ATOS: Adaptive Program Tracing With Online Control Flow Graph Support

Program tracing solutions (i.e., tracers) can faithfully record runtime information about a program's execution and enable flexible and powerful offline analysis. They have therefore become fundamental techniques that are extensively used in software analysis applications. However, few tracers have paid attention to the size of the traces they produce and the corresponding overhead they introduce into offline analysis, or to Control Flow Graph (CFG) support. This paper presents ATOS, an efficient tracing solution that addresses these issues. ATOS adaptively adjusts the granularity of tracing while conservatively preserving the essential execution information. We implement a prototype of ATOS and evaluate it on several benchmarks. The results show that ATOS can greatly reduce the size of a trace and accelerate offline analysis while preserving the execution states and supporting existing applications seamlessly. For example, using ATOS, the trace produced by the application CryptoHunt is reduced by 46 times, while the analysis time is reduced by 34 times.
