Interactive Function Identification Decreasing the Effort of Reverse Engineering

  • Fatih Kilic
  • Hannes Laner
  • Claudia Eckert
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9589)

Abstract

Today’s software is growing in size and complexity; consequently, analysing closed-source binaries is becoming time-consuming and labour-intensive. In the common use case the analyst is interested only in specific functions of a given application, and identifying them is difficult because the binary carries no metadata that relates functions to functionality. In this paper we present a framework that speeds up the reverse-engineering process through interactive function identification. We build on Dynamic Binary Instrumentation (DBI) to collect the function calls executed at run time and support the analyst in filtering the executed functions down to those relevant to a specific piece of functionality. Our approach consists of three process steps: real-time data gathering, user-defined information processing and filtering, and graphical representation. We show a significant speed-up of the reverse-engineering process when using our framework: the number of executed functions the analyst has to inspect is reduced by more than 90 %, and the visual components help the analyst pre-select functions at an abstract level.
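The pipeline the abstract sketches, as an added example that is not the authors' framework: two call traces of the kind a DBI tool (Pin, DynamoRIO, Valgrind) would record are constructed inline, one from a run that does not exercise the feature of interest and one from a run that does. The filtering step keeps the functions that appear only in the feature run, drops images the analyst excludes and drops hot helpers above a call-count threshold; what remains is emitted as a Graphviz sub-graph for the display step. All function, module and trace contents are hypothetical, and the reduction figure it computes is a property of the constructed trace, not the paper's measurement.

```python
"""Differential function identification over DBI call traces.

Added example for this page, not the authors' framework. A DBI tool
such as Pin, DynamoRIO or Valgrind would record real call events; here
two traces are constructed inline so the filtering step can run
stand-alone. All function, module and caller names are hypothetical.
"""
from collections import Counter
from typing import NamedTuple


class CallEvent(NamedTuple):
    caller: str
    callee: str
    module: str   # image containing the callee


def _events(rows):
    """Expand (caller, callee, module[, count]) rows into call events."""
    out = []
    for row in rows:
        caller, callee, module = row[:3]
        count = row[3] if len(row) > 3 else 1
        out.extend([CallEvent(caller, callee, module)] * count)
    return out


# Constructed trace of a run that does NOT exercise the feature the
# analyst cares about (here: decrypting a page of an encrypted database).
BASELINE_RUN = _events([
    ("main", "parse_args", "app"),
    ("main", "open_db", "app"),
    ("open_db", "read_header", "app"),
    ("read_header", "check_magic", "app"),
    ("open_db", "alloc_page", "app"),
    ("alloc_page", "malloc", "libc.so.6"),
    ("main", "btree_lookup", "app"),
    ("btree_lookup", "load_page", "app"),
    ("load_page", "memcmp", "libc.so.6", 8),
    ("main", "log_msg", "app", 3),
    ("log_msg", "fprintf", "libc.so.6", 3),
    ("main", "close_db", "app"),
    ("close_db", "free", "libc.so.6"),
])

# Constructed trace of the same binary with the feature triggered.
FEATURE_RUN = BASELINE_RUN + _events([
    ("main", "decrypt_page", "app"),
    ("decrypt_page", "derive_key", "app"),
    ("derive_key", "sha256_update", "libcrypto.so", 64),
    ("derive_key", "sha256_final", "libcrypto.so"),
    ("decrypt_page", "aes_cbc_decrypt", "app"),
    ("aes_cbc_decrypt", "memcpy", "libc.so.6", 200),
    ("decrypt_page", "log_msg", "app"),
])


def executed_functions(trace):
    """Distinct callees with their call counts (the raw DBI output)."""
    return Counter(ev.callee for ev in trace)


def identify_relevant(feature_trace, baseline_trace, *,
                      ignore_modules=(), max_calls=None):
    """Candidate functions for the feature: executed in the feature run
    but not in the baseline run, minus analyst-defined noise.

    ignore_modules drops library images the analyst is not interested in;
    max_calls drops hot functions (tight-loop helpers rather than logic).
    """
    feature = executed_functions(feature_trace)
    baseline = executed_functions(baseline_trace)
    module_of = {ev.callee: ev.module for ev in feature_trace}
    relevant = []
    for fn, count in feature.items():
        if fn in baseline:
            continue
        if module_of[fn] in ignore_modules:
            continue
        if max_calls is not None and count > max_calls:
            continue
        relevant.append(fn)
    return sorted(relevant)


def reduction(feature_trace, relevant):
    """Fraction of executed functions the analyst no longer has to view."""
    total = len(executed_functions(feature_trace))
    return 1.0 - len(relevant) / total


def call_graph(trace, functions, root="main"):
    """Edges between the selected functions (plus the root), for display."""
    keep = set(functions) | {root}
    return sorted({(ev.caller, ev.callee) for ev in trace
                   if ev.caller in keep and ev.callee in keep})


def to_dot(edges):
    """Graphviz source for the selected sub-graph."""
    body = "\n".join(f'  "{a}" -> "{b}";' for a, b in edges)
    return f"digraph relevant {{\n{body}\n}}"


if __name__ == "__main__":
    cands = identify_relevant(FEATURE_RUN, BASELINE_RUN,
                              ignore_modules=("libc.so.6",), max_calls=32)
    print(f"{len(executed_functions(FEATURE_RUN))} executed, "
          f"{len(cands)} left: {cands}")
    print(to_dot(call_graph(FEATURE_RUN, cands)))
```

The set difference between the two runs does most of the work; the module and call-count filters stand in for the user-defined processing step, and the analyst would normally iterate on them interactively (for instance, keeping libcrypto but excluding libc, or raising the threshold when a primitive of interest is itself hot). The `to_dot` output can be piped into `dot -Tsvg` for the graphical step.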

Keywords

Reverse engineering · Information visualisation · Security · IP protection

Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  1. Technische Universität München, Munich, Germany
  2. Fraunhofer AISEC, Munich, Germany