唐和平,黄曙光,吴志勇

DOI: https://doi.org/10.3778/j.issn.1002-8331.2010.23.018

2010-01-01

Computer Engineering and Applications Journal

Abstract:In order to analyze executable file,this paper proposes a method of understanding program by data flow analysis. It firstly translates disassemble results into data flow descriptive language and gets Reach In and Out definition,builds intra-procedur data flow equations,and then solves equations to refer relation between function input and output.The method has been validated by experiment on string copy function without extra clue.

Qian Yu,Lansheng Han,Tinghui Dong,Cai Fu,Ming Liu

2014-01-01

Abstract:General steps of analyzing malicious binary files include: Firstly, disassemble binary codes into assembly codes applicable on the current machine; Secondly, conduct analysis to all acquired assembly codes and comprehend code intents before identifying the attribution. These steps are summarized in inclusive descriptions rather than operable properties. One of the major difficulties contained is: Nowadays obfuscated code technique besets with a barrier to direct extraction for effective information from disassembled code files. This paper proposes one binary code analysis method that is generally applicable: Firstly perform an overall analysis to the binary file and complete preliminary wiping off interference information before screening out code snippets with respectively independent functions; secondly, conduct respective processing to each code snippet and achieve more independent basic behavioral units. Inter-skipping relationship within these basic behavioral units helps reestablish the fundamental logic framework of the entire snippet, or control flow graph "CFG". In return the logic framework of the entire program is deduced as well as the genuine intent of obfuscated codes. The last part of the paper carries out corresponding simulation experiment to provide supporting voice for its correctness and effectiveness.

Juanru Li,Dawu Gu,Chaoguo Deng,Yuhao Luo

DOI: https://doi.org/10.1007/978-3-642-23602-0_15

2010-01-01

China Communications

Abstract:Computer system’s runtime information is an essential part of the digital evidence. Current digital forensic approaches mainly focus on memory and I/O data, while the runtime instructions from processes are often ignored. We present a novel approach on runtime instruction forensic analysis and have developed a forensic system which collects instruction flow and extracts digital evidence. The system is based on whole-system emulation technique and analysts are allowed to define analysis strategy to improve analysis efficiency and reduce overhead. This forensic approach and system are applicable to binary code analysis, information retrieval and malware forensics.

SUN Ming,GU Da-wu,LI Juan-ru,LUO Yu-hao

DOI: https://doi.org/10.3969/j.issn.1001-3695.2012.02.068

2012-01-01

Abstract:Static binary analysis methods cannot meet the demand for malicious code analysis,and the traditional dynamic analysis approaches cannot effectively find the critical information among the huge amount of dynamic binary code.This paper gave a kind of differential analysis approach on dynamic binary code and provided its model and method.This approach could effectively extract the sensitive information from malicious code and make the function module or data spread understood.Finally,it provided an experiment based on differential binary analysis system,which validated the capability and efficiency of the approach.

唐和平,吴志勇,黄曙光,李永成

DOI: https://doi.org/10.3969/j.issn.1000-3428.2010.17.009

2010-01-01

Abstract:On the basis of data flow analysis,this paper translates program into data flow descriptive markers and obtains reach in and out definitions sets of basic blocks through data flow reach-definition anlysis.It establishes relation between function input and output to achieve static understanding.Experimental results demonstrate that string operating functions such as copy routine are correctly identified without extra clue by using this method.

李卷孺,谷大武,陆海宁

DOI: https://doi.org/10.3724/sp.j.1087.2008.02608

2008-01-01

Journal of Computer Applications

Abstract:The stripped binary form software is a typical object that software analysis and program understanding activity often deal with. Traditional analysis and comprehension models based on source code or debug symbol information are often useless when handling this kind of software for lack of information. A comprehension approach for stripped binary code was proposed. The analysis object was transformed to runtime process and the process information was imported. Then the program's action feature was imported using the external behavior and interface as the supplementary information, the feature was mapped to binary code. Finally, program slicing and debugging techniques were used to analyze program. The approach has access to more information for software analysis and program understanding and reduces the complexity, thus solves the information shortage and model building problem when analyzing stripped binary code.

