Proceedings

More documents

Recommendations

Info

IV. UQBT MODIFICATIONS A. Summary Among all the binary file formats supported by UQBT, the ELF format is handled most exhaustively. In case of PE file format (the default format for executables and libraries on Windows OS), significant enhancements had to be added in order to capture the semantics of the code. Some of them are related to peculiarities of the compiler; other are forced by CBMC properties. The most important code additions are enumerated below. B. Library functions Certain library functions (for example LocalAlloc , wcslen ) are crucial in the assertion generation algorithm (described in the following section). As UQBT did not recognize the library function usage in PE files, appropriate support had to be added. In order to get the list of the imported functions, it is enough to locate in the PE file the data structure named ”import lookup table” and parse it (see [11]). For each library function F, in the address space of the Win32 process there exists a 32bit location (an import address table6 element) which is filled with the address of F by the library loader. The library function can be called in three different ways: 1) Direct call of the address stored in IAT entry: call ds:iat entry 2) Call to a ”thunk” function, which consists of a single jump instruction: jmp ds:iat entry 3) Assignment to a register, then call register: mov ebx,ds:iat entry; call ebx This convention saves space when more that one call to the same library function is made subsequently. In the first two cases, it is easy to determine whether a given instruction is in fact a library function call: just check whether the argument to the ”call” or ”jmp” instruction is within import address table range. However, because of the third case, for each ”call register” instruction, we have to find the instruction X which assigns the register. The instruction X can be quite far away from the place where the actual function call takes place. Therefore, a reliable algorithm to trace back the execution flow had to be implemented; particularly, jumps and conditional jumps have to be back-traced. C. Calling conventions The calling convention describes how parameters and return values are arranged for a function call. In case of ia32 architecture, the most commonly used convention (named ”cdecl”) is: 1) Parameters are passed on the stack 2) Parameters are removed from the stack by the caller UQBT supports only the above convention. However, Win32 binaries use the following conventions: | 18 6 IAT for short Conv name Args passed... Who removes args cdecl on the stack caller stdcall on the stack callee thiscall first arg in register ecx, the rest callee on the stack fastcall first two args in ecx, edx, the callee rest on the stack ”Fastcall” convention is used very rarely and can be ignored. ”Thiscall” convention is used for passing ”this” parameter to a class function; as currently we do not handle object code well for many other reasons7 , we choose to ignore it for now as well. This leaves us with the problem of distinguishing between cdecl and stdcall functions. The failure to do it properly results in incorrect view of the stack after the function has returned; it is particularly damaging when the analyzed procedure has not set a frame pointer. If a called function is implemented in the code we are analyzing, it is easy to find out its convention type: if the return from the function is implemented by a ret instruction, then it is a cdecl function; if retn N instruction is used, then it is a stdcall function, and its arguments occupy N bytes. However, in case of a library function, this method obviously does not work. The following solutions to the problem were considered: 1) Retrieve the calling convention information from header .h files shipped in WINDDK. Disadvantage: many Win32 library functions are undocumented (in header files or anywhere else). 2) Retrieve the calling convention from the debugging symbol file (.pdb). Imported functions honoring stdcall convention are represented as name@N, wherename is the function name, and N is the amount of space occupied by the arguments. Disadvantage: usually debugging symbols are not available (Windows OS binaries are an exception to this rule), so relying on them would limit the applications of the tool. 3) Assume that functions imported from MSVCRT.DLL use cdecl convention, and other functions use stdcall. Detect exceptions to this rule by observing ”stack type assumption violated” error messages in the logs, and then manually annotate offending functions. Disadvantage: for each analyzed binary, a few functions must be manually annotated. The last option was chosen, as it provides maximum flexibility with acceptable manual labor overhead. Nontrivial amount of code was written in order to determine the amount of parameters passed to each call to library function, as well to fix the stack pointer after the stdcall function return. D. Function prologue and epilogue patterns UQBT assumed that instructions which constitute a function prologue (or epilogue) are not intermixed with other 7 see the list of possible extensions in the last chapter
