SOK: (State of) The Art of War: Offensive Techniques in Binary Analysis

Finding and exploiting vulnerabilities in binary code is a challenging task. The lack of high-level, semantically rich information about data structures and control constructs makes the analysis of program properties harder to scale. However, the importance of binary analysis is on the rise. In many situations binary analysis is the only possible way to prove (or disprove) properties about the code that is actually executed. In this paper, we present a binary analysis framework that implements a number of analysis techniques that have been proposed in the past. We present a systematized implementation of these techniques, which allows other researchers to compose them and develop new approaches. In addition, the implementation of these techniques in a unifying framework allows for the direct comparison of these apporaches and the identification of their advantages and disadvantages. The evaluation included in this paper is performed using a recent dataset created by DARPA for evaluating the effectiveness of binary vulnerability analysis techniques. Our framework has been open-sourced and is available to the security community.

[1]  Barton P. Miller,et al.  An empirical study of the reliability of UNIX utilities , 1990, Commun. ACM.

[2]  K. Thompson Reflections on trusting trust , 1984, CACM.

[3]  Cristina Cifuentes,et al.  Recovery of jump table case statements from binary code , 1999, Proceedings Seventh International Workshop on Program Comprehension.

[4]  Cristina Cifuentes,et al.  Analysis of virtual method invocation for binary translation , 2002, Ninth Working Conference on Reverse Engineering, 2002. Proceedings..

[5]  Gregory R. Andrews,et al.  Disassembly of executable code revisited , 2002, Ninth Working Conference on Reverse Engineering, 2002. Proceedings..

[6]  SeidlHelmut,et al.  Precise interprocedural analysis through linear algebra , 2004 .

[7]  Helmut Seidl,et al.  Precise interprocedural analysis through linear algebra , 2004, POPL.

[8]  Christopher Krügel,et al.  Static Disassembly of Obfuscated Binaries , 2004, USENIX Security Symposium.

[9]  Aaron Stump,et al.  SMT-COMP: Satisfiability Modulo Theories Competition , 2005, CAV.

[10]  Thomas W. Reps,et al.  WYSINWYX: What You See Is Not What You eXecute , 2005, VSTTE.

[11]  David Brumley,et al.  Replayer: automatic protocol replay by binary analysis , 2006, CCS '06.

[12]  Dawson R. Engler,et al.  Under-constrained execution: making automatic code destruction easy and scalable , 2007, ISSTA '07.

[13]  Hovav Shacham,et al.  The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86) , 2007, CCS '07.

[14]  Brian E. Granger,et al.  IPython: A System for Interactive Scientific Computing , 2007, Computing in Science & Engineering.

[15]  Dawson R. Engler,et al.  EXE: automatically generating inputs of death , 2006, CCS '06.

[16]  Nikolaj Bjørner,et al.  Z3: An Efficient SMT Solver , 2008, TACAS.

[17]  Dawson R. Engler,et al.  KLEE: Unassisted and Automatic Generation of High-Coverage Tests for Complex Systems Programs , 2008, OSDI.

[18]  Helmut Veith,et al.  Jakstab: A Static Analysis Platform for Binaries , 2008, CAV.

[19]  Dawson R. Engler,et al.  RWset: Attacking Path Explosion in Constraint-Based Test Generation , 2008, TACAS.

[20]  Stephen McCamant,et al.  Loop-extended symbolic execution on binary programs , 2009, ISSTA.

[21]  Vitaly Chipounov,et al.  Selective Symbolic Execution , 2009 .

[22]  Christopher Krügel,et al.  Prospex: Protocol Specification Extraction , 2009, 2009 30th IEEE Symposium on Security and Privacy.

[23]  Daniel Kroening,et al.  MSc Computer Science Dissertation Automatic Generation of Control Flow Hijacking Exploits for Software Vulnerabilities , 2009 .

[24]  Koushik Sen DART: Directed Automated Random Testing , 2009, Haifa Verification Conference.

[25]  Zhendong Su,et al.  Constructing Precise Control Flow Graphs from Binaries , 2010 .

