Estimating types in binaries using predictive modeling

Omer Katz; Ran El-Yaniv; Eran Yahav

doi:10.1145/2837614.2837674

Estimating types in binaries using predictive modeling

Omer Katz, Ran El-Yaniv, Eran Yahav

Computer Science

Technion - Israel Institute of Technology

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

Abstract

Reverse engineering is an important tool in mitigating vulnerabilities in binaries. As a lot of software is developed in object-oriented languages, reverse engineering of object-oriented code is of critical importance. One of the major hurdles in reverse engineering binaries compiled from object-oriented code is the use of dynamic dispatch. In the absence of debug information, any dynamic dispatch may seem to jump to many possible targets, posing a significant challenge to a reverse engineer trying to track the program flow. We present a novel technique that allows us to statically determine the likely targets of virtual function calls. Our technique uses object tracelets - statically constructed sequences of operations performed on an object - to capture potential runtime behaviors of the object. Our analysis automatically pre-labels some of the object tracelets by relying on instances where the type of an object is known. The resulting type-labeled tracelets are then used to train a statistical language model (SLM) for each type.We then use the resulting ensemble of SLMs over unlabeled tracelets to generate a ranking of their most likely types, from which we deduce the likely targets of dynamic dispatches.We have implemented our technique and evaluated it over real-world C++ binaries. Our evaluation shows that when there are multiple alternative targets, our approach can drastically reduce the number of targets that have to be considered by a reverse engineer.

Original language	English
Title of host publication	POPL 2016 - Proceedings of the 43rd Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages
Editors	Rupak Majumdar, Rastislav Bodik
Pages	313-326
Number of pages	14
ISBN (Electronic)	9781450335492
DOIs	https://doi.org/10.1145/2837614.2837674
State	Published - 11 Jan 2016
Event	43rd Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, POPL 2016 - St. Petersburg, United States Duration: 20 Jan 2016 → 22 Jan 2016

Publication series

Name	Conference Record of the Annual ACM Symposium on Principles of Programming Languages
Volume	20-22-January-2016

Conference

Conference	43rd Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, POPL 2016
Country/Territory	United States
City	St. Petersburg
Period	20/01/16 → 22/01/16

Keywords

Reverse engineering
Static binary analysis
X86

All Science Journal Classification (ASJC) codes

Software

Access to Document

10.1145/2837614.2837674

Cite this

Katz, O., El-Yaniv, R., & Yahav, E. (2016). Estimating types in binaries using predictive modeling. In R. Majumdar, & R. Bodik (Eds.), POPL 2016 - Proceedings of the 43rd Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (pp. 313-326). (Conference Record of the Annual ACM Symposium on Principles of Programming Languages; Vol. 20-22-January-2016). https://doi.org/10.1145/2837614.2837674

@inproceedings{44f57489b2334b46bed5d3740d760e9f,

title = "Estimating types in binaries using predictive modeling",

abstract = "Reverse engineering is an important tool in mitigating vulnerabilities in binaries. As a lot of software is developed in object-oriented languages, reverse engineering of object-oriented code is of critical importance. One of the major hurdles in reverse engineering binaries compiled from object-oriented code is the use of dynamic dispatch. In the absence of debug information, any dynamic dispatch may seem to jump to many possible targets, posing a significant challenge to a reverse engineer trying to track the program flow. We present a novel technique that allows us to statically determine the likely targets of virtual function calls. Our technique uses object tracelets - statically constructed sequences of operations performed on an object - to capture potential runtime behaviors of the object. Our analysis automatically pre-labels some of the object tracelets by relying on instances where the type of an object is known. The resulting type-labeled tracelets are then used to train a statistical language model (SLM) for each type.We then use the resulting ensemble of SLMs over unlabeled tracelets to generate a ranking of their most likely types, from which we deduce the likely targets of dynamic dispatches.We have implemented our technique and evaluated it over real-world C++ binaries. Our evaluation shows that when there are multiple alternative targets, our approach can drastically reduce the number of targets that have to be considered by a reverse engineer.",

keywords = "Reverse engineering, Static binary analysis, X86",

author = "Omer Katz and Ran El-Yaniv and Eran Yahav",

note = "Publisher Copyright: {\textcopyright} 2016 ACM.; 43rd Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, POPL 2016 ; Conference date: 20-01-2016 Through 22-01-2016",

year = "2016",

month = jan,

day = "11",

doi = "10.1145/2837614.2837674",

language = "الإنجليزيّة",

series = "Conference Record of the Annual ACM Symposium on Principles of Programming Languages",

pages = "313--326",

editor = "Rupak Majumdar and Rastislav Bodik",

booktitle = "POPL 2016 - Proceedings of the 43rd Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages",

