Workshop on Binary Analysis Research (BAR) 2024 Program

Patching binary code dates back to some of the earliest computer systems. Binary code patching allows access to a program without having access to the source code, obviating the need to recompile, re-link, and, in the dynamic case, re-execute. In the early days, it was a bold technique used by serious programmers to avoid the long recompile/reassemble and link steps. Code patching required an intimate knowledge of the instruction set and its binary representation. Great advances have been made in simplifying the use of code patching, making it less error prone and more flexible. "Binary rewriters" were a great advance in the technology for modifying a binary before its execution. Early tools, such as OM, EEL, and Vulcan, enabled the building of tools for tracing, simulation, testing, and sandboxing. Moving beyond static patching, we developed "dynamic instrumentation", the ability to patch code into a running program. Dynamic instrumentation provided the ability to adapt the code to the immediate need, dynamically control overhead costs. We applied this technology to both user programs and operating system kernels producing the Dyninst and Kerninst tool kits. This technology formed the foundation of the Paradyn Performance Tools. Dynamic code patching continued to get more aggressive. We developed "self-propelled instrumentation", which inserts instrumentation code that propagates itself along the program's control flow as the program executes. At its best, this technique can provide very low overhead, detailed instrumentation in support of fault isolation and identification of intermittent performance issues. More recently, we have addressed a wide variety of issues related to binary code patching including analyzing and patching defensive and obfuscated malware, parallelizing the binary code parsing process to quickly patch huge (GB+) binaries, and efficient analysis and instrumentation of GPU binaries. Key to both static and dynamic patching are the interfaces. There is a difficult balance between providing an interface that abstracts the details of the code, often using control- and data-flow graphs and instruction categories, and an interface that exposes the details of the instruction set. Our primary interface is based on editing of the control flow graph, based on an editing algebra that is closed under valid control flow graphs. In this talk, I will discuss the development of code patching over the years, with examples from the various technologies (including our tools) and present results from our latest work in self- propelled instrumentation. I will also discuss interface abstractions and our work towards the goal of multi-platform interfaces and tools.

Bio: Barton Miller is the Vilas Distinguished Achievement Professor at UW-Madison Miller is a co-PI on the Trusted CI NSF Cybersecurity Center of Excellence, where he leads the software assurance effort. His research interests include software security, in-depth vulnerability assessment, binary and malicious code analysis and instrumentation, extreme scale systems, and parallel and distributed program measurement and debugging. In 1988, Miller founded the field of Fuzz random software testing, which is the foundation of many security and software engineering disciplines. In 1992, Miller (working with his then-student Prof. Jeffrey Hollingsworth) founded the field of dynamic binary code instrumentation and coined the term “dynamic instrumentation”. Miller Miller is a Fellow of the ACM and recently won the Jean Claude Laprie Award in dependable computing for his work on fuzz testing. Miller was the chair of the Institute for Defense Analysis Center for Computing Sciences Program Review Committee, member of the U.S. National Nuclear Safety Administration Los Alamos and Lawrence Livermore National Labs Cyber Security Review Committee (POFMR), member of the Los Alamos National Laboratory Computing, Communications and Networking Division Review Committee, has been on the U.S. Secret Service Electronic Crimes Task Force (Chicago Area) is currently an advisor to the Wisconsin National Guard Cyber Prevention Team.

Binary analysis serves as a foundational technique for a wide array of cybersecurity tasks, including vulnerability identification and malware analysis. While these methods have evolved to become incredibly powerful, they are inherently bounded by the limitations of what can be inferred solely from the binary data within a file. This talk aims to provide an in-depth exploration of both the capabilities and the constraints of binary analysis, dissecting the fundamental goals that drive its usage and to explore potential solutions to these constraints. We will investigate the common objectives of binary analysis, such as code understanding, bug hunting, and threat analysis, and evaluate how these goals often remain unmet when confined to mere binary introspection. This talk will argue that while binary analysis is indispensable, it cannot be the sole methodology employed for a comprehensive solution. The presentation will advocate for the integration of external data sources, contextual information, runtime behavior, and most importantly machine learning and large language models as essential components for enriching the output of binary analysis tools. By fusing binary data with external inputs, we can transcend the inherent limitations and offer a more nuanced, accurate, and actionable analysis for our users.

Bio: Peter LaFosse, is an industry veteran. He started his journey 18 years ago working at SI Government Solutions (later acquired by Raytheon) finding and exploiting software vulnerabilities, writing tools to the same effect and running teams as well. He is a recipient of a coveted DEFCON Black Badge for Capture the Flag where he was the offensive team leader. Having served his time as a defense contractor and being dissatisfied with the tools available for software reverse engineering he co-founded Vector 35 with his business partners with the aim of building the next generation of decompiler. Eight years later Binary Ninja stands as one of the most highly regarded products in the industry.