Fang Wangsheng,Shao Liping,Zhang Kejun

DOI: https://doi.org/10.3969/j.issn.1008-0570.2006.33.028

2006-01-01

Abstract:According to the structure characters of portable executable file format, the methods taking advantages of redundant spaces, redundant structures and static spaces allocated to strings to embed information into PE file are introduced in this paper. To prevent the embedded data from being understood and modified, a method is provided there, which make use of translating data in other forms to disguise information. To recover the original information, a method being availed of secret sharing schemas is also given. When some embedded informations are damaged, others can be used to recover the original embedded information to keep the em- bedded data completely.

Zhengong Cai,Xiaohu Yang,Xinyu Wang,Aleksander J. Kavs

DOI: https://doi.org/10.1587/transinf.e95.d.205

2012-01-01

IEICE Transactions on Information and Systems

Abstract:Feature location is to identify source code that implements a given feature. It is essential for software maintenance and evolution. A large amount of research, including static analysis, dynamic analysis and the hybrid approaches, has been done on the feature location problems. The existing approaches either need plenty of scenarios or rely on domain experts heavily. This paper proposes a new approach to locate functional feature in source code by combining the change impact analysis and information retrieval. In this approach, the source code is instrumented and executed using a single scenario to obtain the execution trace. The execution trace is extended according to the control flow to cover all the potentially relevant classes. The classes are ranked by trace-based impact analysis and information retrieval. The ranking analysis takes advantages of the semantics and structural characteristics of source code. The identified results are of higher precision than the individual approaches. Finally, two open source cases have been studied and the efficiency of the proposed approach is verified.

Tao Wei,Runpu Wu,Tielei Wang,Xinjian Zhao,Wei Zou,Weihong Zheng

DOI: https://doi.org/10.1007/978-3-642-28798-5_19

2012-01-01

Abstract:Call graph plays an important role in interprocedural program analysis methods. However, due to the common exist of function pointers and virtual functions in large programs, call graphs used in current program analysis systems are usually incomplete and imprecise, especially in analysis systems for binary executables. In this paper, we present a scalable and effective approach to automatically resolve virtual-function calls in executables. For the benchmark used in previous studies, our approach resolved almost 100% of reachable virtual function call-sites, whereas CodeSurfer/x86 resolved about 82%. © 2012 Springer-Verlag.

Ryoichi Isawa,Masaki Kamizono,Daisuke Inoue

DOI: https://doi.org/10.1007/978-3-642-42054-2_74

2013-01-01

Abstract:In this paper, we focus on the problem of the unpacking of packed executables in a generic way. That is, we do not assume specific knowledge about the algorithms used to produce the packed executable to do the unpacking (i.e. we do not extract/create a reverse algorithm). In general, when launched, a packed executable will first reconstruct the code of the original program, write it down someplace in memory and then transfer the execution to that original code by assigning the Extended Instruction Pointer (EIP) to the so-called Original Entry Point (OEP) of the program. Accordingly, if we had a way to accurately identify that transfer event in the execution flow and thus the OEP, we could more easily extract the original code for analysis (cf. by inspecting the remaining code after the OEP was reached). We then propose an effective generic unpacking method based on the combination of two novel OEP detection techniques, one relying on the incremental measurement of the entropy of the information stored in the memory space assigned to the unpacking process, and the other on the incremental searching and counting of potential Windows API calls in that same memory space.

WANG Chun-lei,LIU Qiang,ZHAO Gang,DAI Yi-qi

DOI: https://doi.org/10.3778/j.issn.1002-8331.2009.26.024

2009-01-01

Abstract:The detection of flaw functions in binary executables is an important technique for software vulnerability analysis.A flaw function detection method based upon the static analysis of executable is proposed.The foundation of this method is the signature theme of flaw functions in the form of binary instruction flow.This method establishes the set of potential function call sequences in the running process and constructs the function call graph by statically analyzing the binary executable,and detects the set of flaw functions the executable invoked by matching and analyzing the signatures of flaw functions with the function call graph.Experimental results demonstrate that the method is effective for detecting the flaw functions in executables,and is useful for further security analysis.

