HI-CFG: Construction by Binary Analysis and Application to Attack Polymorphism

  • Dan Caselden
  • Alex Bazhanyuk
  • Mathias Payer
  • Stephen McCamant
  • Dawn Song
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8134)


Security analysis often requires understanding both the control and data-flow structure of a binary. We introduce a new program representation, a hybrid information- and control-flow graph (HI-CFG), and give algorithms to infer it from an instruction-level trace. As an application, we consider the task of generalizing an attack against a program whose inputs undergo complex transformations before reaching a vulnerability. We apply the HI-CFG to find the parts of the program that implement each transformation, and then generate new attack inputs under a user-specified combination of transformations. Structural knowledge allows our approach to scale to applications that are infeasible with monolithic symbolic execution. Such attack polymorphism shows the insufficiency of any filter that does not support all the same transformations as the vulnerable application. In case studies, we show this attack capability against a PDF viewer and a word processor.
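The abstract says the HI-CFG is inferred from an instruction-level trace but does not spell out the construction, so the following is an added illustration rather than the paper's code. It assumes a toy trace format (alloc/exec/read/write records, constructed below) and builds a graph with code-block nodes, buffer nodes, control-flow edges between consecutively executed blocks, and information-flow edges from the block that last wrote a byte to the block that later reads it. Grouping addresses into buffers by their allocation record and the `transformation_stages` heuristic (the blocks that fill a buffer, plus the buffers those blocks read, delimit one transformation) are simplifications of this example, not the paper's algorithm.

```python
"""Added example: inferring a HI-CFG-style graph from an instruction-level trace.

Illustrative code, not the paper's implementation. The trace record format
and the allocation-based grouping of addresses into buffers are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class HICFG:
    blocks: set = field(default_factory=set)        # code-block nodes (entry addresses)
    buffers: dict = field(default_factory=dict)     # data nodes: name -> (base, size)
    cf_edges: set = field(default_factory=set)      # control flow: (from_block, to_block)
    writes: dict = field(default_factory=lambda: defaultdict(set))  # buffer -> writing blocks
    reads: dict = field(default_factory=lambda: defaultdict(set))   # buffer -> reading blocks
    df_edges: set = field(default_factory=set)      # information flow: (producer, buffer, consumer)


def buffer_for(g, addr):
    """Map an address to the allocated buffer containing it (None if none)."""
    for name, (base, size) in g.buffers.items():
        if base <= addr < base + size:
            return name
    return None


def build_hicfg(trace):
    """One pass over the trace: control-flow edges from block succession,
    data-flow edges from last-writer tracking at byte granularity."""
    g = HICFG()
    cur = None          # block currently executing
    last_writer = {}    # byte address -> block that last wrote it
    for rec in trace:
        kind = rec[0]
        if kind == "alloc":
            _, name, base, size = rec
            g.buffers[name] = (base, size)
        elif kind == "exec":
            _, block = rec
            g.blocks.add(block)
            if cur is not None:
                g.cf_edges.add((cur, block))
            cur = block
        elif kind == "write":
            _, addr, size = rec
            buf = buffer_for(g, addr)
            if buf is not None:
                g.writes[buf].add(cur)
            for a in range(addr, addr + size):
                last_writer[a] = cur
        elif kind == "read":
            _, addr, size = rec
            buf = buffer_for(g, addr)
            if buf is None:
                continue        # stack/global accesses are ignored in this toy
            g.reads[buf].add(cur)
            for a in range(addr, addr + size):
                producer = last_writer.get(a)
                if producer is not None and producer != cur:
                    g.df_edges.add((producer, buf, cur))
    return g


def transformation_stages(g):
    """(input buffers, code blocks, output buffer) triples: the blocks writing
    buffer B, together with the buffers those blocks read, form one stage."""
    stages = []
    for out_buf, writers in g.writes.items():
        inputs = {b for b, readers in g.reads.items() if b != out_buf and readers & writers}
        stages.append((frozenset(inputs), frozenset(writers), out_buf))
    return stages


# Constructed trace: a reader fills file_bytes, a two-block inflate loop turns
# file_bytes into inflated, and a parser block consumes inflated.
TRACE = [
    ("alloc", "file_bytes", 0x7000, 8),
    ("alloc", "inflated", 0x8000, 16),
    ("exec", 0x1000), ("write", 0x7000, 8),                   # read_file
    ("exec", 0x2000), ("exec", 0x2010), ("read", 0x7000, 4), ("write", 0x8000, 8),
    ("exec", 0x2000), ("exec", 0x2010), ("read", 0x7004, 4), ("write", 0x8008, 8),
    ("exec", 0x2000), ("exec", 0x3000), ("read", 0x8000, 16),  # parse
]

if __name__ == "__main__":
    g = build_hicfg(TRACE)
    for src, buf, dst in sorted(g.df_edges):
        print(f"{src:#x} --[{buf}]--> {dst:#x}")
    for inputs, blocks, out in transformation_stages(g):
        print(f"stage: {sorted(inputs)} -> {[hex(b) for b in sorted(blocks)]} -> {out}")
```

On the constructed trace the inflate body (0x2010) is the only block that both reads `file_bytes` and writes `inflated`, so it is reported as the stage between those two buffers; the loop header (0x2000) appears only in control-flow edges, which is what lets the data-flow view separate "the transformation" from surrounding control logic.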


Keywords (machine-generated): memory access; code block; symbolic execution; dynamic allocation; attack generation
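The abstract's attack-polymorphism claim (a filter that does not support all the application's transformations cannot block the attack) can be shown concretely. The following is an added example, not code from the paper: a constructed payload marker standing in for bytes that must reach a parser after passing through PDF-style stream filters. The three transformations are real PDF standard filters (FlateDecode, ASCIIHexDecode, ASCII85Decode) implemented with Python's standard library; where the paper discovers the transformation stages inside the binary via the HI-CFG, this example simply hard-codes them. A signature filter that inspects raw bytes misses every variant, while a filter that re-implements the same decode chain as the application catches them.

```python
"""Added example: attack polymorphism through user-specified filter chains.

Not the paper's code. PAYLOAD is a constructed marker; the three transforms are
stand-ins for the PDF stream filters of the same names.
"""
import base64
import binascii
import itertools
import zlib

PAYLOAD = b"/FontFile BADFONT:" + b"A" * 32   # constructed marker, not a real exploit

# name -> (encode, decode); decode is what the application applies
TRANSFORMS = {
    "FlateDecode": (zlib.compress, zlib.decompress),
    "ASCIIHexDecode": (lambda b: binascii.hexlify(b) + b">",
                       lambda b: binascii.unhexlify(b.rstrip(b">"))),
    "ASCII85Decode": (lambda b: base64.a85encode(b, adobe=True),
                      lambda b: base64.a85decode(b, adobe=True)),
}


def encode(payload, filters):
    """Build input for a /Filter [f1 f2 ...] chain: the application decodes
    f1 first, so the attacker applies the encoders in reverse order."""
    data = payload
    for name in reversed(filters):
        data = TRANSFORMS[name][0](data)
    return data


def decode(data, filters):
    for name in filters:
        data = TRANSFORMS[name][1](data)
    return data


def reaches_vulnerable_parser(data, filters):
    """Stand-in for the application: the 'vulnerability' fires iff the marker
    survives the decode chain intact."""
    return PAYLOAD in decode(data, filters)


def naive_filter(data, signature=PAYLOAD):
    """Signature match on raw bytes: a filter without the app's transformations."""
    return signature in data


def transformation_aware_filter(data, filters, signature=PAYLOAD):
    """Filter that replays the application's decode chain before matching."""
    try:
        return signature in decode(data, filters)
    except (zlib.error, binascii.Error, ValueError):
        return False    # malformed for this chain: the app would reject it too


def polymorphic_variants(payload, max_depth=2):
    """Every filter chain up to max_depth: the 'user-specified combination of
    transformations' from the abstract, enumerated exhaustively here."""
    names = list(TRANSFORMS)
    for depth in range(1, max_depth + 1):
        for chain in itertools.product(names, repeat=depth):
            yield list(chain), encode(payload, list(chain))


if __name__ == "__main__":
    for chain, data in polymorphic_variants(PAYLOAD):
        print(f"{'+'.join(chain):32} naive={naive_filter(data)!s:5} "
              f"aware={transformation_aware_filter(data, chain)!s:5} "
              f"app={reaches_vulnerable_parser(data, chain)}")
```

With three filters and chains of length up to two there are twelve variants; the naive filter flags none of them and the application is reached by all of them. The transformation-aware filter only works because it knows the exact chain, which is the abstract's point: a defender must reproduce every transformation the vulnerable application supports.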





Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • Dan Caselden, FireEye, Inc., USA
  • Alex Bazhanyuk, Intel Corporation, USA
  • Mathias Payer, University of California, Berkeley, USA
  • Stephen McCamant, University of Minnesota, USA
  • Dawn Song, University of California, Berkeley, USA
