Make it work, make it right, make it fast: building a platform-neutral whole-system dynamic binary analysis platform

Henderson, Andrew; Prakash, Aravind; Yan, Lok Kwong; Hu, Xin; Wang, Xujiewen; Zhou, Rundong; Yin, Heng

doi:10.1145/2610384.2610407

Cited by 80 publications

(31 citation statements)

References 16 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…One could define the ground truth semantics of an instruction set for all possible states, and prove the above properties. In fact, recent work on the DECAF engine has manually specified instruction semantics for the integer arithmetic subset of instructions in SMT theories and has proved comparable properties of manually engineered taint rules [28]. While it is a laudable goal, scaling this approach to entire complex instruction sets (e.g.…”

Section: A the Taint Inference Problemmentioning

confidence: 99%

“…Since its introduction over a decade ago, numerous taint analysis engines have been developed. Most of these taint analysis engines have been based on a deductive approach [11], [15], [20], [28], [32], [42], [51]. A taint engine has a set of static rules called taint propagation rules capturing how the inputs of a program statement influence (or taint) its outputs.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

One Engine To Serve 'em All: Inferring Taint Rules Without Architectural Semantics

Chua¹,

Wang²,

Baluta³

et al. 2019

Proceedings 2019 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

Dynamic binary taint analysis has wide applications in the security analysis of commercial-off-the-shelf (COTS) binaries. One of the key challenges in dynamic binary analysis is to specify the taint rules that capture how taint information propagates for each instruction on an architecture. Most of the existing solutions specify taint rules using a deductive approach by summarizing the rules manually after analyzing the instruction semantics. Intuitively, taint propagation reflects on how an instruction input affects its output, and thus can be observed from instruction executions. In this work, we propose an inductive method for taint propagation and develop a universal taint tracking engine that is architecture-agnostic. Our taint engine, TAINTINDUCE, can learn taint rules with minimal architectural knowledge by observing the execution behavior of instructions. To measure its correctness and guide taint rule generation, we define the precise notion of soundness for bit-level taint tracking in this novel setup. In our evaluation, we show that TAINTINDUCE automatically learns rules for 4 widely used architectures: x86, x64, AArch64, and MIPS-I. It can detect vulnerabilities for 24 CVEs in 15 applications on both Linux and Windows over millions of instructions and is comparable with other mature existing tools (TEMU [51], libdft [32], Triton [42]). TAINTINDUCE can be used as a stand-alone taint engine or be used to complement existing taint engines for unhandled instructions. Further, it can be used as a cross-referencing tool to uncover bugs in taint engines, emulation implementations and ISA documentations.

show abstract

Section: A the Taint Inference Problemmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

One Engine To Serve 'em All: Inferring Taint Rules Without Architectural Semantics

Chua¹,

Wang²,

Baluta³

et al. 2019

Proceedings 2019 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

show abstract

“…Due to the rise of symbolic execution, some researchers attempt to provide a combination method of dynamic taint analysis and symbolic execution, such as DTA++ [10], BitBlaze [11], and DECAF [12], which can improve the path coverage of dynamic taint analysis. Lai et al [13] mark each byte of external input data to perform fine-grained taint analysis, which improves the granularity of dynamic taint analysis.…”

Section: Related Workmentioning

confidence: 99%

OFFDTAN: A New Approach of Offline Dynamic Taint Analysis for Binaries

Wang

Dou

et al. 2018

Security and Communication Networks

View full text Add to dashboard Cite

Dynamic taint analysis is a powerful technique for tracking the flow of sensitive information. Different approaches have been proposed to accelerate this process in an online or offline manner. Unfortunately, most of these approaches still have performance bottlenecks and thus reduce analytical efficiency. To address this limitation, we present OFFDTAN, a new approach of offline dynamic taint analysis for binaries. OFFDTAN can be described in terms of four stages: dynamic information acquisition, vulnerability modeling, offline analysis, and backtrace analysis. It first records program runtime information and models the stack buffer overflow vulnerabilities and controlled jump vulnerabilities. Then it performs offline analysis and backtrace analysis to locate vulnerabilities. We implement OFFDTAN on the basis of QEMU virtual machine and apply it to off-the-shelf applications. In order to illustrate how our approach works, we first employ a case study. Furthermore, six applications have been verified so as to evaluate our approach. Experimental results demonstrate that our approach is correct and effective. Compared with other offline analysis tools, OFFDTAN has much lower application runtime overhead.

show abstract

“…Figure 1 depicts the workflow to build our reference extractor. We first open three classes of labeled PDF samples (i.e., well-formed PDFs with JavaScript, well-formed PDFs without JavaScript and malformed PDFs) with Adobe Reader in an execution monitor [20] to collect memory access and execution traces. In the end, we perform offline analysis on the traces to identify three tap points that are associated with JavaScript extraction, PDF processing termination and processing error.…”

Section: A the Need For A New Techniquementioning

confidence: 99%

Extract Me If You Can: Abusing PDF Parsers in Malware Detectors

Carmony

Yin

et al. 2016

Proceedings 2016 Network and Distributed System Security Symposium

Self Cite

View full text Add to dashboard Cite

Owing to the popularity of the PDF format and the continued exploitation of Adobe Reader, the detection of malicious PDFs remains a concern. All existing detection techniques rely on the PDF parser to a certain extent, while the complexity of the PDF format leaves an abundant space for parser confusion. To quantify the difference between these parsers and Adobe Reader, we create a reference JavaScript extractor by directly tapping into Adobe Reader at locations identified through a mostly automatic binary analysis technique. By comparing the output of this reference extractor against that of several opensource JavaScript extractors on a large data set obtained from VirusTotal, we are able to identify hundreds of samples which existing extractors fail to extract JavaScript from. By analyzing these samples we are able to identify several weaknesses in each of these extractors. Based on these lessons, we apply several obfuscations on a malicious PDF sample, which can successfully evade all the malware detectors tested. We call this evasion technique a PDF parser confusion attack. Lastly, we demonstrate that the reference JavaScript extractor improves the accuracy of existing JavaScript-based classifiers and how it can be used to mitigate these parser limitations in a real-world setting. Permission to freely reproduce all or part of this paper for noncommercial purposes is granted provided that copies bear this notice and the full citation on the first page. Reproduction for commercial purposes is strictly prohibited without the prior written consent of the Internet Society, the first-named author (for reproduction of an entire paper only), and the author's employer if the paper was prepared within the scope of employment.

show abstract

Make it work, make it right, make it fast: building a platform-neutral whole-system dynamic binary analysis platform

Cited by 80 publications

References 16 publications

One Engine To Serve 'em All: Inferring Taint Rules Without Architectural Semantics

One Engine To Serve 'em All: Inferring Taint Rules Without Architectural Semantics

OFFDTAN: A New Approach of Offline Dynamic Taint Analysis for Binaries

Extract Me If You Can: Abusing PDF Parsers in Malware Detectors

Contact Info

Product

Resources

About