The document discusses automatic program analysis using dynamic binary instrumentation. It describes using the Pin tool to instrument binaries at runtime in order to analyze their dynamic behavior. Key points covered include how Pin works, its instrumentation capabilities at different levels of granularity, and an example Pin tool called Puncture that is used to generate behavior logs and reports on instrumented programs.

1. Automatic Program Analysis
with
Dynamic Binary Instrumentation
Sunil Kumar
(sunil.kumar@ivizsecurity.com)
http://null.co.in/ http://nullcon.net/

2. #whoami
• Research Associate @ iViZ Techno Solutions
• MCA(007) from Goa University i.e. GUMCA07.
• http://www.linkedin.com/in/sunilkr86
• Twitter @_skare; @_ice_22
http://null.co.in/ http://nullcon.net/

3. Sections
• .program analysis
• .dynamic behavior
• .dynamic binary instrumentation
• .Pin
• .puncture
• .conclusion
http://null.co.in/ http://nullcon.net/

4. program analysis
• In computer science, program analysis is the
process of automatically analysing the
behaviour of computer programs.
» http://en.wikipedia.org/wiki/Program_analysis
• Two approaches:
– Static Program Analysis.
– Dynamic Program Analysis.
http://null.co.in/ http://nullcon.net/

5. program analysis::Static Analysis
• Static Properties
– Hash
– Signature/Byte Patterns
– Strings
• Code Analysis
• Safe because we did not run it?
– Mostly.
• Match against known data.
http://null.co.in/ http://nullcon.net/

6. program analysis::Static Analysis
• One side of the coin.
• May fail if
– Obfuscated strings.
– Variants.
– Code in non-standard sections {.data,…}
– Self modifying code.
– Brand new.
http://null.co.in/ http://nullcon.net/

7. program analysis::Dynamic Analysis
• a.k.a. Behavior Analysis
• Let Us C (“see”)
• Dynamic Properties
– File Operations
– Registry Operations
– Network Operations
– Interaction with other processes…
• Dangerous unless run in controlled
environment / sandbox.
http://null.co.in/ http://nullcon.net/

8. instrumentation
• Instruments that record , analyze, summarize,
organize, debate in explained information that
are illustrative, non illustrative hard bound,
paper bag, jacketed, non jacketed with
forward introduction, table of content, index,
that are intended for the enlightenment,
understanding, enrichment, enhancement,
education of human brain through sensory
route of vision...sometimes touch!
http://null.co.in/ http://nullcon.net/

9. Dynamic Binary Instrumentation
• Instrument code just before it runs (Just In
Time)
• No need to re-link.
• Discover code at runtime
• Handle dynamically generated code.
• Attach to running process.
• [cgo_2010_final.ppt]
http://null.co.in/ http://nullcon.net/

10. • A Dynamic Binary Instrumentation engine
based on Post-Link Optimizer “Spike”.
• Developed by Intel Corporation.
• Oldest available release Pin-2.6-24110 dated
13/01/2009.
• Latest release Pin-2.8-39028 dated
02/02/2011.
• Alternatives: DynamoRIO, Valgrind
http://null.co.in/ http://nullcon.net/

11. Advantages of Pin
• Provides rich set of APIs in C/C++/Assembly for creating
instrumentation tools a.k.a PinTools.
• Multiplatform:
– Supports IA-32, IA64, Intel64
– Supports Windows, Linux MacOS
• Robust:
– If you can run it, you can Pin it.
– Multithreaded applications
– Self modifying code
– Support signals and exceptions
• Efficient
– Compiler optimization and code inlining.
http://null.co.in/ http://nullcon.net/

12. Advantages of Pin
• Provides rich set of APIs in C/C++/Assembly for creating
instrumentation tools a.k.a PinTools.
• Multiplatform:
– Supports IA-32, IA64, Intel64
– Supports Windows, Linux MacOS
• Robust:
– If you can run it, you can Pin it.
– Multithreaded applications
– Self modifying code
– Support signals and exceptions
• Efficient
– Compiler optimization and code inlining.
• Bypass Debug-Protection. (DEMO)
http://null.co.in/ http://nullcon.net/

