Cross-architecture bug search in binary executables

Pewny, Jannik; Garmany, Behrad; Gawlik, Robert; Rossow, Christian; Holz, Thorsten

doi:10.1515/itit-2016-0040

Cited by 71 publications

(178 citation statements)

References 17 publications

Supporting

Mentioning

177

Contrasting

Order By: Relevance

“…(1) for each α ∈ M do (2) for each node β ∈ α do (3) if β is a leaf node then (4) tm � sequentia_mutating(β) (5) result � sending_monitoring(tm) (6) if interesting(result) then (7) alert(tm) (8) end if (9) end if (10) end for (11) end for (12) loop (13) for each α ∈ M do (14) indexList � randomIndexList(0, len(α)) (15) for each λ ∈ indexList do (16) tm � random_mutating(λ) (17) end for (18) result � sending_monitoring(tm) (19) if interesting(result) then (20) alert(tm) (21) end if (22) end for (23) end loop ALGORITHM 2: WMIFuzzer fuzz scheduling algorithm. be infected and this can be monitored outside.…”

Section: Remote Monitoringmentioning

confidence: 99%

See 1 more Smart Citation

Discovering Vulnerabilities in COTS IoT Devices through Blackbox Fuzzing Web Management Interface

Wang

Zhang

Chen

et al. 2019

Security and Communication Networks

View full text Add to dashboard Cite

A novel approach for discovering vulnerability in commercial off-the-shelf (COTS) IoT devices is proposed in this paper, which will revolutionize the area. Unlike previous work, the web management interface in IoT was used to detect vulnerabilities by leveraging fuzzing technology. To validate and evaluate this scheme, a tool named WMIFuzzer was designed and implemented. There were also two challenges: (1) due to the diversity of web interface implementations, there were no existing seed messages for fuzzing this interface and it was inefficient while taking random messages to launch the fuzzing and (2) because of the highly structured seed message, fuzzing with byte-level mutation could conduce to be rejected by the device at an early stage. To address these challenges, a brute-force UI automation was designed to drive the web interface to generate initial seed messages automatically, as well as a weighted message parse tree (WMPT) was proposed to guide the mutation to generate mostly structure-valid messages. The extensive experimental results show that WMIFuzzer could achieve expected result while 10 vulnerabilities including 6 zero-days in 7 COTS IoT devices were discovered.

show abstract

Section: Remote Monitoringmentioning

confidence: 99%

“…irdly, static methods [16][17][18] or dynamic methods [6,15,19,20] are deployed to detect aws in these unpacked les. However, rmware-based approaches su er from known drawbacks.…”

Section: Introductionmentioning

confidence: 99%

Discovering Vulnerabilities in COTS IoT Devices through Blackbox Fuzzing Web Management Interface

Wang

Zhang

Chen

et al. 2019

Security and Communication Networks

View full text Add to dashboard Cite

show abstract

“…Regardless of their end goal, one of the important steps in these techniques is to correctly identify the Instruction Set Architecture (ISA) of the op-codes within the binary code. Some techniques can perform the analysis using architecture-independent or crossarchitecture methods [16,17,32]. However, many of those techniques still require the exact knowledge of the binary code's ISA.…”

Section: Introductionmentioning

confidence: 99%

ISAdetect

Kairajärvi

Costin

Hämäläinen

2020

Proceedings of the Tenth ACM Conference on Data and Application Security and Privacy

View full text Add to dashboard Cite

Static and dynamic binary analysis techniques are actively used to reverse engineer software's behavior and to detect its vulnerabilities, even when only the binary code is available for analysis. To avoid analysis errors due to misreading op-codes for a wrong CPU architecture, these analysis tools must precisely identify the Instruction Set Architecture (ISA) of the object code under analysis. The variety of CPU architectures that modern security and reverse engineering tools must support is ever increasing due to massive proliferation of IoT devices and the diversity of firmware and malware targeting those devices. Recent studies concluded that falsely identifying the binary code's ISA caused alone about 10% of failures of IoT firmware analysis. The state of the art approaches detecting ISA for executable object code look promising, and their results demonstrate effectiveness and high-performance. However, they lack the support of publicly available datasets and toolsets, which makes the evaluation, comparison, and improvement of those techniques, datasets, and machine learning models quite challenging (if not impossible). This paper bridges multiple gaps in the field of automated and precise identification of architecture and endianness of binary files and object code. We develop from scratch the toolset and datasets that are lacking in this research space. As such, we contribute a comprehensive collection of open data, open source, and open API web-services. We also attempt experiment reconstruction and cross-validation of effectiveness, efficiency, and results of the state of the art methods. When training and testing classifiers using solely code-sections from executable binary files, all our classifiers performed equally well achieving over 98% accuracy. The results are consistent and comparable with the current state of the art, hence supports the general validity of the algorithms, features, and approaches suggested in those works. CCS CONCEPTS• Security and privacy → Software reverse engineering; • Computing methodologies → Machine learning; • Computer systems organization → Embedded and cyber-physical systems. * This paper is based on: author's MSc thesis [21] and extended pre-print version [22].

show abstract

“…In detail, we leverage the technique in our previous work [68] In our semantic analysis, for both patched and original partial traces, we first generate various configurations of pre-state and run the partial traces and measure the corresponding post-state values. Then, we compute the semantic summary for patched and original partial traces, and compare them following the techniques in [68,69]. Finally, if the semantic difference is below a pre-defined threshold value (i.e., < ∆ d ).…”

Section: Identifying Security Patchesmentioning

confidence: 99%

“…Such vulnerability types include, side-channel information leakage, memory leakage and uninitialized variables whose patterns are particular to the OpenSSL binaries. However, summarizing these pattern will enable us to identify clone or copypaste type vulnerabilities that are very commonly observed in the wild [69,75].…”

Section: Patch and Vulnerability Patterns (Rq2)mentioning

confidence: 99%

Scalable analysis for malware and vulnerability detection in binaries

Chandramohan¹

View full text Add to dashboard Cite

for their valuable advice and suggestions that helped me to improve my research work. Further, they also helped to improve my writing skills. In addition, I would like to take this opportunity to thank my friends and colleagues at the Cyber Security Lab (CSL) for their support and making my doctoral journey a pleasant experience. Further, I would also like to thank CSL laboratory executive Mr. Tan Suan Hai for his help and technical support during my stay at Cyber Security Lab. Finally, I am indebted to my parents for their unconditional support and love, and always encouraging me for my studies and raising me to the level where I stand today. vii List of Figures 2.1 BOFM and eBOFM features extracted for the sample malware trace

show abstract

Cross-architecture bug search in binary executables

Cited by 71 publications

References 17 publications

Discovering Vulnerabilities in COTS IoT Devices through Blackbox Fuzzing Web Management Interface

Discovering Vulnerabilities in COTS IoT Devices through Blackbox Fuzzing Web Management Interface

ISAdetect

Scalable analysis for malware and vulnerability detection in binaries

Contact Info

Product

Resources

About