dc.contributor: Matias, Paulo
dc.contributor: http://lattes.cnpq.br/3792055796261017
dc.contributor: http://lattes.cnpq.br/3802544990771669
dc.creator: Aisawa, William Akihiro Alves
dc.date.accessioned: 2020-10-26T20:02:11Z
dc.date.accessioned: 2022-10-10T21:32:57Z
dc.date.available: 2020-10-26T20:02:11Z
dc.date.available: 2022-10-10T21:32:57Z
dc.date.created: 2020-10-26T20:02:11Z
dc.date.issued: 2020-08-21
dc.identifier: AISAWA, William Akihiro Alves. Técnicas para identificação de funções de bibliotecas em binários vinculados estaticamente. 2020. Dissertação (Mestrado em Ciência da Computação) – Universidade Federal de São Carlos, São Carlos, 2020. Disponível em: https://repositorio.ufscar.br/handle/ufscar/13375.
dc.identifier: https://repositorio.ufscar.br/handle/ufscar/13375
dc.identifier.uri: http://repositorioslatinoamericanos.uchile.cl/handle/2250/4043624
dc.description.abstract: Statically linked libraries can make the work of a reverse engineering analyst disproportionately hard compared to the work of the programmer who developed the software under study. This situation often arises not as an obfuscation tactic but as a measure to ease software distribution. For example, many malware programs designed for the Linux platform employ static linking to avoid compatibility problems when propagating to other systems. Many tools commonly used in reverse engineering practice, such as IDA Pro, Ghidra, Radare2, and Binary Ninja, have mechanisms that aim to recognize functions from these libraries, employing techniques that range from byte sequence matching to the evaluation of control flow graph metrics. Works from the literature propose alternatives that are rarely adopted in practice, in part due to the lack of a comprehensive evaluation methodology. Moreover, these techniques usually assume that the same version of the library used to compile a binary will be used to analyze it, but neglect the issue of recognizing that version. There are also no studies on the impact of applying signatures from a different version than the one used to build the program. The present work studies these aspects of recognizing statically linked libraries by applying signatures generated from several distinct versions of the standard C library, and proposes a technique that allows fast recognition, in up to 72% of cases, of the version of the standard C library linked into a Linux binary. In this way, the work hopes to contribute to achieving better accuracy when recognizing statically linked library functions.
dc.language: por
dc.publisher: Universidade Federal de São Carlos
dc.publisher: UFSCar
dc.publisher: Programa de Pós-Graduação em Ciência da Computação - PPGCC
dc.publisher: Câmpus São Carlos
dc.rights: http://creativecommons.org/licenses/by-nc-nd/3.0/br/
dc.rights: Attribution-NonCommercial-NoDerivs 3.0 Brazil
dc.subject: Engenharia reversa
dc.subject: Grafo de fluxo de controle
dc.subject: Análise estática
dc.subject: Vinculação estática
dc.subject: Reverse engineering
dc.subject: Control-flow graph
dc.subject: Static analysis
dc.subject: Static linking
dc.title: Técnicas para identificação de funções de bibliotecas em binários vinculados estaticamente (Techniques for identifying library functions in statically linked binaries)
dc.type: Tesis

