A Value Set Analysis Refinement Approach Based on Conditional Merging and Lazy Constraint Solving

Lin, Jian; Jiang, Liehui; Wang, Yisen; Dong, Wei

doi:10.1109/access.2019.2936139

Cited by 9 publications

(8 citation statements)

References 46 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…But ours is different from the existing work [28]- [31]. Take Avatar as an example, there are three main differences between our work and Avatar.…”

Section: Related Workmentioning

confidence: 60%

A Dynamic Taint Analysis Framework Based on Entity Equipment

Ren¹,

Dong²,

Lin³

et al. 2019

IEEE Access

Self Cite

View full text Add to dashboard Cite

With the development of the Internet of Things, the security of embedded device has received extensive attention. Taint analysis technology can improve the understanding of the firmware program operating mechanism and improve the effectiveness of security analysis. It is an important method in security analysis. Traditional taint analysis of embedded device firmware requires complex pre-preparation work, setting up a virtual operating environment. Those security analysts have to invest a lot of time and effort in this work, and the results are usually unsatisfactory. In this paper, we propose a dynamic taint analysis method based on entity equipment. The core idea of our approach is to divide the taint analysis into two parts: the simulation analysis on the host and the real execution on the entity equipment. Since one of the features of our method is based on entity equipment, there is no need to build a dedicated virtual environment. Another feature is that the tested firmware program runs on entity equipment and can ensure the accuracy of the analysis by comparing the results of the taint analysis with the device firmware run-time information. We implement a prototype system and verified the effectiveness of the method, which can perform taint analysis on multiple architecture embedded firmware programs and detect vulnerabilities such as stack overflow, heap overflow and so on. Finally, we verify our prototype with a test case to effectively detect vulnerabilities in the firmware program. And we evaluate the performance of the prototype, compared with PANDA, the time overhead of our prototype is reduced by 5.9%.INDEX TERMS Embedded firmware, dynamic taint analysis, cross-debugging. I. INTRODUCE

show abstract

“…But ours is different from the existing work [28]- [31]. Take Avatar as an example, there are three main differences between our work and Avatar.…”

Section: Related Workmentioning

confidence: 60%

A Dynamic Taint Analysis Framework Based on Entity Equipment

Ren¹,

Dong²,

Lin³

et al. 2019

IEEE Access

Self Cite

View full text Add to dashboard Cite

show abstract

“…The value set obtained by VSA is overapproximated, and its accuracy is subject to the lack of runtime information and path explosion. Therefore, VSA results suffer from a high false positive rate [53]. Our evaluation also demonstrates that VSA is too imprecise for practical binary code debloating.…”

Section: Indirect Control Flowmentioning

confidence: 91%

One size does not fit all: security hardening of MIPS embedded systems via static binary debloating for shared libraries

Zhang

Ren

Lei

et al. 2022

Proceedings of the 27th ACM International Conference on Architectural Support for Programming Languages and Operating Systems

View full text Add to dashboard Cite

Embedded systems have become prominent targets for cyberattacks. To exploit firmware's memory corruption vulnerabilities, cybercriminals harvest reusable code gadgets from the large shared library codebase (e.g., uClibc). Unfortunately, unlike their desktop counterparts, embedded systems lack essential computing resources to enforce security hardening techniques. Recently, we have witnessed a surge of software debloating as a new defense mechanism against code-reuse attacks; it erases unused code to significantly diminish the possibilities of constructing reusable gadgets. Because of the single firmware image update style, static library debloating shows promise to fortify embedded systems without compromising performance and forward compatibility. However, static library debloating on stripped binaries (e.g., firmware's shared libraries) is still an enormous challenge.In this paper, we show that this challenge is not insurmountable for MIPS firmware. We develop a novel system, named 𝜇Trimmer, to identify and wipe out unused basic blocks from shared libraries' binary code, without causing additional runtime overhead or memory consumption. We propose a new method to identify addresstaken blocks/functions, which further help us maintain an interprocedural control flow graph to conservatively include library code that could be potentially used by firmware. By capturing address access patterns for position-independent code, we circumvent the challenge of determining code-pointer targets and safely eliminate unused code. We run 𝜇Trimmer to debloat shared libraries for SPEC CPU2017 benchmarks, popular firmware applications (e.g., Apache, BusyBox, and OpenSSL), and a real-world wireless router firmware image. Our experiments show that not only does 𝜇Trimmer deliver functional programs, but also it can cut the exposed code surface and eliminate various reusable code gadgets remarkably. 𝜇Trimmer's debloating capability can compete with the static linking results.

show abstract

“…Can we reuse the work done by the automated analyses to effectively support that RE effort? Many automated static analyses perform some form of value-set analysis (VSA) [3], over-approximating what values memory and register locations can take on at runtime at each program point [26]. Binary analyses particularly lean on VSA because it does not require distinguishing between addresses and integers [4].…”

Section: Introductionmentioning

confidence: 99%

“…But before building a system to assist human reverse engineers, we need to understand the effects of these tradeoffs on the reverse engineers. We do not want to build a system that ends up impairing human reasoning -and approximate VSA information might do just that [26], [27].…”

Section: Introductionmentioning

confidence: 99%

Effects of Precise and Imprecise Value-Set Analysis (VSA) Information on Manual Code Analysis

Matzen¹,

Leger²,

Reedy³

2021

Proceedings 2021 Workshop on Binary Analysis Research

View full text Add to dashboard Cite

Binary reverse engineers combine automated and manual techniques to answer questions about software. However, when evaluating automated analysis results, they rarely have additional information to help them contextualize these results in the binary. We expect that humans could more readily understand the binary program and these analysis results if they had access to information usually kept internal to the analysis, like value-set analysis (VSA) information. However, these automated analyses often give up precision for scalability, and imprecise information might hinder human decision making.To assess how precision of VSA information affects human analysts, we designed a human study in which reverse engineers answered short information flow problems, determining whether code snippets would print sensitive information. We hypothesized that precise VSA information would help our participants analyze code faster and more accurately, and that imprecise VSA information would lead to slower, less accurate performance than no VSA information. We presented hand-crafted code snippets with precise, imprecise, or no VSA information in a blocked design, recording participants' eye movements, response times, and accuracy while they analyzed the snippets. Our data showed that precise VSA information changed participants' problemsolving strategies and supported faster, more accurate analyses. However, surprisingly, imprecise VSA information also led to increased accuracy relative to no VSA information, likely due to the extra time participants spent working through the code.

show abstract

A Value Set Analysis Refinement Approach Based on Conditional Merging and Lazy Constraint Solving

Cited by 9 publications

References 46 publications

A Dynamic Taint Analysis Framework Based on Entity Equipment

A Dynamic Taint Analysis Framework Based on Entity Equipment

One size does not fit all: security hardening of MIPS embedded systems via static binary debloating for shared libraries

Effects of Precise and Imprecise Value-Set Analysis (VSA) Information on Manual Code Analysis

Contact Info

Product

Resources

About