ACADEMIC TOOLS AND REAL-LIFE BUG FINDING IN WIN32 instructions. This assumption does not hold in case of binaries compiled with Visual C compiler; particularly ebx, esi and edi register saving is often delayed. This sometimes created a condition where registers save and restore were not paired, resulting in stack height inconsistencies. In order to solve this problem, register save/restore instructions were disassociated from prologue/epilogue patterns, and now they are decoded generically. E. Handling of ”finally” functions The ”finally” 8 construction is implemented by Visual C by creating functions which exhibit two anomalies: 1) They access the caller frame (do not save or set ebp register, and access unmodified ebp register) 2) Sometimes they perform unwind operation, returning directly into its caller’s callee. These functions are detected by examining the Structured Exception Handling setup code and extracting the appropriate pointers. Currently processing of such functions is disabled. F. Register overlap handling In ia32 architecture, there are instructions which operate on 8bit or 16bit parts of 32bit registers. In the C code generated by UQBT this feature is handled by defining each 32bit register as a union, consisting of a single 32bit location, two 16bit locations and four eight bit locations: union { int32 i24; struct { int16 h0; int16 dummy1; } h; struct { int8 b8; int8 b12; int8 dummy2; int8 dummy3; } b; } i24; 32bit register eax is modeled by i24.i24, 16bit register ax is modelled by i24.h.h0, and 8bit registers al and ah are modelled by i24.b.b8 and i24.b.b12, respectively. Obviously, any modification to e.g eax model automatically results in modification to ax model. Unfortunately, CBMC forbids access to a union member if the last operation on the union modified other member, the reason being that semantics of such operations is endiannessdependent and should be avoided. The solution is to abandon the above union trick and declare separate storage for each register. To minimize the code changes, it is enough to change the top ”union” keyword in the previous code fragment to ”struct”. Then we treat the 32bit register as the primary one, and we will update registers before or after the assignment: 8 a part of try-finally construction used with exceptions • before assignment - if a smaller register is in RHS, update this smaller register content with appropriate portion of the 32bit register • after assignment - if a smaller register is in LHS, update the appropriate portion of the 32bit register with this smaller register For instance, the instruction and al, 2 will be translated to /* 8bit regs in RHS update:*/ i24.b.b8 = ((unsigned int)i24.i24)%0x100; /* the original assignment */ i24.b.b8 = ((int32)i24.b.b8)&(2); /* 8bit reg LHS update */ i24.i24 -= ((unsigned int)i24.i24)%0x100; i24.i24 += (unsigned int)i24.b.b8; The rational assumption is that non-32bit operations are much less frequent than the 32bit operations, therefore the number of the above updates will be a fraction of the number of assignments. In the analyzed case of the NWWKS.DLL binary, out of 17049 generated assignments 394 were the ones related to overlapping registers handling. G. Inlined, optimized common functions In a compiled C code, probably all occurrences of the Pentium instructions with ”rep” prefix are generated by inlining an optimized version of one of the following functions: • strlen • memcpy • memset It is beneficial to replace code fragments implementing above functions with calls to an appropriate function. UQBT includes a few patterns of such constructions, however they did not match the code generated by VC compiler. Appropriate support has been added. V. ADDING CHECKS FOR INTEGER OVERFLOW IN MEMORY ALLOCATION The following algorithm was used to generate assertions which check for integer overflow in memory allocation: • locate all occurrences of calls to functions which allocate memory; LocalAlloc and GlobalAlloc functions are handled by default, other memory allocation functions can be specified in a config file • execute find and annotate algorithm with arguments: the function actual parameter determining the size of allocated memory, and the address of the code where the function is called The algorithm find and annotate(sem str, code address) performs the following steps: • if the sem str is a constant, exit • starting at the instruction with the address code address in the control flow graph, trace back through all execution paths looking for an assignment A whose left hand side is related (see the next two points) to sem str 19 |
Page 2 and 3: | 2
Page 5 and 6: 22. Chaos Communication Congress Pr
Page 7 and 8: REPORTS 7 5 Thesis on Informational
Page 9 and 10: 10 5 Thesis on Informational- Cogni
Page 11 and 12: 5 THESIS ON INFORMATIONAL-COGNITIVE
Page 17: 5 THESIS ON INFORMATIONAL-COGNITIVE
Page 20 and 21: UQBTng: a tool capable of automatic
Page 24 and 25: • if LHS of A is exactly sem str,
Page 27 and 28: Advanced Buffer Overflow Methods [o
Page 29 and 30: ADVANCED BUFFER OVERFLOW METHODS #i
Page 31 and 32: ADVANCED BUFFER OVERFLOW METHODS 0x
Page 33 and 34: ADVANCED BUFFER OVERFLOW METHODS in
Page 35: ADVANCED BUFFER OVERFLOW METHODS }
Page 38 and 39: | 34 Eine Führung in das europäis
Page 40 and 41: | 36 Die kryptische Kennung 10 eine
Page 42 and 43: | 38 senvertreter angewiesen. Die
Page 44 and 45: | 40 Anonymous Data Broadcasting by
Page 46 and 47: | 42 operate, consider the setting,
Page 48 and 49: | 44 Figure 1: Anonymous data broad
Page 51 and 52: Autodafé: An Act of Software Tortu
Page 53 and 54: AUTODAFE - AN ACT OF SOFTWARE TORTU
Page 61 and 62: Bad TRIPs What the WTO Treaty did i
Page 63 and 64: BAD TRIPS The TRIPS is especially h
Page 65: BAD TRIPS Extension of the transiti
Page 68 and 69: | 64 Collateral Damage Consequences
Page 70 and 71: | 66 If one considers a DNSBL listi
Page 72 and 73:
| 68 • A number of sites do not h
Page 74 and 75:
| 70 to use other mailing software.
