BinPro: Tools and Techniques for Binary-Source Code Authentication

As the age of the Internet of Things (“IoT”) dawns, we face a growing legion of embedded, intelligent, and internet-connected devices. Although these devices provide significant utility for end-users, they also come with potential security flaws and vulnerabilities. Such vulnerabilities can be accidentally placed in devices (i.e. bugs, design defects) or intentionally placed by a malicious actor (i.e. a backdoor). 

One tool we have to combat these vulnerabilities is software code audits. With programs such as Microsoft's Shared Source Initiative, end-users and organizations can get access to source code to conduct security audits on the software and hardware they use. However, such audits are expensive, often costing millions of dollars. Further, after committing the resources for such audits, how can we be sure the code running on every device actually matches the code that was audited?

BinPro combines static analysis, graph matching, and ML to detect and mitigate the threat of maliciously inserted backdoors by finding the optimal correspondence between source and binaries.

Our granted patent “U.S. 10,657,253: System and method for determining correspondence and accountability between binary code and source code” defines the process for discovering these flaws as outlined below:

Our tool and method can check for correspondence between source code and binaries with 75% accuracy, thus significantly limiting the threat of and risk of a security compromise resulting from a mismatched binary. When evaluated on binaries with inserted backdoors, BinPro successfully detects and flags the modified function in every instance.

 

BENEFITS

Current tools make too many assumptions about access to information about the product and the transparency of source code, binaries and components of the system being assessed. Having to depend on these is unworkable in many cases as access to this information may be restricted by license, the information may be considered a trade-secret or proprietary, or the information may be too difficult to attain (for example run-time profiling information).

Our technologies are resilient and less dependent on information about the component being assessed. Compared to existing tools, ours require far less effort on the part of the end user. All vulnerabilities within a particular device were uncovered using our products by a single graduate student. In comparison, existing tools require a large team to perform security assessments and uncover the same vulnerabilities.

 

APPLICATIONS

Our techniques are more effective than existing tools at finding vulnerabilities, including in real-world settings with a large Canadian telecommunications partner who is championing the development of this technology. 

Our techniques have discovered several vulnerabilities during testing, including previously unknown vulnerabilities in popular web applications and Android devices. For this and other vulnerabilities, we have been paid large “bug bounties”, which are financial rewards for discovering and reporting previously unknown vulnerabilities. 

 

STATUS

Our patented tools and methods have been validated in research labs, accepted as research contributions in three Master’s Theses, a refereed publication, and in real‑world settings with a large Canadian telecommunications company.

Additional implementations require further work to make them reliable enough for commercial use. In addition, interfaces within the product can be improved so that they are easier to use for the end-user.

Seeking interested parties for licensing.

ID:

P1867

Related Resources

VPRI Contact

Donna Shukaris

Innovations & Entrepreneurship Manager
Innovations & Partnerships Office (IPO)
(416) 946-7247