Reverse Debugging with radare2

Transcript

1. Reverse Debugging with radare2 Ren Kimura (@RKX1209)

2. whoami? - @RKX1209 • University student in Japan • Mainly

   focused on Kernel Exploitation and Jailbreak BTW: There are some cool Japanese words in r2-related projects:) 居合刀 (Iaito) 解体 (Kaitai)

3. GSoC works “Add Reverse Debugging support to r2” What’s Reverse

   Debugging? In short, Enable to seek program counter backward. 0x00400536 push rbp 0x00400537 mov rbp, rsp 0x0040053a mov edi, str.Hello_World 0x0040053f call sym.imp.puts ① ② ③ ④ Step back, Step back, Step back, Step back….. Reverse Need to restore %edi and %rbp to previous value. And also stack state.

4. Approaches There are some approaches to implement Reverse Debugging. •

   Timeless Debugging ◦ Original GSoC Project title is “Timeless Debugging support”. • Record and Replay

5. Timeless Debugging Records all operations like, load/store memory, regsiters… geohot’s

   qira uses QEMU for recording. 0x00400536 push rbp 0x00400537 mov rbp, rsp 0x0040053a mov edi, str.Hello_World 0x0040053f call sym.imp.puts [stack_addr] <= %rbp %rbp <= %rsp %edi <= [str_addr] Records per operations This approach is not suitable for radare2...

6. Record and Replay(RnR) Record Initial program state and some events,

   then replay from it. 0x00400536 push rbp 0x00400537 mov rbp, rsp 0x0040053a mov edi, str.Hello_World 0x0040053f call sym.imp.puts Initial State Save Initial program state by ptrace(2) Replay until desired point It looks nice for r2 architecture!

7. r2 recorder In r2, program record is called as “Trace

   Session”. You can use dts (debug trace session) command. dts List all trace sessions dts+/- Add/Delete trace session dtst/f [file] Read/Save trace session dtsC <id> <comment> Add comment for given trace session More detail. Let’s type “dts?” in your own r2 debugger console.

8. Record and Replay for r2 Firstly you need to record

   Initial program state by “dts+”. 0x00400536 push rbp 0x00400537 mov rbp, rsp 0x0040053a mov edi, str.Hello_World 0x0040053f call sym.imp.puts Trace Session Save current program state by “dts+” Current PC

9. Record and Replay for r2 Then, you can step out

   or continue as usual. 0x00400536 push rbp 0x00400537 mov rbp, rsp 0x0040053a mov edi, str.Hello_World 0x0040053f call sym.imp.puts Current PC Go forward by dso, dc or dcu…. Trace Session

10. Record and Replay for r2 OK. Let’s back one step

    by “dsb” (debug step back) command. 0x00400536 push rbp 0x00400537 mov rbp, rsp 0x0040053a mov edi, str.Hello_World 0x0040053f call sym.imp.puts Current PC Currently, pc is at 40053f and you want to step back to 40053a. Trace Session

11. Record and Replay for r2 Reverse debugging commands firstly, restore

    program state to previous Trace Session. 0x00400536 push rbp 0x00400537 mov rbp, rsp 0x0040053a mov edi, str.Hello_World 0x0040053f call sym.imp.puts Trace Session Restore state Current PC

12. Record and Replay for r2 Then, replay until previous address.(i.e.

    0x40053a) 0x00400536 push rbp 0x00400537 mov rbp, rsp 0x0040053a mov edi, str.Hello_World 0x0040053f call sym.imp.puts Current PC Trace Session Replay

13. Reverse Debugging for r2 You can also continue back(dcb) that

    seeks program counter backward until hit the breakpoint. 0x00400536 push rbp 0x00400537 mov rbp, rsp 0x0040053a mov edi, str.Hello_World 0x0040053f call sym.imp.puts Current PC Trace Session one step back(dsb) continue back(dcb)

14. DEMO Reverse Debugging with radare2

15. Performance problem(Execution time) When you run reverse debug commands at

    several time, r2 always replay from previous Trace Session. ex. Long loop iterations, Heavy memory operations...