Page 76 and 77:
| 72 These kinds of checks tend to
Page 79 and 80:
COMPLETE Hard Disk Encryption with
Page 81 and 82:
COMPLETE HARD DISK ENCRYPTION WITH
Page 83 and 84:
Page 85 and 86:
Page 87 and 88:
Page 89 and 90:
Page 91 and 92:
Page 93 and 94:
Page 95 and 96:
Page 97 and 98:
Page 99 and 100:
Page 101 and 102:
Page 103 and 104:
Page 105:
Page 108 and 109:
| 104 x86-64 buffer overflow exploi
Page 110 and 111:
| 106 3 ELF64 LAYOUT AND X86-64 EXE
Page 112 and 113:
| 108 4 THE BORROWED CODE CHUNKS TE
Page 114 and 115:
| 110 5 AND DOES THIS REALLY WORK?
Page 116 and 117:
| 112 6 SINGLE WRITE EXPLOITS 9 48
Page 118 and 119:
| 114 6 SINGLE WRITE EXPLOITS 11 34
Page 120 and 121:
| 116 7 AUTOMATED EXPLOITATION 13 A
Page 122 and 123:
| 118 7 AUTOMATED EXPLOITATION 15 W
Page 124 and 125:
| 120 8 RELATED WORK 17 32 read(soc
Page 126 and 127:
| 122 11 CREDITS 19 11 Credits Than
Page 129 and 130:
Developing Intelligent Search Engin
Page 131 and 132:
DEVELOPING INTELLIGENT SEARCH ENGIN
Page 133 and 134:
DEVELOPING INTELLIGENT SEARCH ENGIN
Page 135 and 136:
Digital Identity and the Ghost in t
Page 137 and 138:
DIGITAL IDENTITY AND THE GHOST IN T
Page 139 and 140:
Page 141 and 142:
Page 143 and 144:
Page 145:
Page 148 and 149:
| 144
Page 150 and 151:
| 146
Page 153 and 154:
Esperanto, die internationale Sprac
Page 155 and 156:
ESPERANTO, DIE INTERNATIONALE SPRAC
Page 157 and 158:
ESPERANTO, DIE INTERNATIONALE SPRAC
Page 159 and 160:
Fair Code Free/Open Source Software
Page 161 and 162:
FAIR CODE 2. Von Digital Divide zu
Page 163 and 164:
FAIR CODE ökonomisch schlecht gest
Page 165 and 166:
FAIR CODE menschliches Verhalten re
Page 167:
FAIR CODE gewährleistet, und nur d
Page 170 and 171:
��
Page 172 and 173:
| 168 ��
Page 174 and 175:
| 170 ��
Page 176 and 177:
| 172 ��
Page 178 and 179:
| 174 ��
Page 180 and 181:
| 176 ��
Page 183 and 184:
Fuzzing Breaking software in an aut
Page 185 and 186:
FUZZING or protocol and fuzzing fra
Page 187 and 188:
FUZZING #define SOME_MAX 4096 if (y
Page 189 and 190:
Geometrie ohne Punkte, Geraden & Eb
Page 191 and 192:
GEOMETRIE OHNE PUNKTE, GERADEN & EB
Page 193:
GEOMETRIE OHNE PUNKTE, GERADEN & EB
Page 196 and 197:
| 192
Page 198 and 199:
| 194
Page 200 and 201:
| 196
Page 203 and 204:
Hacking OpenWRT Felix Fietkau 199 |
Page 205 and 206:
HACKING OPENWRT 1 Introduction to O
Page 207 and 208:
HACKING OPENWRT 3.2 Makefile This f
Page 209 and 210:
HACKING OPENWRT If your package is
Page 211 and 212:
HACKING OPENWRT 4.2 toolchain/ tool
Page 213 and 214:
HACKING OPENWRT To add a new platfo
Page 215 and 216:
Hopalong Casualty On automated vide
Page 217 and 218:
HOPALONG CASUALTY 2 Intro to Visual
Page 219 and 220:
HOPALONG CASUALTY Appearance As hum
Page 221 and 222:
HOPALONG CASUALTY A thorough review
Page 223 and 224:
Hosting a Hacking Challenge - CTF-s
Page 225 and 226:
HOSTING A HACKING CHALLENGE - CTF-S
Page 227 and 228:
Page 229:
