1. Light and Dark side of Code
Instrumentation
Dmitriy “D1g1″ Evdokimov
DSecRG, Security Researcher
2. #whoami
• Security Researcher in DSecRG
– RE
– Fuzzing
– Mobile security
• Organizer: DCG #7812
• Editor in “XAKEP”
Digital Security Positive Hack Days 2012 2
4. Intro
“It has been proved by scientists that a new
point of evolution, any technical progress
appears when a Man makes up a new type of
tool, but not a product.”
Digital Security Positive Hack Days 2012 4
5. Instrumentation
Instrumentation is a technique adding extra
code to an program/environment for
monitoring/change some program behavior.
Environment
Program Program
Own Own
extra extra
code code
Digital Security Positive Hack Days 2012 5
6. Why is it necessary?
Parallel optimization
Simulation
Memory debugging
Virtualization
Emulation
Software profiling
Performance analysis
Testing
Automated debugging Correctness checking
Error detection Collecting code metrics
Binary translation Optimization
Memory leak detection
Digital Security Positive Hack Days 2012 6
7. Instrumentation in information
security
Control flow analysis Security test case generation
Unpack Code coverage
Virtual patching Malware analysis Vulnerability detection
Privacy monitoring Taint analysis
Antivirus technology
Sandboxing Program shepherding
Data flow analysis Shellcode detection
Deobfuscation Fuzzing
Reverse engineering
Behavior based security Forensic
Transparent debugging
Data Structure Restoring
Security enforcement
Digital Security Positive Hack Days 2012 7
8. Analysis
Criterion Static analysis Dynamic analysis
Code vs. data Problem No problem
Code coverage Big (but not all) One way
Information about values No information All information
Self-modifying code Problem No problem
Interaction with the No Yes
environment
Unused code Analysis No analysis
JIT code Problem No problem
Digital Security Positive Hack Days 2012 8
10. The general scheme of code
instrumentation
1. Find points of instrumentation;
2. Insert instrumentation;
3. Take control from program;
4. Save context of the program;
5. Execute own code;
6. Restore context of the program;
7. Return control to program.
Digital Security Positive Hack Days 2012 10
11. Source Data
Source data
Source code Byte code Binary code
Digital Security Positive Hack Days 2012 11
15. Byte code instrumentation
Byte code – intermediate representation
between source code and machine code.
…
Java VM Dalvik VM AVM/AVM2 CLR
Digital Security Positive Hack Days 2012 15
26. Static Binary Instrumentation (I)
Static binary instrumentation/Physical code
integration/Static binary code rewriting
Edited Header
Header
• Realization: Segment of Segment of
code code
– With reallocation:
Segment of Segment of
• Level of segment; data data
• Level of function; Extra segment
of code
– Without reallocation.
Extra segment
of data
Digital Security Positive Hack Days 2012 26
27. Static Binary Instrumentation (II)
Reallocation:
1) Function Displacement + Entry Point Linking;
2) Branch Conversion;
3) Instruction Padding;
4) Instrumentation.
Tools: DynInst, EEL, ATOM, PEBIL, ERESI, TAU,
Vulcan, BIRD, Aslan(4514N)
Digital Security Positive Hack Days 2012 27
30. Dynamic Binary Instrumentation
• Dynamic Binary Instrumentation (DBI) is a process control and
analysis technique that involves injecting instrumentation code
into a running process.
• Dynamic binary analysis (DBA) tools such as profilers and
checkers help programmers create better software.
• Dynamic binary instrumentation (DBI) frameworks make it easy
to build new DBA tools.
•DBA tools consist:
– instrumentation routines;
– analysis routines.
Digital Security Positive Hack Days 2012 30
31. Kinds of DBI
Mode: Mode of work:
– user-mode; - Start to finish;
– kernel-mode. - Attach.
