Binary code is everywhere. In most situations, users only have access to code in binary (i.e., executable) form. Most common, off-the-shelf (COTS) software (e.g., Microsoft Windows, Adobe Acrobat, etc.) is only available to end-users in binary form. Malicious code (i.e., malware) created by attackers is typically only available in binary form. The ubiquity of binary code means any security techniques that only require access to the program binary are likely to be widely applicable. Further, binary code analysis allows us to argue about the security of the code that will run, not just the code that was compiled.
The goal of our binary analysis research is to develop faithful program analysis techniques and tools. Traditional source-level program analysis techniques often fail (miserably) at the binary level because binary code has fewer abstractions that found at the source code level. The (missing) abstractions are typically what make source code level analysis work well. For example, source code has user-defined types, functions, and local variables, each of which help source-code level analysis scale. At the binary level, we have no user types, no functions, and global registers and memory.
Our research philosophy is that fundamental advances should be guided by compelling applications. Some of the applications of binary analysis we investigate are:
- Scalable formal verification techniques
- Automatic reverse engineering
- Vulnerability-Based Signature Generation
- Automatic Exploit Generation
- Crypto verification
- Malware analysis
- Vulnerability detection in COTS software
If you are interested in collaborating in any of these areas, please contact David Brumley.
Much of our research is distilled into our next-generation binary analysis platform, called BAP. BAP provides:
- A faithful representative of binary code in a formally specified intermediate language called BIL
- A set of core program analyses abstractions suitable for low-level code.
- Techniques and interfaces that allow for formal verification of binary code down to the bit level.
We have two distributions of BAP. First, we give source code access to our latest development version (i.e., "trunk") to our research partners. There are two ways to become a research partner. First, we can have an active scholarly research collaboration. Second, you can become a CyLab partner. Unfortunately we are unable to give out access to the latest trunk to others not working directly with us.
We also periodically have public releases in the interests of scholarly dissemination. The open releases tend to be more stable, but have fewer "cutting edge" features. At this time, we retain all copyright and modification rights. If you have a project in mind where this is an issue, please contact David.
If you find BAP useful, we would appreciate it if you would email David. Such notes help us secure additional funding, which in turn allows us to add new features and make more releases.
Ok, now for the good stuff:
- bap-0.4.tar.gz
- bap-0.3.tar.gz Special release for CAV 2011
- bap-0.2.tar.gz
- bap-0.1.tar.gz
- Mailing List for users and developers.
- Bug Tracking System, in case you find a bug (we encourage everyone to submit bug reports, which we will try to address).
- Documentation as HTML and PDF.
- Youtube video
BAP is the next-generation binary analysis platform. The BAP team is:
- David Brumley (PI)
- Ivan Jager
- Thanassis Avgerinos
- Edward Schwartz
- JongHyup Lee
The History of BAP: BAP is the successor to the binary analysis techniques developed for Vine (the static analysis component of BitBlaze) as part of David Brumley work on the BitBlaze project, which is headed up by Dawn Song. BAP clearly builds upon Vine, and we are indebted to all that worked with us on that project. Although BAP is a complete rewrite of Vine, many of the core ideas remain the same, such as a formalized IL. However, many things changed. For example, the IL now allows us to express endianness explicitly. We found this necessary in order to fully support bi-endian architectures such as ARM. This change in the IL required changes throughout the code. In addition, we now have well-defined interfaces and utilities. Vine grew organically out of many projects. We took lessons learned from those projects to develop the core API and utilities.
We would especially like to thank contributors to Vine and to the general development and direction of our platform. In particular, we would like to thank and recognize:
- Dawn Song
- Juan Caballero
- Cody Hartwig
- Eric Li
- Zhenkai Liang
- James Newsome
- Pongsin Poosankam