Extracting Output Formats from Executables

Junghee Lim, T. Reps, B. Liblit
2006 13th Working Conference on Reverse Engineering, 2006-10-23
DOI: 10.1109/WCRE.2006.29 (https://doi.org/10.1109/WCRE.2006.29)
Citation count: 64

Abstract

We describe the design and implementation of FFE/x86 (File-Format Extractor for x86), an analysis tool that works on stripped executables (i.e., neither source code nor debugging information need be available) and extracts output data formats, such as file formats and network packet formats. We first construct a hierarchical finite state machine (HFSM) that over-approximates the output data format. An HFSM defines a language over the operations used to generate output data. We use value-set analysis (VSA) and aggregate structure identification (ASI) to annotate HFSMs with information that partially characterizes some of the output data values. VSA determines an over-approximation of the set of addresses and integer values that each data object can hold at each program point, and ASI analyzes memory accesses in the program to recover information about the structure of aggregates. A series of filtering operations is performed to over-approximate an HFSM with a finite-state machine, which can result in a final answer that is easier to understand. Our experiments with FFE/x86 uncovered a possible bug in the image-conversion utility png2ico.