Platform Independent Programs

My thesis presentation

Bogwonch

June 13, 2012
Transcript

  1. WHAT ARE THEY?
     • Programs that run on multiple architectures from one binary
     • Plus a bit of steganography
     • They exploit overlaps between the binary encodings of different instruction sets
     • First work done by David Brumley's research group at Carnegie Mellon University (Cha, Pak, Brumley and Lipton, "Platform-Independent Programs", CCS 2010)
     Wednesday, 13 June 12
  2. HOW DO YOU DO IT
     • For each architecture:
       • Compile a list of semantic NOP instructions: instructions whose effect on architectural state is the same as a sequence of NOP instructions
       • Compile a list of jump instructions (unconditional jumps, and pairs of conditional jumps with complementary conditions, of which one is always taken)
  3. HOW DO YOU DO IT?
     • Find sequences of the form "semantic NOP, then jump"
     • Find their binary form
     • Find the ones whose bytes match between architectures
     • Focused on safe sequences: no modification of state (registers, flags or memory) on any of the architectures
  4. WHY WOULD YOU WANT TO DO THIS?
     • Execution-based steganography
     • Platform-independent shellcode
     • Obfuscation
     • Exfiltration protection
     • Kinda cool
  5. PROBLEMS?
     • No public lists of semantic NOPs
     • Problems of scale, in both space and time
     • Problems with toolchains
     • Liveness analysis would help (an instruction that only clobbers a dead register is a NOP in context, so it would enlarge the candidate set)
  6. WHAT DID I DO?
     • Found semantic NOPs for ARM, MIPS, X86 and XS1
     • XS1 is novel
     • Recreated part of the existing PIP research
     • Created new PIP headers
     • Looked at steganographic effectiveness
  7. NOVELTY?
     • Publicly available list of semantic NOPs
     • Started bringing PIPs to XS1
     • Improved on existing results for the MIPS architecture
     • Looked at steganographic effectiveness
  8. PIP HEADERS
     • Key to writing PIPs
     • Have the form "do nothing, then jump" on every target architecture
     • Use semantic NOPs to do nothing
     • There are many more of them than there are literal NOP instructions, which gives many more byte sequences to match across architectures
  9. 90EB202A90EB203A24770104
     • A PIP header for ARM, X86 and MIPS
     • The canonical example
     • Will use the radare2 reverse-engineering framework (its rasm2 disassembler) to show how this is a PIP
  10. 90EB202A90EB203A24770104
     • rasm2 -d -a mips 90eb202a90eb203a24770104
       slti zero,s1,-5232
       xori zero,s1,0xeb90
       b 0x10001dc9c
     • Writes to register zero are discarded, so the first two instructions are semantic NOPs; the third is an unconditional branch out of the header
  11. 8 BYTE ARM LE, MIPS BE, X86
     • 7a..7b086a......
     • 7a..7b096a......
     • 7a..7b0a6a......
     • 7a..7b0b6a......
     • 81a08008ea......
     • 81a08008e3a0f...
     • 81a08008e28ff...
     • 81a08008e24ff...
  12. WHAT ARE THE DOTS?
     • A dot is a don't-care symbol: it means we do not care what value that nibble contains
     • Without don't-care symbols the pattern lists blow up: KB becomes MB becomes GB, and hours become days
  13. xori rt,rs,immediate → rt ← rs ⊕ immediate
     • If we make rt register zero this is always a semantic NOP (writes to $zero are discarded)
     • If we enumerated each encoding we'd have 2^21 = 2,097,152 semantic NOPs (5 bits of rs plus 16 bits of immediate)
     • Or we use don't cares and this collapses to 2^5 = 32 patterns: the immediate fills four whole nibbles, which all become don't cares, leaving
       • 2 free bits in the second nibble (rs[4:3])
       • 3 free bits in the third nibble (rs[2:0]; its fourth bit is rt[4] = 0)
  14. 7A..7B086A......
     • The sed call fills the don't-care nibbles with zeros to get one concrete instance to disassemble
     • rasm2 -d -a x86 $(sed 's/\./0/g' <<< 7a..7b086a......)
       jp 0x100000002
       jnp 0x10000000c
       push 0x0
       add [eax], al
     • rasm2 -d -a mips $(sed 's/\./0/g' <<< 7a..7b086a......)
       j 0x101ec01e8
       0x6a
     • rasm2 -d -a arm -e $(sed 's/\./0/g' <<< 7a..7b086a......)
       bvc 0x10001ec28
       bvs 0x10000000c
     • On x86 and ARM the two branches have complementary conditions (jp/jnp, bvc/bvs), so one of them is always taken; on MIPS j is unconditional and its delay slot holds a harmless instruction
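The procedure of slides 2, 3 and 12 to 14 (collect semantic-NOP-then-jump encodings per architecture, write them as nibble patterns with don't-care symbols, and keep the ones that match across architectures), as an added Python example that is not part of the original presentation or the thesis's tooling. The encodings are the ones the slides show (x86 jp/jnp, ARM bvc/bvs in big-endian word order, MIPS j and xori with rt = zero in little-endian word order); the per-architecture candidate lists are constructed for the demonstration and are far smaller than the lists the thesis built. The script reproduces the four 7a..7b0X6a...... headers of slide 11 and the 32-pattern compression of the xori family.

```python
"""Added example, not from the original slides: nibble patterns with
don't-care symbols, compressing a semantic-NOP family into such patterns,
and intersecting per-architecture pattern lists to find PIP headers.
Concrete encodings follow the slides; the candidate lists are constructed
and deliberately small."""
from itertools import product


def intersect(a: str, b: str):
    """Most specific nibble pattern covered by both a and b, or None if a
    fixed nibble conflicts. '.' is the don't-care symbol used on the slides."""
    if len(a) != len(b):
        return None
    out = []
    for x, y in zip(a, b):
        if x == ".":
            out.append(y)
        elif y == "." or x == y:
            out.append(x)
        else:
            return None
    return "".join(out)


def matches(pattern: str, hexstr: str) -> bool:
    """True if the hex string is one of the instances the pattern covers."""
    hexstr = hexstr.lower()
    return len(pattern) == len(hexstr) and all(
        p == "." or p == h for p, h in zip(pattern, hexstr))


def mips_xori_zero_patterns():
    """Compress the family 'xori zero, rs, imm' (always a semantic NOP,
    since writes to $zero are discarded) into don't-care patterns.
    MIPS32 encoding: opcode 001110 | rs(5) | rt(5) | imm(16), here rt = 0.
    The 16 immediate bits fill four whole nibbles, so those become '.';
    only the two rs bits in the second nibble and three in the third vary."""
    pats = set()
    for rs in range(32):
        word = (0b001110 << 26) | (rs << 21) | (0 << 16)  # imm left as 0
        pats.add(f"{word:08x}"[:4] + "....")              # blank the imm nibbles
    return sorted(pats)


def instances_covered(patterns):
    """Number of concrete encodings a pattern list stands for."""
    return sum(16 ** p.count(".") for p in patterns)


def word_pattern_to_le_bytes(pat: str) -> str:
    """A 32-bit word pattern as it appears in a little-endian byte stream:
    reverse the byte (nibble-pair) order. 3a20.... becomes ....203a, which is
    what the canonical header bytes 90EB203A actually contain."""
    return "".join(pat[i:i + 2] for i in range(len(pat) - 2, -1, -2))


# Per-architecture 8-byte (16-nibble) "do nothing then jump" candidates.
# x86: jp rel8 ; jnp +d. One of the complementary pair is always taken;
#      d >= 4 makes jnp (at offset 2, length 2) leave the 8-byte header.
X86_HEADERS = [f"7a..7b{d:02x}........" for d in range(4, 0x80)]
# ARM, big-endian words as in the slides' 'rasm2 -a arm -e' decode:
# bvc imm24 ; bvs imm24 (conditions 0111/0110, branch opcode 1010).
ARM_BE_HEADERS = ["7a......6a......", "6a......7a......"]
# MIPS, little-endian words: j target. The opcode byte 000010xx (0x08..0x0b)
# is the top byte of the word, i.e. byte 3 of the stream (nibbles 6-7);
# the delay-slot word is free.
MIPS_LE_HEADERS = [f"......{op:02x}........" for op in range(0x08, 0x0c)]


def pip_headers(*arch_lists):
    """Patterns that are simultaneously a header on every architecture."""
    found = set()
    for combo in product(*arch_lists):
        pat = combo[0]
        for other in combo[1:]:
            pat = intersect(pat, other)
            if pat is None:
                break
        if pat is not None:
            found.add(pat)
    return sorted(found)


if __name__ == "__main__":
    xori = mips_xori_zero_patterns()
    print(len(xori), "patterns covering", instances_covered(xori), "encodings")
    print("xori zero,s1,imm in LE byte order:", word_pattern_to_le_bytes("3a20...."))
    for h in pip_headers(X86_HEADERS, ARM_BE_HEADERS, MIPS_LE_HEADERS):
        print(h)
```

Run it directly to print the compressed xori patterns and the intersected headers. Of the 124 x86 jp/jnp candidates only the four whose jnp displacement equals a MIPS j opcode byte survive the intersection, which is the pruning the don't-care representation makes cheap. Note that `word_pattern_to_le_bytes` is the step that turns the word pattern 3a20.... into the ....203a that appears in the header bytes; mixing up word order and byte order per architecture is the easiest way to produce a "header" that no real CPU decodes as intended.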
  15. SEMANTIC NOPS
     • Instructions that don't do anything (to architectural state)
     • Used in:
       • Obfuscation (dead-code addition)
       • Polymorphic malware (and anti-malware)
       • Assemblers (GAS uses multi-byte NOPs for alignment padding)
     • No publicly available database
     • Now there is one on GitHub
  16. DETECTION
     • PIPs can be used for steganography
     • No previous research into how easy PIPs are to detect
     • Looked at how often PIP headers turn up in non-PIP code for X86 and ARM
  17. PIPS ARE EASY TO DETECT
     • PIP headers turn up very rarely in the wild: no more often than in random bytes
     • A program constructed from repeated gadgets would therefore stick out
     • Detector counts PIP headers in a binary
     • If the count is significantly above that background rate, suspect the program is a PIP
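A header-counting detector of the kind slide 17 describes, as an added Python example that is not the thesis's detector. The header list holds only the safe patterns shown on these slides (the canonical 12-byte ARM/X86/MIPS header and the 8-byte jp/jnp + bvc/bvs + j family); the byte-by-byte sliding scan, the one-header-per-4 KiB threshold and the two constructed inputs (seeded pseudo-random bytes standing in for ordinary code, and a blob of repeated headers standing in for a gadget-based PIP) are assumptions made for the demonstration.

```python
"""Added example, not from the original slides: count known PIP header
patterns in a blob and flag it when the rate is well above background.
Patterns come from the slides; threshold and sample inputs are assumed."""
import random

# Safe PIP headers from the slides, as nibble patterns ('.' = don't care).
PIP_HEADER_PATTERNS = ["90eb202a90eb203a24770104"] + [
    f"7a..7b{d:02x}6a......" for d in range(0x08, 0x0c)]

# Assumed policy: ordinary code essentially never contains these, so more
# than one header per 4 KiB is treated as significant.
SUSPECT_HEADERS_PER_KIB = 1 / 4


def _matches_at(pattern: str, data: bytes, offset: int) -> bool:
    """Does the pattern cover the bytes starting at this offset?"""
    nbytes = len(pattern) // 2
    if offset + nbytes > len(data):
        return False
    window = data[offset:offset + nbytes].hex()
    return all(p == "." or p == h for p, h in zip(pattern, window))


def count_pip_headers(data: bytes, patterns=PIP_HEADER_PATTERNS) -> int:
    """Count header occurrences at every byte offset. x86 code has no
    alignment, so every offset is tried; an ARM/MIPS-only scan could step
    by four bytes."""
    return sum(1 for off in range(len(data))
               for pat in patterns if _matches_at(pat, data, off))


def scan(data: bytes) -> dict:
    """Header count, rate per KiB, and the verdict under the assumed policy."""
    count = count_pip_headers(data)
    per_kib = count / max(len(data), 1) * 1024
    return {"count": count, "headers_per_kib": per_kib,
            "suspect": per_kib > SUSPECT_HEADERS_PER_KIB}


# Constructed inputs: seeded pseudo-random bytes standing in for ordinary
# code (reproducible across runs), and a blob of repeated 8-byte headers
# with zero padding standing in for a gadget-based PIP.
_rng = random.Random(20120613)
CLEAN_SAMPLE = bytes(_rng.getrandbits(8) for _ in range(16 * 1024))
PIP_SAMPLE = (bytes.fromhex("7a007b086a000000") + b"\x00" * 24) * 20


if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_SAMPLE), ("pip", PIP_SAMPLE)):
        print(name, scan(blob))
```

The verdict is only as good as the pattern list: a header that modifies state (the case slide 18 raises) is not in this list and is not counted, so a clean result from a detector like this says nothing about such PIPs, and the threshold should be calibrated against real binaries of the same kind rather than against random bytes.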
  18. PIPS ARE EASY TO DETECT... MAYBE
     • In this project I always used safe PIPs
     • No modification of state
     • But if you were to allow modifying state you would get more PIPs
     • Should be harder to write a detector
     • Requires static analysis
  19. OTHER APPROACHES
     • Self-modifying code
     • Encryption
     • Microcode updates: alter how the CPU expands CISC instructions into RISC-like micro-ops
  20. CONCLUSION
     • Found PIPs for ARM, MIPS, X86 and XS1
     • Created a database of semantic NOPs
     • Looked at steganographic properties
     • PIPs should be detectable
     • Suggested workarounds