Muhui Jiang,Xiaoye Zheng,Rui Chang,Yajin Zhou,Xiapu Luo

DOI: https://doi.org/10.1109/tse.2024.3406900

IF: 7.4

2024-01-01

IEEE Transactions on Software Engineering

Abstract:Emulators are commonly employed to construct dynamic analysis frameworks due to their ability to perform fine-grained tracing, monitor full system functionality, and run on diverse operating systems and architectures. Nonetheless, the consistency of emulators with the real devices, remains uncertain. To address this issue, our objective is to automatically identify inconsistent instructions that exhibit different behavior between emulators and real devices across distinct privileges, including user-level and system-level privilege.We target the Arm architecture, which provides machine-readable specifications. Based on the specification, we propose a sufficient test case generator by designing and implementing the first symbolic execution engine for the Arm architecture specification language (ASL). We generated 2,774,649 representative instruction streams and developed a differential testing engine, EXAMINER PRO. With this engine, we compared the behavior of real Arm devices across different instruction sets (A32, A64, T16, and T32) with the popular QEMU emulator, both at the user-level and system-level. To demonstrate the generalizability of EXAMINER PRO, we also tested two other emulators, namely Unicorn and Angr. We find that undefined implementation in Arm manual and bugs of emulators are the major causes of inconsistencies. Furthermore, we discover 17 bugs, which influence commonly used instructions (e.g., BLX). With the inconsistent instructions, we build three security applications and demonstrate the capability of these instructions on detecting emulators, anti-emulation, and anti-fuzzing.

Lixin Li,Chao Wang

DOI: https://doi.org/10.1007/978-3-642-40787-1_31

2013-01-01

Abstract:Dynamic analysis techniques have made a significant impact in security practice, e.g. by automating some of the most tedious processes in detecting vulnerabilities. However, a significant gap remains between existing software tools and what many security applications demand. In this paper, we present our work on developing a cross-platform interactive analysis tool, which leverages techniques such as symbolic execution and taint tracking to analyze binary code on a range of platforms. The tool builds upon IDA, a popular reverse engineering platform, and provides a unified analysis engine to handle various instruction sets and operating systems. We have evaluated the tool on a set of real-world applications and shown that it can help identify the root causes of security vulnerabilities quickly.

Wenchuan Yang,Yifei Wang,Baojiang Cui,Chen Chen

DOI: https://doi.org/10.1007/978-3-030-22263-5_38

2020-01-01

Abstract:Binary instrumentation is a process of inserting other code into an executable to observe or modify the binary execution. However, current instrumentation tools depend on platform strongly and the execution efficiency is low, which make it difficult to be used in embedded devices. In this paper, we propose a static instrumentation method using the trampoline technology to perform the binary instrumentation on the Linux OS, which can support CISC and RISC instruction sets. The experiment showed that the file size and execution time of the binary are less affected after instrumentation by comparing with other dynamic and static instrumentation tools.

Fangzheng Lin,Zhongfa Wang,Hiroshi Sasaki

2024-11-18

Abstract:Speculative execution is crucial in enhancing modern processor performance but can introduce Spectre-type vulnerabilities that may leak sensitive information. Detecting Spectre gadgets from programs has been a research focus to enhance the analysis and understanding of Spectre attacks. However, one of the problems of existing approaches is that they rely on the presence of source code (or are impractical in terms of run-time performance and gadget detection ability). This paper presents Teapot, the first Spectre gadget scanner that works on COTS binaries with comparable performance to compiler-based alternatives. As its core principle, we introduce Speculation Shadows, a novel approach that separates the binary code for normal execution and speculation simulation in order to improve run-time efficiency. Teapot is based on static binary rewriting. It instruments the program to simulate the effects of speculative execution and also adds integrity checks to detect Spectre gadgets at run time. By leveraging fuzzing, Teapot succeeds in efficiently detecting Spectre gadgets. Evaluations show that Teapot outperforms both performance (more than 20x performant) and gadget detection ability than a previously proposed binary-based approach.

Cryptography and Security,Hardware Architecture

郑举育,管海兵,梁阿磊

DOI: https://doi.org/10.3969/j.issn.1000-3428.2009.02.099

2009-01-01

Abstract:Common dynamic binary translation system is lack of debugging tools or only provides primitive debugging supports,so debugging technology becomes the bottleneck of developing system software or large scale software.This paper introduces a new debugging technology on dynamic binary translation platform,including reverse executing,debugging script and other new concepts.The debugger implemented on Crossbit is proved that it reduces the time for developer to locate bugs sharply.

