CS 260: Binary Analysis for Computer Security

Overvew

This is a graduate-level research-oriented course. The goal of this course is to teach graduate students the state-of-the-art binary analysis techniques and tools and their applications to security problems. This course is aimed to balance between lectures, lab assignments and projects, such that the students can grasp the core concepts, gain first-hand experience through lab assignments to reinforce the understanding of these concepts, and further explore unknowns via course projects.

• Instructor: Heng Yin
• Email: heng AT cs DOT ucr DOT edu
• Office: Winston Chung Hall 316
• Office hours: 3:10-4:40PM, Monday/Wednesday, or by appointment
• Location and Time:Gordon Watkins Hall 1117, M/W/F 2:10-3:00PM

Communication

We will use iLearn for assignments and grading, and Piazza for Q&A and general announcements.

Paper Review and Presentation

Each student is responsible to present one paper in the class for about 15 minutes and lead the discussion. Use this signup sheet to select which paper to present (first come first serve). Use your R'Mail to access it.

Each student is required to write reviews of at least 400 words for all the papers presented by students, before the papers are presented in class. A review must include the following aspects:

• Briefly summerize the problem and how this paper tackles the problem.
• Describe in some details the positive points.
• Describe in some details the negative points, or any improvements you can suggest.
• List questions you have and would like to discuss in the class.

Lab Assignments

1. Binary Code Comprehension: Construct simple exploits from binary code.
2. Dynamic Binary Instrumentation: Develop a simple pintool for shadow stack protection.
3. Experimenting with Evolutionary Fuzzing
4. Symbolic Execution: Write simple angr scripts to find vulnerabilities.

Projects

A list of suggeted projects will be provided. Students may also propose their own projects. Projects can be done individually or by groups. Each group should not exceed 3 students. In the project report, clearly state each member's contribution.

Grading (Tentative)

• Class participation: 15%
• Lab assignments: 30%
• Presentation: 15%
• Paper reviews: 10%
• Project: 30%

Schedule

Monday	Wednesday	Friday
01/07 Syllabus/Introduction	01/09 Binary Code Comprehension	01/11 Binary Code Comprehension (cont'ed) Buffer Overflow Exploit Construction Lab 1 released
01/14 Dynamic Binary Instrumentation	01/16 Dynamic Taint Analysis	01/18 Whole-System Dynamic Analysis Lab 2 released.
01/21 No Class (Holiday)	01/23 Symbolic Execution	01/25 Symbolic Execution (cont'ed) Lab 3 released.
01/28 Fuzzing	01/30 Reverese Engineering of Data Structures and Types	02/01 Binary Code Search
02/04 Unleashing MAYHEM on Binary Code	02/06 QSYM: A Practical Concolic Execution Engine Tailored for Hybrid Fuzzing	02/08 Neuro-Symbolic Execution: Augmenting Symbolic Execution with Neural Constraints
02/11 Angura: Efficient Fuzzing by Principled Search	02/13 Function Interface Analysis: A Principled Approach for Function Recognition in COTS Binaries	02/15 NEUZZ: Efficient Fuzzing with Neural Program Smoothing
02/18 No Class (Holiday)	02/20 Directed Greybox Fuzzing	02/22 Driller: Augmenting Fuzzing through Selective Symbolic Execution
02/25 Debin: Predicting Debug Information in Stripped Binaries	02/27 Send Hardest Problem My Way: Probablistic Path Prioritization for Hybird Fuzzing	03/01 Asm2Vec: Boosting Static Representation Robustness for Binary Clone Search against Code Obfuscation and Compiler Optimization
03/04 Neural Machine Translation Inspired Binary Code Similarity Comparison beyond Function Pairs	03/06 Reassembleable Disassembling	03/08 Ramblr: Making Reassembly Great Again
03/11 Using Logic Programming to Recover C++ Classes and Methods from Compiled Executables	03/13 No Class (Conference travel)	03/15 Your Exploit is Mine: Automatic Shellcode Transplant for Remote Exploits

Reading List

Dynamic Binary Instrumentation

• Pin: Building Customized Program Analysis Tools with Dynamic Instrumentation
• Valgrind: A Framework for Heavyweight Dynamic Binary Instrumentation

Dynamic Taint Analysis

• Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software
• Pointless Tainting? Evaluating the Practicality of Pointer Tainting
• On the Soundness and Precision of Dynamic Taint Analysis
• One Engine To Serve’em All: Inferring Taint Rules Without Architectural Semantics

Whole-System Analysis

• Panorama: capturing system-wide information flow for malware detection and analysis
• Make It Work, Make It Right, Make It Fast: Building a Platform-Neutral Whole-System Dynamic Binary Analysis Platform
• Repeatable Reverse Engineering for the Greater Good with PANDA

Disassembling

• An In-Depth Analysis of Disassembly on Full-Scale x86/x64 Binaries
• Byteweight: Learning to recognize functions in binary code
• Recognizing Functions in Binaries with Neural Networks
• Function Interface Analysis: A Principled Approach for Function Recognition in COTS Binaries
• Reassembleable Disassembling
• Ramblr: Making Reassembly Great Again

Fuzzing

• Optimizing Seed Selection for Fuzzing
• Scheduling Black-box Mutational Fuzzing
• Program-adaptive mutational fuzzing
• VUzzer: application-aware evolutionary fuzzing
• Automated whitebox fuzz testing
• Coverage-based greybox fuzzing as markov chain
• NEUZZ: Efficient Fuzzing with Neural Program Smoothing
• Angora: Efficient Fuzzing by Principled Search
• Skyfire: Data-Driven Seed Generation for Fuzzing

Symbolic Execution

• All You Ever Wanted to Know About Dynamic Taint Analysis and Forward Symbolic Execution (but might have been afraid to ask)
• Symbolic Execution for Software Testing: Three Decades Later
• Unleashing MAYHEM on Binary Code
• QSYM: A Practical Concolic Execution Engine Tailored for Hybrid Fuzzing
• Neuro-Symbolic Execution: Augmenting Symbolic Execution with Neural Constraints

Hybrid Fuzzing

• Driller: augmenting fuzzing through selective symbolic execution
• Send Hardest Problems My Way: Probabilistic Path Prioritization for Hybrid Fuzzing

Exploit Generation

• AEG: Automatic Exploit Generation
• Your Exploit is Mine: Automatic Shellcode Transplant for Remote Exploits

Type and Data Structure Reconstruction

• TIE: Principled reverse engineering of types in binary programs
• Automatic Reverse Engineering of Data Structures from Binary Execution
• Howard: A Dynamic Excavator for Reverse Engineering Data Structures
• Debin: Predicting Debug Information in Stripped Binaries

Control Structure Reconstruction

• Native x86 decompilation using semantics-preserving structural analysis and iterative control-flow structuring
• No More Gotos: Decompilation Using Pattern-Independent Control-Flow Structuring and Semantic-Preserving Transformations

C++ Reverse Engineering

• vfGuard: Strict Protection for Virtual Function Calls in COTS C++ Binaries
• MARX: Uncovering Class Hierarchies in C++ Programs
• Using Logic Programming to Recover C++ Classes and Methods from Compiled Executables

Code Search

• Scalable Graph-based Bug Search for Firmware Images
• Neural Network-based Graph Embedding for Cross-Platform Binary Code Similarity Detection
• Asm2Vec: Boosting Static Representation Robustness for Binary Clone Search against Code Obfuscation and Compiler Optimization
• Neural Machine Translation Inspired Binary Code Similarity Comparison beyond Function Pairs

Misc

• Syntia: Synthesizing the Semantics of Obfuscated Code