Interprocedural static slicing of binary executables

Kiss, Ákos; Jász, Judit; Lehotai, G.; Gyimóthy, Tibor

doi:10.1109/scam.2003.1238038

Cited by 31 publications

(26 citation statements)

References 24 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The extracted authentication slice 5 is then passed to Firmalice's Symbolic Execution engine. This engine explores the slice symbolically, and attempts to find user inputs that would reach the privileged program point.…”

Section: Approach Overviewmentioning

confidence: 99%

See 1 more Smart Citation

Firmalice - Automatic Detection of Authentication Bypass Vulnerabilities in Binary Firmware

Shoshitaishvili

Wang

Hauser

et al. 2015

Proceedings 2015 Network and Distributed System Security Symposium

261

143

View full text Add to dashboard Cite

Abstract-Embedded devices have become ubiquitous, and they are used in a range of privacy-sensitive and security-critical applications. Most of these devices run proprietary software, and little documentation is available about the software's inner workings. In some cases, the cost of the hardware and protection mechanisms might make access to the devices themselves infeasible. Analyzing the software that is present in such environments is challenging, but necessary, if the risks associated with software bugs and vulnerabilities must be avoided. As a matter of fact, recent studies revealed the presence of backdoors in a number of embedded devices available on the market. In this paper, we present Firmalice, a binary analysis framework to support the analysis of firmware running on embedded devices. Firmalice builds on top of a symbolic execution engine, and techniques, such as program slicing, to increase its scalability. Furthermore, Firmalice utilizes a novel model of authentication bypass flaws, based on the attacker's ability to determine the required inputs to perform privileged operations. We evaluated Firmalice on the firmware of three commercially-available devices, and were able to detect authentication bypass backdoors in two of them. Additionally, Firmalice was able to determine that the backdoor in the third firmware sample was not exploitable by an attacker without knowledge of a set of unprivileged credentials.

show abstract

Section: Approach Overviewmentioning

confidence: 99%

“…That is, starting from a given program point, we can produce every statement on which that point depends. This step leverages slicing techniques from existing work in the literature [5]. Slicing is used to improve the feasibility of the symbolic analysis on large binaries, in two ways.…”

Section: Backward Slicingmentioning

confidence: 99%

Firmalice - Automatic Detection of Authentication Bypass Vulnerabilities in Binary Firmware

Shoshitaishvili

Wang

Hauser

et al. 2015

Proceedings 2015 Network and Distributed System Security Symposium

261

143

View full text Add to dashboard Cite

show abstract

“…In previous work (Kiss et al, 2003) we furnished two static methods for improving the slicing of binaries. The first approach described how architecture specific knowledge could be used to extract information from function prologs and epilogs in order to determine the output parameters of functions more precisely.…”

Section: Refining Static Analysesmentioning

confidence: 99%

“…However, static slices of even small programs are in many cases too large (Beszédes et al, 2002), which means that often too large portions of the code still need to be examined. In our previous paper (Kiss et al, 2003) we applied interprocedural static slicing on real life binary executables and achieved an average slice size of 56-68%. We looked for ways of improving static data dependence analysis but found that, although the number of data dependences could be reduced significantly, sometimes even by 59%, this reduction was not reflected in the size of the slices, which only dropped by 1-4%.…”

Section: Introductionmentioning

confidence: 99%

Using Dynamic Information in the Interprocedural Static Slicing of Binary Executables

2005

View full text Add to dashboard Cite

Although the slicing of programs written in a high-level language has been widely studied in the literature, relatively few papers have been published on the slicing of binary executable programs. The lack of existing solutions for the latter is really hard to understand since the application domain for slicing binaries is similar to that for slicing high-level languages. Furthermore, there are special applications of the slicing of programs without source code like source code recovery, code transformation and the detection of security critical code fragments. In this paper, in addition to describing the method of interprocedural static slicing of binaries, we discuss how the set of the possible targets of indirect call sites can be reduced by dynamically gathered information. Our evaluation of the slicing method shows that, if indirect function calls are extensively used, both the number of edges in the call graph and the size of the slices can be significantly reduced.

show abstract

“…Research carried out during the last decade by our research group [64,65,6,56,55,7,8,36,4,49,9] as well as by others [48,22,33,14,2,31,13,44,32,3,54,37,21,46,28,19,16,34,66] has developed the foundations for performing static analysis at the machine-code level. The machine-code-analysis problem comes in two versions: (i) with symbol-table/debugging information (unstripped executables), and (ii) without symbol-table/debugging information (stripped executables).…”

Section: Introductionmentioning

confidence: 99%

Improved Memory-Access Analysis for x86 Executables

Reps

Balakrishnan²

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. Over the last seven years, we have developed static-analysis methods to recover a good approximation to the variables and dynamically allocated memory objects of a stripped executable, and to track the flow of values through them. It is relatively easy to track the effects of an instruction operand that refers to a global address (i.e., an access to a global variable) or that uses a stack-frame offset (i.e., an access to a local scalar variable via the frame pointer or stack pointer). In our work, our algorithms are able to provide useful information for close to 100% of such "direct" uses and defs.It is much harder for a static-analysis algorithm to track the effects of an instruction operand that uses a non-stack-frame register. These "indirect" uses and defs correspond to accesses to an array or a dynamically allocated memory object. In one study, our approach recovered useful information for only 29% of indirect uses and 33% of indirect defs. However, using the technique described in this paper, the algorithm recovered useful information for 81% of indirect uses and 90% of indirect defs.

show abstract

Interprocedural static slicing of binary executables

Cited by 31 publications

References 24 publications

Firmalice - Automatic Detection of Authentication Bypass Vulnerabilities in Binary Firmware

Firmalice - Automatic Detection of Authentication Bypass Vulnerabilities in Binary Firmware

Using Dynamic Information in the Interprocedural Static Slicing of Binary Executables

Improved Memory-Access Analysis for x86 Executables

Contact Info

Product

Resources

About