Software composition analysis (SCA) is essential for understanding and optimizing complex C programs, ensuring system reliability and efficiency. Analyzing programs at the binary level provides insights into behavior, performance, and security. However, comprehensive evaluations of both academic and commercialized SCA tools are lacking. To this end, this paper presents a comprehensive evaluation of software composition analysis techniques for accurately identifying components in C/C++ binary programs. The study examines different analysis techniques in terms of accuracy, performance, domain-specific capabilities, and additional abilities such as detecting security vulnerabilities and code reuse potential. The results show that SCA tools reach over 70% accuracy in detecting general libraries, while the accuracy drops to less than 45% for libraries in domain-specific software. Commercialized tools exhibit better efficiency and practicality than academic tools. The evaluation provides insights into the strengths and limitations of various approaches, offering suggestions for SCA development and the selection of the most suitable tools.
ISBN (print): 9781450397049
Programs and services relying on weak hash algorithms as part of their hash table implementations are vulnerable to hash-collision denial-of-service attacks. In the context of such an attack, the attacker sends a series of program inputs leading to hash collisions. In the best case, this slows down the execution and processing of all requests, and in the worst case it renders the program or service unavailable. We propose a new binary program analysis approach to automatically detect weak hash functions and patch vulnerable binary programs by replacing the weak hash function with a secure alternative. To verify that our mitigation strategy does not break program functionality, we design and leverage multiple stages of static analysis and symbolic execution, which demonstrate that the patched code performs equivalently to the original code but does not suffer from the same vulnerability. We analyze 105,831 real-world programs and confirm the use of 796 weak hash functions in the same number of programs. We successfully replace 759 of these in a non-disruptive manner. The entire process is automated. Among the real-world programs analyzed, we discovered, disclosed and mitigated a zero-day hash-collision vulnerability in Reddit.
Tackling binary program analysis problems has traditionally implied manually defining rules and heuristics, a tedious and time-consuming task for human analysts. In order to improve automation and scalability, we propose an alternative direction based on distributed representations of binary programs with applicability to a number of downstream tasks. We introduce Bin2vec, a new approach leveraging Graph Convolutional Networks (GCN) along with computational program graphs in order to learn a high-dimensional representation of binary executable programs. We demonstrate the versatility of this approach by using our representations to solve two semantically different binary analysis tasks: functional algorithm classification and vulnerability discovery. We compare the proposed approach to our own strong baseline as well as published results, and demonstrate improvement over state-of-the-art methods for both tasks. We evaluated Bin2vec on 49191 binaries for the functional algorithm classification task, and on 30 different CWE-IDs including at least 100 CVE entries each for the vulnerability discovery task. We set a new state-of-the-art result by reducing the classification error by 40% compared to the source-code based inst2vec approach, while working on binary code. For almost every vulnerability class in our dataset, our prediction accuracy is over 80% (and over 90% in multiple classes).
ISBN (print): 9781665403375
In this paper, we address the problem of finding a correspondence, or matching, between the functions of two programs in binary form, which is one of the most common tasks in binary diffing. We introduce a new formulation of this problem as a particular instance of a graph edit problem over the call graphs of the programs. In this formulation, the quality of a mapping is evaluated simultaneously with respect to both function content and call graph similarities. We show that this formulation is equivalent to a network alignment problem. We propose a solving strategy for this problem based on max-product belief propagation. Finally, we implement a prototype of our method, called QBinDiff, and propose an extensive evaluation which shows that our approach outperforms state-of-the-art diffing tools.
In recent years, malware has grown faster than ever in volume, form and harmfulness. While existing static or dynamic analysis techniques can meet the common user needs for malware detection, analysts desire a more detailed overview to uncover the program architecture. Malware often forces researchers into difficulties due to its complex anti-analysis techniques, which call for a quick analysis of program structure and components to clarify malware functional semantics. In this paper, we use community discovery methods to automate the analysis of malware program components, following the intuition of modular programming principles. Specifically, we design and implement DeMal, a solution to the malware module decomposition problem. It achieves remodularization by recovering program call relationships, extracting structure-related attributes, and applying an ensemble model of multiple community discovery algorithms. DeMal takes a malicious executable as input and predicts its code composition structure. In an evaluation with 155 malware samples, DeMal performs well, achieving an average F1-score of 71.3%, and 14.5% of the samples reach an average precision of 90%. The analysis time on each sample is about 19.79s. In extended experiments with 1,621 benign programs and over 10,000 stripped malware samples, we also verify DeMal's scalability on common programs as well as its large-scale performance, respectively. The visualization of the results also strongly demonstrates DeMal's module decomposition capabilities. (c) 2022 Published by Elsevier Ltd.
