From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Original-To: caml-list@sympa.inria.fr Delivered-To: caml-list@sympa.inria.fr Received: from mail2-relais-roc.national.inria.fr (mail2-relais-roc.national.inria.fr [192.134.164.83]) by sympa.inria.fr (Postfix) with ESMTPS id 256567FB5F for ; Sun, 25 Oct 2015 20:04:09 +0100 (CET) IronPort-PHdr: 9a23:carhZhIWIIRZre7z29mcpTZWNBhigK39O0sv0rFitYgUIvjxwZ3uMQTl6Ol3ixeRBMOAu68C07KempujcFJDyK7JiGoFfp1IWk1NouQttCtkPvS4D1bmJuXhdS0wEZcKflZk+3amLRodQ56mNBXsq3G/pQQfBg/4fVIsYL+lR8iK14ye7KObxd76W01wnj2zYLd/fl2djD76kY0ou7ZkMbs70RDTo3FFKKx8zGJsIk+PzV6nvp/jtLYqySlbuuog+shcSu26Ov1gFf0LRAghZkM44svmqRmLZAeG4zM5U2ESnwAAVwvI6hf3Qpf4viL/s+t53CSAFcLzRLEwHz+l6vE4ZgXvjXI8NyMw8Snog8p/xPZEqRSuvBxiyo+FONi9O/93f6ebdtQfEzkSFv1NXjBMV9vvJ7AECPAMaKMB99Hw Authentication-Results: mail2-smtp-roc.national.inria.fr; spf=None smtp.pra=wangshuai901@gmail.com; spf=Pass smtp.mailfrom=wangshuai901@gmail.com; spf=None smtp.helo=postmaster@mail-ob0-f170.google.com Received-SPF: None (mail2-smtp-roc.national.inria.fr: no sender authenticity information available from domain of wangshuai901@gmail.com) identity=pra; client-ip=209.85.214.170; receiver=mail2-smtp-roc.national.inria.fr; envelope-from="wangshuai901@gmail.com"; x-sender="wangshuai901@gmail.com"; x-conformance=sidf_compatible Received-SPF: Pass (mail2-smtp-roc.national.inria.fr: domain of wangshuai901@gmail.com designates 209.85.214.170 as permitted sender) identity=mailfrom; client-ip=209.85.214.170; receiver=mail2-smtp-roc.national.inria.fr; envelope-from="wangshuai901@gmail.com"; x-sender="wangshuai901@gmail.com"; x-conformance=sidf_compatible; x-record-type="v=spf1" Received-SPF: None (mail2-smtp-roc.national.inria.fr: no sender authenticity information available from domain of postmaster@mail-ob0-f170.google.com) identity=helo; client-ip=209.85.214.170; receiver=mail2-smtp-roc.national.inria.fr; envelope-from="wangshuai901@gmail.com"; x-sender="postmaster@mail-ob0-f170.google.com"; x-conformance=sidf_compatible X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: A0B8AADoJi1WlarWVdFUCoJpgSFgDwaELahvkCKBBoFaI4JBgzkCgRAHORMBAQEBAQEBARABAQEBBw0JCR8wgiuCBwEBAQIBARIRHQEbDAsGAQMBCwYFCw0qAgIhAQERAQUBHAYTGweHeAEDCggNpCCBMT4xi0mBbIJ5h3cKGScNVoQAAQEBBwEBAQEBAQEWAQUOimGBBoJQgWBZBAeCaYFFBZJig00HhRyGEYF1gVmEP45Ig1+CJBIjgRcREQGCRCOBeCI0AQEBAYcUAQEB X-IPAS-Result: A0B8AADoJi1WlarWVdFUCoJpgSFgDwaELahvkCKBBoFaI4JBgzkCgRAHORMBAQEBAQEBARABAQEBBw0JCR8wgiuCBwEBAQIBARIRHQEbDAsGAQMBCwYFCw0qAgIhAQERAQUBHAYTGweHeAEDCggNpCCBMT4xi0mBbIJ5h3cKGScNVoQAAQEBBwEBAQEBAQEWAQUOimGBBoJQgWBZBAeCaYFFBZJig00HhRyGEYF1gVmEP45Ig1+CJBIjgRcREQGCRCOBeCI0AQEBAYcUAQEB X-IronPort-AV: E=Sophos;i="5.20,197,1444687200"; d="scan'208";a="184380651" Received: from mail-ob0-f170.google.com ([209.85.214.170]) by mail2-smtp-roc.national.inria.fr with ESMTP/TLS/AES128-GCM-SHA256; 25 Oct 2015 20:04:07 +0100 Received: by obctp1 with SMTP id tp1so100403996obc.2 for ; Sun, 25 Oct 2015 12:04:06 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=IQGAvBMt18xCz4Az3E/GIcrEf/R8KdgixGBPdMbOyi8=; b=M6wZhFIoMm8fP2aSBPmDeXNx8OWNE7ozWTu83LwYZurYKk7XoOsCU8vsWRfczzg420 AQHvmEC7LLtU/gA9EFqzCUzLVPHZykah8HhLDOtEpMuV9ArDQMP470O7tjSspPIa/R4N 8ZI0/hNRrszzi24Yb9vj1NMIg7C08UNNKb8ME8Q29wnmj2l6n0dEg9M/rsu9cb1/iMz2 nLzCcrHSJNkCG9P90/NN7RWGpWpCbm1vE9cZkHeMdoBXnl8rDwOwE8MzugPRb/NCOUAf P1/9gkkh4zDfTvPNQGKCUxargilM6B8vwU4oN68gbqwBe+dgSv0bgy0QWz57mCd2VSfd ZXow== MIME-Version: 1.0 X-Received: by 10.60.144.231 with SMTP id sp7mr23051380oeb.7.1445799846279; Sun, 25 Oct 2015 12:04:06 -0700 (PDT) Received: by 10.202.102.77 with HTTP; Sun, 25 Oct 2015 12:04:06 -0700 (PDT) In-Reply-To: References: Date: Sun, 25 Oct 2015 15:04:06 -0400 Message-ID: From: Shuai Wang To: Kenneth Adam Miller Cc: Ivan Gotovchits , caml users Content-Type: multipart/alternative; boundary=047d7b47225e4100480522f2820e Subject: Re: [Caml-list] [ANN] Uroboros 0.1 --047d7b47225e4100480522f2820e Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable Hello Kenneth, Sorry for the late reply. I have several deadlines during this weekend. To answer your question, our current approach cannot ensure 100% "reposition" correct. The most challenging part is to identify