Avatar²: A multi-target orchestration platform

Muench, Marius; Nisi, Dario; Francillon, Aurélien; Balzarotti, Davide
BAR 2018, Workshop on Binary Analysis Research, colocated with NDSS Symposium, 18 February 2018, San Diego, USA

Dynamic binary analysis techniques play a central role to study the security of software systems and detect vulnerabilities in a broad range of devices and applications. Over the past decade, a variety of different techniques have been published, often alongside the release of prototype tools to demonstrate their effectiveness. Unfortunately, most of those techniques' implementations are deeply coupled with their dynamic analysis frameworks and are not easy to integrate in other frameworks. Those frameworks are not designed to expose their internal state or their results to other components. This prevents analysts from being able to combine together different tools to exploit their strengths and tackle complex problems which requires a combination of sophisticated techniques. Fragmentation and isolation are two important problems which too often results in duplicated efforts or in multiple equivalent solutions for the same problem - each based on a different programming language, abstraction model, or execution environment. In this paper, we present avatar2 , a dynamic multi-target orchestration framework designed to enable interoperability between different dynamic binary analysis frameworks, debuggers, emulators, and real physical devices. Avatar2 allows the analyst to organize different tools in a complex topology and then "move" the execution of binary code from one system to the other. The framework supports the automated transfer of the internal state of the device/application, as well as the configurable forwarding of input/output and memory accesses to physical peripherals or emulated targets. To demonstrate avatar2 usage and versatility, in this paper we present three very different use cases in which we replicate a PLC rootkit presented at NDSS 2017, we test Firefox combining Angr and GDB, and we record the execution of an embedded device firmware using PANDA and OpenOCD. All tools and the three use cases will be released as open source to help other researchers to replicate our experiments and perform their own analysis tasks with avatar2 .


Type:
Conference
City:
San Diego
Date:
2018-02-18
Department:
Digital Security
Eurecom Ref:
5437
Copyright:
© ISOC. Personal use of this material is permitted. The definitive version of this paper was published in BAR 2018, Workshop on Binary Analysis Research, colocated with NDSS Symposium, 18 February 2018, San Diego, USA
and is available at :

PERMALINK : https://www.eurecom.fr/publication/5437