Software Analysis Tools

Transcription

1 CSCE 790 Introduction to Software Analysis Software Analysis Tools Professor Lisa Luo Fall 2018

2 Overview Source code CFG generator Binary code analysis Code obfuscation Symbolic Execution Dynamic analysis tool 2

3 Source Code CFG Generator 3

4 Eclipse CFG Generator Install the CFG generator plugin: Eclipse Help > Software updates > Available Software > Add Site > this site: 4

5 Examples If graph 5

6 Binary Code Analysis 6

7 Test Program #include<stdio.h> #include<stdlib.h> int fib(int n) { int a = 1; int b = 1; int i; for (i = 3; i <= n; i++) { int c = a + b; a = b; b = c; }; return b; } int main(int argc, char** argv) { if (argc!= 2) { printf("give one argument!\n"); abort(); }; long n = strtol(argv[1],null,10); int f = fib(n); printf("fib(%li)=%i\n",n,f); } 7

8 BAP: Binary Analysis Platform BAP is the newest framework for binary analysis BAP comes with a variety of algorithms and features to make analysis easier 8

9 Download & Installation Download: Installation: opam init --comp= eval `opam config env opam depext --install bap 9

10 Compiler-like Design 10

11 Static & Dynamic Analysis 11

12 Extensible Program Analysis SSA code representations CFG representations Dataflow analysis Symbolic execution 12

13 Many Applications in Security Do not redo the engineering. Do the science. 13

14 Excise 1: Disassembly IR bap./fib -d $ bap --list-formats adt (1.0.0) print program IR in ADT format asm (1.0.0) print assembly instructions asm.adt (1.0.0) print assembly instruction endcoded in ADT format asm.decoded (1.0.0) print assembly instructions as it was decoded asm.sexp (1.0.0) print assembly instructions as it was decoded bil (1.0.0) print BIL instructions bil.adt (1.0.0) print BIL instructions in ADT format bil.sexp (1.0.0) print BIL instructions in Sexp format bir (1.0.0) print program in IR callgraph (1.0.0) print program callgraph in DOT format cfg (1.0.0) print rich CFG for each procedure marshal (1.0.0) OCaml standard marshaling format symbols (1.0.0) print symbol table 14

15 Excise 2: Disassembly Assembly Code bap./fib -dasm 15

16 Excise 3: Callgraph Representation bap./fib -dcallgraph > fib.callgraph xdot fib.callgraph 16

17 Excise 4: CFG Representation bap fib -dcfg --print-symbol=fib > fib.cfg xdot fib.cfg o bap fib -dcfg --print-symbol=main > main.cfg o xdot main.cfg 17

18 Excise 5: SSA Representation --ssa is another plugin that transfer a program into SSA form bap./fib -d --ssa bap./fib -dcfg --ssa o bap fib -dcfg --print-symbol=fib --ssa > fib_ssa.cfg o xdot fib_ssa.cfg 18

19 Code Obfuscation 19

20 Tigress: Code Obfuscator The Tigress Obfuscator is a obfuscator for the C language that supports many novel defenses against both static and dynamic reverse engineering. Source code-based obfuscator 20

21 21

22 Install Tigress: Get the test program: 22

23 Exercise 1: Opaque Predicate tigress --Seed=0 \ --Transform=InitEntropy --Transform=InitOpaque \ --Functions=main \ --InitOpaqueStructs=list,array \ --Transform=AddOpaque \ --Functions=fib \ --AddOpaqueCount=10 \ --AddOpaqueKinds=question \ fib.c --out=fib_out.c Checking the changes: bap./a.out -dcallgraph > a.out.callgraph xdot a.out.callgraph 23

24 Excise 2: Control Flow Flattening tigress --Seed=42 \ --Transform=Flatten \ --FlattenDispatch=switch \ --FlattenOpaqueStructs=array \ --FlattenObfuscateNext=false \ --FlattenSplitBasicBlocks=false \ --Functions=fib \ fib.c --out=fib1.c Checking the changes: bap./a.out -dcfg --print-symbol=fib > a_out.cfg xdot a.out.callgraph 24

25 Other Transformations Function Splitting and Merging Data encoding Arithmetic encoding Details: 25

26 Binary Code-Based Obfuscator Diablo Loco 26

27 Symbolic Execution 27

28 SPF: Symbolic PathFinder SPF combines symbolic execution with constraint solving to perform symbolic execution Used mainly for automated test-case generation Generates an optimized test suite that exercise all the behavior of the program under test Reports code coverage During test generation process, checks for errors Uses Java PathFinder (JPF) engine 28

29 SPF: Symbolic PathFinder JPF-core s search engine used To generate and explore the symbolic execution tree The symbolic search space may be infinite due to loops, recursion SPF put a limit on the search depth Support many constraint solving: CVC3 STP Z3 29

30 Download & Installation o Java PathFinder: o Symbolic PathFinder: o Build: Test,-Run 30

31 Example Java file 31

32 Example jpf file target=test classpath=${jpf-symbc}/build/examples sourcepath=${jpf-symbc}/src/examples symbolic.method = Test.test(sym#sym) symbolic.min_int=-100 symbolic.max_int=100 symbolic.dp=choco listener =.symbc.symboliclistener 32

33 Result 33

34 Dynamic Analysis 34

35 Valgrind: Dynamic Analysis Tool Valgrind is an instrumentation framework It comes with a set of tools for debugging, profiling and other tasks that help you improve your program It can also be used to building other customerdefined dynamic analysis tools 35

36 Exercise 1: Memcheck Memcheck detects many memory-related errors that are common in C/C++ programs that can lead to crashes and unpredictable behavior. The program under test should be compiled with g to include debugging information, so that Memcheck can provide you the exact line numbers for locating the original code. 36

37 Running Program Under Memcheck $ valgrind --leak-check=yes myprog arg1 arg2 37

38 Testing Program 1. #include <stdlib.h> void f(void) { 4. int* x = malloc(10 * sizeof(int)); 5. x[10] = 0; 6. } int main(void) { 9. f(); 10. return 0; 11. } // problem 1: heap block overrun // problem 2: memory leak -- x not freed 38

39 The error is heap block overrun Where the problem occurred The error is memory leak Where the problem occurred 39

40 Other Useful Tools Memcheck is a memory error detector. It helps you make your programs, particularly those written in C and C++, more correct. SGcheck is an tool that can detect overruns of stack and global arrays. Its functionality is complementary to that of Memcheck. Helgrind is a thread error detector. It helps you make your multithreaded programs more correct. DRD is a thread error detector. It is similar to Helgrind but uses different analysis techniques and so may find different problems. Massif is a heap profiler. It helps programs use less memory. DHAT is a heap profiler. It helps you understand issues of block lifetimes, block utilisation, and layout inefficiencies. Cachegrind is a cache and branch-prediction profiler. It helps you make your programs run faster. Callgrind is a call-graph generating cache profiler. BBV is is useful for computer architecture research. 40

41 Summary Eclipse CFG generator based on source code BAP: Binary Analysis Platform CFG representation Call graph representation SSA code representation Symbolic execution & theorem proving Tigress: Code obfuscation Opaque predicate Control flow flattening Function splitting and merging Data and arithmetic encoding SPF: Symbolic PathFinder Test case generation Valgrind: Dynamic analysis tool Memcheck; SGcheck; Helgrind; DRD; Massif 41