CAREER: Advanced Trace-oriented Binary Code Analysis
Abstract
Binary code analysis is very attractive from a security
viewpoint. First, in many tasks such as malware analysis, the source
code of the program under examination is often absent, and the
analysis has to be done on binary code. Second, even when the source code
is available, binary analysis allows us to reason about the real
instructions executed on hardware and avoid the well-known WYSINWYX
problem (What You See Is Not What You Execute). Third, some program
behaviors, such as cache access patterns, are only exhibited in the
low-level code. On the other hand, binary code analysis is faced with
an increasing challenge caused by the emerging, readily available code
obfuscation techniques. Traditional signature-based malware detection
is often problematic as it relies on file hashes and byte (or
instruction) signatures which are not very resilient to obfuscation.
This project tackles the challenge by proposing several advanced
methods that combine techniques from the behavior and semantics
perspectives. Two new concepts, System Call Sliced Segment Equivalence
Checking and N-gram Basic Block Semantics Memoization, are proposed to
achieve better obfuscation resiliency and scalability. Compared with
the existing approaches, these methods are based on the strong
principles of program semantics and logics, more resilient to
automatic obfuscation schemes, and more scalable with the proposed
advanced semantics memoization techniques. In addition, the
application is extended to side-channel detection with a new rigorous
model. Upon completion, the project will make a significant
contribution to binary code analysis in general. It will advance the
state of the art of malware analysis and side-channel detection and
help better defend against cyber attacks, leading to a more secure
cyberspace. Broader impact will also result from the education and
dissemination initiatives.
People
Former Project Members
Press Release
Penn State News: IST professor uses NSF CAREER Award to advance malware detection.
Also see here
Software Release
Publications
-
Unexpected Data Dependency Creation and Chaining: A New Attack to SDN,
by Feng Xiao, Jinquan Zhang*, Jianwei Huang, Guofei Gu, Dinghao Wu, and Peng Liu.
In Proceedings of the 41st IEEE Symposium on Security and Privacy (IEEE S&P 2020),
San Francisco, CA, May 18-20, 2020.
(Accepted)
-
MetaHunt: Towards Taming Malware Mutation via Studying the Evolution of Metamorphic Virus,
by Li Wang*, Dongpeng Xu*, Jiang Ming*, Yu Fu*, and Dinghao Wu.
In Proceedings of the 3rd International Workshop on Software PROtection (SPRO2019),
Co-located with the 26th ACM Conference on Computer and Communications Security,
London, UK, November 11-15, 2019.
(Accepted)
-
Identifying Cache-Based Side Channels through Secret-Augmented Abstract Interpretation,
by Shuai Wang*, Yuyan Bao*, Xiao Liu*, Pei Wang*, Danfeng Zhang, and Dinghao Wu.
In Proceedings of the 28th USENIX Security Symposium (USENIX Security '19),
Santa Clara, CA, August 14-16, 2019.
An extended version is available at arXiv.
-
Xmark: Dynamic Software Watermarking Using Collatz Conjecture,
by Haoyu Ma, Chunfu Jia, Shijia Li, Wantong Zheng, and Dinghao Wu.
IEEE Transactions on Information Forensics and Security,
14(11):577-583,
November, 2019.
-
Automatic Grading of Programming Assignments: An Approach Based on Formal Semantics,
by Xiao Liu*, Shuai Wang*, Pei Wang*, and Dinghao Wu.
In Proceedings of the 41st ACM/IEEE International Conference on Software Engineering (ICSE 2019),
the Software Engineering Education and Training (SEET) track,
Montreal, QC, Canada, 25 May - 31 May 2019.
-
DeepFuzz: Automatic Generation of Syntax Valid C Programs for Fuzz Testing,
by Xiao Liu*, Xiaoting Li*, Rupesh Prajapati*, and Dinghao Wu.
In Proceedings of the Thirty-Third AAAI Conference on Artificial Intelligence (AAAI-19),
Honolulu, Hawaii, USA, January 27 - February 1, 2019.
-
A Lightweight Framework for Regular Expression Verification,
by Xiao Liu*, Yufei Jiang*, and Dinghao Wu.
In Proceedings of the 19th IEEE International Symposium on High Assurance Systems Engineering (HASE 2019),
Hangzhou, China, January 3-5, 2019.
Best Paper Award.
-
Field Experience with Obfuscating Million-User iOS Apps in Large Enterprise Mobile Development,
by Pei Wang*, Dinghao Wu, Zhaofeng Chen, and Tao Wei.
Software: Practice and Experience, 2018.
-
Large-scale Third-party Library Detection in Android Markets,
by Menghao Li, Pei Wang*, Wei Wang, Shuai Wang*, Dinghao Wu, Jian Liu, Rui Xue, Wei Huo, and Wei Zou.
IEEE Transactions on Software Engineering (TSE), 2018.
-
VMHunt: A Verifiable Approach to Partially-Virtualized Binary Code Simplification,
by Dongpeng Xu*, Jiang Ming*, Yu Fu*, and Dinghao Wu.
In Proceedings of the 25th ACM Conference on Computer and Communications Security (CCS 2018),
Toronto, Canada, October 15-19, 2018.
-
RedDroid: Android Application Redundancy Customization Based on Static Analysis,
by Yufei Jiang*, Qinkun Bao*, Shuai Wang*, Xiao Liu*, and Dinghao Wu.
In Proceedings of the 29th IEEE International Symposium on Software Reliability Engineering (ISSRE 2018),
Memphis, TN, October 15-18, 2018.
-
Software Protection on the Go: A Large-Scale Empirical Study on Mobile App Obfuscation,
by Pei Wang*, Qinkun Bao*, Li Wang*, Shuai Wang*, Zhaofeng Chen, Tao Wei, and Dinghao Wu.
In Proceedings of the 40th International Conference on Software Engineering (ICSE 2018),
Gothenburg, Sweden, May 27 - June 3, 2018. (Acceptance rate: 105/502 = 20.9%)
-
Protecting Million-User iOS Apps with Obfuscation: Motivations, Pitfalls, and Experience,
by Pei Wang*, Dinghao Wu, Zhaofeng Chen, and Tao Wei.
In Proceedings of the 40th International Conference on Software Engineering (ICSE 2018),
Software Engineering in Practice (SEIP) Track,
Gothenburg, Sweden, May 27 - June 3, 2018.
-
In-Memory Fuzzing for Binary Code Similarity Analysis,
by Shuai Wang* and Dinghao Wu.
In Proceedings of the 32nd IEEE/ACM International Conference on Automated Software Engineering (ASE 2017),
Urbana Champaign, Illinois, USA, October 30 - November 3, 2017.
(Acceptance rate 65/314=20.7%)
-
Binary Code Retrofitting and Hardening Using SGX,
by Shuai Wang*, Wenhao Wang, Qinkun Bao*, Pei Wang*, XiaoFeng Wang, and Dinghao Wu.
In Proceedings of the Second Workshop on Forming an Ecosystem Around Software Transformation (FEAST 2017), co-located with CCS 2017,
Dallas, USA, November 3, 2017.
-
Automated Synthesis of Access Control Lists,
by Xiao Liu*, Brett Holden*, and Dinghao Wu.
In Proceedings of the 3rd International Conference on Software Security and Assurance (ICSSA 2017),
Altoona, Pennsylvania, USA,
July 24-25, 2017.
Best Paper Award.
-
Lambda Obfuscation,
by Pengwei Lan*, Pei Wang*, Shuai Wang*, and Dinghao Wu.
In Proceedings of the 13th EAI International Conference on Security and Privacy in Communication Networks (SecureComm 2017),
Niagara Falls, Canada,
October 22-25, 2017.
-
Turing Obfuscation,
by Yan Wang*, Shuai Wang*, Pei Wang*, and Dinghao Wu.
In Proceedings of the 13th EAI International Conference on Security and Privacy in Communication Networks (SecureComm 2017),
Niagara Falls, Canada,
October 22-25, 2017.
-
SecControl: Bridging the Gap Between Security Tools and SDN Controllers,
by Li Wang* and Dinghao Wu.
In Workshop on Applications and Techniques in Cyber Security (ATCS), co-located with the 13th EAI International Conference on Security and Privacy in Communication Networks (SecureComm 2017),
Niagara Falls, Canada,
October 22-25, 2017.
-
Semantics-Aware Machine Learning for Function Recognition in Binary Code,
by Shuai Wang*, Pei Wang*, and Dinghao Wu.
