Recon MTL 2017 Bincat

BinCAT
Purrfecting binary static analysis
June 16th 2017 - REcon
Philippe Biondi, Raphal Rigo, Sarah Zennou, Xavier Mehrenberger

Plan
Introduction
Demo
Under the hood
Conclusion
Biondi, Mehrenberger, Rigo, Zennou :: BinCAT 2

Plan
Introduction
Demo
Under the hood
Conclusion

BinCAT (Binary Code Analysis Toolkit)
...
taint
values
analysis
extensible x86
CFG
with ...
indirect computed x86
jumps
properties ...
types
... Binary
analyzer
forward /
static
backward
analysis
IDA in- theory

tegration backed

...
taint
values
analysis
extensible x86
CFG
with ...
jumps
properties ...
types
... Binary
analyzer
forward /
static
backward
analysis
IDA in- theory

tegration backed

...
taint
values
analysis
extensible x86
CFG
with ...
jumps
properties ...
types
... Binary
analyzer
forward /
static
backward
analysis
IDA in- theory

tegration backed

...
taint
values
analysis
extensible x86
CFG
with ...
jumps
properties ...
types
... Binary
analyzer
forward /
static
backward
analysis
IDA in- theory

tegration backed

...
taint
values
analysis
extensible x86
CFG
with ...
jumps
properties ...
types
... Binary
analyzer
forward /
static
backward
analysis
IDA in- theory

tegration backed

...
taint
values
analysis
extensible x86
CFG
with ...
jumps
properties ...
types
... Binary
analyzer
forward /
static
backward
analysis
IDA in- theory

tegration backed

...
taint
values
analysis
extensible x86
CFG
with ...
jumps
properties ...
types
... Binary
analyzer
forward /
static
backward
analysis
IDA in- theory

tegration backed

...
taint
values
analysis
extensible x86
CFG
with ...
jumps
properties ...
types
... Binary
analyzer
forward /
static
backward
analysis
IDA in- theory

tegration backed

...
taint
values
analysis
extensible x86
CFG
with ... inter-
indirect computed mediate
jumps
properties language ...
types
... Binary
analyzer
forward /
static
backward
analysis
IDA in- theory

tegration backed

...
taint
values
analysis
extensible x86
CFG
with ... inter-
indirect computed mediate
jumps
properties language ...
types
... Binary
analyzer
forward /
static
backward
analysis
IDA in- theory

tegration backed

Plan
Introduction
Demo
Under the hood
Conclusion

Example: keygenme
$ ./get_key
Usage: ./get_key company department name licence

Example: keygenme
$ ./get_key
$ ./get_key company department name wrong_serial

Example: keygenme
$ ./get_key

Licence=>[025E60CB08F00A1A23F236CC78FC819CE6590DD7]
Invalid serial wrong_serial

Example: keygenme
$ ./get_key

$ ./get_key company department name 025E60CB0[...]

Example: keygenme
$ ./get_key

$ ./get_key company department name 025E60CB0[...]

Thank you for registering !

Keygenme: data flow
argv[0] department company name
CRC CRC CRC CRC

Keygenme: data flow
CRC CRC CRC CRC
mul

Keygenme: data flow
CRC CRC CRC CRC
mul
sprintf

Keygenme: data flow
CRC CRC CRC CRC
mul
sprintf

Keygenme: data flow
CRC CRC CRC CRC
mul
sprintf
SHA-1

Keygenme: data flow
CRC CRC CRC CRC
mul
sprintf
SHA-1
hex encode

Keygenme: data flow
CRC CRC CRC CRC
mul
sprintf
SHA-1
hex encode
license

Demo 1: BinCAT usage

Demo 2: Tainting

Plan
Introduction
Demo
Under the hood
Conclusion

Architecture
IDA
IDA plugin

Architecture
IDA
IDA plugin bincat binary

Architecture
IDA config, binary...

