Presentation is loading. Please wait.

Presentation is loading. Please wait.

Analysis Of Stripped Binary Code Laune Harris University of Wisconsin – Madison

Published byVernon Cummings Modified over 9 years ago

Similar presentations

Presentation on theme: "Analysis Of Stripped Binary Code Laune Harris University of Wisconsin – Madison"— Presentation transcript:

1 Analysis Of Stripped Binary Code Laune Harris University of Wisconsin – Madison lharris@cs.wisc.edu www.paradyn.org

2 2 856c: 55 856d: 89e5 856f: 83ec08 8572: e8ddffffff 857b: c9 857c: c3 857d: 55 857e: 89e5 8581: 83ec18 858b: e8bfffffff 8591: c9 8592: c3 Binary code

3 3 856c: 55 856d: 89e5 856f: 83ec08 8572: e8ddffffff 857b: c9 857c: c3 857d: 55 857e: 89e5 8581: 83ec18 858b: e8bfffffff 8591: c9 8592: c3 push %ebp mov %esp, %ebp sub 8, %esp call 857d leave ret push %ebp mov %esp, %ebp sub %eax, %ebp call 866c leave ret Binary code (with assembly)

4 4 856c: 55 856d: 89e5 856f: 83ec08 8572: e8ddffffff 857b: c9 857c: c3 857d: 55 857e: 89e5 8581: 83ec18 858b: e8bfffffff 8591: c9 8592: c3 push %ebp mov %esp, %ebp sub 8, %esp call foo leave ret push %ebp mov %esp, %ebp sub %eax, %ebp call printf leave ret main foo Binary code (with symbol info)

5 5 A lot of code is stripped Commercial applications (usually) Proprietary libraries (often) Viruses OS libraries and utilities (depends on OS and OS version)

6 6 Steps in symbol reconstruction Find and name functions Find function size

7 7 Finding functions Build a call graph and traverse it to find function start addresses Opportunistic parsing: use existing symbol names and addresses where available Works on a spectrum of binaries ranging from binaries with all symbols to fully stripped binaries

8 8 push %ebp 856c:main Call Graph creation

9 9 push %ebp mov %esp, %ebp sub 8, %esp call 857d leave ret 856c: 856d: 856f: 8572: 857b: 857c: main Call Graph creation

10 10 push %ebp mov %esp, %ebp sub 8, %esp call func857d leave ret push %ebp 856c: 856d: 856f: 8572: 857b: 857c: 857d: main func857d Call Graph creation

11 11 push %ebp mov %esp, %ebp sub 8, %esp call func857d leave ret push %ebp mov %esp, %ebp sub %eax, %ebp call 865e call 866d leave ret 856c: 856d: 856f: 8572: 857b: 857c: 857d: 857e: 8581: 858b: 8591: 8596: 8597: main func857d Call Graph creation

12 12 Parsing Functions Disassemble function’s code by traversing intra-procedural control flow graph Highest address determines function size

13 13 Error Detection And Recovery CFG exit points are sometimes hard to identify Assume branches that are not obvious exits are intra-procedural Errors result in overestimation of function size Overlapping functions indicate error

14 14 Problems and Solutions Functions that are only called indirectly Problem: static call graph traversal does not discover these functions Solution: examine gaps in text space and use heuristics to find functions

15 15 Problems and Solutions cont’d Indirect Jumps Problem: need to find targets to complete CFG Solution: parse jump tables to find possible targets

16 16 Problems and Solutions cont’d Exception handling code Problem: creates code blocks that appear unreachable Solution: get block addresses from exception table

17 17 Test Programs paradyn5.443.5113,676 condor_starter22.602.508,168 gimp2.612.204,329 eon10.440.511,163 om30.430.30732 alara3.650.26948 bubba0.090.0266 size (MB) unstripped size (MB) stripped number of functions

18 18 Evaluation Parse time (includes CFG creation) ~1.4x faster than prev. parser (with cfg) ~1.7x slower than prev. parser (without cfg) Stripped parse time Varies: 1.2x - 1.9x slower than unstripped Symbol recreation 80% - 98% of original functions

19 19 Related Work Binary rewriters/instrumentation tools eel, emil, etch, goblin, leel, plto Disassemblers (lots available) IDAPro, Objdump, dumpbin, etc Symbol table reconstructors dress, objdump-output-beautifier

20 20 Status Implemented on x86 Ready for measurement and instrumentation Good start for security, but needs work

21 21 Future Work Develop more accurate heuristics to identify code in unlit areas of the binary Data flow analyses Port to other platforms Support unconventional function constructs Comprehensive comparison with other tools Evaluation on obfuscated code

Download ppt "Analysis Of Stripped Binary Code Laune Harris University of Wisconsin – Madison"

Similar presentations

PASTE 2011 Szeged, Hungary September 5, 2011 Labeling Library Functions in Stripped Binaries Emily R. Jacobson, Nathan Rosenblum, and Barton P. Miller.

PASTE 2011 Szeged, Hungary September 5, 2011 Labeling Library Functions in Stripped Binaries Emily R. Jacobson, Nathan Rosenblum, and Barton P. Miller.
ByteWeight: Learning to Recognize Functions in Binary Code

ByteWeight: Learning to Recognize Functions in Binary Code
© 2006 Nathan RosenblumMarch 2006Unconventional Code Constructs The New Dyninst Code Parser: Binary Code Isn't as Simple as it Used to Be Nathan Rosenblum.