Jun Zhu,Jing Xie,Heather Richter Lipford,Bill Chu

DOI: https://doi.org/10.1016/j.jare.2013.11.006

IF: 12.822

2014-01-01

Journal of Advanced Research

Abstract:Many security incidents are caused by software developers’ failure to adhere to secure programming practices. Static analysis tools have been used to detect software vulnerabilities. However, their wide usage by developers is limited by the special training required to write rules customized to application-specific logic. Our approach is interactive static analysis, to integrate static analysis into Integrated Development Environment (IDE) and provide in-situ secure programming support to help developers prevent vulnerabilities during code construction. No additional training is required nor are there any assumptions on ways programs are built. Our work is motivated in part by the observation that many vulnerabilities are introduced due to failure to practice secure programming by knowledgeable developers. We implemented a prototype interactive static analysis tool as a plug-in for Java in Eclipse. Our technical evaluation of our prototype detected multiple zero-day vulnerabilities in a large open source project. Our evaluations also suggest that false positives may be limited to a very small class of use cases.

Jing Qiu,Xiao Hong Su,Pei Jun Ma

DOI: https://doi.org/10.4028/www.scientific.net/amr.989-994.1782

2014-01-01

Advanced Materials Research

Abstract:Instruction traces are essential for dynamic analysis in reverse engineering. Code in instruction traces is often obfuscated to hinder analysts from understanding and analyzing in malware and binaries that protected by packers. Non-returning calls and call-stack tampering are two typical kinds of such obfuscation. We propose a deobfuscation approach to fight against these two kinds of obfuscated code. We first apply static analysis on instruction traces to identify obfuscated code. Then we transform obfuscated code into semantically equivalent instructions to make the code be easy to understand. Evaluations results on some packed binaries indicate that our approach works well in deobfuscate instruction traces with non-returning calls and call-stack tampering in high precision.

Yannan Liu,Lingxiao Wei,Zhe Zhou,Kehuan Zhang,Wenyuan Xu,Qiang Xu

DOI: https://doi.org/10.1145/2976749.2978299

2016-01-01

Abstract:With the proliferation of Internet of Things, there is a growing interest in embedded system attacks, e.g., key extraction attacks and firmware modification attacks. Code execution tracking, as the first step to locate vulnerable instruction pieces for key extraction attacks and to conduct control-flow integrity checking against firmware modification attacks, is therefore of great value. Because embedded systems, especially legacy embedded systems, have limited resources and may not support software or hardware update, it is important to design low-cost code execution tracking methods that require as little system modification as possible. In this work, we propose a non-intrusive code execution tracking solution via power-side channel, wherein we represent the code execution and its power consumption with a revised hidden Markov model and recover the most likely executed instruction sequence with a revised Viterbi algorithm. By observing the power consumption of the microcontroller unit during execution, we are able to recover the program execution flow with a high accuracy and detect abnormal code execution behavior even when only a single instruction is modified.

DENG Chao-guo,GU Da-wu,LI Juan-ru,SUN Ming

DOI: https://doi.org/10.3969/j.issn.1001-3695.2011.04.066

2011-01-01

Abstract:This paper proposed an approach of binary analysis based on full-system emulation and instruction-flow analysis technology.This approach ran executable binary code on a virtual machine which used full-system emulation technology,and then captured and analyzed runtime instruction-flow information to figure out this program's feature.This paper covered design and implement of such a binary code analysis system.Experiment result illustrates that it is more efficient and general to capture,extract and analyze runtime instruction-flow information by using this system.This approach is particularly effective to analyze binary code which uses anti-analysis technology.

Shouguo Yang,Zhengzi Xu,Yang Xiao,Zhe Lang,Wei Tang,Yang Liu,Zhiqiang Shi,Hong Li,Limin Sun

DOI: https://doi.org/10.1145/3604608

IF: 3.685

2023-06-17

ACM Transactions on Software Engineering and Methodology

Abstract:Vulnerability is a major threat to software security. It has been proven that binary code similarity detection approaches are efficient to search for recurring vulnerabilities introduced by code sharing in binary software. However, these approaches suffer from high false-positive rates since they usually take the patched functions as vulnerable, and they usually do not work well when binaries are compiled with different compilation settings. To this end, we propose an approach, named Robin , to confirm recurring vulnerabilities by filtering out patched functions. Robin is powered by a lightweight symbolic execution to solve the set of function inputs that can lead to the vulnerability-related code. It then executes the target functions with the same inputs to capture the vulnerable or patched behaviors for patched function filtration. Experimental results show that Robin achieves high accuracy for patch detection across different compilers and compiler optimization levels respectively on 287 real-world vulnerabilities of 10 different software. Based on accurate patch detection, Robin significantly reduces the false-positive rate of state-of-the-art vulnerability detection tools (by 94.3% on average), making them more practical. Robin additionally detects 12 new potentially vulnerable functions.

