Howard: a Dynamic Excavator for Reverse Engineering Data Structures

Proceedings of the Symposium on Network and Distributed System Security, NDSS 2011

Volumn , Issue , 2011, Pages

  Slowinska, Asia ^a   Stancescu, Traian ^a   Bos, Herbert ^a  

^a VU UNIVERSITY AMSTERDAM   (Netherlands)

Author keywords

[No Author keywords available]

Indexed keywords

CODES (SYMBOLS); DATA STRUCTURES; NETWORK SECURITY;

DYNAMICS ANALYSIS; ENGINEERING DATA; ENGINEERING PRODUCTS; MEMORY CORRUPTION ATTACKS; NEW SOLUTIONS; REVERSE ENGINEERING TECHNIQUES; SIMPLE++; SOURCE CODES; SYSTEM USE;

REVERSE ENGINEERING;

EID: 84951736831     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: None     Document Type: Conference Paper

References (47)

1. Null httpd remote heap overflow vulnerability. http://www.securityfocus.com/bid/5774l.
2. Ollydbg. http://www.ollydbg.de/.
3. A. V. Aho, M. S. Lam, R. Sethi, and J. D. Ullman. Compilers: Principles, Techniques, and Tools, Second Edition. Pearson Education, Addison Wesley, 2007.
4. P. Akritidis, C. Cadar, C. Raiciu, M. Costa, and M. Castro. Preventing memory error exploits with WIT. In IEEE Symposium on Security and Privacy, 2008.
5. P. Akritidis, M. Costa, M. Castro, and S. Hand. Baggy bounds checking: An efficient and backwards-compatible defense against out-of-bounds errors. In Proceedings of the 18th Usenix Security Symposium, August 2009.
6. D. F. Bacon, S. L. Graham, and O. J. Sharp. Compiler transformations for high-performance computing. ACM Comput. Surv., 26:345–420, 1994.
7. G. Balakrishnan, R. Gruian, T. Reps, and T. Teitelbaum. Codesurfer/x86—a platform for analyzing x86 executuables. In Lecture Notes in Computer Science, pages 250–254. Springer, 2005.
8. G. Balakrishnan and T. Reps. Analyzing memory accesses in x86 binary executables. In Proc. Conf. on Compiler Construction (CC), April 2004.
9. G. Balakrishnan, T. Reps, D. Melski, and T. Teitelbaum. WYSINWYX: What you see is not what you execute. In In Verified Software: Theories, Tools, Experiments, page 1603, 2007.
10. F. Bellard. QEMU, a fast and portable dynamic translator. In Proc. of the USENIX Annual Technical Conference, 2005.
11. S. Bhatkar, R. Sekar, and D. C. DuVarney. Efficient techniques for comprehensive protection from memory error exploits. In SSYM’05: Proceedings of the 14th conference on USENIX Security Symposium, Berkeley, CA, USA, 2005. USENIX Association.
12. J. Caballero, H. Yin, Z. Liang, and D. Song. Polyglot: automatic extraction of protocol message format using dynamic binary analysis. In CCS’07: Proceedings of the 14th ACM conference on Computer and communications security, 2007.
13. C. Cadar, D. Dunbar, and D. Engler. KLEE: Unassisted and automatic generation of high-coverage tests for complex systems programs. In USENIX Symposium on Operating Systems Design and Implementation (OSDI 2008), 2008.
14. S. Chen, J. Xu, E. C. Sezer, P. Gauriar, and R. K. Iyer. Non-control-data attacks are realistic threats. In SSYM’05: Proceedings of the 14th conference on USENIX Security Symposium, 2005.
15. V. Chipounov, V. Kuznetsov, and G. Candea. S2E: A platform for in vivo multi-path analysis of software systems. In 16th Intl. Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS), 2011.
16. S. Cho, H. Chang, and Y. Cho. Implementation of an obfuscation tool for C/C++ source code protection on the XScale architectures. In Proceedings of the 6th IFIP WG 10.2 International Workshop on Software Technologies for Embedded and Ubiquitous Systems, 2008.
17. S. Chow, P. A. Eisen, H. Johnson, and P. C. v. Oorschot. White-box cryptography and an aes implementation. In Revised Papers from the 9th Annual International Workshop on Selected Areas in Cryptography (SAC’02), 2002.
18. M. Christodorescu, N. Kidd, and W.-H. Goh. String analysis for x86 binaries. In Proceedings of the 6th ACM SIGPLAN-SIGSOFT Workshop on Program Analysis for Software Tools and Engineering (PASTE 2005), 2005.
19. C. Collberg, C. Thomborson, and D. Low. A taxonomy of obfuscating transformations. Technical report, Department of Computer Sciences, The University of Auckland, Auckland, New Zealand, 1997.
20. P. M. Comparetti, G. Wondracek, C. Kruegel, and E. Kirda. Prospex: Protocol specification extraction. In SP’09: Proceedings of the 2009 30th IEEE Symposium on Security and Privacy, 2009.
21. C. Cowan, C. Pu, D. Maier, H. Hintony, J. Walpole, P. Bakke, S. Beattie, A. Grier, P. Wagle, and Q. Zhang. Stackguard: Automatic adaptive detection and prevention of buffer-overflow attacks. In 7th USENIX Security Symposium, 1998.
22. A. Cozzie, F. Stratton, H. Xue, and S. T. King. Digging for data structures. In USENIX Symposium on Operating Systems Design and Implementation (OSDI 2008, pages 255–266, San Diego, CA, December 2008.
