Visual Reverse Engineering of Binary and Data Files

  • Gregory Conti
  • Erik Dean
  • Matthew Sinda
  • Benjamin Sangster
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5210)

Abstract

The analysis of computer files poses a difficult problem for security researchers seeking to detect and analyze malicious content, for software developers stress-testing the file formats their products consume, and for other researchers seeking to understand the behavior and structure of undocumented file formats. Traditional tools, including hex editors, disassemblers and debuggers, while powerful, constrain analysis to primarily text-based approaches. In this paper, we present design principles for file analysis that support meaningful investigation when there is little or no knowledge of the underlying file format, yet are flexible enough to allow integration of additional semantic information when it is available. We also present results from the implementation of a visual reverse engineering system based on these principles. We validate the efficacy of both the principles and the system with case studies depicting analysis use cases where a hex editor would be of limited value. Our results indicate that visual approaches help analysts rapidly identify files, analyze unfamiliar file structures, and gain insights that inform and complement the tools currently in use.
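The abstract argues that a format-agnostic visual summary (rather than a raw hex dump) lets an analyst see the coarse structure of an unknown file at a glance. The following is an added example, not code from the paper or its authors: it builds the two simplest such views, a per-window byte-class strip and a per-window Shannon entropy value, and collapses consecutive windows into labelled regions so that text, padding and compressed or encrypted data stand out without any knowledge of the format. The sample input, including the toy LCG used to produce a deterministic "random-looking" region, is constructed for the example and is not a real file.

```python
import math
from collections import Counter


def byte_class(b):
    """Map one byte to a coarse class character used in the visual strip."""
    if b == 0x00:
        return '.'   # null / padding
    if 0x20 <= b < 0x7F:
        return 'a'   # printable ASCII
    if b >= 0x80:
        return 'H'   # high byte (typical of compressed, encrypted or binary data)
    return 'c'       # other control byte


def window_entropy(data):
    """Shannon entropy in bits per byte of a byte window (0.0 for an empty window)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def dominant_class(data):
    """Most frequent byte class in a window; ties resolve to the class seen first."""
    return Counter(byte_class(b) for b in data).most_common(1)[0][0]


def byteplot_rows(data, width=32):
    """One row per window: (offset, class strip, dominant class, entropy)."""
    rows = []
    for off in range(0, len(data), width):
        win = data[off:off + width]
        strip = ''.join(byte_class(b) for b in win)
        rows.append((off, strip, dominant_class(win), window_entropy(win)))
    return rows


def regions(data, width=32):
    """Merge consecutive windows sharing a dominant class into (start, end, class) spans."""
    spans = []
    for off, _strip, cls, _ent in byteplot_rows(data, width):
        end = min(off + width, len(data))
        if spans and spans[-1][2] == cls:
            spans[-1] = (spans[-1][0], end, cls)
        else:
            spans.append((off, end, cls))
    return spans


def lcg_bytes(n, seed=12345):
    """Deterministic pseudo-random bytes from a toy LCG (constructed sample data, not a CSPRNG)."""
    out = bytearray()
    x = seed
    for _ in range(n):
        x = (1103515245 * x + 12345) & 0x7FFFFFFF
        out.append((x >> 16) & 0xFF)
    return bytes(out)


# Constructed sample "file": 128 bytes of ASCII text, 128 bytes of null padding,
# then 256 bytes that look like compressed or encrypted content.
TEXT = (b"constructed sample text region " * 5)[:128]
ZEROS = b"\x00" * 128
RANDOM = lcg_bytes(256)
SAMPLE = TEXT + ZEROS + RANDOM


def render(data, width=32):
    """Return the textual byteplot: offset, class strip and entropy per window."""
    lines = [f"{off:08x}  {strip:<{width}}  H={ent:4.2f}"
             for off, strip, _cls, ent in byteplot_rows(data, width)]
    lines.append("regions: " + ", ".join(f"{s:#x}-{e:#x} {c}" for s, e, c in regions(data, width)))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(SAMPLE))
```

Reading the output top to bottom, the strip shows an `a`-dominated run, then a `.`-dominated run with entropy 0, then a mixed `H`/`a`/`c` run with entropy near the 5-bit ceiling that a 32-byte window allows; that last region is where an analyst would look first for packed or encrypted payloads. The same three functions work on any byte string, so the view can be applied to a file whose format is entirely unknown.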


Copyright information

© Springer-Verlag Berlin Heidelberg 2008

Authors and Affiliations

  • Gregory Conti
  • Erik Dean
  • Matthew Sinda
  • Benjamin Sangster

  All authors: Department of Electrical Engineering and Computer Science, United States Military Academy, West Point, New York