DEF CON 23 – Shoshitaishvili and Wang – Angry Hacking: The next gen of binary analysis

>>Good afternoon how are we? We
can do better than that. Maybe get beer. So how many people
made it over to ctf? Go check it out. Look at it. It’s fun. And
we’ve heard a little bit ctf and you will talk more about this?
Good stuff. Let’s give these guys a big round of applause [
applause ]>>All right. I sound really loud. Welcome to our
talk. We are here to talk about some work we’ve been doing in
the context of ctf team and security research and in the
context of cdc and open-source. We are here to talk about
arraign and we will get to that later. First, we are we. I’m
Zidus and this is Fish. We are from shellfish. We are ctf team.
We are playing the ctf right now on the Defcon floor there. We
are fighting hard. As you will see so this talk is full of
these live demos. We are going to try some ctf challenges. Show
how to approach that challenge with this framework. You will
see everything melting down completely and a lot of fun
stuff. The point is, something is happening on the ctf floor.
We come bad ass and prepared and then the game starts. Any ways,
we are shellfish. And we are also from UC Santa Barbara and
there we have an awesome computer security lab and that’s
where anger was created. And major attributers, me and fish,
Andrew Dutcher. Amazing dude. Nezgor, aka John. He’s the
leadest one of us. And Chris, very creative. And Chris. Pose
dock. This is the anger team. As for me, I’ve been coming to
Defcon since Defcon 9. Back in the park. It’s awesome then and
now. It’s been a lifelong dream to come here speaking. And now
I’m here it’s awesome to be here in front of you guys. I’m a
student in Santa Barbara. And I’m actually there because of
ctf. Shellfish is mostly from Santa Barbara and I joined them
for Defcon qualifier and got pulled in and pulled into the
lab. That was pretty cool. And I let my fish here to introduce
himself.>>All right. You guys can hear me. Awesome. Thanks.
I’m fish obviously. This is not my real name. I don’t think you
guys can read my real name if you are not from china. Anyone
from china can read it. Probably not. You guys are honest. I’m a
ph.d. student from Santa Barbara. Super famous from
melting work.>>Super famous.>>And I’ve been playing Defcon
ctf, this is my 4th year. But I’ve been playing ctf for 6
years. I’m a reverser. Yesterday I just solved my first one.
First out of four years. So I’m very happy. So solve that
challenge I didn’t really sleep last night. And if I talk about
some none sense today…that’s a little bit about me and I will
hand it back to yan. So this is I tin narrow today. And we might
fail completely. Why we build it? Spoil alert releasing it.
Then we will talk about what we designed it to do. We will talk
about the different parts of our analysis system. We will talk
about application of it. Show off some ctf challenge, solving
or assisting ctf challenge and open-source release.>>Any of
you guys playing ctf right now? Raise your hand. Couple of them.
Okay. So you don’t want to leave before the talk ends.>>Unless
you are not shellfish then you should leave before we get to
the live example. Okay. Let’s jump into that. Why anger? Why
do we build the binary analysis platform mostly from scratch of
using the one available out there right now. In fact there
are tons of them out there. I went through and see what’s our
competition kind of. There are enough to fill a fire slide.
When we started anger two years ago there were not this many.
But now everyone staring binary in ida. It came out 2005 or so.
