U Mad? Binary Analysis with the Angr Framework
Ben Denton, PhD. | DESE Research, [email protected] | @b_denton
Intro
• What is binary analysis?
• What is angr? (An unapologetic oversimplification)
• Demos!
What is Binary Analysis?
• Software bugs have taken down spaceships [1], caused nuclear centrifuges to spin out of control [2], and forced the recall of 100,000s of vehicles, resulting in billions of dollars in damages [3].
• How can you find these bugs when source code is unavailable?
• Reverse Engineering, Vulnerability Assessment, and Binary Analysis
• Process: Disassemble, Triage, Understand, Analyze, Symbolize.
[1] Ariane 5: Who Dunnit? https://ieeexplore.ieee.org/document/589224/
[2] Lessons from Stuxnet https://ieeexplore.ieee.org/document/5742014/
[3] A Case Study of Toyota Unintended Acceleration and Software Safety https://users.ece.cmu.edu/~koopman/pubs/koopman14_toyota_ua_slides.pdf
What is angr?
• Binary Analysis Framework developed by the University of California Santa Barbara since 2013.
• Features:
  • iPython accessible
  • Powerful analyses
  • Versatile
  • Open and expandable
  • Architecture “independent”
• angr components (diagram):
  • Binary Loader
  • Intermediate Representation
  • Data Model Abstraction
  • Symbolic Execution Engine
Software Analysis
[diagram slide; the only surviving text is the placeholder "???"]
Symbolic Execution
[diagram slide; surviving labels: Constraints, Concretize]
Symbolic Execution Example
Source code is shown here, but our techniques allow for the same analysis without source code.

def f(x, y):
    if x > y:
        x = x + y
        y = x - y
        x = x - y
    if x - y > 0:
        g()
    return (x, y)

This function swaps the values of x and y when x > y.
The x - y > 0 test is always false, so the call to g() is unreachable.
Symbolic Execution Example
Execute the program on symbolic values. Symbolic state maps variables to symbolic values. Path condition is a quantifier-free formula over the symbolic inputs that encodes all branch decisions taken so far. All paths in the program form its execution tree, in which some paths are feasible and some are infeasible.

def f(x, y):
    if x > y:
        x = x + y
        y = x - y
        x = x - y
    if x - y > 0:
        g()
    return (x, y)

Execution tree for f, starting from the symbolic state x → A, y → B. Each node shows the symbolic state after the step; assignment steps are unconditional (path condition "true"), branch steps add their decision to the path condition:

x → A, y → B
│
├─ A > B  (feasible)
│   x = x + y  →  x → A + B, y → B
│   y = x - y  →  x → A + B, y → A
│   x = x - y  →  x → B, y → A
│   ├─ B - A > 0  →  x → B, y → A  (infeasible)
│   └─ B - A ≤ 0  →  x → B, y → A  (feasible)
│
└─ A ≤ B  (feasible)
    x → A, y → B
Symbolic Execution Example

x = int(input())
if x <= 10:
    if x < 100:
        print("Two!")
    else:
        print("Lots!")
else:
    print("One!")
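The two symbolic execution examples above (the swap function f with inputs A and B, and the input-classifying snippet) can be walked through mechanically. The following is an added illustration written for this transcript; it is not code from the talk and not angr's engine (angr represents values with claripy and asks an SMT solver for models). Here symbolic values are linear expressions over the inputs (class Lin), the path condition is the list of branch decisions (class Cond), explore() forks the symbolic state at every if, and find_model() decides feasibility by concretizing: it searches a bounded integer domain for inputs that satisfy every decision on the path. All names (Lin, Cond, explore, find_model, execution_tree, reachable, SWAP, GUESS) are constructed for this example.

```python
from itertools import product


class Lin:
    """Symbolic value: a linear expression sum(coeff * symbol) + const over the inputs."""
    def __init__(self, coeffs=None, const=0):
        self.coeffs = {k: v for k, v in (coeffs or {}).items() if v != 0}
        self.const = const

    @classmethod
    def symbol(cls, name):
        return cls({name: 1})

    def _combine(self, other, sign):
        coeffs = dict(self.coeffs)
        for name, c in other.coeffs.items():
            coeffs[name] = coeffs.get(name, 0) + sign * c
        return Lin(coeffs, self.const + sign * other.const)

    def __add__(self, other):
        return self._combine(other, 1)

    def __sub__(self, other):
        return self._combine(other, -1)

    def eval(self, model):
        """Concretize: evaluate under a concrete assignment of the symbolic inputs."""
        return sum(c * model[n] for n, c in self.coeffs.items()) + self.const

    def __str__(self):  # positive terms first, so the swapped state prints as "B - A"
        out = ""
        for name, c in sorted(self.coeffs.items(), key=lambda kv: (kv[1] < 0, kv[0])):
            mag = "" if abs(c) == 1 else f"{abs(c)}*"
            out += (("-" if c < 0 else "") if not out else (" - " if c < 0 else " + ")) + mag + name
        if self.const or not out:
            out = str(self.const) if not out else out + (" - " if self.const < 0 else " + ") + str(abs(self.const))
        return out


NEGATE = {">": "<=", "<=": ">", "<": ">=", ">=": "<"}
COMPARE = {">": lambda l, r: l > r, "<=": lambda l, r: l <= r,
           "<": lambda l, r: l < r, ">=": lambda l, r: l >= r}


class Cond:
    """One branch decision, lhs OP rhs, recorded in the path condition."""
    def __init__(self, lhs, op, rhs):
        self.lhs, self.op, self.rhs = lhs, op, rhs

    def negate(self):  # the else edge of a branch carries the negated decision
        return Cond(self.lhs, NEGATE[self.op], self.rhs)

    def holds(self, model):
        return COMPARE[self.op](self.lhs.eval(model), self.rhs.eval(model))

    def __str__(self):
        return f"{self.lhs} {self.op} {self.rhs}"


def find_model(path_condition, symbols, domain):
    """Bounded constraint solving: search the domain for inputs satisfying every decision.
    None means no input *in the domain* takes this path, so the domain must cover the
    constants the program compares against (an SMT solver has no such limit)."""
    for values in product(domain, repeat=len(symbols)):
        model = dict(zip(symbols, values))
        if all(c.holds(model) for c in path_condition):
            return model
    return None


def explore(program, state, path_condition=()):
    """Run a statement list on a symbolic state, forking at every branch.
    Statements: ("assign", var, fn), ("if", fn, then_block, else_block), ("call", name);
    fn maps the state dict to a Lin (assign) or a Cond (if).
    Yields one leaf per path: (path_condition, final state, calls made on the path)."""
    state, calls = dict(state), []
    for i, stmt in enumerate(program):
        if stmt[0] == "assign":
            state[stmt[1]] = stmt[2](state)
        elif stmt[0] == "call":
            calls.append(stmt[1])
        else:  # "if": both children continue with the rest of the program
            cond, rest = stmt[1](state), program[i + 1:]
            for block, decision in ((stmt[2], cond), (stmt[3], cond.negate())):
                for pc, st, cs in explore(block + rest, state, path_condition + (decision,)):
                    yield pc, st, calls + cs
            return
    yield path_condition, state, calls


# The swap function from the slides as a statement list over program variables x and y.
SWAP = [
    ("if", lambda s: Cond(s["x"], ">", s["y"]), [
        ("assign", "x", lambda s: s["x"] + s["y"]),
        ("assign", "y", lambda s: s["x"] - s["y"]),
        ("assign", "x", lambda s: s["x"] - s["y"]),
    ], []),
    ("if", lambda s: Cond(s["x"] - s["y"], ">", Lin()), [("call", "g")], []),
]

# The input-classifying snippet from the slides; the prints become named calls.
GUESS = [
    ("if", lambda s: Cond(s["x"], "<=", Lin(const=10)), [
        ("if", lambda s: Cond(s["x"], "<", Lin(const=100)),
         [("call", "print Two!")], [("call", "print Lots!")]),
    ], [("call", "print One!")]),
]


def execution_tree(program, inputs, domain=range(-5, 6)):
    """Every path: its path condition, final symbolic state, calls, and a feasibility witness."""
    start = {var: Lin.symbol(sym) for var, sym in inputs.items()}
    leaves = []
    for pc, state, calls in explore(program, start):
        model = find_model(pc, list(inputs.values()), domain)
        leaves.append({"path": [str(c) for c in pc],
                       "state": {v: str(e) for v, e in state.items()},
                       "calls": calls, "feasible": model is not None, "witness": model})
    return leaves


def reachable(name, program, inputs, domain=range(-5, 6)):
    """True if some feasible path performs the named call."""
    return any(leaf["feasible"] and name in leaf["calls"]
               for leaf in execution_tree(program, inputs, domain))


if __name__ == "__main__":
    for leaf in execution_tree(SWAP, {"x": "A", "y": "B"}):
        print(" and ".join(leaf["path"]), leaf["state"],
              "feasible" if leaf["feasible"] else "infeasible", leaf["calls"])
    print("g reachable:", reachable("g", SWAP, {"x": "A", "y": "B"}))
    print("Lots! reachable:", reachable("print Lots!", GUESS, {"x": "X"}, range(-200, 201)))
```

For SWAP the four leaves reproduce the tree on the slide: the paths A > B, B - A > 0 and A ≤ B, A - B > 0 have no witness, so g is unreachable on every feasible path. For GUESS the "Lots!" branch needs x ≤ 10 and x ≥ 100 at once and is infeasible, while "One!" is feasible. The bounded domain is the weak point of this toy solver: with the default range(-5, 6) the "One!" path (x > 10) is wrongly reported infeasible, which is why the call above widens the domain to cover the program's constants, and why real engines hand the path condition to an SMT solver instead.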
Demo: crackme
• Available at https://github.com/bendenton/2018_NCS
Demo: crackme2
• Available at https://github.com/bendenton/2018_NCS
Demo: crackme3
• Available at https://github.com/bendenton/2018_NCS
Questions?
https://github.com/bendenton/2018_NCS
https://www.linkedin.com/in/ben-denton/