LLMでバイナリ解析支援

Transcript

1. LLMͰόΠφϦղੳࢧԉ 2023/01/25 LTձ Akira Moroo (@retrage)

2. Large Language Model (LLM)ͱ͸ • ChatGPTΈ͍ͨͳ΍ͭ; ಛผͳ༻ҙͳ͘͞·͟·ͳλεΫ͕Ͱ͖Δ

3. LLMΛόΠφϦղੳͷิॿʹ ࢖͑ͳ͍͔ʁ

4. ࠓճͷ͓୊: LLMʹόΠφϦղੳͤͯ͞Έͨ

5. ࣮ݧ֓ཁ: ίʔυΛ༩͑ͯ՝୊Λ౴͑ͤ͞Δ • هड़໰୊ͷΠϝʔδͰOK • ͞·͟·ͳܗࣜͰؔ਺ͷίʔυΛLLMʹೖྗ • ܗࣜ: σίϯύΠϧ/σΟεΞηϯϒϧ •

   ώϯτ: ͋Γ/ͳ͠ • ίʔυʹ͍ͭͯͷ໰୊Λೖྗ

6. ՝୊: ͪΌΜͱίʔυΛղऍ͍ͯ͠Δ͔ • ࠓ·Ͱ͸ਓखʹΑΔղऍ͕ඞཁͩͬͨ࡞ۀΛ՝୊ͱͯ͠ೖྗ • ՝୊: 1. ༩͑ΒΕͨίʔυΛઆ໌ͤΑ 2. ؔ਺ʹద੾ͳ໊લΛ͚ͭΑ

   3. ม਺ͱҾ਺ʹద੾ͳ໊લΛ͚ͭΑ

7. ίʔυ: ద౓ʹෳࡶͳ΋ͷ • ίʔυͷ৚݅ 1. ͋Δఔ౓ෳࡶ • ؆୯͗͢ΔͱͪΌΜͱʮղऍʯ͍ͯ͠Δ͔൑அͰ͖ͳ͍ 2. υϝΠϯ஌͕ࣝඞཁ

   • ͜Ε͕Ͱ͖Ε͹ਓؒʹΑΔܦݧΛஔ͖׵͑Δ͜ͱ͕Ͱ͖Δ • fuzzuf/exifutil:jpeg_walk()Λར༻

8. ࣮ݧઃఆ • OpenAI Completion API • Ϟσϧ: text-davinci-003 (ChatGPTੈ୅) •

   ૊Έ߹Θͤ: 6௨Γ • GhidraσίϯύΠϧίʔυ: γϯϘϧ৘ใ: ͋Γ/ͳ͠, ώϯτ: ͋Γ/ͳ͠ • GhidraσΟεΞηϯϒϧίʔυ: ώϯτ: ͋Γ/ͳ͠ • ώϯτ: “This is a part of the EXIF parser”

9. ࣮ݧ݁Ռ: ओ؍ධՁ decompiled γϯϘϧ: ͋Γ ώϯτ: ͋Γ decompiled γϯϘϧ: ͋Γ

   ώϯτ: ͳ͠ decompiled γϯϘϧ: ͳ͠ ώϯτ: ͋Γ decompiled γϯϘϧ: ͳ͠ ώϯτ: ͳ͠ disassembled ώϯτ: ͋Γ disassembled ώϯτ: ͳ͠ ίʔυΛઆ໌ ˚ ϩδοΫؒҧ͍ ˚ ൺֱ஋ؒҧ͍ ⭕ ※1 ⭕ ˚ ˚ ※2 ؔ਺Λ໊લ͚ͮ ⭕ ⭕ ⭕ ⭕ ⭕ ⭕ ม਺Λ໊લ͚ͮ ❌ ໊લͷճ౴ͳ͠ ⭕ ❌ ໊લͷճ౴ͳ͠ ⭕ ˚ ؤுͬͨͰ৆ ˚ ؤுͬͨͰ৆ ೉қ౓ ೉ қ

10. ※1: decompiled, γϯϘϧ: ͳ͠, ώϯτ: ͋Γ LLM͔Βͷճ౴ͷҰ෦: • ▪: ίʔυʹ͸ͳ͍SOI΍EOI͕Կͷུ͔͕ఏࣔ͞Ε͍ͯΔ

    • ▪: ίʔυΛਖ਼͘͠ղऍͯ͠ϚʔΧʔͷ༗ޮͳൣғΛఏࣔͰ͖͍ͯΔ • ▪: SOI΍EOIͷظ଴͢Δॱ൪ʹ͍ͭͯॻ͔Ε͍ͯΔ 1. This code is a part of an EXIF parser. It reads a file from a given parameter (`param_1`) and checks for a valid JPEG file. It checks for the Start of Image (SOI) marker (`0xFFD8`) and the End of Image (EOI) marker (`0xFFD9`). It also checks for any valid markers (`0xFF00` to `0xFFFF`) and calls the corresponding function (stored in `param_1[2]->_flags`) if it exists. If the SOI marker is found, it will check if the EOI marker is found. If the EOI marker is not found, it will print an error message. If the SOI marker is not found, it will print an error message. If the EOI marker is found, it will return 0.

