Skip to main content
SpringerLink
Log in

iBinHunt: Binary Hunting with Inter-procedural Control Flow

  • Conference paper
Information Security and Cryptology – ICISC 2012 (ICISC 2012)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 7839))

Included in the following conference series:

Abstract

Techniques have been proposed to find the semantic differences between two binary programs when the source code is not available. Analyzing control flow, and in particular, intra-procedural control flow, has become an attractive technique in the latest binary diffing tools since it is more resistant to syntactic, but non-semantic, differences. However, this makes such techniques vulnerable to simple function obfuscation techniques (e.g., function inlining) attackers any malware writers could use. In this paper, we first show function obfuscation as an attack to such binary diffing techniques, and then propose iBinHunt which uses deep taint and automatic input generation to find semantic differences in inter-procedural control flows. Evaluation on comparing various versions of a \(\verb"http"\) server and \(\verb"gzip"\) shows that iBinHunt not only is capable of comparing inter-procedural control flows of two programs, but offers substantially better accuracy and efficiency in binary diffing.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

Similar content being viewed by others

References

  1. BitBlaze: Binary analysis for computer security, http://bitblaze.cs.berkeley.edu/

  2. Briones, I., Gomez, A.: Graphs, entropy and grid computing: Automatic comparison of malware. In: Proceedings of the 2004 Virus Bulletin Conference (2004)

    Google Scholar 

  3. Brumley, D., Hartwig, C., Kang, M.G., Liang, Z., Newsome, J., Poosankam, P., Song, D., Yin, H.: Bitscope: Automatically dissecting malicious binaries. Technical Report, CMU-CS-07-133, School of Computer Science, Carnegie Mellon University (March 2007)

    Google Scholar 

  4. Caballero, J., Poosankam, P., Kreibich, C., Song, D.: Dispatcher: Enabling active botnet infiltration using automatic protocol reverse-engineering. In: Proceedings of the 16th ACM Conference on Computer and Communication Security, Chicago, IL (November 2009)

    Google Scholar 

  5. Carrera, E., Erdelyi, G.: Digital genome mapping al advanced binary malware analysis. In: Proceedings of the 2004 Virus Bulletin Conference (2004)

    Google Scholar 

  6. Cavallaro, L., Saxena, P., Sekar, R.: On the limits of information flow techniques for malware analysis and containment. In: Zamboni, D. (ed.) DIMVA 2008. LNCS, vol. 5137, pp. 143–163. Springer, Heidelberg (2008)

    Chapter  Google Scholar 

  7. Chow, J., Pfaff, B., Garfinkel, T., Christopher, K., Rosenblum, M.: Understanding data lifetime via whole system simulation. In: 13th USENIX Security Symposium (2004)

    Google Scholar 

  8. Chow, S., Gu, Y., Johnson, H., Zakharov, V.: An approach to the obfuscation of control-flow of sequential computer programs. In: Davida, G.I., Frankel, Y. (eds.) ISC 2001. LNCS, vol. 2200, pp. 144–155. Springer, Heidelberg (2001)

    Chapter  Google Scholar 

  9. Collberg, C., Thomborson, C., Low, D.: A taxonomy of obfuscating transformations. Technical Report 148, Department of Computer Sciences, The University of Auckland (July 1997)

    Google Scholar 

  10. Cui, W.: Discoverer: Automatic protocol reverse engineering from network traces. In: Proceedings of the 16th USENIX Security Symposium (2007)

    Google Scholar 

  11. DarunGrim, J.O.: A binary diffing tool, http://www.darungrim.org

  12. Dullien, T., Rolles, R.: Graph-based comparison of executable objects. In: Proceedings of SSTIC 2005 (2005)

    Google Scholar 

  13. Egele, M., Kruegel, C., Kirda, E., Yin, H., Song, D.: Dynamic spyware analysis. In: Proceedings of the 2007 Usenix Annual Conference (2007)

    Google Scholar 

  14. Flake, H.: Structural comparison of executable objects. In: Proceedings of the GI International Conference on Detection of Intrusions & Malware, and Vulnerability Assessment 2004 (2004)

    Google Scholar 

  15. Ganesh, V., Dill, D.L.: A decision procedure for bit-vectors and arrays. In: Damm, W., Hermanns, H. (eds.) CAV 2007. LNCS, vol. 4590, pp. 519–531. Springer, Heidelberg (2007)

    Chapter  Google Scholar 

  16. Ganesh, V., Leek, T., Rinard, M.: Taint-based directed whitebox fuzzing. In: Proceedings of the 2009 IEEE 31st International Conference on Software Engineering (2009)

    Google Scholar 

  17. Gao, D., Reiter, M.K., Song, D.: BinHunt: Automatically finding semantic differences in binary programs. In: Chen, L., Ryan, M.D., Wang, G. (eds.) ICICS 2008. LNCS, vol. 5308, pp. 238–255. Springer, Heidelberg (2008)

    Chapter  Google Scholar 

  18. Garey, M.R., Johnso, D.S.: Computers and intractability: A guide to the theory of np-completeness (1979)

    Google Scholar 

  19. Godefroid, P., Levin, M.Y., Molnar, D.: Automated whitebox fuzz testing. In: Network and Distributed System Security Symposium, NDSS 2008 (2008)

