How to Grow a TREE (Taint-enabled Reverse Engineering Environment) From CBASS (Cross-platform Binary Automated Symbolic-execution System)

Presented at Black Hat USA 2013, July 31, 2013, 3:30 p.m. (60 minutes)

Binary analysis techniques from academic research have been introduced into the reverse engineering community as well as research labs that are equipped with lots of computing power. Some program analyses using these techniques have even begun to show up in hacker conferences. But significant limitations remain:

  • No practical toolset delivers analyses of binary programs across multiple platforms (such as x86, ARM, MIPS and PowerPC).
  • No practical toolset scales to real-world large programs and automates all aspects of highly sophisticated tasks like vulnerability analysis and exploit generation.
  • No practical toolset runs on a typical engineer's laptop or integrates seamlessly with any popular reverse engineering environment. Interested reverse engineers must switch back and forth between their familiar tool environment and some Dynamic Binary Instrumentation (DBI) environment (like PIN) or full system emulator (like QEMU).

In this talk, we will present our solution to these limitations. We will explain the Cross-platform Binary Automated Symbolic-execution System (CBASS) that we developed and demonstrate one of its interactive applications: an IDA-based Taint-enabled Reverse Engineering Environment (TREE). TREE can deliver program analysis techniques (taint analysis, dynamic slicing, symbolic execution and constraint solving) into the reverse engineer's hands now.

Binary analysis and its security applications have been extensively researched, mainly in the context of a single instruction set architecture (predominantly x86) and popular desktop operating systems (Linux or Windows). CBASS performs its binary analysis on a common Intermediate Representation (IR) rather than on the native Instruction Set Architecture (ISA) of any program. This thin layer allows our powerful analysis tools to work on cross-platform binary applications.

While CBASS supports both automated and interactive security applications, TREE supports a subset of these capabilities, but from within an IDA Pro plug-in. TREE provides useful interactive visualizations of the results of on-demand binary analysis.

Symbolic execution and concolic execution (concrete-symbolic execution) are fundamental techniques used in binary analysis, but they are plagued by the exponential path explosion problem. Solving this problem requires vigorous path pruning algorithms and highly parallel computing infrastructure (like clouds). Neither of these is typically available to a reverse engineer. TREE solves this problem by helping the reverse engineer prioritize path execution: it gives an interactive and intuitive visual representation of the results of on-demand analysis of what inputs and instruction sequences led to the crash site or other suspicious path, and it leverages path constraints and an SMT solver to negate a tainted branch condition and reach a new, unexplored path. The details of the taint analysis, dynamic slicing and path constraint solving mechanisms are transparent to the reverse engineer.
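The branch-negation step described above, as an added sketch that is not TREE or CBASS code: a concrete run records which input-dependent (tainted) branches were taken, the last one is negated, and a new input is solved for. The branch table, the seed input and the function names are constructed for illustration, and a byte enumeration stands in for the SMT solver.

```python
from itertools import product

# Constructed toy target: (input byte indices the branch depends on, predicate).
# The "crash site" is reached only when every branch is taken.
BRANCHES = [
    ((0,), lambda b: b[0] == 0x54),
    ((1, 2), lambda b: b[1] + b[2] == 0x97),
    ((3,), lambda b: b[3] ^ 0x20 == 0x65),
]

def trace(data):
    """Concrete run: record (branch id, outcome) until a branch is not taken."""
    path = []
    for i, (_, pred) in enumerate(BRANCHES):
        taken = pred(data)
        path.append((i, taken))
        if not taken:
            break
    return path

def solve(constraints, seed):
    """Stand-in for an SMT solver (assumption): vary only the bytes that taint
    the negated branch, keep the other bytes concrete, check the whole path."""
    idx = BRANCHES[constraints[-1][0]][0]
    for vals in product(range(256), repeat=len(idx)):
        cand = bytearray(seed)
        for j, v in zip(idx, vals):
            cand[j] = v
        if all(BRANCHES[i][1](cand) == want for i, want in constraints):
            return bytes(cand)
    return None

def explore(seed, max_runs=10):
    """Negate the last tainted branch of each run until the crash site is hit."""
    data = bytes(seed)
    for runs in range(1, max_runs + 1):
        path = trace(data)
        if len(path) == len(BRANCHES) and all(t for _, t in path):
            return data, runs
        last, taken = path[-1]
        # Path constraint: same prefix outcomes, last branch flipped.
        data = solve(path[:-1] + [(last, not taken)], data)
        if data is None:
            return None, runs
    return None, max_runs

if __name__ == "__main__":
    print(explore(b"AAAA"))
```

Restricting the search to the bytes that taint the negated branch is what keeps each step small; a real solver would also handle branches whose constraints share input bytes with earlier ones.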

Utilizing the existing IDA Pro debugging infrastructure, TREE can automate trace generation from diverse target platforms, including kernel mode tracing for Windows. To our surprise, although the IDA Pro debugging API has been around for a long time, there has been no serious effort to automate trace collection for extensible binary analysis, particularly for kernel mode tracing. Our work has directly contributed to two bug fixes in the latest IDA Pro patches (IDA 6.4.130206). Our presentation will feature several case studies of using TREE to analyze real-world vulnerabilities.


Presenters:

  • James Just
    James Just is experienced with most topics and technologies relating to current and advanced cyber security.
  • Xing Li - Battelle Memorial Institute
    Xing Li, CISSP, is a Cyber Research Scientist at Battelle Memorial Institute, where he is responsible for developing cross-platform binary analysis tools for Windows, Linux, Mac OSX, and Android mobile devices. He spends most of his time researching Android Internals, where he looks for ways to automate instrumentation and monitoring of both native and Dalvik processes. His work includes extending IDA Pro to generate custom trace files and monitoring processes with IDA Pro's debugger. He also served as the lead integrator for the Advance Malware APT Detection System for Battelle. Xing's past experience includes developing user mode and kernel mode rootkits for Mac OSX Snow Leopard and Windows, live forensics on Windows systems, and Windows Media and Registry forensics tools. He has worked on many vulnerability research projects for Windows and Mac OSX. Xing holds a Master of Computer Forensics from George Mason University. He also holds a Bachelor of Electrical Engineering from the University of Maryland, College Park.
  • Loc Nguyen - Battelle Memorial Institute
    Junior-level reverse engineer with working research experience in obfuscation and metamorphism. Strong focus on programming language semantics and binary analysis. Currently working at the Battelle Memorial Institute as a Cyber Computer Scientist.
  • Nathan Li - Battelle Memorial Institute
    Lixin (Nathan) Li is a senior security research lead at the Cyber Innovation Unit of Battelle. Mr. Li focuses on bridging the gaps from academic research to hacking practice. He leads applied research of cross-platform binary analysis and development of automated security applications including vulnerability analysis, exploit generation automation, and automated reverse engineering environment and malware analysis. His most recent work includes researching and developing a Cross-platform Binary Automated Symbolic-execution System (CBASS) using heavyweight taint analysis and concrete-symbolic execution, an interactive IDA Pro visualization-based Taint-enabled Reverse Engineering Environment (TREE) and COncurrent pRogram Reverse Engineering Cross-platform Toolset (CORRECT). His extensive research and implementation experience has covered software defense, offense and analytics, spanned layers from Web application and OS to microprocessor, and crossed platforms from x86-based desktops and PowerPC/MIPS-based routers and switches to ARM-based mobile devices. Mr. Li has 16 years of research and engineering experience across architectures, operating systems, and network layers, with the past 8 years focusing on security research and practical binary hacking and defensive techniques. He researched and implemented an ASLR solution on Windows binary from kernel to provide host protection, years before ASLR found its way into the Windows OS. Mr. Li serves as technical lead in multiple security projects. He is an inventor and principal developer of techniques that resulted in numerous publications.
