Course detail

Binary Code Analysis

FIT-IANAcad. year: 2023/2024

This course deepens the knowledge and skill obtained in the course of Machine level programming (ISU) and in the course of Operating systems (IOS) with the main goal of allowing the students to understand the image of a crashed system (the so-called crash dump). Knowledge of programming on the level of assembler and application binary interfaces (ABI) is applied on a real Unix operating system. Within the course, various binary files used in the system are discussed, including their structure and their disassembled contents. The course involves a detailed study of compiler output from the point of view of linkage and run of system code as well as a discussion of differences and relations among various processor architectures, compilers, and application binary interfaces. Next, the course presents selected concepts typical for kernel-level programming whose deep knowledge is necessary for analysing the functionality of an operating system kernel. These concepts include, among others, details of interrupt processing, task queues, process/thread synchronisation and memory management inside the kernel, i.e., the so-called SLAB allocator. Knowledge obtained in this way is used as a basis for presenting possibilities of monitoring the behaviour of an operating system on the binary level during its run as well as analysis of images of system memory after a system crash (crash dump analysis). In both cases, usage of tools shipped within common Unix distributions is accented.

Language of instruction

Czech

Number of ECTS credits

4

Mode of study

Not applicable.

Entry knowledge

Proficiency in C language, x86 assembly code, understanding of operating system principles, practical experience with Unix systems.

Rules for evaluation and completion of the course

  • Individual project assignments (4x 15 points)
  • Final test (40 points)

The obtained knowledge of students is examined through four projects focused on low-level programming and on discovering the roots causing problems in an operating system from a provided crash dump (4x 15 points) and through a final written test (40 points). 

Aims

The goal is to acquaint students with the operation of modern Unix operating systems on a level close to the binary code and with available tools for observing the behaviour of such systems, including, in particular, their post-mortem analysis.
Practical experience with analysing the image of system memory after a system crash (crash dump analysis). Knowledge of the structure of binary files used in Unix systems (ELF). Understanding differences and relations between processors architectures, compilers, and ABI standards. Students who successfully pass the course will further be able to monitor the run of an operating system on a binary level during its runtime too. Improved knowledge in the areas of operating systems, machine languages, and debugging and analysis.

Study aids

Not applicable.

Prerequisites and corequisites

Basic literature

Ljubuncic, I.: Linux Kernel Crash Book, 2011.
Drake, C., Brown, K.: Panic! UNIX System Crash Dump Analysis, Prentice Hall, 1995.
Platforms, Crashdump Analysis, Operating System Internals, 2005.Hofmann, F.: The Solaris Operating System on x86

Recommended reading

Course slides: https://github.com/skozina/cda-slides
Intel Corporation: Intel 64 and IA-32 Architectures Software Developer Manuals, 2015.
Matz, M., Hubicka, J., Mitchell, M.: System V Application Binary Interface, AMD64 Architecture Processor Supplement, 2013.

Elearning

Classification of course in study plans

  • Programme BIT Bachelor's 2 year of study, summer semester, elective
  • Programme BIT Bachelor's 2 year of study, summer semester, elective

  • Programme IT-BC-3 Bachelor's

    branch BIT , 2 year of study, summer semester, elective

Type of course unit

 

Lecture

14 hod., optionally

Teacher / Lecturer

Syllabus

  1. Introduction. Code compilation and linking. Understanding the ELF file format.
  2. Dynamic linking and running code. Dynamic relocations and interpreter. PIC, ASLR, PIE, linker script. DWARF debug symbols.
  3. Computer architectures in general, registers, stack operations. Memory segmentation, paging.
  4. The x86 and x86_64 architectures. System V ABI. Compiler and stack optimizations. The ARM architecture.
  5. Live kernel tracing: strace, ltrace, SystemTap, ftrace, perf.
  6. BPF (Berkeley Packet Filter), eBPF and its usage in kernel tracing. BCC, bpftrace.

Exercise in computer lab

12 hod., compulsory

Teacher / Lecturer

Syllabus

  1. Decomposition of an ELF binary file, decoding its sections, and code disassembling.
  2. Program execution tracing using strace, ltrace, gdb.
  3. Using the crash(1) tool on Linux.
  4. Crash dump analysis of a Linux system.
  5. System tracing using SystemTap and ftrace.
  6. Tracing and analysis of system deadlocks.

Project

13 hod., compulsory

Teacher / Lecturer

Syllabus

  1. ELF file analysis.
  2. Analysis of a crash dump.
  3. Analysis of a crash dump.
  4. Monitoring of a running system using SystemTap.

Elearning