Feedback-driven binary code diversification

Transactions on Architecture and Code Optimization

Volumn 9, Issue 4, 2013, Pages

  Coppens, Bart ^a   De Sutter, Bjorn ^a   Maebe, Jonas ^a  

^a GHENT UNIVERSITY   (Belgium)

Author keywords

Binary doffing; Compiler transformations; Patches; Program matching; Software diversity

Indexed keywords

BINARY DOFFING; COMPILER TRANSFORMATIONS; PATCHES; PROGRAM MATCHING; SOFTWARE DIVERSITY;

BINARY CODES;

PROGRAM COMPILERS;

EID: 84872981876     PISSN: 15443566     EISSN: 15443973     Source Type: Journal    
DOI: 10.1145/2400682.2400683     Document Type: Article

References (60)

1. ANCKAERT, B. 2008. Diversity for software protection. Ph.D. thesis, Ghent University.
2. ANCKAERT, B., JAKUBOWSKI, M., AND VENKATESAN, R. 2006. Proteus: Virtualization for diversified tamperresistance. In Proceedings of the Workshop on Digital Rights Management. 47-58.
3. ANDERSON, B., QUIST, D., NEIL, J., STORLIE, C., AND LANE, T. 2011. Graph-Based malware detection using dynamic analysis. J. Comput. Virol. 7, 247-258.
4. AVIZIENIS, A. AND CHEN, L. 1977. On the implementation of N-version programming for software fault tolerance during execution. In Proceedings of the 1st IEEE Computer Software and Applications Conference. 149-155.
5. BARRANTES, E. G., ACKLEY, D., FORREST, S., AND STEFANOVI, D. 2005. Randomized instruction set emulation. ACM Trans. Info. Syst. Secu. 8, 1, 3-40.
6. BARTH, A., LI, S., RUBINSTEIN, B., AND SONG, D. 2011. How open should open source be? arXiv:1109.0507v1.
7. BARTHEN. 2009. [WoW] [3.0.9] Symbolic info. http://www.mmowned.com/ forums/world-of-warcraft/botsprograms/memory-editing/219320-wow-3-0-9-symbolic- info.html.
8. BAYER, U., KIRDA, E., AND KRUEGEL, C. 2010. Improving the efficiency of dynamic malware analysis. In Proceedings of the 2010 ACM Symposium on Applied Computing (SAC'10). ACM, New York, 1871-1878.
9. BHATKAR, S., DUVARNEY, D., AND SEKAR, R. 2003. Address obfuscation: An efficient approach to combat a broad range of memory error exploits. In Proceedings of the 12th USENIX Security Symposium. 105-120.
10. BONEH, D. AND SHAW, J. 1998. Collusion-Secure fingerprinting for digital data. IEEE Trans. Info. Theory 44, 5, 1897-1905.
11. BRUMLEY, D., POOSANKAM, P., SONG, D., AND ZHENG, J. 2008. Automatic patch-based exploit generation is possible: Techniques and implications. In Proceedings of the IEEE Symposium on Security and Privacy.
12. COHEN, F. 1993. Operating system evolution through program evolution. Comput. Secur. 12, 6, 565-584.
13. COLLBERG, C., THOMBORSON, C., AND LOW, D. 1998. Manufacturing cheap, resilient, and stealthy opaque constructs. In Proceedings of the 25th Conference on Principles of Programming Languages. ACM Press, 184-196.
14. COPPENS, B., DE SUTTER, B., AND DE BOSSCHERE, K. 2012. Protecting your software releases. IEEE Secur. Priv. (to appear).
15. CORE SECURITY TECHNOLOGIES. 2010. Windows SMTP service DNS query id vulnerabilities. CoreLabs Security Advisory.
16. COX, B., EVANS, D., FILIPI, A., ROWANHILL, J., HU, W., DAVIDSON, J., KNIGHT, J., NGUYEN-TUONG, A., AND HISER, J. 2006. N-Variant systems: A secretless framework for security through diversity. In Proceedings of the 15th USENIX Security Symposium. 105-120.
17. DE SUTTER, B., ANCKAERT, B., GEIREGAT, J., CHANET, D., AND DE BOSSCHERE, K. 2008. Instruction set limitation in support of software diversity. In Proceedings of the 11th International Conference on Information Security and Cryptology (ICISC'08). Lecture Notes in Computer Science, Vol.5461. Springer, 152-165.
