BinRec: Attack Surface Reduction Through Dynamic Binary Recovery Taddeus Kroes, Anil Altinay, Joseph Nash, Yeoul Na, Stijn Volckaert, Herbert Bos, Michael Franz, Cristiano Giuffrida October 19, 2018
Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
BinRec: Attack Surface Reduction Through Dynamic Binary Recovery
Taddeus Kroes, Anil Altinay, Joseph Nash,Yeoul Na, Stijn Volckaert, Herbert Bos,
Michael Franz, Cristiano Giuffrida
October 19, 2018
Attack Surface Reduction
x = getenv(“SET_ME”);
if (x)
cold_code();
hot_code();
2
Attack Surface Reduction
x = getenv(“SET_ME”);
if (x)
cold_code();
hot_code();
3
Buggy features
ROP gadgets
Attack Surface Reduction
x = getenv(“SET_ME”);
if (x)
cold_code();
hot_code();
4
Remove unwanted features
Attack surface reduced
to well-tested code
Attack Surface Reduction
5
setme_str: .asciz: “SET_ME”
push setme_str
call getenv
cmp eax, 0
je main
call cold_code
main:
call hot_code
Want to work on COTS binaries
Static approach
Input binary
Transformed binary
6
Transform
Static approach
Input binary
Transformed binary
7
incompletedisassemblyPIC?obfuscated?
Transform
Static approach
Input binary
Transformed binary
8
incompletedisassembly
contains coldcode
PIC?obfuscated?
which code is reached?
Transform
Dynamic approach by BinRec
TransformInput binary
9
Transformed binary
precisedisassembly
only hot code
Execute
Recovery
Dynamic approach by BinRec
Input binary
Recovered binary
10
TransformExecute
Recovery
Dynamic approach by BinRec
Input binary
Recovered binary
11
TransformExecute
can we make this more generic?
BinRec goal: complex binary transformation
Attack Surface Reduction
/Binary
rejuvenation/
Profile-guided optimization
/(De)obfuscation
/ISA retargeting
Input binary
Recovered binary
12
many applications
Execute
BinRec goal: complex binary transformation
Attack Surface Reduction
/Binary
rejuvenation/
Profile-guided optimization
/(De)obfuscation
/ISA retargeting
Input binary
Recovered binary
13
many applications
requires
high-level
code!
Execute
BinRec design
Input binary
Recovered binary
Compiler IR
MachineCode
14
Execute
Transform
BinRec design
Lift
Input binary
Recovered binary
Compiler IR
MachineCode
15
Execute
Transform
Lower
BinRec design
Lift
Input binary
Recovered binary
Compiler IR
MachineCode
16
Execute
Transform
Lower
Sometimes we want more code coverage than a single code path
BinRec design
Lift
Input binary
Recovered binary
Compiler IR
MachineCode
17
Symbolic execution
Transform
Lower
Run with “symbolic” input and follow both sides of a branch
BinRec design
Lift
Input binary
Recovered binary
Compiler IR
MachineCode
18
Symbolic execution
Transform
Lower
Need to observe each instruction
Want to support
multiple architectures
BinRec design
Lift in VM
Input binary
Recovered binary
Compiler IR
MachineCode
19
Symbolic execution
Transform
Lower
Emulate in VM,
translate instructions to IR
BinRec design
Lift in VM
Input binary
Recovered binary
Compiler IR
MachineCode
20
Symbolic execution
Transform
Lower
BinRec design
Lift in VM
Input binary
Recovered binary
Compiler IR
MachineCode
21
Symbolic execution
Transform
Compile
Just use the compiler
BinRec design
Lift in VM
Input binary
Recovered binary
Compiler IR
MachineCode
22
Symbolic execution
Transform
Compile
BinRec design
Lift in VM
Input binary
Recovered binary
Compiler IR
MachineCode
23
Symbolic execution
Transform
Compile
What about unlifted code paths?
...if (getenv(“SET_ME”)) { puts(“thanks!”); // not recovered!}...
BinRec design
Lift in VM
Input binary
Recovered binary
Compiler IR
MachineCode
24
Symbolic execution
Transform
Compile
What about unlifted code paths?
1. do nothing (breaks conservative behavior)
...getenv(“SET_ME”);...
BinRec design
Lift in VM
Input binary
Recovered binary
Compiler IR
MachineCode
25
Symbolic execution
Transform
What about unlifted code paths?
2. yield error
...if (getenv(“SET_ME”)) { abort();}...
Compile
Add errors
BinRec design
Lift in VM
Input binary
Recovered binary
Compiler IR
MachineCode
26
Symbolic execution
Transform
What about unlifted code paths?
