SYMBION: Interleaving Symbolic with Concrete Execution

Gritti, Fabrice; Fontana, Lorenzo; Gustafson, Eric; Pagani, Fabio; Continella, Andrea; Kruegel, Christopher; Vigna, Giovanni

doi:10.1109/cns48642.2020.9162164

Cited by 13 publications

(4 citation statements)

References 19 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…PS 3 can work with various architectures, since we can access the source code and compile it into the corresponding binaries. Angr is an open source binary program analysis framework in Python and has been used extensively in binary analysis [8,17,22], as well as patch presence test [23,33,37]. We use Z3 [15] to simplify the expression and calculation of the stack address offset to ensure that the memory mapping is more precise.…”

Section: Methodsmentioning

confidence: 99%

PS3: Precise Patch Presence Test based on Semantic Symbolic Signature

Zhan,

Hu,

et al. 2024

Proceedings of the IEEE/ACM 46th International Conference on Software Engineering

View full text Add to dashboard Cite

During software development, vulnerabilities have posed a significant threat to users. Patches are the most effective way to combat vulnerabilities. In a large-scale software system, testing the presence of a security patch in every affected binary is crucial to ensure system security. Identifying whether a binary has been patched for a known vulnerability is challenging, as there may only be small differences between patched and vulnerable versions. Existing approaches mainly focus on detecting patches that are compiled in the same compiler options. However, it is common for developers to compile programs with very different compiler options in different situations, which causes inaccuracy for existing methods. In this paper, we propose a new approach named PS 3 , referring to precise patch presence test based on semantic-level symbolic signature. PS 3 exploits symbolic emulation to extract signatures that are stable under different compiler options. Then PS 3 can precisely test the presence of the patch by comparing the signatures between the reference and the target at semantic level.To evaluate the effectiveness of our approach, we constructed a dataset consisting of 3,631 (CVE, binary) pairs of 62 recent CVEs in four C/C++ projects. The experimental results show that PS 3 achieves scores of 0.82, 0.97, and 0.89 in terms of precision, recall, and F1 score, respectively. PS 3 outperforms the state-of-the-art baselines by improving 33% in terms of F1 score and remains stable in different compiler options.

show abstract

Section: Methodsmentioning

confidence: 99%

PS3: Precise Patch Presence Test based on Semantic Symbolic Signature

Zhan,

Hu,

et al. 2024

Proceedings of the IEEE/ACM 46th International Conference on Software Engineering

View full text Add to dashboard Cite

show abstract

“…Angr [47] is a Python-based framework that enables static analyses of binaries and symbolic execution. Recent advances to Angr [14] allow transfering state to and from concrete execution environments (e.g., QEMU) which enables transitioning between concrete and symbolic executions.…”

Section: Related Workmentioning

confidence: 99%

PyPANDA: Taming the PANDAmonium of Whole System Dynamic Analysis

Craig¹,

Fasano²,

Ballo³

et al. 2021

Proceedings 2021 Workshop on Binary Analysis Research

View full text Add to dashboard Cite

“…Angr is an open-source powerful tool for binary analysis ], thus being selected as basis for the MALVERSE development. Angr was also used as basis for other research work in multiple aspects, such as for: tracing disjoint binary functions [Ma et al 2019] (a technique presented in [Caballero et al 2010]), fixing binary loading [Xu et al 2017], or in concolic executions [Gritti et al 2020]. Despite powerful, Angr has some limitations, as pointed in previous work [Yin et al 2018.…”

Section: Related Workmentioning

confidence: 99%

Malware MultiVerse: From Automatic Logic Bomb Identification to Automatic Patching and Tracing

Botacin¹,

Grégio²

2021

Preprint

View full text Add to dashboard Cite

Malware and other suspicious software often hide behaviors and components behind logic bombs and context-sensitive execution paths. Uncovering these is essential to react against modern threats, but current solutions are not ready to detect these paths in a completely automated manner. To bridge this gap, we propose the Malware Multiverse (MALVERSE), a solution able to inspect multiple execution paths via symbolic execution aiming to discover function inputs and returns that trigger malicious behaviors. MALVERSE automatically patches the context-sensitive functions with the identified symbolic values to allow the software execution in a traditional sandbox. We implemented MALVERSE on top of Angr and evaluated it with a set of Linux and Windows evasive samples. We found that MALVERSE was able to generate automatic patches for the most common evasion techniques (e.g., ptrace checks).

show abstract

SYMBION: Interleaving Symbolic with Concrete Execution

Cited by 13 publications

References 19 publications

PS3: Precise Patch Presence Test based on Semantic Symbolic Signature

PS3: Precise Patch Presence Test based on Semantic Symbolic Signature

PyPANDA: Taming the PANDAmonium of Whole System Dynamic Analysis

Malware MultiVerse: From Automatic Logic Bomb Identification to Automatic Patching and Tracing

Contact Info

Product

Resources

About