BitBlaze: A New Approach to Computer Security via Binary Analysis

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5352)

Abstract

In this paper, we give an overview of the BitBlaze project, a new approach to computer security via binary analysis. In particular, BitBlaze focuses on building a unified binary analysis platform and using it to provide novel solutions to a broad spectrum of different security problems. The binary analysis platform is designed to enable accurate analysis, to provide an extensible architecture, and to combine static and dynamic analysis as well as program verification techniques in order to satisfy the common needs of security applications. By extracting security-related properties directly from binary programs, BitBlaze enables a principled, root-cause based approach to computer security, offering novel and effective solutions, as demonstrated with over a dozen different security applications.

Keywords

Binary analysis; malware analysis and defense; vulnerability analysis and defense; reverse engineering

Copyright information

© Springer-Verlag Berlin Heidelberg 2008

Authors and Affiliations

  1. UC Berkeley, USA
  2. Carnegie Mellon University, USA
  3. College of William and Mary, USA