Professional Documents
Culture Documents
Recon MTL 2017 Bincat
Recon MTL 2017 Bincat
Introduction
Demo
Conclusion
Introduction
Demo
Conclusion
types
... Binary
analyzer
forward /
static
backward
analysis
types
... Binary
analyzer
forward /
static
backward
analysis
types
... Binary
analyzer
forward /
static
backward
analysis
types
... Binary
analyzer
forward /
static
backward
analysis
types
... Binary
analyzer
forward /
static
backward
analysis
types
... Binary
analyzer
forward /
static
backward
analysis
types
... Binary
analyzer
forward /
static
backward
analysis
types
... Binary
analyzer
forward /
static
backward
analysis
types
... Binary
analyzer
forward /
static
backward
analysis
types
... Binary
analyzer
forward /
static
backward
analysis
Introduction
Demo
Conclusion
$ ./get_key
Usage: ./get_key company department name licence
$ ./get_key
Usage: ./get_key company department name licence
$ ./get_key
Usage: ./get_key company department name licence
$ ./get_key
Usage: ./get_key company department name licence
$ ./get_key
Usage: ./get_key company department name licence
mul
mul
sprintf
mul
sprintf
mul
sprintf
SHA-1
mul
sprintf
SHA-1
hex encode
mul
sprintf
SHA-1
hex encode
license
Introduction
Demo
Conclusion
IDA
IDA plugin
IDA
local mode
results, logs
remote mode
IDA
REST
remote mode
IDA
REST
state1
IP=0x08041236
EAX=0x00000000
EBX=0x87654321
mem[0x1000]=|323130|
state3
IP=0x0804143D state2
EAX=0x12345678
EBX=0x8765432?
mem[0x1000]=|303132|
IP=0x08041238
EAX=0x00000000
EBX=0x87654321
mem[0x1000]=|303132|
state4
IP=0x0804123A
EIP=0x0804123C
EAX=0x12345678
EAX=0x0007FFFF
EBX=0x87654321
ZF=1
mem[0x1000]=|303132|
state4
state1
IP=0x08041236
EAX=0x00000000
EBX=0x87654321
mem[0x1000]=|323130|
state3
IP=0x0804143D state2
EAX=0x12345678
EBX=0x8765432?
mem[0x1000]=|303132|
IP=0x08041238
EAX=0x00000000
EBX=0x87654321
mem[0x1000]=|303132|
state4
IP=0x0804123A
EIP=0x0804123C
EAX=0x12345678
EAX=0x0007FFFF
EBX=0x87654321
ZF=1
mem[0x1000]=|303132|
EIP=0x0804123C
IP=0x0804123A
EAX=0x12345678
EAX=0x0007FFFF
EBX=0x87654321
ZF=1
mem[0x1000]=|303132|
Decoder
ts
m en
state1
seg
t,
IP=0x08041236
EAX=0x00000000
EBX=0x87654321
mem[0x1000]=|323130|
n tex
state3 , co
IP=0x0804143D
EAX=0x12345678
EBX=0x8765432?
mem[0x1000]=|303132|
state2
IP=0x08041238 PC
EAX=0x00000000
EBX=0x87654321
mem[0x1000]=|303132|
state4
IP=0x0804123A
EIP=0x0804123C
EAX=0x12345678
EAX=0x0007FFFF
EBX=0x87654321
ZF=1
mem[0x1000]=|303132|
Decoder
state3
IP=0x0804143D state2
EAX=0x12345678
EBX=0x8765432?
mem[0x1000]=|303132|
IP=0x08041238
EAX=0x00000000
EBX=0x87654321
mem[0x1000]=|303132|
state4
IP=0x0804123A
EIP=0x0804123C
EAX=0x12345678
EAX=0x0007FFFF
EBX=0x87654321
ZF=1
mem[0x1000]=|303132|
Decoder
state3
IP=0x0804143D state2
EAX=0x12345678
EBX=0x8765432?
mem[0x1000]=|303132|
IP=0x08041238
EAX=0x00000000
EBX=0x87654321
mem[0x1000]=|303132|
age
state4
IP=0x0804123A
EIP=0x0804123C
EAX=0x12345678
EAX=0x0007FFFF
EBX=0x87654321
ZF=1
mem[0x1000]=|303132|
Decoder
state1
IP=0x08041236
EAX=0x00000000
EBX=0x87654321
mem[0x1000]=|323130|
state3
IP=0x0804143D state2
EAX=0x12345678
EBX=0x8765432?
mem[0x1000]=|303132|
IP=0x08041238
EAX=0x00000000
EBX=0x87654321
mem[0x1000]=|303132|
State generator
state4
IP=0x0804123A
EIP=0x0804123C
EAX=0x12345678
EAX=0x0007FFFF
EBX=0x87654321
ZF=1
mem[0x1000]=|303132|
Decoder
state1
IP=0x08041236
EAX=0x00000000
EBX=0x87654321
mem[0x1000]=|323130|
state3
IP=0x0804143D state2
EAX=0x12345678
EBX=0x8765432?
mem[0x1000]=|303132|
IP=0x08041238
EAX=0x00000000
EBX=0x87654321
mem[0x1000]=|303132|
State generator
state4
IP=0x0804123A
EIP=0x0804123C
EAX=0x12345678
EAX=0x0007FFFF
EBX=0x87654321
ZF=1
mem[0x1000]=|303132|
state5
EIP=0x0804123D
EAX=0x00080000
ZF=0
mem[0x1000]=|303132|
Decoder
state
state1
IP=0x08041236
EAX=0x00000000
EBX=0x87654321
mem[0x1000]=|323130|
state5
4
state3
IP=0x0804143D state2
EAX=0x12345678
EBX=0x8765432?