Ida kind of a defect toe binary analysis tool that everyone
uses. So, of course, our long-term goal is to, you know,
replace ida. Working with ida quite a lot it’s sometimes
frustrating. We have moments of why it’s doing this, why it’s
designed it that way. The truth is design analysis tool is
extremely difficult. They are nowhere near replacing ida but
there are things we do ida does not and the way we do them there
are no other software out there is capable. We will add one more
name on it and hopefully you will find it useful, at least we
do. So we are pretty excited. So let’s talk about the
fundamentals of anger. What did we design it to be like? The
idea is we are all python user mostly in the lab. Show of
hands. Who uses python as a primary hacking language. So
anger is written in python and for python working on binary
that gives us flexibility and explores analyses that are
powerful and unique way. We will show how to you anger to quickly
script symboliks executions, the finding of ropgadget and is so
forth. And, of course, a core component of any modern analysis
system is that it has to work on platform other than the nexus
86. By levering the station called vex, we support the
64-bit and 32-bit of all major architecture. And legitimate bs
we did spark troll twit. We spent couple of days to hack
spark four into this and it’s almost there. It’s pretty
extensible. This is what a user using anger might go see. You
just import it. Open up an example binary and then you will
go into all of analyses and all of the things that anger offers
later in the demo. Anger have several different components. A
binary loader that’s general. We can load pe files. We can’t do
much with pe files yet. But we can load them and start
executing until we hit some environmental interactions. We
are linux binary and so forth, and we even support [ inaudible
] so if you have dump off of iot device, anger will tell you
where you can load in memory and start analysis it. Fish will
talk and symboliks execution engine and the symboliks
execution engine is capable identifying unsafe situations
and reversing what inputs need to be drive a program down a
spect bat. So let’s dive in. We will start with symboliks
execution. Whoa. And we are done. [ laughter in the room ]
It’s been nice talking to you guys. I’m sure this is one of
many situations. Awesome. And now it’s no longer full screen.
Awesome. And okay. We are almost there. Boom! [applause] Thank
you. That was the first demo. Start with symboliks execution.
It’s a sub that has been around a little while and gaining more
prominence. I don’t know if you were at yesterday’s talk on
symboliks execution on another analysis system. This is kind of
analogous thing. What’s symboliks execution is. Answer
the question how do I trigger a certain path or a certain
condition. So you might imagine a binary that does something
when you give it a certain input like crack me ctf challenge
which we will look at later. And how would you interact with
that. Just give it input. You say, here’s a guess, is it good.
And it will tell you no. Most likely you are not going to
guess a flag. And you can do some sort of flag analysis. Do
ida randomly. Looking at binary and clicking here and there. And
you can do this way, it’s not going to give you an answer
because it’s not precise enough. We will talk about status
analysis later on. Now we need symboliks execution. We
interpret an application as we interpret it we track constraint
symboliks variables and required condition is trigger and see a
path that we like we conquertize the input, the variables to
identify possible concrete input. A quick example of this,
if you have a constraint on symboliks x. You can do
constraints solve. Come up with a number 42. In this case it’s
super trivial and in general it’s an empty problem and it’s
kind of pain in the ass. You start constraint solve and it
will never finish. That’s one of the challenge in symboliks
execution. Let’s go for example program. Anger analysis binary.
Not python. But python is more approachable. Bonus points if
you can catch the vulnerability in this program by the way.
First thing we do with symboliks execution is go line by line,
hit this input. You see blue and execute it. That input symboliks
variable x. X is unfounded. It does no known constraint on it.
Then we continue executing and we will hit this branch and what
it does is it splits into two possibilities. And so one of the
possibilities is when x was greater than ten and that branch
was taken otherwise it’s the inverse of that x is less than
ten. And so we continue executing. Now we have two
states. Keep that in mind. So my frustration there’s multiple
state and we will see why that’s the problem. So now we have two
states. And one branch, one state is not done yet. And it
splits as well according to the different possibilities. Then if
you want to answer the question of what does it take to print
two in this scenario. In order to print two we have our
constraint we have the state that path made it there and we
do constraint solve and constraint solve tell you you
can put 99 or 42 and so forth and give that dynamically to the
program, launch it and see the expected there. So let’s do a
demo of kind of very simply binary that have this tool
backdoor that we want to detect with symboliks execution. This
key come is from me because I stupidly get pulled right before
doing this and so I don’t think it works anymore. So we might
have to switch to fish’s laptop. Can everyone see that? Awesome.
So we launch it. Okay. We will switch to fish’s laptop for this
demo. This is what live demo is all about. Python exceptions.
