Please enable JavaScript.
Coggle requires JavaScript to display documents.
2014 - X-Force: Force-Executing Binary Programs for Security Applications
2014 - X-Force: Force-Executing Binary Programs for Security Applications
Authors
Goal
Problem
Symbolic and concolic analysis
Concolic
Provide concrete inputs, called seed inputs, and the quality of seed inputs is critical to the execution paths that can be explored
Depends on SAT/SMT solver to resolve generated constraint
Scalability problem
Dynamic binary analysis
Quality of analysis results heavily relies on
coverage of the test inputs
Malware increasingly equipped with anti analysis technique
Malware binaries may contain multi-staged, condition-guarded, and environment-specific malicious payloads, making it difficult to reveal all payloads, even if one manages to execute them.
Static Analysis
Difficulty in handling packed and obfuscated binaries
Difficulty in indirect jump/call target analysis
Referenced by
Informations
X-Force
A binary analysis engine
Explores different execution path
Systematically forces the branch outcomes of a very small set of conditional control transfer instructions by switching its predicates
Fitness Functions
Linear Search
Quadratic Search
Exponential Search
Control the scope of path exploration which differs in accordance with the application
Taint Analysis
Track if a predicate is related to program input.
X-Force will only force branch outcomes of those tainted predicates
Generates a pool of forced executions that are supposed to meet the goal specified by a fitness function.
After each force execution fitness function will be updated with remaining space to explore
Work list contains forced executions that may be further explored by switching more predicates
Security application
Construct control-flow graph and call graphs
Control-flow graph
Graphical representation of control flow or computation during the execution of programs or applications
Call graph
Graphical representation of calling relationships between subroutines in a computer program.
Expose hidden behavior of malware (packed / obfuscated APT malware)
Common approach to understanding the behavior of an unknown malware sample is by looking at the library calls it makes
Improves analysis coverage in dynamic type reconstruction
Dynamic Binary Instrumentation
Forced Execution
Force a value on set of instructions that affects execution path (e.g predicates and jump table accesses) to have certain value, regardless of computed value
Analyzing the behavior of a binary application at runtime through the injection of instrumentation code that will be executed along normal instruction stream
Memory allocation on demand
Able to tolerate invalid memory accesses due to force execution by performing on demand memory allocations
Linear set tracing semantics
Other pointer variables that have the same address value or a value denoting an offset from the address in which memory currently being allocated will be updated
Two variables are linearly correlated if the value of one variable is computed from the value of the other variable by adding or subtracting a value
Ensures that execution is not crashable
Binary analysis
Static Analysis
Difficulty on packed and obfuscated binaries
Analyse executable without executing
Dynamic Analysis
Analyse by observing executable behavior in execution
Quality of result depends on coverage
Malware may employ anti-analysis logic that make it refuse to execute even with valid input
Symbolic and concolic analysis
Generate input to explore execution path
Generate constraints from individual instructions and solving them using SMT/SAT solvers
While symbolic and concrete execution can be performed simultaneously, user still need to provide concrete input
Many existing techniques cannot handle obfuscated / self-modifying binaries
Stripped binaries
Compiled binary files without any debugging information
Conclusion
What is?
Control-transfer
Fitness function
Evaluates how close a given solution is to the optimum solution of the desired problem
Predicate
Logical expression which evaluates to TRUE or FALSE, normally to direct the execution path in code.
Contribution
Force a binary to execute requiring no inputs or any environment setup.
May explore infeasible paths as it forces predicate outcomes whereas symbolic analysis attempts to respect path feasibility through constraint solving
Application
Constructing Control-flow Graph and Control Graph
Study hidden behavior of advanced malwares
Reverse engineering variable types and data structure definitions of executable