Proceedings: 2010 Network and Distributed System Security Symposium (NDSS)

Binary Code Extraction and Interface Identification for Security Applications



Abstract

Binary code reuse is the process of automatically identifying the interface and extracting the instructions and data dependencies of a code fragment from an executable program, so that it is self-contained and can be reused by external code. Binary code reuse is useful for a number of security applications, including reusing the proprietary cryptographic or unpacking functions from a malware sample and for rewriting a network dialog. In this paper we conduct the first systematic study of automated binary code reuse and its security applications. The main challenge in binary code reuse is understanding the code fragment's interface. We propose a novel technique to identify the prototype of an undocumented code fragment directly from the program's binary, without access to source code or symbol information. Further, we must also extract the code itself from the binary so that it is self-contained and can be easily reused in another program. We design and implement a tool that uses a combination of dynamic and static analysis to automatically identify the prototype and extract the instructions of an assembly function into a form that can be reused by other C code. The extracted function can be run independently of the rest of the program's functionality and shared with other users. We apply our approach to scenarios that include extracting the encryption and decryption routines from malware samples, and show that these routines can be reused by a network proxy to decrypt encrypted traffic on the network. This allows the network proxy to rewrite the malware's encrypted traffic by combining the extracted encryption and decryption functions with the session keys and the protocol grammar. We also show that we can reuse a code fragment from an unpacking function for the unpacking routine for a different sample of the same family, even if the code fragment is not a complete function.
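To make the prototype-identification step concrete, the following is an added Python illustration of the read-before-write idea that a dynamic analysis can apply to a fragment's execution trace. It is not the authors' tool and does not reproduce the paper's exact rules; the trace record format, the `reg:`/`stack:`/`mem:` location naming, the x86 cdecl assumptions (arguments above the entry stack pointer, return value in `eax`), the function names `identify_interface` and `prototype`, and the trace `TRACE` of a made-up in-place XOR decrypt routine are all assumptions of this example. It classifies locations the fragment reads before writing as inputs, written memory as outputs, recognises callee-saved registers that are restored before return so they are not mistaken for arguments, and marks an argument whose value is the start of an accessed buffer as a pointer, then renders the result as a C prototype of the kind a reuse wrapper would need.

```python
"""Read-before-write interface identification over an execution trace.

Added illustration, not the paper's tool or its exact rules: a dynamic trace
of the fragment's register and memory accesses is analysed to find inputs,
outputs and pointer parameters. Trace format and conventions are assumptions.
"""
from dataclasses import dataclass

# Location naming (an assumption of this example, not a real trace format):
#   "reg:<name>" register; "stack:+N" N bytes above the entry stack pointer
#   (return address at +0, cdecl args at +4, +8, ...); "stack:-N" the
#   fragment's own locals; "mem:0x..." heap/global memory, one record per byte.
IGNORED = {"reg:esp", "reg:eip"}   # stack/instruction pointer are never interface
RET_REG = "reg:eax"                # cdecl return-value register (assumption)
RET_ADDR = "stack:+0"


@dataclass(frozen=True)
class Access:
    kind: str    # "r" (read) or "w" (write)
    loc: str
    value: int


def _runs(addrs):
    """Collapse byte addresses into sorted (start, length) runs."""
    runs = []
    for a in sorted(addrs):
        if runs and runs[-1][0] + runs[-1][1] == a:
            runs[-1] = (runs[-1][0], runs[-1][1] + 1)
        else:
            runs.append((a, 1))
    return runs


def identify_interface(trace):
    first_read, last_write = {}, {}
    for acc in trace:
        if acc.loc in IGNORED:
            continue
        if acc.kind == "w":
            last_write[acc.loc] = acc.value
        elif acc.loc not in last_write and acc.loc not in first_read:
            first_read[acc.loc] = acc.value   # read of state the caller set up

    mem_in = {int(l[4:], 16) for l in first_read if l.startswith("mem:")}
    mem_out = {int(l[4:], 16) for l in last_write if l.startswith("mem:")}
    buffers = []
    for start, length in _runs(mem_in | mem_out):
        span = range(start, start + length)
        r, w = any(b in mem_in for b in span), any(b in mem_out for b in span)
        buffers.append((start, length, "inout" if r and w else "in" if r else "out"))

    params = []
    for loc, v in first_read.items():
        # A register read at entry and restored to that value before return is
        # callee-saved bookkeeping (push/pop ebp, esi, ...), not an argument.
        if loc.startswith("reg:") and last_write.get(loc) != v:
            params.append((loc, v))
        elif loc.startswith("stack:+") and loc != RET_ADDR:   # caller-frame slot
            params.append((loc, v))
    params.sort(key=lambda p: (0, p[0]) if p[0].startswith("reg:")
                else (1, int(p[0].split("+")[1])))

    by_start = {s: (n, k) for s, n, k in buffers}
    typed = []
    for loc, v in params:   # a value that starts an accessed buffer is a pointer
        ptr = by_start.get(v)
        typed.append({"loc": loc, "type": "uint8_t *" if ptr else "uint32_t",
                      "points_to": (v,) + ptr if ptr else None})
    return {"params": typed, "returns": RET_REG in last_write, "buffers": buffers}


def prototype(iface, name="extracted"):
    """Render the recovered interface as a C prototype for the reuse wrapper."""
    decls = []
    for i, p in enumerate(iface["params"]):
        note = p["loc"]
        if p["points_to"]:
            start, length, kind = p["points_to"]
            note += f", {kind} buffer of {length} bytes at {start:#x}"
        sep = "" if p["type"].endswith("*") else " "
        decls.append(f"{p['type']}{sep}arg{i} /* {note} */")
    ret = "uint32_t" if iface["returns"] else "void"
    return f"{ret} {name}({', '.join(decls) or 'void'});"


# Constructed trace of a cdecl XOR decrypt(buf, len, key) rewriting a 3-byte
# buffer in place; the addresses and values are made up for this example.
BUF = 0x804A100
TRACE = [
    Access("r", "reg:ebp", 0xBFFF0010), Access("w", "stack:-4", 0xBFFF0010),  # push ebp
    Access("w", "reg:ebp", 0xBFFF0000),                                        # mov ebp, esp
    Access("r", "stack:+4", BUF), Access("w", "reg:eax", BUF),                 # buf
    Access("r", "stack:+8", 3), Access("w", "reg:ecx", 3),                     # len
    Access("r", "stack:+12", 0x5A), Access("w", "reg:edx", 0x5A),              # key
    Access("w", "stack:-8", 0),                                                # local counter
]
for i, byte in enumerate((0x11, 0x22, 0x33)):
    TRACE += [Access("r", "stack:-8", i),
              Access("r", f"mem:{BUF + i:#x}", byte),          # load ciphertext byte
              Access("w", f"mem:{BUF + i:#x}", byte ^ 0x5A),   # store plaintext in place
              Access("w", "stack:-8", i + 1)]
TRACE += [Access("w", "reg:eax", 0),                                            # return 0
          Access("r", "stack:-4", 0xBFFF0010), Access("w", "reg:ebp", 0xBFFF0010),  # pop ebp
          Access("r", RET_ADDR, 0x08048500)]                                    # ret
```

Calling `prototype(identify_interface(TRACE))` yields `uint32_t extracted(uint8_t *arg0 /* stack:+4, inout buffer of 3 bytes at 0x804a100 */, uint32_t arg1 /* stack:+8 */, uint32_t arg2 /* stack:+12 */);`: the saved-and-restored `ebp`, the loop counter local and the return-address slot are all kept out of the interface, while the first argument is recognised as a pointer to an in-place buffer because its value is the start of memory the fragment both reads and writes. A single trace only reveals the locations this execution touched, so a practitioner would combine several runs (or a static pass over the extracted instructions) before trusting a recovered buffer length or parameter count.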