© 2006 Nathan RosenblumMarch 2006Unconventional Code Constructs The New Dyninst Code Parser: Binary Code Isn't as Simple as it Used to Be Nathan Rosenblum.
ITEC 352 Lecture 25 Memory(3). Review Questions RAM –What is the difference between register memory, cache memory, and main memory? –What connects the.

ITEC 352 Lecture 25 Memory(3). Review Questions RAM –What is the difference between register memory, cache memory, and main memory? –What connects the.
Native x86 Decompilation Using Semantics-Preserving Structural Analysis and Iterative Control-Flow Structuring Edward J. Schwartz *, JongHyup Lee ✝, Maverick.

Native x86 Decompilation Using Semantics-Preserving Structural Analysis and Iterative Control-Flow Structuring Edward J. Schwartz *, JongHyup Lee ✝, Maverick.
Secure In-VM Monitoring Using Hardware Virtualization Monirul Sharif, Wenke Lee, Weidong Cui, and Andrea Lanzi Presented by Tyler Bletsch.

Secure In-VM Monitoring Using Hardware Virtualization Monirul Sharif, Wenke Lee, Weidong Cui, and Andrea Lanzi Presented by Tyler Bletsch.
Paradyn Project Paradyn / Dyninst Week Madison, Wisconsin May 2-4, 2011 ProcControlAPI and StackwalkerAPI Integration into Dyninst Todd Frederick and Dan.

Paradyn Project Paradyn / Dyninst Week Madison, Wisconsin May 2-4, 2011 ProcControlAPI and StackwalkerAPI Integration into Dyninst Todd Frederick and Dan.
Paradyn Project Paradyn / Dyninst Week College Park, Maryland March 26-28, 2012 Paradyn Project Upcoming Features in Dyninst and its Components Bill Williams.

Paradyn Project Paradyn / Dyninst Week College Park, Maryland March 26-28, 2012 Paradyn Project Upcoming Features in Dyninst and its Components Bill Williams.
Paradyn Project Paradyn / Dyninst Week College Park, Maryland March 26-28, 2012 Self-propelled Instrumentation Wenbin Fang.

Paradyn Project Paradyn / Dyninst Week College Park, Maryland March 26-28, 2012 Self-propelled Instrumentation Wenbin Fang.
Assembly Code Verification Using Model Checking Hao XIAO Singapore University of Technology and Design.

Assembly Code Verification Using Model Checking Hao XIAO Singapore University of Technology and Design.
© 2006 Barton P. MillerFebruary 2006Binary Code Analysis and Editing A Framework for Binary Code Analysis, and Static and Dynamic Patching Barton P. Miller.

© 2006 Barton P. MillerFebruary 2006Binary Code Analysis and Editing A Framework for Binary Code Analysis, and Static and Dynamic Patching Barton P. Miller.
Machine-Learning Assisted Binary Code Analysis

Machine-Learning Assisted Binary Code Analysis
Binary Obfuscation Using Signals Igor V. Popov ( University of Arizona)‏ Saumya K. Debray (University of Arizona)‏ Gregory R. Andrews (University of Arizona)

Binary Obfuscation Using Signals Igor V. Popov ( University of Arizona)‏ Saumya K. Debray (University of Arizona)‏ Gregory R. Andrews (University of Arizona)
School of Computer Science A Global Progressive Register Allocator David Ryan Koes Seth Copen Goldstein Carnegie Mellon University

School of Computer Science A Global Progressive Register Allocator David Ryan Koes Seth Copen Goldstein Carnegie Mellon University
Eliminating Stack Overflow by Abstract Interpretation John Regehr Alastair Reid Kirk Webb University of Utah.

Eliminating Stack Overflow by Abstract Interpretation John Regehr Alastair Reid Kirk Webb University of Utah.
IPT Readings on Instrumentation, Profiling, and Tracing Seminar presentation by Alessandra Gorla University of Lugano December 7, 2006.

IPT Readings on Instrumentation, Profiling, and Tracing Seminar presentation by Alessandra Gorla University of Lugano December 7, 2006.
Lecture 25 Generating Code for Basic Blocks Topics Code Generation Readings: 9.4-9.6 April 19, 2006 CSCE 531 Compiler Construction.

Lecture 25 Generating Code for Basic Blocks Topics Code Generation Readings: April 19, 2006 CSCE 531 Compiler Construction.
Partial Automation of an Integration Reverse Engineering Environment of Binary Code Author : Cristina Cifuentes Reverse Engineering, 1996., Proceedings.

Partial Automation of an Integration Reverse Engineering Environment of Binary Code Author : Cristina Cifuentes Reverse Engineering, 1996., Proceedings.
X86 ISA Compiler Baojian Hua Front End source code abstract syntax tree lexical analyzer parser tokens IR semantic analyzer.

X86 ISA Compiler Baojian Hua Front End source code abstract syntax tree lexical analyzer parser tokens IR semantic analyzer.
C Prog. To Object Code text text binary binary Code in files p1.c p2.c

C Prog. To Object Code text text binary binary Code in files p1.c p2.c

Similar presentations

Ads by Google