BitBlaze: Binary Analysis for Computer Security

[Research Statement and Overview] [Software Release] [Current Projects] [Publications] [News and Press] [Members] [Job Openings] [Contact]

Research Statement and Overview

Binary analysis is imperative for protecting COTS (common off-the-shelf) programs and analyzing and defending against the myriad of malicious code, where source code is unavailable, and the binary may even be obfuscated. Also, binary analysis provides the ground truth about program behavior since computers execute binaries (executables), not source code. However, binary analysis is challenging due to the lack of higher-level semantics. Many higher level techniques are often inadequate for analyzing even benign binaries, let alone potentially malicious binaries. Thus, we need to develop tools and techniques which work at the binary level, can be used for analyzing COTS software, as well as malicious binaries.

The BitBlaze project aims to design and develop a powerful binary analysis platform and employ the platform in order to (1) analyze and develop novel COTS protection and diagnostic mechanisms and (2) analyze, understand, and develop defenses against malicious code. The BitBlaze project also strives to open new application areas of binary analysis, which provides sound and effective solutions to applications beyond software security and malicious code defense, such as protocol reverse engineering and fingerprint generation.

The BitBlaze project consists of two central research directions: (1) the design and development of the underlying BitBlaze Binary Analysis Platform, and (2) applying the BitBlaze Binary Analysis Platform to real security problems. The two research focii drive each other: as new security problems arise, we develop new analysis techniques. Similarly, we develop new analysis techniques in order to better or more efficiently solve known problems. Below, we give an overview of the two research directions.

Here is an overview paper of the BitBlaze project. Some of our tools are also available under an open-source license.

The BitBlaze Binary Analysis Platform

The underlying BitBlaze Binary Analysis Platform features a novel fusion of static and dynamic analysis techniques, dynamic symbolic execution, and whole-system emulation and binary instrumentation. The BitBlaze platform has different components for each task: Vine, TEMU, and Rudder. The three components in tandem provide the power for effective analysis of real-world binary programs for various applications.

Release Information: We are now making some key parts of the BitBlaze Binary Analysis Platform available under open-source licenses. See a separate page for more information.

In conjunction with our BlackHat 2010 presentation, we have also made a demonstration binary release of some tools for trace-based crash analysis.

BitBlaze in Action: Security Applications

Using the BitBlaze Binary Analysis Platform, we have enabled new approaches and solutions to a suite of different security problems. These results demonstrate the utility and effectiveness of the BitBlaze approach and vision---binary analysis enables fundamentally new approaches to a broad spectrum of different security problems, often solving problems at their root cause; the underlying BitBlaze Binary Analysis Platform is extensible and powerful for a broad spectrum of different security applications.

In particular, we show below three classes of security applications: (1) vulnerability detection, diagnosis, and defense; (2) automatic in-depth malware analysis and defense; (3) automatic model extraction and analysis.

BitBlaze in the News: Vulnerabilities and Coverage

FPGate project got Microsoft BlueHat Prize Contest's Special Recognition Award in 2012.

FPGate stops attacks targeting function pointers by limiting indirect transfers to only those targets that are legal in the original program. When deployed together with other existing lightweight protections, FPGate can provide a level of protection comparable to CFI (Control Flow Integrity), stopping almost all control fow hijacking attacks including ROP. FPGate has two main advantages compared with previous solutions: it can inter-operate well with existing non-hardened libraries, so it can be deployed progressively; we also develop a method to recognize all sources and targets automatically in modern security-sensitive binary executables, thus FPGate can be applied directly on these binary files. The performance overhead of FPGate is only 0.36% in average measured using SPECint 2006. FPGate is a joint work of Lenx with Chao Zhang, Zhaofeng Chen, Lei Duan from Peking University, and Laszlo Szekeres, Stephen McCamant, Dawn Song from UC Berkeley.

Vulnerabilities Discovered

News Coverage

Job Openings and Volunteer Positions

The BitBlaze project is looking for developers to help extend and enhance our state-of-the art framework for binary analysis in security applications. In particular, we're looking for developers/researchers with skills and experience including computer security, languages and compilers, assembly language, low-level operating system work, and decision procedures. We have openings for interns (for the summer or another similar period), staff scientists/staff programmers, postdocs, and open-source contributors. If interested, send a CV/resume and interest description to at



For general questions regarding the BitBlaze project, please send email to bitblaze at

To receive announcements about code releases and other bitblaze related updates, please subscribe to the Bitblaze Announcement List