RevNIC. Reverse Engineering of Binary Device Drivers. Vitaly Chipounov and George Candea School of Computer & Communica3on Sciences

Transcription

1 RevNIC Reverse Engineering of Binary Device Drivers Vitaly Chipounov and George Candea School of Computer & Communica3on Sciences

2 Drivers: Hard to Write and Hard to Port Drivers are closed source Por3ng from exis3ng drivers is difficult Devices rarely come with an interface specificadon Hard to write a driver from scratch SpecificaDons are o@en incomplete and buggy Buggy driver implementa3on

3 ExisDng SoluDons EmulaDng source OS (VMs, NDISwrapper...) Run 3me overhead, hard to maintain Making drivers from specificadons (Termite) Requires formal specifica3ons Manual trace analysis, decompiladon Tedious, imprecise

4 Windows Windows Linux KitOS μc/os II x86 PC Virtual Machines FPGA

5 RevNIC Virtual Machine Guest OS Original Binary Driver Driver Exerciser Hardware interac3on traces RevNIC Code Synthesizer NIC Driver Template SyntheDc Driver

9 High Coverage Driver Exerciser Hand workload is not enough

10 int irq_handler(device_t *dev) { status = hw_read(status_reg); if (status == RX){ pkt_size = hw_read(rx_size_reg); if (pkt_size < 1514) { recv_packet(dev); else { drop_packet(dev); else if (status == TX) {...

11 int irq_handler(device_t *dev) { status = hw_read(status_reg); if (status == RX){ pkt_size = hw_read(rx_size_reg); if (pkt_size < 1514) { recv_packet(dev); else { drop_packet(dev); else if (status == TX) {... Boundary condidons Error recovery code

14 int irq_handler(device_t *dev) { status = hw_read(status_reg); if (status == RX){ pkt_size = hw_read(rx_size_reg); if (pkt_size < 1514) { recv_packet(dev); else { drop_packet(dev); else if (status == TX) {... status == TX status == RX F T drop packet pkt_size < 1514 receive packet

15 int irq_handler(device_t *dev) { status = hw_read(status_reg); if (status == RX){ pkt_size = hw_read(rx_size_reg); if (pkt_size < 1514) { recv_packet(dev); else { drop_packet(dev); else if (status == TX) {... status == TX status == RX F T drop packet pkt_size < 1514 receive packet High coverage automated driver exerciser

16 explorer.exe... advapi32.dll Applications and... libraries msvcrt.dll ntdll.dll user32.dll... Device Drivers Windows Kernel ndis.sys rtl8139.sys...

17 Exercising Windows NIC Drivers NICDRIVER.SYS IniDalize(...) QueryInformaDon(...)... SendPacket(...) HandleInterrupt(...) Unload(...)

18 Exercising Windows NIC Drivers NICDRIVER.SYS IniDalize(...) QueryInformaDon(...)... SendPacket(...) HandleInterrupt(...) Unload(...)

19 Exercising Windows NIC Drivers IniDalize(...)

22 IniDalize(...)

23 IniDalize(...) Send(..., Packet,...)

24 IniDalize(...) 001a706650e3... Send(..., Packet,...)

25 IniDalize(...) α β γ δ ε ϛ... Send(..., Packet,...)

26 α β γ δ ε ϛ... Send(..., Packet,...)

27 α β γ δ ε ϛ... Send(..., Packet,...) Interrupt

28 α β γ δ ε ϛ... Send(..., Packet,...) Interrupt HandleInterrupt(...)

29 (..., Packet,...) Interrupt dleinterrupt(...)

30 (..., Packet,...) Interrupt dleinterrupt(...) Unload(...)

32 RevNIC Virtual Machine Guest OS Original Binary Driver Driver Exerciser Hardware interac,on traces RevNIC Code Synthesizer NIC Driver Template SyntheDc Driver

33 Hardware InteracDon Traces Virtual Machine Guest OS Original Binary Driver Driver Exerciser ExecuDon tree Machine instrucdons Memory accesses Register values (Memory Mapped) I/O Trace Files

34 RevNIC Virtual Machine Guest OS Original Binary Driver Driver Exerciser Hardware interac,on traces RevNIC Code Synthesizer NIC Driver Template SyntheDc Driver

35 RevNIC Virtual Machine Guest OS Original Binary Driver Driver Exerciser Hardware interac3on traces RevNIC Code Synthesizer NIC Driver Template Traces C code SyntheDc Driver

