Labeling Library Functions in Stripped Binaries

Transcription

1 Labeling Library Functions in Stripped Binaries Emily R. Jacobson, Nathan Rosenblum, and Barton P. Miller Computer Sciences Department University of Wisconsin - Madison PASTE 2011 Szeged, Hungary September 5, 2011

2 Why Binary Code? o Source code isn t available o Source code isn t the right representation 2

3 Binary Tools Need Symbol Tables o Debugging Tools o GDB, IDA Pro o Instrumentation Tools o PIN, Dyninst, o Static Analysis Tools o CodeSurfer/x86, o Security Analysis Tools o IDA Pro, 3

4 Restoring Information Function locations program binary targ80c3bd0 targ80c3df4 targ80c3df4 Complicated by: o Missing symbol information o Variability in function layout (e.g. code sharing, outlined basic blocks) o High degree of indirect control flow 4

5 Restoring Information targ80c3bd0 targ80c3df4 targ80c3df4 What about semantic information? o Program s interaction with the operating system (system calls) encapsulated by wrapper functions program binary Library fingerprinting: identify functions based on patterns learned from exemplar libraries 5

6 unstrip stripped binary parsing + library fingerprinting + binary rewriting targ80c3bd0 getpid targ80c3df4 targ80c3df4 accept 6

7 Save registers Invoke a system call <accept>: mov %ebx, %edx mov %0x66,%eax mov $0x5,%ebx lea 0x4(%esp),%ecx int $0x80 mov %edx, %ebx cmp %0xffffff83,%eax jae syscall_error ret Set up system call arguments Error check and return

8 <accept>: mov %ebx, ret %edx push %esi mov %0x66,%eax call enable_asyncancel mov $0x5,%ebx mov %eax,%esi mov %ebx,%edx glibc on RHEL with GCC lea 0x4(%esp),%ecx int $0x80 glibc 2.5 on RHEL with GCC mov %edx, %ebx mov $0x66,%eax cmp mov $0x5,%ebx %0xffffff83,%eax lea jae 0x8(%esp),%ecx syscall_error call *0x ret <accept>: cmpl $0x0,%gs:0xc jne 80f669c mov %ebx, %edx mov %0x66,%eax mov $0x5,%ebx lea 0x4(%esp),%ecx call *0x814e93c mov %edx, %ebx cmp %0xffffff83,%eax jae syscall_error ret push %esi call enable_asyncancel mov %eax,%esi mov %ebx,%edx <accept>: cmpl $0x0,%gs:0xc jne 80f669c mov %ebx, %edx mov %0x66,%eax mov $0x5,%ebx lea 0x4(%esp),%ecx int $0x80 mov %edx, %ebx cmp %0xffffff83,%eax jae syscall_error mov %edx, %ebx xchg %eax,%esi call disable_acynancel mov %esi,%eax pop %esi cmp $0xffffff83,%eax jae syscall_error ret glibc 2.5 on RHEL with GCC mov $0x66,%eax mov $0x5,%ebx lea 0x8(%esp),%ecx int $0x80 mov %edx, %ebx xchg %eax,%esi call disable_acynancel mov %esi,%eax pop %esi cmp $0xffffff83,%eax jae syscall_error ret The same function can be realized in a variety of ways in the binary

9 Binary-level Code Variations o Function inlining o Code reordering o Minor code changes o Alternative code sequences 9

10 Semantic Descriptors o Rather than recording byte patterns, we take a semantic approach o Record information that is likely to be invariant across multiple versions of the function <accept>: mov %ebx, %edx mov %0x66,%eax mov $0x5,%ebx lea 0x4(%esp),%ecx int $0x80 mov %edx, %ebx cmp %0xffffff83,%eax jae ret mov %esi,%esi {<socketcall, 5 >} 10

11 Building Semantic Descriptors binary reboot: push %ebp mov %esp,%ebp sub $0x10,%esp push %edi push %ebx mov 0x8(%ebp),%edx mov $0xfee1dead,%edi mov $0x ,%ecx push %ebx mov %edi,%ebx mov $0x58,%eax int $0x80 0xfee1dead (reboot) 0x58 %edi 0x EAX EBX ECX SYSTEM CALL {<reboot, 0xfee1dead, 0x >} We parse an input binary, locate system calls and wrapper function calls, and employ dataflow analysis. 11

