BHUSA2015 Unicorn
http://www.unicorn-engine.org
1 / 39 NGUYEN Anh Quynh, DANG Hoang Vu Unicorn: Next Generation CPU Emulator Framework
Self-introduction
Agenda
1 CPU Emulator
  - Background
  - Problems of existing CPU emulators
3 Live demo
4 Conclusions
CPU Emulator
Definition
Emulate physical CPU - using software only.
Focus on CPU operations only, but ignore machine devices.
Applications
Emulate code without needing a real CPU.
  - Cross-architecture emulator for console games.
Safely analyze malware code, detect virus signatures.
Verify code semantics in reversing.
Example
Emulate to understand code semantics.
Internals of CPU emulator
Example of emulating X86 32bit instructions
Challenges of building CPU emulator
Good CPU emulator?
Multi-arch?
  - X86, Arm, Arm64, Mips, PowerPC, Sparc, etc.
Multi-platform?
  - *nix, Windows, Android, iOS, etc.
Updated?
  - Keeps up with the latest CPU extensions
Independent?
  - Supports building independent tools
Good performance?
  - Just-In-Time (JIT) compiler technique vs interpreter
Existing CPU emulators
1. Possible by design, but nothing actually works
2. Focus only on detecting Windows shellcode
3. Python only
4. For IDA only
Dream a good emulator
Multi-architecture
  - Arm, Arm64, Mips, PowerPC, Sparc, X86 (+X86_64) + more
Multi-platform: *nix, Windows, Android, iOS, etc.
Updated: latest extensions of all hardware architectures
Independent, with multiple bindings
  - Low-level framework to support all kinds of OS and tools
  - Core in pure C, with support for multiple binding languages
Good performance with JIT compiler technique
  - Dynamic compilation vs interpreter
Allow instrumentation at various levels
  - Single-step/instruction/memory access
Problems
Unicorn == Next Generation CPU Emulator
Goals of Unicorn
Multi-architectures
  - Arm, Arm64, Mips, PowerPC, Sparc, X86 (+X86_64) + more
Multi-platform: *nix, Windows, Android, iOS, etc
Updated: latest extensions of all hardware architectures
Core in pure C, and support multiple binding languages
Good performance with JIT compiler technique
Allow instrumentation at various levels
  - Single-step/instruction/memory access
Unicorn vs others
Challenges to build Unicorn engine
Unicorn design
Ambitions & ideas
Introduction on Qemu
Qemu project
Open source project (GPL license) for system emulation:
http://www.qemu.org
Huge community & highly active
Multi-arch
  - X86, Arm, Arm64, Mips, PowerPC, Sparc, etc. (18 architectures)
Multi-platform
  - Compiles on *nix + cross-compiles for Windows
Qemu architecture
Courtesy of cmchao
Why Qemu?
Are we done?
Challenges to build Unicorn (1)
Unicorn job
Keep only the CPU emulation code & remove everything else (devices, ROM/BIOS, migration, etc.)
Keep supporting subsystems like Qobject, Qom
Rewrite some components but keep the CPU emulation code intact (so it stays easy to sync with Qemu in future)
Challenges to build Unicorn (2)
Unicorn job
Isolated common variables & structures
  - Ensured thread-safe by design
Refactored to allow multiple instances of Unicorn at the same time
Modified the build system to support multiple archs on demand
Challenges to build Unicorn (3)
Unicorn job
Build a dynamic fine-grained instrumentation layer from scratch
Support various levels of instrumentation
  - Single-step or on a particular instruction (TCG level)
  - Instrumentation of memory accesses (TLB level)
  - Dynamically read and write registers or memory during emulation.
  - Handle exceptions, interrupts, syscalls (arch level) through user-provided callbacks.
Challenges to build Unicorn (4)
Unicorn job
Find and fix all the memory leak issues
Refactor various subsystems to keep track of and clean up dangling pointers.
Unicorn vs Qemu
Qemu vulnerabilities
Write applications with Unicorn
Introduce Unicorn API
Sample code in C
Sample code in Python
Live demo
Status & future work
Status
Support Arm, Arm64, Mips, M68K, PowerPC, Sparc, X86 (+X86_64)
Python binding available
Based on Qemu 2.3
Future work
Support the remaining Qemu architectures (alpha/s390x/microblaze/sh4/etc. - 18 in total)
Strip more utility code from Qemu, e.g. improve the disassembler (with potential integration with Capstone).
More bindings promised by the community!
Synchronize with Qemu 2.4 (released soon)
  - The future of Unicorn is guaranteed by Qemu's active development!
Conclusions
Call for beta testers
Questions and answers
Unicorn: Next Generation CPU Emulator Framework
References
Qemu: http://www.qemu.org
libemu: http://libemu.carnivore.it
PyEmu: http://code.google.com/p/pyemu
libcpu: https://github.com/libcpu/libcpu
IDA-x86emu: http://www.idabook.com/x86emu/index.html
Unicorn engine
  - Homepage: http://www.unicorn-engine.org
  - Mailing list: http://www.freelists.org/list/unicorn-engine
  - Twitter: @unicorn_engine
Acknowledgement