On representation used in the binary code reverse engineering

The paper discusses the problem of representation of algorithms extracted from binary code in course of reverse engineering: both representations for automatic analysis and final representations for the user. Two key subproblems of reverse engineering are focused on: automatic search for exploitable defects and discovery of undeclared capabilities. A principal scheme of system that allows automatically finding exploitable defects is described, along with key features of an internal representation employed by such system from the viewpoint of efficient generation of equations for an SMT solver. A sequence of steps for a system that reveals undeclared capabilities is enumerated: algorithm localization, its representation in a form suitable for analysis, and recovery of its properties. In order to automate the first step a static-dynamic representation is built which includes OS-level events and calls to library functions that serve as “anchor points” for the analyst in course of algorithm localization. Further support for localization is provided by means of code slicing and navigation algorithms. Once the algorithm is localized, further work goes in two directions: dialogue-based building of an annotated representation of the algorithm as a flowchart and automated research of characteristics of the algorithm in terms of declared and undeclared data flows. Flowchart representation of an algorithm is based on building simplified function models which describe input and output buffers, and automatic analysis of data flows between buffers of calls of different functions. The general scenario of interaction between an analyst and such a flowchart in context of the undeclared capability revealing problem is described, based on annotating declared data flows and automatically revealing undeclared ones. The paper concludes with an example of such a representation and an enumeration of further work directions.

binary code, combined analysis, intermediate representation

1. Wang X., Zeldovich N., Kaashoek M. F., Solar-Lezama A. A Differntial Approach to Undefined Behavior Detection. ACM Transactions on Computer Systems, 33(1), article 1, 2015. 29 p. DOI: 10.1145/2699678.

2. Song D., Brumley D., Yin H. et al. BitBlaze: A new approach to computer security via binary analysis. Information systems security, 2008, pp. 1-25.

3. Brumley D., Jager I., Avgerinos T. et al. BAP: A binary analysis platform. International Conference on Computer Aided Verification, 2011, pp. 463-469.

4. Shoshitaishvili Y., Wang R., Salls C. et al. Sok: (state of) the art of war: Offensive techniques in binary analysis. Security and Privacy (SP), 2016 IEEE Symposium on, 2016, pp. 138-157.

5. Cha S. K., Avgerinos T., Rebert A. et al. Unleashing mayhem on binary code. Security and Privacy (SP), 2012 IEEE Symposium on, 2012, pp. 380-394.

6. Defense Advanced Research Projects Agency Program Information: Cyber Grand Challenge (CGC). Available at: http://www.darpa.mil/program/cyber-grand-challenge, accessed 01.06.2017.

7. V.A. Padaryan, A.I. Getman, M.A. Solovyev, M.G. Bakulin, A.I. Borzilov, V.V. Kaushan, I.N. Ledovskich, U.V. Markin, S.S. Panasenko. Methods and software tools for combined binary code analysis. Trudy ISP RAN/Proc. ISP RAS, vol. 26, issue 1, 2014, pp. 251-276 (in Russian). DOI: 10.15514/ISPRAS-2014-26(1)-8.

8. Nethercote N., Seward J. Valgrind: a framework for heavyweight dynamic binary instrumentation. ACM SIGPLAN notices, 42(6), 2007, pp. 89-100.

9. Luk C. K., Cohn R., Muth R. et al. Pin: building customized program analysis tools with dynamic instrumentation. ACM SIGPLAN notices, 40(6), 2005, pp. 190-200.

10. Bellard F. QEMU, a fast and portable dynamic translator. USENIX Annual Technical Conference, FREENIX Track, 2005, pp. 41-46.

11. De Moura L., Bjørner N. Z3: An efficient SMT solver. Tools and Algorithms for the Construction and Analysis of Systems, 2008, pp. 337-340.

12. V.A. Padaryan, M.A. Solov’ev, A.I. Kononov. Simulation of Operational Semantics of Machine Instructions. Programming and Computer Software, 37(3), 2011, pp. 161-170. DOI: 10.1134/S0361768811030030.

13. Dullien T., Porst S. REIL: A platform-independent intermediate representation of disassembled code for static code analysis. CanSecWest, 2009, 7 pp.

14. A.N. Fedotov, V.A. Padaryan, V.V. Kaushan, Sh.F. Kurmangaleev, A.V. Vishnyakov, A.R. Nurmukhametov. Software defect severity estimation in presence of modern defense mechanisms. Trudy ISP RAN/Proc. ISP RAS, vol. 28, issue 5, 2016, pp. 73-92 (in Russian). DOI: 10.15514/ISPRAS-2016-28(5)-4.

15. Caselden D., Bazhanyuk A., Payer M., McCamant S., Song D. HI-CFG: Construction by Binary Analysis and Application to Attack Polymorphism. In Computer Security - ESORICS 2013. Lecture Notes in Computer Science, vol 8134. Springer pp. 164-181