In Proceedings of the 33rd IEEE International Conference on Software Maintenance and Evolution (ICSME 2017),
Shanghai, China. September 17-24, 2017.
-
Composite Software Diversification,
by Shuai Wang*, Pei Wang*, and Dinghao Wu.
In Proceedings of the 33rd IEEE International Conference on Software Maintenance and Evolution (ICSME 2017),
Shanghai, China. September 17-24, 2017.
-
BinSim: Trace-based Semantic Binary Diffing via System Call Sliced Segment Equivalence Checking,
by Jiang Ming*, Dongpeng Xu*, Yufei Jiang*, and Dinghao Wu.
In Proceedings of the 26th USENIX Security Symposium,
Vancouver, BC, Canada, August 16-18, 2017.
(Acceptance rate 85/522=16.3%)
-
CacheD: Identifying Cache-Based Timing Channels in Production Software,
by Shuai Wang*, Pei Wang*, Xiao Liu*, Danfeng Zhang, and Dinghao Wu.
In Proceedings of the 26th USENIX Security Symposium,
Vancouver, BC, Canada, August 16-18, 2017.
(Acceptance rate 85/522=16.3%)
-
A Lightweight Framework for Regex Verification,
by Xiao Liu and Dinghao Wu (advisor).
Bronze Medal, the ACM Graduate Student Research Competition at PLDI'17,
Barcelona, Spain. June 2017.
-
Cryptographic Function Detection in Obfuscated Binaries via Bit-precise Symbolic Loop Mapping,
by Dongpeng Xu*, Jiang Ming*, and Dinghao Wu.
In Proceedings of the 38th IEEE Symposium on Security and Privacy (IEEE S&P 2017),
San Jose, CA, May 22-24, 2017. (Acceptance rate 60/450=13.3%)
-
LibD: Scalable and Precise Third-party Library Detection in Android Markets,
by Menghao Li, Wei Wang, Pei Wang*, Shuai Wang*, Dinghao Wu, Jian Liu, Rui Xue, and Wei Huo.
In Proceedings of the 39th ACM/IEEE International Conference on Software Engineering (ICSE 2017),
Buenos Aires, Argentina, May 20-28, 2017.
(Acceptance rate: 16.4%)
-
Adaptive Unpacking of Android Apps,
by Lei Xue, Xiapu Luo, Le Yu, Shuai Wang, and Dinghao Wu.
In Proceedings of the 39th ACM/IEEE International Conference on Software Engineering (ICSE 2017),
Buenos Aires, Argentina, May 20-28, 2017.
(Acceptance rate: 16.4%)
-
Semantics-Based Obfuscation-Resilient Binary Code Similarity Comparison with Applications to Software and Algorithm Plagiarism Detection,
by Lannan Luo†, Jiang Ming*, Dinghao Wu, Peng Liu, and Sencun Zhu.
IEEE Transactions on Software Engineering, 43(12), December 2017.
A preliminary version appeared in
Proceedings of the 22nd ACM SIGSOFT International Symposium on the Foundations of Software Engineering (FSE 2014).
-
MalwareHunt: Semantics-Based Malware Diffing Speedup by Normalized Basic Block Memoization,
by Jiang Ming*, Dongpeng Xu*, and Dinghao Wu.
Journal of Computer Virology and Hacking Techniques, 13(3), August 2017. (First online May 17, 2016).
A preliminary version appeared in
Proceedings of the 30th IFIP SEC 2015 International Information Security and Privacy Conference (IFIP SEC 2015).
-
Impeding Behavior-based Malware Analysis via Replacement Attacks to Malware Specifications,
by Jiang Ming*, Zhi Xin, Pengwei Lan*, Dinghao Wu, Peng Liu, and Bing Mao.
Journal of Computer Virology and Hacking Techniques, 13(3), August 2017. (First online May 31, 2016).
A preliminary version appeared in
Proceedings of the 13th International Conference on Applied Cryptography and Network Security (ACNS 2015).
Sponsor
National Science Foundation (NSF) — Secure and Trustworthy Cyberspace (SaTC)
CAREER: Advanced Trace-oriented Binary Code Analysis,
Dinghao Wu (PI),
National Science Foundation (NSF) CNS-1652790, $494,703, 2017-2022.