{"id":796,"date":"2024-11-21T14:39:49","date_gmt":"2024-11-21T14:39:49","guid":{"rendered":"https:\/\/reversea.me\/?p=796"},"modified":"2025-05-21T09:26:04","modified_gmt":"2025-05-21T09:26:04","slug":"identifying-runtime-libraries-in-statically-linked-binaries-with-mantilla","status":"publish","type":"post","link":"https:\/\/reversea.me\/index.php\/identifying-runtime-libraries-in-statically-linked-binaries-with-mantilla\/","title":{"rendered":"Identifying Runtime Libraries in Statically Linked Binaries with MANTILLA"},"content":{"rendered":"Reading Time: <\/span> 5<\/span> minutes<\/span><\/span>\n

TL;DR<\/strong>: Statically linked binaries can include vulnerabilities if not updated with the latest versions of libraries. Similarly, embedding libraries within the binary reduces dependency on the environment while running the binary. This makes identifying linked libraries in malware binaries essential for effective analysis. To help in this process, we present MANTILLA<\/a>, a tool designed to identify runtime libraries in statically linked Linux binaries using static analysis and machine learning. MANTILLA extracts architecture-independent features from the binaries and uses a K-Nearest Neighbors (KNN) model to determine which libraries are linked. In our talk at NoConName 2024 (on Nov 19, 2024)<\/a>, we will share deeper insights into how MANTILLA works, its architecture-agnostic features, and how it can be used for both malware analysis and vulnerability detection. Our evaluation shows high accuracy across multiple architectures, demonstrating the value of MANTILLA in both malware analysis and vulnerability detection. If this post leaves you wanting more and you want to delve deeper into our research, we recommend reading our recently published scientific article (here<\/a>).<\/p>\n\n\n\n

\n\n\n\n

For an attacker, a vulnerable and unpatched application is an irresistible target. Vulnerabilities often persist in applications due to outdated third-party dependencies, especially when binaries are statically linked. Static linking<\/em> makes binaries self-contained and portable, but it also complicates updating libraries. Similarly, it makes reverse engineering more challenging. Interestingly, these features are precisely why malware authors prefer static linking, as it ensures compatibility across target platforms and adds complexity to analysis efforts.<\/p>\n\n\n\n

To help address these challenges, we developed MANTILLA<\/a>, a tool to identify runtime libraries in statically linked Linux binaries. This identification helps filter out library functions, allowing analysts to focus on the core behavior of the malware and detect vulnerabilities in outdated libraries.<\/p>\n\n\n\n

What is MANTILLA?<\/h2>\n\n\n\n

MANTILLA, a
system for runtiMe librAries ideNtification in sTatIcally-Linked Linux binAries<\/em>, is specially designed to automatically identify runtime libraries within a binary using static analysis and KNN classification. Figure 1 shows a high-level overview of MANTILLA.
It is based on the radare2<\/a> reverse engineering framework to extract a variety of features that are independent of the binary’s architecture, such as cyclomatic complexity, instruction count, and entropy.<\/p>\n\n\n

\n
\"\"
Figure 1: High-level system overview of MANTILLA<\/em>.<\/figcaption><\/figure><\/div>\n\n\n

The system then uses these features to classify the binary through a supervised machine learning model. Specifically, MANTILLA uses K-Nearest Neighbors (KNN) to predict the runtime library linked in the binary, with final decisions made using a majority voting system across all functions in the binary.<\/p>\n\n\n\n

How does it work?<\/h2>\n\n\n\n

MANTILLA operates in two phases:<\/p>\n\n\n\n