Mach-O Runtime Architecture for Mac OS X Version 10.3
Total Page:16
File Type:pdf, Size:1020Kb
Recommended publications
-
A Type Inference on Executables
A Type Inference on Executables Juan Caballero, IMDEA Software Institute Zhiqiang Lin, University of Texas at Dallas In many applications source code and debugging symbols of a target program are not available, and what we can only access is the program executable. A fundamental challenge with executables is that during compilation critical information such as variables and types is lost. Given that typed variables provide fundamental semantics of a program, for the last 16 years a large amount of research has been carried out on binary code type inference, a challenging task that aims to infer typed variables from executables (also referred to as binary code). In this article we systematize the area of binary code type inference according to its most important dimensions: the applications that motivate its importance, the approaches used, the types that those approaches infer, the implementation of those approaches, and how the inference results are evaluated. We also discuss limitations, point to underdeveloped problems and open challenges, and propose further applications. Categories and Subject Descriptors: D.3.3 [Language Constructs and Features]: Data types and structures; D.4.6 [Operating Systems]: Security and Protection General Terms: Languages, Security Additional Key Words and Phrases: type inference, program executables, binary code analysis ACM Reference Format: Juan Caballero and Zhiqiang Lin, 2015. Type Inference on Executables. ACM Comput. Surv. V, N, Article A (January YYYY), 35 pages. DOI:http://dx.doi.org/10.1145/0000000.0000000 1. INTRODUCTION Being the final deliverable of software, executables (or binary code, as we use both terms interchangeably) are everywhere. They contain the final code that runs on a system and truly represent the program behavior. -
A Case Against the GOTO William A. Wulf, Carnegie-Mellon University
A Case Against the GOTO William A. Wulf, Carnegie-Mellon University ABSTRACT It has been proposed, by E. W. Dijkstra and others, that the goto statement in programming language is a principal culprit in programs which are difficult to understand, modify, and debug. More correctly, the argument is that it is possible to use the goto to synthesize program structures with these undesirable properties. Not all uses of the goto are to be considered harmful; however, it is further argued that the "good" uses of the goto fall into one of a small number of specific cases which may be handled by specific language constructs. This paper summarizes the arguments in favor of eliminating the goto statement and some of the theoretical and practical implications of the proposal. KEY WORDS AND PHRASES: programming, programming languages, goto-less programming, structured programming CR CATEGORIES: 4.2, 4.22, 5.24 INTRODUCTION [...] suggestion to ban the goto appears to have been a part of the computing folklore for several years, to this author's knowledge the suggestion was first made in print by Professor E. W. Dijkstra in a letter to the editor of the Communications of the ACM in 1968 (1). In this paper we shall examine the rationale for the elimination of the goto in programming languages, and some of the theoretical and practical implications of its (total) elimination. RATIONALE At one level, the rationale for eliminating the goto has already been given in the introduction. Namely, it is possible to use the goto in a manner which obscures the logical structure of a program to a point where it becomes virtually impossible to understand (1,3,4). It is not claimed that every use of the goto obscures the logical structure of a program; it is only claimed that it is possible to use the goto to fabricate a "rat's nest" of control flow which has the undesirable properties mentioned above. -
Xilinx XAPP545 Statistical Profiler for Embedded IBM PowerPC, Application Note
