BAP Binary Analysis Platform - CyLab

Slide 1: BAP - Binary Analysis Platform

A Modern Toolkit For Binary Analysis and Reverse Engineering
http://bap.ece.cmu.edu
Slide 2: What is BAP?

• BAP is a framework for modular analysis of binary programs
  – an extensible set of interoperable tools and analyses
  – a set of high-quality libraries
Slide 3: Why BAP?

• BAP is for writing analyses that are
  – Reproducible
  – Scalable
  – Cross-architectural
  – Practical
• The “write once, run many” approach
Slide 4: What is BAP not?

• Not an interactive RE tool
• Not a CTF tool
• Not (only) for academic purposes
• Not (only) for sound analysis
• Not (only) for static analysis
• Not dead
Slide 5: Why not BAP?

• No OCaml programmers
  – Limited support for Python
  – C bindings
  – Rust bindings
  – Facebook Reason, Flow, JavaScript
• No Java, C#, or source (script) code analysis
• Not all architectures are supported
• No support for floating point
Slide 6: BAP Architecture (key points)

• Translates a program to BIL
• Extensible plugin architecture
• Different kinds of plugins:
  – Analysis
  – Disassemblers
  – Architecture support
  – ABI, OS, language support
  – ...
Slides 7-9: BAP Architecture (pipeline)

[Figure, built up over three slides: Binary → Loader → Image → Disassembler → CFG → Reconstructor → Program, followed by the plugin chain ABI → API → ... → p1 → ... → pN → dump]
Slide 10: Batteries Included

• WUR - warn unused results
• Beagle - string deobfuscator
• Primus - emulation and microexecution
• Saluki - fast policy checker
• Static and dynamic taint analysis
• UAF, ROP, strings, callsites, …
Slide 11: BAP in action

Much more in tomorrow’s workshop
Slide 12: Disassembling

```shell
$ bap arm-linux-gnueabi-echo -dasm | grep main -A16
00008534: <main>
00008534:
00008534: f0 4d 2d e9 push {r4, r5, r6, r7, r8, r10, r11, lr}
00008538: 1c b0 8d e2 add r11, sp, #0x1c
0000853c: 18 d0 4d e2 sub sp, sp, #0x18
00008540: 30 00 0b e5 str r0, [r11, #-48]
00008544: 34 10 0b e5 str r1, [r11, #-52]
00008548: 0d 30 a0 e1 mov r3, sp
0000854c: 03 a0 a0 e1 mov r10, r3
00008550: 30 30 1b e5 ldr r3, [r11, #-48]
00008554: 01 20 83 e2 add r2, r3, #0x1
00008558: 01 30 42 e2 sub r3, r2, #0x1
0000855c: 24 30 0b e5 str r3, [r11, #-36]
00008560: 02 10 a0 e1 mov r1, r2
00008564: 01 30 a0 e1 mov r3, r1
00008568: 00 40 a0 e3 mov r4, #0x0
```
Slide 13: Displaying IR

```shell
$ bap arm-linux-gnueabi-echo -d | grep main -A16
000000ca: sub main(main_argc, main_argv, main_result)
00000164: main_argc :: in u32 = R0
00000165: main_argv :: in out u32 = R1
00000166: main_result :: out u32 = R0
00000050:
00000051: v618 := SP
00000052: mem := mem with [v618 - 0x4:32, el]:u32 <- LR
00000053: mem := mem with [v618 - 0x8:32, el]:u32 <- R11
00000054: mem := mem with [v618 - 0xC:32, el]:u32 <- R10
00000055: mem := mem with [v618 - 0x10:32, el]:u32 <- R8
00000056: mem := mem with [v618 - 0x14:32, el]:u32 <- R7
00000057: mem := mem with [v618 - 0x18:32, el]:u32 <- R6
00000058: mem := mem with [v618 - 0x1C:32, el]:u32 <- R5
00000059: mem := mem with [v618 - 0x20:32, el]:u32 <- R4
0000005a: SP := SP - 0x20:32
0000005b: R11 := SP + 0x1C:32
```
Slide 14: Displaying CFG

```shell
$ bap arm-linux-gnueabi-echo -dcfg --print-symbol=main | xdot
```
Slide 15: Write a plugin

```ocaml
open Core_kernel.Std
open Bap.Std

(* A Term.visitor threads a state value through every term of the program.
   Here the state is (jumps seen, terms seen). *)
let counter = object
  inherit [int * int] Term.visitor
  method! enter_term _ _ (jmps,total) = jmps,total+1   (* every term *)
  method! enter_jmp _ (jmps,total) = jmps+1,total      (* jmp terms only *)
end

(* The pass body: run the visitor over the whole program and report. *)
let main proj =
  let jmps,total = counter#run (Project.program proj) (0,0) in
  printf "ratio = %d/%d = %g\n" jmps total (float jmps /. float total)

(* register_pass' registers a pass that returns unit (does not modify the project). *)
let () = Project.register_pass' main
```
Slide 16: Building and running

```shell
$ bapbuild jmp.plugin
$ bapbundle install jmp.plugin
$ bap /bin/true --pass=jmp
ratio = 974/7514 = 0.129625
```
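As an added example (not from the deck), the same Term.visitor pattern extended to a question a defender cares about: how many control transfers in the binary are indirect (target computed at run time, e.g. a register or memory load), since those are the edges a control-flow-integrity policy has to constrain. It assumes the BAP 1.x OCaml API used by the jmp plugin above (Jmp.kind, Call.target, the Direct/Indirect label constructors) and a hypothetical file name indirect.ml.

```ocaml
open Core_kernel.Std
open Bap.Std

(* Added example, not part of the BAP deck. Assumes the BAP 1.x API used by
   the jmp plugin above; save as indirect.ml (hypothetical file name). *)

(* Per-program tally of control transfers by target kind. *)
type stats = { direct : int; indirect : int; other : int }

let empty = { direct = 0; indirect = 0; other = 0 }

(* A label is Direct (a known tid in the program) or Indirect (an expression
   evaluated at run time). Returns are normally Indirect through LR/stack. *)
let classify lbl st = match lbl with
  | Direct _ -> { st with direct = st.direct + 1 }
  | Indirect _ -> { st with indirect = st.indirect + 1 }

let counter = object
  inherit [stats] Term.visitor
  method! enter_jmp jmp st = match Jmp.kind jmp with
    | Goto lbl | Ret lbl -> classify lbl st
    | Call call -> classify (Call.target call) st   (* ignore the return label *)
    | Int _ -> { st with other = st.other + 1 }     (* interrupts / syscalls *)
end

let main proj =
  let st = counter#run (Project.program proj) empty in
  let total = st.direct + st.indirect + st.other in
  printf "direct = %d, indirect = %d, other = %d\n" st.direct st.indirect st.other;
  printf "indirect share = %g\n"
    (if total = 0 then 0. else float st.indirect /. float total)

let () = Project.register_pass' main
```

Build, install and run it exactly as the jmp plugin above, substituting indirect.plugin and --pass=indirect.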
Slide 17: Same in Python

```python
import bap
from bap.adt import Visitor


class Counter(Visitor):
    def __init__(self):
        self.jmps = 0
        self.total = 0

    def enter_Jmp(self, jmp):   # called for every Jmp term
        self.jmps += 1

    def enter_Term(self, t):    # called for every term
        self.total += 1


proj = bap.run('/bin/true')
count = Counter()
count.run(proj.program)
print("ratio = {0}/{1} = {2}".format(count.jmps, count.total,
                                     count.jmps / float(count.total)))
```
Slide 18: BAP Workshop

• Wednesday, September 27 (tomorrow)
• Time: 9:00 - 11:30
• Location: GHC 6115 (here)
• Learn how to use BAP
• Learn how to extend BAP using
  – OCaml
  – Python
Slide 19: Be prepared!

• Either install BAP from opam manually
• Or use Vagrant to install a provisioned VM:

```shell
$ wget http://tiny.cc/Vagrantfile
$ vagrant up
$ vagrant ssh
$ bap --version
```