Dongwoo Kim : Hyeon-jeong Lee s Husband

Similar documents
ios applications reverse engineering Julien Bachmann

The ARM Architecture. With a focus on v7a and Cortex-A8

A Choices Hypervisor on the ARM architecture

Real-time Debugging using GDB Tracepoints and other Eclipse features

Mobile Application Hacking for Android and iphone. 4-Day Hands-On Course. Syllabus

An Introduction to the ARM 7 Architecture

Automatic Logging of Operating System Effects to Guide Application-Level Architecture Simulation

Bug hunting. Vulnerability finding methods in Windows 32 environments compared. FX of Phenoelit

Exception and Interrupt Handling in ARM

THUMB Instruction Set

Instruction Set Architecture

x86 ISA Modifications to support Virtual Machines

Eloquence Training What s new in Eloquence B.08.00

Cortex-A9 MPCore Software Development

Computer Organization and Architecture

Fine-grained covert debugging using hypervisors and analysis via visualization

Linux. Reverse Debugging. Target Communication Framework. Nexus. Intel Trace Hub GDB. PIL Simulation CONTENTS

FATKit: A Framework for the Extraction and Analysis of Digital Forensic Data from Volatile System Memory p.1/11

Custom Penetration Testing

SierraVMI Sizing Guide

COS 318: Operating Systems

Interpreters and virtual machines. Interpreters. Interpreters. Why interpreters? Tree-based interpreters. Text-based interpreters

StrongARM** SA-110 Microprocessor Instruction Timing

CHAPTER 7: The CPU and Memory

Sequential Performance Analysis with Callgrind and KCachegrind

Instruction Set Design

60467 Project 1. Net Vulnerabilities scans and attacks. Chun Li

Last Class: OS and Computer Architecture. Last Class: OS and Computer Architecture

Example of Standard API

Advanced ANDROID & ios Hands-on Exploitation

Last Class: OS and Computer Architecture. Last Class: OS and Computer Architecture

ELEC 377. Operating Systems. Week 1 Class 3

High-Performance Processing of Large Data Sets via Memory Mapping A Case Study in R and C++

4.1 Introduction 4.2 Explain the purpose of an operating system Describe characteristics of modern operating systems Control Hardware Access

BEAGLEBONE BLACK ARCHITECTURE MADELEINE DAIGNEAU MICHELLE ADVENA

General Introduction

COS 318: Operating Systems. Virtual Machine Monitors

Return-oriented programming without returns

CHAPTER FIVE RESULT ANALYSIS

Central Processing Unit (CPU)

Operating System Structures

CSC 2405: Computer Systems II

Sequential Performance Analysis with Callgrind and KCachegrind

ARM Microprocessor and ARM-Based Microcontrollers

Software based Finite State Machine (FSM) with general purpose processors

Figure 1: RotemNet Main Screen

GIVE WINGS TO YOUR IDEAS TOOLS MANUAL

ASSEMBLY PROGRAMMING ON A VIRTUAL COMPUTER

CSE 141L Computer Architecture Lab Fall Lecture 2

OfficeServ Application Suite

Gigabit Ethernet Packet Capture. User s Guide

Attacking Obfuscated Code with IDA Pro. Chris Eagle

Xen and the Art of. Virtualization. Ian Pratt

PARALLELS SERVER 4 BARE METAL README

nfdump and NfSen 18 th Annual FIRST Conference June 25-30, 2006 Baltimore Peter Haag 2006 SWITCH

ARM VIRTUALIZATION FOR THE MASSES. Christoffer Dall

Tizen SDK Annual Report Key Improvements. Changseok Oh (Samsung), Yeongkyoon Lee (S-Core)

OpenFlow with Intel Voravit Tanyingyong, Markus Hidell, Peter Sjödin

ADVANCED PROCESSOR ARCHITECTURES AND MEMORY ORGANISATION Lesson-12: ARM

l C-Programming l A real computer language l Data Representation l Everything goes down to bits and bytes l Machine representation Language

Webinar Information. Title: Websense Remote Filtering Audio information: Dial-in numbers:

