tracelet based code search in executables
play

Tracelet-Based Code Search in Executables Yaniv David & Eran - PowerPoint PPT Presentation

Jun 06, 2023 •157 likes •515 views

Tracelet-Based Code Search in Executables Yaniv David & Eran Yahav Technion,Israel 1 Finding vulnerable apps We can find identical or patched code int patchedFoo() int foo() { int alsoFoo() { { // buffer // buffer //

  1. Tracelet-Based Code Search in Executables Yaniv David & Eran Yahav Technion,Israel 1

  2. Finding vulnerable apps We can find identical or patched code int patchedFoo() int foo() { int alsoFoo() { { … … … // buffer // buffer // buffer // overflow // overflow // overflow … … … printf( … ) printf( … ) if ( … ) {} … … printf( … ) } } … } Where else does this vulnerable function exist? 2

  3. Finding vulnerable apps We can find identical or patched code int patchedFoo() int foo() { int alsoFoo() { { … … … // buffer // buffer // buffer // overflow // overflow What if we don ’ t have the source code? // overflow … … … printf( … ) printf( … ) if ( … ) {} … … printf( … ) } } … } Where else does this vulnerable function exist? 3

  4. binary functions ... mov [esp+18h+var_18],offset aD1 mov ecx,1 mov [esp+18h+var_14], ecx call _printf ... Search in Binaries Function 1 - wc Coreutils 6.12 Function 2 – diff Coreutils 7.15 4

  5. Search engine core Similarity score Measure Similarity • Fast & Scalable • Accurate (low false positives) 5

  6. Challenge1: similarity at the binary level printf( … )@foo(): printf (…)@ patchedFoo(): int patchedFoo() int foo() { { … … // buffer // buffer // overflow // overflow … … printf( … ) if ( … ) {} … printf( … ) … } } 6

  7. Challenge1: similarity at the binary level loc_401370: loc_401358: mov [esp+28h+var_28],offset aD1 mov [esp+18h+var_18],offset aD1 mov ebx,1 mov ecx,1 mov esi,4 mov [esp+18h+var_14], ecx mov [esp+28h+var_24], ebx call _printf call _printf - Offsets in memory - Register allocation - New Instruction 7

  8. Challenge2: similarity between different structures foo’s CFG: patchedFoo ’ s CFG: loc_401370: mov [esp+28h+var_28], offset aD1 mov ebx, 1 loc_401358: mov esi, 4 mov [esp+18h+var_18], offset aD1 mov [esp+28h+var_24], ebx mov ecx, 1 call _printf mov [esp+18h+var_14], ecx call _printf 8

  9. In this talk • A system for searching code in executables – Based on tracelet decomposition of each function – Works by solving a set of alignment and dataflow constraints with minimal violations on tracelets • An evaluation methodology based on tools from Information Retrieval – How do we know that our search engine is good? 9

  10. Our Approach Similarity score Pair tracelets Extract using alignment tracelets and rewrite Deal with structural changes Deal with the code changes 10

  11. Using tracelets to deal with CFG structural changes A tracelet is a fixed length sub-trace A1 A1 A1 For length=3, In this example we get: (A1,A2,A5) A3 A3 A3 mov [esp+18h+var_18], offset aD1 mov [esp+18h+var_18], offset aD1 mov [esp+18h+var_18], offset aD1 mov ecx, 1 mov ecx, 1 mov ecx, 1 (A1,A3,A5) mov [esp+18h+var_14], ecx mov [esp+18h+var_14], ecx mov [esp+18h+var_14], ecx A2 A2 A2 call _printf call _printf call _printf (A3,A4,A5) A4 A4 A4 A5 A5 A5 11

  12. Using tracelets calculate similarity between different structures foo ’ s CFG: patchedFoo ’ s CFG: B1 A1 B1 B1 B1 B3 B3 B3 B3 A3 mov [esp+28h+var_28], offset aD1 mov [esp+28h+var_28], offset aD1 mov [esp+28h+var_28], offset aD1 mov [esp+28h+var_28], offset aD1 mov ebx, 1 mov ebx, 1 mov ebx, 1 mov ebx, 1 mov esi, 4 mov esi, 4 mov esi, 4 mov esi, 4 mov [esp+28h+var_24], ebx mov [esp+28h+var_24], ebx mov [esp+28h+var_24], ebx mov [esp+28h+var_24], ebx B4 B4 B4 B4 B2 B2 B2 B2 call _printf loc_401358: call _printf call _printf call _printf A4 mov [esp+18h+var_18], offset aD1 mov ecx, 1 mov [esp+18h+var_14], ecx A2 call _printf B6 B6 B6 B6 B5 B5 B5 B5 A5 B7 B7 B7 B7 We need to find the corresponding tracelet 12