mem[0x1000]=|303132|
IP=0x08041238
EAX=0x00000000
EBX=0x87654321
mem[0x1000]=|303132|
State generator
state4
IP=0x0804123A
EIP=0x0804123C
EAX=0x12345678
EAX=0x0007FFFF
EBX=0x87654321
ZF=1
mem[0x1000]=|303132|
state5
EIP=0x0804123C
IP=0x0804123A EIP=0x0804123D
EAX=0x00080000
ZF=0
mem[0x1000]=|303132|
EAX=0x12345678
EAX=0x0007FFFF
EBX=0x87654321
ZF=1
mem[0x1000]=|303132| EIP=0x0804123D
EAX=0x00080000
ZF=0
mem[0x1000]=|303132|
Decoder
state1
IP=0x08041236
EAX=0x00000000
EBX=0x87654321
mem[0x1000]=|323130|
state3
IP=0x0804143D state2
EAX=0x12345678
EBX=0x8765432?
mem[0x1000]=|303132|
IP=0x08041238
EAX=0x00000000
EBX=0x87654321
mem[0x1000]=|303132|
State generator
state4
IP=0x0804123A
EIP=0x0804123C
EAX=0x12345678
EAX=0x0007FFFF
EBX=0x87654321
ZF=1
mem[0x1000]=|303132|
state5
state5
EIP=0x0804123D
EAX=0x00080000
if new
ZF=0
mem[0x1000]=|303132|
EIP=0x0804123D
EAX=0x00800000
ZF=0
mem[0x1000]=|303132|
Idea:
s2 : esi = 0x1004, uint32*
what is stable is kept
s20 = s1 s2
Ex: type
esi = 0x????????, uint32* what changes is
overapproximated
Ex: value
Idea:
s2 : esi = 0x1004, uint32*
what is stable is kept
s20 = s1 s2
Ex: type
esi = 0x????????, uint32* what changes is
overapproximated
Ex: value
s3 : esi = 0x????????, uint32*
s30 = s20 s3
esi = 0x????????, uint32*
Idea:
s2 : esi = 0x1004, uint32*
what is stable is kept
s2 s20 = s1 s2
Ex: type
esi = 0x????????, uint32* what changes is
v overapproximated
Ex: value
s3 : esi = 0x????????, uint32* Theorem 1: (si0 ) sequence is
s3 s30 = s20 s3 ultimately stationary
v
esi = 0x????????, uint32*
Theorem 2: fixpoint sf0 is an
overapproximation of the real
execution trace
sn
v
Idea:
s2 : esi = 0x1004, uint32*
what is stable is kept
s2 s20 = s1 s2
Ex: type
esi = 0x????????, uint32* what changes is
v overapproximated
Ex: value
s3 : esi = 0x????????, uint32* Theorem 1: (si0 ) sequence is
s3 s30 = s20 s3 ultimately stationary
v
esi = 0x????????, uint32*
Theorem 2: fixpoint sf0 is an
overapproximation of the real
execution trace
sn
v some techniques allow for precision
recovery
Biondi, Mehrenberger, Rigo, Zennou :: BinCAT 50
Empirical testing
Theory is correct.
Theory is correct.
In theory, the implementation too.
Theory is correct.
In theory, the implementation too.
In practice, a lot of things are complex and bug prone: the decoder,
abstract operations, etc.
Theory is correct.
In theory, the implementation too.
In practice, a lot of things are complex and bug prone: the decoder,
abstract operations, etc.
= lots of unit tests
Theory is correct.
In theory, the implementation too.
In practice, a lot of things are complex and bug prone: the decoder,
abstract operations, etc.
= lots of unit tests
BinCAT vs CPU: > 67.000 tests for ' 55 instructions
Theory is correct.
In theory, the implementation too.
In practice, a lot of things are complex and bug prone: the decoder,
abstract operations, etc.
= lots of unit tests
BinCAT vs CPU: > 67.000 tests for ' 55 instructions
BinCAT vs QEMU test-i386: 87% test coverage over ' 105 instructions
Theory is correct.
In theory, the implementation too.
In practice, a lot of things are complex and bug prone: the decoder,
abstract operations, etc.
= lots of unit tests
BinCAT vs CPU: > 67.000 tests for ' 55 instructions
BinCAT vs QEMU test-i386: 87% test coverage over ' 105 instructions
P
A
W
SO
ME
!!!
Example: keygenme
6407 instructions analyzed
RAM usage: 90 MiB
running time: 6s
average: ' 1060 insn/s
QEMU tests:
209 120 instructions analyzed
RAM usage: 2.3 GiB
running time: 23 min 30 s
average: ' 150 insn/s
Introduction
Demo
Conclusion
taint
analysis computed intermediate
properties language
CFG
with
indirect
jumsp
types Binary
analyzer
forward /
static
backward
analysis
x86
valeurs
extensible
values intermediate
computed
properties language
ARM
reconstruction
reconstruction
de types
du CFG
avec
sauts BinCAT
indirects
analyses
rsolus statique
avan-
t/arrire
intgr base
finer approximations in values
IDA computation by using intervals
thorique
complex objects reconstruction (C++)
x86-64 and ARM decoders
https://github.com/airbus-seclab/bincat
tutorial in doc/tutorial.md
very precise
v
int32 uint32
very precise