
[Paper Summary] Automatically Mitigating Vulnerabilities in Binary Programs via Partially Recompilable Decompilation

Pemma Reiter, Hui Jun Tay | arXiv (Cornell University) | Feb 24, 2022
Advanced Malware Detection Techniques | Cited by 2
One-sentence summary

This paper proposes Partially Recompilable Decompilation (PRD), a novel approach that decompiles only the vulnerable functions of a binary program into recompilable source code, so that source-level repair tools can patch them automatically. PRD achieves 92.9% test equivalence and successfully decompiles 70–89% of individual functions, outperforming full-binary decompilation (1.7% success rate), and enables APR tools to patch CGC binaries with performance comparable to full-source tools.

ABSTRACT

Decompilation is the process of translating compiled code into high-level code. Control flow recovery is a challenging part of the process. "Misdecompilations" can occur, whereby the decompiled code does not accurately represent the semantics of the compiled code, despite it being syntactically valid. This is problematic because it can mislead users who are trying to reason about the program. We present CFG-based program generation: a novel approach to randomised testing that aims to improve the control flow recovery of decompilers. CFG-based program generation involves randomly generating control flow graphs (CFGs) and paths through each graph. Inspired by prior work in the domain of GPU computing, (CFG, path) pairs are "fleshed" into test programs. Each program is decompiled and recompiled. The test oracle verifies whether the actual runtime path through the graph matches the expected path. Any difference in the execution paths after recompilation indicates a possible misdecompilation. A key benefit of this approach is that it is largely independent of the source and target languages in question because it is focused on control flow. The approach is therefore applicable to numerous decompilation settings. The trade-off resulting from the focus on control flow is that misdecompilation bugs that do not relate to control flow (e.g. bugs that involve specific arithmetic operations) are out of scope. We have implemented this approach in FuzzFlesh, an open-source randomised testing tool. FuzzFlesh can be easily configured to target a variety of low-level languages and decompiler toolchains because most of the CFG and path generation process is language-independent. At present, FuzzFlesh supports testing decompilation of Java bytecode, .NET assembly and x86 machine code. 
In addition to program generation, FuzzFlesh also includes an automated test-case reducer that operates on the CFG rather than the low-level program, which means that it can be applied to any of the target languages. We present a large experimental campaign applying FuzzFlesh to a variety of decompilers, leading to the discovery of 12 previously-unknown bugs across two language formats, six of which have been fixed. We present experiments comparing our generic FuzzFlesh tool to two state-of-the-art decompiler testing tools targeted at specific languages. As expected, the coverage our generic FuzzFlesh tool achieves on a given decompiler is lower than the coverage achieved by a tool specifically designed for the input format of that decompiler. However, due to its focus on control flow, FuzzFlesh is able to cover sections of control flow recovery code that the targeted tools cannot reach, and identify control flow related bugs that the targeted tools miss.

Motivation and goals

  • Address the challenge of patching software vulnerabilities when source code is unavailable, especially in deployed binaries.
  • Overcome the limitations of full-binary decompilation, which fails because of scalability and recompilability problems.
  • Make high-fidelity, source-level automated program repair (APR) tools applicable to binary programs through partially recompilable decompilation.
  • Verify whether source code decompiled from only a few functions is sufficient to support effective, test-equivalent binary patching.
  • Show that PRD lets APR tools achieve performance on binary input comparable to their performance on full source code.

Proposed method

  • Use binary fault localization (CGFL) to identify a small set of functions likely to contain the vulnerability.
  • Apply a decompiler to lift only the suspicious functions to high-level, recompilable C/C++ source, focusing on type recovery and function boundary identification.
  • Build a binary-source interface that integrates the decompiled source with the original binary while preserving consistent execution semantics.
  • Apply source-level APR tools (e.g. Prophet, GenProg) to the decompiled source to generate patches.
  • Reintegrate the patched source into the original binary using binary rewriting and recompilation, ensuring test equivalence.
  • Rely only on minimal type inference (recovering just offsets and reference types), reducing the dependence on complete and correct type inference.

Experimental results

Research questions

  • RQ1: Can decompiling individual functions from a binary produce recompilable source code free of syntactic or compilation constraints?
  • RQ2: To what extent can source-level APR tools be effectively applied to binary programs through partial decompilation?
  • RQ3: To what extent does PRD preserve behavioral equivalence between the original and patched binaries?
  • RQ4: Can PRD enable APR tools to achieve performance on binaries comparable to their performance on full source code?
  • RQ5: How generalizable is PRD across real-world binaries, different programming languages (C/C++), and multiple vulnerability types?

Main findings

  • With sufficient type recovery, PRD successfully decompiles and recompiles 70–89% of individual functions, whereas decompilation of full C binaries succeeds only 1.7% of the time.
  • When decompilation succeeds, PRD produces test-equivalent binaries 92.9% of the time, confirming behavioral fidelity.
  • APR tools integrated with PRD successfully mitigated 85 vulnerabilities in DARPA CGC binaries, with performance comparable to or better than full-source APR tools.
  • APR tools backed by PRD sometimes produced patches of higher quality than those of the top CGC teams, showing competitive repair quality.
  • The approach generalizes across datasets (including CGC, Rode0Day and MITRE CVE) and supports C++ and stripped binaries (given decompiler support).
  • By focusing only on function offsets and reference types, the approach reduces reliance on full type inference, making it more scalable and practical.
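As an added example, written for this summary rather than taken from the paper or its PRD tooling, the following C program models the pipeline in the "Proposed method" list and the test-equivalence criterion in the findings: a constructed "decompiled" function whose copy loop ignores the recovered buffer capacity, its patched replacement (the kind of fix a source-level APR tool would produce), a function pointer standing in for the binary-source interface so the recompiled function can be swapped in without touching other code, and an oracle that counts divergences between original and patched behavior on benign regression inputs. All function names, the 16-byte buffer size and the inputs are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed stand-in for a "decompiled" suspicious function: the decompiler
 * recovered an offset-based copy loop and a buffer-capacity parameter, but the
 * original code never checks that capacity, so oversized input overflows dst.
 * Written for this summary; not output of any real decompiler. */
static int copy_record_decompiled(char *dst, size_t dst_cap, const char *src)
{
    (void)dst_cap;                       /* recovered but unused: the bug */
    size_t i = 0;
    while (src[i] != '\0') {
        dst[i] = src[i];
        i++;
    }
    dst[i] = '\0';
    return (int)i;
}

/* Patched source: identical result for inputs that fit, -1 for inputs that
 * would overflow. Same contract as the original on the benign test set. */
static int copy_record_patched(char *dst, size_t dst_cap, const char *src)
{
    size_t n = 0;
    while (n < dst_cap && src[n] != '\0')
        n++;
    if (n >= dst_cap)                    /* no room left for the terminator */
        return -1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return (int)n;
}

/* Binary-source interface stand-in: the rest of the "binary" reaches the
 * function only through this pointer, so the recompiled function replaces
 * the original without any other code being rewritten. */
typedef int (*copy_fn)(char *dst, size_t dst_cap, const char *src);
static copy_fn g_copy_record = copy_record_decompiled;

static void install_patch(copy_fn replacement)
{
    g_copy_record = replacement;
}

static int patch_installed(void)
{
    return g_copy_record == copy_record_patched;
}

/* Test-equivalence oracle: run original and candidate on the benign
 * regression inputs (constructed; all shorter than the 16-byte buffer) and
 * count cases where the return value or the buffer contents differ. */
static int count_divergences(copy_fn original, copy_fn candidate)
{
    static const char *const benign[] = { "", "a", "hello", "0123456789abcde" };
    int divergences = 0;
    for (size_t k = 0; k < sizeof benign / sizeof benign[0]; k++) {
        char buf_a[16], buf_b[16];
        int ra = original(buf_a, sizeof buf_a, benign[k]);
        int rb = candidate(buf_b, sizeof buf_b, benign[k]);
        if (ra != rb || strcmp(buf_a, buf_b) != 0)
            divergences++;
    }
    return divergences;
}

/* The overflow-triggering input is only ever fed to the patched function;
 * the original would write past the end of buf. */
static int patched_rejects_oversized(void)
{
    char buf[16];
    const char *oversized = "this record is far longer than sixteen bytes";
    return copy_record_patched(buf, sizeof buf, oversized) == -1;
}

int main(void)
{
    printf("divergences on benign inputs: %d\n",
           count_divergences(copy_record_decompiled, copy_record_patched));
    install_patch(copy_record_patched);
    char buf[16];
    printf("oversized input through the interface -> %d\n",
           g_copy_record(buf, sizeof buf,
                         "this record is far longer than sixteen bytes"));
    return 0;
}
```

The oracle deliberately compares only on inputs the original handles safely: the point of test equivalence is that the patched function preserves existing behavior on the regression suite, while the vulnerability-triggering input is checked against the patched function alone. In the paper's setting the interface is realized by binary rewriting rather than a function pointer, but the separation it provides, original code untouched and only the recompiled function swapped, is the same.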


This summary was generated by AI and reviewed by a human editor.