Pharos Static Analysis Framework
|
|
- Rudolph Stevens
- 5 years ago
- Views:
Transcription
1 Pharos Static Analysis Framework Cory F. Cohen Senior Malware Analysis Researcher [DISTRIBUTION 2017 Carnegie Mellon STATEMENT University A] This 1 [DISTRIBUTION release and unlimited STATEMENT distribution A] This material has been approved for public
2 Copyright 2017 Carnegie Mellon University. All Rights Reserved. This material is based upon work funded and supported by the Department of Defense under Contract No. FA D-0002 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. The view, opinions, and/or findings contained in this material are those of the author(s) and should not be construed as an official Government position, policy, or decision, unless designated by other documentation. NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.. Please see Copyright notice for non-us Government use and distribution. This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other use. Requests for permission should be directed to the Software Engineering Institute at permission@sei.cmu.edu. DM
3 XKCD 1831 Here To Help Copyright XKCD, Licensed CC BY-NC 2.5 This experience resonates with malware analysts! Don t try to solve their problems for them, help them solve their problems! 3
4 Vision for the Pharos Infrastructure Pharos is a static binary analysis framework that: Extends the LLNL ROSE compiler infrastructure DOE sensitive to DoD needs Targets malware specific challenges Pushes the boundaries of automated static analysis Exception handlers, obfuscated code, inter-procedural analysis Addresses binary software assurance problems Facilitates the development of tools for specific challenges Analyzing malware design Advanced static emulation Recovering data types Control flow analyses Defeating obfuscations ApiAnalyzer CallAnalyzer ObjDigger Pharos ROSE 4
5 Pharos Automated Static Analysis Components Components needed for binary analysis framework File format parsing Disassembler Function partitioner Instruction semantics Emulation framework Use-def chains SMT solver integration Type analysis We chose to build on the ROSE compiler platform Provides binary analysis capabilities Close partnership to grow binary features Developed by LLNL BSD Licensed Implemented as C++ Library Highly extensible 5
6 Object-Oriented Class Recovery with OOAnalyzer The goal is to recover high-level object oriented data structures from binary code: MyObject* obj = new MyObject(); Constructor Object size push 1730h call??2@yapaxi@z add esp, 4 mov [esp+8], eax test eax, eax mov [esp+4], 0 jz failed mov ecx, eax call ctor Thiscall New() method class Object2: Object1 { int32 var04; int8[32] var08; Object3 var0c; int16 var18; virtual void method1(); int32 method2(int16, int8); int8* method3(int32); } 6
7 OOAnalyzer Now Uses XSB Prolog for Reasoning Prolog Evaluated multiple Prolog implementations Selected XSB Prolog for tabling features Lots of bugs and crashes before success Rules Represents human knowledge clearly Arbitrary ordering (Thanks Prolog!) Guessing Too few facts for forward reasoning alone Guess facts using weaker rules as needed Backtrack using custom constraint system Constructor(Method) :- VFTableWrite(Method, _VFT, _), NOTDestructor(Method). DerivedClass(Ctor1, Ctor2, Offset) :- Constructor(Ctor1), Constructor(Ctor2), Calls(Ctor1, Ctor2), VFTableWrite(Ctor1, VFT1, Offset), VFTableWrite(Ctor2, VFT2, Offset), Ctor1 \= Ctor1, VFT1 \= VFT2. Giving better results than the old approach! 7
8 Recent OOAnalyzer Advancements & Challenges Support for Visual Studio decorated names of imported functions (aka demangling ) Required because real software links external classes into inheritance hierarchy Support for RTTI data structures (Useful, but not as magical as expected) Includes validation logic to detect malicious alteration of RTTI data Inheritance support much more robust, including multiple and virtual inheritance Generally supporting fairly complex inheritance relationships (e.g., STL) Virtual function table overwrite optimizations handled more correctly now Inlined constructors & destructors overwrite tables in unexpected places Compiler link time optimizations can result in multiple methods at the same address Difficult to handle in rules because violates fundamental assumptions about methods Beginning to utilize new type analysis techniques to generate more complete facts Key to supporting whole program optimization 8
9 OOAnalyzer IDA Plugin User Interface for Malware Analysts We ve also built a IDA Pro Plugin in IDA Python that displays the classes, updates the disassembly, and more. Not the most important part of our research, but an important part of our transition efforts. Sadly, the latest Prolog code is not correctly integrated, so do as I say, not as I do! 9
10 Call Analyzer: A Tool for Binary Analysis of Function Calls Can filter selected functions Each call site is analyzed Symbolic values Call: CreateMutexW (0x004117A4) Param: lpmutexattributes Value: {(LPSECURITY_ATTRIBUTES) (add esp_0-56) -> {(SECURITY_ATTRIBUTES){ nlength: {(DWORD)12}, lpsecuritydescriptor: {(LPVOID) (RC_of_0x411775)}, binherithandle: {(BOOL)0}}}} Constant values Param: binitialowner Value: {(BOOL)1} Param: lpname Value: {(LPCTSTR) URPWNED"} Follows pointers Inspects memory inside structures Symbolic values can connect data flow to other parts of program Name of parameter provides context Parameter type identified for analyst The name of the mutex is often indicative of a specific malware family 10