computer science, software engineering

XUE Zhi-ping,XUE Zhi,WANG Yi-jun

DOI: https://doi.org/10.3969/j.issn.1009-8054.2008.01.031

2008-01-01

Abstract:A Unix security auditing system based on dynamic tracing is described in this paper, and the design and realization are discussed. In the system, the detectors, set by dynamic tracing DTrace in the kernel, are used to collect audit information, and the audit logs are written in a standard format. Meanwhile, the secure storage and automatic analysis for the logs are realized in C/S mode.

Ping CHEN,Hao HAN,Xiao-bing SHEN,Xin-chun YIN,Bing MAO,Li XIE

2010-01-01

Tien Tzu Hsueh Pao/Acta Electronica Sinica

Abstract:In recent years, Integer bugs have been rising sharply and become a potential threat as it is often hidden behind other bugs. In this paper, we propose a tool which can automatically detect Integer bugs. We implement the tool based on static and dynamic program analysis. In the static phase, the tool decompiles a binary and creates the suspect instruction set. In the dynamic phase, it monitors the instructions in the suspect set and generates the test cases to further detect which instructions are real Integer bugs. Our tool has two advantages. First, it provides more accurate and sufficient type information. Second, static analysis reduces the instructions which are monitored at runtime. Experimental results shows that our tool can efficiently detect the Integer bugs in several real-world programs. In addition, our tool has no false negatives and low false positives.

Fei Peng,Xiang Gao,Naijie Gu,Ji Qiu

DOI: https://doi.org/10.1109/ICECC.2011.6066387

2011-01-01

Abstract:Dynamic binary instrumentation tools play a very important role in program analysis. The information gathered by these tools is quite useful in software development, testing, debugging, simulation and optimization. SEntre is such an instrumentation system with the features of efficiency, ease-to-use interface, transparency and comprehensiveness. To obtain good performance, we employ instrumentation while copying (IWC) mechanism. The interface provided by SEntre is very simple but powerful. User can develop different tools based on SEntre. To illustrate SEntre's versatility, we describe two tools, one is used to obtain memory access address and the other is an extremely fast simulator.

J. Vadayath,Kyle Zeng,Christophe Hauser,Ruoyu Wang,Y. Fratantonio,Tiffany Bao,Adam Doupé,Nicolaas Weideman,Yan Shoshitaishvili,Moritz Eckert,Gokulkrishna Praveen Menon,D. Balzarotti

Abstract:In spite of their effectiveness in the context of vulnerability discovery, current state-of-the-art binary program analysis approaches are limited by inherent trade-offs between accuracy and scalability. In this paper, we identify a set of vulnerability properties that can aid both static and dynamic vulnerability detection techniques, improving the precision of the former and the scalability of the latter. By carefully integrating static and dynamic techniques, we detect vulnerabilities that exhibit these properties in real-world programs at a large scale. We implemented our technique, making several advancements in the analysis of binary code, and created a prototype called A RBITER . We demonstrate the effectiveness of our approach with a large-scale evaluation on four common vulnerability classes: CWE-131 (Incorrect Calculation of Buffer Size), CWE-252 (Unchecked Return Value), CWE-134 (Un-controlled Format String), and CWE-337 (Predictable Seed in Pseudo-Random Number Generator). We evaluated our approach on more than 76,516 x86-64 binaries in the Ubuntu repositories and discovered new vulnerabilities, including a flaw inserted into programs during compilation.

Computer Science

Yesheng Zhi,Yuanyuan Zhang,Juanru Li,Dawu Gu

DOI: https://doi.org/10.1007/978-3-319-59288-6_47

2016-01-01

Abstract:Security testing of software on embedded devices is often impeded for lacking advanced program analysis tools. The main obstacle is that state-of-the-art tools do not support the instruction set of common architectures of embedded device (e.g., MIPS). It requires either developing new program analysis tool aiming to architecture or introducing many manual efforts to help security testing. However, re-implementing a program analysis tool needs considerable amount of time and is generally a repetitive task. To address this issue efficiently, our observation is that most programs on embedded devices are compiled from source code of high level languages, and it is feasible to compile the same source code to different platforms. Therefore, it is also expected to directly translate the compiled executable to support another platform. This paper presents a binary translation based security testing approach for software on embedded devices. Our approach first translates a MIPS executable to an x86 executable leveraging the LLVM-IR, then reuses existing x86 program analysis tools to help employ in-depth security testing. This approach is not only efficient for it reuses existing tools and utilizes the x86 platform with higher performance to conduct security analysis and testing, but also more flexible for it can test code fragment with different levels of granularity (e.g., a function or an entire program). Our evaluation on frequently used data transformation algorithms and utilities illustrates the accuracy and efficiency of the proposed approach.

Zhe Fang,Minglu Li,Chuliang Weng,Yuan Luo

DOI: https://doi.org/10.1007/978-3-642-10665-1_8

2009-01-01

Abstract:The binary translator is a software component of a computer system. It converts binary code of one ISA into binary code of another ISA. Recent trends show that binary translators have been used to save CPU power consumption and CPU die size, which makes binary translators a possible indispensable component of future computer systems. And such situation would give new opportunities to the security of these computer systems. One of the opportunities is that we can perform malicious code checking dynamically in the layer of binary translators. This approach has many advantages, both in terms of capability of detection and checking overhead. In this paper, we proposed a working dynamic malicious code checking module integrated to an existent open-source binary translator, QEMU, and explained that our module's capability of detection is superior to other malicious code checking methods while acceptable performance is still maintained.

Erzhou Zhu,Haibing Guan,Alei Liang,Rongbin Xu,Xuejian Li,Feng Liu

DOI: https://doi.org/10.1007/978-3-642-38715-9_28

2013-01-01

Abstract:For the purpose of discovering security flaws in software, many dynamic and static taint analyzing techniques have been proposed. The dynamic techniques can precisely find the security flaws of the software; but it suffers from substantial runtime overhead. On the other hand, the static techniques require no runtime overhead; but it is often not accurate enough. In this paper, we propose HYBit, a novel hybrid framework which integrates dynamic and static taint analysis to diagnose the security flaws for binary programs. In the framework, the source binary is first analyzed by the dynamic taint analyzer; then, with the runtime information provided by its dynamic counterpart, the static taint analyzer can process the unexecuted part of the target program easily. Furthermore, a taint behavior filtration mechanism is proposed to optimize the performance of the framework. We evaluate our framework from three perspectives: efficiency, coverage, and effectiveness, and the results are encouraging. © 2013 Springer-Verlag Berlin Heidelberg.

Huajie Chen,Tian Zhang,Lei Bu,Xuandong Li

DOI: https://doi.org/10.1109/ssiri-c.2011.20

2011-01-01

Abstract:Dynamic analysis has been widely used in program analysis. Instrumentation is a general technology used to trace dynamic behavior of software. This paper presents a java source code instrumentation tool, which supports making instrumentation manually and automatically according to rules based on AST analysis. On one hand, users can instrument source code manually. It supports to manage those instrumentation points. On the other hand, code snippets can be instrumented automatically in compliance with criteria defined by users. This tool defines some inside criteria and makes instrumentation automatically for them. What's more, these inside criteria can be expanded. By instrumentation, a dynamic execution report about the java source code can be obtained.

GAO Hai-chang,FENG Bo-qin,HE Hang-jun,ZHU Li

DOI: https://doi.org/10.3969/j.issn.1000-1220.2006.09.011

2006-01-01

Abstract:Usage of pointer in C/C++ language makes program source code flexible and convenient,but the memory usage errors(memory leak,write overflow,wild pointer and so on.) occur in the process is very difficult to analyze and eliminate.Aimed at errors of dynamic memory management,a dynamic memory detection method based on source file extraction and source code instrumentation on Linux Platform was developed,and a dynamic memory detection module was designed.The module can detect memory leak,write overflow,free wild pointer and mismatch using of memory functions to source code.Finally,an instance to test write overflow was carried to validate the effectiveness of our method and module.

WANG Ke-chao,CHENG Jian,WANG Tian-tian,REN Xiang-min

DOI: https://doi.org/10.3969/j.issn.1001-3695.2015.02.035

2015-01-01

Abstract:In order to better meet the needs of program analysis technology such as test coverage analysis,and automatic de-bugging,this paper proposed a program instrumentation model and developed a practical tool.Based on double buffering tech-nique,it constructed lexical analyzer and syntax analyzer.Instrumentation information was collected during syntactic deduc-tion.Thus instrumentation action was performed and instrumented object file was generated according to instrumentation poli-cy.It applied the program spectrum constructed by the instrumentation method to four state-art of coverage based software auto-matic debugging techniques.The defect statement was identified as the most suspicious statement by all the four techniques.It indicates that the program instrumentation method can provide necessary runtime information for accurate and efficient program analysis.