Binary Code Extraction and Interface Identification for Security Applications
| Title: | Binary Code Extraction and Interface Identification for Security Applications |
|---|---|
| Authors: | Caballero, Juan, Johnson, Noah M., McCamant, Stephen, Song, Dawn |
| Contributors: | CALIFORNIA UNIV BERKELEY DEPT OF ELECTRICAL ENGINEERING AND COMPUTER SCIENCE |
| Source: | DTIC |
| Publication Year: | 2009 |
| Collection: | Defense Technical Information Center: DTIC Technical Reports database |
| Subject Terms: | Cybernetics, CODING, DATA PROCESSING SECURITY, EXTRACTION, IDENTIFICATION, CRYPTOGRAPHY, INTERFACES, BINARY CODES, REUTILIZATION |
| Description: | Binary code reutilization is the process of automatically identifying the interface and extracting the instructions and data dependencies of a code fragment from an executable program, so that it is self-contained and can be reused by external code. Binary code reutilization is useful for a number of security applications, including reusing the proprietary cryptographic or unpacking functions from a malware sample and for rewriting a network dialog. In this paper we conduct the first systematic study of automated binary code reutilization and its security applications. The main challenge in binary code reutilization is understanding the code fragment's interface. We propose a novel technique to identify the prototype of an undocumented code fragment directly from the program's binary, without access to source code or symbol information. Further, we must also extract the code itself from the binary so that it is self-contained and can be easily reused in another program. We design and implement a tool that uses a combination of dynamic and static analysis to automatically identify the prototype and extract the instructions of an assembly function into a form that can be reused by other C code. The extracted function can be run independently of the rest of the program's functionality and shared with other users. We apply our approach to scenarios that include extracting the encryption and decryption routines from malware samples, and show that these routines can be reused by a network proxy to decrypt encrypted traffic on the network. This allows the network proxy to rewrite the malware's encrypted traffic by combining the extracted encryption and decryption functions with the session keys and the protocol grammar. Supported in part by AFOSR under grant 22178970-4170. |
| Document Type: | text |
| File Description: | text/html |
| Language: | English |
| Relation: | http://www.dtic.mil/docs/citations/ADA538737 |
| Availability: | http://www.dtic.mil/docs/citations/ADA538737 http://oai.dtic.mil/oai/oai?&verb=getRecord&metadataPrefix=html&identifier=ADA538737 |
| Rights: | Approved for public release; distribution is unlimited. |
| Accession Number: | edsbas.8A72A03A |
| Database: | BASE |
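The last application the abstract describes, a proxy that decrypts a malware message with the extracted decryption routine, edits it according to the protocol grammar, and re-encrypts it with the extracted encryption routine under the same session key, is illustrated below. This is an added example, not the paper's tool or any of its extracted code: RC4 stands in for the proprietary routine that the paper would extract from the binary (in practice the extracted function would be called through its identified C prototype, for instance via `ctypes`), and the length-prefixed field layout, the session key, and the sample messages are all constructed for the example. The names `rc4`, `parse_fields`, `serialize_fields`, `rewrite_message` and `try_decode` are hypothetical.

```python
"""Proxy-side rewrite of an encrypted message (added example, not from the paper)."""
import struct


def rc4(key: bytes, data: bytes) -> bytes:
    """Constructed stand-in for the extracted encrypt/decrypt routine.

    RC4 is symmetric, so one function serves as both. Each message is treated
    as a fresh keystream, i.e. the stand-in rekeys per message (an assumption
    of this example, not something the paper states about any sample).
    """
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


# Constructed "protocol grammar": u8 field count, then fields as u16 big-endian
# length followed by that many bytes. Nothing else is allowed in a message.
def serialize_fields(fields: list) -> bytes:
    if len(fields) > 0xFF:
        raise ValueError("too many fields")
    out = bytearray([len(fields)])
    for f in fields:
        if len(f) > 0xFFFF:
            raise ValueError("field too long")
        out += struct.pack(">H", len(f)) + f
    return bytes(out)


def parse_fields(plaintext: bytes) -> list:
    """Parse a plaintext message; reject anything the grammar does not cover.

    A strict parser doubles as the sanity check a proxy needs: if the session
    key (or the extracted routine) is wrong, the 'plaintext' is keystream noise
    and almost never fits the grammar, so a ValueError surfaces the problem
    instead of silently forwarding garbage.
    """
    if not plaintext:
        raise ValueError("empty message")
    count, pos, fields = plaintext[0], 1, []
    for _ in range(count):
        if pos + 2 > len(plaintext):
            raise ValueError("truncated length prefix")
        (n,) = struct.unpack_from(">H", plaintext, pos)
        pos += 2
        if pos + n > len(plaintext):
            raise ValueError("truncated field")
        fields.append(plaintext[pos:pos + n])
        pos += n
    if pos != len(plaintext):
        raise ValueError("trailing bytes after last field")
    return fields


def rewrite_message(ciphertext: bytes, session_key: bytes, field_index: int,
                    new_value: bytes, decrypt=rc4, encrypt=rc4) -> bytes:
    """Decrypt with the (stand-in) extracted routine, edit one field per the
    grammar, and re-encrypt under the same session key."""
    fields = parse_fields(decrypt(session_key, ciphertext))
    if not 0 <= field_index < len(fields):
        raise IndexError("no such field in message")
    fields[field_index] = new_value
    return encrypt(session_key, serialize_fields(fields))


def try_decode(ciphertext: bytes, session_key: bytes, decrypt=rc4):
    """Return the parsed fields, or None when the key does not yield a
    grammar-conforming plaintext."""
    try:
        return parse_fields(decrypt(session_key, ciphertext))
    except ValueError:
        return None


if __name__ == "__main__":
    # Constructed sample: a bot-to-C2 message carrying a host and a command.
    session_key = b"constructed-session-key"
    original = [b"C2HOST=10.0.0.1", b"CMD=sleep"]
    wire = rc4(session_key, serialize_fields(original))
    rewritten = rewrite_message(wire, session_key, 1, b"CMD=exit")
    print("original :", try_decode(wire, session_key))
    print("rewritten:", try_decode(rewritten, session_key))
    print("wrong key:", try_decode(wire, b"wrong-key"))
```

Note that the rewrite changes the ciphertext length whenever the edited field changes length; a proxy that also has to preserve a transport-level length or checksum field would handle that in the same grammar-driven step before re-encrypting.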