11 How Pharos Recover Types Using Constraints Types in source code are fairly clear: int x = 0; int y = *p; char *z = func(x, y) Types are less clear in assembly: mov eax, [ebx] shl eax, 2 push eax mov [ebp-c], 0 push [ebp-c] call func EBX is a pointer EAX is not a pointer Zero could be a bool, an integer or a null pointer An API database can assign types through data flow Express as constraints and solve for solution Is a pointer * Top represents a lack of information Bottom represents conflicting types Not a pointer 11
12 Constraints from Known Parameter Types IDA knows the type of eax (hmodule) and acorexitprocess (LPCSTR) from the import: Requires a database of imports, their parameters and return values. Constraints (including actual type names) are combined with the instruction constraints. Features of our implementation include: Solving for both instruction and parameter constraints simultaneously. Propagation of type names and lattice properties through data flow paths. Typing of return values and globals in addition to parameters Propagation of implied types (*char becomes char when read from memory) Inter procedural propagation of types 12
13 Stack Frame Analysis (Stack Local Variable Detection) IDA knows which offsets are local variables (and their types): Algorithm Overview: Find all reads and writes to negative stack offsets (relative to initial value of ESP) Eliminate saved registers, call parameters, and a few other unusual cases Use previously described type analysis to recover types Because the type system uses lattices we can detect contradictory types Working on validation of no overlapping reads and writes, etc. We re not yet identifying register local variables. 13
14 API Analyzer Statically searches for API sequences Name and description makes signature accessible to analyst List of API calls defines what the sequence is that we re looking for Sig : { Name : WriteProgramResourceToFile, Description : Load a program resource and write it to disk, Category : MALWARE, Pattern : [ { API : Kernel32.dll!FindResourceA, Retn : { Name : HRSRC } }, { API : Kernel32.dll!LoadResource, Args : [{ Name : HRSRC, Index : 1, Type : IN }], Retn : {"Name": HANDLE } }, { API : Kernel32.dll!LockResource, Args : [{ Name : HANDLE, Index : 0, Type : IN }], Retn : { Name : RES } }, { API : Kernel32.dll!WriteFile, Args : [{ Name : RES, Index : 1, Type : IN }] } ]} Reused variable names describe how calls are connected via data flow API parameters are now stored in an SQLite database, but the APIAnalyzer is not using it yet 14
15 FN2Yara Automated Signature Generation Analyst uses the function address on each rule to understand what s being matched. Each non-contiguous chunk has a separate match string. YARA can match a percentage of the function chunks. rule Function_1004C610 { strings: // File 0x1004C610 ( ) $Match_1004c610 = { 55 8b ec 83 ec d fc 8b 7d 08 8b 4d 0c c1 e f ef c0 eb????????} $Match_1004c730 = { 66 0f 7f f 7f f 7f ???????? 66 0f 7f f 7f f 7f f 7f d bf???????? d0 8b 7d fc 8b e5 5d c3 } } condition: all of them Bytes of function chunks have relocatable addresses wild carded. Matching the bytes doesn t require disassembly at matching time, but the signatures have semantic meaning if the analyst knows the significance of the function. 15
16 FN2Hash: A Tool to Generate Function Facts (Without IDA) FN2Hash generates CSV-format structural data for each function, including: The MD5 hash of the executable file and the address of the function The number of basic blocks (in and not in the control flow) The number of bytes and instructions in the function A hash of all the bytes in the function (with and without zeroing relocatable addresses) A composite hash which is less sensitive to the relocation of code chunks Counts of the instruction mnemonics and categories of mnemonics Hashes based on the mnemonics, mnemonic categories, and the counts of each Goals: Permit automated disassembly & structural analysis without licensing problems Empower other analyses (e.g., malfaces or machine learning) 16
17 Future Research: Automated Executable Program Transformation Path Finder 1 Starting Vertex Rewriter 1 Original Executable Selected path Informs Target Vertex Rewritten Executable Analyst 17
18 Additional Future Research Improved object detection using type analysis to identify object pointers Limited source code generation based on type analysis Function prototypes, class declarations and local variable declarations Malware Design Matcher application to high-profile malware family Source code for most of Pharos is available at: Now compiles against recent versions of ROSE, much more robust! Pharos may be able to help with your static analysis problems. 18
19 Cory Cohen U.S. Mail Software Engineering Institute 4500 Fifth Avenue Pittsburgh, PA USA Website 19 [DISTRIBUTION material has been STATEMENT approved for A] public This material has been approved release and for public unlimited release distribution and unlimited distribution
Design Pattern Recovery from Malware Binaries
Design Pattern Recovery from Malware Binaries Cory F. Cohen Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213 Copyright 2015 Carnegie Mellon University This material is based
More informationInference of Memory Bounds
Research Review 2017 Will Klieber, software security researcher Joint work with Will Snavely public release and unlimited distribution. 1 Copyright 2017 Carnegie Mellon University. All Rights Reserved.
