Pharos Static Analysis Framework

Transcription

1 Pharos Static Analysis Framework Cory F. Cohen Senior Malware Analysis Researcher [DISTRIBUTION 2017 Carnegie Mellon STATEMENT University A] This 1 [DISTRIBUTION release and unlimited STATEMENT distribution A] This material has been approved for public

2 Copyright 2017 Carnegie Mellon University. All Rights Reserved. This material is based upon work funded and supported by the Department of Defense under Contract No. FA D-0002 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. The view, opinions, and/or findings contained in this material are those of the author(s) and should not be construed as an official Government position, policy, or decision, unless designated by other documentation. NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.. Please see Copyright notice for non-us Government use and distribution. This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other use. Requests for permission should be directed to the Software Engineering Institute at permission@sei.cmu.edu. DM

3 XKCD 1831 Here To Help Copyright XKCD, Licensed CC BY-NC 2.5 This experience resonates with malware analysts! Don t try to solve their problems for them, help them solve their problems! 3

4 Vision for the Pharos Infrastructure Pharos is a static binary analysis framework that: Extends the LLNL ROSE compiler infrastructure DOE sensitive to DoD needs Targets malware specific challenges Pushes the boundaries of automated static analysis Exception handlers, obfuscated code, inter-procedural analysis Addresses binary software assurance problems Facilitates the development of tools for specific challenges Analyzing malware design Advanced static emulation Recovering data types Control flow analyses Defeating obfuscations ApiAnalyzer CallAnalyzer ObjDigger Pharos ROSE 4

5 Pharos Automated Static Analysis Components Components needed for binary analysis framework File format parsing Disassembler Function partitioner Instruction semantics Emulation framework Use-def chains SMT solver integration Type analysis We chose to build on the ROSE compiler platform Provides binary analysis capabilities Close partnership to grow binary features Developed by LLNL BSD Licensed Implemented as C++ Library Highly extensible 5

6 Object-Oriented Class Recovery with OOAnalyzer The goal is to recover high-level object oriented data structures from binary code: MyObject* obj = new MyObject(); Constructor Object size push 1730h call??2@yapaxi@z add esp, 4 mov [esp+8], eax test eax, eax mov [esp+4], 0 jz failed mov ecx, eax call ctor Thiscall New() method class Object2: Object1 { int32 var04; int8[32] var08; Object3 var0c; int16 var18; virtual void method1(); int32 method2(int16, int8); int8* method3(int32); } 6

7 OOAnalyzer Now Uses XSB Prolog for Reasoning Prolog Evaluated multiple Prolog implementations Selected XSB Prolog for tabling features Lots of bugs and crashes before success Rules Represents human knowledge clearly Arbitrary ordering (Thanks Prolog!) Guessing Too few facts for forward reasoning alone Guess facts using weaker rules as needed Backtrack using custom constraint system Constructor(Method) :- VFTableWrite(Method, _VFT, _), NOTDestructor(Method). DerivedClass(Ctor1, Ctor2, Offset) :- Constructor(Ctor1), Constructor(Ctor2), Calls(Ctor1, Ctor2), VFTableWrite(Ctor1, VFT1, Offset), VFTableWrite(Ctor2, VFT2, Offset), Ctor1 \= Ctor1, VFT1 \= VFT2. Giving better results than the old approach! 7

8 Recent OOAnalyzer Advancements & Challenges Support for Visual Studio decorated names of imported functions (aka demangling ) Required because real software links external classes into inheritance hierarchy Support for RTTI data structures (Useful, but not as magical as expected) Includes validation logic to detect malicious alteration of RTTI data Inheritance support much more robust, including multiple and virtual inheritance Generally supporting fairly complex inheritance relationships (e.g., STL) Virtual function table overwrite optimizations handled more correctly now Inlined constructors & destructors overwrite tables in unexpected places Compiler link time optimizations can result in multiple methods at the same address Difficult to handle in rules because violates fundamental assumptions about methods Beginning to utilize new type analysis techniques to generate more complete facts Key to supporting whole program optimization 8

9 OOAnalyzer IDA Plugin User Interface for Malware Analysts We ve also built a IDA Pro Plugin in IDA Python that displays the classes, updates the disassembly, and more. Not the most important part of our research, but an important part of our transition efforts. Sadly, the latest Prolog code is not correctly integrated, so do as I say, not as I do! 9

10 Call Analyzer: A Tool for Binary Analysis of Function Calls Can filter selected functions Each call site is analyzed Symbolic values Call: CreateMutexW (0x004117A4) Param: lpmutexattributes Value: {(LPSECURITY_ATTRIBUTES) (add esp_0-56) -> {(SECURITY_ATTRIBUTES){ nlength: {(DWORD)12}, lpsecuritydescriptor: {(LPVOID) (RC_of_0x411775)}, binherithandle: {(BOOL)0}}}} Constant values Param: binitialowner Value: {(BOOL)1} Param: lpname Value: {(LPCTSTR) URPWNED"} Follows pointers Inspects memory inside structures Symbolic values can connect data flow to other parts of program Name of parameter provides context Parameter type identified for analyst The name of the mutex is often indicative of a specific malware family 10