There you go. So fish uses window, I know it’s
embarrassing. Bare with us.>>You know like in this kind of
situation window is never [ inaudible ] [ laughter in the
room ]>>At least it’s a linux vn.>>Anger currently support
linux. In the future it will be run on windows.>>Allegedly. So
this is an anger management. Anger’s gui to do symboliks
analysis and static analysis. So we will look at this tool binary
we have that’s nice for testing and explain what symboliks
execution mean and let’s look at ida first. As I said, of course,
everyone uses ida, oh, the source code. Yeah. We do. Great.
All right. So we will just look at it. The, this binary is a
binary that asks…we do have the source code. All right. So
here is….>>Is it readable?>>Awesome. All right. Guys, if
you can’t read this, then we are screwed. So it’s a very simple
binary. It has user name password. It takes the user name
password as input. And it cause authenticate function return one
and says you’ve been accepted. Authenticate function has a
backdoor. If you pass string compare, then you will
authenticate automatically. So it’s possible to detect this
automatically in anger management. So here’s the gui.
Over here we have the display of what paths are currently active
in the analysis. We can run multiply analyses at the same
time and never run just one. We can stub these paths and we can
look at what’s present currently in their registers. Is there a
way you can scroll somehow? So this is what’s currently on the
stack. So then, we can take that and stop it. Let’s execute until
it branches. So here we have a path that branched. And it
branched for some reason and that reason is because there’s
user that’s symboliks variable that can be compromise to
anything. And here we can actually look at it. You can
look at user input and we see that…fisher I can’t use your
mouse. Oh, I’m touching…but you can see that on one hand the
user can input any password and it does one thing and if the
user input sneaky it does another. If you look at standard
output instead and we keep stepping, there. You’ll see that
here when the user input so sneaky it immediately trusted
him and let him in so this is an example how symboliks execution
can help us analysis binary and we will go into more complexed
one for ctf challenges. So let’s…there. Oh, come on.
Great. That was my temporary Defcon password. It’s gone!
Great. Yeah. Let’s keep going on yours. People tell me not to use
linux for presentation but I don’t believe them. I think it’s
just fine. But it’s dark magic. So oh, well it’s you. So along
with that, status analyses.>>I just figure out has taken too
much of my time so I will keep it simple so I will talk a
little bit it. If you are interested you should come to my
lab and become ph.d. student. So let’s start. Before we know
binary we all need to know control flow. The first thing
you see is a property box. You click okay. You will see control
flow. We also do the same. In anger management that’s our gui.
We will show you the graph of every single function very to
ida. What’s the difference? It’s more accurate, more adjustment,
the result is it’s much slower. That is because we support
multiple options like contact activity level support like
backward sleazing, et cetera. To automatically resolve some stuff
that’s hard to resolve normally or statically. For example jump
target or virtual pointer tables. In comparing that cfg is
faster. This is how we create cfg in anger. First line input,
second line create, the binary name, third line you see.cfg.
Press enter and it will give you cfg. We want to see how many
basic blocks there are. There are 78. So if you want a faster
cfg and you don’t want to buy ida you can check this out. It’s
a fast mode of cfg generation that doesn’t do any symboliks
solving. There’s also boy scott. All right. Another static
analysis routine in anger is value set analysis. This is a
kind of abstract interpretation. In case some people haven’t
heard of that is kind of static analysis to execute part of the
program. There’s a loop, in that it will loop three times. Then
we figure out the semantics of the program and execute part of
the program. So that gives us the possibility if enumerating
the state space because we are not executing all the program.
We are exhausting the state space. On top of that we can
have variable recovery. And on top that we can build memory and
type inference. Credit goes to the author of this paper. I
tried so hard to read your name. He’s the creator of vsa value
set analysis. Here’s an example of what the value set analysis
looks like. Here’s a piece of x 64 assembly. You have 5 seconds
to read it. Okay. Great. I think if you know this, you will
understand this program. So what is that in the yellow square?
It’s symboliks execution, it will just keep executing it. The
problem is at every of the loop it will branch out. Zero acts 25
thousand different states. If you are using this, rbi will do
anything. Because we are not following every single branch.
