B-Side: Binary-Level Static System Call Identification
- URL: http://arxiv.org/abs/2410.18053v1
- Date: Wed, 23 Oct 2024 17:26:52 GMT
- Title: B-Side: Binary-Level Static System Call Identification
- Authors: Gaspard Thévenon, Kevin Nguetchouang, Kahina Lazri, Alain Tchana, Pierre Olivier,
- Abstract summary: We present B-Side, a static binary analysis tool able to identify a superset of the system calls that an x86-64 static/dynamic executable may invoke at runtime.
B-Side assumes no access to program/libraries sources, and shows a good degree of precision by leveraging symbolic execution.
- Score: 1.6050948947693462
- License:
- Abstract: System call filtering is widely used to secure programs in multi-tenant environments, and to sandbox applications in modern desktop software deployment and package management systems. Filtering rules are hard to write and maintain manually, hence generating them automatically is essential. To that aim, analysis tools able to identify every system call that can legitimately be invoked by a program are needed. Existing static analysis works lack precision because of a high number of false positives, and/or assume the availability of program/libraries source code -- something unrealistic in many scenarios such as cloud production environments. We present B-Side, a static binary analysis tool able to identify a superset of the system calls that an x86-64 static/dynamic executable may invoke at runtime. B-Side assumes no access to program/libraries sources, and shows a good degree of precision by leveraging symbolic execution, combined with a heuristic to detect system call wrappers, which represent an important source of precision loss in existing works. B-Side also allows to statically detect phases of execution in a program in which different filtering rules can be applied. We validate B-Side and demonstrate its higher precision compared to state-of-the-art works: over a set of popular applications, B-Side's average $F_1$ score is 0.81, vs. 0.31 and 0.53 for competitors. Over 557 static and dynamically-compiled binaries taken from the Debian repositories, B-Side identifies an average of 43 system calls, vs. 271 and 95 for two state-of-the art competitors. We further evaluate the strictness of the phase-based filtering policies that can be obtained with B-Side.
Related papers
- Eliminating Position Bias of Language Models: A Mechanistic Approach [119.34143323054143]
Position bias has proven to be a prevalent issue of modern language models (LMs)
Our mechanistic analysis attributes the position bias to two components employed in nearly all state-of-the-art LMs: causal attention and relative positional encodings.
By eliminating position bias, models achieve better performance and reliability in downstream tasks, including LM-as-a-judge, retrieval-augmented QA, molecule generation, and math reasoning.
arXiv Detail & Related papers (2024-07-01T09:06:57Z) - Keeping Behavioral Programs Alive: Specifying and Executing Liveness Requirements [2.4387555567462647]
We propose an idiom for tagging states with "must-finish," indicating that tasks are yet to be completed.
We also offer semantics and two execution mechanisms, one based on a translation to B"uchi automata and the other based on a Markov decision process (MDP)
arXiv Detail & Related papers (2024-04-02T11:36:58Z) - One for All and All for One: GNN-based Control-Flow Attestation for
Embedded Devices [16.425360892610986]
Control-Flow (CFA) is a security service that allows an entity (verifier) to verify the integrity of code execution on a remote computer system.
Existing CFA schemes suffer from impractical assumptions, such as requiring access to the prover's internal state.
We introduce RAGE, a novel, lightweight CFA approach with minimal requirements.
arXiv Detail & Related papers (2024-03-12T10:00:06Z) - SYSPART: Automated Temporal System Call Filtering for Binaries [4.445982681030902]
Recent approaches automatically identify the system calls required by programs to block unneeded ones.
SYSPART is an automatic system-call filtering system designed for binary-only server programs.
arXiv Detail & Related papers (2023-09-10T23:57:07Z) - PEM: Representing Binary Program Semantics for Similarity Analysis via a
Probabilistic Execution Model [25.014876893315208]
We propose a new method to represent binary program semantics.
It is based on a novel probabilistic execution engine that can effectively sample the input space and the program path space of subject binaries.
Our evaluation on 9 real-world projects with 35k functions, and comparison with 6 state-of-the-art techniques show that PEM can achieve a precision of 96% with common settings.
arXiv Detail & Related papers (2023-08-29T17:20:35Z) - In-Distribution Barrier Functions: Self-Supervised Policy Filters that
Avoid Out-of-Distribution States [84.24300005271185]
We propose a control filter that wraps any reference policy and effectively encourages the system to stay in-distribution with respect to offline-collected safe demonstrations.
Our method is effective for two different visuomotor control tasks in simulation environments, including both top-down and egocentric view settings.
arXiv Detail & Related papers (2023-01-27T22:28:19Z) - Robust Control for Dynamical Systems With Non-Gaussian Noise via Formal
Abstractions [59.605246463200736]
We present a novel controller synthesis method that does not rely on any explicit representation of the noise distributions.
First, we abstract the continuous control system into a finite-state model that captures noise by probabilistic transitions between discrete states.
We use state-of-the-art verification techniques to provide guarantees on the interval Markov decision process and compute a controller for which these guarantees carry over to the original control system.
arXiv Detail & Related papers (2023-01-04T10:40:30Z) - General Cutting Planes for Bound-Propagation-Based Neural Network
Verification [144.7290035694459]
We generalize the bound propagation procedure to allow the addition of arbitrary cutting plane constraints.
We find that MIP solvers can generate high-quality cutting planes for strengthening bound-propagation-based verifiers.
Our method is the first verifier that can completely solve the oval20 benchmark and verify twice as many instances on the oval21 benchmark.
arXiv Detail & Related papers (2022-08-11T10:31:28Z) - Actor-Critic based Improper Reinforcement Learning [61.430513757337486]
We consider an improper reinforcement learning setting where a learner is given $M$ base controllers for an unknown Markov decision process.
We propose two algorithms: (1) a Policy Gradient-based approach; and (2) an algorithm that can switch between a simple Actor-Critic scheme and a Natural Actor-Critic scheme.
arXiv Detail & Related papers (2022-07-19T05:55:02Z) - Automatically Mitigating Vulnerabilities in Binary Programs via
Partially Recompilable Decompilation [8.31538179550799]
We propose Partially Recompilable Decompilation (PRD)
PRD lifts suspect binary functions to source, available for analysis, revision, or review, and creates a patched binary.
We evaluate PRD in two contexts: a fully automated process incorporating source-level Automated Program Repair (APR) methods; human-edited source-level repairs.
arXiv Detail & Related papers (2022-02-24T19:48:45Z) - Higher Performance Visual Tracking with Dual-Modal Localization [106.91097443275035]
Visual Object Tracking (VOT) has synchronous needs for both robustness and accuracy.
We propose a dual-modal framework for target localization, consisting of robust localization suppressingors via ONR and the accurate localization attending to the target center precisely via OFC.
arXiv Detail & Related papers (2021-03-18T08:47:56Z)
This list is automatically generated from the titles and abstracts of the papers in this site.
This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.