Crosys: Cross Architectural Dynamic Analysis
Pages 55 - 62
Abstract
Though there was a surge in the production of IoT devices, IoT malware analysis has remained a problem wanting for a clever solution. However, unlike PC and mobile, whose running environment is relatively standardized, IoT malware is rooted in Linux binary so that it can be built for various CPUs and with multiple libraries. For that, developing an effective dynamic analysis tool can be a challenging task.
In this paper, we present Crosys, a method for dynamic analysis of multi-architectural binaries in a single analysis host through intermediate language interpretation and binary rewriting. We explain how we elaborate binary lifting to assure both accuracy and stability. Then we propose cross-architectural dynamic analysis enabled by our work. In the end, we evaluated the stability of rewritten binary and the efficiency of dynamic analysis using technology.
References
[1]
2022. lli - directly execute programs from LLVM bitcode. https://llvm.org/docs/CommandGuide/lli.html
[2]
Cybersecurity & Infrastructure Security Agency. 2017. Heightened DDoS Threat Posed by Mirai and Other Botnets. https://www.cisa.gov/news-events/alerts/2016/10/14/heightened-ddos-threat-posed-mirai-and-other-botnets
[3]
Dennis Andriesse, Xi Chen, Victor Van Der Veen, Asia Slowinska, and Herbert Bos. 2016. An In-Depth Analysis of Disassembly on Full-Scale x86/x64 Binaries. In USENIX Security Symposium. 583–600.
[4]
Manos Antonakakis, Tim April, Michael Bailey, Matt Bernhard, Elie Bursztein, Jaime Cochran, Zakir Durumeric, J Alex Halderman, Luca Invernizzi, and Michalis Kallitsis. 2017. Understanding the mirai botnet. In 26th $USENIX$ security symposium ($USENIX$ Security 17). 1093–1110.
[5]
arm. 2023. ABI for the Arm 32-bit Architecture. https://developer.arm.com/Architectures/Application Binary Interface
[6]
Gogul Balakrishnan and Thomas Reps. 2004. Analyzing memory accesses in x86 executables. In Compiler Construction: 13th International Conference, CC 2004, Held as Part of the Joint European Conferences on Theory and Practice of Software, ETAPS 2004, Barcelona, Spain, March 29-April 2, 2004. Proceedings 13. 5–23.
[7]
Fabrice Bellard. 2005. QEMU, a fast and portable dynamic translator. In USENIX annual technical conference, FREENIX Track. 41, 46.
[8]
David Brumley, Ivan Jager, Thanassis Avgerinos, and Edward J Schwartz. 2011. BAP: A binary analysis platform. In Computer Aided Verification: 23rd International Conference, CAV 2011, Snowbird, UT, USA, July 14-20, 2011. Proceedings 23. 463–469.
[9]
Daming Dominic Chen, Manuel Egele, Maverick Woo, and David Brumley. 2016. Towards fully automated dynamic analysis for embedded firmware. In Proc. of NDSS. 21–24.
[10]
Abraham Clements, Eric Gustafson, Tobias Scharnowski, Paul Grosen, David Fritz, Christopher Kruegel, Giovanni Vigna, Saurabh Bagchi, and Mathias Payer. 2020. Halucinator: Firmware re-hosting through abstraction layer emulation. In Proceedings of the 29th USENIX Security Symposium.
[11]
Andrei Costin, Apostolis Zarras, and Aurélien Francillon. 2016. Automated dynamic firmware analysis at scale: a case study on embedded web interfaces. In Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security. 437–448.
[12]
Emanuele Cozzi, Mariano Graziano, Yanick Fratantonio, and Davide Balzarotti. 2018. Understanding linux malware. In 2018 IEEE symposium on security and privacy (SP). 161–175.
[13]
Daniele Cono D’Elia and Camil Demetrescu. 2016. Flexible on-stack replacement in LLVM. In Proceedings of the 2016 International Symposium on Code Generation and Optimization. 250–260.
[14]
Alessandro Di Federico, Mathias Payer, and Giovanni Agosta. 2017. rev. ng: a unified binary analysis framework to recover CFGs and function boundaries. In Proceedings of the 26th International Conference on Compiler Construction. 131–141.
