SOK: (State of) The Art of War: Offensive Techniques in Binary Analysis

Shoshitaishvili, Yan; Wang, Ruoyu; Salls, Christopher; Stephens, Nick; Polino, Mario; Dutcher, Andrew; Grosen, John; Feng, Siji; Hauser, Christophe; Kruegel, Christopher; Vigna, Giovanni

doi:10.1109/sp.2016.17

Cited by 623 publications

(347 citation statements)

References 41 publications

Supporting

Mentioning

345

Contrasting

Unclassified

Order By: Relevance

“…Furthermore, we extend the feature set with the frequency of selected byte patterns known to characterize certain architectures, encoded as regular expressions to obtain a fair trade-off between expressive power and matching speed. We include the patterns of known function prologues and epilogues from the archinfo project part of angr, a binary analysis framework [3]. While this latter set of features is a signature and requires effort to adapt to further architectures, we remark that it is completely optional and allows ELISA to perform better in discriminating between similar architectures.…”

Section: Isa Identificationmentioning

confidence: 99%

“…cpu_rec [36] is a plugin for the popular binwalk tool that uses a statistical approach, based on Markov chains with similarity measures by cross-entropy computation, to detect the CPU architecture or a binary file, or of part of a binary file, among a corpus of 72 architectures. A completely different approach leverages static signatures: the Angr static analysis framework [3] includes a tool (Boyscout) to identify the CPU architecture of an executable by matching the file to a set of signatures containing the byte patterns of function prologues and epilogues of the known architectures, and picking the architecture with most matches; as a drawback, the signatures require maintenance and their quality and completeness is critical for the quality of the classification; also, this method may fail on heavily optimized or obfuscated code lacking of function prologues and epilogues.…”

Section: Related Workmentioning

confidence: 99%

“…They range from disassemblers and decompilers, to complex analysis frameworks [1,2] that combine static analysis with other techniques, primarily symbolic execution [3,4], fuzzing [5,6], or both [7]. Binary analysis techniques are useful in many domains: For example, discovering vulnerabilities [8], understanding and reconstructing the behavior of a program, as well as modifying legacy software when the source code is lost (e.g., to apply security [9] or functionality patches).…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

ELISA: ELiciting ISA of Raw Binaries for Fine-Grained Code and Data Separation

Nicolao

Pogliani

Polino

et al. 2018

Detection of Intrusions and Malware, and Vulnerability Assessment

Self Cite

View full text Add to dashboard Cite

Static binary analysis techniques are widely used to reconstruct the behavior and discover vulnerabilities in software when source code is not available. To avoid errors due to mis-interpreting data as machine instructions (or vice-versa), disassemblers and static analysis tools must precisely infer the boundaries between code and data. However, this information is often not readily available. Worse, compilers may embed small chunks of data inside the code section. Most state of the art approaches to separate code and data are rooted on recursive traversal disassembly, with severe limitations when dealing with indirect control instructions. We propose ELISA, a technique to separate code from data and ease the static analysis of executable files. ELISA leverages supervised sequential learning techniques to locate the code section(s) boundaries of header-less binary files, and to predict the instruction boundaries inside the identified code section. As a preliminary step, if the Instruction Set Architecture (ISA) of the binary is unknown, ELISA leverages a logistic regression model to identify the correct ISA from the file content. We provide a comprehensive evaluation on a dataset of executables compiled for different ISAs, and we show that our method is capable to identify code sections with a byte-level accuracy (F1 score) ranging from 98.13% to over 99.9% depending on the ISA. Fine-grained separation of code from embedded data on x86, x86-64 and ARM executables is accomplished with an accuracy of over 99.9%.

show abstract

Section: Isa Identificationmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

ELISA: ELiciting ISA of Raw Binaries for Fine-Grained Code and Data Separation

Nicolao

Pogliani

Polino

et al. 2018

Detection of Intrusions and Malware, and Vulnerability Assessment

Self Cite

View full text Add to dashboard Cite

show abstract

“…If the process is stopped by the conditional statement, the concolic engine is used to guide the next section and the fuzzer takes over again and searches for vulnerabilities in the deep path more quickly. Driller is a hybrid fuzzing tool using AFL (American Fuzzy Lop) [9] and Angr [18]. AFL is a fuzzer that generates and transforms input values through a genetic algorithm and Angr is an engine that performs symbol execution by converting binary codes into Valgrind's VEX IR, which is also known by Mayhem and S2E [19] as the most optimized symbol execution engine.…”

Section: Hybrid Fuzzingmentioning

confidence: 99%

An Automated Vulnerability Detection and Remediation Method for Software Security

Jurn¹,

Kim²,

Kim³

2018

Sustainability

View full text Add to dashboard Cite

Abstract:As hacking techniques become more sophisticated, vulnerabilities have been gradually increasing. Between 2010 and 2015, around 80,000 vulnerabilities were newly registered in the CVE (Common Vulnerability Enumeration), and the number of vulnerabilities has continued to rise. While the number of vulnerabilities is increasing rapidly, the response to them relies on manual analysis, resulting in a slow response speed. It is necessary to develop techniques that can detect and patch vulnerabilities automatically. This paper introduces a trend of techniques and tools related to automated vulnerability detection and remediation. We propose an automated vulnerability detection method based on binary complexity analysis to prevent a zero-day attack. We also introduce an automatic patch generation method through PLT/GOT table modification to respond to zero-day vulnerabilities.

show abstract

“…Veritesting [9] is a combination of DSE and SSE, and has been integrated into the angr [29] platform as an effective selecting method to avoid path explosion. Veritesting starts with DSE, when the program encounters a branch and needs to fork new executions, it switches to an SSE-style approach.…”

Section: Pruning Redundance Strategymentioning

confidence: 99%

A Survey of Search Strategies in the Dynamic Symbolic Execution

Liu

Zhou

2017

ITM Web Conf.

View full text Add to dashboard Cite

Dynamic symbolic execution (DSE) is an important way to discover software vulnerabilities. One key challenge in DSE is to find proper paths in the huge program execution space to generate effective inputs. Currently, the main search strategies used for DSE include classical search strategy, heuristic search strategy, and pruning redundance strategy. This paper reviews and compares the main search strategies of DSE in recent years, including the Generational strategy, CarFast, Control-Flow

show abstract

SOK: (State of) The Art of War: Offensive Techniques in Binary Analysis

Cited by 623 publications

References 41 publications

ELISA: ELiciting ISA of Raw Binaries for Fine-Grained Code and Data Separation

ELISA: ELiciting ISA of Raw Binaries for Fine-Grained Code and Data Separation

An Automated Vulnerability Detection and Remediation Method for Software Security

A Survey of Search Strategies in the Dynamic Symbolic Execution

Contact Info

Product

Resources

About