lectures.alex.balgavy.eu

Lecture notes from university.
git clone git://git.alex.balgavy.eu/lectures.alex.balgavy.eu.git

commit 69f268ec1a4811475321127b5fa045bc0fd88ec3
parent 6f5b2ac7a5b3c0f197ab53d8b40adf18d5931f2e
Author: Alex Balgavy <alex@balgavy.eu>
Date:   Tue, 20 Apr 2021 11:10:11 +0200

Update BAMA notes

Diffstat:
M content/binary-malware-analysis-notes/_index.md | 2 ++
A content/binary-malware-analysis-notes/dynamic-data-excavation.md | 26 ++++++++++++++++++++++++++
A content/binary-malware-analysis-notes/taint-analysis-in-practice.md | 16 ++++++++++++++++
3 files changed, 44 insertions(+), 0 deletions(-)

diff --git a/content/binary-malware-analysis-notes/_index.md b/content/binary-malware-analysis-notes/_index.md @@ -12,3 +12,5 @@ title = 'Binary and Malware Analysis' 7. [Packers](packers) 8. [Dynamic Binary Instrumentation & Intel Pin](dynamic-binary-instrumentation-and-intel-pin) 9. [Dynamic taint analysis](dynamic-taint-analysis) +10. [Taint analysis in practice](taint-analysis-in-practice) +11. [Dynamic data excavation](dynamic-data-excavation) diff --git a/content/binary-malware-analysis-notes/dynamic-data-excavation.md b/content/binary-malware-analysis-notes/dynamic-data-excavation.md @@ -0,0 +1,26 @@ ++++ +title = 'Dynamic data excavation' ++++ +# Dynamic data excavation +Data is apparently unstructured, but usage isn't. + +Track pointers -- root pointers, track how pointers derive from each other. + +For arrays, look for loop accessing. + +Type resolution points: +- system calls: type parameter passing registers (ebx, ecx, edx, esi, edi, ebp), type return value in eax +- standard library call: type corresponding argument and return value + +Data-flow tracking +- use shadow memory to keep variable attributes and track propagation + +## BinArmor +- find arrays in binary programs +- find accesses to arrays +- rewrite binary: + - assign color to each array + - check colors on every array access +- if pointer that first pointed into an array later accesses an area outside the array, crash + +Can protect legacy binaries. diff --git a/content/binary-malware-analysis-notes/taint-analysis-in-practice.md b/content/binary-malware-analysis-notes/taint-analysis-in-practice.md 
@@ -0,0 +1,16 @@ ++++ +title = 'Taint analysis in practice' ++++ +# Taint analysis in practice +What to taint: +- data coming from network for attack detection +- program input for analysis + +How to propagate taint; +- on move and arithmetic instructions +- clean when you store a constant +- don't propagate on implicit flows and tainted pointers + +How to use taint +- for attack detection, check targets of control flow instructions +- for program analysis, monitor syscalls/lib calls/cmp instructions
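Review bot: in the dynamic-data-excavation.md hunk, the register list under "Type resolution points" (ebx, ecx, edx, esi, edi, ebp for arguments, eax for the return value) is the 32-bit x86 Linux system-call convention, but the note never says so; name the ABI, because on x86-64 the arguments travel in rdi, rsi, rdx, r10, r8, r9 with the result in rax, and in both cases eax/rax holds the syscall number on entry, not a data argument, so only the post-call value can be typed. Two smaller points in the same hunk: "root pointers" is used without a definition, so one clause saying what a root is (the pointer the derivation starts from, such as the value malloc returns) would make the pointer-tracking bullet self-contained; and the BinArmor bullet "if pointer that first pointed into an array later accesses an area outside the array, crash" reads better as the check it describes, e.g. "if a pointer derived from one array is used to access memory with a different color, report the overflow and abort".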
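Review bot: in the taint-analysis-in-practice.md hunk, the propagation rules miss the zeroing idiom: "clean when you store a constant" covers an immediate move, but compilers clear registers with `xor eax, eax` or `sub eax, eax`, where both operands may be tainted, so a rule that takes the union of operand taint keeps eax tainted although its value is the constant 0; add these same-register cases to the cleaning rule. The bullet "don't propagate on implicit flows and tainted pointers" should carry its reason (propagating through control dependencies and through every dereference of a tainted pointer spreads taint over most of memory and makes detection unusable), because stated bare it reads like a correctness rule rather than a trade-off that accepts false negatives, such as data passed through a lookup table indexed by tainted bytes. Typo: "How to propagate taint;" should end with a colon like the other two headings.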