code pointers in global data sections, as we discussed in our paper, it is quite difficult to handle even with some static analysis techniques (type inference, for instance). We do have some false positive, as shown in the appendix of our paper [1]. We will research more to eliminate the false positive. I believe it is doable to present a sound solution. It indeed requires some additional trampolines inserted in the binary code. You may refer to this paper for some enlightens [2]. As for the disassembling challenges, we directly adopt a disassembly approach proposed by an excellent work [3]. You can check out their evaluation section, and find that their approach can correctly disassemble large-size applications without any error. My experience is that Linux ELF binaries are indeed easier to disassemble, and typical compilers (gcc; icc; llvm) would not insert data into code sections (the embedded data can trouble linear disassembler a lot). However, if I am asked to work on PE binaries, then I will probably start from IDA-Pro. We consider the disassembling challenge is orthogonal to our research. IMHO, our research reveals the (important) fact that even though theoretically relocation issue is hard to solve with 100% accuracy, it might not be as troublesome as it was assumed by previous work. Simple solutions can achieve good results. I hope it answers your questions, otherwise, please let me know :) Best, Shuai [1] Shuai Wang, Pei Wang, Dinghao Wu, Reassembleable Disassembling. [2] Zhui Deng, Xiangyu Zhang, Dongyan Xu, BISTRO: Binary Component Extraction and Embedding for Software Security Applications [3] Mingwei Zhang, Sekar, R, Control Flow Integrity for COTS Binaries. On Fri, Oct 23, 2015 at 6:31 PM, Kenneth Adam Miller < kennethadammiller@gmail.com> wrote: > Well it's interesting that you've gone with a binary recompilation > approach. How do you ensure that, statically, for any given edit, you > reposition all the jump targets correctly? How do you deal with the > difficulty of disassembly reducing to the halting problem? > > On Fri, Oct 23, 2015 at 4:59 PM, Shuai Wang > wrote: > >> Hi guys, >> >> I am glad that you are interested in our work!! >> >> Actually this project starts over 1.5 years ago, and I believe at that >> time, BAP (version 0.7 I believe?) is still a research prototype.. >> >> I choose to implement from the stretch is because I want to have a nice >> tool for my own research projects, also I can have an opportunity >> to learn OCaml... :) >> >> Yes, I definitely would like to unite our efforts!! >> >> Best, >> Shuai >> >> >> >> >> On Fri, Oct 23, 2015 at 1:30 PM, Ivan Gotovchits wrote: >> >>> Hi Shuai, >>> >>> Nice work! But I'm curious, why didn't you use [bap][1] as a >>> disassembler? >>> >>> Do you know, that we have a low-level interface to disassembling, like >>> [linear_sweep][2] or even >>> lower [Disasm_expert.Basic][3] interface, that can disassemble on >>> instruction level granularity. >>> >>> It will be very interesting, if we can unite our efforts. >>> >>> Best wishes, >>> Ivan Gotovchits >>> >>> [1]: https://github.com/BinaryAnalysisPlatform/bap >>> [2]: >>> http://binaryanalysisplatform.github.io/bap/api/master/Bap.Std.html#VAL= linear_sweep >>> [3]: >>> http://binaryanalysisplatform.github.io/bap/api/master/Bap.Std.Disasm_e= xpert.Basic.html >>> >>> >>> >>> >>> On Fri, Oct 23, 2015 at 1:05 PM, Shuai Wang >>> wrote: >>> >>>> Dear List, >>>> >>>> I=E2=80=99m glad to announce the first release of Uroboros: an infras= tructure >>>> for reassembleable disassembling and transformation. >>>> >>>> You can find the code here: https://github.com/s3team/uroboros >>>> You can find our research paper which describes the core technique >>>> implemented in Uroboros here: >>>> >>>> https://www.usenix.org/system/files/conference/usenixsecurity15/sec15-= paper-wang-shuai.pdf >>>> >>>> We will provide a project home page, as well as more detailed documents >>>> in the near future. Issues and pull requests welcomed. >>>> >>>> Happy hacking! >>>> >>>> Sincerely, >>>> Shuai >>>> >>> >>> >> > --047d7b47225e4100480522f2820e Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable
Hello Kenneth,