16. Checkpoint optimization Reverse Debugger puts some checkpoints automatically at first

    replaying time. Then, replayer can use nearest one. (very long operations) ……. 0x00400536 push rbp 0x00400537 mov rbp, rsp 0x0040053a mov edi, str.Hello_World 0x0040053f call sym.imp.puts Current PC Trace Session Save sessions at replaying time Trace Session Trace Session checkpoint 1 checkpoint 2 checkpoint 3

17. Memory size problem There are many trace sessions(by checkpoint system

    or ‘dts+’s by user) Each trace session has entire program state, like all memory and register dump. XD

18. Trace Session optimization Trace session should have only changed parts

    in memory from a previous trace session. (like diff snapshot) (very long operations) ……. 0x00400536 push rbp 0x00400537 mov rbp, rsp 0x0040053a mov edi, str.Hello_World 0x0040053f call sym.imp.puts Current PC Trace Session (base) Each session has only diff pages Trace Session (diff1) Trace Session (diff2) base session has entire dump only changed parts from base only changed parts from diff1

19. Trace Session optimization Entire dump(before) 0x40000-0x40100 s -r-x /bin/ls /bin/ls

    .r_w_ 0x60000-0x60100 s -r-- /bin/ls /bin/ls .r_w_ 0xfe800-0x109000 s -rw [heap] [heap] 0x7fb000-0x7ff100 s -r-x /lib/libc-2.23.so ・ ・ ・ ・ Session 1 0x40000-0x40100 s -r-x /bin/ls /bin/ls .r_w_ 0x60000-0x60100 s -r-- /bin/ls /bin/ls .r_w_ 0xfe800-0x109000 s -rw [heap] [heap] 0x7fb000-0x7ff100 s -r-x /lib/libc-2.23.so ・ ・ ・ ・ Session 2 0x40000-0x40100 s -r-x /bin/ls /bin/ls .r_w_ 0x60000-0x60100 s -r-- /bin/ls /bin/ls .r_w_ 0xfe800-0x109000 s -rw [heap] [heap] 0x7fb000-0x7ff100 s -r-x /lib/libc-2.23.so ・ ・ ・ ・ Session 3 ・・・・・・・・

20. Trace Session optimization Diff style session chain(after) 0x40000-0x42000 s -rw

    /bin/ls /bin/ls .r_w_ 0x60000-0x61000 s -r-- /bin/ls /bin/ls .r_w_ 0xfe800-0x109000 s -rw [heap] [heap] 0x7fb000-0x7ff100 s -rw /lib/libc-2.23.so ・ ・ ・ ・ Session 1 Session 2 Session 3 ・・・・・・・・ 0x40000-0x40100(page 0) 0x40400-0x40500(page 4) 0xfea00-0xfeb00(page 2) 0x7fb00-0x7fc00(page 0) Each session have only changed pages

21. DEMO List diff sessions

22. Reverse Debugging for ESIL Not only debugger mode but, you

    can also do reverse debugging for ESIL mode. What is ESIL? Evaluable Strings Intermediate Language sub rsp, 0x648 1608,rsp,-=,$c,cf,=,$z,zf,=,$s,sf,=,$o,of,= Application: Code Emulation, Decompile, VM Emulation….

23. Reverse Debugging for ESIL Not only debugger mode but, you

    can also reverse debugging for ESIL mode. 0x00400536 ebp,4,esp,-=,esp,=[4] 0x00400537 esp,ebp,= 0x0040053a 0x0040053f call sym.imp.puts Current PC Trace Session one step back(aesb) Architecture independent Reverse Debugging! Save current ESIL state by “aets+”

24. DEMO Reverse Debugging for ESIL

25. Future work r2 Reverse Debugger is not supporting non deterministic

    events.(like syscall results, signal….) (very long operations) ……. 0x00400536 push rbp 0x00400537 mov rbp, rsp 0x0040053a mov edi, str.Hello_World 0x0040053f call sym.imp.puts Current PC Trace Session These events should be replayed! Non deterministic events Signal Syscall result Timer

26. Thank you! r2 reverse debugger document: https://radare.gitbooks.io/radare2book/content/debugger/revdebug.html My blog post:

    https://rkx1209.github.io/