More informationARINC653 AADL Annex Update
ARINC653 AADL Annex Update Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213 Julien Delange AADL Meeting February 15 Report Documentation Page Form Approved OMB No. 0704-0188
More informationSEI/CMU Efforts on Assured Systems
Unclassified//For Official Use Only SEI/CMU Efforts on Assured Systems 15 November 2018 *** Greg Shannon CERT Division Chief Scientist Software Engineering Institute Carnegie Mellon University Pittsburgh,
More informationPRESENTED BY: SANTOSH SANGUMANI & SHARAN NARANG
PRESENTED BY: SANTOSH SANGUMANI & SHARAN NARANG Table of contents Introduction Binary Disassembly Return Address Defense Prototype Implementation Experimental Results Conclusion Buffer Over2low Attacks
More informationStatic Analysis Alert Audits Lexicon And Rules David Svoboda, CERT Lori Flynn, CERT Presenter: Will Snavely, CERT
Static Analysis Alert Audits Lexicon And Rules David Svoboda, CERT Lori Flynn, CERT Presenter: Will Snavely, CERT Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213 2016 Carnegie
More informationARINC653 AADL Annex. Software Engineering Institute Carnegie Mellon University Pittsburgh, PA Julien Delange 07/08/2013
ARINC653 AADL Annex Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213 Julien Delange 07/08/2013 Context, Rationale ARINC653 Avionics standard Standardized API (called APEX
More informationPanel: Future of Cloud Computing
Panel: Future of Cloud Computing Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213 Grace Lewis Advanced Mobile Systems (AMS) Initiative July 9, 2014 Mobile Device Trends Smartphones
More informationSoftware, Security, and Resiliency. Paul Nielsen SEI Director and CEO
Software, Security, and Resiliency Paul Nielsen SEI Director and CEO Dr. Paul D. Nielsen is the Director and CEO of Carnegie Mellon University's Software Engineering Institute. Under Dr. Nielsen s leadership,
More informationEncounter Complexes For Clustering Network Flow
Encounter Complexes For Clustering Network Flow. Leigh Metcalf, lbmetcalf@cert.org Flocon 2015 Date 2015 Carnegie Mellon University Copyright 2014 Carnegie Mellon University This material is based upon
More informationModeling the Implementation of Stated-Based System Architectures
Modeling the Implementation of Stated-Based System Architectures Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213 Peter H Feiler June 2009 Are Everywhere What is a state-based
More informationAnalyzing 24 Years of CVD
public release and unlimited distribution. Allen Householder adh@cert.org Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213 Copyright. All Rights Reserved. This material is
More informationCyber Hygiene: A Baseline Set of Practices
[DISTRIBUTION STATEMENT A] Approved for public Cyber Hygiene: A Baseline Set of Practices Matt Trevors Charles M. Wallen Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213 Copyright
More informationModel-Driven Verifying Compilation of Synchronous Distributed Applications
Model-Driven Verifying Compilation of Synchronous Distributed Applications Sagar Chaki, James Edmondson October 1, 2014 MODELS 14, Valencia, Spain Copyright 2014 Carnegie Mellon University This material
More informationDefining Computer Security Incident Response Teams
Defining Computer Security Incident Response Teams Robin Ruefle January 2007 ABSTRACT: A computer security incident response team (CSIRT) is a concrete organizational entity (i.e., one or more staff) that
More informationThe CERT Top 10 List for Winning the Battle Against Insider Threats
The CERT Top 10 List for Winning the Battle Against Insider Threats Dawn Cappelli CERT Insider Threat Center Software Engineering Institute Carnegie Mellon University Session ID: STAR-203 Session Classification:
More informationBe Like Water: Applying Analytical Adaptability to Cyber Intelligence
SESSION ID: HUM-W01 Be Like Water: Applying Analytical Adaptability to Cyber Intelligence Jay McAllister Senior Analyst Software Engineering Institute Carnegie Mellon University @sei_etc Scuttlebutt Communications
More informationThe IA-32 Stack and Function Calls. CS4379/5375 Software Reverse Engineering Dr. Jaime C. Acosta
1 The IA-32 Stack and Function Calls CS4379/5375 Software Reverse Engineering Dr. Jaime C. Acosta 2 Important Registers used with the Stack EIP: ESP: EBP: 3 Important Registers used with the Stack EIP:
More informationOSATE Analysis Support
OSATE Analysis Support Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213 Julien Delange/Peter Feiler 07/08/2013 Overview of OSATE2 Eclipse-based AADL editor Support for AADLv2.1,
More informationRoles and Responsibilities on DevOps Adoption