12 Building Semantic Descriptors Recursively open: mov $0x5, eax int $0x80 {<open, /etc/hostid, 577, 420>} sethostid: call open call write mov $0x6, eax int $0x80 { <close>} write: mov $0x4, eax int $0x80 {<write,?,?,4>} { <close>, <open, /etc/hostid, 577,420>, <write,?,?,4>} 12

13 Building a Descriptor Database glibc reference library <accept>: mov %ebx, %edx mov %0x66,%eax mov $0x5,%ebx lea 0x4(%esp),%ecx int $0x80 Locate wrapper functions Build semantic descriptors {<socketcall, 5>}: accept {<socketcall, 4>}: listen {<getpid>}: getpid Descriptor Database unstrip 13

14 Building a Descriptor Database glibc reference glibc reference library glibc reference library glibc reference library library <accept>: <accept>: mov %ebx, %edx <accept>: mov 1 mov %ebx, %0x66,%eax %edx <accept>: 1 mov mov mov %ebx, %0x66,%eax $0x5,%ebx %edx 1 mov mov mov %ebx, lea %0x66,%eax $0x5,%ebx 0x4(%esp),%ecx %edx 1 mov mov lea %0x66,%eax int $0x5,%ebx 0x4(%esp),%ecx $0x80 mov lea int $0x5,%ebx 0x4(%esp),%ecx $0x80 lea int 0x4(%esp),%ecx $0x80 int $0x80 Locate wrapper functions Build semantic descriptors {<socketcall, 5>}: accept {<socketcall, 5>}: accept {<socketcall, 5>}: accept {<socketcall, 5>}: accept {<socketcall, 4>}: listen {<socketcall, 4>}: listen {<socketcall, 4>}: listen {<socketcall, 4>}: listen {<getpid>}: getpid {<getpid>}: getpid {<getpid>}: getpid {<getpid>}: getpid unstrip Descriptor Database 14

15 Pattern Matching Criteria o Two stages 1) Exact matches 2) Best match based on coverage criterion o Handle minor code variations by allowing flexible matches 15

16 Pattern Matching Criteria fingerprint from the database A: {<socketcall,5>} B: {<socketcall,5>, <socketcall,5>, <futex>} semantic descriptor from the code coverage(a,b) = A B B A B = { b B b A } coverage(a,b) =

17 Multiple Matches o It s possible that two or more functions are indistinguishable o Policy decision: return set of potential matches o In practice, we ve observed 8% of functions have multiple matches, but the size of the match set is small ( 3) 17

18 Identifying Functions in a Stripped Binary stripped binary Descriptor Database For each wrapper function { } 1. Build the semantic descriptor. 2. Search the database for a match (apply twostage matching process). 3. Add label to symbol table. unstripped binary unstrip 18

19 Implementation stripped binary parsing + library fingerprinting + binary rewriting 19

20 Evaluation o To evaluate across three dimensions of variation, we constructed three data sets: o GCC version o glibc version o distribution vendor o In each set, compile statically-linked binaries, build a DDB, compare unstrip to IDA Pro s FLIRT o Evaluation measure is accuracy 20

21 accuracy Evaluation Results: GCC Version Study unstrip IDA Pro GCC Patterns Predicting Each Library 21

22 accuracy Evaluation Results: glibc Version Study unstrip IDA Pro glibc Patterns Predicting Each Library 22

23 accuracy Evaluation Results: Distribution Study unstrip IDA Pro Fedora Mandrivia OpenSuse Ubuntu Fedora Patterns Predicting Each Library 23

24 unstrip is available at 24

25 Backup slides follow

26 accuracy Evaluation Results: GCC Version Study (Temporal: backwards) unstrip IDA Pro GCC Patterns Predicting Each Library 26

27 accuracy Evaluation Results: glibc Version Study (Temporal: backwards) unstrip IDA Pro glibc Patterns Predicting Each Library 27

28 accuracy Evaluation Results: Distribution Study (one predicts the rest) unstrip IDA Pro Fedora Mandrivia OpenSuse Ubuntu Mandrivia Patterns Predicting Each Library 28

29 Accuracy Evaluation Results: GCC Version Study (one predicts the rest) unstrip IDA Pro GNU C Compiler Version 29

30 Accuracy Evaluation Results: glibc Version Study (one predicts the rest) unstrip IDA Pro glibc version 30

31 Accuracy Evaluation Results: Distribution Study (one predicts the rest) unstrip IDA Pro Fedora Mandrivia OpenSuse Ubuntu Distribution Vendor 31