1 / 20

Static Slicing of Binary Executables with DynInst

This document explores static slicing techniques for binary executables using DynInst. It discusses the motivation behind slicing, including debugging, maintenance, parallelization, and identifying malicious code. The text contrasts static backward slicing with static forward slicing and dynamic slicing. It details constructing Program Dependence Graphs, identifying data and control dependencies, and challenges faced, particularly with indirect jump instructions. The dynamics of the implementation process, such as building data and control dependency graphs, are examined to illustrate the effectiveness of static analysis.

benny
Télécharger la présentation

Static Slicing of Binary Executables with DynInst

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Static Slicing ofBinary Executableswith DynInst Tuğrul İnce

  2. Slicing int method=SET; int number = 0; int x = 1, y = 2; if(method == SET) { number = 42; printf(“Just set the number to 42”); } else { x = y = 4; printf(“Not setting variable number”); } printf(“Final Value %d\n“, number);

  3. Motivation • Slicing is historically used for: • Debugging • Software Maintenance • Parallelization • Generally on the source code • Binary executables • Moving dynamic analysis to static • Function pointers • Improve code generation • Identifying malicious code • Reverse-engineering viruses

  4. Slicing • Weiser’s original definition • identifying all program code that can in any way affect the value of a given variable • This is now called “static backward slicing” • Static Forward Slicing • Identifying all statements and control predicates dependent on the variable in the slicing criterion • Dynamic Slicing • Identifying program code that actually changes the value of a given variable, determined at runtime.

  5. 1. a:=3 • 2. b:=a • 1. if a=true then • 2. b:=1 • 3. else • 4. c:=0 How to Determine a Slice • Construct a Program Dependence Graph • A Combination of Data Dependency Graph and Control Dependency Graph • Identify Data Dependency • b depends on a • Identify Control Dependency • Both assignments depend on if statement

  6. How to Determine a Slice <main+9>: mov $0x0,%eax <main+14>: sub %eax,%esp <main+16>: movl $0x0,0xfffffff8(%ebp) <main+23>: cmpl $0x0,0xfffffff8(%ebp) <main+27>: jne 0x8048475 <main+49> <main+29>: movl $0x1,0xfffffffc(%ebp) <main+36>: mov $0x5,%eax <main+41>: sub 0xfffffffc(%ebp),%eax <main+44>: mov %eax,0xfffffff4(%ebp) <main+47>: jmp 0x8048485 <main+65> <main+49>: movl $0x7,0xfffffffc(%ebp) <main+56>: mov 0xfffffffc(%ebp),%eax <main+59>: sub $0x5,%eax <main+62>: mov %eax,0xfffffff4(%ebp) <main+65>: mov 0xfffffffc(%ebp),%eax <main+68>: mov %eax,0xfffffff8(%ebp) <main+71>: mov 0xfffffffc(%ebp),%eax <main+74>: mov %eax,0xc(%esp) <main+78>: mov 0xfffffff4(%ebp),%eax <main+81>: mov %eax,0x8(%esp) <main+85>: mov 0xfffffff8(%ebp),%eax <main+88>: mov %eax,0x4(%esp) <main+92>: movl $0x8048594,(%esp) <main+99>: call 0x8048368 <printf@plt> int main() { register int k=0; register int i=0; register int j=0; if(i==0) { k=1; j=5-k; } else { k=7; j=k-5; } i=k; printf("Printing i, j and k %d %d %d\n", i, j , k); return 0; } <main+16>: movl $0x0,0xfffffff8(%ebp) <main+23>: cmpl $0x0,0xfffffff8(%ebp) <main+27>: jne 0x8048475 <main+49> <main+29>: movl $0x1,0xfffffffc(%ebp) <main+36>: mov $0x5,%eax <main+41>: sub 0xfffffffc(%ebp),%eax <main+44>: mov %eax,0xfffffff4(%ebp) <main+47>: jmp 0x8048485 <main+65> <main+49>: movl $0x7,0xfffffffc(%ebp) <main+56>: mov 0xfffffffc(%ebp),%eax <main+59>: sub $0x5,%eax <main+62>: mov %eax,0xfffffff4(%ebp) <main+65>: mov 0xfffffffc(%ebp),%eax <main+68>: mov %eax,0xfffffff8(%ebp)

