Towards Extracting Control Flow Abstraction with Static Disassembly for Binary Code

Disassembly is the preparatory and crucial phase of reverse engineering: it lets people recover the high-level semantics of binaries. However, numerous obfuscation techniques have been devised to shield binaries from disassemblers, for commercial and safety reasons. Unfortunately, attackers can also disguise their malware with obfuscation to evade detection, so a substantial literature has been published on defeating obfuscation. Without debating which side is legitimate, this paper proposes a method for improving disassembly results, especially for obfuscated binaries. Building on ideas from earlier publications, the paper presents several solutions that improve the result: a novel stack-pointer verification technique is used to distinguish the bounds of functions, and byte-based pattern matching helps the disassembler construct the intra-procedural control flow graph dramatically better. An implementation was designed and developed with these techniques and evaluated extensively. An example is provided in the evaluation section, and it shows that our disassembler performs effectively and accurately.
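The two ideas named above, recovering an intra-procedural control flow graph by matching instruction byte patterns and validating a candidate function by checking that the stack pointer is balanced, can be illustrated with a small self-contained example. The following Python is an added example written for this page, not the paper's implementation: it decodes a tiny subset of real x86-32 encodings by linear sweep, splits the stream into basic blocks with edges, and then abstractly tracks the esp delta along every path, rejecting a candidate whose esp is not back at its entry value at each `ret` or that reaches a block join with conflicting stack depths. The sample byte strings are constructed for this example, and the subset of opcodes handled, the block-splitting rules and the balance rule are the author's assumptions, not claims about the paper's algorithm.

```python
from dataclasses import dataclass
from typing import Optional

REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
BRANCH = {0xEB: "jmp", 0x74: "je", 0x75: "jne"}   # rel8 branches


@dataclass
class Insn:
    addr: int
    size: int
    text: str
    sp_delta: int = 0             # net change to esp caused by the instruction
    kind: str = "normal"          # normal | jmp | jcc | ret | frame | leave
    target: Optional[int] = None  # branch target for jmp / jcc


def decode(code: bytes, base: int = 0) -> list[Insn]:
    """Linear sweep over a small x86-32 subset (real encodings, imm8 treated
    as 0..127). A byte outside the subset raises ValueError."""
    out, i = [], 0
    while i < len(code):
        a, b = base + i, code[i]
        nxt = code[i + 1] if i + 1 < len(code) else None
        if 0x50 <= b <= 0x57:                      # push r32
            ins = Insn(a, 1, f"push {REGS[b - 0x50]}", -4)
        elif 0x58 <= b <= 0x5F:                    # pop r32
            ins = Insn(a, 1, f"pop {REGS[b - 0x58]}", +4)
        elif b == 0x89 and nxt == 0xE5:            # mov ebp, esp
            ins = Insn(a, 2, "mov ebp, esp", kind="frame")
        elif b == 0x83 and nxt in (0xEC, 0xC4):    # sub/add esp, imm8
            imm, sign = code[i + 2], (-1 if nxt == 0xEC else +1)
            ins = Insn(a, 3, f"{'sub' if sign < 0 else 'add'} esp, {imm}", sign * imm)
        elif b == 0xC9:
            ins = Insn(a, 1, "leave", kind="leave")
        elif b == 0xC3:
            ins = Insn(a, 1, "ret", kind="ret")
        elif b == 0x90:
            ins = Insn(a, 1, "nop")
        elif b == 0x85 and nxt == 0xC0:
            ins = Insn(a, 2, "test eax, eax")
        elif b == 0x31 and nxt == 0xC0:
            ins = Insn(a, 2, "xor eax, eax")
        elif b in BRANCH and nxt is not None:
            rel = nxt - 256 if nxt > 127 else nxt   # signed rel8
            tgt = a + 2 + rel
            ins = Insn(a, 2, f"{BRANCH[b]} {tgt:#x}",
                       kind="jmp" if b == 0xEB else "jcc", target=tgt)
        else:
            raise ValueError(f"unsupported opcode {b:#x} at {a:#x}")
        out.append(ins)
        i += ins.size
    return out


def build_cfg(insns: list[Insn]):
    """Split the stream into basic blocks. Returns (blocks, succs): leader
    address -> [Insn], and leader address -> set of successor leaders."""
    by_addr = {ins.addr: ins for ins in insns}
    leaders = {insns[0].addr}
    for ins in insns:
        if ins.kind in ("jmp", "jcc", "ret"):
            leaders.add(ins.addr + ins.size)        # instruction after a branch
        if ins.target is not None:
            if ins.target not in by_addr:           # would land mid-instruction
                raise ValueError(f"branch target {ins.target:#x} is not an instruction boundary")
            leaders.add(ins.target)
    blocks, succs, cur = {}, {}, None
    for ins in insns:
        if ins.addr in leaders:
            cur = ins.addr
            blocks[cur], succs[cur] = [], set()
        blocks[cur].append(ins)
    for leader, body in blocks.items():
        last = body[-1]
        fall = last.addr + last.size
        if last.kind != "ret" and last.kind != "jmp" and fall in blocks:
            succs[leader].add(fall)                 # fall-through edge
        if last.kind in ("jmp", "jcc"):
            succs[leader].add(last.target)          # taken edge
    return blocks, succs


def verify_stack_balance(blocks, succs, entry: int):
    """Abstractly run esp along every path from `entry`. Accept only if each
    block is reached with one consistent stack depth and esp is back at its
    entry value (0) at every ret."""
    seen = {}                                       # leader -> (sp, ebp) at entry
    work = [(entry, 0, None)]
    while work:
        leader, sp, ebp = work.pop()
        if leader in seen:
            if seen[leader] != (sp, ebp):
                return False, f"inconsistent stack depth at {leader:#x}: {seen[leader][0]} vs {sp}"
            continue
        seen[leader] = (sp, ebp)
        for ins in blocks[leader]:
            if ins.kind == "frame":
                ebp = sp                            # ebp now points at current esp
            elif ins.kind == "leave":
                if ebp is None:
                    return False, f"leave without frame setup at {ins.addr:#x}"
                sp, ebp = ebp + 4, None             # mov esp, ebp ; pop ebp
            elif ins.kind == "ret":
                if sp != 0:
                    return False, f"esp off by {sp} at ret {ins.addr:#x}"
            else:
                sp += ins.sp_delta
        for s in succs[leader]:
            work.append((s, sp, ebp))
    return True, "stack balanced on all paths"


# Constructed samples: a balanced frame with a forward conditional branch,
# a candidate that returns with a dangling frame, and one whose two paths
# reach the ret with different stack depths.
BALANCED = bytes.fromhex("55 89E5 83EC08 85C0 7402 31C0 C9 C3")
UNBALANCED = bytes.fromhex("55 83EC08 C3")
JOIN_MISMATCH = bytes.fromhex("85C0 7401 50 C3")

if __name__ == "__main__":
    for name, code in [("balanced", BALANCED), ("unbalanced", UNBALANCED), ("join", JOIN_MISMATCH)]:
        blocks, succs = build_cfg(decode(code))
        print(name, verify_stack_balance(blocks, succs, 0))
```

A candidate start address that fails the balance check is a strong hint that the sweep began at a bogus offset (for instance inside a data region or junk bytes an obfuscator inserted), so the disassembler can discard it before it pollutes the function table, while a branch target that is not an instruction boundary exposes a misaligned decode of the same bytes.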