    Google Scholar 

  20. Hu, X., Chiueh, T., Shin, K.: Large-scale malware indexing using function-call graphs. In: Proceedings of the 16th ACM Conference on Computer and Communications Security (2009)

    Google Scholar 

  21. Jeongwook, O.: Fight against 1-day exploits: Diffing binaries vs anti-diffing binaries. In: Black Hat (2009)

    Google Scholar 

  22. Kruegel, C., Kirda, E., Mutz, D., Robertson, W., Vigna, G.: Polymorphic worm detection using structural information of executables. In: Valdes, A., Zamboni, D. (eds.) RAID 2005. LNCS, vol. 3858, pp. 207–226. Springer, Heidelberg (2006)

    Chapter  Google Scholar 

  23. Levi, G.: A note on the derivation of maximal common subgraphs of two directed or undirected graphs. Calcolo 9 (1972)

    Google Scholar 

  24. Li, P., Gao, D., Reiter, M.K.: Automatically adapting a trained anomaly detector to software patches. In: Kirda, E., Jha, S., Balzarotti, D. (eds.) RAID 2009. LNCS, vol. 5758, pp. 142–160. Springer, Heidelberg (2009)

    Chapter  Google Scholar 

  25. Molnar, D., Li, X.C., Wagner, D.: Dynamic test generation to find integer bugs in x86 binary linux programs. In: Proceedings of USENIX Security Symposium (2009)

    Google Scholar 

  26. Newsome, J., Song, D.: Dynamic taint analysis for automatic detection, analysis, and signature generation of exploits on commodity software. In: Network and Distributed System Security Symposium, NDSS 2005 (2005)

    Google Scholar 

  27. Tenable Network Security Inc. PatchDiff. A patch analysis plugin for ida, http://cgi.tenablesecurity.com/tenable/patchdiff.php

  28. Raymond, J., Willett, P.: Maximum common subgraph isomorphism algorithms for the matching of chemical structures. Journal of Computer-Aided Molecular Design 16 (2002)

    Google Scholar 

  29. Schwartz, E.J., Avgerinos, T., Brumley, D.: All you ever wanted to know about dynamic taint analysis and forward symbolic execution (but might have been afraid to ask). In: Proceedings of the 2010 IEEE Symposium on Security and Privacy (2010)

    Google Scholar 

  30. Song, D., Brumley, D., Yin, H., Caballero, J., Jager, I., Kang, M.G., Liang, Z., Newsome, J., Poosankam, P., Saxena, P.: BitBlaze: A new approach to computer security via binary analysis. In: Sekar, R., Pujari, A.K. (eds.) ICISS 2008. LNCS, vol. 5352, pp. 1–25. Springer, Heidelberg (2008)

    Chapter  Google Scholar 

  31. Suh, G.E., Lee, J.W., Zhang, D., Devadas, S.: Secure program execution via dynamic information flow tracking. In: Proceedings of the 11th International Conference on Architectural Support for Programming Languages and Operating Systems (2004)

    Google Scholar 

  32. Wang, C., Davidson, J., Hill, J., Knight, J.: Protection of software-based survivability mechanisms. In: Proceedings of International Conference of Dependable Systems and Networks (2001)

    Google Scholar 

  33. Wang, Z., Pierce, K., McFarling, S.: Bmat – a binary matching tool for stale profile propagation. Journal of Instruction-Level Parallelism 2 (2000)

    Google Scholar 

  34. Wondracek, G., Comparetti, P.M., Kruegel, C., Kirda, E.: Automatic network protocol analysis. In: Proceedings of the 15th Annual Network and Distributed System Security Symposium, NDSS 2008 (2008)

    Google Scholar 

  35. Yin, H., Song, D.: Panorama: capturing system-wide information flow for malware detection and analysis. In: ACM Conference on Computer and Communications Security, CCS 2007 (2007)

    Google Scholar 

  36. Yin, H., Song, D.: Temu: Binary code analysis via whole-system layered annotative execution. Technical Report, EECS Department, University of California, Berkeley (January 2010)

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. College of Info Sciences and Tech, Penn State University, USA

    Jiang Ming

  2. D’Crypt Pte Ltd., Singapore

    Meng Pan

  3. School of Info Systems, Singapore Management University, Singapore

    Debin Gao

Authors
  1. Jiang Ming
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Meng Pan
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Debin Gao
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. Department of Computer Engineering, Sejong University, 143-747, Seoul, Korea

    Taekyoung Kwon

  2. School of Computer Science and Engineering, Inha University, 402-751, Incheon, Korea

    Mun-Kyu Lee

  3. National Security Research Institute, 306-600, Daejeon, Korea

    Daesung Kwon

Rights and permissions

Reprints and permissions

Copyright information

© 2013 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Ming, J., Pan, M., Gao, D. (2013). iBinHunt: Binary Hunting with Inter-procedural Control Flow. In: Kwon, T., Lee, MK., Kwon, D. (eds) Information Security and Cryptology – ICISC 2012. ICISC 2012. Lecture Notes in Computer Science, vol 7839. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-37682-5_8

Download citation

  • DOI: https://doi.org/10.1007/978-3-642-37682-5_8

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-37681-8

  • Online ISBN: 978-3-642-37682-5

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation