/Ponce

IDA 2016 plugin contest winner! Symbolic Execution just one-click away!

Primary LanguageC++OtherNOASSERTION

Build for Windows Build for OSX Build for Linux

Ponce

Ponce (pronounced [ 'poN θe ] pon-they ) is an IDA Pro plugin that provides users the ability to perform taint analysis and symbolic execution over binaries in an easy and intuitive fashion. With Ponce you are one click away from getting all the power from cutting edge symbolic execution. Entirely written in C/C++.

Why?

Symbolic execution is not a new concept in the security community. It has been around for many years but it is not until around 2015 that open source projects like Triton and Angr have been created to address this need. Despite the availability of these projects, end users are often left to implement specific use cases themselves.

We addressed these needs by creating Ponce, an IDA plugin that implements symbolic execution and taint analysis within the most used disassembler/debugger for reverse engineers.

Installation

Ponce works with both x86 and x64 binaries in any IDA version >= 7.0. Installing the plugin is as simple as copying the appropiate files from the latest builds to the plugins\ folder in your IDA installation directory.

Make sure you use the Ponce binary compiled for your IDA version to avoid any incompatibilities.

OS Support

Ponce works on Windows, Linux and OSX natively!

Use cases

  • Exploit development: Ponce can help you create an exploit in a far more efficient manner as the exploit developer may easily see what parts of memory and which registers you control, as well as possible addresses which can be leveraged as ROP gadgets.
  • Malware Analysis: Another use of Ponce is related to malware code. Analyzing the commands a particular family of malware supports is easily determined by symbolizing a simple known command and negating all the conditions where the command is being checked.
  • Protocol Reversing: One of the most interesting Ponce uses is the possibility of recognizing required magic numbers, headers or even entire protocols for controlled user input. For instance, Ponce can help you to list all the accepted arguments for a given command line binary or extract the file format required for a specific file parser.
  • CTF: Ponce speeds up the process of reverse engineer binaries during CTFs. As Ponce is totally integrated into IDA you don't need to worry about setup timing. It's ready to be used!

The plugin will automatically run, guiding you through the initial configuration the first time it is run. The configuration will be saved to a configuration file so you won't have to worry about the config window again.

Use modes

  • Tainting engine: This engine is used to determine at every step of the binary's execution which parts of memory and registers are controllable by the user input.
  • Symbolic engine: This engine maintains a symbolic state of registers and part of memory at each step in a binary's execution path.

Examples

Negate and inject a condition

In the next gif we can see the use of automatic tainting and how we can negate a condition and inject it in memory while debugging:

  • We select the symbolic engine and set the option to symbolize argv.
  • We identify the condition that needs to be satisfied to win the crackMe.
  • We negate an inject the solution everytime a byte of our input is checked against the key.
  • Finally we get the key elite that has been injected in memory and therefore reach the Win code.

The crackme source code can be found here

crackmexor_negate_and_inject

Using the tainting engine to track user controlled input

In this example we can see the use of the tainting engine with cmake. We are:

  • Passing a file as argument to cmake to have him parsing it.
  • We select we want to use the tainting engine
  • We taint the buffer that ```fread()```` reads from the file.
  • We resume the execution under the debugger control to see where the taint input is moved to.
  • Ponce will rename the tainted functions. These are the functions that somehow the user has influence on, not the simply executed functions.

cmake_tainting_fread

Use Negate, Inject & Restore

In the next example we are using the snapshot engine:

  • Passing a file as argument.
  • We select we want to use the symbolic engine.
  • We taint the buffer that ```fread()```` reads from the file.
  • We create a snapshot in the function that parses the buffer read from the file.
  • When a condition is evaluated we negate it, inject the solution in memory and restore the snapshot with it.
  • The solution will be "valid" so we will satisfy the existent conditions.

fread_test_negate_restore_inject The example source code can be found here

Usage

In this section we will list the different Ponce options as well as keyboard shortcuts:

  • Access the configuration and taint/symbolic windows: Edit > Ponce > Show Config (Ctl+Shift+P and Ctl+Alt+T)

2016-09-15 11_39_08-configuracion

  • Enable/Disable Ponce tracing (Ctl+Shift+E)

2016-09-15 11_31_34-

  • Symbolize/taint a register (Ctl+Shift+R)

2016-09-15 11_32_32-

  • Symbolize/taint memory. Can be done from the IDA View or the Hex View (Ctl+Shift+M)

2016-09-15 11_32_52-ida - testproject idb testproject exe c__users_default default-pc_documents_vi2016-09-15 11_33_10-taint _ symbolize memory range

2016-09-15 12_09_11-inicio

  • Solve formula (Ctl+Shift+S)

2016-09-15 11_35_11-

  • Negate & Inject (Ctl+Shift+N)

2016-09-15 11_34_44-

  • Negate, Inject & Restore Snaphot (Ctl+Shift+I)

2016-09-15 11_47_19-

  • Create Execution Snapshot (Ctl+Shift+C)

2016-09-15 11_37_40-

  • Restore Execution Snapshot (Ctl+Shift+S)

2016-09-15 11_38_10-

  • Delete Execution Snapshot (Ctl+Shift+D)

2016-09-15 11_38_23-

  • Execute Native (Ctl+Shift+F9)

2016-09-15 12_07_10-

Triton

Ponce relies on the Triton framework to provide semantics, taint analysis and symbolic execution. Triton is an awesome Open Source project sponsored by Quarkslab and maintained mainly by Jonathan Salwan with a rich library. We would like to thank and endorse Jonathan's work with Triton. You rock! :)

Building

Since Ponce v0.3 we have moved the building compilation process to use CMake. Doing this we unify the way that configuration and building happens for Linux, Windows and OSX. We now support providing feedback on the pseudocode about symbolic or taint instructions. For this feature to work you need to add hexrays.hpp to your IDA SDK include folder. hexrays.hpp can be found on plugins/hexrays_sdk/ on your IDA installation path. If you have not purchased the hex-rays decompiler you can still build Pnce by using -DBUILD_HEXRAYS_SUPPORT=OFF. We use Github actions as our CI environment. Check the action files if you want to understand how the building process happens.

FAQ

Why the name of Ponce?

Juan Ponce de León (1474 – July 1521) was a Spanish explorer and conquistador. He discovered Florida in the United States. The IDA plugin will help you discover, explore and hopefully conquer the different paths in a binary.

Can Ponce be used to analyze Windows, OS X and Linux binaries?

Yes, you can natively use Ponce in IDA for Windows or remotely attach to a Linux or OS X box and use it. In the next Ponce version we will natively support Ponce for Linux and OS X IDA versions.

How many instructions per second can handle Ponce?

In our tests we reach to process 3000 instructions per second. We plan to use the PIN tracer IDA offers to increase the speed.

Something is not working!

Open an issue, we will solve it ASAP ;)

I love your project! Can I collaborate?

Sure! Please do pull requests and work in the opened issues. We will pay you in beers for help ;)

Limitations

Concolic execution and Ponce have some problems:

  • Symbolic memory load/write: When the index used to read a memory value is symbolic like in x = aray[symbolic_index] some problems arise that could lead on the loose of track of the tainted/symbolized user controled input.

  • Triton doesn't work very well with floating point instructions.

  • Concolic execution only analyzed the executed instructions. That means that symbolic tracking is lost in cases like the following:

    int check(char myinput)  // Input is symbolic/tainted
    {
    int flag = 0;
    if (myinput == 'A')  //This condition is symbolic/tainted
      flag = 1
    else
      flag =- 1;
    return flag; // flag is not symbolic/tainted!
    }

Authors