Demystify Today's Binary Disassembling and How Modern ABI Makes it Easier

Presented at Black Hat Asia 2020 Virtual, Oct. 1, 2020, 10:20 a.m. (40 minutes).

Disassembling is the process of restoring instructions and structure information from binary code, forming the foundation of nearly all the solutions for binary security. Incentivized by both industry needs and government programs, binary disassembling gains remarkable advancement and incorporates "magical" techniques to handle complex constructs. In this talk, we will demystify the techniques armed by binary disassembling through a presentation on our study with 8 open-released tools (Ghidra, Angr, McSema, Dyninst, Radare2, Jakstab, Uroboros, and Objdump). We will also give a comprehensive (maybe partial) view of the advancement in binary disassembling across recent years. <br /> <br /> Going beyond the understanding, we will also present our intensive measurement on the above tools and on the most popular commercial tools (including IDA Pro and Binary Ninja). To support the evaluation, we extend the mainstream compilers (LLVM and GCC) and linker (GNU Gold Linker) to enable end-to-end collection of ground truth (which produce the highest level of completeness and accuracy). As we will detail in the talk, our evaluation separately measures individual techniques to understand their degree of use, utilities, and pitfalls. This evaluation leads to many understandings that are contrary to common beliefs but are expected to significantly facilitate the development of binary disassembling. <br /> <br /> In the last part, we will present a key finding from our study --- the development of Application Binary Interface (ABI) is making disassembling easier. In particular, ABI is mandating the availability of frame information for exception handling (e.g., System V x86-64 ABI). Such information makes it more reliable to collect function boundaries, function signatures, and local variables from binary code. We will demonstrate a tool that exploits exception handling information to achieve superior utility of disassembling.

Presenters:

  • Jun Xu - Assistant Professor, Stevens Institute of Technology
    Jun Xu is an Assistant Professor in the Computer Science Department at Stevens Institute of Technology. He received his PhD degree from Pennsylvania State University and his bachelor degree from USTC. His research mainly lies in the areas of software security and system security. He has published many papers at top-tier cyber security conferences, including IEEE S&P, ACM CCS and USENIX Security. His recent research focuses are automated software testing and binary code analysis. He is a recipient of ACM CCS Outstanding Paper Award, Penn State Alumni Dissertation Award, RSA Security Scholar Award and USTC Guo-moruo Scholarship.
  • Chengbin Pang - Researcher, Stevens Institute of Technology
    Chengbin Pang is a security researcher at Stevens Institute of Technology. He is focusing on reverse engineering, fuzzing, and software hardening.
  • Eric Koskinen - Assistant Professor, Stevens Institute of Technology
    Eric Koskinen is an Assistant Professor at Stevens Institute of Technology. Previously, he was a Lecturer/Researcher at Yale University and a Visiting Professor at New York University. He received a PhD in Computer Science from the University of Cambridge. He also spent time at IBM Watson, Microsoft, and from 2002-2005, He was a Software Engineer at Amazon.com. His research yields techniques that improve the way programmers develop reliable and efficient concurrent software for multi-core and distributed systems. To this end, he has made advances along a spectrum of fields, ranging from systems/concurrency methodologies to foundational results in formal methods.

Links:

Similar Presentations: