DOI: 10.1145/3523181.3523207
Research article, open access

GRIN: Make Rewriting More Precise

Published: 18 April 2022

Abstract

In computer security, many systems and applications depend on binary rewriting techniques when source code is absent, including binary instrumentation, profiling and security policy enforcement. While rewriting techniques are continuously evolving, many static binary rewriters are still unable to correctly disassemble and accurately cover all legal instructions. Dynamic binary rewriters achieve accuracy, but cannot guarantee full coverage. Therefore, existing binary rewriting techniques do not meet all the requirements for binary rewriting, and make various assumptions for their application purposes. In this paper, we present GRIN, a novel and practical binary rewriting tool that can accurately identify each legal instruction while guaranteeing full code coverage. We design a dynamic execution technique that can identify each legal instruction. We also develop a branch backtracking technique that can address various challenges of identifying. Our tool does not require any assumptions or relocation information, and can be applied to all security applications. We have implemented a prototype of GRIN and evaluated it on SPEC2006 and the whole set of GNU Coreutils. The experimental results show that the average instruction redundancy is only 0.135% for SPEC and 0.062% for Coreutils.


Published In

ASSE '22: 2022 3rd Asia Service Sciences and Software Engineering Conference
February 2022, 202 pages
ISBN: 9781450387453
DOI: 10.1145/3523181
This work is licensed under a Creative Commons Attribution International 4.0 License.

Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

  1. Binary Rewriting
  2. Dynamic Execution
  3. Static Analysis

Qualifiers

  • Research-article
  • Research
  • Refereed limited
