montyly / gueb

https://tel.archives-ouvertes.fr/tel-01681707v2/document
MIT License
236 stars 50 forks source link

GUEB Static analyzer detecting Use-After-Free on binary

Presentation

GUEB is a static analyzer performing use-after-free detection on binary. The tool is still under development, any commentary / help are welcome.

In summary, GUEB performs a value analysis on binary code, which tracks pointers and the states of the heap objects. When GUEB detects the use of a freed pointer, it extracts the sub-graph representation of the use-after-free.

If you want to try GUEB easily (and skip the compilation part): here you will find a virtual machine with everything installed (login/pass: gueb/gueb) (md5 : 53458b32fee721717455902920b3c6f7), (note that you still need to provide IDA pro and to configure BinNAvi with it).

How to compile

How to use

Use Case

Limitations

Troubleshooting

Vulnerabilities found

Author

Thanks

How to compile


GUEB will not work on a 32 bits machine (for now). It was tested on a Ubuntu 14.04 64 bits. You need ocaml in version 4.02 installed.

On Ubuntu 14.04:

add-apt-repository ppa:avsm/ppa
apt-get update
apt-get install ocaml m4 opam
opam init
eval `opam config env`

You also need to install piqi:

opam update
opam install piqi

Then you can compile the code

cd src
export PATH=$PATH:~/.opam/system/bin/ && make

Be sure that you have Java 8 installed, if not: (tested on Ubuntu)

add-apt-repository ppa:webupd8team/java
apt-get update
apt-get install oracle-java8-installer

Note that if you have differents version of Java installed, you can set the default version of Java to be used with:

update-alternatives --config java

Finally you need jython in version 2.7.0. Jython works better when installed that with the standalone .jar version.

How to use


GUEB uses REIL as intermediate representation (see BinNavi) : Architecture

First, you need to extract the REIL representation of the binary, from the BinNavi database to a protobuf file. A jython script is provided in export/gui.py.

You need to modify the first lines of export/export_probotuf.py with the right path of instalation and your BinNavi database information.

Then run

cd export
jython gui.py

Chosse the proper module on the first windows.

First windows

The second and the third windows allow you to specify all the wrappers to malloc and free.

Second windows

Two files will be create, the first one is the protobuf file, the second one is the list of functions with no caller (that you can use as entry points on GUEB).

Then you can launch GUEB:

gueb -reil reil_file -func func_name -output-dir results 

If a use-after-free is found, results of the analysis will be located in results/func_name/ (as a dot file)

Use Case : Gnome-nettool


In ./example there are two file :

You can launch GUEB on all the possible entry points:

gueb -reil gnome-nettool -funcs-file gnome-nettool-entry-points -output-dir results -type 2

-type 2 launches the analysis on a set of entry points and is needed with -funcs-file. Be sure to create the directory results prio GUEB execution.

GUEB will detect 5 use-afte-free (4 false positives, 1 true positive). The real one is located in info_nic_changed :

First windows

From this tree, we can suspect that the root of the use-after-free is located in the function info_get_nic_information. We can export the sub-graph of info_get_nic_information leading to the use-after-free:

gueb -reil gnome-nettool -func info_get_nic_information -flow-graph-dot

A second dot file will be created : Second window

You can create a representation that do not include any arc between the ret instructions of the functions and their callers, with :

gueb -reil gnome-nettool -func info_get_nic_information -flow-graph-dot -flow-graph-call-disjoint

Third window This representation can be easier to understand.

You can find more options with

gueb -help

Limitations

Troubleshooting

piqilib :

Some user reported a trouble to build piqilib. During piqi installation, piqilib can be installed in version 0.6.6 with opam. If so, please update your piqilib at the version 0.6.12.

Vulnerabilities found by GUEB


Author


Feist Josselin (josselin.feist [SPAM] gmail.com)

This tool is a part of my thesis: Finding the needle in the heap : combining binary analysis techniques to trigger use-after-free

Thanks


Benjamin Farinier (CEA) for this advice in Ocaml.