Roles and Responsibilities on DevOps Adoption Hasan Yasar Technical Manager, Adjunct Faculty Member Secure Lifecycle Solutions CERT SEI CMU Software Engineering Institute Carnegie Mellon University Pittsburgh,
More informationAutomated Provisioning of Cloud and Cloudlet Applications
Automated Provisioning of Cloud and Cloudlet Applications Secure and Assured Mobile Computing Components Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213 Jeff Boleng, PhD
More informationCausal Modeling of Observational Cost Data: A Ground-Breaking use of Directed Acyclic Graphs
use Causal Modeling of Observational Cost Data: A Ground-Breaking use of Directed Acyclic Graphs Bob Stoddard Mike Konrad SEMA SEMA November 17, 2015 Public Release; Distribution is Copyright 2015 Carnegie
More informationFlow Analysis for Network Situational Awareness. Tim Shimeall January Carnegie Mellon University
Flow Analysis for Network Situational Awareness Tim Shimeall January 2010 NO WARRANTY THIS MATERIAL OF CARNEGIE MELLON UNIVERSITY AND ITS SOFTWARE ENGINEERING INSTITUTE IS FURNISHED ON AN AS-IS" BASIS.
More informationFall 2014 SEI Research Review Verifying Evolving Software
Fall 2014 SEI Research Review Verifying Evolving Software Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213 Arie Gurfinkel October 28, 2014 Report Documentation Page Form Approved
More informationAdvancing Cyber Intelligence Practices Through the SEI s Consortium
Advancing Cyber Intelligence Practices Through the SEI s Consortium SEI Emerging Technology Center Jay McAllister Melissa Kasan Ludwick Copyright 2015 Carnegie Mellon University This material is based
More informationJulia Allen Principal Researcher, CERT Division
Improving the Security and Resilience of U.S. Postal Service Mail Products and Services Using CERT -RMM (Case Study) Julia Allen Principal Researcher, CERT Division Julia Allen is a principal researcher
More informationMemory corruption vulnerability exposure can be mitigated through memory hardening practices
Memory corruption vulnerability exposure can be mitigated through memory hardening practices OS vendors have a unique opportunity to fight memory corruption vulnerabilities through hardening the memory
More informationPrioritizing Alerts from Static Analysis with Classification Models
Prioritizing Alerts from Static Analysis with Classification Models PI: Lori Flynn, PhD Team: Will Snavely, David Svoboda, Dr. David Zubrow, Bob Stoddard, Dr. Nathan VanHoudnos, Dr. Elli Kanal, Richard
More informationOverview. Constructors and destructors Virtual functions Single inheritance Multiple inheritance RTTI Templates Exceptions Operator Overloading
How C++ Works 1 Overview Constructors and destructors Virtual functions Single inheritance Multiple inheritance RTTI Templates Exceptions Operator Overloading Motivation There are lot of myths about C++
More informationEvaluating and Improving Cybersecurity Capabilities of the Electricity Critical Infrastructure
Evaluating and Improving Cybersecurity Capabilities of the Electricity Critical Infrastructure March 2015 Pamela Curtis Dr. Nader Mehravari Katie Stewart Cyber Risk and Resilience Management Team CERT
More informationPractical Malware Analysis
Practical Malware Analysis Ch 4: A Crash Course in x86 Disassembly Revised 1-16-7 Basic Techniques Basic static analysis Looks at malware from the outside Basic dynamic analysis Only shows you how the
More informationInformation Security Is a Business
Information Security Is a Business Continuity Issue: Are You Ready? Dr. Nader Mehravari Cyber Risk and Resilience Management Team CERT Division Software Engineering Institute Carnegie Mellon University
More informationSemantic Importance Sampling for Statistical Model Checking
Semantic Importance Sampling for Statistical Model Checking Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213 Jeffery Hansen, Lutz Wrage, Sagar Chaki, Dionisio de Niz, Mark
More informationReverse Engineering II: The Basics
Reverse Engineering II: The Basics Gergely Erdélyi Senior Manager, Anti-malware Research Protecting the irreplaceable f-secure.com Binary Numbers 1 0 1 1 - Nibble B 1 0 1 1 1 1 0 1 - Byte B D 1 0 1 1 1
More informationAssembly Language: Function Calls" Goals of this Lecture"
Assembly Language: Function Calls" 1 Goals of this Lecture" Help you learn:" Function call problems:" Calling and returning" Passing parameters" Storing local variables" Handling registers without interference"
More informationFoundations for Summarizing and Learning Latent Structure in Video
Foundations for Summarizing and Learning Latent Structure in Video Presenter: Kevin Pitstick, MTS Engineer PI: Ed Morris, MTS Senior Engineer Copyright 2017 Carnegie Mellon University. All Rights Reserved.