[15]
Adel Djoudi and Sébastien Bardin. 2015. Binsec: Binary code analysis with low-level regions. In Tools and Algorithms for the Construction and Analysis of Systems: 21st International Conference, TACAS 2015, Held as Part of the European Joint Conferences on Theory and Practice of Software, ETAPS 2015, London, UK, April 11-18, 2015, Proceedings 21. 212–217.
[16]
Stephen J Fink and Feng Qian. 2003. Design, implementation and evaluation of adaptive recompilation with on-stack replacement. In International Symposium on Code Generation and Optimization, 2003. CGO 2003. 241–252.
[17]
Antonio Flores-Montoya and Eric Schulte. 2020. Datalog disassembly. In Proceedings of the 29th USENIX Conference on Security Symposium. 1075–1092.
[18]
Free Software Foundation. 2021. GNU Automake - Generalities about Testing. https://www.gnu.org/software/automake/manual/html_node/Generalities-about-Testing.html
[19]
Free Software Foundation. 2021. GNU Automake - Support for test suites. https://www.gnu.org/software/automake/manual/html_node/Tests.html
[20]
Andrea Gussoni, Alessandro Di Federico, Pietro Fezzardi, and Giovanni Agosta. 2019. Performance, correctness, exceptions: Pick three. In Binary Analysis Research Workshop.
[21]
Urs Hölzle, Craig Chambers, and David Ungar. 1992. Debugging optimized code with dynamic deoptimization. In Proceedings of the ACM SIGPLAN 1992 conference on Programming language design and implementation. 32–43.
[22]
Ding-Yong Hong, Chun-Chen Hsu, Pen-Chung Yew, Jan-Jan Wu, Wei-Chung Hsu, Pangfeng Liu, Chien-Min Wang, and Yeh-Ching Chung. 2012. HQEMU: a multi-threaded and retargetable dynamic binary translator on multicores. In Proceedings of the Tenth International Symposium on Code Generation and Optimization. 104–113.
[23]
Hyukmin Kwon Jaewoo Shim and Sangrok Lee. 2020. A Cross Debugger for Multi-Architecture Binaries. https://llvm.org/devmtg/2020-04/talks.html
[24]
Jieun Lee Jaeyong Ko, Sangrok Lee and Jaewoo Shim. 2022. Execution Domain Transition: Binary and LLVM IR can run in conjunction. https://www.youtube.com/watch?v=s7nNYZvkGi8
[25]
Hyungseok Kim, Soomin Kim, Junoh Lee, Kangkook Jee, and Sang Kil Cha. 2023. Reassembly is Hard: A Reflection on Challenges and Strategies.
[26]
Soomin Kim, Markus Faerevaag, Minkyu Jung, Seungll Jung, DongYeop Oh, JongHyup Lee, and Sang Kil Cha. 2017. Testing intermediate representations for binary analysis. In 2017 32nd IEEE/ACM International Conference on Automated Software Engineering (ASE). 353–364.
[27]
William Largent. 2018. New VPNFilter malware targets at least 500K networking devices worldwide. https://blog.talosintelligence.com/vpnfilter/
[28]
Yen-Ting Lee, Tao Ban, Tzu-Ling Wan, Shin-Ming Cheng, Ryoichi Isawa, Takeshi Takahashi, and Daisuke Inoue. 2020. Cross platform IoT-malware family classification based on printable strings. In 2020 IEEE 19th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom). 775–784.
[29]
Cullen Linn and Saumya Debray. 2003. Obfuscation of executable code to improve resistance to static disassembly. In Proceedings of the 10th ACM conference on Computer and communications security. 290–299.
[30]
Hongjiu Lu, Michael Matz, Milind Girkar, Jan Hubiaka, Andreas Jaeger, and Mark Mitchell. 2018. System v application binary interface amd64 architecture processor supplement (with lp64 and ilp32 programming models) version 1.0.