23. W. Cui, M. Peinado, K. Chen, H. J. Wang, and L. Irun-Briz. Tupni: automatic reverse engineering of input formats. In CCS’08: Proceedings of the 15th ACM conference on Computer and communications security, 2008.
24. DataRescue. High level constructs width IDA Pro. http://www.hex-rays.com/idapro/datastruct/datastruct.pdf, 2005.
25. T. DeRaadt. Advances in openbsd. CanSecWest, http://www.openbsd.org/papers/csw03/index.html, April 2003.
26. S. Drape. Generalising the array split obfuscation. Information Sciences, 177:202–219, 2007.
27. P. Ferrie. Attacks on virtual machine emulators. White paper, Symantec advanced threat research, 2007.
28. O. Golovanevsky and A. Zaks. Struct-reorg: current status and future perspectives. In Proceedings of the GCC Developers Summit, 2007.
29. M. Hagog and C. Tice. Cache aware data layout reorganization optimization in gcc. In Proceedings of the GCC Developers Summit, 2005.
30. Z. Lin, X. Jiang, D. Xu, and X. Zhang. Automatic protocol format reverse engineering through context-aware monitored execution. In Proceedings of the 15th Annual Network and Distributed System Security Symposium, 2008.
31. Z. Lin, X. Zhang, and D. Xu. Automatic reverse engineering of data structures from binary execution. In Proceedings of the 17th Annual Network and Distributed System Security Symposium (NDSS’10), San Diego, CA, March 2010.
32. K. Makris and K. D. Ryu. Dynamic and adaptive updates of non-quiescent subsystems in commodity operating system kernels. In EuroSys, pages 327–340, 2007.
33. T. Moseley, V. Tovinkere, R. Ramanujan, D. A. Connors, and D. Grunwald. Loopprof: Dynamic techniques for loop detection and profiling. In Proceedings of the Workshop on Binary Instrumentation and Applications (WBIA), 2006.
34. J. Newsome, D. Brumley, and D. X. Song. Vulnerability-specific execution filtering for exploit prevention on commodity software. In Proceedings of the Network and Distributed System Security Symp osium, NDSS 2006, San Diego, California, USA, February 2006.
35. J. Newsome and D. Song. Dynamic taint analysis: Automatic detection, analysis, and signature generation of exploit attacks on commodity software. In Proceedings of the Network and Distributed Systems Security Symposium, 2005.
36. A. One. Smashing the stack for fun and profit. Phrack, 7(49), 1996.
37. T. Raffetseder, C. Krügel, and E. Kirda. Detecting system emulators. In Information Security, 10th International Conference, ISC 2007, 2007.
38. G. Ramalingam, J. Field, and F. Tip. Aggregate structure identification and its application to program analysis. In Proceedings of the 26th ACM SIGPLAN-SIGACT symposium on Principles of Programming Languages, 1999.
39. T. Reps and G. Balakrishnan. Improved memory-access analysis for x86 executables. In CC’08/ETAPS’08: Proceedings of the Joint European Conferences on Theory and Practice of Software 17th international conference on Compiler construction, 2008.
40. Secunia. DEP/ASLR implementation progress in popular third-party windows applications. White paper, http://secunia.com/gfx/pdf/DEPASLR2010paper.pdf, June 2010.
41. H. Shacham, M. Page, B. Pfaff, E.-J. Goh, N. Modadugu, and D. Boneh. On the effectiveness of address-space randomization. In Proceedings of the 11th ACM conference on Computer and communications security (CCS’04), 2004.
42. A. Slowinska, T. Stancescu, and H. Bos. Precise data structure excavation. Technical Report IR-CS-55, Vrije Universiteit Amsterdam, February 2010.
43. Z. Wang, X. Jiang, W. Cui, X. Wang, and M. Grace. Reformat: automatic reverse engineering of encrypted messages. In ESORICS’09: Proceedings of the 14th European conference on Research in computer security, 2009.
44. G. Wondracek, P. Milani Comparetti, C. Kruegel, and E. Kirda. Automatic network protocol analysis. In 15th Symposium on Network and Distributed System Security (NDSS), 2008.
45. Y. Younan, P. Philippaerts, L. Cavallaro, R. Sekar, F. Piessens, and W. Joosen. PAriCheck: an efficient pointer arithmetic checker for C programs. In ASIACCS’10: Proceedings of the 5th ACM Symposium on Information, Computer and Communications Security, 2010.
46. Y. Zhong, M. Orlovich, X. Shen, and C. Ding. Array regrouping and structure splitting using whole-program reference affinity. In Proceedings of the ACM SIGPLAN 2004 conference on Programming language design and implementation (PLDI’04), 2004.
47. Y. Zhou, A. Main, Y. X. Gu, and H. Johnson. Information hiding in software with mixed boolean-arithmetic transforms. In Proceedings of the 8th international conference on Information security applications, WISA’07, 2007.