3. fallback to old code
...if (getenv(“SET_ME”)) { goto old_code_address;}...
Compile
Add errors / fallbacks
BinRec design
Lift in VM
Input binary
Recovered binary
Compiler IR
MachineCode
27
Symbolic execution
Transform
References data from input binary
Compile
Add errors / fallbacks
BinRec design
Lift in VM
Input binary
Recovered binary
Compiler IR
MachineCode
28
Symbolic execution
Transform
Compile
Add errors / fallbacks
Link data sections
BinRec design
Lift in VM
Input binary
Recovered binary
Compiler IR
MachineCode
29
Symbolic execution
Transform
Compile
Add errors / fallbacks
Link data sections
IR interacts with VM runtime
// Lifted code
emit_event(BASIC_BLOCK_START)
cpu_state.pc = 0x1000
ebx = &cpu_state.registers[R_EBX]
*ebx = *ebx + 1
cpu_state.icount++
cpu_state.pc = 0x1234
emit_event(BASIC_BLOCK_END)
BinRec design
Lift in VM
Input binary
Recovered binary
Compiler IR
MachineCode
30
Symbolic execution
Transform
Compile
Add errors / fallbacks
Link data sections
// machine code
0x1000:
add ebx, 1
jmp 0x1234
IR interacts with VM runtime
// Lifted code
emit_event(BASIC_BLOCK_START)
cpu_state.pc = 0x1000
ebx = &cpu_state.registers[R_EBX]
*ebx = *ebx + 1
cpu_state.icount++
cpu_state.pc = 0x1234
emit_event(BASIC_BLOCK_END)
BinRec design
Lift in VM
Input binary
Recovered binary
Compiler IR
MachineCode
31
Symbolic execution
Transform
Compile
Add errors / fallbacks
Link data sections
events, counters
// machine code
0x1000:
add ebx, 1
jmp 0x1234
// Lifted code
emit_event(BASIC_BLOCK_START)
cpu_state.pc = 0x1000
ebx = &cpu_state.registers[R_EBX]
*ebx = *ebx + 1
cpu_state.icount++
cpu_state.pc = 0x1234
emit_event(BASIC_BLOCK_END)
BinRec design
Input binary
Recovered binary
Compiler IR
MachineCode
32
Symbolic execution
Transform
Compile
Add errors / fallbacks
Link data sections
// machine code
0x1000:
add ebx, 1
jmp 0x1234
registers in CPU state
control flow through virtual program counter
Lift in VMStrip emulation
BinRec design
Lift in VM
Input binary
Recovered binary
Compiler IR
MachineCode
33
Symbolic execution
Transform
Compile
Add errors / fallbacks
Link data sections
// stripped code
global ebx
lifted_1000:
ebx = ebx + 1
goto lifted_1234
// machine code
0x1000:
add ebx, 1
jmp 0x1234
// Lifted code
emit_event(BASIC_BLOCK_START)
cpu_state.pc = 0x1000
ebx = &cpu_state.registers[R_EBX]
*ebx = *ebx + 1
cpu_state.icount++
cpu_state.pc = 0x1234
emit_event(BASIC_BLOCK_END)
Strip emulation
BinRec design
Lift in VM
Input binary
Recovered binary
Compiler IR
MachineCode
34
Symbolic execution
Transform
Compile
Add errors / fallbacks
Link data sections
Strip emulationPre-process Post-process
Needed to prevent over-optimization during transformations (details in paper)
This is quite bit of code
35
Implementation
Lift in VM
Input binary
Recovered binary
36
Symbolic execution
Transform
Compile
Add errors / fallbacks
Link data sections
Strip emulationPre-process Post-process
Implementation
Input binary
Recovered binary
37
Symbolic execution
Transform
Compile
Add errors / fallbacks
Link data sections
Strip emulationPre-process Post-process
S2ELift in VM
Implementation
Input binary
Recovered binary
38
Symbolic execution
Transform
Compile
Add errors / fallbacks
Link data sections
Strip emulationPre-process Post-process
S2ELift in VM
LLVM
Implementation
Input binary
Recovered binary
39
Symbolic execution
Transform
Compile
Add errors / fallbacks
Link data sections
Strip emulationPre-process Post-process
S2ELift in VM
LLVM
Bash +Python
Binutils
Case study
40
Lift in VM
Input binary
Recovered binary
41
Symbolic execution
Transform
CompileAdd errors / fallbacks
Link data sections
Strip emulationPre-process Post-process
// ab.cint main(int argc, char **argv) { char a = argv[1][0]; char b = argv[1][1]; if (a == 'a') {
if (b == 'b') { puts("You entered \"ab\"");
} } return 0;}
Lift in VM
Input binary
Recovered binary
42
Symbolic execution
Transform
CompileAdd errors / fallbacks
Link data sections
Strip emulationPre-process Post-process
Input binary
Recovered binary
43
Symbolic execution
Transform
CompileAdd errors / fallbacks