System Requirements for Microsoft Dynamics NAV 2016

Rethinking SIMD Vectorization for In-Memory Databases

İSTANBUL AYDIN UNIVERSITY

Embedded Linux RADAR device

Virtualization. Dr. Yingwu Zhu

Instruction Set Architecture (ISA)

SEMANTIC SECURITY ANALYSIS OF SCADA NETWORKS TO DETECT MALICIOUS CONTROL COMMANDS IN POWER GRID

Live und in Farbe Live Migration. André Przywara CLT 2010

System Requirements for Microsoft Dynamics NAV 2016

Week Overview. Installing Linux Linux on your Desktop Virtualization Basic Linux system administration

Getting Started with Tizen SDK : How to develop a Web app. Hong Gyungpyo 洪 競 杓 Samsung Electronics Co., Ltd

RecoveryVault Express Client User Manual

Chapter 3. Hardware and software requirements

Dynamic Behavior Analysis Using Binary Instrumentation

Reverse Engineering by Crayon: Game Changing Hypervisor and Visualization Analysis

Lecture 26: Obfuscation

Performance Monitoring of the Software Frameworks for LHC Experiments

Storage Class Memory Support in the Windows Operating System Neal Christiansen Principal Development Lead Microsoft

Efficient and Large-Scale Infrastructure Monitoring with Tracing

Eliminate Memory Errors and Improve Program Stability

Eddy Integrated Development Environment, LemonIDE for Embedded Software System Development

Overview of the Cortex-M3

Understanding the Benefits of IBM SPSS Statistics Server

Windows Vista (DARC) Matthew Cook

Introduction. Application Performance in the QLinux Multimedia Operating System. Solution: QLinux. Introduction. Outline. QLinux Design Principles

Virtual Machines. COMP 3361: Operating Systems I Winter


MICROPROCESSOR AND MICROCOMPUTER BASICS

Online Backup Linux Client User Manual

VMware and CPU Virtualization Technology. Jack Lo Sr. Director, R&D

FRONT FLYLEAF PAGE. This page has been intentionally left blank

Online Backup Client User Manual

Lecture 11: Multi-Core and GPU. Multithreading. Integration of multiple processor cores on a single chip.

System Requirements for Microsoft Dynamics NAV 2016

Transcription:

2/ 32

Who we are Dongwoo Kim : Hyeon-jeong Lee s Husband Ph.D. Candidate at Chungnam National University in South Korea Majoring in Computer Communications & Security Interested in mobile hacking, digital forensics Sangwho Kim : Hye-ji Heo s Boyfriend Master s course at the same school Interested in mobile hacking, vulnerability analysis 3/ 32

Our purpose We want to find remote code execution vulnerabilities of real-world Android apps. Our targets are apps that consume file data like office file browser. We re especially interested in their native libraries that can cause crashes. It s not a big deal to make targets get crashed using simple fuzzing. The problem is that it s a very time-consuming task to analyze crashes to determine exploitability. 4/ 32

How to determine exploitability We have to MANUALLY figure out that the operand at crash point is affected by the user input. User Input Data LDR R4, [R5, #20]... LDR R2, [R4, #4] Crash... LDR R1, [R2] LDR R3, [R1] BL R3 Shellcode 5/ 32

Our goal 1 / 2 We need something that can let us know whether the operand is affected by the input in an automated manner. (Time is precious!) We tried to take advantage of any tools for it. However, there is nothing that we can use for our purpose on ARM architecture. We have decided to write our own tools using taint analysis based on dynamic binary instrumentation. 6/ 32

Our goal 2 / 2 Our tools should be easy to use on both Android emulator and device for practical use. We want our tools to answer the following questions. Q. Operand at crash point is affected by input? A. Yes or No! Q. If yes, where is exactly coming from? A. Offset 0x1004 in the input file 7/ 32

VDT (Visual Data Tracer) 1 / 3 presented by Julio Auto at Source 2009 conference For crash analysis of user level applications on Windows OS (x86) Using taint analysis to determine exploitability Input data 1 Leave trace log 2 Backward taint analysis using the trace log Crash Point 8/ 32

VDT (Visual Data Tracer) 2 / 3 VDT-Tracer : Leave trace log (Extension of WinDBG) trace.log 9/ 32

