Visible to the public Biblio

Filters: Keyword is software reverse engineering  [Clear All Filters]
2019-06-24
Viglianisi, Gabriele, Carminati, Michele, Polino, Mario, Continella, Andrea, Zanero, Stefano.  2018.  SysTaint: Assisting Reversing of Malicious Network Communications. Proceedings of the 8th Software Security, Protection, and Reverse Engineering Workshop. :4:1–4:12.

The ever-increasing number of malware samples demands for automated tools that aid the analysts in the reverse engineering of complex malicious binaries. Frequently, malware communicates over an encrypted channel with external network resources under the control of malicious actors, such as Command and Control servers that control the botnet of infected machines. Hence, a key aspect in malware analysis is uncovering and understanding the semantics of network communications. In this paper we present SysTaint, a semi-automated tool that runs malware samples in a controlled environment and analyzes their execution to support the analyst in identifying the functions involved in the communication and the exchanged data. Our evaluation on four banking Trojan samples from different families shows that SysTaint is able to handle and inspect encrypted network communications, obtaining useful information on the data being sent and received, on how each sample processes this data, and on the inner portions of code that deal with the data processing.

2019-03-04
Schwartz, Edward J., Cohen, Cory F., Duggan, Michael, Gennari, Jeffrey, Havrilla, Jeffrey S., Hines, Charles.  2018.  Using Logic Programming to Recover C++ Classes and Methods from Compiled Executables. Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security. :426–441.
High-level C++ source code abstractions such as classes and methods greatly assist human analysts and automated algorithms alike when analyzing C++ programs. Unfortunately, these abstractions are lost when compiling C++ source code, which impedes the understanding of C++ executables. In this paper, we propose a system, OOAnalyzer, that uses an innovative new design to statically recover detailed C++ abstractions from executables in a scalable manner. OOAnalyzer's design is motivated by the observation that many human analysts reason about C++ programs by recognizing simple patterns in binary code and then combining these findings using logical inference, domain knowledge, and intuition. We codify this approach by combining a lightweight symbolic analysis with a flexible Prolog-based reasoning system. Unlike most existing work, OOAnalyzer is able to recover both polymorphic and non-polymorphic C++ classes. We show in our evaluation that OOAnalyzer assigns over 78% of methods to the correct class on our test corpus, which includes both malware and real-world software such as Firefox and MySQL. These recovered abstractions can help analysts understand the behavior of C++ malware and cleanware, and can also improve the precision of program analyses on C++ executables.