Architecture
local mode
IDA config, binary...
results, logs

Architecture
remote mode
IDA
IDA plugin REST Web server bincat binary
REST

Architecture
remote mode
IDA
IDA plugin REST Web server bincat binary
REST

Control flow graph reconstruction
state1
IP=0x08041236
EAX=0x00000000
EBX=0x87654321
mem[0x1000]=|323130|
state3
IP=0x0804143D state2
EAX=0x12345678
EBX=0x8765432?
mem[0x1000]=|303132|
IP=0x08041238
EAX=0x00000000
EBX=0x87654321
mem[0x1000]=|303132|
state4
IP=0x0804123A
EIP=0x0804123C
EAX=0x12345678
EAX=0x0007FFFF
EBX=0x87654321
ZF=1
mem[0x1000]=|303132|

state4
state1
IP=0x08041236
EAX=0x00000000
EBX=0x87654321
mem[0x1000]=|323130|
state3
EAX=0x12345678
EBX=0x8765432?
mem[0x1000]=|303132|
IP=0x08041238
EAX=0x00000000
EBX=0x87654321
mem[0x1000]=|303132|
state4
IP=0x0804123A
EIP=0x0804123C
EAX=0x12345678
EAX=0x0007FFFF
EBX=0x87654321
ZF=1
mem[0x1000]=|303132|
EIP=0x0804123C
IP=0x0804123A
EAX=0x12345678
EAX=0x0007FFFF
EBX=0x87654321
ZF=1
mem[0x1000]=|303132|

Decoder
ts
m en
state1
seg
t,
IP=0x08041236
EAX=0x00000000
EBX=0x87654321
mem[0x1000]=|323130|
n tex
state3 , co
IP=0x0804143D
EAX=0x12345678
EBX=0x8765432?
mem[0x1000]=|303132|
state2
IP=0x08041238 PC
EAX=0x00000000
EBX=0x87654321
mem[0x1000]=|303132|
state4
IP=0x0804123A
EIP=0x0804123C
EAX=0x12345678
EAX=0x0007FFFF
EBX=0x87654321
ZF=1
mem[0x1000]=|303132|

Decoder
state1 inc eax

IP=0x08041236
EAX=0x00000000
EBX=0x87654321
mem[0x1000]=|323130|
intermediate language eax (eax + 0x1);

zf eax=0 ? 1: 0;
sf (eax >> 0x1f)=1 ? 1: 0;
...
state3
EAX=0x12345678
EBX=0x8765432?
mem[0x1000]=|303132|
IP=0x08041238
EAX=0x00000000
EBX=0x87654321
mem[0x1000]=|303132|
state4
IP=0x0804123A
EIP=0x0804123C
EAX=0x12345678
EAX=0x0007FFFF
EBX=0x87654321
ZF=1
mem[0x1000]=|303132|

ax Control flow graph reconstruction
Decoder
state1 inc eax

IP=0x08041236
EAX=0x00000000
EBX=0x87654321
mem[0x1000]=|323130|

zf eax=0 ? 1: 0;
sf (eax >> 0x1f)=1 ? 1: 0;
...
state3
EAX=0x12345678
EBX=0x8765432?
mem[0x1000]=|303132|
IP=0x08041238
EAX=0x00000000
EBX=0x87654321
mem[0x1000]=|303132|
age
state4
IP=0x0804123A
EIP=0x0804123C
EAX=0x12345678
EAX=0x0007FFFF
EBX=0x87654321
ZF=1
mem[0x1000]=|303132|
eax (eax + 0x1);

zf eax=0 ? 1: 0;
sf (eax >> 0x1f)=1 ? 1: 0;
...

Decoder
state1
IP=0x08041236
EAX=0x00000000
EBX=0x87654321
mem[0x1000]=|323130|

zf eax=0 ? 1: 0;
sf (eax >> 0x1f)=1 ? 1: 0;
...
state3
EAX=0x12345678
EBX=0x8765432?
mem[0x1000]=|303132|
IP=0x08041238
EAX=0x00000000
EBX=0x87654321
mem[0x1000]=|303132|
State generator
state4
IP=0x0804123A
EIP=0x0804123C
EAX=0x12345678
EAX=0x0007FFFF
EBX=0x87654321
ZF=1
mem[0x1000]=|303132|

