Labeling library functions in stripped binaries

Jacobson, Emily R.; Rosenblum, Nathan; Miller, Barton P.

doi:10.1145/2024569.2024571

Cited by 43 publications

(19 citation statements)

References 14 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Previous work has shown that with only 20 executable binary samples per compiler as training data, it is possible to use a linear Conditional Random Field (CRF) to determine the compiler used with accuracy of 93% on average [41], [27]. Other work has shown that by using pattern matching, library functions can be identified with precision and recall between 0.98 and 1.00 based on each one of three criteria; compiler version, library version, and linux distribution [23].…”

Section: Stylisticmentioning

confidence: 99%

When Coding Style Survives Compilation: De-anonymizing Programmers from Executable Binaries

Çalışkan

Yamaguchi

Dauber

et al. 2018

Proceedings 2018 Network and Distributed System Security Symposium

112

View full text Add to dashboard Cite

The ability to identify authors of computer programs based on their coding style is a direct threat to the privacy and anonymity of programmers. While recent work found that source code can be attributed to authors with high accuracy, attribution of executable binaries appears to be much more difficult. Many distinguishing features present in source code, e.g. variable names, are removed in the compilation process, and compiler optimization may alter the structure of a program, further obscuring features that are known to be useful in determining authorship. We examine programmer de-anonymization from the standpoint of machine learning, using a novel set of features that include ones obtained by decompiling the executable binary to source code. We adapt a powerful set of techniques from the domain of source code authorship attribution along with stylistic representations embedded in assembly, resulting in successful deanonymization of a large set of programmers.We evaluate our approach on data from the Google Code Jam, obtaining attribution accuracy of up to 96% with 100 and 83% with 600 candidate programmers. We present an executable binary authorship attribution approach, for the first time, that is robust to basic obfuscations, a range of compiler optimization settings, and binaries that have been stripped of their symbol tables. We perform programmer de-anonymization using both obfuscated binaries, and real-world code found "in the wild" in single-author GitHub repositories and the recently leaked Nulled.IO hacker forum. We show that programmers who would like to remain anonymous need to take extreme countermeasures to protect their privacy.

show abstract

Section: Stylisticmentioning

confidence: 99%

When Coding Style Survives Compilation: De-anonymizing Programmers from Executable Binaries

Çalışkan

Yamaguchi

Dauber

et al. 2018

Proceedings 2018 Network and Distributed System Security Symposium

112

View full text Add to dashboard Cite

show abstract

“…IDA Pro uses a technique called FLIRT, which uses pattern matching to detect and identify the presence of compiler-generated patterns and certain library functions, and can be extended with user-provided databases [8]. On Linux, system library functions can be identified by the system call numbers they embed to interface with the kernel, and then one can iteratively try to identify the callers of the already identified functions [9]. Machine learning can be used to automatically learn patterns required to identify library functions [10].…”

Section: Related Workmentioning

confidence: 99%

Obfuscating Windows DLLs

Abrath¹,

Coppens²,

Volckaert³

et al. 2015

2015 IEEE/ACM 1st International Workshop on Software Protection

View full text Add to dashboard Cite

Abstract-We present two techniques to obfuscate the interfaces between application binaries and Windows system DLLs (dynamic-link libraries). The first technique obfuscates the related symbol information in the binary to prevent static analyses from identifying the invoked library functions. The second technique combines static linking with code obfuscation to avoid the external interface altogether, thus preventing dynamic attacks as well. This is done while still maintaining compatibility with multiple Windows versions, through run-time adaptation of the application. As the first concrete result of this ongoing research, we demonstrate and evaluate the techniques using a proof-ofconcept tool applied to a simple test program.

show abstract

“…(Recovering aggregation relationships is possible future work -see §6.) Jacobson et al describe the idea of using semantic descriptors to fingerprint system-call wrapper functions and label them meaningfully in stripped binaries [15]. Bardin et al use Value Analysis with Precision Requirements (VAPR) for recovering a Control Flow Graph (CFG) from an unstructured program [3].…”

Section: Related Workmentioning

confidence: 99%

Recovery of Class Hierarchies and Composition Relationships from Machine Code

Srinivasan

Reps

2014

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. We present a reverse-engineering tool, called Lego, which recovers class hierarchies and composition relationships from stripped binaries. Lego takes a stripped binary as input, and uses information obtained from dynamic analysis to (i) group the functions in the binary into classes, and (ii) identify inheritance and composition relationships between the inferred classes. The software artifacts recovered by Lego can be subsequently used to understand the object-oriented design of software systems that lack documentation and source code, e.g., to enable interoperability. Our experiments show that the class hierarchies recovered by Lego have a high degree of agreement-measured in terms of precision and recall-with the hierarchy defined in the source code.

show abstract

Labeling library functions in stripped binaries

Cited by 43 publications

References 14 publications

When Coding Style Survives Compilation: De-anonymizing Programmers from Executable Binaries

When Coding Style Survives Compilation: De-anonymizing Programmers from Executable Binaries

Obfuscating Windows DLLs

Recovery of Class Hierarchies and Composition Relationships from Machine Code

Contact Info

Product

Resources

About