research-article

InputFinder: Reverse Engineering Closed Binaries using Hardware Performance Counters

Authors:

Praveen MurthyAuthors Info & Claims

PPREW-5: Proceedings of the 5th Program Protection and Reverse Engineering Workshop

Article No.: 2, Pages 1 - 12

https://doi.org/10.1145/2843859.2843865

Published: 08 December 2015 Publication History

Abstract

The effectiveness of many dynamic program analysis techniques depends heavily on the completeness of the test suite applied during the analysis process. Test suites are often composed by developers and aim at testing all of the functionality of a software system. However, test suites may not be complete, if they exist at all. To date, only two methods exist for automatically generating test input for closed binaries: fuzzing and symbolic execution. Despite previous successes of these methods in identifying bugs, both techniques have limitations. In this paper, we propose a new method for autonomously generating valid input and identifying protocols for closed x86 binaries. The method presented can be used as a standalone tool or can be combined with other techniques for improved results. To assess its effectiveness, we test InputFinder, the implementation of our method, against binaries from the DARPA Cyber Grand Challenge example set. Our evaluations show that our method is not only effective in finding input and determining whether a protocol is expected but can also find unexpected control flow paths.

References

[1]

zzuf: Multi-purpose fuzzer. http://caca.zoy.org/wiki/zzuf.

[2]

J. Caballero, H. Yin, Z. Liang, and D. Song. Polyglot: Automatic extraction of protocol message format using dynamic binary analysis. In Proceedings of the 14th ACM conference on Computer and communications security, pages 317--329. ACM, 2007.

[3]

C. Cadar, V. Ganesh, P. M. Pawlowski, D. L. Dill, and D. R. Engler. Exe: Automatically generating inputs of death. In Proceedings of the 13th ACM Conference on Computer and Communications Security, CCS '06, pages 322--335, New York, NY, USA, 2006. ACM.

Digital Library

[4]

P. Comparetti, G. Wondracek, C. Kruegel, and E. Kirda. Prospex: Protocol specification extraction. In Security and Privacy, 2009 30th IEEE Symposium on, pages 110--125, May 2009.

Digital Library

[5]

DARPA. Cyber grand challenge binaries. https://github.com/CyberGrandChallenge/samples, 2014--2015.

[6]

erenyagdiran. I was just asked to crack a program in a job interview ! 2014.

[7]

P. Godefroid, M. Y. Levin, D. A. Molnar, et al. Automated whitebox fuzz testing. In NDSS, volume 8, pages 151--166, 2008.

[8]

J. C. King. Symbolic execution and program testing. Commun. ACM, 19(7):385--394, July 1976.

Digital Library

[9]

A. Lanzi, L. Martignoni, M. Monga, and R. Paleari. A smart fuzzer for x86 executables. In Software Engineering for Secure Systems, 2007. SESS '07: ICSE Workshops 2007. Third International Workshop on, pages 7--7, May 2007.

Digital Library

[10]

C.-K. Luk, R. Cohn, R. Muth, H. Patil, A. Klauser, G. Lowney, S. Wallace, V. J. Reddi, and K. Hazelwood. Pin: Building customized program analysis tools with dynamic instrumentation. SIGPLAN Not., 40(6):190--200, June 2005.

Digital Library

[11]

S. McCamant et al. FuzzBALL vine-based binary symbolic execution. http://bitblaze.cs.berkeley.edu/fuzzball.html, 2014--2015.

[12]

B. P. Miller, L. Fredriksen, and B. So. An empirical study of the reliability of unix utilities. Commun. ACM, 33(12):32--44, Dec. 1990.

Digital Library

[13]

B. P. Miller, D. Koski, C. Pheow, L. V. Maganty, R. Murthy, A. Natarajan, and J. Steidl. Fuzz revisited: A re-examination of the reliability of unix utilities and services. 1995.

[14]

D. Molnar, X. C. Li, and D. Wagner. Dynamic test generation to find integer bugs in x86 binary linux programs. In USENIX Security Symposium, pages 67--82, 2009.

Digital Library

[15]

D. Song, D. Brumley, et al. BitBlaze: A new approach to computer security via binary analysis. In Proceedings of the 4th International Conference on Information Systems Security. Keynote invited paper., Hyderabad, India. http://bitblaze.cs.berkeley.edu/.

Digital Library

[16]

V. M. Weaver and S. A. McKee. Can hardware performance counters be trusted? In Workload Characterization, 2008. IISWC 2008. IEEE International Symposium on, pages 141--150. IEEE, 2008.

