Xiangyu's Projects - Reverse Engineering

Reverse Engineering Binary Programs and Its Security Applications

This project aims to develop techniques to reverse engineer functionalities and data structures of binary executables without any symbolic information. It has many security applications. For example, understanding the functionality of code segments is critical to determining the existence of any hidden malicious logic; understanding the internal representation of critical data structures (e.g. the data structure for network connections in a browser) is key for forensic analysis.

Our contributions are highlighted as follows.

We have developed a technique that reverse engineers data structure definitions, including both syntactic and semantic information, from a given binary. It is essentially a type inference algorithm on execution traces (instead of programs) [NDSS'10]. We also developed a memory forensics technique that can identify instances of such data structures from memory snapshots. It features deriving unique graphical signatures from the data structure definitions. The signature of a data structure is essentially a points-to subgragh of the data structure that is not isomorphic to the signatures of others [NDSS'11].
We have developed a technique that can identify key code segments that deliver functionalities that are of interest to attackers, such as sending emails and storing files. The technique is also capable of semi-automatically mutating the code segments so that they can be reused for malicious purpose. For example, we can mutate the parameters to function send_mail() in pine so that a copy of each user email is steathly sent to the attacker [DSN'10].
We have developed techniques to reverse engineer the syntax of program inputs [FSE'08], which would be meaningful for testing, and the syntax of network protocols [NDSS'08].
We have developed a technique that can detect vulnerabilities in binary programs and automatically generate exploits. The technique does not rely on symbolic exection, but rather on dependence tracing. It can scale to complex programs [DSN'08].

Funding

	Binary Based Data Structure Reverse Engineering for Memory Forensics and Application Vulnerability Discovery, Northrop Grumman CyberSecurity Research Consortium, 2010-2011.
	EAGER: Binary-based Data Structure Revelation for Memory Forensics, NSF-TC-1049303, 2010-2012.

Students

Zhiqiang Lin (On Market)

Publications

NDSS	Z. Lin, J. Rhee, X. Zhang, D. Xu, and X. Jiang. SigGraph: Brute Force Scanning of Kernel Data Structure Instances Using Graph-based Signatures , the 17th Network and Distributed System Security Symposium, 2011. [abstract][pdf]
DSN	Z. Lin, X. Zhang and D. Xu . Reuse-Oriented Camouflaging Trojan: Vulnerability Detection and Attack Construction , the 40th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, 2010. [abstract][pdf]
NDSS	Z. Lin, X. Zhang and D. Xu. Automatic Reverse Engineering of Data Structures from Binary Execution , the 17th Network and Distributed System Security Symposium, 2010. [abstract][pdf]
FSE	Z Lin and X. Zhang . Deriving Program Input Syntactic Structure from Execution , 16th ACM SIGSOFT Symposium on Foundations of Software Engineering, 2008. [abstract][pdf]
DSN	Z. Lin, X. Zhang, and D. Xu . Convicting Remote Exploitable Vulnerabilities: An Efficient Input Provenance Based Approach , IEEE/IFIP International Conference on Dependable Systems and Networks, 2008. [abstract][pdf]
NDSS	Z. Lin, X. Jiang, D. Xu, and X. Zhang. Automatic Protocol Format Reverse Engineering Through Context-Aware Monitored Execution , Network and Distributed System Security Symposium, 2008. [abstract][pdf]