BISTRO: Binary component extraction and embedding for software security applications

Abstract

In software security and malware analysis, researchers often need to directly manipulate binary program - benign or malicious - without source code. A useful pair of binary manipulation primitives are binary functional component extraction and embedding, for extracting a functional component from a binary program and for embedding a functional component in a binary program, respectively. Such primitives are applicable to a wide range of security scenarios such as legacy program hardening, binary semantic patching, and malware function analysis. Unfortunately, existing binary rewriting techniques are inadequate to support binary function carving and embedding. In this paper, we present bistro, a system that supports these primitives without symbolic information, relocation information, or compiler support. Bistro preserves functional correctness of both the extracted functional component and the stretched binary program (with the component embedded) by patching them in a systematic fashion. We have implemented an IDA Pro-based prototype of Bistro and evaluated it using real-world Windows software. Our results show the effectiveness of Bistro, with each stretched binary incurring low time and space overhead. Furthermore, we demonstrate Bistro's capabilities in various security applications. © 2013 Springer-Verlag.