TIE: Principled Reverse Engineering of Types in Binary Programs! JongHyup Lee, Thanassis Avgerinos, and David Brumley

Transcription

1 TIE: Principled Reverse Engineering of Types in Binary Programs! JongHyup Lee, Thanassis Avgerinos, and David Brumley

2 Reverse engineering on binary programs! 1.Code structure 2.Data abstractions TIE 2

3 Goal: Reconstruct data abstractions conservatively and accurately 3

4 Goal: Reconstruct data abstractions conservatively and accurately 4

5 All types are lost. 5

6 Compilation Source code unsigned int foo(!!char *buf,!!unsigned int *out)! {! unsigned int c;! c = 0;!! if (buf) {! *out = strlen(buf);! c = *out - 1;! }! return c;! }! Type checking Ree types Assign variables to memory slots Translate into machine code Binary code push sub l cmpl je call sub leave! ret! %ebp! %esp,%ebp! $0x28,%esp! $0x0,-0xc(%ebp)! $0x0,0x8(%ebp)! d <foo+0x2e>! 0x8(%ebp),%eax! %eax,(%esp)!? c <strlen@plt>! 0xc(%ebp),%edx! %eax,(%edx)! 0xc(%ebp),%eax! (%eax),%eax! $0x1,%eax! %eax,-0xc(%ebp)! -0xc(%ebp),%eax! 6

7 Source code unsigned int foo(!!char *buf,!!unsigned int *out)! {! unsigned int c;! c = 0;!! if (buf) {! *out = strlen(buf);! c = *out - 1;! }! return c;! }! Type checking Ree types Assign variables to memory slots Translate into machine code unsigned 32-bit! int foo(! 32-bit!!char *buf,!!unsigned 32-bit! int *out)! {! unsigned 32-bit! int c;! c = 0;!! if (buf) {! *out = strlen(buf);! c = *out - 1;! }! return c;! }! Binary code 7

8 Source code unsigned 32-bit! int foo(! 32-bit!!char *buf,!!unsigned 32-bit! int *out)! {! unsigned 32-bit! int c;! c = 0;!! if (buf) {! *out = strlen(buf);! c = *out - 1;! }! return c;! }! Type checking Ree out [+12] types buf [+8] Assign variables c to memory [- 12] slots Translate into machine code unsigned 32-bit! int foo(! 32-bit!!char *[+8],!!unsigned 32-bit! int *[+12])! {! unsigned 32-bit! int [-12];! [-12] = 0;!! if ([+8]) {! *[+12] = strlen([+8]);! [-12] = *[+12] - 1;! }! return [-12];! }! Binary code 8

9 Source code unsigned 32-bit! int foo(! 32-bit!!char *[+8],!!unsigned 32-bit! int *[+12])! {! unsigned 32-bit! int [-12];! [-12] = 0;!! if ([+8]) {! *[+12] = strlen([+8]);! [-12] = *[+12] - 1;! }! return [-12];! }! Type checking Ree types Assign variables to memory slots Translate into machine code Binary code push sub l cmpl je call sub leave! ret! %ebp! %esp,%ebp! $0x28,%esp! $0x0,-0xc(%ebp)! $0x0,0x8(%ebp)! d <foo+0x2e>! 0x8(%ebp),%eax! %eax,(%esp)! c <strlen@plt>! 0xc(%ebp),%edx! %eax,(%edx)! 0xc(%ebp),%eax! (%eax),%eax! $0x1,%eax! %eax,-0xc(%ebp)! -0xc(%ebp),%eax! 9

10 Make a stackframe c = 0 if (buf) FuncPon call strlen subtracpon return push sub l cmpl je call sub leave! ret! %ebp! %esp,%ebp! $0x28,%esp! $0x0,-0xc(%ebp)! $0x0,0x8(%ebp)! d <foo+0x2e>! 0x8(%ebp),%eax! %eax,(%esp)! c <strlen@plt>! 0xc(%ebp),%edx! %eax,(%edx)! 0xc(%ebp),%eax! (%eax),%eax! $0x1,%eax! %eax,-0xc(%ebp)! -0xc(%ebp),%eax! No types, no variables 10

11 TIE! 1 Variable recovery Ree types 2 Type inference Assign variables to memory slots 11

12 1. Variable Recovery! Binary Program read %eax = - 0x4(%ebp) write - 0x8(%ebp) = 0x1 read %edx = - 0x8(%ebp) memory Analyze the value of addresses A variant of VSA (Value Set Analysis) [Balakrishnan, 2007] 12

13 push %ebp %esp,%ebp sub $0x28,%esp l $0x0,- 0xc(%ebp) cmpl $0x0,0x8(%ebp) je d <foo+0x2e> 0x8(%ebp),%eax %eax,(%esp) call c <strlen@plt> 0xc(%ebp),%edx %eax,(%edx) 0xc(%ebp),%eax (%eax),%eax sub $0x1,%eax %eax,- 0xc(%ebp) - 0xc(%ebp),%eax leave ret 1. Variable Recovery! A B 13

14 2. Type Inference! Source Binary Program code signed division add a + 3, %eax dereferencing addipon idiv a /%eax - 3 a : int32_t bit signed idiv, b /%edx - 3 division *b 4, = (%edx) 3 Behavior has not changed! b 32 : char bit * 14

15 ANALYZE the behavior on variables COLLECT the clues INFER the type of variables 15

16 Goal: Reconstruct data abstractions conservatively and accurately 16

17 No single answer (vs. general types) 17

18 Multiple types are possible! int sum(int a, int b)! {! int c;! c = a + b;! return c;! }! char * advance(char * str,!!unsigned int m)! {! char * tmp;! tmp = str + m;! return tmp;! }! Make a stackframe 1 st arg + 2 nd arg Return the result push %ebp! %esp,%ebp! sub $0x10,%esp! 0xc(%ebp),%eax! 0x8(%ebp),%edx! add %edx,%eax! %eax,-0x4(%ebp)! -0x4(%ebp),%eax! leave! ret! int, uint, pointer of 18

19 GUESS! int uint pointer 19

20 Tell the type as it is TIE uint int pointer Expressive type system Type interval 20

21 TIE type system! allows us to express the type of variables as they are used reg32 num32 C-types int32 uint32 pointer 21

22 Type lattice! Basic types reg32_t reg16_t reg8_t reg1_t num32_t ptr(α) code_t num16_t num8_t int32_t uint32_t int16_t uint16_t int8_t uint8_t 22

23 Type specificity! A <: B A is a subtype of B A is more specific than B Ex) int32 <: num32 23

24 Type interval! How much does a binary program tell us about a variable? reg32 reg32 num32 uint32 uint32 24

25 Type interval! T reg32 reg32 num32 num32 uint32 uint32 [, T] [,reg32] [uint32,num32] [uint32,uint32] refined as we know more about the variable 25

26 Conservativeness of result! Is the real type within the inferred type interval? Conservative Inferred type: [uint32_t, reg32_t] reg32_t reg16_t reg8_t num32_t ptr(α) code_t num16_t num8_t int32_t uint32_t int16_t uint16_t int8_t Real type: uint32_t 26

27 Goal: Reconstruct data abstractions conservatively and accurately 27

28 ANALYZE the behavior on variables COLLECT every clue INFER the type of variables 28

29 ANALYZE the behavior on variables COLLECT Type constraints every clue generation rules GENERATE type constraints SOLVE type constraints 29

30 Type Constraints from Usage Clues! l (e 1 ), e 2 Usage clue value = load(index,s) Memory load Type Constraint index is a pointer of value and the size of value is s. type variable for e 1 e 2 = load( e 1,32) [e 1 ] = ptr([e 2 ]) [e 2 ] <: reg32 t Equality Subtype relaponship conjuncpve 30

31 Type Constraints from Usage Clues! Usage clue c = a + 32 b 32- bit addipon Type constraint ( a : number, b : number, c :number) or ( a : pointer, b : number, c :pointer) or ( a : number, b : pointer, c :pointer) disjuncpve e 3 = e e 2 ([e 1 ] <: ptr(α) [e 2 ] <: num32 t ptr(β) <: [e 3 ]) ([e 1 ] <: num32 t [e 2 ] <: ptr(α) ptr(β) <: [e 3 ]) conjuncpve 31

32 Inter-procedural Type Inference! Type of passing arguments = Type of passed arguments FuncPon f1 () var2 = var3 call f2 (var1, var2) FuncPon f2 (arg1, arg2) var4 = arg2 [var1] = [arg1] [var2] = [arg2] 32

33 Type Constraints from Well-known Functions! a = strlen(b) uint32_t char * [a] = uint32_t [b] = char * strcpy(d, s) char * [d] = char * [s] = char * 33

34 ANALYZE the behavior on variables COLLECT every clue GENERATE type constraints SOLVE type constraints 34

35 Solving type constraints! Equality, A = B Unification Subtype relationship, A <: B Closure algorithm Conjunctive, A B Solve all Disjunctive, A B Merge compatible terms 35

36 Equality constraints! (unification)! [a] = ptr( uint32 [c] [b] ) uint32 [b] [c] = uint32 [c] uint32 [c] = uint32 36

37 Subtype relationship constraints! (closure alg.)! int32_t <: [a] <: [b] <: num32_t T T reg32 num32 [a] [b] int32 37

38 Subtype relationship constraints! (closure alg.)! int32_t <: [a] <: [b] <: num32_t [a] <: [b] <: num32_t reg32 num32 num32 num32 int32 [a] [b] 38

