Xusheng Li,Zhisheng Hu,Haizhou Wang,Yiwei Fu,Ping Chen,Minghui Zhu,Peng Liu

DOI: https://doi.org/10.48550/arXiv.1807.11110

2024-02-13

Abstract:Return-oriented programming (ROP) is a code reuse attack that chains short snippets of existing code to perform arbitrary operations on target machines. Existing detection methods against ROP exhibit unsatisfactory detection accuracy and/or have high runtime overhead. In this paper, we present ROPNN, which innovatively combines address space layout guided disassembly and deep neural networks to detect ROP payloads. The disassembler treats application input data as code pointers and aims to find any potential gadget chains, which are then classified by a deep neural network as benign or malicious. Our experiments show that ROPNN has high detection rate (99.3%) and a very low false positive rate (0.01%). ROPNN successfully detects all of the 100 real-world ROP exploits that are collected in-the-wild, created manually or created by ROP exploit generation tools. Additionally, ROPNN detects all 10 ROP exploits that can bypass Bin-CFI. ROPNN is non-intrusive and does not incur any runtime overhead to the protected program.

Cryptography and Security

Ma Rongkuan,Zheng Hao,Wang Jingyi,Wang Mufeng,Wei Qiang,Wang Qingxian

DOI: https://doi.org/10.1631/fitee.2000709

IF: 2.526

2022-01-01

Frontiers of Information Technology & Electronic Engineering

Abstract:Proprietary (or semi-proprietary) protocols are widely adopted in industrial control systems (ICSs). Inferring protocol format by reverse engineering is important for many network security applications, e.g., program tests and intrusion detection. Conventional protocol reverse engineering methods have been proposed which are considered time-consuming, tedious, and error-prone. Recently, automatical protocol reverse engineering methods have been proposed which are, however, neither effective in handling binary-based ICS protocols based on network traffic analysis nor accurate in extracting protocol fields from protocol implementations. In this paper, we present a framework called the industrial control system protocol reverse engineering framework (ICSPRF) that aims to extract ICS protocol fields with high accuracy. ICSPRF is based on the key insight that an individual field in a message is typically handled in the same execution context, e.g., basic block (BBL) group. As a result, by monitoring program execution, we can collect the tainted data information processed in every BBL group in the execution trace and cluster it to derive the protocol format. We evaluate our approach with six open-source ICS protocol implementations. The results show that ICSPRF can identify individual protocol fields with high accuracy (on average a 94.3% match ratio). ICSPRF also has a low coarse-grained and overly fine-grained match ratio. For the same metric, ICSPRF is more accurate than AutoFormat (88.5% for all evaluated protocols and 80.0% for binary-based protocols).

LIU Yun-feng,KE Ying-lin,WANG Qiu-cheng,HU Xiao-dong,PENG Wei

DOI: https://doi.org/10.3969/j.issn.1006-5911.2006.01.006

2006-01-01

Computer Integrated Manufacturing Systems

Abstract:To promote the use of feature-based techniques in Reverse Engineering(RE) and support innovative design,feature-based reverse engineering technology was systematically studied.Based on analysis and summarization of the concept and development trend of feature-based RE.The section feature-based and surface featurebased modeling strategies were proposed,and the relationships of the two types of strategies in feature-based RE were also discussed.The example of blade reconstruction indicated that with application of two strategies in feature-based RE,parametric CAD model with higher precision and better quality could be reconstructed rapidly.

金涛,陈建良,童水光

DOI: https://doi.org/10.3321/j.issn:1004-132X.2002.16.023

2002-01-01

Abstract:This paper reviews the developed process of reverse engineering, after addressing the research aspects of reverse engineering and main application areas, the various 3D data digitized technology and model reconstruction methods are discussed in particular, some other specific issues including reconstruction method by geometry and constraints, integrated reverse engineering system framework and the software used for reverse engineering are described as well. The limitations of existing research and technology are also described, the representive problems are as followes:data acquistion techniques which consider downstream process very few, surface patch fitting used in geometric model reconstruction neglects the constraints relationship and geometric feature of the object. Before reverse engineering is widely used as a available tool, there will be still several problems needed to be solved.

柯映林,刘云峰,范树迁,陈曦,李岸

DOI: https://doi.org/10.3321/j.issn:1003-9775.2004.06.012

2004-01-01

Abstract:RE-SOFT, a feature-based reverse engineering software, has been widely accepted by CAD technicians because of its distinct tools for point-cloud operation, geometric feature extraction, operation and analysis, feature-based curve and surface reconstruction, edit and etc. System architecture and main functions of the software are introduced briefly. Some key techniques and algorithms, with regard to data pre-processing, feature extraction, feature reconstruction and edition, are presented and described in detail. Taking an engine blade as an example, the application illustrates that, with RE-SOFT, feature-based parametric model can be obtained efficiently and accurately. Finally, the next tasks for upgrading RE-SOFT are concluded.