Maosheng Zhang,Ying Zhao,Zengmingyu He

DOI: https://doi.org/10.1109/compsac.2017.137

2017-01-01

Abstract:Log analysis plays an important role for computer failure diagnosis. With the ever increasing size and complexity of logs, the task of analyzing logs has become cumbersome to carry out manually. For this reason, recent research has focused on automatic analysis techniques for large log files. However, log messages are texts with certain formats and it is very challenging for automatic analysis to understand the semantic meanings of log messages. The current state-of-the-art approaches depend on the quality of observed log messages or source code producing these log messages. In this paper, we propose a method GenLog that can extract log templates from stripped executables (neither source code nor debugging information need to be available). GenLog finds all log related functions in a binary through a combined bottom-up and top-down slicing method, reconstructs the memory buffers where log messages were constructeStripped X86 Binaries d, and identifies components of log messages using data flow analysis and taint propagation analysis. GenLog can be used to analyze large binary code, and is suitable for commercial off-the-shelf (COTS) software or dynamic libraries. We evaluated GenLog on four X86 executables and one of them is Nginx. The experiments show that GenLog can identify the template for log messages in testing log files with a precision of 99.9%.

Yunan Zhang,Xu,Yixin Jiang

DOI: https://doi.org/10.1109/trustcom50675.2020.00111

2020-01-01

Abstract:Binary code search has received much attention recently due to its impactful applications, e.g., plagiarism detection, malware detection and software vulnerability auditing. However, developing an effective binary code search tool is challenging due to the gigantic syntax and structural differences in binaries resulted from different compilers, compiler options and malware family. In this paper, we propose a scalable and accurate binary search engine which performs syntactic matching by combining a set of key techniques to address the challenges above. The key contribution is binary code searching technique which combined function filtering and partial trace method to match the function code relatively quick and accurate. In addition, a simhash and basic information based function filtering is proposed to dramatically reduce the irrelevant target functions. Besides, we introduce a partial trace method for matching the shortlisted function accurately. The experimental results show that our method can find similar functions, even with the presence of program structure distortion, in a scalable manner.

He SUN,Lifa WU,Zheng HONG,Huiying YAN,Yafeng ZHANG

DOI: https://doi.org/10.3969/j.issn.1000-3428.2017.03.027

2017-01-01

Abstract:Extracting a complete and accurate function call graph is the foundation of malware similarity analysis based on function call graph.This paper proposes a malware function call graph extraction method which integrates both dynamic and static analysis methods.It extracts executable path of malicious programs on the basis of static disassembly,and an active discovery strategy of hidden information is used to find out the hidden instructions and function calls in the malware.A dynamic feedback mechanism is used to ensure the information synchronization during the process of static and dynamic analysis.The experimental results show that the proposed method can deal with all kinds of reverse analysis technologies and extract a complete and accurate function call graph from malwares.

Xin Liu,Yunsuo Duan,Zhong Chen

2004-01-01

Ruan Jian Xue Bao/Journal of Software

Abstract:The copyright protection mechanism emphasizes preventing the intellectual property right from being violated beforehand, which can not satisfy the demand lying in law practice that the same source feature of software should be determined. In this paper feature of executable code is analyzed from static and dynamic state and a same source feature measuring method is put forward. The running result of demo system supports the method well. The same source feature measuring problem of executable code is resolved primarily in this paper.

ZHANG Yi-chi,PANG Jian-min,ZHAO Rong-cai,HAN Xiao-su

2009-01-01

Abstract:Malware writers make use of exception return of subroutine to evade detecting by malware detectors.To crack the technique,this paper proposes a novel disassembly algorithm.This algorithm decodes an executable file twice and emulates the operations on memory stack.Through this twice-decoding and emulation process,this algorithm can be used to recognize exception returns and thus ensure the correctness of a decoding process.Compared with two commonly used disassemblers IDAPro and OBJDump,this algorithm is better at identifying this kind of exception and improves the rate of disassembly.

Zhenhui Li,Shuangping Xing,Lin Yu,Huiping Li,Fan Zhou,Guangqiang Yin,Xikai Tang,Zhiguo Wang

