Egalito

Williams-King, David; Kobayashi, Hidenori; Williams-King, Kent; Patterson, Graham; Spano, Frank C.; Wu, Yi Feng; Yang, Junfeng; Kemerlis, Vasileios P.

doi:10.1145/3373376.3378470

Cited by 46 publications

(9 citation statements)

References 36 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…All analyses operate on binary code. Static analyses are based on the Egalito [56] framework, while dynamic analyses use Intel's Pin [34] framework.…”

Section: Overviewmentioning

confidence: 99%

“…To identify all loops, we employ the Egalito [56] binary-analysis tool to statically disassemble applications and libraries, and extract the control-flow graph (CFG) of each function of the application and its libraries. We focus on loops produced using: for() {}, while() {}, do{} while(), and goto statements.…”

Section: Loops Identificationmentioning

confidence: 99%

“…These graphs are then used to compute the serving partition and the system calls made from it. Although reverse-engineering arbitrary binary software can be challenging, recent research [13,56] has demonstrated that it can be accomplished in a sound manner for modern x86-64/ARM Linux binaries. Moreover, SysPart introduces a combination of value-flow analysis (VFA) and heuristics, among other static analyses, to increase the precision of the FCG and to resolve the names of libraries and functions loaded at run time (e.g., via dlopen() and dlsym()).…”

Section: Introductionmentioning

confidence: 99%

“…Evaluation: SysPart was implemented for x86-64 Linux, using static and dynamic analyses built as passes over the Egalito framework [56] and run-time tools over Intel's Pin framework [34], respectively. The FCG was further pruned using TypeArmor [55], and application binaries were rewritten using Egalito to install a Linux Seccomp-BPF filter just before the main loop.…”

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

SysPart: Automated Temporal System Call Filtering for Binaries

Rajagopalan,

Kleftogiorgos,

Göktas

et al. 2023

Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security

View full text Add to dashboard Cite

Restricting the system calls available to applications reduces the attack surface of the kernel and limits the functionality available to compromised applications. Recent approaches automatically identify the system calls required by programs to block unneeded ones. For servers, they even consider different phases of execution to tighten restrictions after initialization completes. However, they require access to the source code for applications and libraries, depend on users identifying when the server transitions from initialization to serving clients, or do not account for dynamically-loaded libraries. This paper introduces SysPart, an automatic system-call filtering system designed for binary-only server programs that addresses the above limitations. Using a novel algorithm that combines static and dynamic analysis, SysPart identifies the serving phases of all working threads of a server. Static analysis is used to compute the system calls required during the various serving phases in a sound manner, and dynamic observations are only used to complement static resolution of dynamically-loaded libraries when necessary. We evaluated SysPart using six popular servers on x86-64 Linux to demonstrate its effectiveness in automatically identifying serving phases, generating accurate system-call filters, and mitigating attacks. Our results show that SysPart outperforms prior binary-only approaches and performs comparably to source-code approaches. CCS CONCEPTS• Security and privacy → Systems security.

show abstract

“…All analyses operate on binary code. Static analyses are based on the Egalito [56] framework, while dynamic analyses use Intel's Pin [34] framework.…”

Section: Overviewmentioning

confidence: 99%

Section: Loops Identificationmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

SysPart: Automated Temporal System Call Filtering for Binaries

Rajagopalan,

Kleftogiorgos,

Göktas

et al. 2023

Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security

View full text Add to dashboard Cite

show abstract

“…Binary memory dependence analysis, which determines whether two machine instructions in an executable can access the same memory location, is critical for many security-sensitive tasks, including detecting vulnerabilities [18,36,86], analyzing malware [38,93], hardening binaries [4,29,44,90], and forensics [19,35,58,91].…”

Section: Introductionmentioning

confidence: 99%

NeuDep: neural binary memory dependence analysis

Pei

She

Wang

et al. 2022

Proceedings of the 30th ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Enginee

Self Cite

View full text Add to dashboard Cite

Determining whether multiple instructions can access the same memory location is a critical task in binary analysis. It is challenging as statically computing precise alias information is undecidable in theory. The problem aggravates at the binary level due to the presence of compiler optimizations and the absence of symbols and types. Existing approaches either produce significant spurious dependencies due to conservative analysis or scale poorly to complex binaries.We present a new machine-learning-based approach to predict memory dependencies by exploiting the model's learned knowledge about how binary programs execute. Our approach features (i) a self-supervised procedure that pretrains a neural net to reason over binary code and its dynamic value flows through memory addresses, followed by (ii) supervised finetuning to infer the memory dependencies statically. To facilitate efficient learning, we develop dedicated neural architectures to encode the heterogeneous inputs (i.e., code, data values, and memory addresses from traces) with specific modules and fuse them with a composition learning strategy.We implement our approach in NeuDep and evaluate it on 41 popular software projects compiled by 2 compilers, 4 optimizations, and 4 obfuscation passes. We demonstrate that NeuDep is more precise (1.5×) and faster (3.5×) than the current state-of-the-art. Extensive probing studies on security-critical reverse engineering tasks suggest that NeuDep understands memory access patterns, learns function signatures, and is able to match indirect calls. All

show abstract