BISTRO: Binary Component Extraction and Embedding for Software Security Applications

In software security and malware analysis, researchers often need to directly manipulate binary program – benign or malicious – without source code. A useful pair of binary manipulation primitives are binary functional component extraction and embedding, for extracting a functional component from a binary program and for embedding a functional component in a binary program, respectively. Such primitives are applicable to a wide range of security scenarios such as legacy program hardening, binary semantic patching, and malware function analysis. Unfortunately, existing binary rewriting techniques are inadequate to support binary function carving and embedding. In this paper, we present bistro, a system that supports these primitives without symbolic information, relocation information, or compiler support. Bistro preserves functional correctness of both the extracted functional component and the stretched binary program (with the component embedded) by patching them in a systematic fashion. We have implemented an IDA Pro-based prototype of Bistro and evaluated it using real-world Windows software. Our results show the effectiveness of Bistro, with each stretched binary incurring low time and space overhead. Furthermore, we demonstrate Bistro’s capabilities in various security applications.

[1]  Kevin W. Hamlen,et al.  Binary stirring: self-randomizing instruction addresses of legacy x86 binary code , 2012, CCS.

[2]  Derek Bruening,et al.  Efficient, transparent, and comprehensive runtime code manipulation , 2004 .

[3]  Christopher Krügel,et al.  Limits of Static Analysis for Malware Detection , 2007, Twenty-Third Annual Computer Security Applications Conference (ACSAC 2007).

[4]  Gregory R. Andrews,et al.  Binary Obfuscation Using Signals , 2007, USENIX Security Symposium.

[5]  Christopher Krügel,et al.  Inspector Gadget: Automated Extraction of Proprietary Gadgets from Malware Binaries , 2010, 2010 IEEE Symposium on Security and Privacy.

[6]  Halvar Flake,et al.  Structural Comparison of Executable Objects , 2004, DIMVA.

[7]  Nicholas Nethercote,et al.  Valgrind: a framework for heavyweight dynamic binary instrumentation , 2007, PLDI '07.

[8]  Amitabh Srivastava,et al.  Vulcan Binary transformation in a distributed environment , 2001 .

[9]  Wenke Lee,et al.  Ether: malware analysis via hardware virtualization extensions , 2008, CCS.

[10]  Angelos D. Keromytis,et al.  Retrofitting Security in COTS Software with Binary Rewriting , 2011, SEC.

[11]  Robert Muth,et al.  alto: a link‐time optimizer for the Compaq Alpha , 2001 .

[12]  Michael Laurenzano,et al.  PEBIL: Efficient static binary instrumentation for Linux , 2010, 2010 IEEE International Symposium on Performance Analysis of Systems & Software (ISPASS).

[13]  Xiangyu Zhang,et al.  Automatic Reverse Engineering of Data Structures from Binary Execution , 2010, NDSS.

[14]  Mary Lou Soffa,et al.  Retargetable and reconfigurable software dynamic translation , 2003, International Symposium on Code Generation and Optimization, 2003. CGO 2003..

[15]  Amitabh Srivastava,et al.  Analysis Tools , 2019, Public Transportation Systems.

[16]  Stephen McCamant,et al.  Evaluating SFI for a CISC Architecture , 2006, USENIX Security Symposium.

[17]  Mihai Budiu,et al.  Control-flow integrity principles, implementations, and applications , 2009, TSEC.

[18]  Koen De Bosschere,et al.  Link-time binary rewriting techniques for program compaction , 2005, TOPL.

[19]  Yuko Murayama,et al.  Future Challenges in Security and Privacy for Academia and Industry , 2011 .

[20]  Stephen McCamant,et al.  Differential Slicing: Identifying Causal Execution Differences for Security Applications , 2011, 2011 IEEE Symposium on Security and Privacy.

[21]  Fabrice Bellard,et al.  QEMU, a Fast and Portable Dynamic Translator , 2005, USENIX ATC, FREENIX Track.

[22]  Harish Patil,et al.  Pin: building customized program analysis tools with dynamic instrumentation , 2005, PLDI '05.

[23]  Tzi-cker Chiueh,et al.  A Binary Rewriting Defense Against Stack based Buffer Overflow Attacks , 2003, USENIX Annual Technical Conference, General Track.

[24]  Aaas News,et al.  Book Reviews , 1893, Buffalo Medical and Surgical Journal.

[25]  Robert Wahbe,et al.  Efficient software-based fault isolation , 1994, SOSP '93.

[26]  Thomas W. Reps,et al.  Analyzing Memory Accesses in x86 Executables , 2004, CC.

[27]  David Brumley,et al.  TIE: Principled Reverse Engineering of Types in Binary Programs , 2011, NDSS.

[28]  Martín Abadi,et al.  XFI: software guards for system address spaces , 2006, OSDI '06.

[29]  Douglas C. Schmidt,et al.  GPERF: A Perfect Hash Function Generator , 1990, C++ Conference.

[30]  Xiangyu Zhang,et al.  Reuse-oriented camouflaging trojan: Vulnerability detection and attack construction , 2010, 2010 IEEE/IFIP International Conference on Dependable Systems & Networks (DSN).

[31]  Jeffrey K. Hollingsworth,et al.  An API for Runtime Code Patching , 2000, Int. J. High Perform. Comput. Appl..

[32]  R. Stephenson A and V , 1962, The British journal of ophthalmology.

[33]  Herbert Bos,et al.  Howard: A Dynamic Excavator for Reverse Engineering Data Structures , 2011, NDSS.

[34]  Galen C. Hunt,et al.  Detours: binary interception of Win32 functions , 1999 .

[35]  Alec Wolman,et al.  Instrumentation and optimization of Win32/intel executables using Etch , 1997 .

[36]  Tzi-cker Chiueh,et al.  BIRD: binary interpretation using runtime disassembly , 2006, International Symposium on Code Generation and Optimization (CGO'06).

[37]  Stephen McCamant,et al.  Binary Code Extraction and Interface Identification for Security Applications , 2009, NDSS.

[38]  Kevin W. Hamlen,et al.  Securing untrusted code via compiler-agnostic binary rewriting , 2012, ACSAC '12.