Jun Guo,Lei Wang,Zhanyong Tang,Dingyi Fang

DOI: https://doi.org/10.13245/j.hust.160311

2016-01-01

Abstract:Current binary code de-obfuscation approaches only target a limited set of specific obfusca-tions and are ineffective against new obfuscations.State-of-the-art approaches of this problem are based on dynamic analysis and face the challenge of low code coverage.A semantics-based automated de-obfuscation approach was introduced.The key point of this approach is to optimize the instruction traces of the obfuscated program with the results of semantically relevant instruction identification, which can be applied to both existing and new obfuscation techniques.Moreover,a low-cost solution for multiple execution paths exploration was introduced.The proposed solution can enhance the code coverage and reduce the overhead at the same time.Experiment results show that the de-obfuscation approach is particularly effective and can be an invaluable aid for malware analysis.It can reduce the difficulty,and improve the efficiency of malware analysis effectively.

CUI Baojiang,GUO Pengfei,WANG Jianxin

DOI: https://doi.org/10.3321/j.issn:1000-0054.2009.z2.019

2009-01-01

Abstract:A system model that combines symbolic and actual execution was developed for path analyses of binary codes to find program bug.A debugger was built to dynamically load a program to obtain the binary code.The transformed system binary code is transformed into expressions containing more information than the assembly code which are useful for svmbolic execution.The symbolic code is then executed with the actual code to obtain the path conditions.The svmbolic execution analysis of the verification test program links the program's execution path to its unique input.Tests show that the system model can precisely analyze the relationships between the program input and its execution path.

Zian Liu,Chao Chen,Ahmed Ejaz,Dongxi Liu,Jun Zhang

DOI: https://doi.org/10.1007/978-3-031-22677-9_21

2022-01-01

Abstract:Binary code analysis is a process of analyzing the software or operating system when source code is inaccessible. This scenario occurs when one needs to analyze malware, a compiled software, or a closed-sourced operating system such as Windows, IOS, etc. In these scenarios, the source codes are deliberately made inaccessible by the vendor or programmer for various reasons. Binary analysis contains a wide range of analysis aims, techniques and methodologies. We concluded the methodologies into two categories: data-driven analysis and software-engineering-based analysis. Each category has a similar process in their methodology. We also concluded their limitation and summaries the challenges and future work.

Wang Chunlei,Zhao Gang,Dai Yiqi

DOI: https://doi.org/10.1109/ICCSIT.2009.5234950

2009-01-01

Abstract:This paper proposes a control flow based security analysis approach for binary executables. Through deeply investigating the theory of control flow security, we develop the Control Flow Security Model (CFSM) which includes the formal definitions for program semantics and security properties for control flow. CFSM specifies that program execution dynamically follows only certain paths, in accordance with a statically declared security properties specified as Control Flow Constraint Specification (CFCS). We have proposed an efficient control flow security analysis algorithm for verifying that a particular control flow model satisfies the associated security properties. Our work contributes to bridging the gap between abstract specifications of control flow security properties and actual control flow security analysis for binary executables. The effectiveness and the practical usefulness of the approach are exemplified by an illustrative analysis of heap overflow vulnerability.

Lixin Li,Chao Wang

DOI: https://doi.org/10.1007/978-3-642-40787-1_31

2013-01-01

Abstract:Dynamic analysis techniques have made a significant impact in security practice, e.g. by automating some of the most tedious processes in detecting vulnerabilities. However, a significant gap remains between existing software tools and what many security applications demand. In this paper, we present our work on developing a cross-platform interactive analysis tool, which leverages techniques such as symbolic execution and taint tracking to analyze binary code on a range of platforms. The tool builds upon IDA, a popular reverse engineering platform, and provides a unified analysis engine to handle various instruction sets and operating systems. We have evaluated the tool on a set of real-world applications and shown that it can help identify the root causes of security vulnerabilities quickly.

Tong Ye,Lingfei Wu,Tengfei Ma,Xuhong Zhang,Yangkai Du,Peiyu Liu,Shouling Ji,Wenhai Wang

DOI: https://doi.org/10.48550/arXiv.2310.16853

2023-10-24

Abstract:Automatically generating function summaries for binaries is an extremely valuable but challenging task, since it involves translating the execution behavior and semantics of the low-level language (assembly code) into human-readable natural language. However, most current works on understanding assembly code are oriented towards generating function names, which involve numerous abbreviations that make them still confusing. To bridge this gap, we focus on generating complete summaries for binary functions, especially for stripped binary (no symbol table and debug information in reality). To fully exploit the semantics of assembly code, we present a control flow graph and pseudo code guided binary code summarization framework called CP-BCS. CP-BCS utilizes a bidirectional instruction-level control flow graph and pseudo code that incorporates expert knowledge to learn the comprehensive binary function execution behavior and logic semantics. We evaluate CP-BCS on 3 different binary optimization levels (O1, O2, and O3) for 3 different computer architectures (X86, X64, and ARM). The evaluation results demonstrate CP-BCS is superior and significantly improves the efficiency of reverse engineering.

Programming Languages,Artificial Intelligence

Hongfa Xue,Shaowen Sun,Guru Venkataramani,Tian Lan

DOI: https://doi.org/10.1109/access.2019.2917668

IF: 3.9

2019-01-01

IEEE Access

Abstract:Binary code analysis is crucial in various software engineering tasks, such as malware detection, code refactoring, and plagiarism detection. With the rapid growth of software complexity and the increasing number of heterogeneous computing platforms, binary analysis is particularly critical and more important than ever. Traditionally adopted techniques for binary code analysis are facing multiple challenges, such as the need for cross-platform analysis, high scalability and speed, and improved fidelity, to name a few. To meet these challenges, machine learning-based binary code analysis frameworks attract substantial attention due to their automated feature extraction and drastically reduced efforts needed on large-scale programs. In this paper, we provide the taxonomy of machine learning-based binary code analysis, describe the recent advances and key findings on the topic, and discuss the key challenges and opportunities. Finally, we present our thoughts for future directions on this topic.

DOU Zeng-jie,WANG Zhen-yu,CHEN Nan,WANG Rui-min,TIAN Jia

DOI: https://doi.org/10.3969/j.issn.1000-3428.2010.21.011

2010-01-01

Abstract:In order to analyze program control flow precisely and depict program control structure correctly,this paper introduces an overall architecture for control flow analysis and proposes an algorithm to generate the control flow of executable code. Key techniques such as abstraction of executable code and program control flow generation are described. Simple Assembly language Intermediate Representation(SAIR) is presented. Without changing semantics of the disassembly code,SAIR ensures thesimplicity and stringentness of analysis. The functions that create program control flow are defined based on SAIR and the algorithm that generates the control flow is proposed. The example of analyzing program control flow is given.

Kai-long ZHU,YU-liang LU,Hui HUANG,Zhao-kun DENG,Yi-jie DENG

DOI: https://doi.org/10.3785/j.issn.1008-973x.2019.05.002

2019-01-01

Abstract:The construction of control flow graph (CFG) was the basis of binary program analysis. A hybrid analysis approach combining static and dynamic analysis techniques was proposed, for the problems that the static construction method cannot handle the indirect jump cases and dynamic construction methods were inefficient and not suitable for large-scale programs. The static analysis technique was used to obtain the basic control flow of the target program. Test cases generated by fuzz testing were used to dynamically analyze the target program, during which a dynamic binary instrumentation technique was used to obtain information of indirect jumps. Finally, the analysis results in the former two steps were integrated to generate CFGs. A CFG construction system CFGConstructor targeting on x86 binaries was designed and implemented based on the proposed hybrid analysis method. Experiments were carried out on the sample programs and CGC dataset to evaluate the effectiveness and efficiency. Results show that the proposed approach can construct more complete CFGs than static analysis do, and is more efficient than dynamic analysis, capable to analyze large programs.

秦青文,王戟,孙旭光,梅文华

DOI: https://doi.org/10.3969/j.issn.1000-3428.2008.22.029

2008-01-01

Abstract:Binary program transformation has played an important role in reverse program analysis.This paper proposes a program transformation method.In the method,machine code is first disassembled by IDA Pro.Along with rules and optimizing strategies,the program is transformed to intermediate language.The deterministic finite automata and context-free grammars are designed to parse assembly language,and the code optimization theory is also included in dataflow analysis.The intermediate language has a good readability,generality and comprehensibility.After transformation,the code contracts dramatically.The technique described can run automatically,which effectively reduce the amount of time in solving software analysis problems and debugging executable programs.A transform instance using this technique is presented.

Erzhou Zhu,Peng Wen,Kanqi Ni,Ruhui Ma

DOI: https://doi.org/10.1016/j.cose.2019.05.018

IF: 5.105

2019-01-01

Computers & Security

Abstract:With the increasing availability of the computational power and constraint solving technology, the symbolic execution technology has regained interest in recent years. However, it still suffers from state explosion and low efficiency issues due to the large number of paths that need to be analyzed and the complexity of the constraints generated. Meanwhile, most of the present symbolic execution techniques are working on the source code, but the source code of most software is hard to acquire in practice. In order to cope with these issues, this paper presents BinSE, a lightweight dynamic symbolic execution framework for analyzing x86 binary programs. The framework adapts the dynamic analysis model, which combines symbolic execution with concrete execution to simplify the complexity of the path conditions. Furthermore, the hierarchical backward program slicing and the revised irrelevant API filtration mechanisms are introduced to optimize the performance of the framework. According to the experimental results, the proposed framework is efficient and can cover almost all the effective paths of the target program. Meanwhile, it also holds a promise to provide novel solutions to a broad spectrum of security problems. To demonstrate our technique, we apply the framework to detect buffer overflow vulnerability from binary executables.

Chang Da,Li Zhou-jun,Yang Tian-fang,Hu Chao-jian

DOI: https://doi.org/10.3969/j.issn.1674-9456.2011.09.009

2011-01-01

Abstract:The differences of system platform,compiler and compilation options are likely to lead semantic differences between source code and executable code,only source code analysis may omit vulnerabilities hidden in executable code.Even source code analysis has verified the nature of the need for security,but yet it can not assure the security nature in the executable code are satisfied not contrary to.This paper designed and implemented a program execution tracer based on dynamic binary instrumentation.The results show our prototype tool can accurately trace in the execution path,and be able to filter out 90% to 99% secondary instructions.At last,this paper discussed other technical solutions,the shortcoming of current prototype tool and the future work.

Jing Qiu,Xiaohong Su,Peijun Ma

DOI: https://doi.org/10.4028/www.scientific.net/amm.577.852

2014-01-01

Applied Mechanics and Materials

Abstract:We present a new approach for disassembling executables with self-modifying code. Self-modifying code is very common in malware. Conventional static or dynamic approaches cannot handle self-modifying code very well. We combine static and dynamic analysis to fight against self-modifying code with the multiple-path exploration technique. The evaluation results indicate that our approach works well in disassembling executables with self-modifying code with high precision and code coverage compared with the state-of-art disassembler.

HUANG Hui,LU Yu-liang,XIA Yang

DOI: https://doi.org/10.3969/j.issn.1001-3695.2013.09.064

2013-01-01

Abstract:Aiming towards automatic defect detection for binary programs,based on software virtual machine's dynamic binary translation and taint propagation,this paper studied mechanisms necessary for symbolic execution including program's run-time semantics' extraction,intermediate language based symbolic calculation,enhanced the path-scheduling mechanism in traditional dynamic symbolic execution,analyzed symbolic asserts' expressions for common program defects,with an online dynamic symbolic execution system built up detecting defects in binary programs.Experiments prove the method's effectiveness in defect detection for real binary programs.