  13. Comparing tracelets foo ’ s tracelet A1 A1 A1 (1) mov [esp+18h+var_18], offset aD1 mov [esp+18h+var_18], offset aD1 (2) mov ecx, 1 A2 mov ecx, 1 mov [esp+18h+var_14], ecx A2 (3) mov [esp+18h+var_14], ecx A2 loc_401358: call _printf (4) call _printf mov [esp+18h+var_18], offset aD1 mov ecx, 1 mov [esp+18h+var_14], ecx A5 call _printf A5 Edit A5 distance patchedFoo ’ s tracelet: B1 B1 mov [esp+28h+var_28], offset aD1 (1) mov [esp+28h+var_18], offset aD1 mov ebx, 1 (2) mov ecx, 1 B2 B1 mov esi, 4 (X) mov esi, 4 mov [esp+28h+var_24], ebx (3) mov [esp+28h+var_14], ecx B2 B2 call _printf (4) call _printf mov [esp+28h+var_28], offset aD1 mov ebx, 1 B7 B7 mov esi, 4 mov [esp+28h+var_24], ebx call _printf B7 Graph -> Align & RW linear code 13

  14. Dealing with code changes: Align A1 B1 mov [esp+28h+var_28], offset aD1 mov [esp+18h+var_18], offset aD1 mov ebx, 1 mov ecx, 1 mov esi, 4 mov [esp+18h+var_14], ecx A2 mov [esp+28h+var_24], ebx call _printf B2 call _printf A5 B7 Align tracelets using specialized edit-distance A1 B1 (1) mov [esp+18h+var_18], offset aD1 (1) mov [esp+28h+var_28], offset aD1 (2) mov ecx, 1 (2) mov ebx, 1 (X) mov esi, 4 (3) mov [esp+18h+var_14], ecx (3) mov [esp+28h+var_24], ebx A2 B2 (4) call _printf (4) call _printf A5 B7 14

  15. Dealing with code changes: DFA A1 B1 (1) mov [esp+18h+var_18], offset aD1 (1) mov [esp+28h+var_28], offset aD1 (2) mov ecx, 1 (2) mov ebx, 1 (X) mov esi, 4 (3) mov [esp+18h+var_14], ecx (3) mov [esp+28h+var_24], ebx A2 B2 (4) call _printf (4) call _printf A5 B7 Analyze data flow Record live registers A1 B1 (1) mov [esp+18h+var_18], offset aD1 (1) mov [esp+28h+var_28], offset aD1 (2) mov ecx, 1 (2) mov ebx, 1 (X) mov esi, 4 (3) mov [esp+18h+var_14], ecx (3) mov [esp+28h+var_24], ebx A2 B2 (4) call _printf (4) call _printf A5 B7 15

  16. Dealing with code changes: Symbolize A1 B1 (1) mov [esp+18h+var_18], offset aD1 (1) mov [esp+28h+var_28], offset aD1 (2) mov ecx, 1 (2) mov ebx, 1 (X) mov esi, 4 (3) mov [esp+18h+var_14], ecx (3) mov [esp+28h+var_24], ebx A2 B2 (4) call _printf (4) call _printf A5 B7 move to symbolic names B1 A1 (1) mov [esp+18h+var_18], offset aD1 (1) mov [r11 11+28h+m12 12], OF OF13 13 (2) mov ecx, 1 (2) mov r21 21, 1 (X) mov esi, 4 (3) mov [esp+18h+var_14], ecx (3) mov [r31 31+28h+m31 31], r33 33 A2 B2 (4) call _printf (4) call FC FC41 41 B7 A5 16

  17. Dealing with code changes: Solve & Rewrite A1 A1 B1 B1 (1) mov [esp+18h+var_18], offset aD1 (1) mov [esp+18h+var_18], offset aD1 (1) mov [r11 (1) mov [r11+28h+m12], OF13 11+28h+m12 12], OF OF13 13 (2) mov ecx, 1 (2) mov ecx, 1 (2) mov r21 (2) mov r21, 1 21, 1 (X) mov esi, 4 (X) mov esi, 4 (3) mov [esp+18h+var_14], ecx (3) mov [esp+18h+var_14], ecx (3) mov [r31+28h+m32], r33 (3) mov [r31 31+28h+m31 31], r33 33 A2 A2 B2 B2 (4) call _printf (4) call _printf (4) call FC41 (4) call FC FC41 41 A5 A5 B7 B7 Use alignment & DFA Solve them using constraint to create constraints solver with minimal conflicts Data Flow constraints: Alignment constraints: r21=r33; r11=esp;F13= … ; m12=var_18; r11=r31; r21=ecx;e31=esp; m32=var_14; r33=ecx; FC41=_printf; 17

  18. Dealing with code changes: Solve & Rewrite A1 A1 B1 B1 (1) mov [esp+18h+var_18], offset aD1 (1) mov [esp+18h+var_18], offset aD1 (1) mov [r11+28h+m12], OF13 (1) mov [r11 11+28h+m12 12], OF OF13 13 (2) mov ecx, 1 (2) mov ecx, 1 (2) mov r21 (2) mov r21, 1 21, 1 (X) mov esi, 4 (X) mov esi, 4 (3) mov [esp+18h+var_14], ecx (3) mov [esp+18h+var_14], ecx (3) mov [r31 (3) mov [r31+28h+m32], r33 31+28h+m31 31], r33 33 A2 A2 B2 B2 (4) call _printf (4) call _printf (4) call FC (4) call FC41 FC41 41 Distance after rewrite = 1 instruction A5 A5 B7 B7 delete + 2 value changes A1 B1 (1) mov [esp+18h+var_18], offset aD1 (1) mov [esp+28h+var_18], offset aD1 (2) mov ecx, 1 (2) mov ecx, 1 (X) mov esi, 4 (3) mov [esp+18h+var_14], ecx (3) mov [esp+28h+var_14], ecx A2 B2 (4) call _printf (4) call _printf A5 B7 18

  19. Our Approach Similarity score Pair tracelets Extract using alignment tracelets and rewrite Deal with structural changes Deal with the code changes 19

  20. From paired tracelets to function similarity score Ratio Containment 20

  21. Using tracelets calculate similarity between different structures foo ’ s CFG: patchedFoo ’ s CFG: A1 B1 B3 A3 mov [esp+28h+var_28], offset aD1 mov ebx, 1 mov esi, 4 mov [esp+28h+var_24], ebx B4 loc_401358: B2 A4 call _printf mov [esp+18h+var_18], offset aD1 mov ecx, 1 mov [esp+18h+var_14], ecx A2 call _printf B6 B5 A5 B7 (A1,A2,A5)~(B1,B2,B7),(A1,A3,A4)~(B1,B3,B4), (A3,A4,A5)~(B3,B4,B7),(A1,A3,A5) -> “ lost ” 21

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Compilers Algorithms to executables Outline What does compiling mean? - Where do libraries

Compilers Algorithms to executables Outline What does compiling mean? - Where do libraries

Compilers Algorithms to executables Outline What does compiling mean? - Where do libraries come in? Anatomy of a compiler Compiler optimisations Can the compiler parallelise my code? Why are there differences in

877 views • 24 slides
The market, the consumer and the search Code the search Code www.designsonproperty.co.uk Agenda

The market, the consumer and the search Code the search Code www.designsonproperty.co.uk Agenda

The market, the consumer and the search Code the search Code www.designsonproperty.co.uk Agenda Whats happening in the property market now? Future trends Consumer protection What do people need? What do people need?

396 views • 26 slides
Analyzing Memory Accesses in x86 Executables Gogul Balakrishnan Thomas Reps University of

Analyzing Memory Accesses in x86 Executables Gogul Balakrishnan Thomas Reps University of

Analyzing Memory Accesses in x86 Executables Gogul Balakrishnan Thomas Reps University of Wisconsin Motivation Basic infrastructure for language-based security buffer-overrun detection information-flow vulnerabilities . . .