  7. movl $0x0,0xfffffff8(%ebp) Control Dependence Graph Data Dependence Graph cmpl $0x0,0xfffffff8(%ebp) jne 0x8048475 <main+49> movl $0x1,0xfffffffc(%ebp) mov $0x5,%eax sub 0xfffffffc(%ebp),%eax mov %eax,0xfffffff4(%ebp) jmp 0x8048485 <main+65> movl $0x7,0xfffffffc(%ebp) mov 0xfffffffc(%ebp),%eax sub $0x5,%eax mov %eax,0xfffffff4(%ebp) mov 0xfffffffc(%ebp),%eax mov %eax,0xfffffff8(%ebp)

  8. movl $0x0,0xfffffff8(%ebp) cmpl $0x0,0xfffffff8(%ebp) jne 0x8048475 <main+49> movl $0x1,0xfffffffc(%ebp) mov $0x5,%eax sub 0xfffffffc(%ebp),%eax mov %eax,0xfffffff4(%ebp) jmp 0x8048485 <main+65> movl $0x7,0xfffffffc(%ebp) mov 0xfffffffc(%ebp),%eax sub $0x5,%eax mov %eax,0xfffffff4(%ebp) mov 0xfffffffc(%ebp),%eax mov %eax,0xfffffff8(%ebp)

  9. movl $0x0,0xfffffff8(%ebp) cmpl $0x0,0xfffffff8(%ebp) jne 0x8048475 <main+49> movl $0x1,0xfffffffc(%ebp) jmp 0x8048485 <main+65> movl $0x7,0xfffffffc(%ebp) mov 0xfffffffc(%ebp),%eax Dependency Graph Node mov %eax,0xfffffff8(%ebp)

  10. Implementation • Static Analysis • DynInst loads executable in stopped state • Building Data Dependency Graph • For each instruction in a basic block, determine registers/variables that are read/written • Not so easy, large instruction set • When an instruction reads a register/variable, mark it as dependent on the one that recently modified that reg/var

  11. Building Control Dependency Graph • A node V is post-dominated by a node W if every directed path from V to Stop contains W • An instruction Y is control dependent on another instruction X iff • There exists a directed path P from X to Y with another instruction Z in P, post-dominated by Y • X is not post-dominated by Y STOP A Post Dominator Tree D CFG B C A B C D

  12. Challenges • Indirect Jump Instructions • Hard to create control flow graph • Very common in switch statements • Follows a pattern • Aliasing • Currently not handled • Pointers • Treat all memory as a single object • Overly Conservative • Kiss et al.* use this approach • EEL’s approach: terminate prematurely * Kiss, A., Jasz, J., Lehotai, G., Gyimothy, T. Interprocedural static slicing of binary executables. Third IEEE International Workshop on Source Code Analysis and Manipulation, 2003. Proceedings. 26-27 Sept. 2003.

  13. On-demand Computation • Generation of Data and Control Dependency Graph is costly, so is Slicing • Since it is static, it is enough to compute these graphs only once • Therefore, they are computed only on-demand and stored until the execution finishes

  14. Annotation Framework • Many analyses generate data while examining instructions/functions etc. • Generally costly operations • Store the result ! • New analysis means new variable(s) added to class definition • Error prone • API changes • Requires rebuild

  15. Annotation Framework • Create a unified Annotation Framework instead • Use a well-defined interface for each object that needs to be annotated • Has to be extensible • Add new annotation types at runtime • Support for storing metadata along with data

  16. BPatch_function BPatch_instruction Register readSet[] Register writeSet[] Annotation Framework Example • Requires development effort • Not desirable • Error-prone • Tedious Graph* CFG Graph* dataDependenceGraph Graph* controlDependenceGraph Graph* programDependenceGraph Graph* slicingGraph

  17. Annotatable createAnnotationType(String) findAnnotationType(String) createMetadata(String) findMetadata(String) insertAnnotation(AnnotationType, Annotation*) findAnnotation(AnnotationType, Annotation*, int=0) BPatch_Instruction BPatch_Function Annotation Framework

  18. Annotation void* value setValue(void*) getValue() AnnotationWithSource source getSource() AnnotationWithConfidence confidenceValue getConfidence() Annotation Framework

  19. Example BPatch_function function = … ; AnnotationType type = function.createAnnotationType(“Slice”); Graph* slicingGraph = … ; function.insertAnnotation(type, new Annotation(slicingGraph)); …… function.findAnnotation(type,fillMe);

  20. Summary • Slicing • Status • Intra-procedural Slicing implemented for x86 Linux and Solaris 2.9 • Inter-procedural Slicing is on the way • Aliasing not supported yet • Annotation Framework • Status: Designed, at implementation stage • Unifies the way objects are annotated • Slicing will be the first user

More Related