Dynamic Binary Analysis

Allows capturing the dynamic behaviour of some code.

  • Behaviour that depends on external input.

  • Data structures and even code are revealed during execution time.

Allows runtime validation/evaluation of binary code.

  • A program, a firmware, part of a program, a sequence of instructions.

  • Under a controlled context.

  • On a different (more flexible, controllable, or safe) environment.

How

Load the binary and execute instructions of the target binary.

  • The meaning of "execute" is broader than it may look.

Allow some interaction with the binary while it is running.

  • Break the execution at some point.

  • Inspect memory and process its content.

  • Change memory, either variables or code.

  • Execute code in a controlled manner: step by step, in chunks, until a given point.

Approaches

Analysis of an execution flow can either be passive or active. Choosing either one or the other has consequences on the soundness, coverage, etc. of the results.

Passive analysis: Observation

  • register values: return value of functions (rax), program counter (pc), stack frame (rbp, rsp), etc.

  • stack inspection: local variables, input parameters (according to some calling conventions), return address, etc.

  • heap inspections: the number of allocated blocks, their content, etc.
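As an added example, not part of the original slides: a small Python decoder for the observations listed above (register values, stack frame, return address, parameters), run over a constructed x86-64 SysV stack snapshot. The addresses, register contents and .text range are invented for the example; a real capture would come from a debugger or tracer.

```python
import struct

# Constructed x86-64 SysV snapshot (not captured from any real process):
# frame built by `push rbp; mov rbp, rsp; sub rsp, 0x20`, so
#   [rsp, rbp)  -> 4 qwords of locals
#   [rbp]       -> saved caller rbp
#   [rbp+8]     -> return address into the caller
#   [rbp+16..]  -> arguments 7 and up, passed on the stack
STACK_BASE = 0x7ffc00001000
REGS = {"rsp": STACK_BASE, "rbp": STACK_BASE + 0x20, "rax": 0x2a,
        "rdi": 1, "rsi": 2, "rdx": 3, "rcx": 4, "r8": 5, "r9": 6}
STACK = struct.pack("<8Q",
    0x2a, STACK_BASE + 0x50, 0, 0x4141414141414141,  # locals
    STACK_BASE + 0x60,                                # saved rbp
    0x401136,                                         # return address
    7, 8)                                             # stack-passed args
TEXT_RANGE = (0x401000, 0x402000)  # assumed .text mapping of the sample binary

def decode_frame(stack, stack_base, regs):
    """Interpret a captured stack region as one SysV x86-64 frame."""
    def qword(addr):
        off = addr - stack_base
        if off < 0 or off + 8 > len(stack):
            raise ValueError(f"{addr:#x} lies outside the captured region")
        return struct.unpack_from("<Q", stack, off)[0]
    rsp, rbp = regs["rsp"], regs["rbp"]
    if rbp < rsp or (rbp - rsp) % 8:
        raise ValueError("rbp/rsp do not describe a standard frame")
    end = stack_base + len(stack)
    return {
        "locals": [qword(a) for a in range(rsp, rbp, 8)],
        "saved_rbp": qword(rbp),
        "return_address": qword(rbp + 8),
        "stack_args": [qword(a) for a in range(rbp + 16, end, 8)],
        # the first six integer arguments travel in registers under SysV
        "register_args": [regs[r] for r in ("rdi", "rsi", "rdx", "rcx", "r8", "r9")],
        "return_value": regs["rax"],
    }

def return_address_plausible(frame, text_range):
    """Passive sanity check: a return address outside the code mapping
    indicates a corrupted frame (or a capture taken at the wrong moment)."""
    lo, hi = text_range
    return lo <= frame["return_address"] < hi
```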

Caveats

Binary applications are more powerful and complex.

  • May be written in multiple languages, and have code that runs in a VM.

  • May contain code that changes the host system, or that is modified at runtime.

Binary analysis of complex applications requires a different toolset.

  • The principles will be the same, but the tools will allow fine-grained control and isolation.

  • Side effects and execution impact may be subtle (remember Meltdown and Spectre).

  • Host systems may be more complex.