VDT (Visual Data Tracer) 3 / 3 VDT-GUI : Backward taint analysis Instruction chain engaged in data flow 10 / 32

TREE (Tainted-enabled Reverse Engineering Environment) 1 / 2 by Lixin Li and Chao Wang in 2013 For crash analysis of user level applications on various architectures based on debugging feature of IDA Pro Using taint analysis to determine exploitability. 11 / 32

TREE (Tainted-enabled Reverse Engineering Environment) 2 / 2 IDA Pro TREE-Tracer TREE-Analyzer TREE-Visualizer Trace_log.idb 12 / 32

Type of DBI (Dynamic Binary Instrumentation) DBI Tool DBI Tool Target Target vs. Attach Type - Same process - Separate process Our choice! Pros Cons - OS support NOT required (Low overhead) - NOT appropriate for crash analysis - Appropriate for crash analysis - OS support required (High overhead) 13 / 32

Overview of our tools trace.log 1 ARM-Tracer (Online) - CLI Interface - Working on 32bit ARM-based Linux (Android emulator and real device) - Extracting context of every instruction until the target gets crashed 2 ARM-Analyzer (Offline) - GUI Interface - Working on Desktop for efficiency - Parsing trace.log and show the list of executed instructions - Allowing a user to choose an object for backward taint analysis 14 / 32

Challenges in ARM-Tracer No hardware support for single-stepping whereas Intel x86 provides it known for trap flag. We can implement it with DBM (Debug Breakpoint Mechanism). It requires various considerations which are not necessary in x86. Such as calculating Next PC, handling signals in multithreaded environment, handling atomic instruction sequence. 15 / 32

Challenges in ARM-Analyzer Not a simple task to identify semantic of ARM instructions in terms of data propagation, and distinguish their syntax. SIMD (Single Instruction Multiple Data) instruction set is very annoying! SIMD is for multimedia like SSE (Streaming SIMD Extensions) in x86 which has its own register bank that size is 256 bytes in total. 16 / 32

ARM-Tracer 1 / 8 Instruction tracing with DBM single-stepping using system call Breakpoint instruction differentiate according to the instruction state [Step 1] Determine Next PC [Step 2] Set BP [Step 3] Restore Instr. 0x1004 01 10 C0 24 0x1008 01 00 BD E8 0x100C 1E FF 2F E1 0x1004 01 10 C0 24 0x1008 Breakpoint 0x100C 1E FF 2F E1 0x1004 01 10 C0 24 0x1008 01 00 BD E8 0x100C 1E FF 2F E1 1. Analyze current instr. 0x1004 01 10 C0 24 2. Determine Next PC Next PC = 0x1008 3. Backup instr. at Next PC 0x1008 01 00 BD E8 4. Set BP at Next PC 0x1008 Breakpoint 5. Execute 0x1004 01 10 C0 24 6. Restore Instr. 0x1008 01 00 BD E8 17 / 32

ARM-Tracer 2 / 8 Instruction state State Instruction Size ARM state ARM instruction 32 Thumb state Thumb instruction 16 Thumb2 instruction 16/32 Instruction state change (interworking) can happen by BX/BLX instructions. 18 / 32

ARM-Tracer 3 / 8 Considerations on calculating Next PC We have to identify opcode of instructions according to instruction state. (based on GDB) ARM (32bit) Thumb (16bit) Thumb2 (16/32bit) BLX #Offset BLX <Reg> BX <Reg> LDR PC, [<Reg>] LDM <Reg>, {(RegList,) PC} B #Offset BL #Offset POP {(RegList,) PC} B #Offset BX <Reg> BLX <Reg> MOV PC, <Reg> CBZ <Reg>, #Offset CBNZ <Reg>, #Offset B #Offset BL #Offset BLX #Offset SUBS PC, LR, #Offset LDMIA <Reg>, {(RegList)} LDMDB <Reg>, {(RegList)} RFEIA <Reg> RFEDB <Reg> MOV PC, <Reg> LDR PC, [<Reg>] TBB [<RegA>, <RegB>] TBH [<RegA>, <RegB>] 19 / 32

ARM-Tracer 4 / 8 Addressing interference by other threads Caused by code sharing Thread Thread Thread Target Thread Thread Thread Thread Target Thread Breakpoint Breakpoint We have to guarantee all the threads run properly. 20 / 32

