![Why DBI
…...
if (size < sizeof(min_buf)) {
iov_to_buf(iov, iovcnt, 0, min_buf, size);
memset(&min_buf[size], 0, sizeof(min_buf) - size);
}
else if (iov->iov_len < MAXIMUM_ETHERNET_HDR_LEN) {
/* This is very unlikely, but may happen. */
iov_to_buf(iov, iovcnt, 0, min_buf, MAXIMUM_ETHERNET_HDR_LEN);
filter_buf = min_buf;
}
…...](https://image.slidesharecdn.com/dbi-161121122724/85/Dynamic-Binary-Instrumentation-3-320.jpg)
![….
if (size < sizeof(min_buf)) {
printf(“Good size branchn”);
iov_to_buf(iov, iovcnt, 0, min_buf, size);
memset(&min_buf[size], 0, sizeof(min_buf) - size);
}
else if (iov->iov_len < MAXIMUM_ETHERNET_HDR_LEN) {
/* This is very unlikely, but may happen. */
printf(“Got a rare casen”);
iov_to_buf(iov, iovcnt, 0, min_buf, MAXIMUM_ETHERNET_HDR_LEN);
filter_buf = min_buf;
}
….](https://image.slidesharecdn.com/dbi-161121122724/85/Dynamic-Binary-Instrumentation-4-320.jpg)
![#include <iostream>
#include "pin.H"
UINT64 icount = 0;
VOID IncCounter() {
icount++;}
VOID Instruction(INS ins, VOID *v) {
INS_InsertCall(ins, IPOINT_BEFORE, (AFUNPTR)IncCounter, IARG_END);}
VOID Fini(INT32 code, VOID *v) {
std::cerr << "Count " << icount << endl;}
int main(int argc, char * argv[]) {
PIN_Init(argc, argv);
INS_AddInstrumentFunction(Instruction, 0);
PIN_AddFiniFunction(Fini, 0);
PIN_StartProgram();
return 0;}
Analysis
Instrumentation](https://image.slidesharecdn.com/dbi-161121122724/85/Dynamic-Binary-Instrumentation-7-320.jpg)
Dynamic Binary Instrumentation
- 2. What is Instrumentation ● Inserting extra lines of code into the processes memory. ● Intel’s PIN, Google’s Address Sanitizer, DynamoRIO, Valgrind, GDB. ● Useful for reverse engineering and malware analysis.
- 3. Why DBI …... if (size < sizeof(min_buf)) { iov_to_buf(iov, iovcnt, 0, min_buf, size); memset(&min_buf[size], 0, sizeof(min_buf) - size); } else if (iov->iov_len < MAXIMUM_ETHERNET_HDR_LEN) { /* This is very unlikely, but may happen. */ iov_to_buf(iov, iovcnt, 0, min_buf, MAXIMUM_ETHERNET_HDR_LEN); filter_buf = min_buf; } …...
- 4. …. if (size < sizeof(min_buf)) { printf(“Good size branchn”); iov_to_buf(iov, iovcnt, 0, min_buf, size); memset(&min_buf[size], 0, sizeof(min_buf) - size); } else if (iov->iov_len < MAXIMUM_ETHERNET_HDR_LEN) { /* This is very unlikely, but may happen. */ printf(“Got a rare casen”); iov_to_buf(iov, iovcnt, 0, min_buf, MAXIMUM_ETHERNET_HDR_LEN); filter_buf = min_buf; } ….
- 5. Installation guidelines ● https://labs.portcullis.co.uk/blog/an-introduction-to-binary-dynamic- analysis/ ● https://software.intel. com/sites/landingpage/pintool/docs/76991/Pin/html/
- 6. Where’s the code? ● Comes with pre-existing scripts. ● Feature to add custom scripts. ● Written in C or C++. ● Examples in ~/pin/source/tools/SimpleExamples/
- 7. #include <iostream> #include "pin.H" UINT64 icount = 0; VOID IncCounter() { icount++;} VOID Instruction(INS ins, VOID *v) { INS_InsertCall(ins, IPOINT_BEFORE, (AFUNPTR)IncCounter, IARG_END);} VOID Fini(INT32 code, VOID *v) { std::cerr << "Count " << icount << endl;} int main(int argc, char * argv[]) { PIN_Init(argc, argv); INS_AddInstrumentFunction(Instruction, 0); PIN_AddFiniFunction(Fini, 0); PIN_StartProgram(); return 0;} Analysis Instrumentation
- 8. Execution $ pin -t inscount.so -- /bin/ls inscount.cpp inscount.so inscount.o Count 422838 Output of inscount $
- 9. Detecting Heap bugs ● Keep list of used and free chunks. ● If input is read to any of these chunks, check sizes and number of bytes being read. ● In case of structure objects, check for input being read to an address inside a chunk. ● If input is read to free chunk => UAF. ● If number of bytes read > size of chunk => heap overflow. ● If chunk_start + size - address < number of bytes => heap overflow.
- 10. The code ● Heap_trace.cpp ● Need to check for other functions like scanf(), strncpy(), memcpy() etc. ● Alerts: ○ When the same chunk is returned by malloc more than once. ○ When the same chunk is going to be freed more than once. ○ When input crosses chunk boundaries. ○ When input is copied to free chunks. ● Around 200 lines of code (excluding the nice comments). ● Let’s have a look. ● Demo1
- 11. C or C++ ? That’s it? ● Kudos to the owners. ● Blankwall - Python Pin. ● A python wrapper to PIN. ● Not yet complete.
- 12. import sys, pin total = 0 info = file("inscount.out", "w") def counter(trace_addr): global total x = pin.TRACE_BblHead(trace_addr) y = pin.BBL_Address(x) instrucs = pin.BBL_NumIns(x) total += instrucs info.write("Basic Block @ %x SIZE: %x NUM INS= IN BLOCK: %x TOTAL: %xn" % (y, pin.BBL_Size (x), instrucs, total )) pin.TRACE_AddInstrumentFunction(counter)
- 13. $ pin -t obj-intel64/Python_Pin.so -m ins_count.py -- /bin/ls $ cat inscount.out|head Basic Block @ 7ffff7ddb2d0 SIZE: 8 NUM INS= IN BLOCK: 2 TOTAL: 2 Basic Block @ 7ffff7ddea40 SIZE: 55 NUM INS= IN BLOCK: 16 TOTAL: 18 Basic Block @ 7ffff7ddeaef SIZE: 6 NUM INS= IN BLOCK: 2 TOTAL: 1a Basic Block @ 7ffff7ddead8 SIZE: 17 NUM INS= IN BLOCK: 6 TOTAL: 20
- 14. Heap_Tracer.py ? ● 90 lines of code. ( Hurray! ) ● Let’s take a look. ● Demo2