}

Katz, O, El-Yaniv, R & Yahav, E 2016, Estimating types in binaries using predictive modeling. in R Majumdar & R Bodik (eds), POPL 2016 - Proceedings of the 43rd Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages. Conference Record of the Annual ACM Symposium on Principles of Programming Languages, vol. 20-22-January-2016, pp. 313-326, 43rd Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, POPL 2016, St. Petersburg, United States, 20/01/16. https://doi.org/10.1145/2837614.2837674

Estimating types in binaries using predictive modeling. / Katz, Omer; El-Yaniv, Ran; Yahav, Eran.
POPL 2016 - Proceedings of the 43rd Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages. ed. / Rupak Majumdar; Rastislav Bodik. 2016. p. 313-326 (Conference Record of the Annual ACM Symposium on Principles of Programming Languages; Vol. 20-22-January-2016).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Estimating types in binaries using predictive modeling

AU - Katz, Omer

AU - El-Yaniv, Ran

AU - Yahav, Eran

PY - 2016/1/11

Y1 - 2016/1/11

N2 - Reverse engineering is an important tool in mitigating vulnerabilities in binaries. As a lot of software is developed in object-oriented languages, reverse engineering of object-oriented code is of critical importance. One of the major hurdles in reverse engineering binaries compiled from object-oriented code is the use of dynamic dispatch. In the absence of debug information, any dynamic dispatch may seem to jump to many possible targets, posing a significant challenge to a reverse engineer trying to track the program flow. We present a novel technique that allows us to statically determine the likely targets of virtual function calls. Our technique uses object tracelets - statically constructed sequences of operations performed on an object - to capture potential runtime behaviors of the object. Our analysis automatically pre-labels some of the object tracelets by relying on instances where the type of an object is known. The resulting type-labeled tracelets are then used to train a statistical language model (SLM) for each type.We then use the resulting ensemble of SLMs over unlabeled tracelets to generate a ranking of their most likely types, from which we deduce the likely targets of dynamic dispatches.We have implemented our technique and evaluated it over real-world C++ binaries. Our evaluation shows that when there are multiple alternative targets, our approach can drastically reduce the number of targets that have to be considered by a reverse engineer.

AB - Reverse engineering is an important tool in mitigating vulnerabilities in binaries. As a lot of software is developed in object-oriented languages, reverse engineering of object-oriented code is of critical importance. One of the major hurdles in reverse engineering binaries compiled from object-oriented code is the use of dynamic dispatch. In the absence of debug information, any dynamic dispatch may seem to jump to many possible targets, posing a significant challenge to a reverse engineer trying to track the program flow. We present a novel technique that allows us to statically determine the likely targets of virtual function calls. Our technique uses object tracelets - statically constructed sequences of operations performed on an object - to capture potential runtime behaviors of the object. Our analysis automatically pre-labels some of the object tracelets by relying on instances where the type of an object is known. The resulting type-labeled tracelets are then used to train a statistical language model (SLM) for each type.We then use the resulting ensemble of SLMs over unlabeled tracelets to generate a ranking of their most likely types, from which we deduce the likely targets of dynamic dispatches.We have implemented our technique and evaluated it over real-world C++ binaries. Our evaluation shows that when there are multiple alternative targets, our approach can drastically reduce the number of targets that have to be considered by a reverse engineer.

KW - Reverse engineering

KW - Static binary analysis

KW - X86

UR - http://www.scopus.com/inward/record.url?scp=84962506552&partnerID=8YFLogxK

U2 - 10.1145/2837614.2837674

DO - 10.1145/2837614.2837674

M3 - منشور من مؤتمر

T3 - Conference Record of the Annual ACM Symposium on Principles of Programming Languages

SP - 313

EP - 326

BT - POPL 2016 - Proceedings of the 43rd Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages

A2 - Majumdar, Rupak

A2 - Bodik, Rastislav

T2 - 43rd Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, POPL 2016

Y2 - 20 January 2016 through 22 January 2016

ER -

Estimating types in binaries using predictive modeling

Abstract

Publication series

Conference

Keywords

All Science Journal Classification (ASJC) codes

Access to Document

Other files and links

Fingerprint

Cite this