BAP: Binary Analysis Platform
A Modern Toolkit For Binary Analysis and Reverse Engineering
http://bap.ece.cmu.edu
What is BAP?
• BAP is a framework for modular analysis of binary programs
  – an extensible set of interoperable tools and analyses
  – a set of high-quality libraries
Why BAP?
• BAP is for writing analyses that are
  – Reproducible
  – Scalable
  – Cross-architectural
  – Practical
• The “write once, run many” approach
What BAP is not
• Not an interactive RE tool
• Not a CTF tool
• Not (only) for academic purposes
• Not (only) for sound analysis
• Not (only) for static analysis
• Not dead
Why not BAP?
• No OCaml programmers
  – Limited support for Python
  – C bindings
  – Rust bindings
  – Facebook Reason, Flow, JavaScript
• No Java, C#, or source (script) code analysis
• Not all architectures are supported
• No support for floating point
BAP Architecture (key points)
• Translates a program to BIL (the BAP Intermediate Language)
• Extensible plugin architecture
• Different kinds of plugins:
  – Analysis
  – Disassemblers
  – Architecture support
  – ABI, OS, language support
  – ...
BAP Architecture (pipeline)
Binary → Loader → Image → Disassembler → CFG Reconstructor → Program → ABI → API → ... → p1 → ... → pN → dump
(The stages after Program, from ABI through p1 ... pN, are passes applied to the program term, and the pipeline ends by dumping the result.)
Batteries Included
• WUR - warn unused results
• Beagle - string deobfuscator
• Primus - emulation and microexecution
• Saluki - fast policy checker
• Static and dynamic taint analysis
• UAF, ROP, strings, callsites, ...
BAP in action
Much more on tomorrow’s workshop
Disassembling
$ bap arm-linux-gnueabi-echo -dasm | grep main -A16
00008534: <main>
00008534:
00008534: f0 4d 2d e9 push {r4, r5, r6, r7, r8, r10, r11, lr}
00008538: 1c b0 8d e2 add r11, sp, #0x1c
0000853c: 18 d0 4d e2 sub sp, sp, #0x18
00008540: 30 00 0b e5 str r0, [r11, #-48]
00008544: 34 10 0b e5 str r1, [r11, #-52]
00008548: 0d 30 a0 e1 mov r3, sp
0000854c: 03 a0 a0 e1 mov r10, r3
00008550: 30 30 1b e5 ldr r3, [r11, #-48]
00008554: 01 20 83 e2 add r2, r3, #0x1
00008558: 01 30 42 e2 sub r3, r2, #0x1
0000855c: 24 30 0b e5 str r3, [r11, #-36]
00008560: 02 10 a0 e1 mov r1, r2
00008564: 01 30 a0 e1 mov r3, r1
00008568: 00 40 a0 e3 mov r4, #0x0
Displaying IR
$ bap arm-linux-gnueabi-echo -d | grep main -A16
000000ca: sub main(main_argc, main_argv, main_result)
00000164: main_argc :: in u32 = R0
00000165: main_argv :: in out u32 = R1
00000166: main_result :: out u32 = R0
00000050:
00000051: v618 := SP
00000052: mem := mem with [v618 - 0x4:32, el]:u32 <- LR
00000053: mem := mem with [v618 - 0x8:32, el]:u32 <- R11
00000054: mem := mem with [v618 - 0xC:32, el]:u32 <- R10
00000055: mem := mem with [v618 - 0x10:32, el]:u32 <- R8
00000056: mem := mem with [v618 - 0x14:32, el]:u32 <- R7
00000057: mem := mem with [v618 - 0x18:32, el]:u32 <- R6
00000058: mem := mem with [v618 - 0x1C:32, el]:u32 <- R5
00000059: mem := mem with [v618 - 0x20:32, el]:u32 <- R4
0000005a: SP := SP - 0x20:32
0000005b: R11 := SP + 0x1C:32
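The two listings above show the same prologue twice: once as ARM machine code (`-dasm`) and once as the lifter's BIL (`-d`). A quick way to build confidence in a lifter is to check that the two agree. The script below is an added example, not part of the slides or of BAP itself: it parses the `push` line and the BIL store statements copied from the slides, decodes the register list straight from the A32 encoding (bits 27..16 equal 0x92d for `STMDB SP!`, the `push` alias; bits 15..0 are the register list), and checks that the lifter stored exactly those registers at the offsets STMDB implies and adjusted SP by 4 bytes per register. The regular expressions are written for the output format shown on the slides and are an assumption about nothing beyond that.

```python
import re

# Sample input copied from the slides: the first instruction of main from
# `bap ... -dasm` and the prologue statements from `bap ... -d`.
ASM_LINE = "00008534: f0 4d 2d e9 push {r4, r5, r6, r7, r8, r10, r11, lr}"

BIL_LINES = """\
00000051: v618 := SP
00000052: mem := mem with [v618 - 0x4:32, el]:u32 <- LR
00000053: mem := mem with [v618 - 0x8:32, el]:u32 <- R11
00000054: mem := mem with [v618 - 0xC:32, el]:u32 <- R10
00000055: mem := mem with [v618 - 0x10:32, el]:u32 <- R8
00000056: mem := mem with [v618 - 0x14:32, el]:u32 <- R7
00000057: mem := mem with [v618 - 0x18:32, el]:u32 <- R6
00000058: mem := mem with [v618 - 0x1C:32, el]:u32 <- R5
00000059: mem := mem with [v618 - 0x20:32, el]:u32 <- R4
0000005a: SP := SP - 0x20:32
0000005b: R11 := SP + 0x1C:32
""".splitlines()

# Regexes for the textual formats seen on the slides (assumed stable).
ASM_RE = re.compile(r"^([0-9a-f]{8}): ((?:[0-9a-f]{2} ){4})(\S+)\s*(.*)$")
STORE_RE = re.compile(
    r"^[0-9a-f]+: mem := mem with \[v\d+ - (0x[0-9A-Fa-f]+):32, el\]:u32 <- (\w+)$")
SP_RE = re.compile(r"^[0-9a-f]+: SP := SP - (0x[0-9A-Fa-f]+):32$")

# ARM register numbers 0..15 as BIL names them.
REG_NAMES = ["R%d" % i for i in range(13)] + ["SP", "LR", "PC"]


def parse_asm(line):
    """Return (address, 32-bit instruction word, mnemonic, operands)."""
    m = ASM_RE.match(line)
    if not m:
        raise ValueError("not a -dasm line: %r" % line)
    addr = int(m.group(1), 16)
    # The byte columns are in memory order; this target is little-endian,
    # so the last printed byte is the most significant one.
    word = int.from_bytes(bytes.fromhex(m.group(2).replace(" ", "")), "little")
    return addr, word, m.group(3), m.group(4)


def push_registers(word):
    """BIL names of the registers pushed by an A32 `STMDB SP!, {list}`
    (the `push` alias), or None if the word is not such an instruction."""
    if (word >> 16) & 0x0FFF != 0x92D:
        return None
    reglist = word & 0xFFFF
    return [REG_NAMES[i] for i in range(16) if reglist & (1 << i)]


def lifted_frame(bil_lines):
    """Return ({offset_below_old_sp: register}, sp_adjust) from BIL text."""
    stores, adjust = {}, None
    for line in bil_lines:
        m = STORE_RE.match(line)
        if m:
            stores[int(m.group(1), 16)] = m.group(2)
            continue
        m = SP_RE.match(line)
        if m:
            adjust = int(m.group(1), 16)
    return stores, adjust


def check_prologue(asm_line, bil_lines):
    """Cross-check the lifter's stores against the raw encoding."""
    _, word, mnem, _ = parse_asm(asm_line)
    regs = push_registers(word)
    stores, adjust = lifted_frame(bil_lines)
    # STMDB places the lowest-numbered register at the lowest address, so the
    # first register in the list must sit at old_sp - 4*len(regs), the last at
    # old_sp - 4.
    expected = {4 * (len(regs) - i): r for i, r in enumerate(regs)}
    return {
        "mnemonic": mnem,
        "cond_always": word >> 28 == 0xE,   # condition field AL
        "pushed": regs,
        "stores_match": stores == expected,
        "sp_adjust": adjust,
        "adjust_matches": adjust == 4 * len(regs),
    }


if __name__ == "__main__":
    for key, value in check_prologue(ASM_LINE, BIL_LINES).items():
        print("%-15s %s" % (key, value))
```

For the slide's prologue the eight BIL stores land exactly where the encoding says they should, and `SP := SP - 0x20:32` matches 8 registers × 4 bytes. Feeding a different function's `-dasm` and `-d` output through the same functions is a cheap sanity check whenever a lifter result looks suspicious.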
Displaying CFG
$ bap arm-linux-gnueabi-echo -dcfg --print-symbol=main | xdot
Write a plugin
(* jmp.ml: count jump terms against all terms of a program *)
open Core_kernel.Std
open Bap.Std

(* The visitor state is a pair (jmps, total). *)
let counter = object
  inherit [int * int] Term.visitor
  (* Every term (sub, arg, blk, phi, def, jmp) bumps the total. *)
  method! enter_term _ _ (jmps,total) = jmps,total+1
  (* Jump terms additionally bump the jump count. *)
  method! enter_jmp _ (jmps,total) = jmps+1,total
end

let main proj =
  let jmps,total = counter#run (Project.program proj) (0,0) in
  printf "ratio = %d/%d = %g\n" jmps total (float jmps /. float total)

(* register_pass' is for passes that only inspect the project *)
let () = Project.register_pass' main

Building and running
$ bapbuild jmp.plugin
$ bapbundle install jmp.plugin
$ bap /bin/true --pass=jmp
ratio = 974/7514 = 0.129625
Same in Python
import bap
from bap.adt import Visitor

class Counter(Visitor):
    def __init__(self):
        self.jmps = 0
        self.total = 0

    # enter_Jmp fires only for jump terms ...
    def enter_Jmp(self, jmp):
        self.jmps += 1

    # ... while enter_Term fires for every term, jumps included.
    def enter_Term(self, t):
        self.total += 1

proj = bap.run('/bin/true')
count = Counter()
count.run(proj.program)
print("ratio = {0}/{1} = {2}".format(count.jmps, count.total,
                                     count.jmps / float(count.total)))
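Both the OCaml and the Python plugin rely on one property of the term visitor: a jump term triggers both the generic term hook and the jump-specific hook, so `total` already includes the jumps and the ratio is jumps over all terms. The following is an added, self-contained illustration of that dispatch, not the real `bap.adt` module and not code from the slides: a constructed term tree (Program, Sub, Blk, Def, Jmp, all derived from a Term base) and a visitor that calls `enter_<Class>` for every class in a node's hierarchy, most-derived first. The class layout and the sample program are assumptions made for the example; with a real BAP installation the `Counter` on the slide runs unchanged against `proj.program`.

```python
# Toy stand-in for bap.adt, constructed for this example (not the real module).
# Terms form a tree Program -> Sub -> Blk -> (Def | Jmp); the visitor calls
# enter_<Class> for each class in the node's hierarchy, so enter_Term sees
# every node and enter_Jmp only the jumps.

class Term(object):
    """Base of all terms; `children` holds the nested terms."""
    def __init__(self, name, children=()):
        self.name = name
        self.children = list(children)

class Program(Term): pass
class Sub(Term): pass
class Blk(Term): pass
class Def(Term): pass
class Jmp(Term): pass


class Visitor(object):
    def run(self, term):
        self.visit(term)

    def visit(self, term):
        # Most-derived class first (e.g. Jmp), then its bases (Term, object).
        for cls in type(term).__mro__:
            hook = getattr(self, "enter_" + cls.__name__, None)
            if hook is not None:
                hook(term)
        for child in term.children:
            self.visit(child)
        # Leave hooks run base-first so they mirror the enter order.
        for cls in reversed(type(term).__mro__):
            hook = getattr(self, "leave_" + cls.__name__, None)
            if hook is not None:
                hook(term)


class Counter(Visitor):
    """Same logic as the slide's plugin: jump terms vs. all terms."""
    def __init__(self):
        self.jmps = 0
        self.total = 0

    def enter_Jmp(self, jmp):
        self.jmps += 1

    def enter_Term(self, t):
        self.total += 1


def jump_ratio(program):
    """Return (jmps, total, jmps/total) for a term tree."""
    c = Counter()
    c.run(program)
    return c.jmps, c.total, c.jmps / float(c.total)


# Constructed sample program: one subroutine with two blocks.
SAMPLE = Program("prog", [
    Sub("main", [
        Blk("entry", [Def("r0 := 1"), Def("r1 := r0 + 1"), Jmp("goto exit")]),
        Blk("exit", [Def("r0 := 0"), Jmp("return")]),
    ]),
])

if __name__ == "__main__":
    jmps, total, ratio = jump_ratio(SAMPLE)
    print("ratio = {0}/{1} = {2}".format(jmps, total, ratio))
```

On the constructed program the counter reports 2 jumps among 9 terms (1 program, 1 sub, 2 blocks, 3 defs, 2 jumps), which shows why the slide's `total` needs no separate correction for the jumps it already contains.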
BAP Workshop
• Wednesday, September 27 (tomorrow)
• Time: 9:00 - 11:30
• Location: GHC 6115 (here)
• Learn how to use BAP
• Learn how to extend BAP using
  – OCaml
  – Python
Be prepared!
• Either install BAP from opam manually
• Or use Vagrant to install a provisioned VM:
  $ wget http://tiny.cc/Vagrantfile
  $ vagrant up
  $ vagrant ssh
  $ bap --version