DOI: https://doi.org/10.32604/cmc.2023.046595

2024-01-01

Abstract:Software security analysts typically only have access to the executable program and cannot directly access the source code of the program. This poses significant challenges to security analysis. While it is crucial to identify vulnerabilities in such non-source code programs, there exists a limited set of generalized tools due to the low versatility of current vulnerability mining methods. However, these tools suffer from some shortcomings. In terms of targeted fuzzing, the path searching for target points is not streamlined enough, and the completely random testing leads to an excessively large search space. Additionally, when it comes to code similarity analysis, there are issues with incomplete code feature extraction, which may result in information loss. In this paper, we propose a cross-platform and cross-architecture approach to exploit vulnerabilities using neural network obfuscation techniques. By leveraging the Angr framework, a deobfuscation technique is introduced, along with the adoption of a VEX-IR-based intermediate language conversion method. This combination allows for the unified handling of binary programs across various architectures, compilers, and compilation options. Subsequently, binary programs are processed to extract multi-level spatial features using a combination of a skip-gram model with self-attention mechanism and a bidirectional Long Short-Term Memory (LSTM) network. Finally, the graph embedding network is utilized to evaluate the similarity of program functionalities. Based on these similarity scores, a target function is determined, and symbolic execution is applied to solve the target function. The solved content serves as the initial seed for targeted fuzzing. The binary program is processed by using the de-obfuscation technique and intermediate language transformation method, and then the similarity of program functions is evaluated by using a graph embedding network, and symbolic execution is performed based on these similarity scores. This approach facilitates cross-architecture analysis of executable programs without their source codes and concurrently reduces the risk of symbolic execution path explosion.

computer science, information systems,materials science, multidisciplinary

Ping Chen,Hao Han,Yi Wang,Xiaobin Shen,Xinchun Yin,Bing Mao,Li Xie

DOI: https://doi.org/10.1007/978-3-642-11145-7_26

2009-01-01

Abstract:Recently, Integer bugs have been increasing sharply and become the notorious source of bugs for various serious attacks. In this paper, we propose a tool, IntFinder, which can automatically detect Integer bugs in a x86 binary program. We implement IntFinder based on a combination of static and dynamic analysis. First, IntFinder decompiles a x86 binary code, and creates the suspect instruction set. Second, IntFinder dynamically inspects the instructions in the suspect set and confirms which instructions are actual Integer bugs with the error-prone input. Compared with other approaches, IntFinder provides more accurate and sufficient type information and reduces the instructions which will be inspected by static analysis. Experimental results are quite encouraging: IntFinder has detected the integer bugs in several practical programs as well as one new bug in slocate-2.7, and it achieves a low false positives and negatives.

Xiangzhe Xu,Zhou Xuan,Shiwei Feng,Siyuan Cheng,Yapeng Ye,Qingkai Shi,Guanhong Tao,Le Yu,Zhuo Zhang,Xiangyu Zhang

DOI: https://doi.org/10.48550/arXiv.2308.15449

2023-08-30

Abstract:Binary similarity analysis determines if two binary executables are from the same source program. Existing techniques leverage static and dynamic program features and may utilize advanced Deep Learning techniques. Although they have demonstrated great potential, the community believes that a more effective representation of program semantics can further improve similarity analysis. In this paper, we propose a new method to represent binary program semantics. It is based on a novel probabilistic execution engine that can effectively sample the input space and the program path space of subject binaries. More importantly, it ensures that the collected samples are comparable across binaries, addressing the substantial variations of input specifications. Our evaluation on 9 real-world projects with 35k functions, and comparison with 6 state-of-the-art techniques show that PEM can achieve a precision of 96% with common settings, outperforming the baselines by 10-20%.

Software Engineering

Chengbin Pang,Ruotong Yu,Dongpeng Xu,Eric Koskinen,Georgios Portokalidis,Jun Xu

DOI: https://doi.org/10.48550/arXiv.2104.03168

2021-04-07

Abstract:Function entry detection is critical for security of binary code. Conventional methods heavily rely on patterns, inevitably missing true functions and introducing errors. Recently, call frames have been used in exception-handling for function start detection. However, existing methods have two problems. First, they combine call frames with heuristic-based approaches, which often brings error and uncertain benefits. Second, they trust the fidelity of call frames, without handling the errors that are introduced by call frames. In this paper, we first study the coverage and accuracy of existing approaches in detecting function starts using call frames. We found that recursive disassembly with call frames can maximize coverage, and using extra heuristic-based approaches does not improve coverage and actually hurts accuracy. Second, we unveil call-frame errors and develop the first approach to fix them, making their use more reliable.

Cryptography and Security

Nozima Murodova,Hyungjoon Koo

DOI: https://doi.org/10.48550/arXiv.2310.08011

2023-10-12

Abstract:An executable binary typically contains a large number of machine instructions. Although the statistics of popular instructions is well known, the distribution of non-popular instructions has been relatively under explored. Our finding shows that an arbitrary group of binaries com es with both i) a similar distribution of common machine instructions, and ii) quite a few rarely appeared instructions (e.g., less than five occurrences) apart from the distribution. Their infrequency may represent the signature of a code chunk or the footprint of a binary. In this work, we investigate such rare instructions with an in-depth analysis at the source level, clas sifying them into four categories.

