Introduction. Application Security. Reasons For Reverse Engineering. This lecture. Java Byte Code

Similar documents
language 1 (source) compiler language 2 (target) Figure 1: Compiling a program

Chapter 7D The Java Virtual Machine

CS61: Systems Programing and Machine Organization

02 B The Java Virtual Machine

Attacking Obfuscated Code with IDA Pro. Chris Eagle

Format string exploitation on windows Using Immunity Debugger / Python. By Abysssec Inc

Software Fingerprinting for Automated Malicious Code Analysis

Instruction Set Architecture

Lecture 26: Obfuscation

Off-by-One exploitation tutorial

Return-oriented programming without returns

Interpreters and virtual machines. Interpreters. Interpreters. Why interpreters? Tree-based interpreters. Text-based interpreters

Programming the Android Platform. Logistics

Abysssec Research. 1) Advisory information. 2) Vulnerable version

Assembly Language: Function Calls" Jennifer Rexford!

An Introduction to Assembly Programming with the ARM 32-bit Processor Family

HOTPATH VM. An Effective JIT Compiler for Resource-constrained Devices

OPERATING SYSTEM SERVICES

Hotpatching and the Rise of Third-Party Patches

CSC 8505 Handout : JVM & Jasmin

Introduction. What is an Operating System?

INTRODUCTION TO MALWARE & MALWARE ANALYSIS

CS:APP Chapter 4 Computer Architecture Instruction Set Architecture. CS:APP2e

Identification and Removal of

Inside the Java Virtual Machine

Example of Standard API

Lecture 12: Software protection techniques. Software piracy protection Protection against reverse engineering of software

Jonathan Worthington Scarborough Linux User Group

Sage 50 Payroll 2012 Authentication Bypass

64-Bit NASM Notes. Invoking 64-Bit NASM

CS412/CS413. Introduction to Compilers Tim Teitelbaum. Lecture 20: Stack Frames 7 March 08

MACHINE ARCHITECTURE & LANGUAGE

Reverse Engineering and Computer Security

1. General function and functionality of the malware

esrever gnireenigne tfosorcim seiranib

For a 64-bit system. I - Presentation Of The Shellcode

Chapter 4 Lecture 5 The Microarchitecture Level Integer JAVA Virtual Machine

Inside a killer IMBot. Wei Ming Khoo University of Cambridge 19 Nov 2010

Introduction. Figure 1 Schema of DarunGrim2

Real-time Debugging using GDB Tracepoints and other Eclipse features

TitanMist: Your First Step to Reversing Nirvana TitanMist. mist.reversinglabs.com

Chapter 3: Operating-System Structures. Common System Components

X86-64 Architecture Guide

Java Programming. Binnur Kurt Istanbul Technical University Computer Engineering Department. Java Programming. Version 0.0.

Bypassing Anti- Virus Scanners

Sandy. The Malicious Exploit Analysis. Static Analysis and Dynamic exploit analysis. Garage4Hackers

Exploiting nginx chunked overflow bug, the undisclosed attack vector

Attacking Host Intrusion Prevention Systems. Eugene Tsyrklevich

System Structures. Services Interface Structure

Lecture 27 C and Assembly

CS3600 SYSTEMS AND NETWORKS

Inside the Binary Analysis Tool

ASSEMBLY PROGRAMMING ON A VIRTUAL COMPUTER

Software Vulnerabilities

A Tiny Guide to Programming in 32-bit x86 Assembly Language

Stitching the Gadgets On the Ineffectiveness of Coarse-Grained Control-Flow Integrity Protection

Monitoring, Tracing, Debugging (Under Construction)

Introduction to Reverse Engineering

Hacking Techniques & Intrusion Detection. Ali Al-Shemery arabnix [at] gmail

The Beast is Resting in Your Memory On Return-Oriented Programming Attacks and Mitigation Techniques To appear at USENIX Security & BlackHat USA, 2014

Self Protection Techniques in Malware

Hacking your Droid ADITYA GUPTA

Jakstab: A Static Analysis Platform for Binaries

Basics in Energy Information (& Communication) Systems Virtualization / Virtual Machines

Objectives. Chapter 2: Operating-System Structures. Operating System Services (Cont.) Operating System Services. Operating System Services (Cont.

Advanced ANDROID & ios Hands-on Exploitation

Software Reversing Engineering (a.k.a. Reversing) Spiros Mancoridis. What is Reverse Engineering? Software Reverse Engineering: Reversing

Machine-Level Programming II: Arithmetic & Control

Bypassing Windows Hardware-enforced Data Execution Prevention

Advanced Computer Architecture-CS501. Computer Systems Design and Architecture 2.1, 2.2, 3.2

Heap-based Buffer Overflow Vulnerability in Adobe Flash Player

Lecture 7: Machine-Level Programming I: Basics Mohamed Zahran (aka Z)

W4118 Operating Systems. Junfeng Yang

1 The Java Virtual Machine

ios applications reverse engineering Julien Bachmann

Embedded Systems. Review of ANSI C Topics. A Review of ANSI C and Considerations for Embedded C Programming. Basic features of C

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering

Compilers I - Chapter 4: Generating Better Code

REpsych. : psycholigical warfare in reverse engineering. def con 2015 // domas

Fine-grained covert debugging using hypervisors and analysis via visualization

CS420: Operating Systems OS Services & System Calls

Violating Database - Enforced Security Mechanisms

Instruction Set Architecture

Intel 8086 architecture

CSC 2405: Computer Systems II

Harnessing Intelligence from Malware Repositories

Last Class: OS and Computer Architecture. Last Class: OS and Computer Architecture

Bypassing SSL Pinning on Android via Reverse Engineering

Faculty of Engineering Student Number:

What Happens In Windows 7 Stays In Windows 7

CS201: Architecture and Assembly Language

Custom Penetration Testing

picojava TM : A Hardware Implementation of the Java Virtual Machine

Last Class: OS and Computer Architecture. Last Class: OS and Computer Architecture

Testing for Security

eggon SDK for ios 7 Integration Instructions

Keil C51 Cross Compiler

Transcription:

Introduction Application Security Tom Chothia Computer Security, Lecture 16 Compiled code is really just data which can be edit and inspected. By examining low level code protections can be removed and the function of programs altered. Good protection tends to slow down this process, not stop it. This lecture Java Byte code: High level overview Inspecting the byte code Decompiling back to Java x86 assembly: High level overview Inspecting and altering binaries in IDA Reasons For Reverse Engineering Analyse Malware Debug memory errors Analyse Legacy code Security Audit Java Program.java Compile Java to Byte Code Using javac.class Run Byte Code On using java Java compiles to. Type: javap -c <ClassName> to see the byte code. Windows Windows Computer Computer Phone Mobile Phone Every computer must have its own Java Virtual Machine () which runs the byte code. Every different OS must have it s own 1

A Machine A stack machine has a stack to hold data and a small number of registers. Data pushed onto the stack or popped off. The registers are fast, but there are only a few of them. 1: 2: 3: iconst_0 : push 0 onto the stack istore_1: pop the top of the stack as variable 1 goto: jump to line: iload_1: push variable 1 onto the stack iadd: add the top two numbers on the stack. if_icmpge: if 1 st item on stack =< 2 nd jump Ifeq: if 1 st item on stack > 2 nd jump to line The loop continues:... : iload_2 5: iconst_ 6: if_icmpge 26 20: iinc 2, 1 23: goto 26: return A Machine 1: 71 2: 3 3: Decompilation Wouldn t it be much easier to work with the source code, rather than the byte code? JD-GUI is a Java de-compiler, it transforms into Java Code. Not perfect, e.g. confuses 0,1 and true, false. Bypassing the password check. De-compilation makes it much easier to understand what a program is doing. It also makes it easy to alter and recompile the code. All code that is used to protect the code can be removed. Binaries Binaries are written in assembly Much lower level than Java byte code, compiled for one type of machine won t run on another. But the same techniques apply. 2

C program gcc on linux C program X6 mac gcc gcc on Mac gcc on windows Window Mac Windows OS Mac OS OS type: Mac: drivers & libs Windows: drivers & libs : drivers & libs OS CPU type: ARM x86 x6 IDA pro Some x86 Commands IDA pro is an Interactive DisAssembler. It helps a human understand binaries. This is the best tool for malware binary analysis, security analysis of firmware and reverse engineering. There is are free & demo versions: http://www.hex-rays.com/ PUSH: add to top of stack CALL: execute a function RET, RETN, RETF: end a function and restart calling code. POP: read and remove from top of stack JMP: jump to some code (like writing to EIP) MOV: move value between registers MOV r1,r2 = PUSH r1 POP r2 The Screen shot, IDA You write to the stack with push You read and remove an item from the stack with pop EAX: 67825 EIP: 7797F9CF ESP: 0018F9B1 PUSH 1235 PUSH 67825 POP EAX. Data 12356 Free Memory 3

Common Pattern 1 Data is moved to a register, operation is called, result stored in memory location or register. Value at [esp+1ch] is moved to register eax, It is added to the value at [esp+18h] The result is stored at [esp+18h] Flags After an arithmetic operation flags are set. ZF: Zero flag Set to 1 if result is 0 SF: Sign flag Set to 1 if result is negative OF: Overflow flag: Set to 1 if operation overflowed. Compare and Test Compare and tests will set these flags, with no other affect. CMP a b calculates a-b then sets flags TEST a b does a bitwise and : a /\ b then sets flags Jump Commands Jump if equal, Jump if zero JE,JZ address Jumps to address if ZF = 1 Jump if not equal, Jump if not zero JNE,JNZ address Jumps to address if ZF =/= 0 Jump if less than JL address Jump to address if SF=1 and OF=/=1 Common Pattern 2 Data is compared using cmp or test, then a jump is made based on the result. Common Pattern 3 Data is loaded onto the stack Function is called that uses these values, The result will be pointed to by eax Value [esp+1ch] 3 is calculated (not stored) If it is less than or equal to zero, the program jumps to location loc_8083df Otherwise it continues to the next command. Value in eax is moved to [esp+] exit is put on top of the stack String compare is called on these. The result will be returned in the eax register

Function preamble: sets up the stack space Set I & j to 1: i is at stack location: exp+18 j is at stack location: exp+1c Common Techniques Look for strings. For loop check: Compare i to 3, Add i to j Print j Add 1 to i End Identify key tests and check the values in the register using a debugger. Swap JEQ and JNEQ. Jump over the instructions that perform checks. Defenses Dynamically construct the key Attacker can run code. Encrypt the binary, Your program must include the key in plain text, so the attacker can find it. Obfuscate the code, e.g. mix data and code, so it s not clear which is which Can slow down attacks by months or years! (e.g. Skype). Defense Require online activation. Activation can be completely disabled, users don t like this. Require online content, e.g. WoW, BlueRay Hardware based protection, i.e., store part of the code in tamper restritant hardware. Summary Machine code can be inspected and edited. Many tools exist to inspect, debug and decompile code. Most software protection can be removed. But slowing this down by months or years can save a business. 5

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information