Learning Types for Binaries

Xu, Zhiwu; Cheng, Wen; Qin, Shengchao

doi:10.1007/978-3-319-68690-5_26

Cited by 8 publications

(6 citation statements)

References 19 publications

(19 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Studies on reverse engineering of variable types from binary executables by leveraging the semantics of instructions [20], [21], [22], [23], [24], [25], [26], [27], [28], [29] are related to our work. However, TASE has several differences with existing approaches.…”

Section: Our Work In This Paper We Propose a New Solution Calledmentioning

confidence: 99%

“…Related studies on x86/x64 binaries include recovering parameter types [20], [21], recognizing parameters without recovering parameter types [60], [61], [62], [63], identifying function boundary [64], [65], [66], [67], and inferring variable types [22], [23], [24], [25], [26], [27], [28], [29]. Detailed description is in given Supplementary material K.…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

SigRec: Automatic Recovery of Function Signatures in Smart Contracts

Chen

Luo

et al. 2022

IIEEE Trans. Software Eng.

View full text Add to dashboard Cite

Millions of smart contracts have been deployed onto Ethereum for providing various services, whose functions can be invoked. For this purpose, the caller needs to know the function signature of a callee, which includes its function id and parameter types. Such signatures are critical to many applications focusing on smart contracts, e.g., reverse engineering, fuzzing, attack detection, and profiling. Unfortunately, it is challenging to recover the function signatures from contract bytecode, since neither debug information nor type information is present in the bytecode. To address this issue, prior approaches rely on source code, or a collection of known signatures from incomplete databases or incomplete heuristic rules, which, however, are far from adequate and cannot cope with the rapid growth of new contracts. In this paper, we propose a novel solution that leverages how functions are handled by Ethereum virtual machine (EVM) to automatically recover function signatures. In particular, we exploit how smart contracts determine the functions to be invoked to locate and extract function ids, and propose a new approach named type-aware symbolic execution (TASE) that utilizes the semantics of EVM operations on parameters to identify the number and the types of parameters. Moreover, we develop SigRec, a new tool for recovering function signatures from contract bytecode without the need of source code and function signature databases. The extensive experimental results show that SigRec outperforms all existing tools, achieving an unprecedented 98.7% accuracy within 0.074 seconds. We further demonstrate that the recovered function signatures are useful in attack detection, fuzzing and reverse engineering of EVM bytecode.

show abstract

Section: Our Work In This Paper We Propose a New Solution Calledmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

SigRec: Automatic Recovery of Function Signatures in Smart Contracts

Chen

Luo

et al. 2022

IIEEE Trans. Software Eng.

View full text Add to dashboard Cite

show abstract

“…In the variable recovery phase, TIE uses VSA to infer high-level variable locations by analyzing access patterns in memory. BITY [33] uses a pre-learned classifier to predict types for binaries. BITY first recovers variables from binary codes using VSA, then extracts the related representative instructions of the variables as well as some other useful information as their features.…”

Section: B Application Of Vsamentioning

confidence: 99%

A Value Set Analysis Refinement Approach Based on Conditional Merging and Lazy Constraint Solving

Lin¹,

Jiang²,

Wang³

et al. 2019

IEEE Access

View full text Add to dashboard Cite

Value set analysis is a common static binary program analysis approach. Value set analysis attempts to identify a tight over-approximation of the program state at any given point in the program and can be used to detect vulnerability. Existing memory corruption detection analysis technologies based on value set analysis have a high false positive rate, because value set analysis suffers from a lack of accuracy. We observed that two main sources of imprecision in value set analysis are merge operation and failed branch conditions tracking. In order to address above problems, in this paper, we propose a value set analysis refinement approach based on conditional merging and lazy constraint solving. We propose a variable dependence analysis algorithm to divide program paths into subsets and only merge the states which satisfy the condition that the states are from the same subset, which reduces the imprecision from the merging operation. We collect path predicates as path constraint and solve the path constraint using Satisfiability Modulo Theories (SMT) solver lazily to get a tighter number range of the variable when a variable need be refined, which reduces the imprecision from the failed branch conditions tracking. We implement a prototype system RVSA based on the proposed approach and verify its effectiveness according to experimentation. Compared with state-of-the-art approach, the experimental results demonstrate that the false positive rate is reduced by 12.9%. Furthermore, using our proposed approach, 25 zero-day vulnerabilities are found in the Netgear httpd binary.

show abstract

“…• A series of experiments are conducted to evaluate our approach, which demonstrated that our approach is able to learn more precise types, with reasonable performance, and can help detect malware. This paper extends [11] and further contains the details of the revised algorithms, a points-to analysis for pointer and struct, the generation of the type learning problem, more experiments and several recent related work. In more detail, we first revise the variable recovery algorithm and instruction extraction algorithm for global variables.…”

Section: Introductionmentioning

confidence: 99%

“…end if 25: end for 26: return V Compared to our conference version [11], there are two minor differences for the processing for pointer type: one is to take some possible offsets into account, that is, the address pattern * (v + of f set) in Line 11; and the other is to extend transitivity of variables from data registers to any possible variables, that is v in Line 13 can be any possible variable. Both of them enable us to find more indirect variables.…”

mentioning

confidence: 99%

Type Learning for Binaries and Its Applications

Cheng

Qin

2019

IEEE Trans. Rel.

Self Cite

View full text Add to dashboard Cite

Binary type inference is a challenging problem due partly to the fact that during the compilation much type-related information has been lost. Most existing research work resorts to program analysis techniques, which can be either too heavyweight to be viable in practice or too conservative to be able to infer types with high accuracy. In this work, we propose a new approach to learning types for binary code. Motivated by "duck typing", our approach learn types for recovered variables from their features and properties (e.g., related representative instructions). We first use machine learning to train a classifier with basic types as its levels from binaries with debugging information. The classifier is then used to learn types for new, unseen binaries. While for composite types, such as pointer and struct, a points-to analysis is performed. Finally, several experiments are conducted to evaluate our approach. The results demonstrate that our approach is more precise, both in terms of correct types and compatible types, than the commercial tool Hey-Rays, the open source tool Snowman and a recent tool EKLAVYA using machine learning. We also show that the type information our proposed system learns is capable of helping detect malware.

show abstract

Learning Types for Binaries

Cited by 8 publications

References 19 publications

SigRec: Automatic Recovery of Function Signatures in Smart Contracts

SigRec: Automatic Recovery of Function Signatures in Smart Contracts

A Value Set Analysis Refinement Approach Based on Conditional Merging and Lazy Constraint Solving

Type Learning for Binaries and Its Applications

Contact Info

Product

Resources

About