BinBLAST Pre-Alpha Release
BinBLAST is an extension of the Basic Local Alignment Search Tool (BLAST) of Altschul et al., whose scoring statistics are due to Karlin and Altschul, to work with binaries. This technique has proved invaluable in the analysis of genomes, and its variants have become mainstays of modern bioinformatics. The analog developed for security analysis of binary executables, binBLAST, is sensitive to code versions and compiler variations, and can be used to generate antivirus signatures.
Attached to this post is the code as of the DefCon presentation, provided without much documentation. If you have the DefCon CD, the slides contain an outline of the programs and how they fit together. This includes the proof-of-concept code needed to produce signatures of uniqueness.
Check the makefile for the settings that need adjusting for your system, such as the location of your HTTP server directories and the path to your Python interpreter.
The current code falls short for a number of reasons:
- In the original work, I was doing analysis of entire distributions that spanned multiple ISOs. The original database listing reflected this organization, was re-used for the code re-development, and makes it very difficult (and misleading) to add any file that didn't come with a particular distribution.
- The original database didn't standardize where to find the original binary executable, which is needed to visualize results. This absence makes name resolution frustrating.
- The original disassembly abstraction did not include offsets into the binary, highly valuable information for other kinds of security analysis.
- Objdump was used as the disassembler because it was available, fast, and works reasonably well on well-formed `normal' executables. Unfortunately, its linear-sweep (`spanning') disassembly decodes straight through each section, so data or junk bytes placed in the code stream desynchronize everything that follows; it is easily corrupted by most packing/obfuscation techniques.
- BLAST includes a `hotspot' pre-filter that picks out short words of the query that are unlikely to occur by chance. When one of these hotspots is found verbatim in the subject, the match is extended in both directions to find the Maximal Segment Pair. The current binBLAST does not do this.
- Two major modes of analysis have emerged, full-match analysis and match-coverage analysis. The original project only considered match-coverage analysis.
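As an added example, not code from the BinBLAST release, the following Python shows the hotspot/extension step described above running over two instruction streams, and reports both modes of analysis from the last point. Everything in it is an assumption of this example: the listings are constructed; the disassembly abstraction is just the mnemonic of each instruction with operands dropped; hotspots are approximated as 3-word seeds that occur only once in the query rather than BLAST's score-threshold neighbourhood words; extension is ungapped with an X-drop cutoff; and `full match' and `match coverage' are read as a segment pair spanning the whole query and the fraction of the query covered by any reported segment pair, respectively.

```python
# Added example, not code from the BinBLAST release: seed-and-extend local
# alignment (hotspot seeding, extension in both directions to the Maximal
# Segment Pair) over instruction mnemonic streams, plus full-match and
# match-coverage reporting. Inputs are constructed; scores are assumptions.
from collections import defaultdict

MATCH = 2      # two identical mnemonics (assumed scoring)
MISMATCH = -3  # differing mnemonics (assumed scoring)
X_DROP = 6     # stop extending once the score falls this far below its best

def tokens(listing):
    """';'-separated instructions -> mnemonic stream. Operands are dropped so
    register allocation and address differences between builds do not break
    matches (the abstraction assumed here, not necessarily binBLAST's)."""
    return [ins.split()[0] for ins in listing.split(";") if ins.strip()]

def word_index(seq, k):
    """Map each k-word (k consecutive mnemonics) to the positions it occurs at."""
    index = defaultdict(list)
    for i in range(len(seq) - k + 1):
        index[tuple(seq[i:i + k])].append(i)
    return index

def hotspots(query, k, max_occurrences=1):
    """Pre-filter: k-words rare within the query, so a hit is unlikely to be
    chance (stand-in for BLAST's score-threshold neighbourhood words)."""
    return {w: p for w, p in word_index(query, k).items() if len(p) <= max_occurrences}

def extend(q, s, qi, si, k):
    """Ungapped extension right, then left, from an exact k-word hit at
    q[qi]/s[si]. Each direction stops when the running score drops more than
    X_DROP below the best seen. Returns (score, qstart, qend, sstart, send),
    with end positions exclusive."""
    best = k * MATCH
    qend, send = qi + k, si + k
    cur, i, j = best, qend, send
    while i < len(q) and j < len(s):
        cur += MATCH if q[i] == s[j] else MISMATCH
        i, j = i + 1, j + 1
        if cur > best:
            best, qend, send = cur, i, j
        elif best - cur > X_DROP:
            break
    qstart, sstart = qi, si
    cur, i, j = best, qi, si
    while i > 0 and j > 0:
        i, j = i - 1, j - 1
        cur += MATCH if q[i] == s[j] else MISMATCH
        if cur > best:
            best, qstart, sstart = cur, i, j
        elif best - cur > X_DROP:
            break
    return best, qstart, qend, sstart, send

def segment_pairs(query, subject, k=3, min_score=8):
    """Distinct segment pairs scoring >= min_score, best first. Several seeds
    inside one matching region extend to the same pair; collapse by coordinates."""
    subject_index = word_index(subject, k)
    found = {}
    for word, qpositions in hotspots(query, k).items():
        for qi in qpositions:
            for si in subject_index.get(word, []):
                score, *coords = extend(query, subject, qi, si, k)
                if score >= min_score:
                    found[tuple(coords)] = score
    return sorted(((score,) + coords for coords, score in found.items()), reverse=True)

def maximal_segment_pair(query, subject, k=3):
    """Highest-scoring segment pair (BLAST's MSP), or None without seed hits."""
    hits = segment_pairs(query, subject, k, min_score=0)
    return hits[0] if hits else None

def match_coverage(query, hits):
    """Match-coverage mode as interpreted here: fraction of query positions
    inside at least one reported segment pair."""
    covered = {p for _, qs, qe, _, _ in hits for p in range(qs, qe)}
    return len(covered) / len(query)

def full_match(query, hits):
    """Full-match mode as interpreted here: one segment pair spans the whole query."""
    return any(qs == 0 and qe == len(query) for _, qs, qe, _, _ in hits)

# Constructed listings: QUERY is one function; SUBJECT_SAME is a rebuild of it
# (other registers, jz swapped for jnz) embedded in unrelated code;
# SUBJECT_DIVERGED shares only the prologue and the final leave/ret.
QUERY = tokens("push ebp; mov ebp, esp; sub esp, 0x10; mov eax, [ebp+8]; call 0x401000; "
               "test eax, eax; jz 0x40103a; mov eax, [ebp-4]; add eax, 1; mov [ebp-4], eax; "
               "leave; ret")
SUBJECT_SAME = tokens("xor eax, eax; inc ecx; push ebp; mov ebp, esp; sub esp, 0x20; "
                      "mov edx, [ebp+8]; call 0x402000; test edx, edx; jnz 0x40205c; "
                      "mov edx, [ebp-8]; add edx, 1; mov [ebp-8], edx; leave; ret; nop; nop")
SUBJECT_DIVERGED = tokens("push ebp; mov ebp, esp; sub esp, 0x10; mov eax, [ebp+8]; "
                          "call 0x403000; test eax, eax; sete al; movzx eax, al; pop edi; "
                          "pop esi; pop ebx; pop ebp; mov esp, ebp; leave; ret")

if __name__ == "__main__":
    for name, subject in (("same", SUBJECT_SAME), ("diverged", SUBJECT_DIVERGED)):
        hits = segment_pairs(QUERY, subject)
        print(name, maximal_segment_pair(QUERY, subject),
              "coverage", match_coverage(QUERY, hits), "full", full_match(QUERY, hits))
```

Against SUBJECT_SAME every seed extends through the single jz/jnz mismatch to one segment pair covering the whole query, so both modes report a hit; against SUBJECT_DIVERGED the X-drop cuts the extension after the prologue, the trailing leave/ret seed scores below the reporting threshold, and only match-coverage analysis (half the query) has anything to say. That difference is the reason a full-match mode and a coverage mode are worth keeping apart.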