Omer Katz

Omer Katz, Yuval Olshaker, Yoav Goldberg et al.

We address the problem of automatic decompilation, converting a program in low-level representation back to a higher-level human-readable programming language. The problem of decompilation is extremely important for security researchers. Finding vulnerabilities and understanding how malware operates is much easier when done over source code. The importance of decompilation has motivated the construction of hand-crafted rule-based decompilers. Such decompilers have been designed by experts to detect specific control-flow structures and idioms in low-level code and lift them to source level. The cost of supporting additional languages or new language features in these models is very high. We present a novel approach to decompilation based on neural machine translation. The main idea is to automatically learn a decompiler from a given compiler. Given a compiler from a source language S to a target language T , our approach automatically trains a decompiler that can translate (decompile) T back to S . We used our framework to decompile both LLVM IR and x86 assembly to C code with high success rates. Using our LLVM and x86 instantiations, we were able to successfully decompile over 97% and 88% of our benchmarks respectively.

Omer Katz, Benjamin Livshits

As malware, exploits, and cyber-attacks advance over time, so do the mitigation techniques available to the user. However, while attackers often abandon one form of exploitation in favor of a more lucrative one, mitigation techniques are rarely abandoned. Mitigations are rarely retired or disabled since proving they have outlived their usefulness is often impossible. As a result, performance overheads, maintenance costs, and false positive rates induced by the different mitigations accumulate, culminating in an outdated, inefficient, and costly security solution. We advocate for a new kind of tunable framework on which to base security mechanisms. This new framework enables a more reactive approach to security allowing us to optimize the deployment of security mechanisms based on the current state of attacks. Based on actual evidence of exploitation collected from the field, our framework can choose which mechanisms to enable/disable so that we can minimize the overall costs and false positive rates while maintaining a satisfactory level of security in the system. We use real-world Snort signatures to simulate the benefits of reactively disabling signatures when no evidence of exploitation is observed and compare them to the costs of the current state of deployment. Additionally, we evaluate the responsiveness of our framework and show that in case disabling a security mechanism triggers a reappearance of an attack we can respond in time to prevent mass exploitation. Through large-scale simulations that use integer linear and Bayesian solvers, we discover that our responsive strategy is both computationally affordable and results in significant reductions in false positives (~20% over traces that are about 9 years long), at the cost of introducing a moderate number of false negatives. Finding the optimal sampling strategy takes less than 2.5 minutes in the vast majority of cases.