Scalable data structure detection and classification for C/C++ binaries

Haller, Istvan; Slowinska, Asia; Bos, Herbert

doi:10.1007/s10664-015-9363-y

Cited by 11 publications

(7 citation statements)

References 27 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Трансформации, устраняющие указатели -новое направление исследований. Наиболее близкими здесь являются работы по анализу видов структур данных (shape analysis) [10,12,13] и обратной трансляции [14,16] на язык более высокого уровня. Причем в этих работах не ставится задача устранения указателей.…”

Section: обзор работunclassified

Verification of a String to Integer Conversion Program

Shelekhov¹

2020

View full text Add to dashboard Cite

Deductive verification of a string to integer conversion program kstrtoul in Linux OS kernel library is described. The kstrtoul program calculates the integer value presented as a char sequence of digits. To simplify program verification the transformations of replacing pointer operators to equivalent actions without pointers are conducted. Model of inner program state are constructed to enhance program specification. Deductive verification was conducted in the tools Why3 and Coq.

show abstract

Section: обзор работunclassified

Verification of a String to Integer Conversion Program

Shelekhov¹

2020

View full text Add to dashboard Cite

show abstract

“…DSI provides two desirable features that will help us to advance the state-of-theart in identifying dynamic data structures from malware. The first is DSI's rich heap abstraction that, in contrast to ARTISTE [3], DDT [7], HeapDbg [11], and MemPick [6], permits the identification of many complex data structure implementation techniques. These range from the generic list implementations employed by the Linux kernel, to highly optimized data structures, and to those created via custom memory allocators.…”

Section: Ccs'16mentioning

confidence: 99%

“…Secondly, DSI identifies data structures by accumulating evidence, a process which is resilient against the transient corrupted shapes that arise due to manipulation operations, which we term degenerate shapes. In contrast, other approaches [6,7] try to exclude degenerate shapes from the analysis, which may be difficult if wellstructured interfaces are required [7] and these are obfuscated. Additionally, there is typically limited support for nested data structures, whereas DSI's key features enable the robust identification of arbitrarily deep nesting.…”

Section: Ccs'16mentioning

confidence: 99%

Poster

Rupprecht

Chen

White

et al. 2016

Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security

Self Cite

View full text Add to dashboard Cite

As the complexity of malware grows, so does the necessity of employing program structuring mechanisms during development. While control flow structuring is often obfuscated, the dynamic data structures employed by the program are typically untouched. We report on work in progress that exploits this weakness to identify dynamic data structures present in malware samples for the purposes of aiding reverse engineering and constructing malware signatures, which may be employed for malware classification.Using a prototype implementation, which combines the type recovery tool Howard and the identification tool Data Structure Investigator (DSI), we analyze data structures in Carberp and AgoBot malware. Identifying their data structures illustrates a challenging problem. To tackle this, we propose a new type recovery for binaries based on machine learning, which uses Howard's types to guide the search and DSI's memory abstraction for hypothesis evaluation.

show abstract

“…Mandating programmers to store data references in collections needs that multiple memory blocks are allocated per data element: one to store the data element and another one to store the collection's node. There were some drawbacks to this traditional method [5], [6]: a) E-mail: dmp@znu.ac.ir b) E-mail: mahjur@mut.ac.ir (Corresponding author) DOI: 10.1587/transinf.2018EDP7105 tine should be called several times to allocate the space of a data element and it's node. Such extra calls reduce the performance of collections.…”

Section: Introductionmentioning

confidence: 99%

Efficient Reusable Collections

Mohammadpur

Mahjur

2018

IEICE Trans. Inf. & Syst.

View full text Add to dashboard Cite

Efficiency and flexibility of collections have a significant impact on the overall performance of applications. The current approaches to implement collections have two main drawbacks: (i) they limit the efficiency of collections and (ii) they have not adequate support for collection composition. So, when the efficiency and flexibility of collections is important, the programmer needs to implement them himself, which leads to the loss of reusability. This article presents neoCollection, a novel approach to encapsulate collections. neoCollection has several distinguishing features: (i) it can be applied on data elements efficiently and flexibly (ii) composition of collections can be made efficiently and flexibly, a feature that does not exist in the current approaches. In order to demonstrate its effectiveness, neoCollection is implemented as an extension to Java and C++.

show abstract

Scalable data structure detection and classification for C/C++ binaries

Cited by 11 publications

References 27 publications

Verification of a String to Integer Conversion Program

Verification of a String to Integer Conversion Program

Poster

Efficient Reusable Collections

Contact Info

Product

Resources

About