Osprey: A fast and accurate patch presence test framework for binaries

Abstract

With the rapid development of the Internet of Things (IoT), a new paradigm named Mobile Edge Computing (MEC) has been proposed to push cloud computing to edge devices. However, the rapid growth of IoT and its inadvertent incorporation of vulnerable third-party code have created a massive number of vulnerable IoT devices. Even worse, the majority of vulnerable devices are left unpatched due to the lack of an easy upgrade routine and automated patch management. Thus, it is crucial to test for patch presence in IoT devices rapidly and accurately, for both defenders and attackers. In this paper, we present Osprey, a fast and accurate patch presence test framework for automatically identifying security patches in firmware. Osprey identifies the fine-grained semantic changes that a patch introduces in the binary by analyzing data flow slices across basic blocks. It parses and analyzes these binary changes to extract patch signatures, which incorporate representative operators and the origins of operands. Patch presence can then be identified by matching patch signatures through lexical comparison. Compared with the state-of-the-art patch presence test approach, Osprey extracts precise patch semantic information from data flow without expensive symbolic execution. We implement and evaluate Osprey against 45 patches and 8 versions of the OpenSSL project, and the results show that Osprey is able to perform the patch presence test 9.6 times faster than the state-of-the-art approach, with high precision that exceeds 90%.
