Binary rewriting without control flow recovery

Static binary rewriting has many important applications in software security and systems, such as hardening, repair, patching, instrumentation, and debugging. While many different static binary rewriting tools have been proposed, most rely on recovering control flow information from the input binary. The recovery step is necessary since the rewriting process may move instructions, meaning that the set of jump targets in the rewritten binary needs to be adjusted accordingly. Since the static recovery of control flow information is a hard problem in general, most tools rely on a set of simplifying heuristics or assumptions, such as specific compilers, specific source languages, or binary file meta information. However, the reliance on assumptions or heuristics tends to scale poorly in practice, and most state-of-the-art static binary rewriting tools cannot handle very large/complex programs such as web browsers. In this paper we present E9Patch, a tool that can statically rewrite x86_64 binaries without any knowledge of control flow information. To do so, E9Patch develops a suite of binary rewriting methodologies---such as instruction punning, padding, and eviction---that can insert jumps to trampolines without the need to move other instructions. Since this preserves the set of jump targets, the need for control flow recovery and related heuristics is eliminated. As such, E9Patch is robust by design, and can scale to very large (>100MB) stripped binaries including the Google Chrome and FireFox web browsers. We also evaluate the effectiveness of E9Patch against realistic applications such as binary instrumentation, hardening and repair.

[1]  Dawu Gu,et al.  Automatically Patching Vulnerabilities of Binary Programs via Code Transfer From Correct Versions , 2019, IEEE Access.

[2]  Úlfar Erlingsson,et al.  SASI enforcement of security policies: a retrospective , 1999, NSPW '99.

[3]  Barton P. Miller,et al.  Binary code is not easy , 2016, ISSTA.

[4]  Rajeev Barua,et al.  Static binary rewriting without supplemental information: Overcoming the tradeoff between coverage and correctness , 2013, 2013 20th Working Conference on Reverse Engineering (WCRE).

[5]  Harish Patil,et al.  Pin: building customized program analysis tools with dynamic instrumentation , 2005, PLDI '05.

[6]  Westley Weimer,et al.  Automated repair of binary and assembly programs for cooperating embedded devices , 2013, ASPLOS '13.

[7]  Jeffrey K. Hollingsworth,et al.  An API for Runtime Code Patching , 2000, Int. J. High Perform. Comput. Appl..

[8]  Koen De Bosschere,et al.  Link-time binary rewriting techniques for program compaction , 2005, TOPL.

[9]  Xi Chen,et al.  An In-Depth Analysis of Disassembly on Full-Scale x86/x64 Binaries , 2016, USENIX Security Symposium.

[10]  Mingwei Zhang,et al.  A platform for secure static binary instrumentation , 2014, VEE '14.

[11]  Qin Zhao,et al.  Practical memory checking with Dr. Memory , 2011, International Symposium on Code Generation and Optimization (CGO 2011).

[12]  Roland H. C. Yap,et al.  Heap bounds protection with low fat pointers , 2016, CC.

[13]  Mingwei Zhang,et al.  Control Flow Integrity for COTS Binaries , 2013, USENIX Security Symposium.

[14]  Kevin W. Hamlen,et al.  Securing untrusted code via compiler-agnostic binary rewriting , 2012, ACSAC '12.

[15]  Tzi-cker Chiueh,et al.  BIRD: binary interpretation using runtime disassembly , 2006, International Symposium on Code Generation and Optimization (CGO'06).

[16]  Roland H. C. Yap,et al.  Stack Bounds Protection with Low Fat Pointers , 2017, NDSS.

[17]  David Williams-King,et al.  Egalito: Layout-Agnostic Binary Recompilation , 2020, ASPLOS.

[18]  Dinghao Wu,et al.  UROBOROS: Instrumenting Stripped Binaries with Static Reassembling , 2016, 2016 IEEE 23rd International Conference on Software Analysis, Evolution, and Reengineering (SANER).

[19]  Fan Long,et al.  Control Jujutsu: On the Weaknesses of Fine-Grained Control Flow Integrity , 2015, CCS.

[20]  Yi Sun,et al.  Probabilistic Disassembly , 2019, 2019 IEEE/ACM 41st International Conference on Software Engineering (ICSE).

[21]  Koen De Bosschere,et al.  alto: a link-time optimizer for the Compaq Alpha , 2001, Softw. Pract. Exp..

[22]  Dinghao Wu,et al.  Reassembleable Disassembling , 2015, USENIX Security Symposium.

[23]  Lucas Davi,et al.  ROPdefender: a detection tool to defend against return-oriented programming attacks , 2011, ASIACCS '11.

[24]  Kevin W. Hamlen,et al.  Superset Disassembly: Statically Rewriting x86 Binaries Without Heuristics , 2018, NDSS.

[25]  Mathias Payer,et al.  RetroWrite: Statically Instrumenting COTS Binaries for Fuzzing and Sanitization , 2020, 2020 IEEE Symposium on Security and Privacy (SP).

[26]  Barton P. Miller,et al.  Anywhere, any-time binary instrumentation , 2011, PASTE '11.

[27]  Nicholas Nethercote,et al.  Valgrind: a framework for heavyweight dynamic binary instrumentation , 2007, PLDI '07.

[28]  Derek Bruening,et al.  Efficient, transparent, and comprehensive runtime code manipulation , 2004 .

[29]  Johanna Ullrich,et al.  From Hack to Elaborate Technique—A Survey on Binary Rewriting , 2019, ACM Comput. Surv..

[30]  Amitabh Srivastava,et al.  Vulcan Binary transformation in a distributed environment , 2001 .

[31]  Angelos D. Keromytis,et al.  Retrofitting Security in COTS Software with Binary Rewriting , 2011, SEC.

[32]  Jack W. Davidson,et al.  Zipr++: Exceptional Binary Rewriting , 2017, FEAST@CCS.

[33]  John L. Henning SPEC CPU2006 benchmark descriptions , 2006, CARN.

[34]  Bo Joel Svensson,et al.  Instruction punning: lightweight instrumentation for x86-64 , 2017, PLDI.

[35]  Matthew Hicks,et al.  Full-Speed Fuzzing: Reducing Fuzzing Overhead through Coverage-Guided Tracing , 2018, 2019 IEEE Symposium on Security and Privacy (SP).

[36]  Michael Laurenzano,et al.  PEBIL: Efficient static binary instrumentation for Linux , 2010, 2010 IEEE International Symposium on Performance Analysis of Systems & Software (ISPASS).