Decoder
state1
IP=0x08041236
EAX=0x00000000
EBX=0x87654321
mem[0x1000]=|323130|
state3
EAX=0x12345678
EBX=0x8765432?
mem[0x1000]=|303132|
IP=0x08041238
EAX=0x00000000
EBX=0x87654321
mem[0x1000]=|303132|
State generator
state4
IP=0x0804123A
EIP=0x0804123C
EAX=0x12345678
EAX=0x0007FFFF
EBX=0x87654321
ZF=1
mem[0x1000]=|303132|
state5
EIP=0x0804123D
EAX=0x00080000
ZF=0
mem[0x1000]=|303132|

Decoder
state
state1
IP=0x08041236
EAX=0x00000000
EBX=0x87654321
mem[0x1000]=|323130|
state5
4
state3
EAX=0x12345678
EBX=0x8765432?
mem[0x1000]=|303132|
IP=0x08041238
EAX=0x00000000
EBX=0x87654321
mem[0x1000]=|303132|
State generator
state4
IP=0x0804123A
EIP=0x0804123C
EAX=0x12345678
EAX=0x0007FFFF
EBX=0x87654321
ZF=1
mem[0x1000]=|303132|
state5
EIP=0x0804123C
IP=0x0804123A EIP=0x0804123D
EAX=0x00080000
ZF=0
mem[0x1000]=|303132|
EAX=0x12345678
EAX=0x0007FFFF
EBX=0x87654321
ZF=1
mem[0x1000]=|303132| EIP=0x0804123D
EAX=0x00080000
ZF=0
mem[0x1000]=|303132|

Decoder
state1
IP=0x08041236
EAX=0x00000000
EBX=0x87654321
mem[0x1000]=|323130|
state3
EAX=0x12345678
EBX=0x8765432?
mem[0x1000]=|303132|
IP=0x08041238
EAX=0x00000000
EBX=0x87654321
mem[0x1000]=|303132|
State generator
state4
IP=0x0804123A
EIP=0x0804123C
EAX=0x12345678
EAX=0x0007FFFF
EBX=0x87654321
ZF=1
mem[0x1000]=|303132|
state5
state5
EIP=0x0804123D
EAX=0x00080000
if new
ZF=0
mem[0x1000]=|303132|
EIP=0x0804123D
EAX=0x00800000
ZF=0
mem[0x1000]=|303132|

Formal correctness: static analysis by abstract interpretation
operations on values/taint/types are done on abstract objects which
represent sets of values/taint/types
ex: 0 {0}, ? {integers}, Struct {C structs}
abstract computations are always an overapproximation of actual ones
approximation example: loop widening ()

s1 : esi = 0x1000, uint32* while esi < 0x8000

esi = esi + 4


esi = esi + 4
Idea:
s2 : esi = 0x1004, uint32*
what is stable is kept
s20 = s1 s2
Ex: type
esi = 0x????????, uint32* what changes is
overapproximated
Ex: value


esi = esi + 4
Idea:
s2 : esi = 0x1004, uint32*
s20 = s1 s2
Ex: type
overapproximated
Ex: value
s3 : esi = 0x????????, uint32*
s30 = s20 s3
esi = 0x????????, uint32*


esi = esi + 4
Idea:
s2 : esi = 0x1004, uint32*
s2 s20 = s1 s2
Ex: type
v overapproximated
Ex: value
s3 : esi = 0x????????, uint32* Theorem 1: (si0 ) sequence is
s3 s30 = s20 s3 ultimately stationary
v
esi = 0x????????, uint32*
Theorem 2: fixpoint sf0 is an
overapproximation of the real
execution trace
sn
v


esi = esi + 4
Idea:
s2 : esi = 0x1004, uint32*
s2 s20 = s1 s2
Ex: type
v overapproximated
Ex: value
s3 : esi = 0x????????, uint32* Theorem 1: (si0 ) sequence is
s3 s30 = s20 s3 ultimately stationary
v
esi = 0x????????, uint32*
Theorem 2: fixpoint sf0 is an
overapproximation of the real
execution trace
sn
v some techniques allow for precision
recovery
Empirical testing
Theory is correct.

Empirical testing
Theory is correct.
In theory, the implementation too.