With random analysis we can actually tell rbx is less than
1025. Is that good enough? Try to do better. Value set
analysis, this is one of the type of values that the value
set analysis is using. It’s called strident intervals. A set
of number can describe in upper bound and must strike between
each single value and their size. So here the interval can
be computerize and be it means nine different values. Between
zero x 100, zero x 4. That’s what stripe mean. What is rbx in
the little square? We take the loop, rbx can be from zero to 4.
Second interaction it can be from z to 8. And next z to —
and after the loop is not terminating. What do we do? If
it’s looping forever if we continue? No. Rbx go to
infinite. After that zero to infinite is not accurate enough.
We perform a narrate. It becomes zero 1024 with that. In this
case it’s pretty accurate. We extended the original random set
analysis following two different improvements. The first one we
name it limited related analysis. In this case. Normal
vsa will be able to tell the bound of rex should be 5, rcx
they don’t do any relation tracking. They don’t know that.
We are doing some limited amount of variable relation tracking
and in this case we are able to tell rcx equals r plus 1 and rcx
36. That improvement we made our vsa agnostic. We included
another analysis called rapt interval analysis. The credit
goes to this guy published in 2012. With that the precision is
quickly improved. And now I’ll give back to yan, and we will
talk about application and reel demo.>>All that technical talk
or theoretical talk maybe a little boring but it’s necessary
to get us into the actual anger application. Here we will demo
off the thing that we do and you can do with anger. First we will
demo off ropgadget finder. Ropgadget or x rub that will
tell you there’s the gadget and the instructions. This tells you
what the gadget does and you can filter it down later. And, of
course, implemented in anger and it’s super easy to use. So
here’s the example. So we load ctf binary called nuclear. I’m
not from this Defcon ctf but different ctf in the past and we
analyze it. We want all ropgadget find them and print
them out. So let’s do that. Because it does semantic
analysis. It’s a little bit slow. So it takes 20 seconds
maybe a little bit more for this guy. So right now anger is
analyzing every basic block and figuring out semantics. What
register to touch, how much change the stack by and where it
writes to in relation to the variation registers that it
uses. So here’s an example gadget. It’s a gadget at ox 4040
c and binary changes the stack by ox 14 it pops rbx and rbv and
it does a memory write to this address. So this is actually on
the stack. It doesn’t memory write onto the stack. And the
memory read from address that depends on rvp. This gives of
information. In fact our next step is to implement rop
compiler based on this. We were hoping to have this but not
quite ready but stay tuned. Another thing that I’ll demo off
is a how to solve a crypto challenge in anger. This is more
of a crack me. But it’s a cool little demo of anger’s ability.
The challenge is from a white hat ctf. It’s a ctf that
happened last month and then I was looking at the challenge
later to see some crypto. And found this. Figured it would be
a good example for you guys. This challenge takes input on
the command-line and standard crack me fax. It tells you if
you are right or wrong. In general we try to guess, we are
wrong. Let’s open up an ida. We start looking around and the
binary is really big. So, of course, we can start drilling
down into parts of the binary. Figuring out what it might do.
We can did he come pile it and try to figure out. One of the
first things we see immediately is it does something. And if
this return zero, it says please check again. All right. Let’s
look at it. And it does some complicated stuff. But there are
equals equals eight. This is part of the process for solving
the challenge. So I went, quit out of ida. Went to anger. I
wrote a little…whoa a little bit of code. So it just heavily
commented in our example repository. We opened the
binary. Anger, symboliks execution have trouble with
certain kinds of code especially in static binary. I hook with
python replacement to help them along. And then basically I ran
it. I said, I created a path gui which is a single entry point of
symboliks execution engine and I told it to go and find this
point. And this is the point where it says it passes this
stage and it says the input is okay. And it does some more
processing and this is the pain in the butt to get through. So
let’s look at where we are at this point. It turns out at that
point the key space is much reduced the possible key space
to make that point in and after that is root forcible. So here I
get the possible value from anger. And, of course, how to do
this is all not docs. Or look at this example. With the very
fancy practicing bar and test every possible value until I get
the right now. Allowing me to solve this crypto challenge. So
let’s see how this goes. Run it here. Here anger stepping
through the binary, it’s at this point where the input was is
tested again. I guess at this point. And now it’s just trying
to reduce the set of possibilities which found from 8
bytes to 6 thousand more possibilities. This is an
example guess debugging iterating through the possible
keys that can even make it through this point and try to
find one that says success. It should find it at the 80% mark.