Link data sections
Strip emulationPre-process Post-process
Raw code is heavily instrumented
- event triggers- instruction counter- program counter, registers, flags, etc. stored in CPU state in memory
Lift in VM
Input binary
Recovered binary
44
Symbolic execution
Transform
CompileAdd errors / fallbacks
Link data sections
Strip emulationPre-process Post-process
Lift in VM
cmp eax, 1
jle label
“heavily” instrumented
Input binary
Recovered binary
45
Symbolic execution
Transform
CompileAdd errors / fallbacks
Link data sections
Pre-process Post-process
Lift in VM
Raw
Pruned
Strip emulation
Input binary
Recovered binary
46
Symbolic execution
Transform
CompileAdd errors / fallbacks
Link data sections
Pre-process Post-process
Lift in VM
Pruned
OptimizedRaw
Strip emulation
Input binary
Recovered binary
47
Symbolic execution
Transform
CompileAdd errors / fallbacks
Link data sections
Pre-process Post-process
Lift in VMStrip emulation
Cascading optimizations
Input binary
Recovered binary
48
Symbolic execution
Transform
Add errors / fallbacks
Link data sections
Pre-process Post-process
Lift in VMStrip emulation
Compile
.text
Recovered code
...
Input binary
Recovered binary
49
Symbolic execution
Transform
Add errors / fallbacks
Pre-process Post-process
Lift in VMStrip emulation
Compile
.text
.rodata
.data
Old binary
.got
.plt
...
.text
Recovered code
...
.text
.rodata
.data
Recovered binary
.got
.plt
.text.new
=+
...
Link data sections
entry
entry
Input binary
Recovered binary
50
Symbolic execution
Transform
Add errors / fallbacks
Pre-process Post-process
Lift in VMStrip emulation
Compile
.text
.rodata
.data
Old binary
.got
.plt
...
.text
Recovered code
...
.text
.rodata
.data
Recovered binary
.got
.plt
.text.new
=+
...
Link data sections
Remove for error,
Keep for fallback
entry
entry
Input binary
Recovered binary
51
Symbolic execution
Transform
CompileAdd errors / fallbacks
Link data sections
Pre-process Post-process
Lift in VMStrip emulation
Original C
Recovered LLVM
Input binary
Recovered binary
52
Symbolic execution
Transform
CompileAdd errors / fallbacks
Link data sections
Pre-process Post-process
Lift in VMStrip emulation
Original LLVM
Recovered LLVM
Experiments
53
Experiments
- Correctness
- Attack Surface Reduction: ROP gadgets
- Performance
54
Experiment: correctness
Do our transformations preserve semantics?
- Yield errors for unknown code paths
- Check that recovered binary has same output as input binary
55
Experiment: correctness
Do our transformations preserve semantics?
- Yield errors for unknown code paths
- Check that recovered binary has same output as input binary
24 input binaries from SPEC-CPU2006 (x86)
- 15 succeeded, 9 failed (unexpected fallback / crash)
56
Experiment: ROP gadget reduction
Is the attack surface actually smaller?
- 72% fewer instructions- 48% fewer ROP gadgets
(both numbers are geomean)
57
Experiment: performance
- -O3 input binaries: expect similar performance
- -O0 input binaries: expect speedup
- Disable fallback errors: maybe expect speedup
58~44% overhead
- -O3 input binaries: expect similar performance
- -O0 input binaries: expect speedup
- Disable fallback errors: maybe expect speedup
Experiment: performance
59~2% overhead
- -O3 input binaries: expect similar performance
- -O0 input binaries: expect speedup
- Disable fallback errors: maybe expect speedup
Experiment: performance
60~5% performance gain
Wish list / future work
- Gadget-aware compiler backend
- Improve performance
- Do aggressive profile-guided optimization
- Deobfuscation
61
- BinRec successfully transforms binaries at compiler IR level
- … and halves the ROP attack surface in the process
Also
- Binary lifting is hard
Conclusion
62
Related Documents
![BinRec: Dynamic Binary Lifting and Recompilationsuch as LLVM bitcode [4, 25, 26]. Binary lifting has the po-tential to capitalize on powerful compiler-level analysis and transformations](https://static.cupdf.com/doc/110x72/5ed1666ac835620c41322882/binrec-dynamic-binary-lifting-and-recompilation-such-as-llvm-bitcode-4-25-26.jpg)