ARM-Tracer 5 / 8 Handling instruction sequence for atomic operation ARM does not provide atomic instruction. Instead, it provides sequence for it. (LDREX/STREX) We should not intervene the sequence otherwise, it may cause infinite loop. infinite loop 21 / 32

ARM-Tracer 6 / 8 The good starting point We designate a specific thread as the target thread which opens the input file. We can know memory address where the input file is loaded by checking and functions. Target starts Target crashes! Input file is loaded! (We start tracing here. ) 22 / 32

ARM-Tracer 7 / 8 Before logging, filter out instructions not executed (ARM) [ CPSR ] [ ARM Instruction ] 23 / 32

ARM-Tracer 8 / 8 Before logging, filter out instructions not executed (Thumb2) [ Thumb2 IT Instruction ] [ CPSR ] 24 / 32

ARM-Analyzer 1 / 3 Parsing each entry from the trace log file Identify instruction syntax based on disassembly Identify object : register, memory address (byte level) 25 / 32

ARM-Analyzer 2 / 3 Classification of instructions ARM Architecture Reference Manual ARMv7-A Edition Group Mnemonic Target Syntax Impl. Memory access 16 8 39 54 General data processing 32 27 37 70 Multiply 25 22 22 28 Saturating 6 6 6 10 Parallel 4 4 4 5 Packing and unpacking 10 10 10 28 Branch and control 10 0 0 0 Coprocessor 14 0 0 0 Total 117 77 118 195 We have also considered some SIMD instructions (vld, vst). 26 / 32

ARM-Analyzer 3 / 3 How it works Backward taint analysis View for user Crash Inside of ARM-Analyzer 2 1 Dst : r6 / Src : r0 Dst : r3 / Src : r1, *0x2224 Dst : r5 / Src : r1 Dst : r4 / Src : r0 Dst : r0 / Src : r1 Dst : r1 / Src : r6 Dst : r3 / Src : r3, *0x1018 Enqueue Queue r3 27 / 32

Experiment 1 / 3 We generated crashes against Polaris Office 6.0.1. Among them, we chose 7 crashes that look cool! Such as.. Crash LDR BLX R3, [R3, #0x18] R3 Let s try to put them into our tools! 28 / 32

Experiment 2 / 3 Tested on GalasxyS4 2.3 GHz Quad-core, 2GB RAM, Android 4.4.2, Kernel 3.4.0 ARM-Tracer Crash 1 Crash 2 Crash 3 Crash 4 Crash 5 Crash 6 Crash 7 # of instructions executed # of instructions filtered out # of atomic handler Taken time (sec) Dump file size (MB) 6,804,072 6,830,983 7,008,764 7,048,261 10,000,000+ 10,000,000+ 10,000,000+ 585,093 584,841 601,177 607,208 900,000+ 900,000+ 900,000+ 2,600 2,600 2,662 2,630 3,800+ 3,800+ 3,800+ 1,563 1,562 1,616 1,673 2,300+ 2,300+ 2,300+ 1,038 1,042 1,069 1,075 1,500+ 1,500+ 1,500+ 29 / 32

Experiment 3 / 3 Tested on Desktop 3.3 GHz Quad-core, 16GB RAM, Windows 7 ARM-Analyzer Crash 1 Crash 2 Crash 3 Crash 4 Probably Exploitable X O X O # of instructions executed 6,804,072 6,830,983 7,008,764 7,048,261 Taken time to full scan Fast Mode Normal Mode 10 ~ 15 sec A couple of days... Fast Mode enqueues only effective address of source into the search queue. ex) LDR R1, [R2, R3] *(R2+R3) // 0x1004 0x1000 0x4 30 / 32

31 / 32

We have developed tools for crash analysis of userlevel applications on ARM architecture. It can avoid non-deterministic behavior. We can efficiently analyze crashes in a limited time. We have tested it with real-world app on Android device. As a result, we got two exploitable crashes after short testing our tools with crash samples that we have already generated. Before long, we re going to release our tools with source code after some revisions for those who are interested in them. Please participate in improving our tools. 32 / 32

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information