Product Not Recommended for New Designs Application Note: Virtex-II Pro Statistical Profiler for Embedded IBM PowerPC XAPP545 (v1.0) September 15, 2004 Author: Njuguna Njoroge Summary This application note describes how to generate statistical profiling information from the IBM PowerPC 405D, which is embedded in some Virtex-II Pro™ FPGAs. Specifically, the application note details how to convert trace output files generated from the Agilent Technologies Trace Port Analyzer into a gprof (GNU profiler) readable format. The gprof tool is capable of generating a histogram of a program's functions and a call-graph table of those functions. Introduction Profiling allows a programmer to assess where a program is spending most of its time and how frequently functions are being called. With this information, a programmer can gain insight as to what optimizations to make. In some cases, a programmer can identify bugs that would be otherwise undetectable. Using the RISCWatch application is a first step in profiling a program. Nonetheless, manually mulling through approximately 350 MB (or 8 million cycles) of trace data to discern the run-time profile of the program is a fruitless endeavor. In fact, the designers of RISCWatch realized this, so they standardized the trace output format to enable post processing of the trace. The regular format of the trace files allows scripts to parse through the trace and convert it to the gprof format. By converting the trace files into the gprof format, the widespread use of gprof in the profiling community -
The “Stabs” Debug Format
The "stabs" debug format Julia Menapace, Jim Kingdon, David MacKenzie Cygnus Support Revision TEXinfo 2017-08-23.19 Copyright © 1992-2021 Free Software Foundation, Inc. Contributed by Cygnus Support. Written by Julia Menapace, Jim Kingdon, and David MacKenzie. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover Texts, and with no Back-Cover Texts. A copy of the license is included in the section entitled "GNU Free Documentation License". Table of Contents 1 Overview of Stabs 1.1 Overview of Debugging Information Flow 1.2 Overview of Stab Format 1.3 The String Field 1.4 A Simple Example in C Source 1.5 The Simple Example at the Assembly Level 2 Encoding the Structure of the Program 2.1 Main Program 2.2 Paths and Names of the Source Files 2.3 Names of Include Files 2.4 Line Numbers 2.5 Procedures 2.6 Nested Procedures 2.7 Block Structure -
Automatic Classifying of Mac OS X Samples
Automatic Classifying of Mac OS X Samples Spencer Hsieh, Pin Wu and Haoping Liu Trend Micro Inc., Taiwan TREND MICRO LEGAL DISCLAIMER The information provided herein is for general information and educational purposes only. It is not intended and should not be construed to constitute legal advice. The information contained herein may not be applicable to all situations and may not reflect the most current situation. Nothing contained herein should be relied on or acted upon without the benefit of legal advice based on the particular facts and circumstances presented and nothing herein should be construed otherwise. Trend Micro reserves the right to modify the contents of this document at any time without prior notice. Translations of any material into other languages are intended solely as a convenience. Translation accuracy is not guaranteed nor implied. If any questions arise related to the accuracy of a translation, please refer to the original language official version of the document. Any discrepancies or differences created in the translation are not binding and have no legal effect for compliance or enforcement purposes. Although Trend Micro uses reasonable efforts to include accurate and up-to-date information herein, Trend Micro makes no warranties or representations of any kind as to its accuracy, currency, or completeness. You agree that access to and use of and reliance on this document and the content thereof is at your own risk. Trend Micro disclaims all warranties of any kind, express or implied. Neither Trend Micro nor any party involved in creating, producing, or delivering this document shall be liable for any consequence, loss, or damage, including direct, indirect, special, consequential, loss of business profits, or special damages, whatsoever arising out of access to, use of, or inability to use, or in connection with the use of this document, or any errors or omissions in the content thereof. Contents: Introduction; Mac OS X Samples Dataset; Classification of Mach-O Files; Malware Families -
Doin' the Eagle Rock
VIRUS BULLETIN www.virusbtn.com MALWARE ANALYSIS 1 DOIN’ THE EAGLE ROCK Peter Ferrie Microsoft, USA If a file contains no code, can it be executed? Can arithmetic operations be malicious? Here we have a file that contains no code, and no data in any meaningful sense. All it contains is a block of relocation items, and all relocation items do is cause a value to be added to locations in the image. So, nothing but relocation items – and yet it also contains W32/Lerock. Lerock is written by the same virus author as W32/Fooper (see VB, January 2010, p.4), and behaves in the same way at a high level, but at a lower level it differs in an interesting way. [...] this RNG in every virus for which he requires a source of random numbers. The virus then allocates two blocks of memory: one to hold the intermediate encoding of the virus body, and the other to hold the fully encoded virus body. The virus decompresses a file header into the second block. The file header is compressed using a simple Run-Length Encoder algorithm. The header is for a Windows Portable Executable file, and it seems as though the intention was to produce the smallest possible header that can still be executed on Windows. There are overlapping sections, and ‘unnecessary’ fields have been removed. The virus then allocates a third block of memory, which will hold a copy of the unencoded virus body. The virus searches for zeroes within the unencoded memory -
706 What's New in Security 07 FINAL.Key
System Frameworks #WWDC16 What’s New in Security Session 706 Lucia Ballard Secure Transports Engineering Manager Simon Cooper Trusted Execution Engineering Manager © 2016 Apple Inc. All rights reserved. Redistribution or public display not permitted without written permission from Apple. What’s New in Security? Network Security Cryptography APIs Platform Security on macOS What’s New in Network Security Lucia Ballard Secure Transports Engineering Manager Secure Communications HTTPS is the new HTTP • Confidentiality • Data integrity Not all HTTPS is created equal App Transport Security Current standards For NSURLSession and NSURLConnection APIs • TLS v1.2 • Strong crypto—AES-128 and SHA-2 • Forward secrecy—ECDHE Exceptions—global or for particular domains App Transport Security Enforcement Enforced -
ClangJIT: Enhancing C++ with Just-In-Time Compilation
ClangJIT: Enhancing C++ with Just-in-Time Compilation Hal Finkel, Lead, Compiler Technology and Programming Languages, Leadership Computing Facility, Argonne National Laboratory, Lemont, IL, USA; David Poliakoff, Lawrence Livermore National Laboratory, Livermore, CA, USA; David F. Richards, Lawrence Livermore National Laboratory, Livermore, CA, USA ABSTRACT The C++ programming language is not only a keystone of the high-performance-computing ecosystem but has proven to be a successful base for portable parallel-programming frameworks. As is well known, C++ programmers use templates to specialize algorithms, thus allowing the compiler to generate highly-efficient code for specific parameters, data structures, and so on. This capability has been limited to those specializations that can be identified when the application is compiled, and in many critical cases, compiling all potentially-relevant specializations is not practical. ClangJIT provides a well-integrated C++ language extension allowing template-based specialization to occur during program execution. [...] body of C++ code, but critically, defer the generation and optimization of template specializations until runtime using a relatively-natural extension to the core C++ programming language. A significant design requirement for ClangJIT is that the runtime-compilation process not explicitly access the file system - only loading data from the running binary is permitted - which allows for deployment within environments where file-system access is either unavailable or prohibitively expensive. In addition, this requirement maintains the redistributibility of the binaries using the JIT-compilation features (i.e., they can run on systems where the source code is unavailable). For example, on large HPC deployments, especially on supercomputers with distributed file systems, -
Tanium™ Client Deployment Guide
Tanium™ Client Deployment Guide Version 6.0.314.XXXX February 05, 2018 The information in this document is subject to change without notice. Further, the information provided in this document is provided “as is” and is believed to be accurate, but is presented without any warranty of any kind, express or implied, except as provided in Tanium’s customer sales terms and conditions. Unless so otherwise provided, Tanium assumes no liability whatsoever, and in no event shall Tanium or its suppliers be liable for any indirect, special, consequential, or incidental damages, including without limitation, lost profits or loss or damage to data arising out of the use or inability to use this document, even if Tanium Inc. has been advised of the possibility of such damages. Any IP addresses used in this document are not intended to be actual addresses. Any examples, command display output, network