Binary Code Extraction and Interface Identification for Security Applications

Juan Caballero and Noah M. Johnson and Stephen McCamant and Dawn Song

EECS Department, University of California, Berkeley

Technical Report No. UCB/EECS-2009-133

October 2, 2009

http://www2.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-133.pdf

Binary code reutilization is the process of automatically identifying the interface and extracting the instructions and data dependencies of a code fragment from an executable program, so that it is selfcontained and can be reused by external code. Binary code reutilization is useful for a number of security applications, including reusing the proprietary cryptographic or unpacking functions from a malware sample and for rewriting a network dialog. In this paper we conduct the first systematic study of automated binary code reutilization and its security applications. The main challenge in binary code reutilization is understanding the code fragment’s interface. We propose a novel technique to identify the prototype of an undocumented code fragment directly from the program’s binary, without access to source code or symbol information. Further, we must also extract the code itself from the binary so that it is self-contained and can be easily reused in another program. We design and implement a tool that uses a combination of dynamic and static analysis to automatically identify the prototype and extract the instructions of an assembly function into a form that can be reused by other C code. The extracted function can be run independently of the rest of the program’s functionality and shared with other users. We apply our approach to scenarios that include extracting the encryption and decryption routines from malware samples, and show that these routines can be reused by a network proxy to decrypt encrypted traffic on the network. This allows the network proxy to rewrite the malware’s encrypted traffic by combining the extracted encryption and decryption functions with the session keys and the protocol grammar. We also show that we can reuse a code fragment from an unpacking function for the unpacking routine for a different sample of the same family, even if the code fragment is not a complete function.

BibTeX citation:

@techreport{Caballero:EECS-2009-133,
    Author= {Caballero, Juan and Johnson, Noah M. and McCamant, Stephen and Song, Dawn},
    Title= {Binary Code Extraction and Interface Identification for Security Applications},
    Year= {2009},
    Month= {Oct},
    Url= {http://www2.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-133.html},
    Number= {UCB/EECS-2009-133},
    Abstract= {Binary code reutilization is the process of automatically identifying the interface and extracting the instructions and data dependencies of a code fragment from an executable program, so that it is selfcontained and can be reused by external code. Binary code reutilization is useful for a number of security applications, including reusing the proprietary cryptographic or unpacking functions from a 
malware sample and for rewriting a network dialog. In this paper we conduct the first systematic study of automated binary code reutilization and its security applications. 
The main challenge in binary code reutilization is understanding the code fragment’s interface. We propose a novel technique to identify the prototype of an undocumented code fragment directly from the program’s binary, without access to source code or symbol information. Further, we must also extract the code itself from the binary so that it is self-contained and can be easily reused in another program. We design and implement a tool that uses a combination of dynamic and static analysis to automatically identify the prototype and extract the instructions of an assembly function into a form that can be reused by other C code. The extracted function can be run independently of the rest of the program’s functionality and shared with other users.
We apply our approach to scenarios that include extracting the encryption and decryption routines from malware samples, and show that these routines can be reused by a network proxy to decrypt encrypted traffic on the network. This allows the network proxy to rewrite the malware’s encrypted traffic by combining the extracted encryption and decryption functions with the session keys and the protocol
grammar. We also show that we can reuse a code fragment from an unpacking function for the unpacking routine for a different sample of the same family, even if the code fragment is not a complete function.},
}

EndNote citation:

%0 Report
%A Caballero, Juan 
%A Johnson, Noah M. 
%A McCamant, Stephen 
%A Song, Dawn 
%T Binary Code Extraction and Interface Identification for Security Applications
%I EECS Department, University of California, Berkeley
%D 2009
%8 October 2
%@ UCB/EECS-2009-133
%U http://www2.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-133.html
%F Caballero:EECS-2009-133