Page 232 and 233:
| 228 1 Introduction Intrusion Dete
Page 234 and 235:
| 230 • Changing file owner / gro
Page 236 and 237:
| 232 Figure 2: Simple correlation
Page 239 and 240:
Lyrical I Abschluss des CCC-Poesie-
Page 241 and 242:
Magnetic Stripe Technology Joseph B
Page 243 and 244:
MAGNETIC STRIPE TECHNOLOGY black re
Page 245 and 246:
MAGNETIC STRIPE TECHNOLOGY My curre
Page 247 and 248:
MAGNETIC STRIPE TECHNOLOGY MetroCar
Page 249 and 250:
��
Page 251 and 252:
Code Listing (dmsb.c) ��
Page 253 and 254:
Memory allocator security Yves Youn
Page 255 and 256:
MEMORY ALLOCATOR SECURITY 251 |
Page 257 and 258:
MEMORY ALLOCATOR SECURITY 253 |
Page 259 and 260:
Message generation at the info laye
Page 261 and 262:
MESSAGE GENERATION AT THE INFO LAYE
Page 263 and 264:
Page 265 and 266:
Page 267 and 268:
Page 269:
Page 272 and 273:
| 268 Abstract Open Source, EU Fund
Page 274 and 275:
| 270 lines of code x1e5 1.8 1.6 1.
Page 276 and 277:
| 272 cooperation. Getting the new
Page 278 and 279:
| 274 PyPy - The new Python Impleme
Page 280 and 281:
| 276 performs abstract interpretat
Page 282 and 283:
| 278 adding short cuts for some co
Page 284 and 285:
| 280
Page 286 and 287:
| 282
Page 288 and 289:
| 284
Page 290 and 291:
| 286
Page 292 and 293:
| 288
Page 294 and 295:
| 290
Page 296 and 297:
| 292
Page 298 and 299:
| 294 Die Risiken der Nanotechnik N
Page 300 and 301:
| 296 Neue Materialien, einer der P
Page 302 and 303:
| 298 wahrscheinlich nicht ausreich
Page 304 and 305:
| 300 „State of the Future 2005
Page 307 and 308:
The Web according to W3C How to tur
Page 309 and 310:
THE WEB ACCORDING TO W3C 305 |
Page 311 and 312:
THE WEB ACCORDING TO W3C 307 |
Page 313:
THE WEB ACCORDING TO W3C our proces
Page 316 and 317:
| 312 Transparenz der Verantwortung
Page 318 and 319:
| 314 Transparenz der Verantwortung
Page 320 and 321:
| 316 (6) Wird dem Betroffenen kein
Page 322 and 323:
| 318 „anonymes Staatshandeln“
Page 324 and 325:
| 320 Die Einschränkungen der Grun
Page 326 and 327:
| 322 11 wie es insbesondere an Hei
Page 328 and 329:
��
Page 330 and 331:
��
Page 332 and 333:
| 328 ��
Page 335 and 336:
Wargames - Hacker Spielen Männlich
Page 337 and 338:
WARGAMES - HACKER SPIELEN 333 |
Page 339 and 340:
Page 341 and 342:
Page 343 and 344:
Page 345 and 346:
Page 347 and 348:
Page 349 and 350:
Page 351 and 352:
Page 353 and 354:
Page 355 and 356:
Was ist technisches Wissen? Philoso
Page 357 and 358:
WAS IST TECHNISCHES WISSEN? ��
Page 359 and 360:
Page 361 and 362:
Page 363 and 364:
Page 365 and 366:
Page 367 and 368:
��
Page 369 and 370:
��
Page 371 and 372:
Page 373:
Page 376 and 377:
| 372 ��
Page 378 and 379:
��
Page 380 and 381:
��
Page 382 and 383:
| 378
Page 384 and 385:
| 380
Page 386 and 387:
| 382
Page 388 and 389:
| 384
Page 390 and 391:
| 386
Page 392 and 393:
| 388
Page 394:
| 390
show all

Proceedings

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?