Binary Code Reverse Engineering and Retrofitting
Overview
Binary code analysis and retrofitting are imperative in scenarios where source code is not available.
For example, much legacy code is still in use today in the government and financial sectors, as
software life cycles can span several decades.
A major obstacle to binary-code-based retrofitting is the immaturity of reverse engineering tools.
Current approaches to retrofitting legacy software systems, which are mostly based on binary code
patching, have a number of drawbacks, including performance overhead and security issues, and are
therefore generally inadequate. To the best of our knowledge, there are no binary reverse engineering
tools that can disassemble a binary executable into assembly code that can be reassembled back
in a fully automated manner, even for simple "Hello, World!" programs, especially when the binaries
are commercial-off-the-shelf (COTS) software, which contains very little symbol and
relocation information. Traditional tools do not focus on reassembleability or recompilability;
instead they focus on recovering as much information as possible for analysis (and manual transformation).
The recovered assembly or high-level code is mostly intended for program analysis and understanding.
The fact that reverse engineered code cannot be reassembled or recompiled back into executables
has severely restricted the application of reverse engineering techniques to legacy software
retrofitting. The analysis and transformation tools and ecosystems are disconnected and fragmented.
Connecting the dots between these tools, infrastructures, and ecosystems will have a great
impact on software analysis and retrofitting. Recompilability is one of the main barriers that has
led to this fragmented ecosystem.
To fill this gap, we propose a radically different approach. We consider recompilability
the first and topmost goal, without compromise, and treat other goals as secondary or
best effort (relative to the first goal). This is in sharp contrast to traditional reverse
engineering approaches, which do not focus on recompilability. Our preliminary study on reassembleable
disassembling, as demonstrated by our prototype Uroboros, achieves the goal of reassembleability.
We will develop the reverse engineering, analysis, and retrofitting infrastructure further,
with the same design goal of preserving recompilability.
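The step that makes the overview's goal hard is symbolization: in a stripped binary there is no relocation or symbol table, so the disassembler itself must decide which immediates and data words are addresses (and turn them into labels the assembler can recompute) and which are plain constants (which must stay literal). The toy pass below, added here as an illustration and not code from this page or from Uroboros, runs that decision over a constructed section layout, instruction list and data words; the addresses, section sizes and the assumption that branch targets are already absolute are all made up for the example.

```python
"""Toy symbolization pass, the core step that makes disassembly reassembleable.

Constructed illustration, not Uroboros's code.  A stripped COTS binary carries
no relocation or symbol table, so a disassembler that wants output an
assembler can re-link must decide, for every immediate operand and every data
word, whether it is a plain constant or an address into the binary.  Addresses
become labels (so the assembler recomputes them after instrumentation moves
things around); constants stay literal.  The section layout, instructions and
data words below are made up; absolute branch targets are assumed to have
already been resolved by the disassembler.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Section:
    name: str
    start: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.start <= addr < self.start + self.size


@dataclass(frozen=True)
class Insn:
    addr: int
    mnemonic: str
    operands: tuple  # immediates are hex strings such as "0x601008"


# Constructed layout: a small .text and .data at typical non-PIE x86-64 addresses.
SECTIONS = (Section(".text", 0x400000, 0x100), Section(".data", 0x601000, 0x40))

CODE = (
    Insn(0x400000, "mov", ("eax", "0x601008")),  # code -> data reference
    Insn(0x400005, "mov", ("ecx", "0x40")),      # plain constant, must stay literal
    Insn(0x40000A, "call", ("0x400020",)),       # code -> code reference
    Insn(0x40000F, "ret", ()),
    Insn(0x400020, "jmp", ("0x400000",)),        # code -> code back edge
)

DATA = (  # (address, 8-byte value) pairs in .data
    (0x601000, 0x400020),  # data -> code: a function pointer
    (0x601008, 0x2A),      # plain integer
    (0x601010, 0x601008),  # data -> data: pointer into .data
)


def label(addr: int) -> str:
    return f"S_{addr:x}"


def symbolize(code, data, sections):
    """Return (asm_lines, unresolved).

    Every immediate or data word whose value falls inside a section is
    rewritten as a label, and a label definition is emitted at that address.
    A referenced address that is not an instruction or data-word boundary
    goes into `unresolved`: either the value was a constant that merely
    looks like an address (a false positive this range check cannot rule
    out) or the disassembly itself is wrong, and the output is not safe to
    reassemble until that is settled.
    """
    referenced = set()

    def sym(tok: str) -> str:
        if not tok.startswith("0x"):
            return tok  # register or other non-immediate operand
        value = int(tok, 16)
        if not any(s.contains(value) for s in sections):
            return tok  # immediate outside every section: a literal constant
        referenced.add(value)
        return label(value)

    text_lines = [(i.addr, f"{i.mnemonic} {', '.join(sym(o) for o in i.operands)}".rstrip())
                  for i in code]
    data_lines = [(addr, f".quad {sym(f'0x{val:x}')}") for addr, val in data]

    boundaries = {a for a, _ in text_lines} | {a for a, _ in data_lines}
    unresolved = referenced - boundaries

    out = [".text"]
    for addr, line in text_lines:
        if addr in referenced:
            out.append(f"{label(addr)}:")
        out.append(f"    {line}")
    out.append(".data")
    for addr, line in data_lines:
        if addr in referenced:
            out.append(f"{label(addr)}:")
        out.append(f"    {line}")
    return out, unresolved


if __name__ == "__main__":
    lines, unresolved = symbolize(CODE, DATA, SECTIONS)
    print("\n".join(lines))
    print("unresolved:", sorted(map(hex, unresolved)))
```

In the emitted assembly every cross reference is a label, so inserting an instrumentation stub anywhere in `.text` and reassembling yields a binary whose `call`, `jmp`, data pointer and function-pointer table still point at the right places. The range check alone is only a heuristic: a constant that happens to fall inside a section (the value 0x40 here does not, but a larger one could) would be mislabelled, which is why the pass reports references that land off an instruction or data boundary instead of silently emitting a label for them.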
People
Former Project Members
Press Release
ONR press release about our work on JRed.
Others see here
Software Release
Publications
-
Unexpected Data Dependency Creation and Chaining: A New Attack to SDN,
by Feng Xiao, Jinquan Zhang*, Jianwei Huang, Guofei Gu, Dinghao Wu, and Peng Liu.
In Proceedings of the 41st IEEE Symposium on Security and Privacy (IEEE S&P 2020),
San Francisco, CA, May 18-20, 2020.
(Accepted)
-
MetaHunt: Towards Taming Malware Mutation via Studying the Evolution of Metamorphic Virus,
by Li Wang*, Dongpeng Xu*, Jiang Ming*, Yu Fu*, and Dinghao Wu.
In Proceedings of the 3rd International Workshop on Software PROtection (SPRO2019),
Co-located with the 26th ACM Conference on Computer and Communications Security,
London, UK November 11-15, 2019.
(Accepted)
-
Identifying Cache-Based Side Channels through Secret-Augmented Abstract Interpretation,
by Shuai Wang*, Yuyan Bao*, Xiao Liu*, Pei Wang*, Danfeng Zhang, and Dinghao Wu.
In Proceedings of the 28th USENIX Security Symposium (USENIX Security '19),
Santa Clara, CA, August 14-16, 2019.
An extended version is available at arXiv.
-
Xmark: Dynamic Software Watermarking Using Collatz Conjecture,
by Haoyu Ma, Chunfu Jia, Shijia Li, Wantong Zheng, and Dinghao Wu.
IEEE Transactions on Information Forensics and Security,
14(11):577-583,
November, 2019.
-
Automatic Grading of Programming Assignments: An Approach Based on Formal Semantics,
by Xiao Liu*, Shuai Wang*, Pei Wang*, and Dinghao Wu.
In Proceedings of the 41st ACM/IEEE International Conference on Software Engineering (ICSE 2019),
the Software Engineering Education and Training (SEET) track,
Montreal, QC, Canada, 25 May - 31 May 2019.
-
DeepFuzz: Automatic Generation of Syntax Valid C Programs for Fuzz Testing,
by Xiao Liu*, Xiaoting Li*, Rupesh Prajapati*, and Dinghao Wu.
In Proceedings of the Thirty-Third AAAI Conference on Artificial Intelligence (AAAI-19),
Honolulu, Hawaii, USA, January 27 - February 1, 2019.
-
A Lightweight Framework for Regular Expression Verification,
by Xiao Liu*, Yufei Jiang*, and Dinghao Wu.
In Proceedings of the 19th IEEE International Symposium on High Assurance Systems Engineering (HASE 2019),
Hangzhou, China, January 3-5, 2019.
Best Paper Award.
-
Field Experience with Obfuscating Million-User iOS Apps in Large Enterprise Mobile Development,
by Pei Wang*, Dinghao Wu, Zhaofeng Chen, and Tao Wei.
Software: Practice and Experience, 2018.
-
Large-scale Third-party Library Detection in Android Markets,
by Menghao Li, Pei Wang*, Wei Wang, Shuai Wang*, Dinghao Wu, Jian Liu, Rui Xue, Wei Huo, and Wei Zou.
IEEE Transactions on Software Engineering (TSE), 2018.
-
VMHunt: A Verifiable Approach to Partially-Virtualized Binary Code Simplification,
by Dongpeng Xu*, Jiang Ming*, Yu Fu*, and Dinghao Wu.
In Proceedings of the 25th ACM Conference on Computer and Communications Security (CCS 2018),
Toronto, Canada, October 15-19, 2018.
-
RedDroid: Android Application Redundancy Customization Based on Static Analysis,
by Yufei Jiang*, Qinkun Bao*, Shuai Wang*, Xiao Liu*, and Dinghao Wu.
In Proceedings of the 29th IEEE International Symposium on Software Reliability Engineering (ISSRE 2018),
Memphis, TN, October 15-18, 2018.
-
Software Protection on the Go: A Large-Scale Empirical Study on Mobile App Obfuscation,
by Pei Wang*, Qinkun Bao*, Li Wang*, Shuai Wang*, Zhaofeng Chen, Tao Wei, and Dinghao Wu.
In Proceedings of the 40th International Conference on Software Engineering (ICSE 2018),
Gothenburg, Sweden, May 27 - June 3, 2018. (Acceptance rate: 105/502 = 20.9%)
-
Protecting Million-User iOS Apps with Obfuscation: Motivations, Pitfalls, and Experience,
by Pei Wang*, Dinghao Wu, Zhaofeng Chen, and Tao Wei.
In Proceedings of the 40th International Conference on Software Engineering (ICSE 2018),
Software Engineering in Practice (SEIP) Track,
Gothenburg, Sweden, May 27 - June 3, 2018.
-
In-Memory Fuzzing for Binary Code Similarity Analysis,
by Shuai Wang* and Dinghao Wu.
In Proceedings of the 32nd IEEE/ACM International Conference on Automated Software Engineering (ASE 2017),
Urbana-Champaign, Illinois, USA, October 30 - November 3, 2017.
(Acceptance rate 65/314=20.7%)
-
Binary Code Retrofitting and Hardening Using SGX,
by Shuai Wang*, Wenhao Wang, Qinkun Bao*, Pei Wang*, XiaoFeng Wang, and Dinghao Wu.
In Proceedings of the Second Workshop on Forming an Ecosystem Around Software Transformation (FEAST 2017), co-located with CCS 2017,
Dallas, USA, November 3, 2017.
-
Automated Synthesis of Access Control Lists,
by Xiao Liu*, Brett Holden*, and Dinghao Wu.
In Proceedings of the 3rd International Conference on Software Security and Assurance (ICSSA 2017),
Altoona, Pennsylvania, USA,
July 24-25, 2017.
Best Paper Award.
-
Lambda Obfuscation,
by Pengwei Lan*, Pei Wang*, Shuai Wang*, and Dinghao Wu.
In Proceedings of the 13th EAI International Conference on Security and Privacy in Communication Networks (SecureComm 2017),
Niagara Falls, Canada,
October 22-25, 2017.
-
Turing Obfuscation,
by Yan Wang*, Shuai Wang*, Pei Wang*, and Dinghao Wu.
In Proceedings of the 13th EAI International Conference on Security and Privacy in Communication Networks (SecureComm 2017),
Niagara Falls, Canada,
October 22-25, 2017.
-
SecControl: Bridging the Gap Between Security Tools and SDN Controllers,
by Li Wang* and Dinghao Wu.
In Workshop on Applications and Techniques in Cyber Security (ATCS), co-located with the 13th EAI International Conference on Security and Privacy in Communication Networks (SecureComm 2017),
Niagara Falls, Canada,
October 22-25, 2017.
-
Semantics-Aware Machine Learning for Function Recognition in Binary Code,
by Shuai Wang*, Pei Wang*, and Dinghao Wu.
In Proceedings of the 33rd IEEE International Conference on Software Maintenance and Evolution (ICSME 2017),
Shanghai, China, September 17-24, 2017.
-
Composite Software Diversification,
by Shuai Wang*, Pei Wang*, and Dinghao Wu.
In Proceedings of the 33rd IEEE International Conference on Software Maintenance and Evolution (ICSME 2017),
Shanghai, China, September 17-24, 2017.
-
BinSim: Trace-based Semantic Binary Diffing via System Call Sliced Segment Equivalence Checking,
by Jiang Ming, Dongpeng Xu, Yufei Jiang, and Dinghao Wu.
In Proceedings of the 26th USENIX Security Symposium,
Vancouver, BC, Canada, August 16-18, 2017.
(Acceptance rate: 85/522 = 16.3%)
-
CacheD: Identifying Cache-Based Timing Channels in Production Software,
by Shuai Wang, Pei Wang, Xiao Liu, Danfeng Zhang, and Dinghao Wu.
In Proceedings of the 26th USENIX Security Symposium,
Vancouver, BC, Canada, August 16-18, 2017.
(Acceptance rate: 85/522 = 16.3%)
-
Cryptographic Function Detection in Obfuscated Binaries via Bit-precise Symbolic Loop Mapping,
by Dongpeng Xu, Jiang Ming, and Dinghao Wu.
In Proceedings of the 38th IEEE Symposium on Security and Privacy,
San Jose, CA, May 22-24, 2017. (Acceptance rate 60/450=13.3%)
-
LibD: Scalable and Precise Third-party Library Detection in Android Markets,
by Menghao Li, Wei Wang, Pei Wang, Shuai Wang, Dinghao Wu, Jian Liu, Rui Xue, and Wei Huo.
In Proceedings of the 39th ACM/IEEE International Conference on Software Engineering (ICSE 2017),
Buenos Aires, Argentina, May 20-28, 2017.
(Acceptance rate: 16.4%)
-
Adaptive Unpacking of Android Apps,
by Lei Xue, Xiapu Luo, Le Yu, Shuai Wang, and Dinghao Wu.
In Proceedings of the 39th ACM/IEEE International Conference on Software Engineering (ICSE 2017),
Buenos Aires, Argentina, May 20-28, 2017.
(Acceptance rate: 16.4%)
-
Semantics-Based Obfuscation-Resilient Binary Code Similarity Comparison with Applications to Software and Algorithm Plagiarism Detection,
by Lannan Luo†, Jiang Ming, Dinghao Wu, Peng Liu, and Sencun Zhu.
IEEE Transactions on Software Engineering,
2017.
A preliminary version appeared in
Proceedings of the 22nd ACM SIGSOFT International Symposium on the Foundations of Software Engineering (FSE 2014).
-
StraightTaint: Decoupled Offline Symbolic Taint Analysis,
by Jiang Ming, Dinghao Wu, Jun Wang, Gaoyao Xiao, and Peng Liu.
In Proceedings of the 31st IEEE/ACM International Conference on Automated Software Engineering (ASE 2016),
Singapore, September 3-7, 2016.
(Acceptance rate: 19.1%)
-
BinCFP: Efficient Multi-threaded Binary Code Control Flow Profiling,
by Jiang Ming and Dinghao Wu.
In Proceedings of the 16th IEEE International Working Conference on Source Code Analysis and Manipulation, Engineering Track, (SCAM 2016),
Raleigh, NC, USA, October 2-3, 2016.
-
Generalized Dynamic Opaque Predicates: A New Control Flow Obfuscation Method,
by Dongpeng Xu, Jiang Ming, and Dinghao Wu.
In Proceedings of the 19th Information Security Conference (ISC '16), Honolulu, Hawaii, USA, September 7-9, 2016.
-
JRed: Program Customization and Bloatware Mitigation based on Static Analysis,
by Yufei Jiang, Dinghao Wu, and Peng Liu.
In Proceedings of the 40th IEEE Computer Society International Conference on Computers, Software & Applications (COMPSAC 2016),
Atlanta, Georgia, USA,
June 10-14, 2016.
(Acceptance rate: 18%)
-
Translingual Obfuscation,
by Pei Wang, Shuai Wang, Jiang Ming, Yufei Jiang, and Dinghao Wu.
In Proceedings of the 1st IEEE European Symposium on Security and Privacy (Euro S&P 2016),
Saarbrücken, Germany,
March 21-24, 2016.
(Acceptance rate: 29/168 = 17.3%)
An extended version is available at arXiv.
-
Uroboros: Instrumenting Stripped Binaries with Static Reassembling,
by Shuai Wang, Pei Wang, and Dinghao Wu.
In Proceedings of the 23rd IEEE International Conference on Software Analysis, Evolution, and Reengineering (SANER 2016),
Osaka, Japan,
March 14-16, 2016.
-
Feature-based Software Customization: Preliminary Analysis, Formalization, and Methods,
by Yufei Jiang, Can Zhang, Dinghao Wu, and Peng Liu.
In Proceedings of the 17th IEEE High Assurance Systems Engineering Symposium (HASE 2016),
Orlando, Florida, USA,
January 7-9, 2016.
-
LOOP: Logic-Oriented Opaque Predicate Detection in Obfuscated Binary Code,
by Jiang Ming, Dongpeng Xu, Li Wang, and Dinghao Wu.
In Proceedings of the 22nd ACM Conference on Computer and Communications Security (CCS 2015),
Denver, Colorado, USA,
October 12-16, 2015.
(Acceptance rate: 128/646 = 19.8%)
Open source software release.
-
Reassembleable Disassembling,
by Shuai Wang, Pei Wang, and Dinghao Wu.
In Proceedings of the 24th USENIX Security Symposium, Washington, D.C., August 12-14, 2015.
(Acceptance rate: 67/426 = 15.7%)
Open source software release.
-
TaintPipe: Pipelined Symbolic Taint Analysis,
by Jiang Ming, Dinghao Wu, Gaoyao Xiao, Jun Wang, and Peng Liu.
In Proceedings of the 24th USENIX Security Symposium, Washington, D.C., August 12-14, 2015.
(Acceptance rate: 67/426 = 15.7%)
-
A Preliminary Analysis and Case Study of Feature-based Software Customization (Extended Abstract),
by Yufei Jiang, Can Zhang, Dinghao Wu, and Peng Liu.
In Proceedings of the 2015 IEEE International Conference on Software Quality, Reliability and Security (QRS 2015),
Vancouver, Canada, August 3-5, 2015.
Sponsor
-
A New Direction for Software Reverse Engineering and Binary Code Retrofitting,
Dinghao Wu (PI),
Office of Naval Research (ONR),
Grant No. N00014-17-1-2894, $3,568,941, 2017-2022.
-
Reverse Engineering Based Software Diversification for Cyber Fault Tolerance,
Dinghao Wu (PI),
Office of Naval Research (ONR),
Grant No. N00014-16-1-2912, $509,378, 2016-2019.
-
Secure Lean Binary Code, Dinghao Wu (PI) and Peng Liu,
Office of Naval Research (ONR),
Grant No. N00014-16-1-2265, $504,930, 2016-2019.
-
Towards Secure Lean Software, Dinghao Wu (PI) and Peng Liu,
Office of Naval Research (ONR),
Grant No. N00014-13-1-0175, $423,520, 2013-2017.