Presentation Title: Howard: Excavating Data Structures from Stripped Binaries
State-of-the-art disassemblers are indispensable for reverse engineering and forensics. The most advanced ones, like IDA Pro and OllyDbg, offer a variety of techniques to help elevate low-level assembly instructions to higher-level code. For instance, they can recognize known library functions in the binary. However, they are typically weak in reverse engineering data structures. Since real programs tend to revolve around their data structures, ignorance of these structures makes the already complex task of reverse engineering even slower and more painful.
The most common approaches for data structure detection are based on static analysis techniques like value set analysis, aggregate structure identification and combinations thereof. Some, like CodeSurfer/x86, are available as experimental plug-ins for IDA Pro. Unfortunately, the power of static analysis is quite limited, and none of the techniques mentioned above can adequately handle even some of the most common data structures, like arrays.
Some projects have therefore resorted to dynamic analysis. Again, success has been limited, and the best-known examples are Laika and Rewards. In this presentation, we describe a new technique known as Howard that greatly improves on these existing techniques. It is complementary to Rewards, but much more powerful as it also finds internal variables. The main goal of Howard is to furnish existing disassemblers and debuggers with information about data structures and types to ease reverse engineering. For this purpose, it automatically generates debug symbols that can be used by all common tools. In the presentation, we will demonstrate this with a real analysis example using gdb.
About Asia Slowinska
Asia Slowinska is a final-year PhD student at the Vrije Universiteit Amsterdam, under the supervision of Prof. Herbert Bos. She interned twice with Microsoft Research Cambridge, where she joined the Systems and Performance Group. Before that, she spent a few months working with the Systems and Security Department at the Institute for Infocomm Research in Singapore.
Her research interests involve the area of systems security. Her work focuses on automatic detection and analysis of attacks, particularly those related to low-level memory errors.