All You Ever Wanted to Know About x86/x64 Binary Disassembly But Were Afraid to Ask
Disassembly of binary code is hard, but necessary for improving the security of binary software. Over the past few decades, research in binary disassembly has produced many tools and frameworks, which have been made available to researchers and security professionals. These tools employ a variety of strategies that grant them different characteristics. We have systematically studied nine popular, open-source tools. We couple the manual examination of their code bases with the most comprehensive experimental evaluation thus far, using 3,788 binaries. Our study yields a comprehensive description and organization of strategies for disassembly, classifying each as either an algorithm or a heuristic. Meanwhile, we measure and report the impact of individual algorithms on the results of each tool. We find that while principled algorithms are used by all tools, they still heavily rely on heuristics to increase code coverage. Depending on the heuristics used, different coverage-vs-correctness trade-offs come into play, leading to tools with different strengths and weaknesses.
ShrinkWrap - VTV extension for protecting VTables
C++ is a popular, fast, object-oriented (OO) language used to develop some of the most popular software, such as Web browsers, including Chrome and Mozilla Firefox. OO languages, such as C++, support run-time method binding, i.e., determining the method to be called based on the run-time type of an object, instead of the static type of the pointer pointing to that object. Modern compilers typically provide this functionality through VTables, which provide an efficient way to call the correct method at run time. Unfortunately, VTables are based on indirect calls, i.e., virtual calls, which is what makes them a prominent target for hijacking the control flow of a program. While multiple source- and binary-based solutions for protecting VTables have already been proposed, we found that in practice they are too conservative, which allows determined attackers to circumvent them. In this paper we delve into the design of C++ VTables and match that knowledge against the now industry-standard protection scheme of VTV. We designed a new approach that significantly refines VTV, to offer a provably optimal protection scheme. As we build on top of VTV, we preserve all of its advantages in terms of software compatibility and overhead. Thus, our proposed design comes for free for any user today. Besides the design we also develop a testing methodology, which can be used by future developers to validate their implementations. ShrinkWrap was evaluated using Google Chrome.
Applications can be logically separated into parts that face different types of threats, or suffer dissimilar exposure to a particular threat because of external events or innate properties of the software. Based on this observation, we propose the virtual partitioning of applications, which allows the selective and targeted application of those protection mechanisms that are most needed on each partition, or managing an application's attack surface by protecting the most exposed partition. We demonstrate the value of our scheme by introducing a methodology to automatically partition software based on an intrinsic property such as user authentication. Our approach is able to automatically determine the point where the user authenticates, without access to source code. At runtime, we partition binaries using a binary monitor that utilizes the identified authentication points to split execution into pre- and post-authentication parts, and adapts defenses by switching between protection mechanisms of varied intensity, such as dynamic taint analysis and instruction-set randomization.
REASSURE is a tool based on Intel's PIN dynamic instrumentation framework that implements software self-healing using rescue points. Rescue points are existing code locations that handle certain anticipated errors in the target application, usually by returning an error code. REASSURE is a self-contained mechanism to enable the use of such rescue points on binary-only software, without any changes to the operating system. REASSURE won the best paper award at IWSEC'11, in Tokyo, Japan.
REASSURE is currently not available.
libdft is a framework based on Intel's PIN dynamic instrumentation framework that provides dynamic data flow tracking (DFT) for x86 binaries. DFT can be used to track data while a program is executing, and powers techniques like Dynamic Taint Analysis (DTA) that can be used to harden software. This work appeared in VEE'12.
ISRuPIN is a tool based on Intel's PIN dynamic instrumentation framework that implements instruction-set randomization for x86 binaries in Linux. It is relatively lightweight, and it supports shared libraries and multiple randomization keys. This work appeared in ACSAC'10.
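The following is an added toy model of the per-module keying that the ISRuPIN summary above describes; it is illustration written for this page, not ISRuPIN's code. Each loaded image gets its own key and its code bytes are XORed with that key at load time; the instruction fetch reverses the XOR using the key of the image that owns the fetch address. Bytes an attacker injects (for instance onto the stack) never went through the loader, so the same fetch path turns them into garbage. The address layout, the rule that addresses owned by no image use the main executable's key, and the sample instruction bytes are all assumptions of this model.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

enum { ADDR_SPACE = 256, MAX_MODULES = 4 };

typedef struct { uint32_t base, size; uint8_t key; } isr_module;

typedef struct {
    uint8_t    mem[ADDR_SPACE];     /* flat toy address space (assumption) */
    isr_module mods[MAX_MODULES];   /* one randomization key per loaded image */
    int        nmods;
} isr_process;

/* "Loader": registers the image and stores its code randomized under key. */
static void isr_load(isr_process *p, uint32_t base, const uint8_t *code,
                     uint32_t len, uint8_t key) {
    p->mods[p->nmods++] = (isr_module){ base, len, key };
    for (uint32_t i = 0; i < len; i++) p->mem[base + i] = code[i] ^ key;
}

/* Key selection on instruction fetch: the image owning the address decides.
 * Addresses owned by no image (stack, heap) fall back to the main
 * executable's key, mods[0]; this fallback is an assumption of the model. */
static uint8_t isr_key_for(const isr_process *p, uint32_t addr) {
    for (int i = 0; i < p->nmods; i++)
        if (addr >= p->mods[i].base && addr < p->mods[i].base + p->mods[i].size)
            return p->mods[i].key;
    return p->mods[0].key;
}

/* De-randomizing fetch of len bytes starting at addr. */
static void isr_fetch(const isr_process *p, uint32_t addr, uint8_t *out, uint32_t len) {
    for (uint32_t i = 0; i < len; i++)
        out[i] = p->mem[addr + i] ^ isr_key_for(p, addr + i);
}

/* Constructed sample code: real x86 encodings, but chosen for this demo. */
static const uint8_t EXE_CODE[]  = { 0x55, 0x89, 0xe5, 0xc3 };  /* push ebp; mov ebp,esp; ret */
static const uint8_t LIB_CODE[]  = { 0x31, 0xc0, 0xc3 };        /* xor eax,eax; ret */
static const uint8_t SHELLCODE[] = { 0x31, 0xc0, 0xcd, 0x80 };  /* xor eax,eax; int 0x80 */
enum { EXE_BASE = 0, LIB_BASE = 128, STACK_ADDR = 200, EXE_KEY = 0x5a, LIB_KEY = 0xc3 };

static void setup(isr_process *p) {
    memset(p, 0, sizeof *p);
    isr_load(p, EXE_BASE, EXE_CODE, sizeof EXE_CODE, EXE_KEY);   /* main executable */
    isr_load(p, LIB_BASE, LIB_CODE, sizeof LIB_CODE, LIB_KEY);   /* shared library, own key */
}

/* Legitimate code in both images de-randomizes back to the original bytes. */
bool isr_roundtrip_ok(void) {
    isr_process p; uint8_t buf[8]; setup(&p);
    isr_fetch(&p, EXE_BASE, buf, sizeof EXE_CODE);
    if (memcmp(buf, EXE_CODE, sizeof EXE_CODE) != 0) return false;
    isr_fetch(&p, LIB_BASE, buf, sizeof LIB_CODE);
    return memcmp(buf, LIB_CODE, sizeof LIB_CODE) == 0;
}

/* Injected bytes bypassed the loader, so the fetch path garbles them. */
bool isr_injected_code_garbled(void) {
    isr_process p; uint8_t buf[8]; setup(&p);
    memcpy(&p.mem[STACK_ADDR], SHELLCODE, sizeof SHELLCODE);  /* e.g. written by an overflow */
    isr_fetch(&p, STACK_ADDR, buf, sizeof SHELLCODE);
    return memcmp(buf, SHELLCODE, sizeof SHELLCODE) != 0;
}

/* Why per-image keys must be tracked: a single process-wide key cannot
 * decode a library that was randomized under its own key. */
bool isr_single_key_breaks_library(void) {
    isr_process p; uint8_t buf[8]; setup(&p);
    for (uint32_t i = 0; i < sizeof LIB_CODE; i++) buf[i] = p.mem[LIB_BASE + i] ^ EXE_KEY;
    return memcmp(buf, LIB_CODE, sizeof LIB_CODE) != 0;
}
```

The model assumes the keys stay secret: an attacker who learns an image's key can pre-encode a payload so that it de-randomizes correctly, which is the standard caveat for XOR-based ISR.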
Paranoid Android (PA) is a framework that transparently and faithfully replicates the execution of lightweight devices such as smartphones. By replicating execution on more powerful hardware, PA can apply multiple and diverse security checks on the replica to detect even zero-day attacks. Our prototype works on Google’s Android system. This work appeared in ACSAC'10.
PA can be made available on request.
Eudaemon is a framework for dynamically switching a native application from executing natively to executing under dynamic taint analysis. It is based on Qemu’s user-space emulator. Our work on Eudaemon was published in EuroSys’08.
Eudaemon can be made available on request.
The Argos secure emulator is a whole-system emulator (based on the Qemu emulator) that employs dynamic taint analysis to detect zero-day attacks (such as buffer overflows and dangling-pointer exploits). Argos is primarily used to host honeypots and to analyze the detected attacks. Our work on Argos was published in EUROSYS'06.
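Because libdft, Eudaemon and Argos all rest on the same mechanism, here is one added example of dynamic taint analysis for all three summaries; it is illustration written for this page, not code from any of those tools. A tiny register machine (a hypothetical instruction set, not x86) keeps a shadow taint bit per register and per memory byte, every instruction copies taint along with the data it moves, bytes arriving from an untrusted channel are the taint source, and an indirect jump through a tainted register is the sink that raises the alert, which is the kind of check Argos uses to spot control-flow hijacking. The instruction set, memory layout and sample programs are assumptions of this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

enum { NREG = 4, MEMSZ = 64, WORD = 4 };

typedef enum { OP_LOADI, OP_LOAD, OP_STORE, OP_ADD, OP_JMPR, OP_HALT } opcode;
typedef struct { opcode op; int a, b; } insn;   /* a: register; b: register, immediate or address */

typedef struct {
    uint32_t reg[NREG];
    uint8_t  reg_taint[NREG];   /* shadow bit per register */
    uint8_t  mem[MEMSZ];
    uint8_t  mem_taint[MEMSZ];  /* shadow bit per memory byte */
} vm;

/* Taint source: data arriving from an untrusted channel is marked tainted. */
static void vm_receive(vm *m, int addr, const uint8_t *buf, int len) {
    for (int i = 0; i < len && addr + i < MEMSZ; i++) {
        m->mem[addr + i] = buf[i];
        m->mem_taint[addr + i] = 1;
    }
}

/* Runs prog until HALT or an out-of-range access. Returns true if an
 * indirect jump through a tainted register was attempted (the DTA alert). */
static bool vm_run(vm *m, const insn *prog, int nprog) {
    int pc = 0;
    for (int steps = 0; steps < 1000 && pc >= 0 && pc < nprog; steps++) {
        const insn *in = &prog[pc++];
        int r = in->a, s = in->b;
        switch (in->op) {
        case OP_LOADI:                  /* program constant: clears taint */
            m->reg[r] = (uint32_t)s; m->reg_taint[r] = 0; break;
        case OP_LOAD: {                 /* r = mem[s..s+3]; taint = OR of the shadow bytes */
            if (s < 0 || s + WORD > MEMSZ) return false;
            uint32_t v = 0; uint8_t t = 0;
            for (int i = 0; i < WORD; i++) {
                v |= (uint32_t)m->mem[s + i] << (8 * i);
                t |= m->mem_taint[s + i];
            }
            m->reg[r] = v; m->reg_taint[r] = t; break;
        }
        case OP_STORE:                  /* mem[s..s+3] = r; shadow bytes copy the register's taint */
            if (s < 0 || s + WORD > MEMSZ) return false;
            for (int i = 0; i < WORD; i++) {
                m->mem[s + i] = (m->reg[r] >> (8 * i)) & 0xff;
                m->mem_taint[s + i] = m->reg_taint[r];
            }
            break;
        case OP_ADD:                    /* r += s; result is tainted if either input was */
            m->reg[r] += m->reg[s]; m->reg_taint[r] |= m->reg_taint[s]; break;
        case OP_JMPR:                   /* taint sink: control transfer through a register */
            if (m->reg_taint[r]) return true;
            pc = (int)m->reg[r]; break;
        case OP_HALT:
            return false;
        }
    }
    return false;
}

/* Benign: the jump target is a program constant, so no alert. */
bool demo_constant_jump(void) {
    vm m; memset(&m, 0, sizeof m);
    const insn prog[] = {
        { OP_LOADI, 0, 3 },   /* r0 = 3 */
        { OP_JMPR,  0, 0 },   /* jump to prog[3] */
        { OP_HALT,  0, 0 },
        { OP_HALT,  0, 0 },
    };
    return vm_run(&m, prog, 4);
}

/* Attack: the target arrives in a constructed "packet", passes through a
 * register, an addition with a clean base, a store and a reload; the taint
 * survives every hop and the indirect jump is reported. */
bool demo_tainted_jump(void) {
    vm m; memset(&m, 0, sizeof m);
    const uint8_t msg[4] = { 2, 0, 0, 0 };   /* constructed untrusted input */
    vm_receive(&m, 8, msg, sizeof msg);
    const insn prog[] = {
        { OP_LOAD,  1, 8 },    /* r1 = mem[8..11]  (tainted) */
        { OP_LOADI, 0, 1 },    /* r0 = 1           (clean) */
        { OP_ADD,   1, 0 },    /* r1 = r1 + r0     (still tainted) */
        { OP_STORE, 1, 16 },   /* mem[16..19] = r1 (shadow bytes tainted) */
        { OP_LOAD,  2, 16 },   /* r2 = mem[16..19] (tainted) */
        { OP_JMPR,  2, 0 },    /* alert */
        { OP_HALT,  0, 0 },
    };
    return vm_run(&m, prog, 7);
}

/* Tainted data that only flows to memory and never reaches a control-flow
 * sink raises nothing: DTA flags the use, not the mere presence, of taint. */
bool demo_tainted_data_only(void) {
    vm m; memset(&m, 0, sizeof m);
    const uint8_t msg[4] = { 7, 0, 0, 0 };   /* constructed untrusted input */
    vm_receive(&m, 8, msg, sizeof msg);
    const insn prog[] = {
        { OP_LOAD,  1, 8 },
        { OP_STORE, 1, 16 },
        { OP_HALT,  0, 0 },
    };
    return vm_run(&m, prog, 3);
}
```

The shadow-state layout (one bit per byte, union on arithmetic, clear on constants) is the core of what a Pin-based tracker like libdft maintains for real x86 code; the cost of doing this on every instruction is why Eudaemon switches the analysis on only when needed and why Argos runs it inside an emulator rather than on the production host.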
FFPF is an operating system I/O subsystem that minimizes copying and context switching in the Linux kernel. FFPF was published in OSDI’04. FFPF is now Streamline thanks to Willem De Bruijn.