13. Pin Capabilities
• Inert code at arbitrary places in executable
code.
• Just-In-Time compilation
• Automatic save/restore registers to avoid
interference.
• Dynamic code discovery.
• Instrument anything ever executed*.
http://null.co.in/ http://nullcon.net/

14. Pin Capabilities
• Inert code at arbitrary places in executable
code.
• Just-In-Time compilation
• Automatic save/restore registers to avoid
interference.
• Dynamic code discovery.
• Instrument anything ever executed*.
• (*User Mode)
http://null.co.in/ http://nullcon.net/

15. Pin Capabilities
• Inert code at arbitrary places in executable
code.
• Just-In-Time compilation
• Automatic save/restore registers to avoid
interference.
• Dynamic code discovery.
• Instrument anything ever executed*.
If Pin doesn’t have it, you don’t want it
http://null.co.in/ http://nullcon.net/

16. but I do want these too…
• Kernel Mode
• Isolated I/O.
• Handling exceptions of PinTools.
http://null.co.in/ http://nullcon.net/

17. What for me but?
Read Write
 Instructions  Instructions
 Operands  Operands
 Operations  Operations
 Methods  Methods
 Parameters  Parameters
 Return Values  Return Values
 Modules
http://null.co.in/ http://nullcon.net/

18. Pin Design
http://null.co.in/ http://nullcon.net/

19. Pin Workflow
http://null.co.in/ http://nullcon.net/

20. Pin Instrumentation
Modes
• JIT
– Using Code-Cache
– All Instrumentation granularities
– Flexible
• Probe
– Binary modified in place.
– Limited to Routine level instrumentation.
– Less flexible.
– Faster than JIT in some cases.
http://null.co.in/ http://nullcon.net/

21. Pin Instrumentation
Granularities
• INS
• BBL
• Trace
• RTN
– Requires symbol support- dbghelp.dll v6.11.1.404.
• IMG
http://null.co.in/ http://nullcon.net/

22. a Simple PinTool
#include “pin.H”
int main(int argc, char *argv[])
{
if(PIN_Init(argc,argv))
return -1;
IMG_AddInstrumentFunction(Image, 0);
PIN_AddFiniFunction(Fini,0);
PIN_StartProgram();
return 0;
}
http://null.co.in/ http://nullcon.net/

23. .puncture
• A PinTool for behavior analysis.
• 3 Stage:
– A text file of call logs.
– XML of categorized events.
– HTML Report = XML+XSL+CSS
• Instrumentation Methods
– Instrumentation at boundary
– ReplaceSignature
http://null.co.in/ http://nullcon.net/

24. Instrumentation at Boundary
• UnPinned
FOO BAAR
BAAR(x,x) retn
*Conceptual View
http://null.co.in/ http://nullcon.net/

25. Instrumentation at Boundary
• Pinned
FOO BAAR
b4BAAR
b4BAAR(W,x,Z) afterBAAR
afterBAAR(X,Y,Z)
BAAR(x,x)
return
*Conceptual View
http://null.co.in/ http://nullcon.net/

26. ReplaceSignature
• UnPinned
FOO BAAR
call BAAR retn
*Conceptual View
http://null.co.in/ http://nullcon.net/

27. ReplaceSignature
• Pinned
FOO wrappedBAAR BAAR
call BAAR PIN_CallApplicationFunction
retn
*Conceptual View
http://null.co.in/ http://nullcon.net/

28. Logger Requirements
• 3 Modules
– Registry Logger (ADVAPI32.DLL)
– File Logger (KERNEL32.DLL)
– Network Logger (WS2_32.DLL)
• Final Output
– A PinTool : Call Log in plain text.
– PinParser : RawText => XML}
– XSLT+CSS+JS for Visualization
• [DEMO]
http://null.co.in/ http://nullcon.net/

29. .conclusion
• Although DBI Frameworks like Pin are not
primarily developed to test and optimize
performance, code coverage etc., they have
enough capabilities to be used as software
security research tool too.
http://null.co.in/ http://nullcon.net/

30. Contacts
• Pin http://www.pintool.org
• Pin user group pinheades@yahoo-groups
• Me: badboy16a@gmail.com
http://null.co.in/ http://nullcon.net/

31. Thanks…
http://null.co.in/ http://nullcon.net/