OpenRCE

About Articles Book Store Distributed RCE Downloads Event Calendar Forums Live Discussion Reference Library RSS Feeds Search Users What's New

Customize Theme

Flag: Tornado! Hurricane!

Created: Monday, August 9 2010 11:27.15 CDT

Modified: Monday, August 9 2010 14:14.19 CDT

Printer Friendly ...

Data Flow Analysis - Dynamic/Static Taint Analysis

Author: Amrojex

# Views: 9963

I am currently building a tool �ZeroTracer� that performs data flow analysis for user supplied inputs/tainted inputs. ZeroTracer propagates tainted bytes: memory-to-registers, registers-to-registers, registers-to-memory and memory-to-memory, using a combination of dynamic/static analysis. Dynamic analysis using Pin �a dynamic binary instrumentation tool� to collect a trace log for all memory read/write and registers changes. And static analysis that takes place on the logged trace to perform taint propagation analysis. The name ZeroTracer came from the lessons learned in building older versions of the tool �0xtracer�: Whenever performing taint propagation someone should focus on the smallest unit of data being processed, which I wish would be a BIT but unfortunately it is so complicated to propagate BITs rather than BYTEs. However, its better to use the byte unit cause in most register/memory propagation cases the smallest unit is one byte, for example: MOV to �al, ah, cl�. But thats not the case when it comes to setting the flags in the eflags register, or when rotating or shifting a register. Also its easier to address tainted memory bytes rather than bits. Imagine a tainted byte at address [0x11122388], if we wanna taint it based on bits we have to address it something like [0x11122388(.0)(.1)(.2)(.3)(.4)(.5)(.6)(.7)].

Before getting into details about ZeroTracer�s design, implementation, and features which am planning to do in future posts, lets take an overview about its older version �0xtracer� which is a PaiMei module that relies on pydbg. In 0xtracer I�ve been using memory breakpoints heap/stack to spot any code blocks touching the tainted memory bytes, then perform static taint propagation analysis using pydasm to analyze the basic block that is touching the tainted memory. 0xtracer been using different techniques to tune the propagation analysis. Here is a list of all the techniques I�ve been using in 0xtracer:

1- Memory Break Points �Page Guard/NoAccess�.
2- PyEmu �to emulate registers read/write�.
3- Harware Break Walking �A technique that I invented to taint/propagate a single byte in a single dynamic execution trace�.
4- Code Block(s) Signature �The tool learns from the outputs of the above methods and fingerprints propagation patterns for future use�.

0xtracer first consults its knowledge database to see if the basic code touching the tainted memory is defined in its knowledge, if not, it performs static taint propagation analysis using pyDasm, then emulated dynamic analysis useing pyEmu. Once it recognizes a new pattern it adds it to its knowledge, etc.

Blog Comments

frozenrain	Posted: Monday, August 9 2010 19:49.30 CDT
good��Attention��

tosanjay

Posted: Tuesday, August 10 2010 03:30.54 CDT

This sounds very interesting. A question about your choice of using PIN: you want to use instrumentation only for knowing read/write operations. This is also possible with Pydbg by inserting BP. Of course, you compromise on speed. Apart from that, is there any other reason for using Pin?
Another thing, I could not get any references to 0xtracer. Can you please mention where can I find it? I am too trying to do data-flow analysis on binaries and looking for tools.
thanks

Amrojex

Posted: Tuesday, August 10 2010 11:42.05 CDT

0xtracer is not released yet, and I doubt if I will ever release it. But am planning to release parts of its newer version "ZeroTracer".

There are a lot of advantages in using dynamic binary instrumentation tools rather than using debuggers. It is not only Pin's speed that motivated me to rewrite everything from scratch to use Pin instead of pydbg. However, With Pin I've been able to instrument and log around 10,000,000 instructions in just 3 minutes!, such result is impossible when relaying on debuggers.

In Pin's instrumentation am logging the following info:

0- Thread ID
1- Module
2- IP
3- Instruction Disassembly
4- Instruction Category
5- Opcode
6- Number of Operands
7- Operand1, Operand2, Operand3
8- Memory Access type "R,W,X,RW,WR,RR"
9- Number of Read Registers
10- Read Registers
11- Number of Written Registers
12- Written Registers

And in the analysis routines am logging the following:

1- Memory Read Address / Read Size / Read Value
2- Memory Written Address / Size / Written Value
3- Written Register / Value Written

Before using Pin, I had to prepare a lot of analysis routines in 0xtracer "using pydbg, pydasm, pyemu" to give me the same results listed above. With Pin's rich API, my code been reduced almost 80%, giving the same results and with no false positives.

dyjakan	Posted: Tuesday, August 10 2010 15:34.27 CDT
What motivated you to choose PIN over DynamoRIO? I ask because I'm going to start little project and I'm standing before decision PIN or DynamoRIO.

Amrojex	Posted: Thursday, August 12 2010 12:48.05 CDT
I Choosed Pin for its cross platform support.

archies50	Posted: Wednesday, October 31 2012 19:05.48 CDT
can you give the details of zero tracer ! especially the part where you taint eflag register.

There are 31,323 total registered users.

Recently Created Topics
[help] Unpacking VMP...	Mar/12
Reverse Engineering ...	Jul/06
hi!	Jul/01
let 'IDAPython' impo...	Sep/24
set 'IDAPython' as t...	Sep/24
GuessType return une...	Sep/20
About retrieving the...	Sep/07
How to find specific...	Aug/15
How to get data depe...	Jul/07
Identify RVA data in...	May/06

Recent Forum Posts
Finding the procedur...	rolEYder
Question about debbu...	rolEYder
Identify RVA data in...	sohlow
let 'IDAPython' impo...	sohlow
How to find specific...	hackgreti
Problem with ollydbg	sh3dow
How can I write olly...	sh3dow
New LoadMAP plugin v...	mefisto...
Intel pin in loaded ...	djnemo
OOP_RE tool available?	Bl4ckm4n

Recent Blog Entries
	halsten	Mar/14
Breaking IonCUBE VM
	oleavr	Oct/24
Anatomy of a code tracer
	hasherezade	Sep/24
IAT Patcher - new tool for ...
	oleavr	Aug/27
CryptoShark: code tracer ba...
	oleavr	Jun/25
Build a debugger in 5 minutes
More ...

Recent Blog Comments
	nieo on:	Mar/22
IAT Patcher - new tool for ...
	djnemo on:	Nov/17
Kernel debugger vs user mod...
	acel on:	Nov/14
Kernel debugger vs user mod...
	pedram on:	Dec/21
frida.github.io: scriptable...
	capadleman on:	Jun/19
Using NtCreateThreadEx for ...
More ...

Imagery

SoySauce Blueprint
Jun 6, 2008

[+] expand

View Gallery (11) / Submit