Tab Zhang,Claire Taylor,Bart Coppens,Waleed Mebane,Christian Collberg,Bjorn De Sutter

2024-06-07

Abstract:This paper introduces reAnalyst, a scalable analysis framework designed to facilitate the study of reverse engineering (RE) practices through the semi-automated annotation of RE activities across various RE tools. By integrating tool-agnostic data collection of screenshots, keystrokes, active processes, and other types of data during RE experiments with semi-automated data analysis and annotation, reAnalyst aims to overcome the limitations of traditional RE studies that rely heavily on manual data collection and subjective analysis. The framework enables more efficient data analysis, allowing researchers to explore the effectiveness of protection techniques and strategies used by reverse engineers more comprehensively and efficiently. Experimental evaluations validate the framework's capability to identify RE activities from a diverse range of screenshots with varied complexities, thereby simplifying the analysis process and supporting more effective research outcomes.

Software Engineering

Muhui Jiang,Xiaoye Zheng,Rui Chang,Yajin Zhou,Xiapu Luo

DOI: https://doi.org/10.1109/tse.2024.3406900

IF: 7.4

2024-01-01

IEEE Transactions on Software Engineering

Abstract:Emulators are commonly employed to construct dynamic analysis frameworks due to their ability to perform fine-grained tracing, monitor full system functionality, and run on diverse operating systems and architectures. Nonetheless, the consistency of emulators with the real devices, remains uncertain. To address this issue, our objective is to automatically identify inconsistent instructions that exhibit different behavior between emulators and real devices across distinct privileges, including user-level and system-level privilege.We target the Arm architecture, which provides machine-readable specifications. Based on the specification, we propose a sufficient test case generator by designing and implementing the first symbolic execution engine for the Arm architecture specification language (ASL). We generated 2,774,649 representative instruction streams and developed a differential testing engine, EXAMINER PRO. With this engine, we compared the behavior of real Arm devices across different instruction sets (A32, A64, T16, and T32) with the popular QEMU emulator, both at the user-level and system-level. To demonstrate the generalizability of EXAMINER PRO, we also tested two other emulators, namely Unicorn and Angr. We find that undefined implementation in Arm manual and bugs of emulators are the major causes of inconsistencies. Furthermore, we discover 17 bugs, which influence commonly used instructions (e.g., BLX). With the inconsistent instructions, we build three security applications and demonstrate the capability of these instructions on detecting emulators, anti-emulation, and anti-fuzzing.

Le Yu,Yangyang Liu,Pengfei Jing,Xiapu Luo,Lei Xue,Kaifa Zhao,Yajin Zhou,Ting Wang,Guofei Gu,Sen Nie,Shi Wu

2022-01-01

Abstract:In-vehicle protocols are very important to the security assessment and protection of modern vehicles since they are used in communicating with, accessing, and even manipulating ECUs (Electronic Control Units) that control various vehicle components. Unfortunately, the majority of in-vehicle protocols are proprietary without publicly available documents. Although recent studies proposed methods to reverse engineer the CAN protocol used in the communication among ECUs, they cannot be applied to vehicle diagnostics protocols, which have been widely exploited by attackers to launch remote attacks. In this paper, we propose a novel framework for automatically reverse engineering the diagnostic protocols of vehicles by leveraging professional diagnostic tools. Specifically, we design and develop a new cyber-physical system that uses a set of algorithms to control a programmable robotics arm with the aid of cameras to automatically trigger and capture the messages of diagnostics protocols as well as reverse engineer their formats, semantic meanings, and proprietary formulas required for processing the response messages. We perform a large-scale experiment to evaluate our prototype using 18 real vehicles. It successfully reverse engineers 570 messages (446 for reading sensor values and 124 for controlling components). The experimental results show that our framework achieves high precision in reverse engineering proprietary formulas and obtains much more messages than the prior approach based on app analysis.

YE Yongdong,YE Xiaoping,JIN Tao

DOI: https://doi.org/10.3969/j.issn.1005-2402.2006.11.017

2006-01-01

Abstract:An integrated reverse engineering system has been developed. It makes the points-data processing system as a data adapter between the digitized device and the commercial CAD/CAE/CAM software. The digitalization manner, scanning path plan and sample points will be defined by final application based on the integrated system. And the measured points can directly generate NC code and STL file via the data adapter. Another alternative is 3D object reconstruction; the work also depends on the downstream process. The integrated approach can reduce the scanning and modeling time, create the unite model and adapt to various applications. The technology has been integrated with the current commercial CAD systems and is proved valid by practically application.

bo zhou,yanfen wang,xiaohu yang

DOI: https://doi.org/10.1142/9789812701534_0159

2005-01-01

Abstract:So far most research work done on software reverse engineering is mainly focused on the legacy systems, which are built on obsolete technologies, but contain a lot of information and knowledge about the certain application domain. However, software based on more recent technologies, such as component- based, also raises many issues during comprehension and evolution. Especially, the component models like in J2EE world are based on many technical aspects that make them difficult to understand and use. Thus, the evolution of component-based software becomes an emerging issue in reverse engineering area. In this paper we propose an idea to integrate reverse engineering with more recent systems based on the new technology, component-based, not only restricted to the legacy system. We also extend the existing graph based approaches to reverse engineering such systems. In our approach, the directed graph describes and manages dependencies among the components in the system based on the information extracted from source code, deployment descriptors and configuration files. With this component dependency graph, it helps developers to understand the system better, and ease the succeeding phases of reengineering the system.

