itself does not provide enough information about the data relations critical for security
analysts. Typically, security analysts need to construct the data flow relations manually.
We have implemented the cross-platform interactive analysis system in the popular
IDA Pro tool. New features such as symbolic execution, taint tracking, and replay
have been integrated seamlessly with the existing features of IDA Pro. We have evaluated
the new tool on a set of real-world applications with known vulnerabilities, and
demonstrated the effectiveness of the tool.
The remainder of the paper is organized as follows. We provide an overview of our
tool in Section 2, and present the cross-platform symbolic execution engine, called
CBASS, in Section 3. We present the interactive taint analysis engine, called TREE,
in Section 4. We present our experimental evaluation in Section 5, review related work
in Section 6, and then give our conclusions in Section 7.
2 System Overview
The proposed system, shown in Fig. 1, consists of the following subsystems:
- CBASS (Cross-platform Binary Automated Symbolic execution System), which
separates the platform-dependent execution trace generation process from the
platform-independent analysis process.
- TREE (Taint-enabled Reverse Engineering Environment), which provides a unified
replay, debugging, and taint tracking environment, allowing security analysts to
form a hypothesis and then check it interactively.
- Front-end subsystems that support both static processing and dynamic tracing.
They translate native traces from different platforms to the common intermediate
representation (IR) and map the analysis results back.
We provide a brief description of static processing and dynamic tracing in this section,
while postponing CBASS and TREE to Sections 3 and 4, respectively.
Fig. 1. The Architecture of our Cross-platform Interactive Analysis System