Type

Text

Type

Thesis

Date

2011-09-13

Keywords

Stripped Win32 Binaries

Source

This work is sponsored by the Stony Brook University Graduate School in compliance with the requirements for completion of degree.

Identifier

http://hdl.handle.net/11401/70920

Publisher

The Graduate School, Stony Brook University: Stony Brook, NY.

Format

application/pdf

Abstract

Many software security techniques require instrumentation of programs either to add runtime checks or to perform dynamic analysis. Unfortunately, commercially distributed application binaries on the Win32 platform are often stripped of their symbol table, and therefore cannot be easily disassembled, let alone correctly instrumented. BIRD is an instrumentation tool that applies an IA-32 disassembler both statically and dynamically, and successfully guarantees that no instruction in an input binary can be executed without being examined first. Unfortunately, the first version of BIRD has several correctness and performance problems. This report describes our experiences of optimizing the first BIRD prototype to remove these problems. In particular, we develop a speculative disassembly technique that reaps most of the performance benefits of static disassembly while ensuring the same disassembly correctness as dynamic disassembly, a bitmapbased situation check algorithm that reduces the performance overhead associated with situation checking to the minimum, and finally a comprehensive in-place instrumentation technique that relies mostly on instruction substitution and drastically cuts down the number of invocations to debug exceptions (int 3). Together these performance optimizations reduce the total instrumentation overhead of a set of Win32 programs from 10-14% to 4-5% on average. To show usefulness of a tool like BEAST, we developed it further to extract a call graph and a system call site control flow graph (scsfg) from stripped Win32 binaries. A call graph gives a fair overview of dependencies between functions and tells which functions iv are linked to each other. A control flow graph adds certain level of determinism to the call graph by enlisting the order in which functions are called. In this report we present design, implementation and evaluation of these applications.

Download

Share

COinS
 
 

To view the content in your browser, please download Adobe Reader or, alternately,
you may Download the file to your hard drive.

NOTE: The latest versions of Adobe Reader do not support viewing PDF files within Firefox on Mac OS and if you are using a modern (Intel) Mac, there is no official plugin for viewing PDF files within the browser window.