Software Engineering

Guancheng Li,Yongheng Chen,Tianyi Li,Tongxin Li,Xinfeng Wu,Chao Zhang,Xinhui Han

2018-01-01

Abstract:Debugging is one of most useful techniques used in reverse engineering and diagnosing. However, some softwares, especially commercial and malicious ones, have embedded antidebugging techniques to protect themselves from being analyzed. Due to the diversity of anti-debugging techniques, evading antidebugging is challenging work, which relies heavily on expertise. In this poster, we propose a novel approach to bypass antidebugging with Intel Processor Tracing (PT). It identifies the location of anti-debugging code with the help of PT, and automatically patches the code to bypass it, enabling developers to debug anti-debugging software.

Laune C. Harris,Barton P. Miller

DOI: https://doi.org/10.1145/1127577.1127590

2005-12-01

ACM SIGARCH Computer Architecture News

Abstract:Executable binary code is the authoritative source of information about program content and behavior. The compile, link, and optimize steps can cause a program's detailed execution behavior to differ substantially from its source code. Binary code analysis is used to provide information about a program's content and structure, and is therefore a foundation of many applications, including binary modification[3,12,22,31], binary translation[5,29], binary matching[30], performance profiling[13,16,18], debugging, extraction of parameters for performance modeling, computer security[7,8] and forensics[23,26]. Ideally, binary analysis should produce information about the content of the program's code (instructions, basic blocks, functions, and modules), structure (control and data flow), and data structures (global and stack variables). The quality and availability of this information affects applications that rely on binary analysis.

WANG Xiaolin,ZHANG Binbin,JIN Xinxin,WANG Zhenlin,LUO Yingwei,LI Xiaoming

DOI: https://doi.org/10.3778/j.issn.1673-9418.2011.06.002

2011-01-01

Abstract:It’s essential to learn about sensitive instructions that cause virtual machine (VM) to exit to the virtual machine monitor (VMM) to find new ways to optimize the performance of VM.This paper proposes a novel method,competition in bucket method (CBM),to track all VM exits efficiently,by mapping sensitive instructions to buckets according to instruction addresses,and find out hot instructions in each bucket.

Yilei Zhang,Haoyu Liao,Zekun Wang,Bo Huang,Jianmei Guo

2024-05-15

Abstract:Static binary lifting is essential in binary rewriting frameworks. Existing tools overlook the impact of External Function Completion (EXFC) in static binary lifting. EXFC recovers the prototypes of External Functions (EXFs, functions defined in standard shared libraries) using only the function symbols available. Incorrect EXFC can misinterpret the source binary, or cause memory overflows in static binary translation, which eventually results in program crashes. Notably, existing tools struggle to recover the prototypes of mangled EXFs originating from binaries compiled from C++. Moreover, they require time-consuming manual processing to support new libraries.

Software Engineering

Yixuan Ma,Shuang Liu,Jiajun Jiang,Guanhong Chen,Keqiu Li

DOI: https://doi.org/10.1145/3468264.3473925

2021-10-29

Abstract:Driven by the high profit, Portable Executable (PE) malware has been consistently evolving in terms of both volume and sophistication. PE malware family classification has gained great attention and a large number of approaches have been proposed. With the rapid development of machine learning techniques and the exciting results they achieved on various tasks, machine learning algorithms have also gained popularity in the PE malware family classification task. Three mainstream approaches that use learning based algorithms, as categorized by the input format the methods take, are image-based, binary-based and disassembly-based approaches. Although a large number of approaches are published, there is no consistent comparisons on those approaches, especially from the practical industry adoption perspective. Moreover, there is no comparison in the scenario of concept drift, which is a fact for the malware classification task due to the fast evolving nature of malware. In this work, we conduct a thorough empirical study on learning-based PE malware classification approaches on 4 different datasets and consistent experiment settings. Based on the experiment results and an interview with our industry partners, we find that (1) there is no individual class of methods that significantly outperforms the others; (2) All classes of methods show performance degradation on concept drift (by an average F1-score of 32.23%); and (3) the prediction time and high memory consumption hinder existing approaches from being adopted for industry usage.

Cryptography and Security,Machine Learning,Software Engineering