Proceedings of the Institute for System Programming of the RAS (Proceedings of ISP RAS)

Format recovery

Abstract

Format recovery for files and network messages is one of the most common applications of binary code analysis. When the code under study is protected against analysis, the analyst faces unacceptable time costs. In this paper we propose a method for automated format recovery. The method is based on dynamic analysis of binary code; it recovers the hierarchical structure of the memory buffers under analysis and, in addition, the semantics of certain fields. We present a prototype tool that implements the method and evaluate it on a model sample.
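The abstract does not describe the method in detail, so the following is an added example rather than code from the paper or the ISP RAS tool: a small Python prototype of the general shape of trace-based format recovery that the abstract and references [3] and [6] refer to. An instrumentation wrapper records every read of the input buffer together with the reading instruction and the call depth; reads are grouped into fields, call depth yields the hierarchy, and two simple heuristics assign "length" and "count" semantics. The message layout, the toy parser, the `pc_*` instruction labels and the sample message are all constructed for this example.

```python
# Added illustration of trace-based format recovery (compare Polyglot [3], Tupni [6]);
# not the ISP RAS tool or its algorithm. The message layout, the toy parser, the
# access-logging wrapper and the sample message are all constructed for this example.
from dataclasses import dataclass


@dataclass(frozen=True)
class Access:
    offset: int   # byte offset in the analysed buffer
    size: int     # number of bytes the instruction read
    pc: str       # stand-in for the address of the reading instruction
    depth: int    # call depth at the time of the read; used to recover hierarchy


class TracedBuffer:
    """Wraps the input and logs every read, as a dynamic instrumentation layer would."""

    def __init__(self, data: bytes):
        self.data = data
        self.trace: list[Access] = []
        self.depth = 0

    def read(self, off: int, size: int, pc: str) -> int:
        self.trace.append(Access(off, size, pc, self.depth))
        return int.from_bytes(self.data[off:off + size], "big")


def toy_parser(buf: TracedBuffer) -> list[tuple[int, bytes]]:
    """Constructed target: [u16 count] followed by count x {u8 tag, u8 len, len bytes}."""
    count = buf.read(0, 2, "pc_count")
    pos, items = 2, []
    for _ in range(count):
        buf.depth += 1                                   # "call parse_item"
        tag = buf.read(pos, 1, "pc_tag")
        length = buf.read(pos + 1, 1, "pc_len")
        payload = bytes(buf.read(pos + 2 + i, 1, "pc_payload") for i in range(length))
        buf.depth -= 1                                   # "ret"
        items.append((tag, payload))
        pos += 2 + length
    return items


def recover_fields(trace: list[Access]) -> list[dict]:
    """One field per distinct accessed (offset, size); adjacent reads issued by the same
    instruction (a byte-copy loop) are merged into one variable-length field."""
    fields: list[dict] = []
    for a in trace:
        last = fields[-1] if fields else None
        if last and last["pc"] == a.pc and last["end"] == a.offset:
            last["end"], last["reads"] = a.offset + a.size, last["reads"] + 1
        elif not any(f["start"] <= a.offset < f["end"] for f in fields):   # skip re-reads
            fields.append({"start": a.offset, "end": a.offset + a.size, "pc": a.pc,
                           "depth": a.depth, "reads": 1, "role": "data"})
    return fields


def build_tree(fields: list[dict]) -> dict:
    """Depth-0 fields form the header; every re-execution of the first depth-1 instruction
    opens a new sub-record, which gives the hierarchical structure of the buffer."""
    tree: dict = {"header": [], "records": []}
    first_pc = None
    for f in fields:
        if f["depth"] == 0:
            tree["header"].append(f)
            continue
        first_pc = first_pc or f["pc"]
        if f["pc"] == first_pc:
            tree["records"].append([])
        tree["records"][-1].append(f)
    return tree


def annotate(fields: list[dict], data: bytes, n_records: int) -> None:
    """Heuristic semantics: a field whose value equals the byte size of the merged run that
    follows it is a length; a header field whose value equals the record count is a count."""
    for i, f in enumerate(fields):
        value = int.from_bytes(data[f["start"]:f["end"]], "big")
        nxt = fields[i + 1] if i + 1 < len(fields) else None
        if nxt and nxt["reads"] > 1 and nxt["end"] - nxt["start"] == value:
            f["role"] = "length"
        elif f["depth"] == 0 and value == n_records:
            f["role"] = "count"


def recover_format(data: bytes) -> dict:
    """Run the target on the buffer, then rebuild fields, hierarchy and roles from the trace."""
    buf = TracedBuffer(data)
    toy_parser(buf)
    fields = recover_fields(buf.trace)
    tree = build_tree(fields)
    annotate(fields, data, len(tree["records"]))
    return tree


# Constructed sample: count=2; {tag 1, len 3, "abc"}; {tag 2, len 4, "wxyz"}
SAMPLE = bytes.fromhex("0002" "0103616263" "02047778797a")

if __name__ == "__main__":
    tree = recover_format(SAMPLE)
    for name, rec in [("header", tree["header"])] + [(f"record {i}", r) for i, r in enumerate(tree["records"])]:
        print(name, [(f["start"], f["end"], f["role"]) for f in rec])
```

Running the script on the sample prints one header field of role `count` and two records, each of a one-byte `data` tag, a one-byte `length` field and a variable-length `data` run. The two heuristics are deliberately narrow: a length field is only recognised when the run it governs is longer than one byte, so a single-byte payload is left as `data`, and a real tool would confirm the relation with taint tracking of the loop bound rather than by value comparison alone.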

About the Authors

A. I. Getman
ISP RAS, Moscow
Russian Federation


Y. V. Markin
ISP RAS, Moscow
Russian Federation


V. A. Padaryan
ISP RAS, Moscow
Russian Federation


E. I. Shchetinin
ISP RAS, Moscow
Russian Federation


References

1. W. Cui, J. Kannan, H.J. Wang. Discoverer: Automatic Protocol Reverse Engineering from Network Traces. // 16th USENIX Security Symposium, 2007. Pp. 199–212.

2. J. Lim, T. Reps, B. Liblit. Extracting Output Formats from Executables. // Proceedings of the 13th Working Conference on Reverse Engineering, 2006. Pp. 167–178.

3. J. Caballero, H. Yin, Z. Liang, D. Song. Polyglot: Automatic Extraction of Protocol Message Format using Dynamic Binary Analysis. // Proceedings of the 14th ACM Conference on Computer and Communications Security, 2007. Pp. 317–329.

4. Z. Lin, X. Jiang, D. Xu, X. Zhang. Automatic Protocol Format Reverse Engineering through Context-Aware Monitored Execution. // Proceedings of the 15th Annual Network and Distributed System Security Symposium, 2008.

5. G. Wondracek, P. Milani Comparetti, C. Kruegel, E. Kirda. Automatic Network Protocol Analysis. // Proceedings of the 15th Annual Network and Distributed System Security Symposium, 2008.

6. W. Cui, M. Peinado, K. Chen, H.J. Wang, L. Irun-Briz. Tupni: Automatic Reverse Engineering of Input Formats. // Proceedings of the 15th ACM Conference on Computer and Communications Security, 2008. Pp. 391–402.

7. G. Ramalingam, J. Field, F. Tip. Aggregate Structure Identification and its Application to Program Analysis. // Symposium on Principles of Programming Languages, 1999. Pp. 119–132.

8. J. Newsome, D. Song. Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software. // In Proceedings of the Network and Distributed System Security Symposium (NDSS), 2005.

9. A.V. Aho, M.S. Lam, R. Sethi, J.D. Ullman. Compilers: Principles, Techniques, and Tools (Russian translation). / Williams, 2008.

10. S. Needleman, C. Wunsch. A general method applicable to the search for similarities in the amino acid sequence of two proteins. // Journal of Molecular Biology, 1970. Vol. 48, No. 3. Pp. 443–453.


For citation:


Getman A.I., Markin Y.V., Padaryan V.A., Shchetinin E.I. Format recovery. Proceedings of the Institute for System Programming of the RAS (Proceedings of ISP RAS). 2010;19. (In Russ.)



This work is licensed under a Creative Commons Attribution 4.0 License.


ISSN 2079-8156 (Print)
ISSN 2220-6426 (Online)