Abstract
Binary lifting and recompilation allow a wide range of install-Time program transformations, such as security hardening, deobfuscation, and reoptimization. Existing binary lifting tools are based on static disassembly and thus have to rely on heuristics to disassemble binaries. In this paper, we present BinRec, a new approach to heuristic-free binary recompilation which lifts dynamic traces of a binary to a compiler-level intermediate representation (IR) and lowers the IR back to a "recovered" binary. This enables BinRec to apply rich program transformations, such as compiler-based optimization passes, on top of the recovered representation. We identify and address a number of challenges in binary lifting, including unique challenges posed by our dynamic approach. In contrast to existing frameworks, our dynamic frontend can accurately disassemble and lift binaries without heuristics, and we can successfully recover obfuscated code and all SPEC INT 2006 benchmarks including C++ applications. We evaluate BinRec in three application domains: i) binary reoptimization, ii) deobfuscation (by recovering partial program semantics from virtualization-obfuscated code), and iii) binary hardening (by applying existing compiler-level passes such as AddressSanitizer and SafeStack on binary code).
| Original language | English |
|---|---|
| Title of host publication | EuroSys '20 |
| Subtitle of host publication | Proceedings of the Fifteenth European Conference on Computer Systems |
| Publisher | Association for Computing Machinery, Inc |
| Pages | 1-16 |
| Number of pages | 16 |
| ISBN (Electronic) | 9781450368827 |
| DOIs | |
| Publication status | Published - Apr 2020 |
| Event | 15th European Conference on Computer Systems, EuroSys 2020 - Heraklion, Greece Duration: 27 Apr 2020 → 30 Apr 2020 |
Conference
| Conference | 15th European Conference on Computer Systems, EuroSys 2020 |
|---|---|
| Country/Territory | Greece |
| City | Heraklion |
| Period | 27/04/20 → 30/04/20 |
Funding
We thank our shepherd and the anonymous reviewers for their feedback. This material is based upon work partially supported by the Defense Advanced Research Projects Agency (DARPA) under contracts FA8750-15-C-0124 and FA8750-15-C-0085, by the United States Office of Naval Research (ONR) under contract N00014-17-1-2782, by the National Science Foundation under awards CNS-1619211 and CNS-1513837, and by the Netherlands Organisation for Scientific Research through grant NWO 639.023.309 VICI “Dowsing”. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the Defense Advanced Research Projects Agency (DARPA) or its Contracting Agents, the Office of Naval Research or its Contracting Agents, the National Science Foundation, or any other agency of the U.S. Government. The authors also gratefully acknowledge a gift from Oracle Corporation.
| Funders | Funder number |
|---|---|
| United States Office of Naval Research | |
| National Science Foundation | CNS-1619211, CNS-1513837 |
| National Science Foundation | |
| Office of Naval Research | N00014-17-1-2782 |
| Office of Naval Research | |
| Defense Advanced Research Projects Agency | FA8750-15-C-0085, FA8750-15-C-0124 |
| Defense Advanced Research Projects Agency | |
| Nederlandse Organisatie voor Wetenschappelijk Onderzoek | 639.023.309 |
| Nederlandse Organisatie voor Wetenschappelijk Onderzoek |