Source: Hack In The Box conference materials, conference.hackinthebox.org/hitbsecconf2011ams/materials… (2017-10-15)
Dynamic Data Structure Excavation, or “Gimme back my symbol table!”
Asia Slowinska, Traian Stancescu, Herbert Bos (VU University Amsterdam)
Anonymous bytes only…
```c
struct employee {
    char name[128];
    int year;
    int month;
    int day;
};

struct employee* foo(struct employee* src) {
    struct employee dst;
    // init dst
}
```
Goals
• Long term: reverse engineer complex software
The same code once the binary has lost its names:
```c
struct s1 {
    char f1[128];
    int f2;
    int f3;
    int f4;
};

struct s1* fun1(struct s1* a1) {
    struct s1 l1;
}
```
• Short term: reverse engineer data structures
WHY?
Application I: legacy binary protection
• Legacy binaries everywhere
• We suspect they are vulnerable
But… How to protect legacy code from memory corruption? Answer: find the buffers and make sure that all accesses to them do not stray beyond array bounds.
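To make that answer concrete, here is an added Python example (not code from the talk or from the authors' tool): given a recovered symbol table for the struct employee layout shown on the goals slide, it decides whether a memory access stays inside the innermost recovered object that contains its first byte, which is exactly the check a protected legacy binary would have to make at every buffer access. The Symbol class, the address 0x7000 and the sample accesses are constructed for the demonstration.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Symbol:
    """A recovered object: name, address range and nested children (a structure's
    fields, or an array inside a structure). Constructed stand-in for excavated symbols."""
    name: str
    start: int
    size: int
    children: List["Symbol"] = field(default_factory=list)

    @property
    def end(self) -> int:
        return self.start + self.size


def innermost(symbols: List[Symbol], addr: int) -> Optional[Symbol]:
    """Find the smallest recovered object whose range contains addr (None if unknown)."""
    for sym in symbols:
        if sym.start <= addr < sym.end:
            return innermost(sym.children, addr) or sym
    return None


def check_access(symbols: List[Symbol], addr: int, size: int) -> Tuple[bool, str]:
    """Allow an access only if it stays inside the innermost recovered object that
    contains its first byte: the bounds rule from the slide, applied with the
    recovered layout instead of a compiler-provided symbol table."""
    obj = innermost(symbols, addr)
    if obj is None:
        return False, f"{size}-byte access at {addr:#x} hits no recovered object"
    if addr + size > obj.end:
        return False, (f"{size}-byte access at {addr:#x} strays past {obj.name} "
                       f"(ends at {obj.end:#x})")
    return True, f"{size}-byte access at {addr:#x} stays inside {obj.name}"


# Constructed layout: one struct employee (name[128], year, month, day) placed at 0x7000.
EMPLOYEE = 0x7000
SYMBOLS = [
    Symbol("employee", EMPLOYEE, 140, children=[
        Symbol("employee.name", EMPLOYEE, 128),
        Symbol("employee.year", EMPLOYEE + 128, 4),
        Symbol("employee.month", EMPLOYEE + 132, 4),
        Symbol("employee.day", EMPLOYEE + 136, 4),
    ]),
]

if __name__ == "__main__":
    # A 128-byte write fills name exactly; 132 bytes would overwrite year as well,
    # and an 8-byte access at year would spill into month.
    for addr, size in ((EMPLOYEE, 128), (EMPLOYEE, 132), (EMPLOYEE + 128, 4),
                       (EMPLOYEE + 128, 8), (EMPLOYEE + 140, 4)):
        ok, why = check_access(SYMBOLS, addr, size)
        print("OK  " if ok else "BAD ", why)
```

The nesting matters: the check is made against the innermost object, so a write that stays inside the structure but crosses from name into year is still flagged, which is the case a whole-object bounds check would miss.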
Application II: binary analysis
• We found a suspicious binary – is it malware?
• A program crashed… let’s investigate!
But… Without symbols, what can we do? Answer: generate the symbols ourselves!
(demo later)
Why is it difficult?
```c
struct employee {
    char name[128];
    int year;
    int month;
    int day;
};

struct employee e;
e.year = 2010;
```
[Figure: the compiled code shows only instructions (Instr 1, Instr 2) operating on anonymous bytes]
MISSING:
• Data structures
• Semantics
Data structures: key insight
```c
struct employee {
    char name[128];
    int year;
    int month;
    int day;
};

struct employee e;
e.year = 2010;
```
Yes, data is unstructured… But – usage is NOT!
Data structures: key insight
Analyse dynamically
[Diagram: test inputs → KLEE/S2E → app running in an emulator → data structures]
Intuition
• Observe how memory is used at runtime to detect data structures
• E.g., if A is a pointer…
1. and A is a function frame pointer, then *(A + 8) is perhaps a function argument
   [Figure: stack frame at A: parent EBP, return addr, fun arg1, fun arg2]
2. and A is an address of a structure, then *(A + 8) is perhaps a field in this structure
   [Figure: structure at A: field0, field1, field2, field3]
3. and A is an address of an array, then *(A + 8) is perhaps an element of this array
   [Figure: array at A: elem0, elem1, elem2, elem3, elem4, elem5]
Arrays are tricky
Access pattern & detection:
• elem = next++;
  – Look for chains of accesses in a loop
• elem = array[i];
  – Look for sets of accesses with the same base in a linear space
Challenges:
• Boundary elements accessed outside the loop
• Nested loops
• Multiple loops in sequence
More challenges
Examples:
• Decide which memory accesses are relevant
  – Problems caused by e.g., memset-like functions
• Even more in the paper
[Figure: a region that memset suggests is one array actually holds array 1, array 2 and a structure]
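The array rules from the "Arrays are tricky" slide and the memset problem from this one, as one added Python example (not the authors' tool and not code from the talk): it groups a constructed access trace by base pointer, treats same-base, equal-width accesses at linear offsets inside a loop as an array, absorbs boundary elements that straight-line code touches just before or after the looped span, merges loops run in sequence over the same array, and shows how the accesses of a memset-like clear, if kept, suggest one array where the program really has array 1, array 2 and a structure. The Access record, its in_memset tag, the addresses 0x1000/0x1010/0x1020 and the loop ids are all constructed for the demonstration.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Access:
    """One access from a constructed trace: value of the base pointer, displacement
    from it, width in bytes, id of the innermost loop the instruction belongs to
    (None for straight-line code) and whether a memset-like routine issued it."""
    base: int
    offset: int
    size: int
    loop: Optional[int] = None
    in_memset: bool = False


def _merge(cands: List[Tuple[int, int, int]]) -> List[Tuple[int, int, int]]:
    """Merge overlapping candidates with the same stride: several loops run in
    sequence over one array must yield one array, not one array per loop."""
    out: List[Tuple[int, int, int]] = []
    for start, end, stride in sorted(cands):
        if out and out[-1][2] == stride and start < out[-1][1]:
            out[-1] = (out[-1][0], max(out[-1][1], end), stride)
        else:
            out.append((start, end, stride))
    return out


def detect(trace: List[Access], ignore_memset: bool = True):
    """Return (arrays, fields).

    arrays: [(start, end, stride)] address ranges (end exclusive) found as sets of
            same-base, same-width accesses at linear offsets inside a loop.
    fields: {base: [(offset, size), ...]} for bases touched from straight-line code
            at two or more offsets, i.e. the structure case of the intuition slide.
    """
    looped: Dict[Tuple[int, int], set] = defaultdict(set)   # (base, loop) -> {(off, size)}
    straight: Dict[int, set] = defaultdict(set)             # base -> {(off, size)}
    for a in trace:
        if ignore_memset and a.in_memset:
            continue        # a memset-like clear says nothing about the program's own layout
        if a.loop is None:
            straight[a.base].add((a.offset, a.size))
        else:
            looped[(a.base, a.loop)].add((a.offset, a.size))

    cands = []
    for (base, _loop), accs in looped.items():
        offs = sorted(o for o, _ in accs)
        widths = {s for _, s in accs}
        if len(offs) < 2 or len(widths) != 1:
            continue        # no chain of equal-width accesses in this loop
        stride = offs[1] - offs[0]
        if any(b - a != stride for a, b in zip(offs, offs[1:])):
            continue        # offsets are not linear, so not an array pattern
        size = widths.pop()
        lo, hi = offs[0], offs[-1] + size
        # Boundary elements: same base and width, exactly one stride before or right
        # after the looped span, accessed from straight-line code (arr[0] set before
        # the loop, the last element read after it).
        grew = True
        while grew:
            grew = False
            for off, s in list(straight.get(base, ())):
                if s == size and off in (lo - stride, hi):
                    straight[base].discard((off, s))
                    lo, hi = min(lo, off), max(hi, off + s)
                    grew = True
        cands.append((base + lo, base + hi, stride))

    fields = {b: sorted(s) for b, s in straight.items() if len(s) >= 2}
    return _merge(cands), fields


# Constructed trace for the layout of the "More challenges" slide: array 1 (four ints
# at 0x1000), array 2 (four ints at 0x1010) and a structure with three fields at 0x1020.
A1, A2, S = 0x1000, 0x1010, 0x1020
TRACE = (
    [Access(A1, o, 4, loop=99, in_memset=True) for o in range(0, 48, 4)]  # clears all 48 bytes
    + [Access(A1, o, 4, loop=1) for o in (0, 4, 8)]        # two loops in sequence over array 1
    + [Access(A1, o, 4, loop=2) for o in (4, 8, 12)]
    + [Access(A2, o, 4, loop=3) for o in (4, 8)]           # loop 3 sees only the middle of array 2
    + [Access(A2, 0, 4), Access(A2, 12, 4)]                # its boundary elements, outside the loop
    + [Access(S, 0, 4), Access(S, 4, 2), Access(S, 8, 8)]  # structure fields of mixed width
)

if __name__ == "__main__":
    for ignore in (True, False):
        arrays, fields = detect(TRACE, ignore_memset=ignore)
        print("memset ignored " if ignore else "memset included", arrays, fields)
```

With the memset accesses dropped the result is two 16-byte arrays of stride 4 and a structure with fields at offsets 0, 4 and 8; with them kept, the 48-byte clear overlaps both arrays and the merge step collapses everything into a single array from 0x1000 to 0x1030, which is the "suggested by memset" picture on the slide. Deciding which accesses are relevant is therefore a prerequisite for the array rules, not a refinement of them.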
Results in terms of accuracy – heap memory
[Chart: accuracy of recovered heap memory, measured in variables and in bytes]
demo now
Conclusions
• We can recover data structures by tracking memory accesses
• We believe we can protect legacy binaries
• We are working on data coverage