liOS: Lifting iOS apps for fun and profit

Although iOS is the second most popular mobile operating system and is often considered the more secure one, approaches to automatically analyze iOS applications are scarce and generic app analysis frameworks do not exist. This is on the one hand due to the closed ecosystem putting obstacles in the way of reverse engineers and on the other hand due to the complexity of reverse engineering and analyzing app binaries. Reliably lifting accurate call graphs, control flows, and data dependence graphs from binary code, as well as reconstructing object-oriented high-level concepts is a non-trivial task and the choice of the lifted target representation determines the analysis capabilities. None of the various existing intermediate representations is a perfect fit for all types of analysis, while the detection of vulnerabilities requires techniques ranging from simple pattern matching to complex inter-procedural data flow analyses. We address this gap by introducing liOS, a binary lifting and analysis framework for iOS applications that extracts lifted information from several frontends and unifies them in a "supergraph" representation that tolerates missing parts and is further extended and interlinked by liOS "passes". A static analysis of the binary is then realized in the form of graph traversal queries, which can be considered as an advancement of classic program query languages. We illustrate this approach by means of a typical JavaScript/Objective-C bridge, which can lead to remote code execution in iOS applications

Trex: Learning Execution Semantics from Micro-Traces for Binary Similarity

Detecting semantically similar functions -- a crucial analysis capability with broad real-world security usages including vulnerability detection, malware lineage, and forensics -- requires understanding function behaviors and intentions. This task is challenging as semantically similar functions can be implemented differently, run on different architectures, and compiled with diverse compiler optimizations or obfuscations. Most existing approaches match functions based on syntactic features without understanding the functions' execution semantics. We present Trex, a transfer-learning-based framework, to automate learning execution semantics explicitly from functions' micro-traces and transfer the learned knowledge to match semantically similar functions. Our key insight is that these traces can be used to teach an ML model the execution semantics of different sequences of instructions. We thus train the model to learn execution semantics from the functions' micro-traces, without any manual labeling effort. We then develop a novel neural architecture to learn execution semantics from micro-traces, and we finetune the pretrained model to match semantically similar functions. We evaluate Trex on 1,472,066 function binaries from 13 popular software projects. These functions are from different architectures and compiled with various optimizations and obfuscations. Trex outperforms the state-of-the-art systems by 7.8%, 7.2%, and 14.3% in cross-architecture, optimization, and obfuscation function matching, respectively. Ablation studies show that the pretraining significantly boosts the function matching performance, underscoring the importance of learning execution semantics.Comment: To appear in 42nd IEEE Symposium on Security and Privacy (Oakland S&P 2021

XDA: Accurate, Robust Disassembly with Transfer Learning

Accurate and robust disassembly of stripped binaries is challenging. The root of the difficulty is that high-level structures, such as instruction and function boundaries, are absent in stripped binaries and must be recovered based on incomplete information. Current disassembly approaches rely on heuristics or simple pattern matching to approximate the recovery, but these methods are often inaccurate and brittle, especially across different compiler optimizations. We present XDA, a transfer-learning-based disassembly framework that learns different contextual dependencies present in machine code and transfers this knowledge for accurate and robust disassembly. We design a self-supervised learning task motivated by masked Language Modeling to learn interactions among byte sequences in binaries. The outputs from this task are byte embeddings that encode sophisticated contextual dependencies between input binaries' byte tokens, which can then be finetuned for downstream disassembly tasks. We evaluate XDA's performance on two disassembly tasks, recovering function boundaries and assembly instructions, on a collection of 3,121 binaries taken from SPEC CPU2017, SPEC CPU2006, and the BAP corpus. The binaries are compiled by GCC, ICC, and MSVC on x86/x64 Windows and Linux platforms over 4 optimization levels. XDA achieves 99.0% and 99.7% F1 score at recovering function boundaries and instructions, respectively, surpassing the previous state-of-the-art on both tasks. It also maintains speed on par with the fastest ML-based approach and is up to 38x faster than hand-written disassemblers like IDA Pro. We release the code of XDA at https://github.com/CUMLSec/XDA.Comment: 2021 Network and Distributed System Security Symposium (NDSS 2021