11 How Pharos Recover Types Using Constraints Types in source code are fairly clear: int x = 0; int y = *p; char *z = func(x, y) Types are less clear in assembly: mov eax, [ebx] shl eax, 2 push eax mov [ebp-c], 0 push [ebp-c] call func EBX is a pointer EAX is not a pointer Zero could be a bool, an integer or a null pointer An API database can assign types through data flow Express as constraints and solve for solution Is a pointer * Top represents a lack of information Bottom represents conflicting types Not a pointer 11

12 Constraints from Known Parameter Types IDA knows the type of eax (hmodule) and acorexitprocess (LPCSTR) from the import: Requires a database of imports, their parameters and return values. Constraints (including actual type names) are combined with the instruction constraints. Features of our implementation include: Solving for both instruction and parameter constraints simultaneously. Propagation of type names and lattice properties through data flow paths. Typing of return values and globals in addition to parameters Propagation of implied types (*char becomes char when read from memory) Inter procedural propagation of types 12

13 Stack Frame Analysis (Stack Local Variable Detection) IDA knows which offsets are local variables (and their types): Algorithm Overview: Find all reads and writes to negative stack offsets (relative to initial value of ESP) Eliminate saved registers, call parameters, and a few other unusual cases Use previously described type analysis to recover types Because the type system uses lattices we can detect contradictory types Working on validation of no overlapping reads and writes, etc. We re not yet identifying register local variables. 13

14 API Analyzer Statically searches for API sequences Name and description makes signature accessible to analyst List of API calls defines what the sequence is that we re looking for Sig : { Name : WriteProgramResourceToFile, Description : Load a program resource and write it to disk, Category : MALWARE, Pattern : [ { API : Kernel32.dll!FindResourceA, Retn : { Name : HRSRC } }, { API : Kernel32.dll!LoadResource, Args : [{ Name : HRSRC, Index : 1, Type : IN }], Retn : {"Name": HANDLE } }, { API : Kernel32.dll!LockResource, Args : [{ Name : HANDLE, Index : 0, Type : IN }], Retn : { Name : RES } }, { API : Kernel32.dll!WriteFile, Args : [{ Name : RES, Index : 1, Type : IN }] } ]} Reused variable names describe how calls are connected via data flow API parameters are now stored in an SQLite database, but the APIAnalyzer is not using it yet 14

15 FN2Yara Automated Signature Generation Analyst uses the function address on each rule to understand what s being matched. Each non-contiguous chunk has a separate match string. YARA can match a percentage of the function chunks. rule Function_1004C610 { strings: // File 0x1004C610 ( ) $Match_1004c610 = { 55 8b ec 83 ec d fc 8b 7d 08 8b 4d 0c c1 e f ef c0 eb????????} $Match_1004c730 = { 66 0f 7f f 7f f 7f ???????? 66 0f 7f f 7f f 7f f 7f d bf???????? d0 8b 7d fc 8b e5 5d c3 } } condition: all of them Bytes of function chunks have relocatable addresses wild carded. Matching the bytes doesn t require disassembly at matching time, but the signatures have semantic meaning if the analyst knows the significance of the function. 15

16 FN2Hash: A Tool to Generate Function Facts (Without IDA) FN2Hash generates CSV-format structural data for each function, including: The MD5 hash of the executable file and the address of the function The number of basic blocks (in and not in the control flow) The number of bytes and instructions in the function A hash of all the bytes in the function (with and without zeroing relocatable addresses) A composite hash which is less sensitive to the relocation of code chunks Counts of the instruction mnemonics and categories of mnemonics Hashes based on the mnemonics, mnemonic categories, and the counts of each Goals: Permit automated disassembly & structural analysis without licensing problems Empower other analyses (e.g., malfaces or machine learning) 16

17 Future Research: Automated Executable Program Transformation Path Finder 1 Starting Vertex Rewriter 1 Original Executable Selected path Informs Target Vertex Rewritten Executable Analyst 17

18 Additional Future Research Improved object detection using type analysis to identify object pointers Limited source code generation based on type analysis Function prototypes, class declarations and local variable declarations Malware Design Matcher application to high-profile malware family Source code for most of Pharos is available at: Now compiles against recent versions of ROSE, much more robust! Pharos may be able to help with your static analysis problems. 18

19 Cory Cohen U.S. Mail Software Engineering Institute 4500 Fifth Avenue Pittsburgh, PA USA Website 19 [DISTRIBUTION material has been STATEMENT approved for A] public This material has been approved release and for public unlimited release distribution and unlimited distribution