931 views • 39 slides
Compiler CS 449 Executables and gcc Object Linking Preprocessed C source files source

Compiler CS 449 Executables and gcc Object Linking Preprocessed C source files source

Compiler CS 449 Executables and gcc Object Linking Preprocessed C source files source Executable .c cpp cc1 .o ld Preprocessor Compiler Linker Jonathan Misurda jmisurda@cs.pitt.edu Executables Older Executable Formats What

302 views • 3 slides
Process Control processes and executables job control ps and kill top at

Process Control processes and executables job control ps and kill top at

Process Control processes and executables job control ps and kill top at cron, crontab, and calendar Processes vs. Executables A process is a program that is executing in memory. An executable is a program that

533 views • 20 slides
Approaches Based on guided code generation Based on exploring existing code Based on

Approaches Based on guided code generation Based on exploring existing code Based on

Approaches Based on guided code generation Based on exploring existing code Based on spreadsheet interaction Using R for teaching statistics to nonmajors: Comparing experiences of 2.5 different approaches Thomas Baier University of

639 views • 7 slides
Types of Environments Goal Based Agents Plan ahead Fully observable vs. partially

Types of Environments Goal Based Agents Plan ahead Fully observable vs. partially

3/22/2018 Outline CSE 473: Artificial Intelligence Spring 2018 Search Problems Uninformed Search Methods Problem Spaces & Search Depth-First Search Breadth-First Search Uniform-Cost Search Steve Tanimoto Heuristic

210 views • 7 slides
Local and Stochastic Search Some material based on D Lin, B Selman 1 Search Overview

Local and Stochastic Search Some material based on D Lin, B Selman 1 Search Overview

RN, Chapter 4.3 4.4; 7.6 Local and Stochastic Search Some material based on D Lin, B Selman 1 Search Overview Introduction to Search Blind Search Techniques Heuristic Search Techniques Constraint Satisfaction Problems

818 views • 52 slides
Active Inductive Logic Programming for Code Search Aishwarya Sivaraman, Tianyi Zhang, Guy Van den

Active Inductive Logic Programming for Code Search Aishwarya Sivaraman, Tianyi Zhang, Guy Van den

Active Inductive Logic Programming for Code Search Aishwarya Sivaraman, Tianyi Zhang, Guy Van den Broeck, Miryung Kim University of California, Los Angeles Tool and dataset: https://github.com/AishwaryaSivaraman/ALICE-ILP-for-Code-Search

618 views • 51 slides
Active Inductive Logic Programming for Code Search Aishwarya Sivaraman, Tianyi Zhang, Guy Van den

Active Inductive Logic Programming for Code Search Aishwarya Sivaraman, Tianyi Zhang, Guy Van den

Active Inductive Logic Programming for Code Search Aishwarya Sivaraman, Tianyi Zhang, Guy Van den Broeck, Miryung Kim University of California, Los Angeles Tool and dataset: https://github.com/AishwaryaSivaraman/ALICE-ILP-for-Code-Search

607 views • 43 slides
Succeeding at Search A Job Search on Indeed Finding a job on Indeed Start your search Type the

Succeeding at Search A Job Search on Indeed Finding a job on Indeed Start your search Type the

Succeeding at Search A Job Search on Indeed Finding a job on Indeed Start your search Type the words that target what youre Place screenshot here looking for. Include job title, skill or company name. Include city, state or zip code.

296 views • 18 slides
1 Conceptual Example (III): Less formally (II) Or-tree-based Search n If all

1 Conceptual Example (III): Less formally (II) Or-tree-based Search n If all

2.4.3 Or-tree-based Search Formal Definitions (I) Or-tree-based Search Model A = ( S , T ): Basic Idea: n Prob set of problem descriptions If every solution is okay, represent the different n Altern Prob +

190 views • 3 slides
Alias Analysis of Executable Code S. Debray, et al. (POPL 98) Presented by Xin Qi What is

Alias Analysis of Executable Code S. Debray, et al. (POPL 98) Presented by Xin Qi What is

Alias Analysis of Executable Code S. Debray, et al. (POPL 98) Presented by Xin Qi What is Special about Executables We no longer have Types cant do type filtering Structures jump all around We have Pointer

812 views • 18 slides
Uninformed Search (Ch. 3-3.4) 2 Search Goal based agents need to search to find a path from

Uninformed Search (Ch. 3-3.4) 2 Search Goal based agents need to search to find a path from

1 Uninformed Search (Ch. 3-3.4) 2 Search Goal based agents need to search to find a path from their start to the goal (a path is a sequence of actions, not states) For now we consider problem solving agents who search on atomically

739 views • 38 slides
Satsy Input-Output Code Search Engine Carl Chapman Cole Groff Cody Hoover Trevor Lund Kaitlin

Satsy Input-Output Code Search Engine Carl Chapman Cole Groff Cody Hoover Trevor Lund Kaitlin

Satsy Input-Output Code Search Engine Carl Chapman Cole Groff Cody Hoover Trevor Lund Kaitlin McAbee Problem Statement Lots of open-source code is available for use. Instead of rewriting code that already exists, can we search to

444 views • 23 slides
Uninformed Search Alice Gao Lecture 3 Based on work by K. Leyton-Brown, K. Larson, and P. van

Uninformed Search Alice Gao Lecture 3 Based on work by K. Leyton-Brown, K. Larson, and P. van

1/34 Uninformed Search Alice Gao Lecture 3 Based on work by K. Leyton-Brown, K. Larson, and P. van Beek 2/34 Outline Learning Goals Uninformed Search Breadth-First Search Depth-First Search Iterative-Deepening Search Comparing the

732 views • 34 slides
ROCK ISLAND POWERHOUSE 1 B1-B4 Modernization Bid 16-60 Contract Award Recommendation Special

ROCK ISLAND POWERHOUSE 1 B1-B4 Modernization Bid 16-60 Contract Award Recommendation Special

ROCK ISLAND POWERHOUSE 1 B1-B4 Modernization Bid 16-60 Contract Award Recommendation Special Commission Meeting December 30, 2016 1 Need for Special Commission Meeting The lowest price bidder for B1-B4 Unit Modernization has provided an

523 views • 33 slides
Maximizing Student Success: A Guide to Multiple Measures LORI MACDONALD CSU Early Assessment

Maximizing Student Success: A Guide to Multiple Measures LORI MACDONALD CSU Early Assessment

10/4/19 Maximizing Student Success: A Guide to Multiple Measures LORI MACDONALD CSU Early Assessment Program Established to provide students an opportunity to measure their readiness for college-level English and mathematics. EAP uses 11

87 views • 7 slides
Making sense of Public Private Partnerships PPPLab B4 Study: Business Models in Food &

Making sense of Public Private Partnerships PPPLab B4 Study: Business Models in Food &

Making sense of Public Private Partnerships PPPLab B4 Study: Business Models in Food & Water PPPs First findings of 2012 FDOV & FDW project proposals Objectives & Methodology of the study Objectives Generate lessons learned

498 views • 23 slides
Curriculum on Communications L2/B: Organizing Your Thoughts Organizing Your Thoughts Agenda

Curriculum on Communications L2/B: Organizing Your Thoughts Organizing Your Thoughts Agenda

California Cadet Corps Curriculum on Communications L2/B: Organizing Your Thoughts Organizing Your Thoughts Agenda B1. Public Speaking B2. Oral Presentation B3. Effective Writing B4. Creative Writing PUBLIC SPEAKING B1.

607 views • 39 slides
Resonant Double Higgs Production in the Singlet Extended Standard Model at the LHC

Resonant Double Higgs Production in the Singlet Extended Standard Model at the LHC

Resonant Double Higgs Production in the Singlet Extended Standard Model at the LHC arXiv:1701.08774, submitted to PRD Matthew Sullivan, Ian M. Lewis University of Kansas Pheno 2017 Outline 1 Singlet Extended Standard Model 2 The Models

642 views • 20 slides
and public and patient involvement in Canadian drug assessment Katherine Boothe Associate

and public and patient involvement in Canadian drug assessment Katherine Boothe Associate

(Re)defining legitimacy? Expertise and public and patient involvement in Canadian drug assessment Katherine Boothe Associate Professor, Political Science McMaster University boothek@mcmaster.ca Disclosure I have no actual or potential

413 views • 12 slides
Working together for the Early Years, why and where does local government fit in and who is

Working together for the Early Years, why and where does local government fit in and who is

Working together for the Early Years, why and where does local government fit in and who is the B4 Early Years Coalition Who are we and how did we come together? The B4 Early Years Coalition (B4) is a Tasmanian Government initiative

422 views • 7 slides
University of Illinois Parking Department FY20 Parking Rate Increases Parking fiscal management

University of Illinois Parking Department FY20 Parking Rate Increases Parking fiscal management

University of Illinois Parking Department FY20 Parking Rate Increases Parking fiscal management Parking revenue, such as permit and meter fees, citation fines, and event fees, is the only funding source for five parking structures and 150+

305 views • 14 slides

More recommend