Advertisement

iBinHunt: Binary Hunting with Inter-procedural Control Flow

  • Jiang Ming
  • Meng Pan
  • Debin Gao
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7839)

Abstract

Techniques have been proposed to find the semantic differences between two binary programs when the source code is not available. Analyzing control flow, and in particular, intra-procedural control flow, has become an attractive technique in the latest binary diffing tools since it is more resistant to syntactic, but non-semantic, differences. However, this makes such techniques vulnerable to simple function obfuscation techniques (e.g., function inlining) attackers any malware writers could use. In this paper, we first show function obfuscation as an attack to such binary diffing techniques, and then propose iBinHunt which uses deep taint and automatic input generation to find semantic differences in inter-procedural control flows. Evaluation on comparing various versions of a \(\verb"http"\) server and \(\verb"gzip"\) shows that iBinHunt not only is capable of comparing inter-procedural control flows of two programs, but offers substantially better accuracy and efficiency in binary diffing.

Keywords

binary diffing semantic difference taint analysis 

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. 1.
    BitBlaze: Binary analysis for computer security, http://bitblaze.cs.berkeley.edu/
  2. 2.
    Briones, I., Gomez, A.: Graphs, entropy and grid computing: Automatic comparison of malware. In: Proceedings of the 2004 Virus Bulletin Conference (2004)Google Scholar
  3. 3.
    Brumley, D., Hartwig, C., Kang, M.G., Liang, Z., Newsome, J., Poosankam, P., Song, D., Yin, H.: Bitscope: Automatically dissecting malicious binaries. Technical Report, CMU-CS-07-133, School of Computer Science, Carnegie Mellon University (March 2007)Google Scholar
  4. 4.
    Caballero, J., Poosankam, P., Kreibich, C., Song, D.: Dispatcher: Enabling active botnet infiltration using automatic protocol reverse-engineering. In: Proceedings of the 16th ACM Conference on Computer and Communication Security, Chicago, IL (November 2009)Google Scholar
  5. 5.
    Carrera, E., Erdelyi, G.: Digital genome mapping al advanced binary malware analysis. In: Proceedings of the 2004 Virus Bulletin Conference (2004)Google Scholar
  6. 6.
    Cavallaro, L., Saxena, P., Sekar, R.: On the limits of information flow techniques for malware analysis and containment. In: Zamboni, D. (ed.) DIMVA 2008. LNCS, vol. 5137, pp. 143–163. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  7. 7.
    Chow, J., Pfaff, B., Garfinkel, T., Christopher, K., Rosenblum, M.: Understanding data lifetime via whole system simulation. In: 13th USENIX Security Symposium (2004)Google Scholar
  8. 8.
    Chow, S., Gu, Y., Johnson, H., Zakharov, V.: An approach to the obfuscation of control-flow of sequential computer programs. In: Davida, G.I., Frankel, Y. (eds.) ISC 2001. LNCS, vol. 2200, pp. 144–155. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  9. 9.
    Collberg, C., Thomborson, C., Low, D.: A taxonomy of obfuscating transformations. Technical Report 148, Department of Computer Sciences, The University of Auckland (July 1997)Google Scholar
  10. 10.
    Cui, W.: Discoverer: Automatic protocol reverse engineering from network traces. In: Proceedings of the 16th USENIX Security Symposium (2007)Google Scholar
  11. 11.
    DarunGrim, J.O.: A binary diffing tool, http://www.darungrim.org
  12. 12.
    Dullien, T., Rolles, R.: Graph-based comparison of executable objects. In: Proceedings of SSTIC 2005 (2005)Google Scholar
  13. 13.
    Egele, M., Kruegel, C., Kirda, E., Yin, H., Song, D.: Dynamic spyware analysis. In: Proceedings of the 2007 Usenix Annual Conference (2007)Google Scholar
  14. 14.
    Flake, H.: Structural comparison of executable objects. In: Proceedings of the GI International Conference on Detection of Intrusions & Malware, and Vulnerability Assessment 2004 (2004)Google Scholar
  15. 15.
    Ganesh, V., Dill, D.L.: A decision procedure for bit-vectors and arrays. In: Damm, W., Hermanns, H. (eds.) CAV 2007. LNCS, vol. 4590, pp. 519–531. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  16. 16.
    Ganesh, V., Leek, T., Rinard, M.: Taint-based directed whitebox fuzzing. In: Proceedings of the 2009 IEEE 31st International Conference on Software Engineering (2009)Google Scholar
  17. 17.
