Abstract
Any technique to ensure memory safety requires knowledge of (a) precise array bounds and (b) the data types accessed by the memory load/store and pointer-move instructions (called owners) in the program. While this information can be derived effectively by compiler-level approaches, much of it may be lost during compilation and become unavailable to binary-level tools. In this work we conduct the first detailed study of how accurately this information can be extracted or reconstructed by current state-of-the-art static reverse engineering (RE) platforms, for binaries compiled with and without debug symbol information. Furthermore, it is also unclear how imprecision in the array bounds and instruction owner information obtained by the RE tools affects the ability of techniques to detect illegal memory accesses at run-time. We study this issue by designing, building, and deploying a novel binary-level technique that assesses the properties and effectiveness of the information provided by the static RE algorithms in a first stage, which then guides the run-time instrumentation that detects illegal memory accesses in a decoupled second stage. Our work explores the limitations and challenges that static binary analysis tools face in developing accurate binary-level techniques to detect memory errors.
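As an added illustration (not code from the paper or from its vulcan_prototype repository), the following Python model shows why the two kinds of static information matter to the decoupled second stage. Stage 1 is represented by a table of array bounds and a map from instruction address to owner; stage 2 checks each memory access in a trace against the bounds of its owner. All addresses, instruction addresses, and the access trace are constructed for the example, and the three metadata variants are hypothetical outputs of an RE tool: one precise, one with an unresolved owner, and one where two adjacent objects were merged into a single oversized bound.

```python
"""Toy model of the two-stage scheme: static RE metadata -> run-time bounds checks.

Constructed example; the layout mimics a hypothetical C fragment
    int buf[4]; int count;           /* buf at 0x1000, count at 0x1010 */
    for (i = 0; i <= 4; i++) buf[i] = i;   /* off-by-one: buf[4] overwrites count */
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ArrayBounds:
    base: int  # lowest valid address of the object
    size: int  # object size in bytes

    @property
    def end(self) -> int:
        """One past the last valid byte."""
        return self.base + self.size


@dataclass(frozen=True)
class StaticInfo:
    """Output of the (hypothetical) static RE stage."""
    bounds: Dict[str, ArrayBounds]        # object name -> bounds
    owners: Dict[int, Optional[str]]      # instruction address -> owner (None = unresolved)


# One trace record: (instruction address, accessed address, access size in bytes)
Access = Tuple[int, int, int]


def check_access(info: StaticInfo, insn_addr: int, addr: int, size: int) -> str:
    """Classify a single access as 'ok', 'violation', or 'unchecked'.

    An access is 'unchecked' when stage 1 could not attribute the instruction
    to an object: the run-time stage then has no bound to compare against,
    so an out-of-bounds access at that instruction is silently missed.
    """
    owner = info.owners.get(insn_addr)
    if owner is None or owner not in info.bounds:
        return "unchecked"
    b = info.bounds[owner]
    if b.base <= addr and addr + size <= b.end:
        return "ok"
    return "violation"


def run_trace(info: StaticInfo, trace: List[Access]) -> Dict[str, int]:
    """Run the stage-2 check over a whole trace and return verdict counts."""
    counts = Counter(check_access(info, *rec) for rec in trace)
    return {k: counts.get(k, 0) for k in ("ok", "violation", "unchecked")}


# Constructed access trace: five 4-byte stores from the loop (the fifth is the
# overflow into `count`), then one legitimate 4-byte read of `count`.
STORE_INSN, LOAD_INSN = 0x401000, 0x401020
TRACE: List[Access] = [(STORE_INSN, 0x1000 + 4 * i, 4) for i in range(5)]
TRACE.append((LOAD_INSN, 0x1010, 4))

# Variant 1: precise bounds and owners, as a compiler (or DWARF) would know them.
PRECISE = StaticInfo(
    bounds={"buf": ArrayBounds(0x1000, 16), "count": ArrayBounds(0x1010, 4)},
    owners={STORE_INSN: "buf", LOAD_INSN: "count"},
)

# Variant 2: the RE tool recovered the objects but could not resolve which
# object the store instruction writes to.
MISSING_OWNER = StaticInfo(
    bounds=PRECISE.bounds,
    owners={STORE_INSN: None, LOAD_INSN: "count"},
)

# Variant 3: the RE tool merged the two adjacent objects into one 20-byte blob,
# so the overflowing store still lands "in bounds".
MERGED_BOUNDS = StaticInfo(
    bounds={"blob": ArrayBounds(0x1000, 20)},
    owners={STORE_INSN: "blob", LOAD_INSN: "blob"},
)


if __name__ == "__main__":
    for name, info in (("precise", PRECISE),
                       ("missing owner", MISSING_OWNER),
                       ("merged bounds", MERGED_BOUNDS)):
        print(f"{name:14s} -> {run_trace(info, TRACE)}")
```

Only the precise variant reports the off-by-one store; the unresolved owner turns every access at that instruction into an unchecked one, and the merged bound makes the overflow indistinguishable from a valid write. This is the same dependency on stage-1 precision that the paper measures on real RE platforms.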
We thank the anonymous reviewers and the paper shepherd. This work is sponsored in part by the National Security Agency (NSA) Science of Security Initiative.
Notes
- 1. DWARF is a debugging file format used by many compilers, including the GCC compiler used in this work, to support source-level debugging.
- 2. Our code can be accessed here: https://github.com/Ruturaj4/vulcan_prototype.
- 3. The implementation of our run-time framework can correctly process all programs in the SARD-88 and SARD-89 suites, as well as most of the SPEC CPU2006 integer benchmarks. However, our implementation currently encounters memory/performance issues with some larger SPEC benchmarks. We will address these implementation issues and improve tool robustness in our ongoing work.
- 4. The results with Ghidra in the first stage are similar, and are included in the Appendix in Table 3 to conserve space. There are more failures in the Ghidra-based configuration, primarily due to poorer analysis of global strings and buffers by Ghidra.
- 5.
- 6. In theory, the performance of our run-time framework should be comparable with a compiler-based approach, like SoftBound [27]. Our run-time implementation is currently in the prototype stage and was designed primarily to explore the properties and potential of the static RE tools to detect memory errors in program binaries. As such, we have not yet explored performance optimizations and the associated trade-offs with memory error detection accuracy for the run-time framework.
References
Hex-Rays decompiler (2020). https://www.hex-rays.com/products/decompiler/
Akritidis, P., Costa, M., Castro, M., Hand, S.: Baggy bounds checking: an efficient and backwards-compatible defense against out-of-bounds errors. In: USENIX Security Symposium, pp. 51–66 (2009)
Andriesse, D., Chen, X., van der Veen, V., Slowinska, A., Bos, H.: An in-depth analysis of disassembly on full-scale x86/x64 binaries. In: 25th USENIX Security Symposium (USENIX Security 16), pp. 583–600. Austin, August 2016
Austin, T.M., Breach, S.E., Sohi, G.S.: Efficient detection of all pointer and array access errors. In: Proceedings of the ACM SIGPLAN 1994 Conference on Programming Language Design and Implementation, PLDI 1994, pp. 290–301 (1994)
Bao, T., Burket, J., Woo, M., Turner, R., Brumley, D.: BYTEWEIGHT: learning to recognize functions in binary code. In: 23rd USENIX Security Symposium (USENIX Security 14), pp. 845–860. San Diego, August 2014
Caballero, J., Grieco, G., Marron, M., Lin, Z., Urbina, D.: ARTISTE: automatic generation of hybrid data structure signatures from binary code executions (2010)
Cowan, C., et al.: StackGuard: automatic adaptive detection and prevention of buffer-overflow attacks. In: Proceedings of the 7th Conference on USENIX Security Symposium - Volume 7, SSYM 1998, p. 5 (1998)
Dhumbumroong, S., Piromsopa, K.: BoundWarden: thread-enforced spatial memory safety through compile-time transformations. Science of Computer Programming 198, 102519 (2020)
Dhurjati, D., Adve, V.: Backwards-compatible array bounds checking for C with very low overhead. In: Proceedings of the 28th International Conference on Software Engineering, pp. 162–171. ACM (2006)
Dhurjati, D., Kowshik, S., Adve, V.: SAFECode: enforcing alias analysis for weakly typed languages. In: ACM SIGPLAN Notices, vol. 41, pp. 144–157. ACM (2006)
dwarfstd.org: DWARF debugging information format (2021). http://www.dwarfstd.org/doc/DWARF4.pdf
eliben: pyelftools (2021). https://github.com/eliben/pyelftools
ElWazeer, K., Anand, K., Kotha, A., Smithson, M., Barua, R.: Scalable variable and data type detection in a binary rewriter. SIGPLAN Not. 48(6), 51–60 (2013)
Hasabnis, N., Misra, A., Sekar, R.: Light-weight bounds checking. In: Proceedings of the Tenth International Symposium on Code Generation and Optimization, CGO 2012, pp. 135–144. ACM, New York (2012)
Henning, J.L.: SPEC CPU2006 benchmark descriptions. SIGARCH Comput. Archit. News 34(4), 1–17 (2006)
Jim, T., Morrisett, J.G., Grossman, D., Hicks, M.W., Cheney, J., Wang, Y.: Cyclone: a safe dialect of C. In: Proceedings of the General Track of the Annual Conference on USENIX Annual Technical Conference, ATEC 2002, pp. 275–288 (2002)
Katz, O., El-Yaniv, R., Yahav, E.: Estimating types in binaries using predictive modeling. In: Proceedings of the 43rd Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, POPL 2016, pp. 313–326 (2016)
Kratkiewicz, K.: A taxonomy of buffer overflow for evaluating static and dynamic software testing tools. In: Proceedings of the Workshop on Software Security Assurance Tools, Techniques and Metrics, NIST (2006)
Lee, J., Avgerinos, T., Brumley, D.: TIE: principled reverse engineering of types in binary programs. In: Proceedings of the Network and Distributed System Security Symposium, NDSS 2011, San Diego, California, USA, 6–9 February 2011 (2011)
Lin, Z., Zhang, X., Xu, D.: Automatic reverse engineering of data structures from binary execution. CERIAS - Purdue University, West Lafayette (2010)
Liu, Z., Wang, S.: How far we have come: testing decompilation correctness of C decompilers. In: Proceedings of the 29th ACM SIGSOFT International Symposium on Software Testing and Analysis, ISSTA 2020, pp. 475–487 (2020)
Luk, C.K., et al.: Pin: building customized program analysis tools with dynamic instrumentation. In: ACM SIGPLAN Notices, vol. 40, pp. 190–200 (2005)
Maier, A., Gascon, H., Wressnegger, C., Rieck, K.: TypeMiner: recovering types in binary programs using machine learning. In: Perdisci, R., Maurice, C., Giacinto, G., Almgren, M. (eds.) DIMVA 2019. LNCS, vol. 11543, pp. 288–308. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-22038-9_14
Matsakis, N.D., Klock, F.S.: The Rust language. In: Proceedings of the 2014 ACM SIGAda Annual Conference on High Integrity Language Technology, HILT 2014, pp. 103–104 (2014)
Meng, X., Miller, B.: Binary code is not easy. In: Proceedings of the 25th International Symposium on Software Testing and Analysis (2016)
NIST SAMATE (Software Assurance Metrics And Tool Evaluation): Juliet test suite for C/C++ (2010). https://samate.nist.gov/SRD/testsuite.php
Nagarakatte, S., Zhao, J., Martin, M.M., Zdancewic, S.: SoftBound: highly compatible and complete spatial memory safety for C. In: Proceedings of the 30th ACM SIGPLAN Conference on Programming Language Design and Implementation, pp. 245–258 (2009)
National Security Agency: Ghidra (2019). https://www.nsa.gov/resources/everyone/ghidra/
Necula, G.C., McPeak, S., Weimer, W.: CCured: type-safe retrofitting of legacy code. SIGPLAN Not. 37(1), 128–139 (2002)
Noonan, M., Loginov, A., Cok, D.: Polymorphic type inference for machine code. In: Proceedings of the 37th ACM SIGPLAN Conference on Programming Language Design and Implementation, PLDI 2016, pp. 27–41 (2016)
Pang, C., et al.: SoK: all you ever wanted to know about x86/x64 binary disassembly but were afraid to ask (2020)
Serebryany, K., Bruening, D., Potapenko, A., Vyukov, D.: AddressSanitizer: a fast address sanity checker. In: Presented as part of the 2012 USENIX Annual Technical Conference (USENIX ATC 12), pp. 309–318 (2012)
Seward, J., Nethercote, N.: Using Valgrind to detect undefined value errors with bit-precision. In: Proceedings of the Annual Conference on USENIX Annual Technical Conference, ATEC 2005, p. 2 (2005)
Simpson, M.S., Barua, R.K.: MemSafe: ensuring the spatial and temporal memory safety of C at runtime. Software: Practice and Experience 43(1), 93–128 (2013)
Slowinska, A., Stancescu, T., Bos, H.: Howard: a dynamic excavator for reverse engineering data structures. In: Proceedings of the Network and Distributed System Security Symposium, NDSS 2011, San Diego, California, USA, 6–9 February 2011. The Internet Society (2011)
Slowinska, A., Stancescu, T., Bos, H.: Body armor for binaries: preventing buffer overflows without recompilation. In: Proceedings of the 2012 USENIX Conference on Annual Technical Conference, USENIX ATC 2012, p. 11 (2012)
Szekeres, L., Payer, M., Wei, T., Song, D.: SoK: eternal war in memory. In: Proceedings of the 2013 IEEE Symposium on Security and Privacy, SP 2013, pp. 48–62 (2013)
Wang, H., et al.: Locating vulnerabilities in binaries via memory layout recovering. In: Proceedings of the 2019 27th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering, ESEC/FSE 2019, pp. 718–728 (2019)
Xu, Z., Wen, C., Qin, S.: Learning types for binaries. In: Duan, Z., Ong, L. (eds.) ICFEM 2017. LNCS, vol. 10610, pp. 430–446. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-68690-5_26
Zitser, M., Lippmann, R., Leek, T.: Testing static analysis tools using exploitable buffer overflows from open source code. In: Proceedings of the 12th ACM SIGSOFT International Symposium on Foundations of Software Engineering, SIGSOFT 2004/FSE-12, pp. 97–106 (2004)
Appendices
Appendix A Optimized Benchmarks
Figure 6 shows the results from the static analysis phase and compares the accuracy of array bounds detection, pointer identification, and instruction owner detection for optimized binaries.
Appendix B Detection Accuracy Using Ghidra
Table 3 shows the detection accuracy of Ghidra for SARD-88 benchmarks.
Appendix C Program Execution Time Overhead by the Pin-Based Run-Time Technique
© 2021 Springer Nature Switzerland AG
Cite this paper
Vaidya, R., Kulkarni, P.A., Jantz, M.R. (2021). Explore Capabilities and Effectiveness of Reverse Engineering Tools to Provide Memory Safety for Binary Programs. In: Deng, R., et al. (eds.) Information Security Practice and Experience. ISPEC 2021. Lecture Notes in Computer Science, vol. 13107. Springer, Cham. https://doi.org/10.1007/978-3-030-93206-0_2
DOI: https://doi.org/10.1007/978-3-030-93206-0_2
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-93205-3
Online ISBN: 978-3-030-93206-0
eBook Packages: Computer Science (R0)