research-article

Labeling library functions in stripped binaries

Authors:

Emily R. Jacobson,

Nathan Rosenblum,

Barton P. MillerAuthors Info & Claims

PASTE '11: Proceedings of the 10th ACM SIGPLAN-SIGSOFT workshop on Program analysis for software tools

Pages 1 - 8

https://doi.org/10.1145/2024569.2024571

Published: 05 September 2011 Publication History

Abstract

Binary code presents unique analysis challenges, particularly when debugging information has been stripped from the executable. Among the valuable information lost in stripping are the identities of standard library functions linked into the executable; knowing the identities of such functions can help to optimize automated analysis and is instrumental in understanding program behavior. Library fingerprinting attempts to restore the names of library functions in stripped binaries, using signatures extracted from reference libraries. Existing methods are brittle in the face of variations in the toolchain that produced the reference libraries and do not generalize well to new library versions. We introduce semantic descriptors, high-level representations of library functions that avoid the brittleness of existing approaches. We have extended a tool, unstrip, to apply this technique to fingerprint wrapper functions in the GNU C library. unstrip discovers functions in a stripped binary and outputs a new binary, with meaningful names added to the symbol table. Other tools can leverage these symbols to perform further analysis. We demonstrate that our semantic descriptors generalize well and substantially outperform existing library fingerprinting techniques.

References

[1]

G. Balakrishnan, T. Reps, D. Melski, and T. Teitelbaum. WYSINWYX: What You See Is Not What You eXecute. In Verified Software: Theories, Tools, Experiments. Springer-Verlag, 2007.

Digital Library

[2]

U. Bayer, P. M. Comparetti, C. Hlauschek, C. Kruegel, and E. Kirda. Scalable, behavior-based malware clustering. In Network and Distributed System Security Symposium (NDSS), San Diego, CA, USA, February 2009.

[3]

T. E. Cheatham, G. H. Holloway, and J. A. Townley. Symbolic evaluation and the analysis of programs. IEEE Trans. Softw. Eng., 5 (4): 402--417, 1979.

Digital Library

[4]

M. Christodorescu, S. Jha, and C. Krugel. Mining specifications of malicious behavior. In Proceedings of the Sixth Joint Meeting of the European Software Engineering Conference and the ACM SIGSOFT Symposium on the Foundations of Software Engineering, pages 5--14, Dubrovnik, Croatia, 2007.

Digital Library

[5]

C. Cifuentes and A. Fraboulet. Intraprocedural static slicing of binary executables. In Proc. International Conference on Software Maintenance, pages 188--195, Bari, Italy, October 1997.

Digital Library

[6]

C. Cifuentes and K. J. Gough. Decompilation of binary programs. Software--Practice and Experience, 25 (7), 1995.

Digital Library

[7]

P. Coward. Symbolic execution systems-a review. Software Engineering Journal, 3 (6): 229--239, Nov 1988.

Digital Library

[8]

ROSED. J. Quinlan et al. ROSE Compiler Project. http://www.rosecompiler.org.

[9]

T. Dullien and R. Rolles. Graph-based comparison of executable objects. In Symposium sur la Sécurité des Technologies de l'Information et des Communications (SSTIC), June 2005.

[10]

M. V. Emmerik. Signatures for library functions in executable files. Technical Report 2194, Queensland University of Technology, 1994.

[11]

H. Flake. Structural comparison of executable objects. In Conference Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA 2004), Dortmund, Germany, July 2004.

[12]

M. Fredrikson, S. Jha, M. Christodorescu, R. Sailer, and X. Yan. Synthesizing near-optimal malware specifications from suspicious behaviors. In Proceedings of the 2010 IEEE Symposium on Security and Privacy, Berkeley, California, May 2010.

Digital Library

[13]

I. Guilfanova and DataRescue. Fast library identificatiion and recognition technology. http://www.hex-rays.com/idapro/flirt.htm, 1997.

[14]

Hex-Rays. IDA Pro disassembler. http://www.hex-rays.com/idapro.

[15]

A. Kiss, J. Jasz, G. Lehotai, and T. Gyimothy. Interprocedural static slicing of binary executables. In Source Code Analysis and Manipulation, Amsterdam, The Netherlands, September 2003.

[16]

C. Kolbitsch, P. M. Comparetti, C. Kruegel, E. Kirda, X. Zho, and X. Wang. Effective and efficient malware detection at the end host. In Eighteenth USENIX Security Symposium, Montreal, Canada, August 2009.

Digital Library

[17]

C. Kruegel, E. Kirda, D. Mutz, W. Robertson, and G. Vigna. Polymorphic worm detection using structural information of executables. In Eighth International Symposium on Recent Advances in Intrusion Detection (RAID 2005), Seattle,WA, September 2005.

Digital Library

[18]

Paradyn Project. Dyninst 7.0. 2011. URL http://www.paradyn.org/html/dyninst7.0-features.html.

[19]

Paradyn Project. ParseAPI: An application program interface for binary parsing. 2011. URL http://paradyn.org/html/parse0.9-features.html.

[20]

Paradyn Project. shape unstrip. 2011. URL http://paradyn.org/html/tools/unstrip.html.

[21]

N. Rosenblum, X. Zhu, B. Miller, and K. Hunt. Learning to analyze binary computer code. In 23rd conference on Artificial Intellegence (AAAI '08), Chicago, IL, July 2008.

Digital Library

[22]

N. E. Rosenblum, B. P. Miller, and X. Zhu. Extracting compiler provenance from program binaries. In 9th ACM SIGPLAN-SIGSOFT workshop on Program analysis for software tools and engineering (PASTE '10), Toronto, Ontario, Canada, June 2010.

Digital Library

[23]

H. Theiling. Ecxtracting safe and precise control flow from binaries. In 7th Conference on Real-Time Computing Systems and Applications (RTCSA '00), Washington, DC, December 2000.

Digital Library

Cited By

Avitan MRavve EVolkovich Z(2024)Assembly Function Recognition in Embedded Systems as an Optimization ProblemMathematics10.3390/math1205065812:5(658)Online publication date: 23-Feb-2024
https://doi.org/10.3390/math12050658
Jiang MDai QZhang WChang RZhou YLuo XWang RLiu YRen K(2023)A Comprehensive Study on ARM Disassembly ToolsIEEE Transactions on Software Engineering10.1109/TSE.2022.318781149:4(1683-1703)Online publication date: 1-Apr-2023
https://doi.org/10.1109/TSE.2022.3187811
Alrabaee SDebbabi MWang L(2022)A Survey of Binary Code Fingerprinting Approaches: Taxonomy, Methodologies, and FeaturesACM Computing Surveys10.1145/348686055:1(1-41)Online publication date: 17-Jan-2022
https://dl.acm.org/doi/10.1145/3486860
Show More Cited By

Index Terms

Labeling library functions in stripped binaries
1. Software and its engineering
  1. Software creation and management
    1. Software post-development issues
      1. Software reverse engineering

Recommendations

Probabilistic Naming of Functions in Stripped Binaries
ACSAC '20: Proceedings of the 36th Annual Computer Security Applications Conference

Debugging symbols in binary executables carry the names of functions and global variables. When present, they greatly simplify the process of reverse engineering, but they are almost always removed (stripped) for deployment. We present the design and ...
Detecting Variadic Functions in Stripped Binaries from C/C++
Identifying functions in binary code with reverse extended control flow graphs

In binary code analysis, current function identification approaches are challenged by functions without explicit call sites and handcrafted assembly without standard prologues/epilogues. We propose a new function representation called a reverse extended ...

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences

PASTE '11: Proceedings of the 10th ACM SIGPLAN-SIGSOFT workshop on Program analysis for software tools

September 2011

46 pages

ISBN:9781450308496

DOI:10.1145/2024569

Program Chairs:
Jeff Foster
University of Maryland, College Park, USA
,
Lori Pollock
University of Delaware, USA

Copyright © 2011 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

SIGSOFT: ACM Special Interest Group on Software Engineering

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 05 September 2011

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Conference

ESEC/FSE'11

Sponsor:

SIGSOFT

ESEC/FSE'11: Joint Meeting of the European Software Engineering Conference and the ACM SIGSOFT Symposium on the Foundations of Software Engineering

September 5, 2011

Szeged, Hungary

Acceptance Rates

Overall Acceptance Rate 57 of 159 submissions, 36%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

43
Total Citations
View Citations
445
Total Downloads

Downloads (Last 12 months)28
Downloads (Last 6 weeks)0

Reflects downloads up to 03 Nov 2024

Other Metrics

View Author Metrics

Citations

Cited By

Avitan MRavve EVolkovich Z(2024)Assembly Function Recognition in Embedded Systems as an Optimization ProblemMathematics10.3390/math1205065812:5(658)Online publication date: 23-Feb-2024
https://doi.org/10.3390/math12050658
Jiang MDai QZhang WChang RZhou YLuo XWang RLiu YRen K(2023)A Comprehensive Study on ARM Disassembly ToolsIEEE Transactions on Software Engineering10.1109/TSE.2022.318781149:4(1683-1703)Online publication date: 1-Apr-2023
https://doi.org/10.1109/TSE.2022.3187811
Alrabaee SDebbabi MWang L(2022)A Survey of Binary Code Fingerprinting Approaches: Taxonomy, Methodologies, and FeaturesACM Computing Surveys10.1145/348686055:1(1-41)Online publication date: 17-Jan-2022
https://dl.acm.org/doi/10.1145/3486860
Wang XXu XLi QYuan MXue JLee J(2022)Recovering container class types in C++ binariesProceedings of the 20th IEEE/ACM International Symposium on Code Generation and Optimization10.1109/CGO53902.2022.9741274(131-143)Online publication date: 2-Apr-2022
https://dl.acm.org/doi/10.1109/CGO53902.2022.9741274
Koo HPark SKim T(2021)A Look Back on a Function Identification ProblemProceedings of the 37th Annual Computer Security Applications Conference10.1145/3485832.3488018(158-168)Online publication date: 6-Dec-2021
https://dl.acm.org/doi/10.1145/3485832.3488018
Gao HCheng SXue YZhang WCadar CZhang X(2021)A lightweight framework for function name reassignment based on large-scale stripped binariesProceedings of the 30th ACM SIGSOFT International Symposium on Software Testing and Analysis10.1145/3460319.3464804(607-619)Online publication date: 11-Jul-2021
https://dl.acm.org/doi/10.1145/3460319.3464804
Akabane SOkamoto T(2021)Identification of toolchains used to build IoT malware with statically linked librariesProcedia Computer Science10.1016/j.procs.2021.09.291192:C(5130-5138)Online publication date: 1-Jan-2021
https://dl.acm.org/doi/10.1016/j.procs.2021.09.291
Clements AGustafson EScharnowski TGrosen PFritz DKruegel CVigna GBagchi SPayer MCapkun SRoesner F(2020)HALucinatorProceedings of the 29th USENIX Conference on Security Symposium10.5555/3489212.3489280(1201-1218)Online publication date: 12-Aug-2020
https://dl.acm.org/doi/10.5555/3489212.3489280
Byrne ANadgowda SCoskun A(2020)ACEProceedings of the 2020 Sixth International Workshop on Serverless Computing10.1145/3429880.3430098(37-42)Online publication date: 7-Dec-2020
https://dl.acm.org/doi/10.1145/3429880.3430098
David YAlon UYahav E(2020)Neural reverse engineering of stripped binaries using augmented control flow graphsProceedings of the ACM on Programming Languages10.1145/34282934:OOPSLA(1-28)Online publication date: 13-Nov-2020
https://dl.acm.org/doi/10.1145/3428293
Show More Cited By

View Options

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents