Augmenting Static Analysis Using Pintool: Ablation

Black Hat USA 2016

Presented by: Paul Mehta
Date: Wednesday August 03, 2016
Time: 10:20 - 11:10
Location: South Seas IJ

Ablation is a tool built to extract information from a process as it executes. This information is then imported into the disassembly environment where it used to resolve virtual calls, highlight regions of code executed, or visually diff samples. The goal of Ablation is to augment static analysis with minimal overhead or user interaction.

C++ binaries can be a real pain to audit sometimes due to virtual calls. Instead of having to reverse class, object, and inheritance relationships, Ablation can resolve any observed virtual calls, and create fully interactive x-refs in IDA; Disassembled C++ reads like C!

When augmenting analysis by importing runtime data, much of the information is displayed using a color scheme. This allows the info to be passively absorbed making it useful, rather than obtrusive.

Ablation makes it simple to diff samples by and highlight where the samples diverge. This is achieved by comparing the code executed rather than just comparing data. Consider comparing a heavily mutated crash sample, and the source sample. The root cause of the crash is normally tedious and unrewarding. Using Ablation, the root cause can often be determined simply by running each sample, and using the appropriate color scheme. This also means that visualizing the code coverage of a sample set becomes as simple as running each.

Recent findings have indicated that highly traversed code is not particularly interesting, and code infrequently executed or adjacent is more interesting. Ablation could be used to identify undocumented features in a product given a sample set.

Vulnerability research is all about the details. Having this information passively displayed could be the difference between confusion and discovery. Ablation will be made open source at BH2016.

Paul Mehta

Paul Mehta is a Senior Research Scientist with Cylance. His focus is originalresearch in the areas of static analysis, anti-exploitation, and reverseengineering. Mehta previously worked at Accuvant Labs, and Google where hedeveloped exploitation techniques and advanced memory protections. His latestresearch is focused on future proofing against exploitation, and augmentingstatic analysis.


KhanFu - Mobile schedules for INFOSEC conferences.
Mobile interface | Alternate Formats