topology diagrams, and other figures included in this document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental. Please visit https://docs.tanium.com for the most current Tanium product documentation. Tanium is a trademark of Tanium, Inc. in the U.S. and other countries. Third-party trademarks mentioned are the property of their respective owners. © 2018 Tanium Inc. All rights reserved. Table of contents: Overview; What is the Tanium Client?; Registration; Client peering; File distribution; Prerequisites; Host system requirements; Admin account; Network connectivity and firewall; Host system security exceptions; Deployment options summary; Using the Tanium Client Deployment Tool; Methods; Before you begin; Install the Client Deployment Tool; Deploy the Tanium Client; Check for Tanium Client updates; Troubleshooting; Logs; Advanced settings; Deploying the Tanium Client to Windows endpoints; Step 1: Create the installer; Step 2: Execute the installer -
Targeting Embedded Powerpc
Freescale Semiconductor, Inc. EPPC.book Page 1 Monday, March 28, 2005 9:22 AM CodeWarrior™ Development Studio PowerPC™ ISA Communications Processors Edition Targeting Manual Revised: 28 March 2005 For More Information: www.freescale.com Metrowerks, the Metrowerks logo, and CodeWarrior are trademarks or registered trademarks of Metrowerks Corporation in the United States and/or other countries. All other trade names and trademarks are the property of their respective owners. Copyright © 2005 by Metrowerks, a Freescale Semiconductor company. All rights reserved. No portion of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, without prior written permission from Metrowerks. Use of this document and related materials are governed by the license agreement that accompanied the product to which this manual pertains. This document may be printed for non-commercial personal use only in accordance with the aforementioned license agreement. If you do not have a copy of the license agreement, contact your Metrowerks representative or call 1-800-377-5416 (if outside the U.S., call +1-512-996-5300). Metrowerks reserves the right to make changes to any product described or referred to in this document without further notice. Metrowerks makes no warranty, representation or guarantee regarding the merchantability or fitness of its products for any particular purpose, nor does Metrowerks assume any liability arising -
Program-Library-HOWTO.Pdf
Program Library HOWTO David A. Wheeler version 1.20, 11 April 2003 This HOWTO for programmers discusses how to create and use program libraries on Linux. This includes static libraries, shared libraries, and dynamically loaded libraries. Program Library HOWTO Table of Contents 1. Introduction 2. Static Libraries 3. Shared Libraries 3.1. Conventions 3.1.1. Shared Library Names 3.1.2. Filesystem Placement 3.2. How Libraries are Used 3.3. Environment Variables 3.3.1. LD_LIBRARY_PATH -
Intelligent OS X Malware Threat Detection with Code Inspection
This is a repository copy of Intelligent OS X malware threat detection with code inspection. White Rose Research Online URL for this paper: http://eprints.whiterose.ac.uk/128371/ Version: Published Version Article: Pajouh, H.H., Dehghantanha, A. orcid.org/0000-0002-9294-7554, Khayami, R. et al. (1 more author) (2018) Intelligent OS X malware threat detection with code inspection. Journal of Computer Virology and Hacking Techniques, 14 (3). pp. 213-223. ISSN 2274-2042 https://doi.org/10.1007/s11416-017-0307-5 Reuse This article is distributed under the terms of the Creative Commons Attribution (CC BY) licence. This licence allows you to distribute, remix, tweak, and build upon the work, even commercially, as long as you credit the authors for the original work. More information and the full terms of the licence here: https://creativecommons.org/licenses/ Takedown If you consider content in White Rose Research Online to be in breach of UK law, please notify us by emailing [email protected] including the URL of the record and the reason for the withdrawal request. https://eprints.whiterose.ac.uk/ J Comput Virol Hack Tech DOI 10.1007/s11416-017-0307-5 ORIGINAL PAPER Intelligent OS X malware threat detection with code inspection Hamed Haddad Pajouh1 · Ali Dehghantanha2 · Raouf Khayami1 · Kim-Kwang Raymond Choo3,4 Received: 31 July 2017 / Accepted: 27 September 2017 © The Author(s) 2017. This article is an open access publication Abstract With the increasing market share of Mac OS X [...] over 91% detection accuracy with 3.9% false alarm rate.