PhD Defense by Jinho Jung
Title: Breaking and Making Binary Analysis
School of Computer Science
Georgia Institute of Technology
Date: Thursday, Mar 18, 2021
Time: 10 AM to 12:00 PM (EST)
Location: *No Physical Location*
Dr. Taesoo Kim (advisor), School of Computer Science, Georgia Institute of Technology
Dr. Joy Arulraj (co-advisor), School of Computer Science, Georgia Institute of Technology
Dr. Paul Pearce (co-advisor), School of Computer Science, Georgia Institute of Technology
Dr. Wenke Lee, School of Computer Science, Georgia Institute of Technology
Dr. Kyu Hyung Lee, Department of Computer Science, University of Georgia
Binary analysis detects software vulnerabilities. Cutting-edge analysis techniques can quickly and automatically explore the internals of a program and report any problems they discover. Developers therefore commonly use various analysis techniques as part of their software development process. Unfortunately, the same techniques, and the automatic nature of binary testing methods, also appeal to adversaries who are looking for zero-day vulnerabilities.
In the thesis defense, I will present new work in binary analysis in both directions: 1) a protection technique against fuzz testing and 2) two new binary analysis frameworks. The mitigation approach will help developers protect released software from attackers who can apply fuzzing techniques. The new binary analysis frameworks, on the other hand, will provide a set of solutions to the challenges that COTS binary fuzzing and malware analysis face.
1) Disabling fuzz testing on binaries with anti-fuzzing techniques: I will discuss a new mitigation approach, called Fuzzification, that helps developers protect their programs from malicious fuzzing attempts.
2) Enabling COTS binary analysis with a semi-automatic harness synthesis: I will present a set of solutions to address the challenges of fuzzing on COTS binaries on Windows OS. First, my system tries to synthesize a harness for the application based on sample execution traces. Then it tests the harness, instead of the original complicated program, using an efficient implementation of a fast process cloning mechanism on Windows.
3) Enabling potentially malicious binary analysis with driver generation and symbolic execution: RATs (Remote Access Trojans) are used for spying on victims. I will present our system for studying the prevalence of RATs at large scale. Through our end-to-end system, we can automatically and rapidly extract a sample binary's network scanning signatures.
- Created By: Tatianna Richardson