36 ExecuDon Tree

37 ExecuDon Tree Sequences of basic blocks BB 1 BB 2 BB 3 BB 4 BB 5 BB 6 BB 7 Trace #1

38 ExecuDon Tree Sequences of basic blocks BB 1 BB 2 BB 3 BB 4 BB 5 BB 6 BB 7 BB 1 BB 2 BB 3 BB 4 BB 8 BB 9 BB 7 Trace #1 Trace #2

39 BB 1 BB 2 BB 3 BB 4 BB 5 BB 6 BB 7 BB 1 BB 2 BB 3 BB 4 BB 8 BB 9 BB 7 Trace #1 Trace #2

40 BB 1 BB 2 BB 3 BB 4 BB 5 BB 6 BB 7 BB 1 BB 2 BB 3 BB 4 BB 8 BB 9 BB 7 Trace #1 Trace #2

41 BB 1 BB 2 BB 3 BB 4 BB 1 BB 2 BB 3 BB 4 BB 1 BB 2 BB 3 BB 4 BB 5 BB 8 BB 6 BB 5 BB 8 BB 9 BB 7 BB 6 BB 9 BB 7 Trace #1 BB 7 Trace #2

42 CFG BB 1 BB 2 BB 3 BB 4 BB 1 BB 2 BB 3 BB 4 BB 1 BB 2 BB 3 BB 4 BB 5 BB 8 BB 6 BB 5 BB 8 BB 9 BB 7 BB 6 BB 9 BB 7 Trace #1 BB 7 Trace #2

43 CFG BB 1 BB 2 BB 3 BB 4 BB 5 BB 8 BB 6 BB 9 BB 7

44 CFG BB 1 BB 2 BB 3 BB 4 uint32_t function_0001(...) { BB1: BB2: BB3: BB4: BB 5 BB 6 BB 8 BB 9 BB5: BB6: BB8: BB9: BB 7 BB7:

45 BB 5 BB 6 CFG BB 1 BB 2 BB 3 BB 4 BB 7 BB 8 BB 9 uint32_t function_0001(uint32_t param1, uint32_t param2) { /*... */ BB1: goto BB2; BB2: v1 = read_port(param1); BB3: v2 = read_port(param2); BB4: if (v1 & 0x21) goto BB8; BB5: write_port(param2, 0x1234); BB6: goto BB7; BB8: write_port(param1, 0x4567); BB9: goto BB7; BB7:

46 RevNIC Virtual Machine Guest OS Original Binary Driver Driver Exerciser Hardware interac3on traces RevNIC Code Synthesizer NIC Driver Template Traces C code SyntheDc Driver

47 RevNIC Virtual Machine Guest OS Original Binary Driver Driver Exerciser Hardware interac3on traces RevNIC Code Synthesizer Traces C code NIC Driver Template C code driver SyntheDc Driver

48 Device Driver Structure Hardware facing funcdons Automa3cally synthesized by RevNIC OS facing funcdons Provided by the driver template

49 Hardware InteracDon Code Template Driver

50 Linux Network Driver Template Templates contain OSspecific boilerplate int pci_nic_init(...) { /* Allocate device resources */ i = pci_enable_device (pdev); if (i) {... ioaddr = pci_resource_start (pdev, 0); irq = pdev->irq; if (request_region (ioaddr, ADDR_RANGE, DRV_NAME) == NULL) {... /* * Insert device detection code here * */ /* Allocate private memory */ dev = alloc_netdev(...); if (!dev) {... /* Register entry points */...

51 Linux Network Driver Template Templates contain OSspecific boilerplate int pci_nic_init(...) { /* Allocate device resources */ i = pci_enable_device (pdev); if (i) {... ioaddr = pci_resource_start (pdev, 0); irq = pdev->irq; if (request_region (ioaddr, ADDR_RANGE, DRV_NAME) == NULL) {... /* * Insert device detection code here * */ /* Allocate private memory */ dev = alloc_netdev(...); if (!dev) {... /* Register entry points */...

52 int pci_nic_init(...) { /* Allocate device resources */ i = pci_enable_device (pdev); if (i) {... ioaddr = pci_resource_start (pdev, 0); irq = pdev->irq; if (request_region (ioaddr, ADDR_RANGE, DRV_NAME) == NULL) {... /* * Insert device detection code here * */ /* Allocate private memory */ dev = alloc_netdev(...); if (!dev) {... /* Register entry points */...