The security of binary programs is significantly threatened by software vulnerabilities. When vulnerabilities are found, those applications are exposed to malicious attacks that exploit the known vulnerabilities. Thus, it is necessary to patch them as soon as possible when vulnerabilities are reported to the public. However, locating and correcting the corresponding defective code in binary programs still relies heavily on manual work. In order to raise productivity and ensure software security, it becomes imperative to automate the process. In this paper, we propose BINPATCH to automatically patch known vulnerabilities of binary programs. It first locates the defective function, which contains the vulnerability, via similar code comparison. Then, it reuses the corresponding code from the correct version of the defective function as the patch code and inserts it into the defective function via binary rewriting. BINPATCH is evaluated on eight real-world vulnerabilities, and the experimental results show that it is able not only to locate the defective code effectively but also to patch the code correctly.
ISBN (print): 9781450376280
We present a novel approach to automatically recover information about the address space layout of remote processes in the presence of Address Space Layout Randomization (ASLR). Our system, dubbed Sleak, performs static analysis and symbolic execution of binary executable programs, and identifies program paths and input parameters leading to partial (i.e., only a few bits) or complete (i.e., the whole address) information disclosure vulnerabilities, revealing addresses of known objects of the target service or application. Sleak takes, as input, the binary executable program, and generates a symbolic expression for each program output that leaks information about the addresses of objects, such as stack variables, heap structures, or function pointers. By comparing these expressions with the concrete output of a remote process executing the same binary program image, our system is able to recover from a few bits to whole addresses of objects of the target application or service. Discovering the address of a single object in the target application is often enough to guess the layout of entire sections of the address space, which can be leveraged by attackers to bypass ASLR.
The Internet of Things (IoT) enables many new and exciting applications, but it also creates a number of new risks related to information security. Several recent attacks on IoT devices and systems illustrate that they are notoriously insecure. It has also been shown that a major part of the attacks resulted in full adversarial control over IoT devices, and the reason for this is that IoT devices themselves are weakly protected and often cannot resist even the most basic attacks. Penetration testing or ethical hacking of IoT devices can help discover and fix their vulnerabilities which, if exploited, can result in highly undesirable conditions, including damage to expensive physical equipment or even loss of human life. In this paper, we give a basic introduction to hacking IoT devices. We give an overview of the methods and tools for hardware hacking, firmware extraction and unpacking, and performing basic firmware analysis. We also provide a survey of recent research on more advanced firmware analysis methods, including static and dynamic analysis of binaries, taint analysis, fuzzing, and symbolic execution techniques. By giving an overview of both practical methods and readily available tools as well as current scientific research efforts, our work can be useful for both practitioners and academic researchers.
ISBN (print): 9781538630136
The current static analysis approaches for detecting stack overflow vulnerabilities in binaries are only applicable to functions in system libraries and are not suitable for user-defined functions. In this paper, we model the characteristics of stack overflow vulnerabilities and propose a static taint analysis method which can recognize user-defined functions that may have that type of vulnerability. The experiments on 4 runtime libraries and 2 executables show that this method can find the stack overflow vulnerabilities in binaries correctly and effectively.
ISBN (print): 9781538605356
Binary code clone detection (or similarity comparison) is a fundamental technique for many important applications, such as plagiarism detection, malware analysis, software vulnerability assessment and program comprehension. With the prevalence of smart and IoT (Internet of Things) devices, more and more programs are ported from traditional desktop platforms (e.g., IA-32) to ARM and MIPS architectures. It becomes imperative to detect cloned binary code across architectures. However, because of the incomparable instruction sets of different architectures as well as alternative compiling configurations, it is difficult to conduct binary code clone detection with traditional syntax- or structure-based methods. To address this, we propose a semantics-based approach to fulfill the target. We recognize arguments and indirect jump targets of each binary function, and emulate executions of those functions, extracting semantic signatures to measure the similarity of functions. The approach has been implemented in a prototype system named CACOMPARE to detect cloned binary functions across architectures and compiling configurations. It supports comparisons between mainstream architectures (IA-32, ARM and MIPS) and is able to analyse binaries on the Linux platform. The experimental results show that CACOMPARE is not only effective in dealing with binaries of different architectures and variant compiling configurations, but also improves the accuracy of binary code clone detection compared to state-of-the-art solutions.