Sorry for the late reply= . I have several deadlines during this weekend.=C2=A0

<= div>To answer your question, our current approach cannot ensure 100% "= reposition" correct.=C2=A0
The most challenging part is to i= dentify code pointers in global data sections, as we discussed=C2=A0
<= div>in our paper, it is quite difficult to handle even with some static ana= lysis techniques=C2=A0
(type inference, for instance). We do have= some false positive, as shown in the appendix of our paper [1].=C2=A0
We will research more to eliminate the false positive.=C2=A0

I believe it is doable to present a sound solution. It ind= eed requires some additional
trampolines inserted in the binary c= ode. You may refer to this paper for some enlightens [2].=C2=A0
= =C2=A0
As for the disassembling challenges, we directly adopt a d= isassembly approach proposed=C2=A0
by an excellent work [3]. = You can check out their evaluation section, and find that their approach=C2= =A0
can correctly disassemble large-size applications without any= error. My experience is that Linux ELF=C2=A0
binaries are indeed= easier to disassemble, and typical compilers (gcc; icc; llvm) would not=C2= =A0
insert data into code sections (the embedded data can trouble= linear disassembler a lot).=C2=A0

However, if I a= m asked to work on PE binaries, then I will probably start from IDA-Pro.=C2= =A0
We consider the disassembling challenge is orthogonal to our = research.=C2=A0

IMHO, our research reveals the (im= portant) fact that even though theoretically relocation issue=C2=A0
is hard to solve with 100% accuracy, it might not be as troublesome as i= t was assumed by previous work.
Simple solutions can achieve good= results.=C2=A0

I hope it answers your questions, = otherwise, please let me know :)=C2=A0

Best,
=
Shuai

[1] Shuai Wang, Pei Wang, Dinghao Wu, R= eassembleable Disassembling.
[2]=C2=A0Zhui Deng, Xiangyu Zhang, Dongyan Xu, BISTRO: Binary Component Extraction and Embedding for Software Secu= rity Applications
[3]=C2=A0Mingwei Zhang, Sekar, R, Control Fl= ow Integrity for COTS Binaries.


<= div>




On Fri, Oct 23, 2015 at 6:3= 1 PM, Kenneth Adam Miller <kennethadammiller@gmail.com> wrote:
Well it'= ;s interesting that you've gone with a binary recompilation approach. H= ow do you ensure that, statically, for any given edit, you reposition all t= he jump targets correctly? How do you deal with the difficulty of disassemb= ly reducing to the halting problem?

On Fri, O= ct 23, 2015 at 4:59 PM, Shuai Wang <wangshuai901@gmail.com> wrote:
Hi guys,
I am glad that you are interested in our work!!=C2=A0
=

Actually this project starts over 1.5 years ago, and I = believe at that time, BAP (version 0.7 I believe?) is still a research prot= otype..

I choose to implement from the stretch=C2= =A0is because I want to have a nice tool for my own research projects, also= I can have an opportunity
to learn OCaml... :)

Yes, I definitely would like to unite our efforts!!=C2=A0

Best,
Shuai




On Fri, Oct 23, 2015 at 1:30 PM, Ivan Gotovchits = <ivg@ieee.org><= /span> wrote:
Hi Shuai,

Nice work! But I'm curious, why d= idn't you use [bap][1] as a disassembler?=C2=A0

Do you know, that we have a low-level interface to disassembling, like [l= inear_sweep][2] or even
lower [Disasm_expert.Basic][3] interface,= that can disassemble on instruction level granularity.

It will be very interesting, if we can unite our efforts.
<= br>
Best wishes,
Ivan Gotovchits

[1]:=C2=A0https://github.com/BinaryAnalysisPlatform/bap




On Fri, Oct 23, 2015 at 1:05 PM, Sh= uai Wang <wangshuai901@gmail.com> wrote:
Dear List,

I=E2=80=99m glad to=C2=A0= announce=C2=A0the first release of Uroboros: =C2=A0an i
You can find the code here:=C2=A0https://github.com/s3team/uro= boros=C2=A0
You can fi= nd our research paper which describes the core technique implemented in Uro= boros here:=C2=A0
<= span style=3D"font-size:12.8000001907349px">https://www.usenix.org/system/f= iles/conference/usenixsecurity15/sec15-paper-wang-shuai.pdf
<= /div>

We will provide a project home pag= e, as well as more detailed documents in the near future. =C2=A0Issues and pull requests welcomed.=

Ha= ppy hacking!

Sincerely,
Shuai




--047d7b47225e4100480522f2820e--