More informationRamblr. Making Reassembly Great Again
Ramblr Making Reassembly Great Again Ruoyu Fish Wang, Yan Shoshitaishvili, Antonio Bianchi, Aravind Machiry, John Grosen, Paul Grosen, Christopher Kruegel, Giovanni Vigna Motivation Available Solutions
More informationAssembly Language: Function Calls" Goals of this Lecture"
Assembly Language: Function Calls" 1 Goals of this Lecture" Help you learn:" Function call problems:" Calling and urning" Passing parameters" Storing local variables" Handling registers without interference"
More informationReverse Engineering II: Basics. Gergely Erdélyi Senior Antivirus Researcher
Reverse Engineering II: Basics Gergely Erdélyi Senior Antivirus Researcher Agenda Very basics Intel x86 crash course Basics of C Binary Numbers Binary Numbers 1 Binary Numbers 1 0 1 1 Binary Numbers 1
More informationEngineering Improvement in Software Assurance: A Landscape Framework
Engineering Improvement in Software Assurance: A Landscape Framework Lisa Brownsword (presenter) Carol C. Woody, PhD Christopher J. Alberts Andrew P. Moore Agenda Terminology and Problem Scope Modeling
More information2013 US State of Cybercrime Survey
2013 US State of Cybercrime Survey Unknown How 24 % Bad is the Insider Threat? Insiders 51% 2007-2013 Carnegie Mellon University Report Documentation Page Form Approved OMB No. 0704-0188 Public reporting
More information10 Years of FloCon. Prepared for FloCon George Warnagiris - CERT/CC #GeoWarnagiris Carnegie Mellon University
10 Years of FloCon Prepared for FloCon 2014 George Warnagiris - CERT/CC gwarnagi@cert.org #GeoWarnagiris 2014 Carnegie Mellon University Disclaimer NO WARRANTY THIS MATERIAL OF CARNEGIE MELLON UNIVERSITY
More informationInvestigating APT1. Software Engineering Institute Carnegie Mellon University Pittsburgh, PA Deana Shick and Angela Horneman
Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213 Deana Shick and Angela Horneman Copyright 2013 Carnegie Mellon University This material is based upon work funded and supported
More informationT Jarkko Turkulainen, F-Secure Corporation
T-110.6220 2010 Emulators and disassemblers Jarkko Turkulainen, F-Secure Corporation Agenda Disassemblers What is disassembly? What makes up an instruction? How disassemblers work Use of disassembly In
More informationCyber Threat Prioritization
Cyber Threat Prioritization FSSCC Threat and Vulnerability Assessment Committee Jay McAllister Report Documentation Page Form Approved OMB No. 0704-0188 Public reporting burden for the collection of information
More informationAutodesk AutoCAD DWG-AC1021 Heap Corruption
security research Autodesk AutoCAD DWG-AC1021 Heap Corruption Mar 2013 AutoCAD is a software for computer-aided design (CAD) and technical drawing in 2D/3D, being one of the worlds leading CAD design tools.
More informationAssembly Language: Function Calls
Assembly Language: Function Calls 1 Goals of this Lecture Help you learn: Function call problems: Calling and returning Passing parameters Storing local variables Handling registers without interference
More informationSecure Coding Initiative
Secure Coding Initiative Robert C. Seacord 2010 Carnegie Mellon University NO WARRANTY THIS MATERIAL OF CARNEGIE MELLON UNIVERSITY AND ITS SOFTWARE ENGINEERING INSTITUTE IS FURNISHED ON AN AS-IS" BASIS.
