
PwIN - Pwning Intel piN

This repository contains supporting material for my master's thesis, Security Evaluation of Dynamic Binary Instrumentation Engines, supervised by Julian Kirsch (@kirschju).

DBI Engines Detection Tool jitmenot

Utilising different artefacts that the instrumentation process introduces into the program's execution, one can detect the underlying Dynamic Binary Instrumentation (DBI) engine. The developed tool, called jitmenot, employs 13 different DBI detection mechanisms and can be built with the provided Makefile. The resulting binary (build/jitmenot) is then ready to be executed in the context of any DBI framework. A red POSITIVE next to a detection mechanism indicates that it has revealed the DBI engine's presence, while a green NEGATIVE signals that this mechanism detected no instrumentation.

In order to execute the fsbase test, one has to load a kernel module (jitmenot/fsgsbase-mod) using make start. The module allows the execution of the rdfsbase instruction in userspace; the instruction is available only on Intel processors from Ivy Bridge onwards, and without kernel support it faults. Finally, starting jitmenot with the -v parameter prints additional information for each test case.
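As an added example of the kind of artefact the fsbase test relies on (this is illustrative code written for this page, not code from the PwIN repository), the following standalone C program compares three views of the FS segment base: the value the hardware reports via rdfsbase, the TLS self-pointer the program reads at %fs:0, and the value the kernel returns for arch_prctl(ARCH_GET_FS). Since the README does not describe how the test works, the program assumes that a DBI engine which runs translated code under its own FS base, and only virtualises the segment for instrumented accesses, can be caught by a mismatch between the hardware view and the program's view; natively all three agree. Two caveats: rdfsbase raises #UD (SIGILL) while CR4.FSGSBASE is clear, which is what the kernel module addresses, so the program first checks the auxiliary vector bit (HWCAP2_FSGSBASE) that Linux 5.9 and later set when they enable FSGSBASE for userspace themselves; and the instruction is emitted as raw bytes so that no particular assembler version is required.

```c
/* Added example, not part of PwIN/jitmenot: an fsbase-style DBI check.
 * Assumption (the README does not say how the real test works): compare the
 * hardware FS base (rdfsbase) with the FS base the program observes through
 * its TLS self-pointer and through arch_prctl(ARCH_GET_FS). Natively all three
 * agree; a mismatch suggests a DBI engine running code under its own FS base. */
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>

#if defined(__linux__) && defined(__x86_64__)
#include <sys/auxv.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef AT_HWCAP2
#define AT_HWCAP2 26
#endif
#ifndef HWCAP2_FSGSBASE            /* bit 1 of AT_HWCAP2: kernel enabled CR4.FSGSBASE */
#define HWCAP2_FSGSBASE (1UL << 1)
#endif
#ifndef ARCH_GET_FS
#define ARCH_GET_FS 0x1003
#endif

/* Linux >= 5.9 enables FSGSBASE for userspace when the CPU supports it and
 * advertises that here; without it rdfsbase faults (SIGILL), which is why
 * jitmenot ships a kernel module for older kernels. */
int fsgsbase_usable(void) {
    return (getauxval(AT_HWCAP2) & HWCAP2_FSGSBASE) != 0;
}

/* Hardware view: F3 48 0F AE C0 encodes "rdfsbase %rax". */
uint64_t fs_base_hw(void) {
    uint64_t v;
    __asm__ volatile(".byte 0xf3, 0x48, 0x0f, 0xae, 0xc0" : "=a"(v));
    return v;
}

/* Program's view 1: glibc and musl keep the TCB self-pointer at %fs:0,
 * so this load yields the FS base the program was started with. */
uint64_t fs_base_tls(void) {
    uint64_t v;
    __asm__ volatile("movq %%fs:0, %0" : "=r"(v));
    return v;
}

/* Program's view 2: ask the kernel (a DBI engine may intercept this syscall). */
uint64_t fs_base_kernel(void) {
    uint64_t v = 0;
    syscall(SYS_arch_prctl, ARCH_GET_FS, &v);
    return v;
}

/* 1 = the two program-side views agree with each other (expected natively). */
int program_views_consistent(void) {
    return fs_base_tls() == fs_base_kernel();
}

/* 1 = POSITIVE (hardware and program disagree), 0 = NEGATIVE, -1 = unavailable. */
int fsbase_check(void) {
    if (!fsgsbase_usable())
        return -1;
    uint64_t hw = fs_base_hw(), tls = fs_base_tls(), krn = fs_base_kernel();
    return (hw != tls || hw != krn) ? 1 : 0;
}
#else
/* Not x86-64 Linux: the test does not apply. */
int fsgsbase_usable(void) { return 0; }
int program_views_consistent(void) { return 1; }
int fsbase_check(void) { return -1; }
#endif

int main(void) {
    int r = fsbase_check();
    printf("fsbase: %s\n", r == 1 ? "POSITIVE"
                         : r == 0 ? "NEGATIVE"
                                  : "unavailable (rdfsbase not enabled in userspace)");
    return 0;
}
```

Build it with `cc -O2 fsbase.c -o fsbase`, run it natively to confirm NEGATIVE (or "unavailable" on a kernel without FSGSBASE support, where the jitmenot module would be needed), then run the same binary under the DBI engine of interest and compare. The constructed program has no inputs; the only signal is whether the three base values agree.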

Functionality was tested on Linux x86-64 with Intel Pin, DynamoRIO, QBDI, and Valgrind. Pull requests regarding new detection mechanisms are always welcome.

jitmenot

Sandbox Escaping when Controlling Code and Data

escape-0 escape-1

Sandbox Escape when Controlling only Data

Further Information

More information about the core concepts can be found in the thesis. To experiment with the examples, one can build a Docker image using the provided Dockerfile. Alternatively, you can download an already built image from https://hub.docker.com/r/zhechkoz/pwin.

To create a container use the command below. The --privileged flag is needed because the fsbase test loads the fsgsbase kernel module from inside the container, and a module inserted there goes into the host kernel:

docker run --privileged -i -t zhechkoz/pwin /bin/bash