Binary instrumentation for hackers and security professionals

Gal Diskin, Intel
Special thanks to Tevi Devor from the PIN development team

Legal Disclaimer

ANY INTELLECTUAL PROPERTY RIGHTS IS GRANTED BY THIS DOCUMENT. INTEL ASSUMES NO LIABILITY WHATSOEVER AND INTEL DISCLAIMS ANY EXPRESS OR IMPLIED WARRANTY RELATING TO THIS INFORMATION, INCLUDING LIABILITY OR WARRANTIES RELATING TO FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, OR INFRINGEMENT OF ANY PATENT, COPYRIGHT OR OTHER INTELLECTUAL PROPERTY RIGHT.

Performance tests and ratings are measured using specific computer systems and/or components and reflect the approximate performance of Intel products as measured by those tests. Any difference in system hardware or software design or configuration may affect actual performance. Buyers should consult other sources of information to evaluate the performance of systems or components they are considering purchasing. For more information on performance tests and on the performance of Intel products, reference www.intel.com/software/products.

Intel and the Intel logo are trademarks of Intel Corporation in the U.S. and other countries. Other names and brands may be claimed as the property of others. Copyright 2010 Intel Corporation.

All code in this presentation is covered by the following:

BEGIN_LEGAL
Intel Open Source License
Copyright (c) 2002-2010 Intel Corporation. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. Neither the name of the Intel Corporation nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE INTEL OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
END_LEGAL

Part 1: INTRODUCTION

Agenda
- Introduction: what is instrumentation? Why should you care? Potential usages
- PIN, a binary instrumentation engine: about PIN; understanding PIN, a case study in instruction counting
- A practical example: catching double free
- Advanced stuff and closing notes: probe mode and JIT mode; advanced PIN capabilities; alternatives; how to learn more; call for action

Instrumentation
- A technique that inserts code into a program to collect run-time information
  - Program analysis: performance profiling, error detection, capture & replay
  - Architectural study: processor and cache simulation, trace collection
- Source code instrumentation
- Static binary instrumentation
- Dynamic binary instrumentation
  - Instrument code just before it runs (Just In Time, JIT)
  - No need to recompile or re-link
  - Discover code at runtime
  - Handle dynamically generated code
  - Attach to running processes

Why should you care?
- The previous slide didn't mention all potential usages
- Potential security-related usages:
  - Sandboxing & forcing security practices
  - Behavior-based security
  - Pre-patching
  - Reversing, unpacking & de-obfuscation
  - SW analysis (for example Parallel Studio): thread checking, memory checking
  - Taint analysis
  - Anti-viruses
  - Automated vulnerability classification / analysis
  - Deterministic replay
- Do you have tool ideas? Let me know and I might help.

Part 1 Summary
- Instrumentation: a technique to inject code into a program
- Dynamic binary instrumentation: what we will focus on today
- Instrumentation has tons of uber-kwel usages, for offense and defense

Part 2: PIN, A DYNAMIC BINARY INSTRUMENTATION ENGINE

What does Pin stand for?
- Three-letter acronyms (Intel TLAs): 26^3 possible TLAs; 26^3 - 1 are in use at Intel; only 1 is not approved for use at Intel. Guess which one.
- Pin Is Not an acronym

Pin instrumentation
- Multi-platform: Linux, Windows, OS X (not supported anymore)
- Multi-architecture: IA32, x86-64 (aka Intel64, AMD64), Itanium (aka IA64, only Linux), ARM (not supported anymore)
- Robust & efficient

Pin availability
- Popular and well supported: 40,000+ downloads, 400+ citations
- Free download: www.pintool.org
  - Free for non-commercial use
  - Includes a detailed user manual and Pin tools
- Pin user group: PinHeads, http://tech.groups.yahoo.com/group/pinheads
  - Pin users and Pin developers answer questions

Pin and Pin Tools
- Pin: the instrumentation engine
- Pin Tool: the instrumentation program
- Pin provides a framework; the Pin Tool uses the framework to do something meaningful
- Pin Tools:
  - Written in C/C++ using Pin APIs
  - Many open source examples provided with the Pin kit
  - Certain do's and don'ts apply

Instruction Counting Tool

```cpp
#include "pin.H"
#include <iostream>

UINT64 icount = 0;

// Analysis routine: runs every time an instrumented instruction executes
VOID docount() { icount++; }

// Instrumentation routine: called once per instruction, the first time Pin sees it
VOID Instruction(INS ins, VOID *v)
{
    INS_InsertCall(ins, IPOINT_BEFORE, (AFUNPTR)docount, IARG_END);
}

VOID Fini(INT32 code, VOID *v)
{
    std::cerr << "Count " << icount << std::endl;
}

int main(int argc, char *argv[])
{
    PIN_Init(argc, argv);
    INS_AddInstrumentFunction(Instruction, 0);
    PIN_AddFiniFunction(Fini, 0);
    PIN_StartProgram();  // Never returns
    return 0;
}
```

Instrumentation vs Analysis
- Instrumentation routines define where instrumentation is inserted (e.g. before an instruction)
  - Occurs the first time an instruction is executed
- Analysis routines define what to do when instrumentation is activated (e.g. increment a counter)
  - Occurs every time an instruction is executed

Instrumentation Granularity
- Instruction
- Basic block
- Trace
- Routine
- Section
- Image
- Process
- Thread
- Exception

Instrumentation Points
- IPOINT_BEFORE: insert a call before an instruction or routine
- IPOINT_AFTER: insert a call on the fall-through path of an instruction or the return path of a routine
- IPOINT_ANYWHERE: insert a call anywhere inside a trace or a BBL
- IPOINT_TAKEN_BRANCH: insert a call on the taken edge of a branch (the side effects of the branch are visible)

A Better Instruction Counting Tool

```cpp
#include "pin.H"
#include <stdio.h>

UINT64 icount = 0;

// Analysis routine: add a whole basic block's instruction count in one call
VOID PIN_FAST_ANALYSIS_CALL docount(INT32 c) { icount += c; }

// Pin callback: instrument each basic block of the trace once
VOID Trace(TRACE trace, VOID *v)
{
    for (BBL bbl = TRACE_BblHead(trace); BBL_Valid(bbl); bbl = BBL_Next(bbl))
    {
        BBL_InsertCall(bbl, IPOINT_ANYWHERE, (AFUNPTR)docount,
                       IARG_FAST_ANALYSIS_CALL,
                       IARG_UINT32, BBL_NumIns(bbl),
                       IARG_END);
    }
}

// Pin callback: runs when the application exits
VOID Fini(INT32 code, VOID *v)
{
    fprintf(stderr, "Count %lld\n", icount);
}

int main(int argc, char *argv[])
{
    PIN_Init(argc, argv);
    TRACE_AddInstrumentFunction(Trace, 0);
    PIN_AddFiniFunction(Fini, 0);
    PIN_StartProgram();
    return 0;
}
```

Summary of Part 2
- Pin is a dynamic binary instrumentation engine
- Pin is available freely for non-commercial purposes
- Pin is the engine; Pin Tools are programs controlling the engine
- Instrumentation routines are called once; analysis routines are called every time
- There are many levels of granularity; you should try to use the lowest one answering your needs
- You can change instrumentation points

Part 3: A PRACTICAL EXAMPLE: CATCHING DOUBLE FREE

The tool is shown on three slides (main and includes, the instrumentation routine, the analysis routines); here the pieces are ordered so that they compile as one file.

```cpp
// Includes
#include "pin.H"
#include <iostream>
#include <iomanip>
#include <algorithm>
#include <list>

// Analysis routines
std::list<ADDRINT> MallocAddrs;

VOID MallocAfter(ADDRINT ret)
{
    // Save the address returned by malloc in our list
    MallocAddrs.push_back(ret);
}

VOID FreeBefore(CHAR *name, ADDRINT target)
{
    std::list<ADDRINT>::iterator p =
        std::find(MallocAddrs.begin(), MallocAddrs.end(), target);
    if (MallocAddrs.end() != p)
    {
        // Delete this from the allocated address list
        MallocAddrs.erase(p);
    }
    else
    {
        // We caught a free of an unallocated address
        // (Using cout is not good practice; I do it for the example only)
        std::cout << std::hex << target << std::endl;
    }
}

// Instrumentation routine
VOID Image(IMG img, VOID *v)
{
    // Find the malloc function and add our function after it
    RTN mallocRtn = RTN_FindByName(img, "malloc");
    if (RTN_Valid(mallocRtn))
    {
        RTN_Open(mallocRtn);
        RTN_InsertCall(mallocRtn, IPOINT_AFTER, (AFUNPTR)MallocAfter,
                       IARG_FUNCRET_EXITPOINT_VALUE,
                       IARG_END);
        RTN_Close(mallocRtn);
    }

    // Find the free function and add our function before it
    RTN freeRtn = RTN_FindByName(img, "free");
    if (RTN_Valid(freeRtn))
    {
        RTN_Open(freeRtn);
        RTN_InsertCall(freeRtn, IPOINT_BEFORE, (AFUNPTR)FreeBefore,
                       IARG_ADDRINT, "free",
                       IARG_FUNCARG_ENTRYPOINT_VALUE, 0,
                       IARG_END);
        RTN_Close(freeRtn);
    }
}

// Main
int main(int argc, char *argv[])
{
    // Initialize pin & symbol manager
    PIN_InitSymbols();
    PIN_Init(argc, argv);

    // Register Image to be called to instrument functions
    IMG_AddInstrumentFunction(Image, 0);

    PIN_StartProgram();  // Never returns
    return 0;
}
```

Summary of Part 3
- It is relatively simple to write Pin Tools
- Writing a tool to catch double free is very simple and takes less than 50 lines of actual code
- Using simple tools we can catch vulnerabilities relatively easily
- Did anyone notice the flaw in the tool?

Part 4: ADVANCED STUFF AND CLOSING NOTES

Probe mode and JIT mode
- JIT mode: Pin creates a modified copy of the application on the fly; the original code never executes. More flexible, more common approach.
- Probe mode: Pin modifies the original application instructions and inserts jumps to instrumentation code (trampolines). Lower overhead, less flexible approach.

Advanced Pin APIs
- Transparent debugging and extending the debugger
- Attaching and detaching
- System call instrumentation
- Managing exceptions and signals
- Instrumenting a process tree
- Accessing the decode API
- CONTEXT, and IARG_CONST_CONTEXT / IARG_CONTEXT
- Fast buffering API
- Pin code cache API

Alternative instrumentation engines
- DynamoRIO
- Valgrind
- DTrace
- SystemTap (based on kprobes)
- Frysk
- GDB can also be seen as a DBI
- Bistro (EOL)
- Add your favorite DBI engine here

Learning more about Pin
- Website: www.pintool.org
  - Free Pin kit downloads
  - Many open source Pin Tool examples
  - An extensive manual
  - Links to papers and extensive tutorials given in conferences
- PinHeads mailing list / newsgroup: http://tech.groups.yahoo.com/group/pinheads

Call for action
- Start learning and using binary instrumentation
- Create your own Pin Tools and share them with the DC9723 community and all the security community
- Did anybody come up with a tool idea? Feel free to contact me.

QUESTIONS?

Contact details: gal.diskin@intel.com, www.diskin.org
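The bookkeeping of the double-free tool from Part 3, lifted out of Pin so it can be exercised without a pin.H build; this is an added example, not code from the slides. AllocTracker, FreeVerdict, ReallocAfter and the event stream are constructed here, and the example deliberately goes beyond the slide's tool on three points that can be read off its code: free(NULL) is legal, a failed malloc returns NULL, and realloc is not hooked.

```cpp
#include <cstdint>
#include <cstdio>
#include <set>
#include <vector>

typedef uint64_t ADDRINT;  // stands in for Pin's ADDRINT on a 64-bit target

enum class FreeVerdict { Ok, NullFree, DoubleOrInvalidFree };

class AllocTracker {
public:
    // Counterpart of the slide's MallocAfter: remember what malloc handed out.
    void MallocAfter(ADDRINT ret) {
        if (ret != 0) live_.insert(ret);  // a failed malloc returns NULL: nothing to track
    }
    // realloc is not hooked by the slide's tool; it may release the old block
    // and return a new one, so both sides of the move have to be recorded.
    void ReallocAfter(ADDRINT old, ADDRINT ret) {
        if (ret == 0) return;  // a failed realloc leaves the old block alive
        live_.erase(old);
        live_.insert(ret);
    }
    // Counterpart of FreeBefore: free(NULL) is legal and must not be reported.
    FreeVerdict FreeBefore(ADDRINT target) {
        if (target == 0) return FreeVerdict::NullFree;
        return live_.erase(target) == 1 ? FreeVerdict::Ok : FreeVerdict::DoubleOrInvalidFree;
    }
    int LiveCount() const { return (int)live_.size(); }
private:
    std::set<ADDRINT> live_;  // O(log n) lookup; the slide's std::list + std::find is O(n)
};

// Recorded allocator event: 'm' malloc returned addr, 'r' realloc(addr) returned addr2, 'f' free(addr)
struct Event { char kind; ADDRINT addr; ADDRINT addr2; };

// Replay a stream of events and return how many frees were flagged as unallocated.
int CountFlaggedFrees(const std::vector<Event>& events) {
    AllocTracker t;
    int flagged = 0;
    for (const Event& e : events) {
        if (e.kind == 'm') t.MallocAfter(e.addr);
        else if (e.kind == 'r') t.ReallocAfter(e.addr, e.addr2);
        else if (t.FreeBefore(e.addr) == FreeVerdict::DoubleOrInvalidFree) {
            fprintf(stderr, "free of unallocated address 0x%llx\n", (unsigned long long)e.addr);
            ++flagged;
        }
    }
    return flagged;
}

int main() {  // constructed stream: malloc, realloc moves it, stale free, free, double free, free(NULL)
    std::vector<Event> ev = {{'m', 0x1000, 0}, {'r', 0x1000, 0x2000}, {'f', 0x1000, 0},
                             {'f', 0x2000, 0}, {'f', 0x2000, 0}, {'f', 0, 0}};
    return printf("flagged frees: %d\n", CountFlaggedFrees(ev)) < 0;
}
```

In a real Pin tool the same three routines would be the analysis routines behind RTN_InsertCall hooks on malloc, realloc and free, with the std::set guarded by a lock for multi-threaded targets.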
