On the Representation of Results of Binary Code Reverse Engineering
A representation of algorithms extracted from binary code by reverse engineering is discussed. Both intermediate representations designed for automatic analysis and final representations passed to the end user are considered. The two main tasks of reverse engineering, automatic detection of exploitable vulnerabilities and discovery of undocumented features, are analyzed. The basic scheme of a system implementing the automatic detection of exploitable vulnerabilities is presented, and the key properties of the intermediate representation designed for this problem, which enables efficient generation of a system of equations for an SMT solver, are described. The workflow for discovering undocumented features is described; its steps are localization of the algorithm, its representation in a form convenient for analysis, and investigation of its properties. To automate the first phase, a combined static and dynamic representation is constructed that includes OS-level events and calls to library functions; these serve as anchor points used by the analyst to localize the algorithm. Localization is further supported by code slicing and navigation algorithms. Once the algorithm is localized, work proceeds in two directions: interactive construction of a compact annotated representation of the algorithm as a flowchart, and automated investigation of the algorithm's properties aimed at determining declared and undeclared data flows. The representation of the algorithm is based on simplified models of functions that take into account input and output buffers and on the automatic detection of data dependences between buffers of different function calls. The overall scenario of the analyst's work with such a flowchart in the context of discovering undocumented features is described; this scenario is based on annotating the declared data flows and on the automatic detection of undeclared data flows.
In conclusion, an example of the resulting representation is discussed and directions of further research are outlined.
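As an added illustration (not the paper's code) of the buffer-level function models, dependence detection and declared/undeclared flow check described above, the following Python sketch reduces each recorded call to the byte ranges it reads and writes, derives data dependences between calls from the last writer of each byte, and reports source-to-sink flows the analyst has not annotated as declared. The trace, addresses, call names and the source/sink classification are constructed assumptions.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class Call:
    idx: int       # position in the recorded trace
    name: str      # OS/library call name, used as an anchor point
    kind: str      # "source" (brings external data in), "sink" (sends it out) or ""
    reads: tuple   # (address, size) input buffers the call consumes
    writes: tuple  # (address, size) output buffers the call produces
def dependences(trace):
    """Map each call to the earlier calls whose output bytes it consumes; the last
    writer of every byte is tracked, so an overwrite breaks the older dependence."""
    last_writer, deps = {}, {}
    for c in trace:
        deps[c.idx] = {last_writer[a] for addr, size in c.reads
                       for a in range(addr, addr + size) if a in last_writer}
        for addr, size in c.writes:
            for a in range(addr, addr + size):
                last_writer[a] = c.idx
    return deps
def flows(trace):
    """Source-to-sink pairs (by call name) connected through the dependence graph."""
    deps, by_idx, found = dependences(trace), {c.idx: c for c in trace}, set()
    for sink in (c for c in trace if c.kind == "sink"):
        stack, seen = list(deps[sink.idx]), set()
        while stack:  # walk producers backwards from the sink
            i = stack.pop()
            if i not in seen:
                seen.add(i)
                if by_idx[i].kind == "source":
                    found.add((by_idx[i].name, sink.name))
                stack.extend(deps[i])
    return found
def undeclared_flows(trace, declared):
    """Flows present in the trace that the analyst did not annotate as declared."""
    return flows(trace) - set(declared)

# Constructed trace (hypothetical addresses): read a key from a config file, receive
# a message, encrypt it in place, write it to disk, wipe the key, then send the buffer.
TRACE = (
    Call(0, "ReadFile", "source", (), ((0x1000, 16),)),
    Call(1, "recv", "source", (), ((0x2000, 32),)),
    Call(2, "memcpy", "", ((0x2000, 32),), ((0x3000, 32),)),
    Call(3, "xor_encrypt", "", ((0x3000, 32), (0x1000, 16)), ((0x3000, 32),)),
    Call(4, "WriteFile", "sink", ((0x3000, 32),), ()),
    Call(5, "memset", "", (), ((0x1000, 16),)),
    Call(6, "send", "sink", ((0x1000, 16), (0x3000, 32)), ()),
)
# Analyst annotation of the documented behaviour; nothing is declared to leave via send.
DECLARED = {("recv", "WriteFile"), ("ReadFile", "WriteFile")}
```

Because the wiped key buffer's last writer is memset, the send call's read of it yields no source, while its read of the ciphertext buffer still traces back to both recv and ReadFile, which are reported as undeclared flows.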
Keywords: binary code, combined analysis, intermediate representation