59
BinProxy A New Paradigm for Binary Analysis Dongjoo Ha (NSHC) Hyunwoo Choi (KAIST) Sunyoung Sim (AhnLab) Joobong Cho (RaonWhitehat) Jisun Kim (AhnLab) Gyeongik Jang (NSHC)

BinProxy: New Paradigm of Binary Analysis With Your Favorite Web Proxy

Embed Size (px)

DESCRIPTION

With the rapid development of information technology, the attackers have become interested in not only normal applications but also various systems such as web, mobile and embedded system. Consequently, there is an evergrowing number of applications that should be analyzed, and the lack of time and manpower has been one of the biggest problems for the defenders. To this end, we present “BinProxy”, an application analysis framework that makes an easy environment for dynamic analysis of applications. Our approach provides web proxylike analysis environments for an easy analysis, and does not required any analysis tools such as debugger, decompiler and other reversing tools. Furthermore, BinProxy can be applied to Windows, Linux, Mac or other kinds of mobile platforms including Android and iOS. In this presentation, we show several techniques for implementing BinProxy and demonstrate some use cases by using BinProxy. We believe that our framework solves the lack of time and manpower problem and presents a new paradigm for program analysis. # PoC - Basic : http://youtu.be/ZjKEGEzYvJw - Android(monitor) : http://youtu.be/xS8lcn0plrU - Android(modify) : http://youtu.be/az-jsx8apgw - iOS(monitor) : http://youtu.be/Eq3I21O3EhE

Citation preview

Page 1: BinProxy: New Paradigm of Binary Analysis With Your Favorite Web Proxy

BinProxy A New Paradigm for Binary Analysis

Dongjoo Ha (NSHC) Hyunwoo Choi (KAIST) Sunyoung Sim (AhnLab) Joobong Cho (RaonWhitehat) Jisun Kim (AhnLab) Gyeongik Jang (NSHC)

Page 2: BinProxy: New Paradigm of Binary Analysis With Your Favorite Web Proxy

Objective

We have to defeat the enemies and save the earth!!

Page 3: BinProxy: New Paradigm of Binary Analysis With Your Favorite Web Proxy

Our contributions

●  Introduce a new concept of analysis framework to use easily o  perform analysis of normal application by using web

proxy

●  Introduce methodologies for implementing

our concept o  pros and cons of the methodologies

●  Demonstrate use cases

Page 4: BinProxy: New Paradigm of Binary Analysis With Your Favorite Web Proxy

Define Keyword

●  Web Application o  consist of usually script languages o  operate based on web server/client

●  Normal Application o  executable binary except for web applicaton o  PE, ELF, etc.

●  Web Proxy o  a tool for web application analysis o  Burp suite, paros, fiddler, etc.

Page 5: BinProxy: New Paradigm of Binary Analysis With Your Favorite Web Proxy

What’s wrong? Background

Page 6: BinProxy: New Paradigm of Binary Analysis With Your Favorite Web Proxy

Existing methodologies/tools for application analysis

Web Application analysis

●  easy to use and operate using a web proxy (burp, paros, fiddler, etc.)

●  monitor and modify the contents without difficulty

Page 7: BinProxy: New Paradigm of Binary Analysis With Your Favorite Web Proxy

Existing methodologies/tools (cont’d)

Normal Application(excutables) analysis

●  much harder and complex than web application(GDB, IDA, Ollydbg, windbg, etc.)

●  In secure channel, how can we check the contents?

Page 8: BinProxy: New Paradigm of Binary Analysis With Your Favorite Web Proxy

Challenges for application analysis

We cannot save the earth using our resources

Lack of time and manpower

Page 9: BinProxy: New Paradigm of Binary Analysis With Your Favorite Web Proxy

How to solve a problem?

Need a EASY tool

Page 10: BinProxy: New Paradigm of Binary Analysis With Your Favorite Web Proxy

So what?? BinProxy : A New Paradigm for Binary Analysis

Page 11: BinProxy: New Paradigm of Binary Analysis With Your Favorite Web Proxy

Let’s get started with Demo!

Page 12: BinProxy: New Paradigm of Binary Analysis With Your Favorite Web Proxy

Key Features

We do not need gdb and ollydbg to analyze applications any more.

Page 13: BinProxy: New Paradigm of Binary Analysis With Your Favorite Web Proxy

Key Features (cont’d)

2. modify return value

1. original return value

3. Click Forward Button

Should we use the difficult tools for simple analysis? You can monitor and control the normal applications

with your favorite web proxy

Page 14: BinProxy: New Paradigm of Binary Analysis With Your Favorite Web Proxy

Key Features (cont’d)

We do not want to use difficult IDA tool to analyze applications any more.

Page 15: BinProxy: New Paradigm of Binary Analysis With Your Favorite Web Proxy

Key Features (cont’d)

You can know what functions are existed in target apps and what functions can be monitored.

Page 16: BinProxy: New Paradigm of Binary Analysis With Your Favorite Web Proxy

Overall Achitecture

Page 17: BinProxy: New Paradigm of Binary Analysis With Your Favorite Web Proxy

Components ●  Target application

o  smart phone apps, excutable program based on Windows, OSX and etc. ●  Web Proxy

o  A user-friendly proxy to be used for analysis (ex. burp, paros, ..)

●  BinProxy Client o  is Operated in the target application is installed o  communication module : communicate with BinProxy server

o  hooking module : modify the flow of functions. ●  BinProxy Server

o  is Operated in the web proxy is installed o  communication module : communicate with BinProxy client and web

proxy

Page 18: BinProxy: New Paradigm of Binary Analysis With Your Favorite Web Proxy

What You Need Need things to make BinProxy

Page 19: BinProxy: New Paradigm of Binary Analysis With Your Favorite Web Proxy

Intercept function call & Forward it to a Web proxy

Main techniques for implementation

how to control function calls by using web proxy

Convert Functions

Page 20: BinProxy: New Paradigm of Binary Analysis With Your Favorite Web Proxy

Function monitoring and Function Controlling

Main techniques for implementation (cont’d)

API / User-defined function

Hooking

Page 21: BinProxy: New Paradigm of Binary Analysis With Your Favorite Web Proxy

Function monitoring and Function Controlling

Main techniques for implementation (cont’d)

Dynamic function Hooking No need a pre-compiled hooking code Dynamic target function selection

Page 22: BinProxy: New Paradigm of Binary Analysis With Your Favorite Web Proxy

Function monitoring and Function Controlling

Main techniques for implementation (cont’d)

Return value,

primitive / refernce type arguments

Page 23: BinProxy: New Paradigm of Binary Analysis With Your Favorite Web Proxy

Target function selection Main techniques for implementation (cont’d)

Extraction API lists

Page 24: BinProxy: New Paradigm of Binary Analysis With Your Favorite Web Proxy

Target function selection (cont’d)

Main techniques for implementation (cont’d)

Extracting user-defined fuctions and Finding out Args and Types

Page 25: BinProxy: New Paradigm of Binary Analysis With Your Favorite Web Proxy

Target function selection (cont’d)

Main techniques for implementation (cont’d)

Monitoring function calls and statistics -> Selecting target functions easily

Page 26: BinProxy: New Paradigm of Binary Analysis With Your Favorite Web Proxy

How to make? the way of building BinProxy

Page 27: BinProxy: New Paradigm of Binary Analysis With Your Favorite Web Proxy

How to interwork with a web proxy - BinProxy Client

* hooked_func send before_call message to BinProxy Server through communication module. * before_call message = function name + the value of arguments * After sending a before_call message, the hooked_func will be blocked until getting response from BinProxy Server.

Page 28: BinProxy: New Paradigm of Binary Analysis With Your Favorite Web Proxy

How to interwork with a web proxy - BinProxy Server

BinProxy Server convert a before_call message into HTTP request format for delivering the message to Web Proxy.

POST http://127.0.0.1:53388/function_name Host: target_app_name User-Agent: BinProxy 01_414141

Page 29: BinProxy: New Paradigm of Binary Analysis With Your Favorite Web Proxy

How to interwork with a web proxy - Web Proxy

Page 30: BinProxy: New Paradigm of Binary Analysis With Your Favorite Web Proxy

How to interwork with a web proxy - BinProxy Client

execute an original function

After sending an after_call message, hooked_func will be blocked until getting response from BinProxy Server.

Page 31: BinProxy: New Paradigm of Binary Analysis With Your Favorite Web Proxy

How to interwork with a web proxy - BinProxy Server

BinProxy Server convert a after_call message into HTTP response format for delivering the message to Web Proxy. HTTP/1.1 200 OK Date: Mon, 04 Aug 2014 17:22:59 GMT Server: BinProxy Content-Length: 1 Connection: close Content-Type: application/return 0

Page 32: BinProxy: New Paradigm of Binary Analysis With Your Favorite Web Proxy

How to interwork with a web proxy - Web Proxy

Page 33: BinProxy: New Paradigm of Binary Analysis With Your Favorite Web Proxy

How to interwork with a web proxy - BinProxy Client

return the value

Page 34: BinProxy: New Paradigm of Binary Analysis With Your Favorite Web Proxy

How to make? Ways of build android client & PoC

Page 35: BinProxy: New Paradigm of Binary Analysis With Your Favorite Web Proxy

Key Requirements

Function What����������� ������������������  &����������� ������������������  How����������� ������������������  ����������� ������������������  

To����������� ������������������  Extract����������� ������������������  ???����������� ������������������  

How����������� ������������������  to����������� ������������������  Hook����������� ������������������  ???����������� ������������������  

Page 36: BinProxy: New Paradigm of Binary Analysis With Your Favorite Web Proxy

Key Requirements - What & How To extract ..

Page 37: BinProxy: New Paradigm of Binary Analysis With Your Favorite Web Proxy

We can use for hooking in Android : •  Cydia substrate for Android

•  Introspy-Android (GUI Interface + Cydia Substrate )

•  AndHook(Android Hooking Framework)

•  ADBI(Android Dynamic Binary Instrumentation Toolkit)

•  [Paper] Hooking on Android -2014 CodeEngn Conference

….

Key Requirements - What & How To extract ..

Page 38: BinProxy: New Paradigm of Binary Analysis With Your Favorite Web Proxy

ADBI (Android Binary Instrumentation Toolkit)

Intercept/Use DVM Methods on Dalvik VM Library

(libdvm.so)

Dynamic Dalvik Instrumentation Framework for Android (old) - Collin Mulliner, SummerCon 2013. https://github.com/crmulliner/adbi (current)

Page 39: BinProxy: New Paradigm of Binary Analysis With Your Favorite Web Proxy

Binproxy Client modules for Android

TARGET (App.)

HOOKY (shared library)

Binproxy Server (Users)

COMMUNICATOR (user interaction)

INJECTOR

HOOKY (shared library)

COMM. (user interaction)

Page 40: BinProxy: New Paradigm of Binary Analysis With Your Favorite Web Proxy

●  INJECTOR : Inject the HOOKER(.so) into Target App.(running process)

●  HOOKER

: Hook the java/Android standard API for analysis. : loaded as the shared library(so) developed using JNI

●  COMMUNICATOR

: Interactive interface for communication with user : Send/receive values for Hooking, Monitoring, Modifying

Binproxy Client modules … (cont’d)

Page 41: BinProxy: New Paradigm of Binary Analysis With Your Favorite Web Proxy

How to implement Android Client

Implemented using JNI(Java Native Interface)

����������� ������������������  

-  Get the method Information loaded -  Define/Prototype new function(native) for target

function(method)

-  Call Original Method from new function. -  Monitor/Modify a argument/return value

Page 42: BinProxy: New Paradigm of Binary Analysis With Your Favorite Web Proxy

DVM

Original method

New(JNI)

Find����������� ������������������  Class/Method����������� ������������������  (dvmFindXXXX)����������� ������������������  1

����������� ������������������  Replace����������� ������������������  the����������� ������������������  original����������� ������������������  method����������� ������������������  ����������� ������������������  ����������� ������������������  with����������� ������������������  a����������� ������������������  new����������� ������������������  native����������� ������������������  function����������� ������������������  (dvmUseJNIBridge)����������� ������������������  

3 ����������� ������������������  Define����������� ������������������  new����������� ������������������  native����������� ������������������  function����������� ������������������  2

Call����������� ������������������  the����������� ������������������  original����������� ������������������  function����������� ������������������  ����������� ������������������  from����������� ������������������  new����������� ������������������  native����������� ������������������  function����������� ������������������  (callback)����������� ������������������  

4

How to implement … (Cont’d)

Monitor/Modify

Page 43: BinProxy: New Paradigm of Binary Analysis With Your Favorite Web Proxy

How to implement .. (Cont’d)

Call <return type> Method!

Page 44: BinProxy: New Paradigm of Binary Analysis With Your Favorite Web Proxy

DEMO - PoC for Android App

DEMO

Page 45: BinProxy: New Paradigm of Binary Analysis With Your Favorite Web Proxy
Page 46: BinProxy: New Paradigm of Binary Analysis With Your Favorite Web Proxy
Page 47: BinProxy: New Paradigm of Binary Analysis With Your Favorite Web Proxy

How to make? Ways of build iOS client & PoC

Page 48: BinProxy: New Paradigm of Binary Analysis With Your Favorite Web Proxy

Key Requirements - How To hook .. ●  We can use for hooking in iOS:

a. Cydia Substrate for iOS b. fishhook c. Mach-O-Hook

Page 49: BinProxy: New Paradigm of Binary Analysis With Your Favorite Web Proxy

How to implement iOS client

●  Use a CydiaSubstrate a. Why CydiaSubstrate?

-> verified stability ●  Most of Apps in Cydia are use a

CydiaSubstrate! ●  Component of CydiaSubstrate

a. MobileHooker b. MobileLoader c. Safe Mode

Page 50: BinProxy: New Paradigm of Binary Analysis With Your Favorite Web Proxy

Key Requirements - What & How extract... ●  Mach-O File Format

Page 51: BinProxy: New Paradigm of Binary Analysis With Your Favorite Web Proxy

Key Requirements - What & How extract... ●  API

LC_SYMTAB

Symbol Table

String Table

Page 52: BinProxy: New Paradigm of Binary Analysis With Your Favorite Web Proxy

Key Requirements - What & How extract... ●  Objective-C and User Function Address

LC_FUNCTION_STARTS

Function Starts

Page 53: BinProxy: New Paradigm of Binary Analysis With Your Favorite Web Proxy

How to implement iOS client

●  Target API and method selection a. Extracting Objective C classes &

methods b. Extracting API lists c. Finding out user-defined function’s

args and types ●  Monitoring an entire method and API by

using hooking (Logging?) (Logging?)

Page 54: BinProxy: New Paradigm of Binary Analysis With Your Favorite Web Proxy

DEMO - PoC for iOS App

DEMO

Page 55: BinProxy: New Paradigm of Binary Analysis With Your Favorite Web Proxy
Page 56: BinProxy: New Paradigm of Binary Analysis With Your Favorite Web Proxy

Anything else? Future Works

Page 57: BinProxy: New Paradigm of Binary Analysis With Your Favorite Web Proxy

Implementation Methods

●  How to obtain a target application’s function list and detail informations of the function

●  How to utilize database information to distinct functions

Page 58: BinProxy: New Paradigm of Binary Analysis With Your Favorite Web Proxy

Additional Functions

●  arbitrary function execution ●  arbitrary code execution ●  memory scan and patch ●  function control based on script

languages ●  disassemble and decompilation And… ●  Performance Improvement ●  Additional OS Support

Page 59: BinProxy: New Paradigm of Binary Analysis With Your Favorite Web Proxy

谢谢 Any Other Questions or Comments?

email : [email protected]