Cited By

Bhade PPaturel JSentieys OSinha S(2024)Lightweight Hardware-Based Cache Side-Channel Attack Detection for Edge Devices (Edge-CaSCADe)ACM Transactions on Embedded Computing Systems10.1145/366367323:4(1-27)Online publication date: 11-May-2024
https://dl.acm.org/doi/10.1145/3663673
Hu YLi SXue WZhao YWen Y(2024)CarePlus: A general framework for hardware performance counter based malware detection under system resource competitionComputers & Security10.1016/j.cose.2024.103884143(103884)Online publication date: Aug-2024
https://doi.org/10.1016/j.cose.2024.103884
Carnà SFerracci SQuaglia FPellegrini A(2022)Fight Hardware with Hardware: Systemwide Detection and Mitigation of Side-channel Attacks Using Performance CountersDigital Threats: Research and Practice10.1145/35196014:1(1-24)Online publication date: 30-Apr-2022
https://dl.acm.org/doi/10.1145/3519601
Show More Cited By

InputFinder: Reverse Engineering Closed Binaries using Hardware Performance Counters
1. Software and its engineering
  1. Software creation and management
    1. Software verification and validation
      1. Software defect analysis

Recommendations

A Static Approach to Prioritizing JUnit Test Cases

Test case prioritization is used in regression testing to schedule the execution order of test cases so as to expose faults earlier in testing. Over the past few years, many test case prioritization techniques have been proposed in the literature. Most ...
Spartan: a spectral and entropy-based partial-scan and test point insertion algorithm
Faster mutation testing inspired by test prioritization and reduction
ISSTA 2013: Proceedings of the 2013 International Symposium on Software Testing and Analysis

Mutation testing is a well-known but costly approach for determining test adequacy. The central idea behind the approach is to generate mutants, which are small syntactic transformations of the program under test, and then to measure for a given test ...

Comments

Information & Contributors

Information

Published In

cover image ACM Other conferences

PPREW-5: Proceedings of the 5th Program Protection and Reverse Engineering Workshop

December 2015

89 pages

ISBN:9781450336420

DOI:10.1145/2843859

General Chair:
J. Todd McDonald
University of South Alabama, USA
,
Program Chairs:
Mila Dalla Preda
University of Verona, Italy
,
Natalia Stakhanova
University of New Brunswick, Canada

Copyright © 2015 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 08 December 2015

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Qualifiers

Research-article
Research
Refereed limited

Conference

PPREW-5

PPREW-5: Program Protection and Reverse Engineering Workshop

December 8, 2015

CA, Los Angeles, USA

Acceptance Rates

PPREW-5 Paper Acceptance Rate 8 of 12 submissions, 67%;

Overall Acceptance Rate 21 of 36 submissions, 58%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

7
Total Citations
View Citations
175
Total Downloads

Downloads (Last 12 months)7
Downloads (Last 6 weeks)1

Reflects downloads up to 09 Nov 2024

Other Metrics

View Author Metrics

Citations

Cited By

Bhade PPaturel JSentieys OSinha S(2024)Lightweight Hardware-Based Cache Side-Channel Attack Detection for Edge Devices (Edge-CaSCADe)ACM Transactions on Embedded Computing Systems10.1145/366367323:4(1-27)Online publication date: 11-May-2024
https://dl.acm.org/doi/10.1145/3663673
Hu YLi SXue WZhao YWen Y(2024)CarePlus: A general framework for hardware performance counter based malware detection under system resource competitionComputers & Security10.1016/j.cose.2024.103884143(103884)Online publication date: Aug-2024
https://doi.org/10.1016/j.cose.2024.103884
Carnà SFerracci SQuaglia FPellegrini A(2022)Fight Hardware with Hardware: Systemwide Detection and Mitigation of Side-channel Attacks Using Performance CountersDigital Threats: Research and Practice10.1145/35196014:1(1-24)Online publication date: 30-Apr-2022
https://dl.acm.org/doi/10.1145/3519601
Shepherd CSemal BMarkantonakis K(2022)Investigating Black-Box Function Recognition Using Hardware Performance CountersIEEE Transactions on Computers10.1109/TC.2022.3226302(1-14)Online publication date: 2022
https://doi.org/10.1109/TC.2022.3226302
Das SWerner JAntonakakis MPolychronakis MMonrose F(2019)SoK: The Challenges, Pitfalls, and Perils of Using Hardware Performance Counters for Security2019 IEEE Symposium on Security and Privacy (SP)10.1109/SP.2019.00021(20-38)Online publication date: May-2019
https://doi.org/10.1109/SP.2019.00021
Du CTan XGuo Y(2019)A Gray-Box Vulnerability Discovery Model Based on Path CoverageArtificial Intelligence and Security10.1007/978-3-030-24268-8_1(3-12)Online publication date: 11-Jul-2019
https://doi.org/10.1007/978-3-030-24268-8_1
Schwarz MGruss DLipp MMaurice CSchuster TFogh AMangard SKim JAhn GKim SKim YLopez JKim T(2018)Automated Detection, Exploitation, and Elimination of Double-Fetch Bugs using Modern CPU FeaturesProceedings of the 2018 on Asia Conference on Computer and Communications Security10.1145/3196494.3196508(587-600)Online publication date: 29-May-2018
https://dl.acm.org/doi/10.1145/3196494.3196508

View Options

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents