
2017 | Original Paper | Book chapter

JTR: A Binary Solution for Switch-Case Recovery

Written by: Lucian Cojocar, Taddeus Kroes, Herbert Bos

Published in: Engineering Secure Software and Systems

Publisher: Springer International Publishing


Abstract

Most security solutions that rely on binary rewriting assume a clean separation between code and data. Unfortunately, jump tables violate this assumption. In particular, switch statements in binary code often appear as indirect jumps with jump tables that interleave with executable code—especially on ARM architectures. Most existing rewriters and disassemblers handle jump tables in a crude manner, by means of pattern matching. However, any deviation from the pattern (e.g. slightly different instructions) leads to a mismatch.
Instead, we propose a complementary approach to “solve” jump tables and automatically find the right target addresses of the indirect jump by means of a tailored Value Set Analysis (VSA). Our approach is generic and applies to binary code without any need for source, debug symbols, or compiler generated patterns.
We benchmark our technique on a large corpus of ARM binaries, including malware and firmware. For gcc binaries, our results approach those of IDA Pro when IDA has symbols (which is generally not the case), while for clang binaries we outperform IDA Pro with debug symbols by orders of magnitude: IDA finds 11 of 828 switch statements implemented as jump tables in SPEC, while we find 763.

Footnotes

1. 23% of switch statements are lowered to jump tables by gcc. When compiling SPEC CPU 2006 with clang (for ARM), 21% of the switch statements are lowered to jump tables.

3. "bugfix: ARM: memset.S: use unsigned comparisons" – http://goo.gl/5NiXJq.

4. We compiled SPEC with Clang and with GCC. We tried static and dynamic linking.
Metadata
Title
JTR: A Binary Solution for Switch-Case Recovery
Written by
Lucian Cojocar
Taddeus Kroes
Herbert Bos
Copyright year
2017
DOI
https://doi.org/10.1007/978-3-319-62105-0_12