
BinBLAST Pre-Alpha Release


BinBLAST is an extension of Karlin and Altschul's Basic Local Alignment and Search Tool (BLAST) to work with binaries. The technique has proved invaluable in reverse engineering genomes, and its variants have become mainstays of modern bioinformatics. The analog developed for security analysis of binary executables, binBLAST, is sensitive to code versions and compiler variations, and can be used to generate antivirus signatures.

Attached to this post is the code as of the DefCon presentation, provided without much documentation. If you have the DefCon CD, there is an outline in the slides of the programs and how they fit together. This includes the proof-of-concept code necessary to produce signatures of uniqueness.

Check the makefile for the settings that need adjusting for your system, such as where your HTTP server directories are and which python interpreter to use.

The current code fails for a number of reasons:

  • In the original work, I was doing analysis of entire distributions that spanned multiple ISOs. The original database listing reflected this organization, was re-used for the code re-development, and makes it very difficult (and misleading) to add any file that didn't come with a particular distribution.
  • The original database didn't standardize where to find the original binary executable, which is necessary to visualize results. This absence makes name resolution frustrating.
  • The original disassembly abstraction did not include offsets into the binary, highly valuable information for doing other security analysis.
  • Objdump was used as the disassembler because it was available and fast and works reasonably well on well-formed 'normal' executables. Unfortunately, its linear-sweep (spanning-based) disassembly is easily corrupted by most packing/obfuscation techniques.
  • BLAST includes a 'hotspot' pre-filtering step to find portions of the query that are interesting and highly unlikely to be seen by chance. When one of these hotspots is found verbatim, the match is extended in both directions to find the Maximal Segment Pair. The current binBLAST does not do this.
  • There are now two major modes of analysis, full-match analysis and match-coverage analysis. The original project only considered match-coverage analysis.
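As an added illustration (not code from the BinBLAST release), here is a minimal seed-and-extend search of the kind the last two bullets describe, run over sequences of disassembly mnemonics: shared k-mers act as hotspot seeds, each seed is extended in both directions into a Maximal Segment Pair with an X-drop cutoff, and match-coverage is taken as the fraction of query instructions that fall inside some MSP. The scoring constants, the sample mnemonic sequences and that coverage definition are my assumptions.

```python
from collections import defaultdict

MATCH, MISMATCH, XDROP = 2, -3, 6   # constructed scoring; real BLAST uses substitution matrices

def index_kmers(seq, k):
    """Index every k-mer of a mnemonic sequence by position (candidate hotspots)."""
    idx = defaultdict(list)
    for i in range(len(seq) - k + 1):
        idx[tuple(seq[i:i + k])].append(i)
    return idx

def extend(q, s, qi, si, k):
    """Extend a verbatim seed hit at (qi, si) both ways, stopping once the running
    score falls XDROP below the best seen. Returns (score, q_start, q_end, s_start)."""
    best, lo, hi, slo = k * MATCH, qi, qi + k, si
    i, j, cur = qi - 1, si - 1, best                       # leftward extension
    while i >= 0 and j >= 0 and cur > best - XDROP:
        cur += MATCH if q[i] == s[j] else MISMATCH
        if cur > best:
            best, lo, slo = cur, i, j
        i, j = i - 1, j - 1
    i, j, cur = qi + k, si + k, best                       # rightward extension
    while i < len(q) and j < len(s) and cur > best - XDROP:
        cur += MATCH if q[i] == s[j] else MISMATCH
        if cur > best:
            best, hi = cur, i + 1
        i, j = i + 1, j + 1
    return best, lo, hi, slo

def msps(q, s, k=3):
    """Seed-and-extend over two mnemonic sequences; one entry per distinct MSP, best first."""
    idx, found = index_kmers(s, k), {}
    for qi in range(len(q) - k + 1):
        for si in idx.get(tuple(q[qi:qi + k]), ()):
            score, lo, hi, slo = extend(q, s, qi, si, k)
            found[(lo, hi, slo)] = score                   # seeds in one MSP collapse here
    return sorted(((sc, lo, hi, slo) for (lo, hi, slo), sc in found.items()), reverse=True)

def match_coverage(q, alignments):
    """Match-coverage mode (assumed definition): share of query instructions inside an MSP."""
    covered = {i for _, lo, hi, _ in alignments for i in range(lo, hi)}
    return len(covered) / len(q)

# Constructed sample: a query function and a recompiled variant with an extra xor,
# a different branch mnemonic and a different epilogue.
QUERY = "push mov sub mov call test jz mov call leave ret".split()
VARIANT = "push mov sub xor mov call test jnz mov call add pop ret".split()

if __name__ == "__main__":
    hits = msps(QUERY, VARIANT)
    print(hits, round(match_coverage(QUERY, hits), 3))    # [(7, 3, 9, 4), (6, 0, 3, 0)] 0.818
```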

What happened with BinBLAST?

When is it going to be released?

BinBLAST release

I'm planning on the next release at the beginning of March. The main time-consuming task is finishing up appropriate documentation to move this from a collection of small scripts to a useful program.

Could you re-attach the release you already did, please?

Will it be released in the next few days?

Release delayed

I was hoping to have this done, but, as this is not my full-time job and I've had other priorities, it doesn't look like it's going to happen.

Finally done

The code is on Google Code:
http://code.google.com/p/binblast/