COMP3703 WK1 Monday

Slides Used

  • Overview
  • Introduction to Binary Analysis

Assessment

  • 1 Quiz (5%)
  • 3 Assignments (CTF style): 15% + 20% (advanced binary + stack exploitation) + 20% (heap exploitation and file rediscovery, more programming required; fuzzing and symbolic execution)
    • Problem solving + report writing
  • Final CTF (40%)
    • Take home CTF style final exam
  • No hurdle

Course Organisation

  • Office hours Tuesday 11am to 12pm
  • Office inside CSIT

Course Outline

  • Fundamentals of binary Analysis
    • Binary format, disassembly, code injection
  • Exploitation techniques
    • Stack + heap exploitation
  • Vulnerability discovery
    • binary instrumentation, fuzzing, symbolic execution

Introduction to Binary Analysis

Outline

  • Loading and executing binary, virtual memory layout
  • Compilation process
  • Intro to x86
  • Basic disassembly and reverse-engineering tools

Why Binary Analysis

  • Gap between source code, machine code and a binary: all programs must be compiled to machine code before they run
  • What you think the program does (high level) vs. what it actually does (binary level)

Scope

  • Focus on Linux binary (ELF), similar principles apply to Windows binary (PE)
    • Focus on x86 instruction set only

Binary Analysis

Static Analysis

  • No need to actually execute the binary; it can be analysed anywhere, with any appropriate tool

  • Disadvantage: less accurate and less precise

    • No runtime state is available, and some properties are undecidable statically

Dynamic Analysis

  • Observes the binary at runtime; only the one execution path triggered by the given input is seen, so paths that are not triggered are missed

  • Fuzzing: throw many different inputs at the binary and observe which paths get triggered

    • Coverage-guided fuzzing: try to cover as many paths as possible

Challenges

  • No symbol or type information
  • No high-level abstraction
    • Compilers can remove or inline code, making it hard or impossible to recover the original source structure
  • Mixed code and data
  • Location-dependent data and code
    • Code can be shifted or relocated, changing addresses
    • Code and data are pulled in from many places (e.g. shared libraries)

Loading and Executing a Binary

  • First, the OS sets up a virtual memory space for the process (isolation mechanism)
  • The OS maps the interpreter into that virtual memory
  • The OS transfers control to the interpreter
    • Interpreter -> shared library: ld-linux.so
  • When analysing a binary for exploitation, first find out which libraries it uses, so they can be inspected and potentially exploited too

The Interpreter

  • Loads the binary into the virtual memory
  • Maps the required dynamic libraries into the virtual memory
  • Performs the required relocations, usually with lazy binding
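Added example, not from the lecture slides: a small Python parser that reads from an ELF64 image the two things the loading steps above depend on, the PT_INTERP path the kernel hands control to and the DT_NEEDED libraries the interpreter then maps (the information the "which libraries are used" question asks for). The sample ELF image is constructed inline; it assumes the dynamic string table's virtual address equals its file offset, which holds for the sample but on a real binary needs the PT_LOAD mapping to translate.

```python
import struct

ELF_MAGIC, PT_DYNAMIC, PT_INTERP = b"\x7fELF", 2, 3   # ELF64 constants from the ELF spec
DT_NULL, DT_NEEDED, DT_STRTAB = 0, 1, 5

def program_headers(data):
    """Yield (p_type, p_offset, p_filesz) for each ELF64 program header."""
    if data[:4] != ELF_MAGIC or data[4] != 2:
        raise ValueError("not an ELF64 image")
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    for i in range(e_phnum):
        p = struct.unpack_from("<IIQQQQQQ", data, e_phoff + i * e_phentsize)
        yield p[0], p[2], p[5]  # p_type, p_offset, p_filesz

def cstr(data, off):  # NUL-terminated string at file offset off
    return data[off:data.index(b"\0", off)].decode()

def loader_view(data):
    """(PT_INTERP path or None, [DT_NEEDED names]); assumes vaddr == file offset."""
    interp, needed, dynamic = None, [], None
    for p_type, off, size in program_headers(data):
        if p_type == PT_INTERP:
            interp = cstr(data, off)
        elif p_type == PT_DYNAMIC:
            dynamic = (off, size)
    if dynamic:  # statically linked binaries have no dynamic section
        off, size = dynamic
        entries = [struct.unpack_from("<qQ", data, off + i) for i in range(0, size, 16)]
        strtab = dict(entries).get(DT_STRTAB)
        for tag, val in entries:
            if tag == DT_NULL:
                break
            if tag == DT_NEEDED and strtab is not None:
                needed.append(cstr(data, strtab + val))
    return interp, needed

def build_sample_elf():
    """Constructed ELF64 image with PT_INTERP, PT_DYNAMIC, strtab and dynamic section."""
    interp, strtab = b"/lib64/ld-linux-x86-64.so.2\0", b"\0libc.so.6\0libcrypto.so.3\0"
    interp_off = 64 + 2 * 56  # after the ELF header and two program headers
    strtab_off = interp_off + len(interp)
    dyn_off = (strtab_off + len(strtab) + 7) & ~7  # Elf64_Dyn entries are 8-byte aligned
    dyn = b"".join(struct.pack("<qQ", t, v) for t, v in [(DT_STRTAB, strtab_off),
          (DT_NEEDED, 1), (DT_NEEDED, strtab.index(b"libcrypto")), (DT_NULL, 0)])
    ident = ELF_MAGIC + bytes([2, 1, 1]) + b"\0" * 9  # ELFCLASS64, little-endian, EV_CURRENT
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 64, 0, 0, 64, 56, 2, 0, 0, 0)
    def phdr(p_type, off, size):  # PF_R; vaddr and paddr equal the file offset
        return struct.pack("<IIQQQQQQ", p_type, 4, off, off, off, size, size, 8)
    body = ehdr + phdr(PT_INTERP, interp_off, len(interp)) + phdr(PT_DYNAMIC, dyn_off, len(dyn))
    return body + interp + strtab + b"\0" * (dyn_off - strtab_off - len(strtab)) + dyn
```

`loader_view(open(path, "rb").read())` gives the same two answers for a real x86-64 binary once the string-table address is translated through its PT_LOAD segments; `readelf -l` and `readelf -d` show the same fields for comparison.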