DECAF

DECAF (short for Dynamic Executable Code Analysis Framework) is a binary analysis platform based on QEMU. For its technical details, please check our ISSTA'14 conference paper and our TSE journal paper. Its source code can be found here.

DeepMem

DeepMem is a deep neural network based memory forensic tool. Please read our CCS'18 paper for the technical details and check out this GitHub repository for source code.

DroidScope

DroidScope is a dynamic analysis platform for Android apps, and is specifically designed for analyzing Android malware. Please read our USENIX Security paper for technical details, and check out our GitHub repository for source code.

DroidUnpack

DroidUnpack is a generic unpacker for packed Android apps based on whole-system emulation. It extends DroidScope to support both the Dalvik virtual machine (DVM) and the Android Runtime (ART). Our NDSS'18 paper provides technical details about this tool and presents an extensive study on the current status of packers, unpackers and packed Android malware. The source code can be found within DroidScope.

Genius

Genius is a bug search engine for cross-platform/cross-architecture binary code. Please read our CCS'16 and CCS'17 papers for technical details. Part of the source code is available at this GitHub repository. The firmware dataset can be downloaded from here (about 57GB).

MAB-malware

MAB-Malware is an open-source reinforcement learning framework to generate adversarial examples (AEs) for PE malware. We model this problem as a classic multi-armed bandit (MAB) problem, by treating each action-content pair as an independent slot machine. We model each machine's reward as a Beta distribution and use Thompson sampling to select the next action and content, striking a balance between exploitation and exploration. We devise an action minimization process, which minimizes an AE by removing redundant actions and further reducing essential actions into even smaller actions (called micro-actions). We then assign rewards only to these essential micro-actions. This minimization process also helps interpret the root cause of evasions. The source code is available at this GitHub repository.

PalmTree

PalmTree is a pre-trained assembly language model for downstream deep learning-based binary analysis applications. Please read our CCS'21 paper for technical details. The source code and the pre-trained model can be found in this GitHub repository.

Whitebox Fuzzing

This whitebox fuzzing tool is based on DECAF and BAP 1.0. An instruction trace is collected using the tracecap plugin in DECAF, and then the symbolic execution in BAP is used to compute path constraints and generate new inputs for fuzzing. Source code can be found here.