Binary Disassembly Block Coverage by Symbolic Execution vs. Recursive Descent

Author

Jonathan D. Miller

Date of Award

3-22-2012

Document Type

Thesis

Degree Name

Master of Science

Department

Department of Electrical and Computer Engineering

First Advisor

Rusty O. Baldwin, PhD.

Abstract

This research determines how appropriate symbolic execution is (given its current implementation) for binary analysis by measuring how much of an executable symbolic execution allows an analyst to reason about. Using the S2E Selective Symbolic Execution Engine with a built-in constraint solver (KLEE), this research measures the effectiveness of S2E on a sample of 27 Debian Linux binaries as compared to a traditional static disassembly tool, IDA Pro. Disassembly code coverage and path exploration is used as a metric for determining success. This research also explores the effectiveness of symbolic execution on packed or obfuscated samples of the same binaries to generate a model-based evaluation of success for techniques commonly employed by malware. Obfuscated results were much higher than expected, which lead to the discovery that S2E was not actually handling the multiple executable memory regions present in unpacker runtime code. Three recommendations are made to address the shortcomings of S2E and allow it to process obfuscated samples correctly.

AFIT Designator

AFIT-GCO-ENG-12-09

DTIC Accession Number

ADA559973

Recommended Citation

Miller, Jonathan D., "Binary Disassembly Block Coverage by Symbolic Execution vs. Recursive Descent" (2012). Theses and Dissertations. 1138.
https://scholar.afit.edu/etd/1138