[26]  David Brumley,et al.  All You Ever Wanted to Know about Dynamic Taint Analysis and Forward Symbolic Execution (but Might Have Been Afraid to Ask) , 2010, 2010 IEEE Symposium on Security and Privacy.

[27]  David Brumley,et al.  AEG: Automatic Exploit Generation , 2011, NDSS.

[28]  George Candea,et al.  S2E: a platform for in-vivo multi-path analysis of software systems , 2011, ASPLOS XVI.

[29]  Bing Mao,et al.  Automatic construction of jump-oriented programming shellcode (on the x86) , 2011, ASIACCS '11.

[30]  David Brumley,et al.  TIE: Principled Reverse Engineering of Types in Binary Programs , 2011, NDSS.

[31]  David Brumley,et al.  Q: Exploit Hardening Made Easy , 2011, USENIX Security Symposium.

[32]  David Brumley,et al.  Unleashing Mayhem on Binary Code , 2012, 2012 IEEE Symposium on Security and Privacy.

[33]  Jorge A. Navas,et al.  Signedness-Agnostic Program Analysis: Precise Integer Bounds for Low-Level Code , 2012, APLAS.

[34]  Roland Groz,et al.  A Taint Based Approach for Smart Fuzzing , 2012, 2012 IEEE Fifth International Conference on Software Testing, Verification and Validation.

[35]  Shih-Kun Huang,et al.  CRAX: Software Crash Analysis for Automatic Exploit Generation by Modeling Attacks as Symbolic Continuations , 2012, 2012 IEEE Sixth International Conference on Software Security and Reliability.

[36]  SAGE: whitebox fuzzing for security testing , 2012, Commun. ACM.

[37]  Stephen McCamant,et al.  Transformation-aware Exploit Generation using a HI-CFG , 2013 .

[38]  Herbert Bos,et al.  Dowser: A Guided Fuzzer for Finding Buffer Overflow Vulnerabilities , 2013, login Usenix Mag..

[39]  Zhendong Su,et al.  Steering symbolic execution to less traveled paths , 2013, OOPSLA.

[40]  Dawn Xiaodong Song,et al.  SoK: Eternal War in Memory , 2013, 2013 IEEE Symposium on Security and Privacy.

[41]  Konrad Rieck,et al.  Modeling and Discovering Vulnerabilities with Code Property Graphs , 2014, 2014 IEEE Symposium on Security and Privacy.

[42]  R. Sekar,et al.  Eternal War in Memory , 2014, IEEE Security & Privacy.

[43]  David Brumley,et al.  BYTEWEIGHT: Learning to Recognize Functions in Binary Code , 2014, USENIX Security Symposium.

[44]  George Candea,et al.  Efficient state merging in symbolic execution , 2012, Software Engineering.

[45]  David Brumley,et al.  Enhancing symbolic execution with veritesting , 2014, ICSE.

[46]  Christian Rossow,et al.  Cross-Architecture Bug Search in Binary Executables , 2015, 2015 IEEE Symposium on Security and Privacy.

[47]  Herbert Bos,et al.  The BORG: Nanoprobing Binaries for Buffer Overreads , 2015, CODASPY.

[48]  Dawson R. Engler,et al.  Under-Constrained Symbolic Execution: Correctness Checking for Real Code , 2015, USENIX Annual Technical Conference.

[49]  David Brumley,et al.  Program-Adaptive Mutational Fuzzing , 2015, 2015 IEEE Symposium on Security and Privacy.

[50]  Christopher Krügel,et al.  Firmalice - Automatic Detection of Authentication Bypass Vulnerabilities in Binary Firmware , 2015, NDSS.

[51]  Konrad Rieck,et al.  Automatic Inference of Search Patterns for Taint-Style Vulnerabilities , 2015, 2015 IEEE Symposium on Security and Privacy.

[52]  Christopher Krügel,et al.  Driller: Augmenting Fuzzing Through Selective Symbolic Execution , 2016, NDSS.