JTR: A Binary Solution for Switch-Case Recovery

Most security solutions that rely on binary rewriting assume a clean separation between code and data. Unfortunately, jump tables violate this assumption. In particular, switch statements in binary code often appear as indirect jumps with jump tables that interleave with executable code—especially on ARM architectures. Most existing rewriters and disassemblers handle jump tables in a crude manner, by means of pattern matching. However, any deviation from the pattern (e.g. slightly different instructions) leads to a mismatch.
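The brittleness described above, as an added illustration that is not code from the JTR paper: a rigid matcher for the common ARM `cmp / ldrls pc, [pc, rX, lsl #2] / b default / table` switch idiom (the idiom and the instruction listings are constructed assumptions), beside a slightly more tolerant matcher that survives an interleaved instruction but still refuses to recover a table when the index register is redefined between the bound check and the indirect jump.

```python
import re

# Constructed ARM listing of a compiler-emitted switch (assumed idiom):
# bound check, table-indexed load into pc, default branch, then the table
# of case addresses sitting inline with the code.
CANONICAL = [
    "cmp r0, #3",
    "ldrls pc, [pc, r0, lsl #2]",
    "b default",
    ".word case0", ".word case1", ".word case2", ".word case3",
]
# Same switch with one unrelated instruction scheduled in between.
VARIANT = CANONICAL[:1] + ["mov r4, r1"] + CANONICAL[1:]
# Index register overwritten after the bound check: the cmp no longer
# bounds the table index, so no table should be reported.
CLOBBERED = CANONICAL[:1] + ["mov r0, r5"] + CANONICAL[1:]

CMP = re.compile(r"cmp (r\d+), #(\d+)")
LDR = re.compile(r"ldrls pc, \[pc, (r\d+), lsl #2\]")

def table_after(insns, start, n):
    """Return the n case labels of the inline table beginning at insns[start]."""
    return [t.split()[1] for t in insns[start:start + n]]

def rigid_match(insns):
    """Pattern matcher that demands the exact three-instruction sequence."""
    for i in range(len(insns) - 2):
        m1, m2 = CMP.match(insns[i]), LDR.match(insns[i + 1])
        if m1 and m2 and m1.group(1) == m2.group(1) and insns[i + 2].startswith("b "):
            return table_after(insns, i + 3, int(m1.group(2)) + 1)
    return None

def tolerant_match(insns, window=4):
    """Finds the indexed load, then searches back for the cmp that bounds
    its index register; gives up if that register is redefined in between."""
    for i, insn in enumerate(insns):
        m2 = LDR.match(insn)
        if not m2:
            continue
        reg = m2.group(1)
        for j in range(i - 1, max(-1, i - 1 - window), -1):
            m1 = CMP.match(insns[j])
            if m1 and m1.group(1) == reg:
                return table_after(insns, i + 2, int(m1.group(2)) + 1)
            if re.match(rf"\w+ {reg},", insns[j]):   # reg written: bound lost
                return None
    return None
```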