Functionality
Modes of execution: JIT
– Interpretation-mode;
– Probe-mode; Probe
– JIT-mode. Performance
Digital Security Positive Hack Days 2012 31
32. DBI Frameworks*
Frameworks OS Arch Modes Features
PIN Linux, x86, x86-64, JIT, Probe Attach mode
Windows, Itanium, ARM
MacOS
DynamoRIO Linux, x86, x86-64 JIT, Probe Runtime
Windows optimization
DynInst Linux, x86, x86-64, Probe Static &
FreeBSD, ppc32, ARM, Dynamic binary
Windows ppc64 instrumentation
Valgrind Linux, MacOS x86, x86-64, JIT IR – VEX,
ppc32, ARM, Heavyweight
ppc64 DBA tools
*For more details see “DBI:Intro” presentation from ZeroNights conference
Digital Security Positive Hack Days 2012 32
33. Start work with DBI
Digital Security Positive Hack Days 2012 33
34. Levels of granularity
• Instruction;
• Basic Block*;
• Trace/Superblock;
• Function;
• Section;
• Events;
• Binary image.
Digital Security Positive Hack Days 2012 34
35. Self-modifying code & DBI
Detect:
– Written-protecting code pages
– Checking store address
– Inserting extra code
Digital Security Positive Hack Days 2012 35
36. Overhead
O=X+Y
Y = N*Z
Z = K+L
O – Tool Overhead;
X – Instrumentation Routines Overhead;
Y – Analysis Routines Overhead;
N – Frequency of Calling Analysis Routine;
Z – Work Performed in the Analysis Routine;
K – Work Required to Transition to Analysis Routine;
L – Work Performed Inside the Analysis Routine.
Digital Security Positive Hack Days 2012 36
37. Rewriting instructions
• Platforms:
– with fixed-length instruction;
– with variable-length instructions.
Digital Security Positive Hack Days 2012 37
38. Rewriting code (I)
• Easy / simple / boring / regular example
– Rewriting prolog function
Digital Security Positive Hack Days 2012 38
39. Rewriting code (II)
• Hardcore example:
– Mobile phone firmware rewriting
Bootloader
reboot
Flash
SHELLCODE 1 AMSS
Malicious SMS
GSM
Baseband processor
Digital Security Positive Hack Days 2012 39
40. Instrumentation in ARM
ARM modes:
– ARM
• Length(instr) = 4 byte
– Thumb
• Length(instr) = 2 byte
– Thumb2
• Length(instr) = 2/4 byte
– Jazzle
For more detail see “A Dynamic Binary Instrumentation Engine for the ARM
Architecture” presentation.
Digital Security Positive Hack Days 2012 40
41. Emulation
App1 OS
Emulator
OS
Processor
Digital Security Positive Hack Days 2012 41
42. Instrumentation & Bochs
• Bochs can be called with instrumentation support.
• C++ callbacks occur when certain events happen:
– Poweron/Reset/Shutdown;
– Branch Taken/Not Taken/Unconditional;
– Opcode Decode (All relevant fields, lengths);
– Interrupt /Exception;
– Cache /TLB Flush/Prefetch;
– Memory Read/Write.
• “bochs-python-instrumentation” patch by Ero Carrera
Digital Security Positive Hack Days 2012 42
43. Virtualization
App1 OS
App1 OS
VMM
VMM OS
Processor Processor
Native VMM Hosted VMM
*VMM - Virtual Machine Monitor
Digital Security Positive Hack Days 2012 43
44. Instrumentation & virtualization
Stages:
1. Save the VM-exit reason information in the VMCS;
2. Save guest context information;
3. Load the host-state area;
4. Transfer control to the hypervisor;
5. Run own code.
*VMCS - Virtual Machine Control Structure
Digital Security Positive Hack Days 2012 44
45. Instrumentation in
Mobile World
Mobile Platform Language Executable file format
Android Java Dex
iOS Objective-C Mach-O
Windows Phone .NET PE
Digital Security Positive Hack Days 2012 45