23 research outputs found

    BinRec: Attack surface reduction through dynamic binary recovery

    Compile-time specialization and feature pruning through static binary rewriting have been proposed repeatedly as techniques for reducing the attack surface of large programs, and for minimizing the trusted computing base. We propose a new approach to attack surface reduction: dynamic binary lifting and recompilation. We present BinRec, a binary recompilation framework that lifts binaries to a compiler-level intermediate representation (IR) to allow complex transformations on the captured code. After transformation, BinRec lowers the IR back to a "recovered" binary, which is semantically equivalent to the input binary but has its unnecessary features removed. Unlike existing approaches, which are mostly based on static analysis and rewriting, our framework analyzes and lifts binaries dynamically. The crucial advantage is that we can not only observe the full program including all of its dependencies, but can also determine which program features the end-user actually uses. We evaluate the correctness and performance of BinRec, and show that our approach enables aggressive pruning of unwanted features in COTS binaries.

    The Effect of Instruction Padding on SFI Overhead

    Software-based fault isolation (SFI) is a technique to isolate a potentially faulty or malicious software module from the rest of a system using instruction-level rewriting. SFI implementations on CISC architectures, including Google Native Client, use instruction padding to enforce an address layout invariant and restrict control flow. However, this padding decreases code density and imposes runtime overhead. We analyze this overhead, and show that it can be reduced by allowing some execution of overlapping instructions, as long as those overlapping instructions are still safe according to the original per-instruction policy. We implemented this change for both 32-bit and 64-bit x86 versions of Native Client, and analyzed why the performance benefit is higher on 32-bit. The optimization leads to a consistent decrease in the number of instructions executed and savings averaging 8.6% in execution time (over compatible benchmarks from SPECint2006) for x86-32. We describe how to modify the validation algorithm to check the more permissive policy, and extend a machine-checked Coq proof to confirm that the system's security is preserved.
    Comment: NDSS Workshop on Binary Analysis Research, February 201

    Scanning native binaries to resolve unsoundness in static analysis of mixed Java-native code

    Many real-world Java applications contain native code written in C and/or C++, which interacts with the Java code. By analyzing the native files, it is possible to compute how Java code is called from native code and, furthermore, to resolve the unsoundness in static analyses of such applications. We present an analysis that finds Java method calls in native code by scanning disassembled native binary files. The main challenge in analyzing these binaries is the difficulty of finding function boundaries in order to determine which native function calls which Java method of the same application. The analysis was written in Java and Datalog and is based on the Doop framework. Specifically, the implementation of a Java utility for scanning binary files, combined with a specific analysis logic in Datalog, demonstrates Doop's capabilities in creating concise and expressive static analyses.