18. DULLIEN, T. AND ROLLES, R. 2005. Graph-based comparison of executable objects. In Symposium sur la Śecurit́e des Technologies de l'Information et des Communications.
19. EAGLE, C. 2011. The IDA Pro Book 2nd Ed. No Starch Press.
20. ECONOMOU, N. 2010. Microsoft Virtual PC: The hyper-hole-visor bug & MS10-048: Win32k window creation vulnerability (CVE-2010-1897). http://www.ek.party.org/archive/2010/ekoparty-2010/economou=2x1Microsoft-bug. pdff
21. ERGUN, F., KILIAN, J., AND KUMAR, R. 1999. A note on the limits of collusion-resistant watermarks. Proceedings of the 17th International Conference on Theory and Application of Cryotographic Techniques. 140-149.
22. FLAKE, H. 2004. Structural comparison of executable objects. In Proceedings of the Detection of Intrusions and Malware & Vulnerability Assessment, GI SIG SIDAR Workshop. 161-173.
23. FORREST, S., SOMAYAJI, A., AND ACKLEY, D. 1997. Building diverse computer systems. In Proceedings of the Workshop on Hot Topics in Operating Systems. 67-72.
24. FRIJTERS, J. 2010. Reverse engineering the MS10-060 .NET security patch. http://weblog.ikbm.net/permaLink.aspx?guid=cle9440e=becc=44a4=bf2a=12c407f07737.
25. GAO, D., REITER, M. K., AND SONG, D. 2008. Binhunt: Automatically finding semantic differences in binary programs. In Proceedings of the 10th International Conference on Information and Communications Security (ICICS '08). Springer 238-255.
26. HARRIS, S., HARPER, A., EAGLE, C., AND NESS, J. 2008. Gray Hat Hacking: The Ethical Hacker's Handbook. McGraw-Hill.
27. JOHNSON, N. 2011. From patch to proof-of-concept: MS10-081. http://blogs.ixlacom.com/ixia-blog/microsoftvulnerablilty-proof-of-concept/.
28. JONES, D. W. 1988. The ultimate risc. SIGARCH Comput. Archit. News 16, 3, 48-55.
29. KC, G., KEROMYTIS, A., AND PREVELAKIS, V. 2003. Countering code-injection attacks with instruction-set randomization. In Proceedings of the 10th ACM Conference on Computer and Communications Security. 272-280.
30. KIM, M. AND NOTKIN, D. 2006. Program element matching for multi-version program analyses. In Proceedings of the 2006 International Workshop on Mining Software Repositories. 58-64.
31. KIM, M., NOTKIN, D., AND GROSSMAN, D. 2007. Automatic inference of structural changes for matching across program versions. In Proceedings of the 29th International Conference on Software Engineering.
32. LEDOUX, C., WALENSTEIN, A., AND LAKHOTIA, A. 2012. Improved malware classification through sensor fusion using disjoint union. In Proceedings of the 6th International Conference on Information Systems, Technology and Management (ICISTM). 360-371.
33. LEE, B. AND JANG, Y. 2012. Exploit shop website. http://exploitshop. wordpress.com/
34. LINN, C. AND DEBRAY, S. 2003. Obfuscation of executable code to improve resistance to static disassembly. In Proceedings of the ACM Conference on Computer and Communications Security. 290-299.
35. LOVELESS, M. 2006. Corporate security: A hacker perspective. In Proceedings of the 20th Large Installation System Administration Conference.
36. MADOU, M., ANCKAERT, B., DE SUTTER, B., AND DE BOSSCHERE, K. 2005. Hybrid static-dynamic attacks against software protection mechanisms. In Proceedings of the 5th ACM Workshop on Digital Rights Management. 75-82.
37. MILLER, W. AND MYERS, E. 1985. A file comparison program. Softw. Pract. Exper. 15, 11, 1025-1040.
