3 research outputs found
liOS: Lifting iOS apps for fun and profit
Although iOS is the second most popular mobile operating system and is often
considered the more secure one, approaches to automatically analyze iOS
applications are scarce and generic app analysis frameworks do not exist. This
is on the one hand due to the closed ecosystem putting obstacles in the way of
reverse engineers and on the other hand due to the complexity of reverse
engineering and analyzing app binaries. Reliably lifting accurate call graphs,
control flows, and data dependence graphs from binary code, as well as
reconstructing object-oriented high-level concepts is a non-trivial task and
the choice of the lifted target representation determines the analysis
capabilities. None of the various existing intermediate representations is a
perfect fit for all types of analysis, while the detection of vulnerabilities
requires techniques ranging from simple pattern matching to complex
inter-procedural data flow analyses. We address this gap by introducing liOS, a
binary lifting and analysis framework for iOS applications that extracts lifted
information from several frontends and unifies them in a "supergraph"
representation that tolerates missing parts and is further extended and
interlinked by liOS "passes". A static analysis of the binary is then realized
in the form of graph traversal queries, which can be considered as an
advancement of classic program query languages. We illustrate this approach by
means of a typical JavaScript/Objective-C bridge, which can lead to remote code
execution in iOS applications
Trex: Learning Execution Semantics from Micro-Traces for Binary Similarity
Detecting semantically similar functions -- a crucial analysis capability
with broad real-world security usages including vulnerability detection,
malware lineage, and forensics -- requires understanding function behaviors and
intentions. This task is challenging as semantically similar functions can be
implemented differently, run on different architectures, and compiled with
diverse compiler optimizations or obfuscations. Most existing approaches match
functions based on syntactic features without understanding the functions'
execution semantics.
We present Trex, a transfer-learning-based framework, to automate learning
execution semantics explicitly from functions' micro-traces and transfer the
learned knowledge to match semantically similar functions. Our key insight is
that these traces can be used to teach an ML model the execution semantics of
different sequences of instructions. We thus train the model to learn execution
semantics from the functions' micro-traces, without any manual labeling effort.
We then develop a novel neural architecture to learn execution semantics from
micro-traces, and we finetune the pretrained model to match semantically
similar functions.
We evaluate Trex on 1,472,066 function binaries from 13 popular software
projects. These functions are from different architectures and compiled with
various optimizations and obfuscations. Trex outperforms the state-of-the-art
systems by 7.8%, 7.2%, and 14.3% in cross-architecture, optimization, and
obfuscation function matching, respectively. Ablation studies show that the
pretraining significantly boosts the function matching performance,
underscoring the importance of learning execution semantics.Comment: To appear in 42nd IEEE Symposium on Security and Privacy (Oakland S&P
2021
XDA: Accurate, Robust Disassembly with Transfer Learning
Accurate and robust disassembly of stripped binaries is challenging. The root
of the difficulty is that high-level structures, such as instruction and
function boundaries, are absent in stripped binaries and must be recovered
based on incomplete information. Current disassembly approaches rely on
heuristics or simple pattern matching to approximate the recovery, but these
methods are often inaccurate and brittle, especially across different compiler
optimizations.
We present XDA, a transfer-learning-based disassembly framework that learns
different contextual dependencies present in machine code and transfers this
knowledge for accurate and robust disassembly. We design a self-supervised
learning task motivated by masked Language Modeling to learn interactions among
byte sequences in binaries. The outputs from this task are byte embeddings that
encode sophisticated contextual dependencies between input binaries' byte
tokens, which can then be finetuned for downstream disassembly tasks.
We evaluate XDA's performance on two disassembly tasks, recovering function
boundaries and assembly instructions, on a collection of 3,121 binaries taken
from SPEC CPU2017, SPEC CPU2006, and the BAP corpus. The binaries are compiled
by GCC, ICC, and MSVC on x86/x64 Windows and Linux platforms over 4
optimization levels. XDA achieves 99.0% and 99.7% F1 score at recovering
function boundaries and instructions, respectively, surpassing the previous
state-of-the-art on both tasks. It also maintains speed on par with the fastest
ML-based approach and is up to 38x faster than hand-written disassemblers like
IDA Pro. We release the code of XDA at https://github.com/CUMLSec/XDA.Comment: 2021 Network and Distributed System Security Symposium (NDSS 2021