where did this code come from?

Paradyn Project

Paradyn / Dyninst WeekMadison, Wisconsin

May 2-4, 2011

Where Did This Code Come From?

Nathan Rosenblum

Recovering the Provenance of Program Binaries

2Who Wrote This Code?

01110101101010101010111010100101010111000100100101101011001101010101010101001010010100100100110110110101011001001010110101001010010111010101010

1010101

GCC 4.2.xunoptimizedC++

Toolchain Provenanc

01110101101010101010111010100101010111000100100101101011001101010101010101001010010100100100110110110101011001001010110101001010010111010101010

1010101

ICC 10.xoptimizedC

Toolchain Provenanc

[mixed]

linux-vdso.so.1libpthread.so.0libasound.so.2libdl.so.2libstdc++.so.6libm.so.6libgcc_s.so.1libc.so.6 /lib64/ld-linux-x86-64.so.2librt.so.1

Debugging remote

deploymentscompiler bug?subtle incompatibility?

Forensicsreverse engineering

tools, obfuscations?decompiling

Why provenance?

Who Wrote This Code?

OutlinePROVENANCE STUDIESSYSTEM DESIGN

MODELING PROGRAM

PROVENANCE

BINARY CODE ABSTRACTIONS

System overview

01110101101010101010111010100101010111000100100101101011001101010101010101001010010100100100110110110101011001001010110101001010010111010101010

1010101program

TARGET BINARY BINARY ANALYSIS

TOOL0111010110101010101011101010010110101110101101010101010111010100101101

0111010110101010101011101010010110101110101101010101010111010100101101

TRAINING DATA LEARNING FRAMEWORK

representation +

feature selection

discovering evidence of provenance

Binary code model

program binary… 55 89 e5 83 ec 2c 57 56 53 8b 45 0c 8b 00 a3 90 a3 05 08 85 c0 74 2b 83 c4 … ⟨ mov [imm], rax ; sub [imm], rax ⟩⟨ push ebp ; * ; mov esp, ebp ⟩

Call Graphfprintf

External Libraries

program

01110101101010101010111010100101010111000100100101101011001101010101010101001010010100100100110110110101011001001010110101001010010111010101010

1010101

Control Flow Graphlayout, block

contents

Graphlets

code element nodes(e.g. basic

blocks)

typed edges(branch, call, etc.)

node colors

arithmeticprivileged instruction

Ex: instruction summary graphlets

Color bit field 214 possible colors

14 instruction categories

sparse in practice

Modeling approach some amount of

feature vector

“decompiles to <push ebp,...”

contains 27 occurrences of

“”

basic blockfunctionwhole program

Compiler toolchainC++C F77

optimized not optimized

3.4 4.2 4.4 2003 2005 2008 10 11

Toolchain details [ISSTA 2011]

compiler familyGNU, Intel, Microsoft

source language version optimization levelC, C++, Fortran [several] low, high

functions

language

family

optimization

version

Model as Conditional Random Field

Instruction sequence featuresSummary graphlet features

Evaluation

LanguageCompiler

OptimizationVersion

Functions Individually

(SVM) Linear CRF

.910.998.993.910

same label likely

statistical dependenci

MSVC code generation changes little between

versions

Program authorshipfor(int i=0; i<sz;++i){// etc

std::vector<int>::iterator it = foo.begin();

while(it != foo.end()) {// etc

Long-range control flow

Summary graphlets

basic blocks

supergraphlets

merged instruction summaries

Interprocedural graphlets

FPRINTF

[local]

Unique “color” for external functions

Anonymous internal functions

Program-author dataset

1. Author labels2. Parallel corpus 3. Linguistic homogeneity

(CS 537)several contest years

8-16 programs per contestant

C and C++ programs C programssome provided/template

Ideal:

Author attribution391,056 N-grams54,705 idioms

37,358 graphlets117,997 supergraphlets8,062 call graphlets152 library calls

1,900 features

94.7% 93.7% 84.3%Top-5

CJ 2009 CJ 2010 CS 537

77.8% 76.8% 38.4%Exact

1. CS537 has much less data2. Template code + instructor

guidance confound results

Students have less distinctive styles?

20 programmers

Summary

01110101101010101010111010100101010111000100100101101011001101010101010101001010010100100100110110110101011001001010110101001010010111010101010

1010101

questions

Backup slides follow

Program provenance

Systemglibc static codelibrary imports

Link & post-linkwhole-program optimization

rewriting toolsobfuscation tools

Compilerfamily

versionoptimization level

source language

Authorship

Instruction-level features

‹mov [imm], rax ; sub [imm], rax›

‹push ebp ; * ; mov esp, ebp›

single-instruction wildcard

opcode class abstraction hidden immediates

IDIOMS

N-GRAMS <4889c2be> <8d45f8><018b45f8>

4-grams 3-grams

Digression: finding code

program binarycode… 55 89 e5 83 ec 2c 57 56 53 8b 45 0c 8b 00 a3 90 a3 05 08 85 c0 74 2b 83 c4 …

push ebp mov esp, ebp sub 0x2c, esp ...in 0x83,eax in [dx],al sub 0x57,al ...

[AAAI 2008]Model compiler-specific “function entry points”Compute max-likelihood labels F1 from .86 - .99 depending on compiler

Byte-sequence model [PASTE 2010]

program binary

GCC GCCICC ICC

Compiler labels modeled as CRF...

yi yi-1 yj yj+1sequence labels ∈ {icc,gcc,...,data}…

… 55 89 e5 83 ec 2c 57 56 53 8b 45 0c 8b 00 a3 90 a3 05 08 85 c0 74 2b 83 c4 …

Digression: Conditional Random Fields

weights (learned)labels

evidence feature functions

Linear chain CRF

exact inference tractable

if xi decompiles to idiom u

otherwise=fu

Idiom feature function

⎩⎨

Byte-sequence model [PASTE 2010]

program binary

yi yi-1 yj yj+1sequence labels ∈ {icc,gcc,...,data}…

… 55 89 e5 83 ec 2c 57 56 53 8b 45 0c 8b 00 a3 90 a3 05 08 85 c0 74 2b 83 c4 …

94% accuracy labeling mixed-compiler sequences+18% accuracy increase in

function finding

01110101101010101010111010100101010111000100100101101011001101010101010101001

Feature selection

(condor)

training programs

Distance metrics

distance metric

Mahalanobis distance

Equivalently:

How do we get A?

Style clustering

Programs, no training data

01110101101010101010111010100101010111000100100101101011001101010101010101001

011101011010101010101110101001010101110001001001011010110011010101010101010010111010110

1010101010111010100101010111000100100101101011001101010101010101001

01110101101010101010111010100101010111000100100101101011001101010101010101001

Conclude: XWho Wrote This Code?

Transfer learning

01110101101010101010111010100101010111000100100101101011001101010101010101001

0111010110101010101011101010010101011100010010010110101100110101010101010100101110101101010101010111010100101010111000100100101101011001101010101010101001

01110101101010101010111010100101010111000100100101101011001101010101010101001

0111010110101010101011101010010101011100010010010110101100110101010101010100101110101101010101010111010100101010111000100100101101011001101010101010101001

01110101101010101010111010100101010111000100100101101011001101010101010101001

0111010110101010101011101010010101011100010010010110101100110101010101010100101110101101010101010111010100101010111000100100101101011001101010101010101001

01110101101010101010111010100101010111000100100101101011001101010101010101001

0111010110101010101011101010010101011100010010010110101100110101010101010100101110101101010101010111010100101010111000100100101101011001101010101010101001

Alice Bob ? ?

01110101101010101010111010100101010111000100100101101011001101010101010101001

0111010110101010101011101010010101011100010010010110101100110101010101010100101110101101010101010111010100101010111000100100101101011001101010101010101001

01110101101010101010111010100101010111000100100101101011001101010101010101001

0111010110101010101011101010010101011100010010010110101100110101010101010100101110101101010101010111010100101010111000100100101101011001101010101010101001

01110101101010101010111010100101010111000100100101101011001101010101010101001

Large-margin Nearest Neighbors

(LMNN)Weinberger, Saul 2009

semi-definite program☹one-time cost☺

Component modelssemi-open world provenance

component sharing (e.g. command and control)programmer movement between groups

mixture of styles

01110101101010101010111010100101010111000100100101101011001101010101010101001

style vs. functionality?

infinite mixture models

interpreting style clusters

Social code networks

program binaries

where did this code come from?

decompilingwhy provenance

rax sub imm

rax push ebp

c4 mov imm

mov esp

nathan rosenblumrecovering

basic blockstyped edgesbranch

subtle incompatibility

Documents

where did the christian bible come from?

where did european men come from

hannibal: where did we come from? (dashcon presentation)

09 where did the water come from and where did it go -...

where did the king james bible come from

where did all the elements come from?

cubed: where did your cubicle come from?

where did i come from ?????

schema.org: where did that come from!

11. where did countries come from

where did it come from

《where did i come from?》

where did knowledge audits come from - green chameleon ·...

where did the earth come from.docx

do now: where did your ancestors come from? why did they...

where did life come from?

where did the european men come from

where did the moon come from?

where did obama come from

where did these two come from?