

24. 24
Pin ?

25. 25
Pin ?

26. 26
Pin ?

27. 27
Pin ?

28. 28
Pin ?

29. Install
• if ( Install window )
you need to visual c++
• else if ( install linux )
you need to gcc-c++
• else if ( install mac 64bit )
not available
29

30. A Simple Example
30
• Inscount & Itrace & Pinatrace
• Step by modify code
Inscount
M
Itrace
M
Pinatrace

31. Inscount
- count the total number of instructions executed
31

32. Modify Inscount
32

33. Itrace
• Itrace
Instruction Address Trace
How to pass arguments
Useful understanding the control flow of a program for debugging
33

34. Itrace
34

35. Modify Itrace
35

36. insertPredicatedCall ?
36
To avoid generating references to instructions that are predicated when
the predicate is false
Predication is a general architectural feature of the IA-64

37. Pinatrace
• Pinatrace
Memory Reference Trace
Useful debugging and for simulating a data cache in processor
37

38. Pinatrace
38
770B89DA : Instrumentation Points
R/W :Access Type
0023F434 : &Address
4 : R/W Size
0x01 : *Address

39. Vera
• Use vera !
Shmoocon 2011 Danny Quist
Visualizing Executables for Reversing & Analysis
Better OEP detection & IDA Pro Plugin
39

40. Demo !
• if ( Use DBI withVera )
you will see the memory flow ( easily )
• And
you will see the pattern of vulnerable program and patched program
40

41. Demo !
41

42. Zero-day !
1. HookVulnerability Function
strcpy, strcat, sprintf, scanf, fscanf, strstr, strchr
2. And
monitoring ESI
3. Olleh!
It’s possible to modify the parameters
42

43. Zero-day !
43

44. Zero-day !
44

45. reference
• http://translate.google.co.kr/?hl=ko&tab=wT
• http://www.pintool.org/
• http://www.youtube.com/watch?v=9nlWbDdxKjw
45

46. Q & A
46
www.CodeEngn.com
CodeEngn
ReverseEngineering
Conference

47. Quiz
47
OR, XOR 연산에서
A 가 Taint 된 값( 1 ) 이라고 가정했을 때
B 의 값이 무엇일 때 “Taint 되었다”
라고 할까요 ??
답과 간단한 이유를 말해주세용
hint ) AND 연산일때 B 가 1일때 Taint 되었다.