Abstract
Binary code reuse is the process of automatically identifying the interface and extracting the instructions and data dependencies of a code fragment from an executable program, so that it is self-contained and can be reused by external code. Binary code reuse is useful for a number of security applications, including reusing the proprietary cryptographic or unpacking functions from a malware sample and for rewriting a network dialog. In this paper we conduct the first systematic study of automated binary code reuse and its security applications. The main challenge in binary code reuse is understanding the code fragment’s interface. We propose a novel technique to identify the prototype of an undocumented code fragment directly from the program’s binary, without access to source code or symbol information. Further, we must also extract the code itself from the binary so that it is self-contained and can be easily reused in another program. We design and implement a tool that uses a combination of dynamic and static analysis to automatically identify the prototype and extract the instructions of an assembly function into a form that can be reused by other C code. The extracted function can be run independently of the rest of the program’s functionality and shared with other users. We apply our approach to scenarios that include extracting the encryption and decryption routines from malware samples, and show that these routines can be reused by a network proxy to decrypt encrypted traffic on the network. This allows the network proxy to rewrite the malware’s encrypted traffic by combining the extracted encryption and decryption functions with the session keys and the protocol grammar. We also show that we can reuse a code fragment from an unpacking function for the unpacking routine for a different sample of the same family, even if the code fragment is not a complete function.
Original language | English (US) |
---|---|
State | Published - 2010 |
Externally published | Yes |
Event | 17th Symposium on Network and Distributed System Security, NDSS 2010 - San Diego, United States Duration: Feb 28 2010 → Mar 3 2010 |
Conference
Conference | 17th Symposium on Network and Distributed System Security, NDSS 2010 |
---|---|
Country/Territory | United States |
City | San Diego |
Period | 2/28/10 → 3/3/10 |
Bibliographical note
Publisher Copyright:© 2010 Proceedings of the Symposium on Network and Distributed System Security, NDSS 2010. All Rights Reserved.