[31]
Koh M. Nakagawa. 2021. Reverse-engineering Rosetta 2 part1: Analyzing AOT files and the Rosetta 2 runtime. https://ffri.github.io/ProjectChampollion/part1/
[32]
UNIX PRESS. 1996. System V application binary interface: MIPS Architecture Processor Supplement.
[33]
Benjamin Schwarz, Saumya Debray, and Gregory Andrews. 2002. Disassembly of executable code revisited. In Ninth Working Conference on Reverse Engineering, 2002. Proceedings. 45–54.
[34]
Bor-Yeh Shen, Jiunn-Yeu Chen, Wei-Chung Hsu, and Wuu Yang. 2012. LLBT: an LLVM-based static binary translator. In Proceedings of the 2012 international conference on Compilers, architectures and synthesis for embedded systems. 51–60.
[35]
Y Shoshitaishvili, R Wang, and Ch Salls. 2016. The Art of War: Offensive Techniques in Binary Analysis", IEEE Symposium on Security and Privacy.
[36]
Matthew Smithson, Khaled ElWazeer, Kapil Anand, Aparna Kotha, and Rajeev Barua. 2013. Static binary rewriting without supplemental information: Overcoming the tradeoff between coverage and correctness. In 2013 20th Working Conference on Reverse Engineering (WCRE). 52–61.
[37]
Prashast Srivastava, Hui Peng, Jiahao Li, Hamed Okhravi, Howard Shrobe, and Mathias Payer. 2019. Firmfuzz: Automated iot firmware introspection and analysis. In Proceedings of the 2nd International ACM Workshop on Security and Privacy for the Internet-of-Things. 15–21.
[38]
Ruoyu Wang, Yan Shoshitaishvili, Antonio Bianchi, Aravind Machiry, John Grosen, Paul Grosen, Christopher Kruegel, and Giovanni Vigna. 2017. Ramblr: Making Reassembly Great Again. In NDSS.
[39]
Shuai Wang, Pei Wang, and Dinghao Wu. 2015. Reassembleable disassembling. In 24th $USENIX$ Security Symposium ($USENIX$ Security 15). 627–642.
[40]
Philipp Wegner. 2023. Global IoT market size to grow 19% in 2023 —IoT shows resilience despite economic downturn. https://iot-analytics.com/iot-market-size/
[41]
Steve Zucker and Kari Karhi. 1995. System V Application Binary Interface: PowerPC™ Processor Supplement.
Index Terms
- Crosys: Cross Architectural Dynamic Analysis
Recommendations
A robust dynamic analysis system preventing SandBox detection by Android malware
SIN '15: Proceedings of the 8th International Conference on Security of Information and NetworksDue to an increase in the number of Android malware applications and their diversity, it has become necessary for the security community to develop automated dynamic analysis systems. Static analysis has its limitations that can be overcome by dynamic ...
Combined Static and Dynamic Analysis
Static analysis is usually faster than dynamic analysis but less precise. Therefore it is often desirable to retain information from static analysis for run-time verification, or to compare the results of both techniques. However, this requires writing ...
Dynamic Malware Analysis in the Modern Era—A State of the Art Survey
Although malicious software (malware) has been around since the early days of computers, the sophistication and innovation of malware has increased over the years. In particular, the latest crop of ransomware has drawn attention to the dangers of ...
Comments
Information & Contributors
Information
Published In
Copyright © 2023 ACM.
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].
Sponsors
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
Published: 06 June 2023
Check for updates
Author Tags
Qualifiers
- Research-article
Conference
SOAP '23
Sponsor:
SOAP '23: 12th ACM SIGPLAN International Workshop on the State Of the Art in Program Analysis
June 17, 2023
FL, Orlando, USA
Acceptance Rates
Overall Acceptance Rate 11 of 11 submissions, 100%
Contributors
Other Metrics
Bibliometrics & Citations
Bibliometrics
Article Metrics
- 0Total Citations
- 134Total Downloads
- Downloads (Last 12 months)44
- Downloads (Last 6 weeks)8
Reflects downloads up to 11 Feb 2025
Other Metrics
Citations
View Options
Login options
Check if you have access through your login credentials or your institution to get full access on this article.
Sign in