Dynamic Analysis and Debugging of Binary Code
for Security Applications
Lixin Li 1 and Chao Wang 2
1 Battelle Memorial Institute, Arlington, Virginia, USA
2 Department of ECE, Virginia Tech, Blacksburg, Virginia, USA
Abstract. Dynamic analysis techniques have made a significant impact in security practice, e.g. by automating some of the most tedious processes in detecting vulnerabilities. However, a significant gap remains between existing software tools and what many security applications demand. In this paper, we present our work on developing a cross-platform interactive analysis tool, which leverages techniques such as symbolic execution and taint tracking to analyze binary code on a range of platforms. The tool builds upon IDA, a popular reverse engineering platform, and provides a unified analysis engine to handle various instruction sets and operating systems. We have evaluated the tool on a set of real-world applications and shown that it can help identify the root causes of security vulnerabilities quickly.
1 Introduction
Dynamic and symbolic execution based techniques have made a significant impact on analyzing binary code, e.g. by helping to automate some of the most tedious and yet non-trivial analyses in security practice. One example is white-box fuzzing [1], where the goal is to systematically generate test inputs that exercise all feasible program paths. Another example is taint analysis [2], where the goal is to track how tainted inputs propagate and trigger security vulnerabilities. In addition, these techniques have been used to detect a broad class of zero-day attacks [3,4] and to generate vulnerability signatures [5] in a honey-pot.
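To make the taint-analysis idea above concrete, here is an added example (not code from the paper or from the authors' IDA-based tool) of a minimal dynamic taint tracker. It replays a constructed, three-address-style instruction trace rather than real machine code: every byte of an attacker-controlled input buffer receives its own label, labels propagate through register moves, arithmetic and memory, and an alert is raised when a tainted value reaches a sink, here the target register of an indirect jump. The opcodes, register names, addresses and the four-byte input are all constructed for the illustration.

```python
from dataclasses import dataclass, field

# Constructed sample input: imagine these four bytes arrived from the network.
SAMPLE_INPUT = bytes([0x10, 0x00, 0x40, 0x00])
INPUT_BASE = 0x1000   # constructed address of the input buffer


@dataclass
class Machine:
    """Concrete state plus a taint-label set per register and per byte of memory."""
    regs: dict = field(default_factory=dict)       # reg -> concrete int
    mem: dict = field(default_factory=dict)        # addr -> concrete byte
    reg_taint: dict = field(default_factory=dict)  # reg -> set of labels
    mem_taint: dict = field(default_factory=dict)  # addr -> set of labels

    def value(self, x):
        """Concrete value of an immediate or a register (unset registers read as 0)."""
        return x if isinstance(x, int) else self.regs.get(x, 0)

    def taint(self, x):
        """Immediates are never tainted; registers carry whatever labels reached them."""
        return set() if isinstance(x, int) else self.reg_taint.get(x, set())


def run_trace(trace, data=SAMPLE_INPUT, base=INPUT_BASE):
    """Replay a constructed trace, propagate taint, and return sink alerts."""
    m = Machine()
    for i, b in enumerate(data):            # taint source: each input byte gets label in[i]
        m.mem[base + i] = b
        m.mem_taint[base + i] = {f"in[{i}]"}
    alerts = []
    for pc, ins in enumerate(trace):
        op, args = ins[0], ins[1:]
        if op == "mov":                     # mov dst, src      (src is a register or immediate)
            dst, src = args
            m.regs[dst] = m.value(src)
            m.reg_taint[dst] = set(m.taint(src))
        elif op == "add":                   # add dst, a, b     result depends on both operands
            dst, a, b = args
            m.regs[dst] = (m.value(a) + m.value(b)) & 0xFFFFFFFF
            m.reg_taint[dst] = m.taint(a) | m.taint(b)
        elif op == "load":                  # load dst, [addr_reg]
            dst, addr_reg = args
            addr = m.value(addr_reg)
            m.regs[dst] = m.mem.get(addr, 0)
            # Design choice: a tainted address also taints the loaded value, since the
            # input then decides which memory cell is read (address-taint propagation).
            m.reg_taint[dst] = set(m.mem_taint.get(addr, set())) | m.taint(addr_reg)
        elif op == "store":                 # store [addr_reg], src
            addr_reg, src = args
            addr = m.value(addr_reg)
            m.mem[addr] = m.value(src) & 0xFF
            m.mem_taint[addr] = set(m.taint(src))
        elif op == "jmp":                   # jmp reg           indirect jump: the sink
            (target,) = args
            if m.taint(target):
                alerts.append({"pc": pc, "reg": target, "labels": sorted(m.taint(target))})
        else:
            raise ValueError(f"unknown op {op!r} at trace index {pc}")
    return alerts


# Constructed trace: the first input byte is read, added to a table base and used as a
# jump target (tainted), a constant jump follows (clean), then the same byte round-trips
# through memory before reaching a second indirect jump (tainted again).
SAMPLE_TRACE = [
    ("mov", "r0", INPUT_BASE),
    ("load", "r1", "r0"),
    ("mov", "r2", 0x4000),
    ("add", "r3", "r2", "r1"),
    ("jmp", "r3"),
    ("mov", "r4", 0x2000),
    ("jmp", "r4"),
    ("mov", "r5", 0x3000),
    ("store", "r5", "r1"),
    ("load", "r6", "r5"),
    ("add", "r7", "r6", 1),
    ("jmp", "r7"),
]

if __name__ == "__main__":
    for a in run_trace(SAMPLE_TRACE):
        print(f"trace[{a['pc']}]: indirect jump via {a['reg']} controlled by {a['labels']}")
```

The per-byte labels are what make the result actionable: instead of a boolean "tainted", the alert names which input offsets reach the sink, which is exactly the information an analyst needs when refining an input along a path to judge exploitability. Real tools such as the one described in this paper have to add what this toy omits, including implicit flows through branches, taint through x86 flags and partial-register writes, and the instruction-set decoding itself.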
Despite the aforementioned progress, however, there are major limitations in existing techniques that prevent them from being widely adopted. First, there is a lack of support for interactive analysis. Current research on dynamic binary analysis focuses primarily on fully automated methods, which are undoubtedly important for applications such as software testing. However, security applications such as malware analysis and exploitation analysis often cannot be fully automated. Although automated analysis can serve as the starting point of another round of deeper analysis, a human in the loop is still indispensable. For example, an exhaustive white-box fuzzer can merely exercise all feasible program paths and identify the necessary conditions to trigger software bugs, but it cannot decide whether the bugs are exploitable. To decide whether a bug is exploitable, the user needs to refine the input along that path to decide whether it is a security vulnerability. During this process, tools that support interactive analysis would be useful.
Second, existing tools lack support for cross-platform analysis. This is a burning issue as well, because software today runs on an increasingly diverse set