    Gao, D., Reiter, M.K., Song, D.: BinHunt: Automatically finding semantic differences in binary programs. In: Chen, L., Ryan, M.D., Wang, G. (eds.) ICICS 2008. LNCS, vol. 5308, pp. 238–255. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  18. 18.
    Garey, M.R., Johnso, D.S.: Computers and intractability: A guide to the theory of np-completeness (1979)Google Scholar
  19. 19.
    Godefroid, P., Levin, M.Y., Molnar, D.: Automated whitebox fuzz testing. In: Network and Distributed System Security Symposium, NDSS 2008 (2008)Google Scholar
  20. 20.
    Hu, X., Chiueh, T., Shin, K.: Large-scale malware indexing using function-call graphs. In: Proceedings of the 16th ACM Conference on Computer and Communications Security (2009)Google Scholar
  21. 21.
    Jeongwook, O.: Fight against 1-day exploits: Diffing binaries vs anti-diffing binaries. In: Black Hat (2009)Google Scholar
  22. 22.
    Kruegel, C., Kirda, E., Mutz, D., Robertson, W., Vigna, G.: Polymorphic worm detection using structural information of executables. In: Valdes, A., Zamboni, D. (eds.) RAID 2005. LNCS, vol. 3858, pp. 207–226. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  23. 23.
    Levi, G.: A note on the derivation of maximal common subgraphs of two directed or undirected graphs. Calcolo 9 (1972)Google Scholar
  24. 24.
    Li, P., Gao, D., Reiter, M.K.: Automatically adapting a trained anomaly detector to software patches. In: Kirda, E., Jha, S., Balzarotti, D. (eds.) RAID 2009. LNCS, vol. 5758, pp. 142–160. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  25. 25.
    Molnar, D., Li, X.C., Wagner, D.: Dynamic test generation to find integer bugs in x86 binary linux programs. In: Proceedings of USENIX Security Symposium (2009)Google Scholar
  26. 26.
    Newsome, J., Song, D.: Dynamic taint analysis for automatic detection, analysis, and signature generation of exploits on commodity software. In: Network and Distributed System Security Symposium, NDSS 2005 (2005)Google Scholar
  27. 27.
    Tenable Network Security Inc. PatchDiff. A patch analysis plugin for ida, http://cgi.tenablesecurity.com/tenable/patchdiff.php
  28. 28.
    Raymond, J., Willett, P.: Maximum common subgraph isomorphism algorithms for the matching of chemical structures. Journal of Computer-Aided Molecular Design 16 (2002)Google Scholar
  29. 29.
    Schwartz, E.J., Avgerinos, T., Brumley, D.: All you ever wanted to know about dynamic taint analysis and forward symbolic execution (but might have been afraid to ask). In: Proceedings of the 2010 IEEE Symposium on Security and Privacy (2010)Google Scholar
  30. 30.
    Song, D., Brumley, D., Yin, H., Caballero, J., Jager, I., Kang, M.G., Liang, Z., Newsome, J., Poosankam, P., Saxena, P.: BitBlaze: A new approach to computer security via binary analysis. In: Sekar, R., Pujari, A.K. (eds.) ICISS 2008. LNCS, vol. 5352, pp. 1–25. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  31. 31.
    Suh, G.E., Lee, J.W., Zhang, D., Devadas, S.: Secure program execution via dynamic information flow tracking. In: Proceedings of the 11th International Conference on Architectural Support for Programming Languages and Operating Systems (2004)Google Scholar
  32. 32.
    Wang, C., Davidson, J., Hill, J., Knight, J.: Protection of software-based survivability mechanisms. In: Proceedings of International Conference of Dependable Systems and Networks (2001)Google Scholar
  33. 33.
    Wang, Z., Pierce, K., McFarling, S.: Bmat – a binary matching tool for stale profile propagation. Journal of Instruction-Level Parallelism 2 (2000)Google Scholar
  34. 34.
    Wondracek, G., Comparetti, P.M., Kruegel, C., Kirda, E.: Automatic network protocol analysis. In: Proceedings of the 15th Annual Network and Distributed System Security Symposium, NDSS 2008 (2008)Google Scholar
  35. 35.
    Yin, H., Song, D.: Panorama: capturing system-wide information flow for malware detection and analysis. In: ACM Conference on Computer and Communications Security, CCS 2007 (2007)Google Scholar
  36. 36.
    Yin, H., Song, D.: Temu: Binary code analysis via whole-system layered annotative execution. Technical Report, EECS Department, University of California, Berkeley (January 2010)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • Jiang Ming
    • 1
  • Meng Pan
    • 2
  • Debin Gao
    • 3
  1. 1.College of Info Sciences and TechPenn State UniversityUSA
  2. 2.D’Crypt Pte Ltd.Singapore
  3. 3.School of Info SystemsSingapore Management UniversitySingapore

Personalised recommendations