Created: Monday, June 18 2012 14:01.00 CDT  
RECON 2012 Keynote: The Case for Semantics-Based Methods in Reverse Engineering
Author: RolfRolles # Views: 14083

The goal of my RECON 2012 keynote speech was to introduce methods in academic program analysis and demonstrate -- intuitively, without drawing too much on formalism -- how they can be used to solve practical problems that are interesting to industrial researchers in the real world.  Given that it was the keynote speech, and my goal of making the material as accessible as possible, I attempted to make my points with pictures instead of dense technical explanations.  As a result, one might consider this presentation to be a friendly (but decidedly incomplete) introduction to binary program analysis as opposed to a rigorous mathematical monograph.  The presentation features five detailed expositions of applying static program analysis (abstract interpretation and SMT solving) towards practically-interesting reverse engineering problems.  (Aside:  it's quite challenging to present this material without using terms such as "lattice", "Galois connection", etc.!)

Unfortunately, due to an error with the camera, the recording of the talk does not exist.  This is problematic:  I failed somewhat in walking the sharp edge of Einstein's razor, "as simple as possible, but no simpler" -- it was in fact made simpler than what was possible, and some important details (for example, about relational abstract interpretation and reduced products) were included in the spoken material but not the actual slides.  Therefore, the learned reader is advised to imagine judiciously-placed asterisks and the accompanying errata, and the untutored pupil would be well-advised to recognize the incomplete and intuitive nature of the exposition and perhaps consult this program analysis reading list.

I would like to give the talk at some other conference at which the video can be reliably recorded, so that it may be published online.

Here are the slides.

Blog Comments
halsten Posted: Monday, June 18 2012 15:03.42 CDT
Still going through it, but I remember most of the information was based on your previous posts. Nicely put together in one series. I like the fact that your dead listing examples come from real world application. That deobfuscated inc and sar handler was from VMP if I am correct?

Also, when you refer to inequalities, you are referring to an improper transformation from A and A', which was the problem of the transforming engine at least?

I do remember I read Ilfak's post about the simplex algorithm.

All in all, impressive work is to be expected as usual, Rolf.

I wonder if you came across this before? http://www.loria.fr/~ranise/pubs/nasa.pdf


RolfRolles Posted: Monday, June 18 2012 15:10.05 CDT
As for the VM, no comment.  I don't understand the question about inequalities -- would those be the linear inequalities in the stack tracking example, or semantic inequivalence?  As for the paper, haven't read it before but it looks like a fairly basic introduction to theorem prover internals; I recommend the beginner consult books such as The Calculus of Computation and Decision Procedures rather than reading research literature (at least at first).

NirIzr Posted: Monday, June 18 2012 15:21.04 CDT
Had to say I think your keynote, although only a keynote, only touched very basic concepts. I was hoping to learn something new which unfortunately I didn't.
Glad to see you've added the reading list, I'll surely go over it.

keep up the good work :)

arebc Posted: Monday, June 18 2012 15:23.13 CDT

Great job on the keynote! It was probably the best talk of REcon. I was sitting over the camera man's shoulder watching the camera repeatedly die starting about ten minutes into it. Shame. Keep up the good work man. I hope to see some more slides and write-ups from you. Cheers.

RolfRolles Posted: Monday, June 18 2012 15:32.18 CDT
Thanks arebc and NirIzr!  As for your comments, NirIzr, I don't 100% agree with the notion that, for example, octagon and TVPI polyhedra are "very basic concepts" in program analysis seeing as people were writing their Ph.D. theses on these subjects not too long ago.  Similarly, note that people have written Ph.D. theses about abstract interpretation without invoking the concept of a reduced product or relational abstractions.  However, I do largely agree that there are considerably more sophisticated analyses in the literature and that many of the actual analyses that I presented might even rightly be called "trivial" in comparison to the more sophisticated methods.  But that actually does not detract from the point of the talk:  I wanted to convince people that you can solve interesting reverse engineering problems with program analysis, and if the analyses are indeed "trivial", then that's even better motivation for reverse engineers to study it, because they can do cool stuff without having to dive extremely deeply into the literature (and are aware that the literature offers even more sophisticated solutions).

halsten Posted: Monday, June 18 2012 15:32.19 CDT
@Rolf: Semantic inequalities.

Well, it's a good start I guess for such work. I don't think there is anything out there that would be considered advanced specifically in what you are trying to achieve in here. It's very specific. But, good stuff.