11. ※2: disassembled, ώϯτ: ͳ͠ LLM͔Βͷճ౴ͷҰ෦: • ▪: ίʔυʹ͸ͳ͍EOI͕Կͷུ͔ͷ஌͕ࣝఏࣔ͞Ε͍ͯΔ • ▪:

    Ϧςϥϧ͔ΒJPEGʹؔ࿈͢ΔॲཧͰ͋Δ͜ͱΛਪଌ͍ͯ͠Δ • ※1ͷճ౴ͱൺֱ͢ΔͱॲཧΛେ·͔ʹ͔͠௥͍͑ͯͳ͍ 1. This code is a function that checks whether a given file is a valid JPEG file. It does this by reading the first two bytes of the file and comparing them to the expected values for a valid JPEG file. If the bytes match, the function continues to read the file until it finds the End Of Image (EOI) marker. If the EOI marker is not found, the function prints an error message indicating that the file is truncated. If the bytes do not match the expected values, the function prints an error message indicating that the file is corrupted.

12. ·ͱΊ • ಛผͳ༻ҙΛ͍ͯ͠ͳ͍LLMͰ΋ͦΕͬΆ͍ճ౴͕ग़ͤΔ • decompiledͷํ͕disassembledΑΓ΋ҙຯΛਖ਼͘͠ଊ͑ΒΕΔ܏޲ • ҰํͰඞͣ͠΋৘ใ͕ଟ͍΄Ͳਖ਼֬ͳճ౴͕ಘΒΕΔΘ͚Ͱ΋ͳ͍ • ໰୊఺: ग़ྗʹϒϨ͕͋Δ

    • ࢦࣔͨ͠՝୊ʹճ౴͍ͯ͠ͳ͍৔߹͕͋ͬͨ • ग़ྗϑΥʔϚοτ͕౷Ұ͞Ε͍ͯͳ͍

13. ͓·͚: վળํ๏ ൃදʹೖΕ͔͚ͨͬͨͲೖΒͳ͔ͬͨ΋ͷ • ೖྗํ๏Λվળ͢Δ:ϓϩϯϓτΤϯδχΞϦϯά • Chain-of-ThoughtͳͲ • LLM׆༻ͷͨΊͷϥΠϒϥϦ: LangChain

    (࢖ͬͨ͜ͱͳ͠) • Fine-Tuning·Ͱͤͣͱ΋ࣄલʹ༻ҙͨ͠σʔλϕʔεʹج͍ͮͨճ౴͕Ͱ ͖Δ (Β͍͠)

14. Appendix

15. } else if (!encount_soi) { /* Abort if the first

    segment is not SOI */ fputs("Not a valid JPEG file\n", stderr); return false; } else if (marker[1] == JPEG_MARKER_EOI) { /* End of image segment */ return true; } /* Call handler for each segment */ if (jpeg->ops[marker[1]]) { if (!jpeg->ops[marker[1]](jpeg)) return false; } } /* Reached end of file before EOI segment */ fputs("Truncated file (EOI not found)\n", stderr); return true; } /** * Parse JPEG file and call handler for each segment */ bool jpeg_walk (jpeg_file_t *jpeg) { bool encount_soi; u8 marker[2]; fseek(jpeg->file, 0, SEEK_SET); /* Read every segment */ encount_soi = false; while (!feof(jpeg->file)) { /* Read marker */ if (fread(marker, sizeof(marker), 1, jpeg->file) != 1) { fputs("Truncated file (broken marker)\n", stderr); return encount_soi; /* Return false only if it's not JPEG */ } if (marker[0] != 0xFF) { fputs("Invalid marker (Corrupted JPEG)\n", stderr); return encount_soi; /* Return false only if it's not JPEG */ } /* Handle special markers */ if (marker[1] == JPEG_MARKER_SOI) { /* Start of image segment */ if (encount_soi) /* Skip the segment if we encounter SOI at invalid position */ fputs("SOI at invalid position\n", stderr); else encount_soi = true; continue;

16. ϓϩϯϓτ {intro} ``` {snippet} ``` Carefully read the code and

    answer the following questions in Markdown format. 1. Describe what this code does in detail. 2. Suggest a suitable name for this function. 3. Enumerate variables and offer a more informative name and type for each variable and parameter. HINT: {hint}