I’m surprised that it hasn’t crashed yet. Boom. We found it.
The flag is this. If we run a crypto, actually this is the
input. If you run the binary, boom. So anger is very useful
for these sorts of challenges. I’ll pass it onto fish to look
at real world or ctf that’s happening now and how to use
anger for that.>>So one of the anger’s ability is load up
binary, execute arbitrary part of the code in it. I had some
demos for it before and prepared Defcon but yesterday when I was
playing ctf Defcon there was a challenge for another. This is a
good one to talk about for anger.>>Cover your ears,
please.>>Rxc is 64-bit binary. It’s big reverse is hard. We
spend a long time reversing it. Before that we got some
suspected rob chain. What does rob chain do? I mean we can
definitely hire a bunch of monkey to figure out but we have
anger.>>The monkey we hire would be ourselves.>>So this
is our rop chain execution program called derop. You pass
the rop chain load the binary rfc and dump all our stack.
Create a state. I dump that on our stack, and then I execute
it. I use explorer, execute and return. Let’s run this program.
Python rop chain to pi. We return the first rop chain.
Bummer. It’s called r.>>Very descriptive variable name.>>
There’s an unconstraint path.>>Of course, this is all.>>Fie
rows.>>This is technical. You can read the documentation to
see what’s going on.>>This is the exact path that rop chain is
following. And now, of course, you have the ability to read
every single state and every point in the chain. The next
example for the same binary, in this binary there’s a really
interesting function. It does some encryption. And later on we
figure out it’s t. We don’t want to implement out when we were
writing exploits — (inaudible) — what do we do about it?
Luckily we have python. Great. So there’s another program I
wrote it’s small called collarbone. What it does is it
takes in a data live and encrypted with the exact
program, srd exact function in that rxe program with the exact
encryption function. So it has 30 something lines of code and
then you don’t understand to encryption function anymore. You
spot python and automatically encryption for you. Let’s try
it. Python. Call it pi. 8 bytes. And then you get encrypted data
that it all works.>>Whoa. Binary dipping but interest of
time you can check this out on your own and we will briefly
talk about cdc. You know it’s a cyber grand challenge. That’s
the machine, one of the machines that will be running the finals
where machines will battle each other for hacking some premises
next Defcon. Shelf fish accept this challenge and we manage to
qualify. There has been a lot of presenting. Go back. This is a
very clever sets of slides. Shellfish participated in this
challenge. And we qualify putting from just another ctf
into the richest ctf teams in the world along with others who
qualify. With the cdc we use the cyber link system exploits from
binary and patch them. It is complex and anger actually sat
at the core of every component. Which is pretty cool. So check
out the system. It’s real world system with real world uses and
we love it. And it’s open-source. With special thanks
to our professor darpa with two different project anger was
developed for. And, of course, all of, the contributors to
anger that we’ve gone over. You can pull it at get hub. Anger
dot o scribe to our mailing list and we welcome questions. We
were hoping to make this next generation binary analysis tool
and we hope to work with you to do it. Anger is two years old
now with almost 60 thousand code about 6 thousand commits and we
love all of you working with it with us. Any questions? I guess
no questions. [ applause ]
Thanks.>>Thank you guys.

9 thoughts on “DEF CON 23 – Shoshitaishvili and Wang – Angry Hacking: The next gen of binary analysis

Leave a Reply

Your email address will not be published. Required fields are marked *