More informationSituational Awareness Metrics from Flow and Other Data Sources
Situational Awareness Metrics from Flow and Other Data Sources SEI CERT NetSA 2011 Carnegie Mellon University NO WARRANTY THIS MATERIAL OF CARNEGIE MELLON UNIVERSITY AND ITS SOFTWARE ENGINEERING INSTITUTE
More informationProgram Exploitation Intro
Program Exploitation Intro x86 Assembly 04//2018 Security 1 Univeristà Ca Foscari, Venezia What is Program Exploitation "Making a program do something unexpected and not planned" The right bugs can be
More informationDenial of Service Attacks
Denial of Service Attacks CERT Division http://www.sei.cmu.edu REV-03.18.2016.0 Copyright 2017 Carnegie Mellon University. All Rights Reserved. This material is based upon work funded and supported by
More informationSA31675 / CVE
Generated by Secunia 10 September, 2008 5 pages Table of Contents Introduction 2 Technical Details 2 Exploitation 4 Characteristics 4 Tested Versions 4 Fixed Versions 5 References 5 Generated by Secunia
More informationSmart Grid Maturity Model
Smart Grid Maturity Model Austin Montgomery Software Engineering Institute Carnegie Mellon University Software Engineering Institute Carnegie Mellon University 2 SEI is a federally-funded research and
More informationUsing Logic Programming to Recover C++ Classes and Methods from Compiled Executables
Using Logic Programming to Recover C++ Classes and Methods from Compiled Executables Edward J. Schwartz Carnegie Mellon University Software Engineering Institute eschwartz@cert.org Jeffrey Gennari Carnegie
More informationReverse Engineering II: The Basics
Reverse Engineering II: The Basics This document is only to be distributed to teachers and students of the Malware Analysis and Antivirus Technologies course and should only be used in accordance with
More informationPassive Detection of Misbehaving Name Servers
Passive Detection of Misbehaving Name Servers Based on CMU/SEI-2013-TR-010 Jonathan Spring, Leigh Metcalf netsa-contact (AT) cert.org Flocon 2014, Charleston SC 2014 Carnegie Mellon University Copyright
More informationOverview. Constructors and destructors Virtual functions Single inheritance Multiple inheritance RTTI Templates Exceptions Operator Overloading
HOW C++ WORKS Overview Constructors and destructors Virtual functions Single inheritance Multiple inheritance RTTI Templates Exceptions Operator Overloading Motivation There are lot of myths about C++
More informationComputer Systems Organization V Fall 2009
Computer Systems Organization V22.0201 Fall 2009 Sample Midterm Exam ANSWERS 1. True/False. Circle the appropriate choice. (a) T (b) F At most one operand of an x86 assembly instruction can be an memory
More informationModeling, Verifying, and Generating Software for Distributed Cyber- Physical Systems using DMPL and AADL
Modeling, Verifying, and Generating Software for Distributed Cyber- Physical Systems using DMPL and AADL Sagar Chaki, Dionisio de Niz, Joseph Seibel Software Engineering Institute Carnegie Mellon University
More informationReverse Engineering Microsoft Binaries
Reverse Engineering Microsoft Binaries Alexander Sotirov asotirov@determina.com Recon 2006 Overview In the next one hour, we will cover: Setting up a scalable reverse engineering environment getting binaries
More informationOverview REWARDS TIE HOWARD Summary CS 6V Data Structure Reverse Engineering. Zhiqiang Lin
CS 6V81-05 Data Structure Reverse Engineering Zhiqiang Lin Department of Computer Science The University of Texas at Dallas September 2 nd, 2011 Outline 1 Overview 2 REWARDS 3 TIE 4 HOWARD 5 Summary Outline
More informationSoftware Assurance Education Overview
Software Assurance Education Overview Nancy Mead June 2011 ABSTRACT: Complex software systems affect nearly every aspect of our lives, in areas such as defense, government, energy, communication, transportation,
More informationCNIT 127: Exploit Development. Ch 1: Before you begin. Updated
CNIT 127: Exploit Development Ch 1: Before you begin Updated 1-14-16 Basic Concepts Vulnerability A flaw in a system that allows an attacker to do something the designer did not intend, such as Denial
More informationStack -- Memory which holds register contents. Will keep the EIP of the next address after the call
Call without Parameter Value Transfer What are involved? ESP Stack Pointer Register Grows by 4 for EIP (return address) storage Stack -- Memory which holds register contents Will keep the EIP of the next
More informationVerifying Periodic Programs with Priority Inheritance Locks
Verifying Periodic Programs with Priority Inheritance Locks Sagar Chaki, Arie Gurfinkel, Ofer Strichman FMCAD, October, 03 Software Engineering Institute, CMU Technion, Israel Institute of Technology Copyright
More informationCS 499 Lab 3: Disassembly of slammer.bin I. PURPOSE
CS 499 Lab 3: Disassembly of slammer.bin I. PURPOSE The purpose of this exercise is to learn Intel assembly language by disassembling a small piece of code and extensively commenting the resulting instructions.