38. MOORE, H. 2008. Exploiting IIS via HTMLEncode (MS08-006). https://strikecenter.bpointsys.com/articles/permalink?month=02&year= 2008&title=Exploiting-lis-via-html-encode-ms08-006&day=13.
39. NAGARAJAN, V., ZHANG, X., GUPTA, R., MADOU, M., DE SUTTER, B., AND DE BOSSCHERE, K. 2007. Matching control flow of program versions. In Proceedings of the 23rd IEEE International Conference on Software Maintenance. 83-94.
40. O'DONNELL, A. AND SETHU, H. 2004. On achieving software diversity for improved network security using distributed coloring algorithms. In Proceedings of the 11th ACM Conference on Computer and Communications Security. ACM Press, 121-131.
41. OH, J. 2009. Fight against 1-day exploits: Diffing binaries vs anti-diffing binaries. In BlackHat USA. http://www.blackhat.com/html/bh-usa-09/ bh-usa-09-archives.html.
42. PERCIVAL, C. 2003. Naive differences of executable code. http://www.daemonology.net/bsdiff/.
43. PROTAS, A. AND MANZUIK, S. 2006. Skeletons in Microsoft's closet-silently fixed vulnerabilities. BlackHat Europe. http://www.blackhat.com/html/bh-europe- 06/bh-ev-06-speakers.htmll
44. SABIN, T. 2004. Comparing binaries with graph isomorphisms. Tech. rep., BindView RAZOR Team.
45. SHACHAM, H., PAGE, M., PFAFF, B., GOH, E.-J., MODADUGU, N., ANDBONEH, D. 2004. On the effectiveness of addressspace randomization. In Proceedings of the 11th ACM Conference on Computer and Communications Security. ACM Press, 298-307.
46. SHARIF, M., LANZI, A., GRIFFIN, J., AND LEE, W. 2009. Automatic reverse engineering of malware emulators. In Proceedings of the IEEE Symposium on Security and Privacy.
47. SLAWLERGUY. 2008. Reversing the ms08-067 patch. http:// dontstoffbearsuppurpose.com/2008/10/23/lookingat-ms08-067/.
48. SOTIROV, A. 2006. Reverse Engineering Microsoft Binaries. CanSecWest.
49. SOVAREL, A., EVANS, D., AND PAUL, N. 2005. Where is the FEEB? The effectiveness of instruction set randomization. In Proceedings of the 14th USENIX Security Symposium. 145-160.
50. VARGHESE, N. 2008. Reverse engineering for Exploit Writers. Clubhack.
51. WAGNER, R. AND FISCHER, M. 1974. The string-to-string correction problem. J. ACM 21, 1, 168-173.
52. WALENSTEIN, A., MATHUR, R., CHOUCHANE, M. R., AND LAKHOTIA, A. 2008. Constructing malware normalizers using term rewriting. J. Comput. Virol. 4, 4, 307-322.
53. WALIA, H. 2011. Reversing Microsoft Patches to Reveal Vulnerable Code. Nullcon.
54. WANG, C., DAVIDSON, J., HILL, J., AND KNIGHT, J. 2001. Protection of software-based survivability mechanisms. In Proceedings of the 2nd International Conference of Dependable Systems and Networks. IEEE Computer Society Press, 193-202.
55. WANG, Z., PIERCE, K., AND MCFARLING, S. 2000. Bmat-a binary matching tools for stale profile propagation. J. Instruct. Level Parallel. 2, 1-20.
56. ZHANG, X. AND GUPTA, R. 2005a. Matching execution histories of program versions. In Proceedings of the 10th European Software Engineering Conference held jointly with 13th ACM SIGSOFT International Symposium on Foundations of Software Engineering. 197-206.
57. ZHANG, X. AND GUPTA, R. 2005b. Whole execution traces and their applications. ACM Trans. Archit. Code Optim. 2, 3, 301-334.
58. ZHOU, Y. AND MAIN, A. 2006. Diversity via code transformations: A solution for NGNA renewable security. In NCTA-The National Show.
59. ZYNAMICS. 2012a. BinDiff. http://www.zynamics.com/bindiff.html.
60. Zynamics 2012b. Zynamics BinDiff Manual. Zynamics.