RetroWrite: Statically Instrumenting COTS Binaries for Fuzzing and Sanitization
- 1 May 2020
- conference paper
- Published by Institute of Electrical and Electronics Engineers (IEEE)
- p. 1497-1511
- https://doi.org/10.1109/sp40000.2020.00009
Abstract
Analyzing the security of closed source binaries is currently impractical for end-users, or even developers who rely on third-party libraries. Such analysis relies on automatic vulnerability discovery techniques, most notably fuzzing with sanitizers enabled. The current state of the art for applying fuzzing or sanitization to binaries is dynamic binary translation, which has prohibitive performance overhead. The alternate technique, static binary rewriting, cannot fully recover symbolization information and hence has difficulty modifying binaries to track code coverage for fuzzing or to add security checks for sanitizers. The ideal solution for binary security analysis would be a static rewriter that can intelligently add the required instrumentation as if it were inserted at compile time. Such instrumentation requires an analysis to statically disambiguate between references and scalars, a problem known to be undecidable in the general case. We show that recovering this information is possible in practice for the most common class of software and libraries: 64-bit, position independent code. Based on this observation, we develop RetroWrite, a binary-rewriting instrumentation to support American Fuzzy Lop (AFL) and Address Sanitizer (ASan), and show that it can achieve compiler-level performance while retaining precision. Binaries rewritten for coverage-guided fuzzing using RetroWrite are identical in performance to compiler-instrumented binaries and outperform the default QEMU-based instrumentation by 4.5x while triggering more bugs. Our implementation of binary-only Address Sanitizer is 3x faster than Valgrind's memcheck, the state-of-the-art binary-only memory checker, and detects 80% more bugs in our evaluation.
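To make the reference-versus-scalar observation concrete, here is an added toy symbolizer (an illustration written for this page, not RetroWrite's code or its full algorithm) run over constructed objdump-style lines: in 64-bit position independent code, every RIP-relative displacement and every direct branch target must be a reference, so the toy turns them into labels, while immediates are left alone because they may be scalars. The sample instructions, their lengths and the `.L<addr>` label scheme are assumptions; a real rewriter also has to handle jump tables, data-section pointers and relocations, which this sketch does not attempt.

```python
import re
from typing import List, Set, Tuple

# Constructed objdump-style sample (not from the paper): (address, length, instruction).
SAMPLE: List[Tuple[int, int, str]] = [
    (0x1130, 7, "lea    0xeb9(%rip),%rdi"),   # PIC reference to a .rodata string
    (0x1137, 5, "mov    $0x1ff0,%eax"),        # scalar that merely equals an address
    (0x113c, 7, "mov    0x2ed5(%rip),%rax"),   # PIC reference to a data/GOT slot
    (0x1143, 5, "call   0x1050"),               # direct call, PC-relative in the encoding
    (0x1148, 4, "add    $0x10,%rsp"),           # scalar stack adjustment
]

RIP_REL = re.compile(r"(-?0x[0-9a-f]+)\(%rip\)")
DIRECT_BRANCH = re.compile(r"^(call|jmp|j[a-z]{1,4})\s+0x([0-9a-f]+)$")


def label(addr: int) -> str:
    """Assumed label scheme: one local label per address."""
    return f".L{addr:x}"


def symbolize(instrs: List[Tuple[int, int, str]]) -> Tuple[List[str], Set[int]]:
    """Return (reassemblable lines, set of referenced target addresses).

    RIP-relative operands are resolved against the address of the *next*
    instruction (that is how the CPU interprets them) and replaced by a label,
    as are direct branch targets. Immediates ($...) are untouched: in PIC they
    cannot be position-dependent references, so treating them as scalars is
    the safe default.
    """
    out: List[str] = []
    targets: Set[int] = set()
    for addr, length, text in instrs:
        next_ip = addr + length
        m = RIP_REL.search(text)
        if m:
            target = next_ip + int(m.group(1), 16)
            targets.add(target)
            text = RIP_REL.sub(f"{label(target)}(%rip)", text)
        else:
            b = DIRECT_BRANCH.match(text)
            if b:
                target = int(b.group(2), 16)
                targets.add(target)
                text = f"{b.group(1)}   {label(target)}"
        out.append(f"{label(addr)}: {text}")
    return out, targets


if __name__ == "__main__":
    for line in symbolize(SAMPLE)[0]:
        print(line)
```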