This talk will explore program analysis on compiled code, where source is not available. Many static program analysis tools, such as LLVM passes, depend on the ability to compile source to bytecode, and cannot operate on binaries. A solution to this problem will be explained and demonstrated using the new Intermediate Language (IL) in Binary Ninja. Binary Ninja IL will be described, providing a basic understanding of how to write analyses using it. This talk will describe and release a tool in Binary Ninja IL for automated discovery of a simple memory corruption vulnerability and demonstrate it on a CTF binary. The concepts of variable analysis, abstract interpretation, and integer range analysis will be discussed in the context of vulnerability discovery. --- Sophia D'Antoine Sophia D’Antoine is a security engineer at Trail of Bits in NYC and a graduate of Rensselaer Polytechnic Institute. She is a regular speaker at security conferences around the world, including RECon, HITB, and CanSecWest. Her present work includes techniques for automated software exploitation and software obfuscation using LLVM. She spends too much time playing CTF and going to noise concerts.

1. Be a Binary Rockst r
An Introduction to Program Analysis with
Binary Ninja

2. What this talk
is not about

3. What this talk
is about

4. Fuzzing…
.
Current state of the art.
Binary.Source
Code.
Problem
Reading/
scripting
disassembly
Reading
code
Analysis
of Bitcode
Static Analysis with
Bindead, REIL,
BAP.
Dynamic
Instrumentation
Static and
Dynamic
Analysis
Compilers
Source
code
analyzer
McSem
a

5. IDA isn’t perfect

6. Problems.
Binary.Source
Code.
Problem
● Lack of robust tooling options
● Reading code continues to be
useful
● Increase in compiler
strength and LLVM
tooling (lots of cool
projects in this area!)
● Most tools lack semantic reasoning
● Decompilers widely used but difficult
to automatically reason over
● Majority of program analysis
frameworks are hard to use - they
lack usable frameworks for
interaction with your own analysis
● No really good options to lift binaries
to interactive, workable IL
frameworks

7. Binary,
interactive IL
frameworks.

8. Binary Ninja & Binja IL

9. Binja: Tree Based
Structure● Binary Ninja IL Organized
into expressions:
LowLevelILInstruction
● LLILI’s are infinite length tree-based
instructions
● Infix notation. Destination operand is the left
hand operand
(e.g. x86 ``mov eax, 0`` vs. LLIL ``eax = 0``)
● Side effect free
● Recursive descent analysis

10. Binja: Tree Based
Structure
● Symbolic analysis (abstract interpretation) to
find bounds of a jump table
● Determine function ends, aborts, etc using
disassembly and their own IL.

11. binja_memcpy.py: IL
/bin/bash

12. binja_memcpy.py: IL
/bin/bash

13. binja_memcpy.py: IL
/bin/bash
Register States!

14. binja_memcpy.py: API

15. binja_memcpy.py: API

16. binja_memcpy.py: API

17. binja_memcpy.py: API

18. binja_memcpy.py: Output

19. Binja API● Python, C and C++ API (idiomatic!)
● Missing some analysis features, built into LLVM
(i.e. integrated CFG traversal, Uses, SSA, reg/ var distinction)
● Branches: Basic block/ Function edges (outgoing)
● Get the register states, some naive range analysis
● api.binary.ninja/search.html

20. Symbolic Execution● Very accurate
● Takes time, data, and memory, often not feasible
● IDEA! Reasoning only about what we can about
● Apply complex data to abstract domains !
● Domains: type, sign, range, color etc….

21. Practical(Academia) & Program Analysis
● Sets of concrete
values are
abstracted
imprecisely
● Galois Connection
formalizes
Concrete <-> Abstract

22. Abstraction!int x = 5
int y = argc + x
int z
a

23. Abstract
Interpretation
int x = 5
int y = argc + x
int z
aint
Abstract domain:
Type

24. Abstraction
Interpretation
int x = 5
int y = argc + x
a
int z
int
= +
= +
Sign Analysis

25. Practical(Academia) & Program Analysis
● X ‘s value is imprecise
● Compilers perform
imprecise abstraction
int x;
int[] a = new int[10];
a[2 * x] = 3;
1. Add precision - i.e. declare
abstract value [0, 9]
1. Symbolically execute with
abstract domain/ values
● Requires control-flow analysis

26. Abstract Domains & Sign Analysis
int a,b,c;
a = 42;
b = 87;
if (input) {
c = a
+ b;
} else {
c = a
- b;
}
● Map variables to an
abstract value

27. Abstract Domains & Sign Analysis
● Binary Ninja plugin
● Path sensitive -
construct lattices of
abstract values
● Under approximate
● One abstract state per
CFG node
● Avoid loss in precision
for fractions.

28. Demo!
● Analyze example
program
● PHP CVE-2016-6289

29. Scripts!
● memcpy, headless
python API script
● depth-first-search,
path sensitive CFG
template
● sign analysis, abstract
domain plugin
https://github.com/q
uend/
abstractanalysis

30. Contact me
● Sophia d’Antoine
○ IRC: @quend
○ smdantoine@gmail.com
○ Binary Ninja Slack

31. Conclusion
● Thanks!
○ Vector35
○ Trail of Bits
○ Ryan Stortz (@withzombies)
● Resources
○ binary.ninja/
○ github.com/quend/abstractanalysis
○ santos.cs.ksu.edu/schmidt/Escuela03/WSSA/talk1p.pdf
○ Static Program Analysis Book!
cs.au.dk/~amoeller/spa/spa.pdf
remember:
prune this
before
analysing

32. Agenda
1) IDA isn’t perfect
2) Binary Ninja IL
3) Practical(Academia) and program analysis
a) Abstract Interpretation
4) Binary Ninja plugin demo
5) Conclusion