More informationCollaborative Autonomy with Group Autonomy for Mobile Systems (GAMS)
Collaborative Autonomy with Group Autonomy for Mobile Systems (GAMS) Presenter: (jredmondson@sei.cmu.edu) Date: August 19, 2014 Copyright 2014 Carnegie Mellon University This material is based upon work
More informationUsing DidFail to Analyze Flow of Sensitive Information in Sets of Android Apps
Using DidFail to Analyze Flow of Sensitive Information in Sets of Android Apps Will Klieber*, Lori Flynn*, Amar Bhosale, Limin Jia, and Lujo Bauer *presenting June 2015 Copyright 2015 Carnegie Mellon University
More informationAssembly Language: Function Calls. Goals of this Lecture. Function Call Problems
Assembly Language: Function Calls 1 Goals of this Lecture Help you learn: Function call problems: Calling and urning Passing parameters Storing local variables Handling registers without interference Returning
More informationFLARE-On 4: Challenge 3 Solution greek_to_me.exe
FLARE-On 4: Challenge 3 Solution greek_to_me.exe Challenge Author: Matt Williams (@0xmwilliams) greek_to_me.exe is a Windows x86 executable whose strings reveal what is likely the desired state of the
More informationModel-Driven Verifying Compilation of Synchronous Distributed Applications
Model-Driven Verifying Compilation of Synchronous Distributed Applications Sagar Chaki, James Edmondson October 1, 2014 MODELS 14, Valencia, Spain Report Documentation Page Form Approved OMB No. 0704-0188
More informationComputer Systems Lecture 9
Computer Systems Lecture 9 CPU Registers in x86 CPU status flags EFLAG: The Flag register holds the CPU status flags The status flags are separate bits in EFLAG where information on important conditions
More informationCNIT 127: Exploit Development. Ch 2: Stack Overflows in Linux
CNIT 127: Exploit Development Ch 2: Stack Overflows in Linux Stack-based Buffer Overflows Most popular and best understood exploitation method Aleph One's "Smashing the Stack for Fun and Profit" (1996)
More informationAS08-C++ and Assembly Calling and Returning. CS220 Logic Design AS08-C++ and Assembly. AS08-C++ and Assembly Calling Conventions
CS220 Logic Design Outline Calling Conventions Multi-module Programs 1 Calling and Returning We have already seen how the call instruction is used to execute a subprogram. call pushes the address of the
More informationW4118: PC Hardware and x86. Junfeng Yang
W4118: PC Hardware and x86 Junfeng Yang A PC How to make it do something useful? 2 Outline PC organization x86 instruction set gcc calling conventions PC emulation 3 PC board 4 PC organization One or more
More informationCSC 2400: Computer Systems. Using the Stack for Function Calls
CSC 24: Computer Systems Using the Stack for Function Calls Lecture Goals Challenges of supporting functions! Providing information for the called function Function arguments and local variables! Allowing
More informationCloud Computing. Grace A. Lewis Research, Technology and Systems Solutions (RTSS) Program System of Systems Practice (SoSP) Initiative
Grace A. Lewis Research, Technology and Systems Solutions (RTSS) Program System of Systems Practice (SoSP) Initiative SEI Webinar November 12, 2009 Polling Question 1 How did you hear about this webinar?
More informationRev101. spritzers - CTF team. spritz.math.unipd.it/spritzers.html
Rev101 spritzers - CTF team spritz.math.unipd.it/spritzers.html Disclaimer All information presented here has the only purpose of teaching how reverse engineering works. Use your mad skillz only in CTFs
More informationInside VMProtect. Introduction. Internal. Analysis. VM Logic. Inside VMProtect. Conclusion. Samuel Chevet. 16 January 2015.
16 January 2015 Agenda Describe what VMProtect is Introduce code virtualization in software protection Methods for circumvention VM logic Warning Some assumptions are made in this presentation Only few
More informationIA-32 Architecture. CS 4440/7440 Malware Analysis and Defense
IA-32 Architecture CS 4440/7440 Malware Analysis and Defense Intel x86 Architecture } Security professionals constantly analyze assembly language code } Many exploits are written in assembly } Source code
More informationCSC 2400: Computer Systems. Using the Stack for Function Calls
CSC 24: Computer Systems Using the Stack for Function Calls Lecture Goals Challenges of supporting functions! Providing information for the called function Function arguments and local variables! Allowing
More informationMcSema: Static Translation of X86 Instructions to LLVM
McSema: Static Translation of X86 Instructions to LLVM ARTEM DINABURG, ARTEM@TRAILOFBITS.COM ANDREW RUEF, ANDREW@TRAILOFBITS.COM About Us Artem Security Researcher blog.dinaburg.org Andrew PhD Student,
More informationProviding Information Superiority to Small Tactical Units
Providing Information Superiority to Small Tactical Units Jeff Boleng, PhD Principal Member of the Technical Staff Software Solutions Conference 2015 November 16 18, 2015 Copyright 2015 Carnegie Mellon
More informationU23 - Binary Exploitation
U23 - Binary Exploitation Stratum Auhuur robbje@aachen.ccc.de November 21, 2016 Context OS: Linux Context OS: Linux CPU: x86 (32 bit) Context OS: Linux CPU: x86 (32 bit) Address Space Layout Randomization:
More informationCSC 8400: Computer Systems. Using the Stack for Function Calls
CSC 84: Computer Systems Using the Stack for Function Calls Lecture Goals Challenges of supporting functions! Providing information for the called function Function arguments and local variables! Allowing
More informationRepresentation of Information
Representation of Information CS61, Lecture 2 Prof. Stephen Chong September 6, 2011 Announcements Assignment 1 released Posted on http://cs61.seas.harvard.edu/ Due one week from today, Tuesday 13 Sept
More informationIntroduction to Computer Systems , fall th Lecture, Sep. 28 th
Introduction to Computer Systems 15 213, fall 2009 9 th Lecture, Sep. 28 th Instructors: Majd Sakr and Khaled Harras Last Time: Structures struct rec { int i; int a[3]; int *p; }; Memory Layout i a p 0
More informationMachine Programming 3: Procedures
Machine Programming 3: Procedures CS61, Lecture 5 Prof. Stephen Chong September 15, 2011 Announcements Assignment 2 (Binary bomb) due next week If you haven t yet please create a VM to make sure the infrastructure
More informationSemantics of C++ Hauptseminar im Wintersemester 2009/10 Templates
Semantics of C++ Hauptseminar im Wintersemester 2009/10 Templates Sebastian Wild Technische Universität München 11.01.2010 Abstract In this work we will discuss about templates in C++, especially their
More informationNO WARRANTY. Use of any trademarks in this presentation is not intended in any way to infringe on the rights of the trademark holder.