39 Subtype relationship constraints! (closure alg.)! int32_t <: [a] <: [b] [a] <: [b] int32_t <: [a] <: [b] <: num32_t <: num32_t reg32 num32 int32 num32 [a] int32 num32 [b] int32 39

40 Rest of the talk! Limitations Related work Evaluation 40

41 Limitations! Works on regular programs compiled from C code Not very informative for irregular programs Infers types as what is in the TIE type system only Extendable 41

42 Related work! Hex- Rays? TIE Principled reverse engineering - Well defined process - Type theory - - REWARDS Dynamic analysis only Type propagapon from type sinks (unificapon) - - TIE StaPc + dynamic Type inference with more expressive type system (unificapon + closure alg.) Boomerang [RE2005] Laika[OSDI2008] Tupni[CCS2008] 42

43 Evaluation 43

44 Hex-Rays! push sub l cmpl je call sub leave! ret! %ebp! Make a %esp,%ebp! $0x28,%esp! stackframe $0x0,-0xc(%ebp)! c = 0 $0x0,0x8(%ebp)! d <foo+0x2e>! IF (buf) 0x8(%ebp),%eax! %eax,(%esp)! c <strlen@plt>! call 0xc(%ebp),%edx! strlen %eax,(%edx)! 0xc(%ebp),%eax! (%eax),%eax! $0x1,%eax! subtraction %eax,-0xc(%ebp)! -0xc(%ebp),%eax! return? Source types Hex- Rays buf char * char * out c unsigned int * unsigned int int int 44

45 REWARDS! push sub l cmpl je call sub leave! ret! %ebp! Make a %esp,%ebp! $0x28,%esp! stackframe $0x0,-0xc(%ebp)! c = 0 $0x0,0x8(%ebp)! d <foo+0x2e>! IF (buf) 0x8(%ebp),%eax! %eax,(%esp)! c <strlen@plt>! call 0xc(%ebp),%edx! strlen %eax,(%edx)! 0xc(%ebp),%eax! (%eax),%eax! $0x1,%eax! subtraction %eax,-0xc(%ebp)! -0xc(%ebp),%eax! buf = 0 return Source types buf char * out c unsigned int * unsigned int REWARDS (buf=0) unsigned int unsigned int unsigned int 45

46 TIE! push sub l cmpl je call sub leave! ret! %ebp! Make a %esp,%ebp! $0x28,%esp! stackframe $0x0,-0xc(%ebp)! c = 0 $0x0,0x8(%ebp)! d <foo+0x2e>! IF (buf) 0x8(%ebp),%eax! %eax,(%esp)! c <strlen@plt>! call 0xc(%ebp),%edx! strlen %eax,(%edx)! 0xc(%ebp),%eax! (%eax),%eax! $0x1,%eax! subtraction %eax,-0xc(%ebp)! -0xc(%ebp),%eax! return Source types TIE buf char * char * out c unsigned int * unsigned int unsigned int * unsigned int 46

47 % of variables conservatively typed! Static Rate of conservatively inferred types Hex-Rays on 87 programs in coreutil % 100% 90% TIE 90% 80% 80% 70% 40%+ 70% 60% 60% 50% 50% Hex-Rays 40% 40% 30% 30% 20% 20% 10% 10% 0% Hex-Rays TIE 0% (Higher is better) Dynamic REWARDS TIE REWARDS on single execute trace chroot df groups hostid users 47

48 Accuracy! Distance to real types Difference of level between a real type and an inferred type (selected form type interval) Inferred type reg32_t reg16_t reg8_t reg distance = 2 num32_t ptr(α) code_t num16_t num8_t int32_t uint32_t int16_t uint16_t int8_t uint8_t Real type 48

49 Distance to real types! Static Difference in levels to real types Hex-Rays on 87 programs in coreutil Hex-Rays % TIE Hex-Rays TIE 0.25 (Lower is better) Dynamic REWARDS TIE REWARDS on single execute trace chroot df groups hostid users 49

50 REWARDS-c! (Special thanks to Zhiqiang Lin, Dongyan Xu) 100% 90% 80% 70% REWARDS-c TIE % % % 30% 20% REWARDS-c TIE 10% % chroot df groups hostid users 0.25 chroot df groups hostid users Conservativeness Distance 50

51 Structural types! {l i : T i } Record types Conservativeness 100% 90% 80% 70% 60% 50% 40% 30% 20% Hex-Rays TIE struct {!!int a;!!int* b;!!short c;!!short d;! }! 0 4 int32 int32 * 8 int16 int16 10% 0% Hex-Rays {0 : int32, 4 : int32 *,! 8 : int16, 10 : int16}! Distance TIE 0 51

52 Conclusion! Type inference with a rich type system Well-defined process, Theoretical foundation Static and dynamic binary analysis TIE: Principled! Reverse Engineering of Types! in Binary Programs 52

53 Thank you! Questions?! 53