53 int pci_nic_init(...) { /* Allocate device resources */ i = pci_enable_device (pdev); if (i) {... ioaddr = pci_resource_start (pdev, 0); irq = pdev->irq; if (request_region (ioaddr, ADDR_RANGE, DRV_NAME) == NULL) {... /* * Insert device detection code here * */ Placeholders for hardware interacdon /* Allocate private memory */ dev = alloc_netdev(...); if (!dev) {... /* Register entry points */...

54 int pci_nic_init(...) { /* Allocate device resources */ i = pci_enable_device (pdev); if (i) {... ioaddr = pci_resource_start (pdev, 0); irq = pdev->irq; if (request_region (ioaddr, ADDR_RANGE, DRV_NAME) == NULL) {... /* * Insert device detection code here * */ if (hw_checkdevice(ioaddr) < 0) { v1 = read_port(ioaddr); if (!(v1 & 1)) { goto lbl0; write_port(ioaddr, 0); lbl0: write_port(ioaddr, 1); /* Allocate private memory */ dev = alloc_netdev(...); if (!dev) {... /* Register entry points */...

56 RevNIC Virtual Machine Guest OS Original Binary Driver Driver Exerciser Hardware interac3on traces RevNIC Code Synthesizer NIC Driver Template SyntheDc Driver insmod revnic_driver.ko

57 ImplementaDon QEMU virtual machine 1 x86 to LLVM translator KLEE symbolic execudon engine 2 1 F. Bellard. QEMU, a Fast and Portable Dynamic Translator. In USENIX C. Cadar et al. KLEE: Unassisted and automa3c genera3on of high coverage tests for complex systems programs. In OSDI 2008.

58 EvaluaDon RevNIC can port network drivers between different OS plaiorms different hardware architectures SyntheDc drivers have good performance

59 Reverse Engineered Drivers Driver Size 1 AMD PCNet Realtek RTL8139 SMSC 91C111 Realtek RTL8029 (NE2000) 35 KB 20 KB 19 KB 18 KB 1 80% of Linux NIC drivers are smaller than 35KB

60 Target Plaiorms Windows Windows Linux KitOS μc/os II

61 Target Plaiorms Windows Windows Linux KitOS μc/os II x86 PC RTL8139

62 Target Plaiorms Windows Windows Linux KitOS μc/os II x86 PC VMware QEMU RTL8139 PCnet, NE2000

63 Target Plaiorms Windows Windows Linux KitOS μc/os II x86 PC RTL8139 VMware QEMU PCnet, NE2000 FPGA4U SMSC 91C111

64 EffecDveness RevNIC reverse engineers all relevant funcdonality IniDalizaDon, sending, recepdon, shutdown, DMA, etc.

65 Performance Throughput (Mbps) Windows KitOS Windows Windows Linux Original Windows Linux Windows Original UDP Packet Size (Bytes)

69 PorDng Effort

70 PorDng Effort Virtual Machine Guest OS Original Binary Driver 80% basic block coverage ~20 min Zero manual effort Driver Exerciser

71 PorDng Effort Virtual Machine Guest OS Original Binary Driver 80% basic block coverage ~20 min Zero manual effort Driver Exerciser ~1 min RevNIC Code Synthesizer Zero manual effort

72 PorDng Effort Virtual Machine Guest OS Original Binary Driver Driver Exerciser 80% basic block coverage ~20 min Zero manual effort Few hours 5 days ~1 min RevNIC Code Synthesizer One Dme effort NIC Driver Template Zero manual effort

73 PorDng Effort Virtual Machine Guest OS Original Binary Driver Driver Exerciser 80% basic block coverage ~20 min Zero manual effort Few hours 5 days ~1 min RevNIC Code Synthesizer One Dme effort NIC Driver Template Zero manual effort SyntheDc Driver (e.g., Linux)

74 PorDng Effort RevNIC speeds up driver development Device Manual (Linux) RevNIC Persons Span Persons Span RTL years 1 1 week 91C years 1 4 days NE years 1 5 days PCNet 3 4 years 1 1 week

76 PorDng Effort RevNIC speeds up driver development Device Manual (Linux) RevNIC Persons Span Persons Span RTL years 1 1 week Mostly fixing undocumented quirks 91C years 1 4 days NE years 1 5 days PCNet 3 4 years 1 1 week

78 RevNIC Reverse engineering of driver s state machine from interacdon traces High coverage reverse engineering through symbolic execudon Using symbolic hardware for reverse engineering without access to original devices

79 RevNIC Reverse engineering of driver s state machine from interacdon traces High coverage reverse engineering through symbolic execudon Using symbolic hardware for reverse engineering without access to original devices