Reuse-oriented reverse engineering of functional components from x86 binaries

Locating, extracting, and reusing the implementation of a feature within an existing binary program is challenging. This paper proposes a novel algorithm to identify modular functions corresponding to such features and to provide usable interfaces for the extracted functions. We provide a way to represent a desired feature with two executions that both execute the feature but with different inputs. Instead of reverse engineering the interface of a function, we wrap the existing interface and provide a simpler and more intuitive interface for the function through concretization and redirection. Experiments show that our technique can be applied to extract varied features from several real-world applications, including a malicious application.
