Pwning Intel PIN: Reconsidering Intel Pin in Context of Security

Presented at REcon 2018, June 15, 2018, 6 p.m. (30 minutes).

Binary instrumentation is a robust and powerful technique which facilitates binary code modification of computer programs in order to better analyze their behavior and characteristics even when no source code is available. This is achieved either statically, by rewriting the binary instructions of the program and then executing the altered program, or dynamically, by changing the code at run-time right before it is executed. The design of most Dynamic Binary Instrumentation (DBI) frameworks puts emphasis on ease-of-use, portability, and efficiency, offering the possibility to execute inspecting analysis code from an interpositioned perspective while maintaining full access to the instrumented program. This has established DBI as a powerful tool utilized for analysis tasks such as profiling, performance evaluation, and prototyping.

Moreover, the interest in employing DBI tools for binary hardening techniques (e.g. Program Shepherding) and malware analysis is constantly increasing among researchers. However, the usage of DBI for security-related tasks is questionable, as in such scenarios it is important that analysis code runs isolated from the instrumented program in a stealthy way. This inspired us to look more closely at how DBI frameworks influence (impair) the security characteristics of an instrumented binary.

In this talk, we (1) show that a plethora of work implicitly seems to assume isolation and stealthiness of DBI frameworks, and strongly challenge these assumptions. We use Intel Pin running on x86-64 Linux as an example to show that when a program is running in the context of a DBI framework, (2) the presence thereof can be detected, (3) policies introduced by binary hardening mechanisms can be circumvented (i.e. it is possible to break out of Pin's virtual machine), and (4) otherwise hard-to-exploit CVEs in existing applications can be escalated to full code execution when run in Intel Pin.

To follow good non-scientific practice, we will publish source code, proofs of concept, a technical writeup, our demos, and slides after the presentation.


Presenters:

  • Julian Kirsch
    Julian Kirsch is a researcher at Technical University of Munich. His research focuses on anything related to compiled machine code, ranging from reverse engineering to exploitation. He is an active member of the capture the flag community where he plays for the H4x0rPsch0rr/hxp team (which just qualified for this year's DEF CON finals), taking part in every major CTF competition. He occasionally publishes write-ups on interesting CTF challenges on https://hxp.io. Julian teaches practical hands-on courses at Technical University of Munich where students learn about state-of-the-art reverse engineering and exploitation techniques.
  • Zhechko Zhechev
    Zhechko is a student at Technical University of Munich. For his master's thesis he developed attacks on Intel PIN, the de-facto standard tool used for dynamic binary instrumentation. Zhechko is an active part of the CTF community where he plays for the H4x0rPsch0rr/hxp team, taking part in every major CTF competition.