Empirical testing
Theory is correct.
In practice, a lot of things are complex and bug prone: the decoder,
abstract operations, etc.

Empirical testing
Theory is correct.
= lots of unit tests

Empirical testing
Theory is correct.
BinCAT vs CPU: > 67.000 tests for ' 55 instructions

Empirical testing
Theory is correct.
BinCAT vs QEMU test-i386: 87% test coverage over ' 105 instructions

Empirical testing
Theory is correct.
BinCAT vs QEMU test-i386: 87% test coverage over ' 105 instructions
P
A
W
SO
ME
!!!

Analyzers performance
Example: keygenme
6407 instructions analyzed
RAM usage: 90 MiB
running time: 6s
average: ' 1060 insn/s
QEMU tests:
209 120 instructions analyzed
RAM usage: 2.3 GiB
running time: 23 min 30 s
average: ' 150 insn/s
Intel Core i7-6700K CPU @ 4,00GHz

Plan
Introduction
Demo
Under the hood
Conclusion

Conclusion
x86
values
extensible
taint
analysis computed intermediate
properties language
CFG
with
indirect
jumsp
types Binary
analyzer
forward /
static
backward
analysis
IDA in- theory

tegration backed

Current features improvements (planned)
x86
valeurs
extensible
better type reconstruction

taint inter-
computed mediate new types from heuristics. Ex:
properties language structures detection on stack
several distinct taint sources
types reconstruction
du CFG more precise computations in
avec
sauts BinCAT backward analysis
indirects
forwardrsolus
/ more standard library functions
statique
backward models
analysis
type and value override in IDA
memory definition directly in IDA
IDA in- base

tegration thorique

Future features
object
recon- x86
taint struc-
analysis tion extensible x86-64
(C++)
values intermediate
computed
properties language
ARM
reconstruction
reconstruction
de types
du CFG
avec
sauts BinCAT
indirects
analyses
rsolus statique
avan-
t/arrire
intgr base
finer approximations in values
IDA computation by using intervals
thorique
complex objects reconstruction (C++)
x86-64 and ARM decoders

Thanks!
Full paper (link in README):

https://www.sstic.org/media/SSTIC2017/SSTIC-actes/bincat_purrfecting_
binary_static_analysis/SSTIC2017-Article-bincat_purrfecting_binary_
static_analysis-biondi_rigo_zennou_mehrenberger.pdf
project was partially financed by DGA-MI

Get it! (AGPL licence)
https://github.com/airbus-seclab/bincat
docker run -p 5000:5000 airbusseclab/bincat
tutorial in doc/tutorial.md

x86 coverage
ADD PUSHES POPES OR PUSHCS 2bytes
ADC PUSHSS POPSS SBB PUSHDS POPDS
AND ES: DAA SUB CS: DAS
XOR SS: AAA CMP DS: AAS
INC DEC
PUSH POP
PUSHA POPA BOUND ARPL FS: GS: OPSIZE: ADSIZE: PUSH IMUL PUSH IMUL INSB INSW OUTSB OUTSW
JNO JNO JB JNB JZ JNZ JBE JA JS JNS JP JNP JL JNL JLE JNLE
Grp1 Grp1 Grp1 TEST XCHG MOV LEA MOV POP
NOP XCHG EAX CWD CDQ CALL WAIT PUSHF POPF SAHF LAHF
MOV EAX MOVS CMPS TEST STOS LODS SCAS
MOV
SHIFT RETN LES LDS MOV ENTER LEAVE RETF INT3 INT INTO IRETD
Grp2 AAM AAD SALC XLAT FPU
LOOPNZ LOOPZ LOOP JCXZ IN OUT CALL JMP JMPF JMPS IN OUT
LOCK: INT1 REPNE: REP: HLT CMC Grp3 CLC STC CLI STI CLD STD Grp4 Grp5
x86 coverage - Second table
Grp6 Grp7 LAR LSL CLTS INVD WBINVD UD2 NOP
SSE Prefetch S E1 HINT NOP
MOV CR DR SSE
WRMSR RDTSC RDMSR RDPMC SYSENTER SYSEXIT GETSEC SMX MOVBE SSE
CMOV
SSE
MMX SSE
MMX SSE VMX MMX SSE
JNO JNO JB JNB JZ JNZ JBE JA JS JNS JP JNP JL JNL JLE JNLE
SETNO SETNO SETB SETNB SETZ SETNZ SETBE SETA SETS SETNS SETP SETNP SETL SETNL SETLE SETNLE
PUSHFS POPFS CPUID BT SHLD PUSHGS POPGS RSM BTS SHRD FENCE IMUL
CMPXCHG LSS BTR LFS LGS MOVZX POPCNT UD BTx BTC BSF BSR MOVSX
XADD SSE CMPXCHG BSWAP
MMX SSE
MMX SSE
MMX SSE
Currently implemented lattices
less precise >