NO WARRANTY THIS MATERIAL OF CARNEGIE MELLON UNIVERSITY AND ITS SOFTWARE ENGINEERING INSTITUTE IS FURNISHED ON AN AS-IS" BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED
More informationBinary Code Extraction and Interface Identification for Security Applications
Binary Code Extraction and Interface Identification for Security Applications Juan Caballero Noah M. Johnson Stephen McCamant Dawn Song Electrical Engineering and Computer Sciences University of California
More informationIdentifying and Analyzing Pointer Misuses for Sophisticated Memory-corruption Exploit Diagnosis
Identifying and Analyzing Pointer Misuses for Sophisticated Memory-corruption Exploit Diagnosis Mingwei Zhang ( ) Aravind Prakash ( ) Xiaolei Li ( ) Zhenkai Liang ( ) Heng Yin ( ) ( ) School of Computing,
More informationReport Writer and Security Requirements Finder: User and Admin Manuals
Report Writer and Security Requirements Finder: User and Admin Manuals Nancy R. Mead CMU MSE Studio Team Sankalp Anand Anurag Gupta Swati Priyam Yaobin Wen Walid El Baroni June 2016 SPECIAL REPORT CMU/SEI-2016-SR-002
More informationCS , Fall 2004 Exam 1
Andrew login ID: Full Name: CS 15-213, Fall 2004 Exam 1 Tuesday October 12, 2004 Instructions: Make sure that your exam is not missing any sheets, then write your full name and Andrew login ID on the front.
More informationIBM Global Services. Reversing C++ Paul Vincent Sabanal X-Force R&D Mark Vincent Yason X-Force R&D. IBM Internet Security Systems Ahead of the threat.
IBM Global Services Reversing C++ Paul Vincent Sabanal X-Force R&D Mark Vincent Yason X-Force R&D IBM Internet Security Systems Ahead of the threat. IBM Global Services Reversing C++ Part I. Introduction
More informationCS 161 Computer Security. Week of January 22, 2018: GDB and x86 assembly
Raluca Popa Spring 2018 CS 161 Computer Security Discussion 1 Week of January 22, 2018: GDB and x86 assembly Objective: Studying memory vulnerabilities requires being able to read assembly and step through
More informationCVE EXPLOIT USING 108 BYTES AND DOWNLOADING A FILE WITH YOUR UNLIMITED CODE BY VALTHEK
CVE-2017-11882 EXPLOIT USING 108 BYTES AND DOWNLOADING A FILE WITH YOUR UNLIMITED CODE BY VALTHEK First words of thank to Embedy Company to discover the initial exploit and POC of 44 bytes máximum, Ridter
More informationSubprograms: Arguments
Subprograms: Arguments ICS312 Machine-Level and Systems Programming Henri Casanova (henric@hawaii.edu) Activation Records The stack is useful to store and rieve urn addresses, transparently managed via
More informationPierre-Marc Bureau Joan Calvet - UNDERSTANDING SWIZZOR S OBFUSCATION
Pierre-Marc Bureau bureau@eset.sk Joan Calvet - j04n.calvet@gmail.com UNDERSTANDING SWIZZOR S OBFUSCATION 1 Swizzor Present since 2002! AV companies receive hundreds of new binaries daily. Nice icons :
More informationRecovering C++ Objects From Binaries Using Inter-Procedural Data-Flow Analysis
Recovering C++ Objects From Binaries Using Inter-Procedural Data-Flow Analysis Wesley Jin CMU wesleyj@andrew.cmu.edu Cory Cohen CERT cfc@cert.org Jeffrey Gennari CERT jsg@cert.org Charles Hines CERT hines@cert.org
More information