>
v ... -4 ... 7 . . . untainted tainted
very precise

less precise >
... int struct ...
v
int32 uint32
very precise

Recon MTL 2017 Bincat

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Recon MTL 2017 Bincat

Uploaded by

Copyright:

Available Formats

BinCAT

Purrfecting binary static analysis

June 16th 2017 - REcon

Philippe Biondi, Raphal Rigo, Sarah Zennou, Xavier Mehrenberger

Under the hood

Biondi, Mehrenberger, Rigo, Zennou :: BinCAT 2

Under the hood

Biondi, Mehrenberger, Rigo, Zennou :: BinCAT 3

IDA in- theory

Biondi, Mehrenberger, Rigo, Zennou :: BinCAT 4

IDA in- theory

Biondi, Mehrenberger, Rigo, Zennou :: BinCAT 5

IDA in- theory

Biondi, Mehrenberger, Rigo, Zennou :: BinCAT 6

IDA in- theory

Biondi, Mehrenberger, Rigo, Zennou :: BinCAT 7

IDA in- theory

Biondi, Mehrenberger, Rigo, Zennou :: BinCAT 8

IDA in- theory

Biondi, Mehrenberger, Rigo, Zennou :: BinCAT 9

IDA in- theory

Biondi, Mehrenberger, Rigo, Zennou :: BinCAT 10

IDA in- theory

Biondi, Mehrenberger, Rigo, Zennou :: BinCAT 11

IDA in- theory

Biondi, Mehrenberger, Rigo, Zennou :: BinCAT 12

IDA in- theory

Biondi, Mehrenberger, Rigo, Zennou :: BinCAT 13

Under the hood

Biondi, Mehrenberger, Rigo, Zennou :: BinCAT 14

Biondi, Mehrenberger, Rigo, Zennou :: BinCAT 15

$ ./get_key company department name wrong_serial

Biondi, Mehrenberger, Rigo, Zennou :: BinCAT 16

$ ./get_key company department name wrong_serial

Biondi, Mehrenberger, Rigo, Zennou :: BinCAT 17

$ ./get_key company department name wrong_serial

$ ./get_key company department name 025E60CB0[...]

Biondi, Mehrenberger, Rigo, Zennou :: BinCAT 18

$ ./get_key company department name wrong_serial

$ ./get_key company department name 025E60CB0[...]

Biondi, Mehrenberger, Rigo, Zennou :: BinCAT 19

argv[0] department company name

CRC CRC CRC CRC

Biondi, Mehrenberger, Rigo, Zennou :: BinCAT 20

argv[0] department company name

CRC CRC CRC CRC

Biondi, Mehrenberger, Rigo, Zennou :: BinCAT 21

argv[0] department company name

CRC CRC CRC CRC

Biondi, Mehrenberger, Rigo, Zennou :: BinCAT 22

argv[0] department company name

CRC CRC CRC CRC

Biondi, Mehrenberger, Rigo, Zennou :: BinCAT 23

argv[0] department company name

CRC CRC CRC CRC

Biondi, Mehrenberger, Rigo, Zennou :: BinCAT 24

argv[0] department company name

CRC CRC CRC CRC

Biondi, Mehrenberger, Rigo, Zennou :: BinCAT 25

argv[0] department company name

CRC CRC CRC CRC

Biondi, Mehrenberger, Rigo, Zennou :: BinCAT 26