Daniel Votipka,Seth M. Rabin,Kristopher Micinski,Jeffrey S. Foster,Michelle L. Mazurek

DOI: https://doi.org/10.48550/arXiv.1912.00317

2019-12-01

Cryptography and Security

Abstract:Reverse engineering is a complex process essential to software-security tasks such as vulnerability discovery and malware analysis. Significant research and engineering effort has gone into developing tools to support reverse engineers. However, little work has been done to understand the way reverse engineers think when analyzing programs, leaving tool developers to make interface design decisions based only on intuition. This paper takes a first step toward a better understanding of reverse engineers' processes, with the goal of producing insights for improving interaction design for reverse engineering tools. We present the results of a semi-structured, observational interview study of reverse engineers (N=16). Each observation investigated the questions reverse engineers ask as they probe a program, how they answer these questions, and the decisions they make throughout the reverse engineering process. From the interview responses, we distill a model of the reverse engineering process, divided into three phases: overview, sub-component scanning, and focused experimentation. Each analysis phase's results feed the next as reverse engineers' mental representations become more concrete. We find that reverse engineers typically use static methods in the first two phases, but dynamic methods in the final phase, with experience playing large, but varying, roles in each phase. % and the role of experience varies between phases. Based on these results, we provide five interaction design guidelines for reverse engineering tools.

ZhiJun Huang,Tao Zheng,Yunxiu Shi,Ang Li

DOI: https://doi.org/10.1109/icsai.2012.6223219

2012-01-01

Abstract:As the proposition of the idea of Return-Oriented Programming (ROP), programs will face new challenges from viruses, and many of current defense measures will be ineffective. With fine granularity, covert virus features, deliberate and sophisticated construction and rare static characteristics, ROP attack can circumvent many traditional defense measures and its variant Jump-Oriented Programming (JOP) attack makes lots of current special ROP defense tools lose their effects. Under this circumstance, it's imperative to discover the dynamic features of ROP exploits. At this time, bringing in the technology of Dynamic Binary Instrumentation (DBI) provides powerful support for dynamic analysis of ROP attack. In this paper, we will introduce a defense measure to ROP attack. By identifying malicious program execution flow and restricting the function call specification of general program libraries, we will prevent the turning-complete features of ROP attack. Our detection method can restrain malicious use of shared libraries by ROP and defend a large part of ROP attacks.

Lixin Li,Chao Wang

DOI: https://doi.org/10.1007/978-3-642-40787-1_31

2013-01-01

Abstract:Dynamic analysis techniques have made a significant impact in security practice, e.g. by automating some of the most tedious processes in detecting vulnerabilities. However, a significant gap remains between existing software tools and what many security applications demand. In this paper, we present our work on developing a cross-platform interactive analysis tool, which leverages techniques such as symbolic execution and taint tracking to analyze binary code on a range of platforms. The tool builds upon IDA, a popular reverse engineering platform, and provides a unified analysis engine to handle various instruction sets and operating systems. We have evaluated the tool on a set of real-world applications and shown that it can help identify the root causes of security vulnerabilities quickly.

Zhi Jun Huang,Tao Zheng,Jia Liu

DOI: https://doi.org/10.1109/sees.2012.6225491

2012-01-01

Abstract:With the popularity of embedded devices, especially smart phones, a growing attention has been paid to their programs' security. Many viruses on PC platforms migrated to embedded device have brought new threats to the security of the embedded platform. ROP (Return-Oriented Programming) attack is one of them. At the same time, traditional protective measures on PC platform tend to lose effect in embedded devices due to differences among platforms and architectures which bring significant challenges to virus protection on embedded devices. Defending ROP attack confronts the same problem. Existing protective methods against ROP attack on PC rarely work well on an embedded platform. This paper presents a protective algorithm against ROP virus on the embedded ARM platform. Furthermore, we develop a Valgrind tool to implement this algorithm with dynamic binary instrumentation technology which can effectively prevent the ROP attack and its variants on the ARM platform.

Alex Yao Chu Zhu,Wei Qi Yan,Roopak Sinha

DOI: https://doi.org/10.4018/ijdcf.20211101.oa7

2021-01-01

International Journal of Digital Crime and Forensics

Abstract:Most Intrusion Detection Systems (IDS) / Intrusion Prevention Systems (IPS) cannot defend the attacks from a Return Oriented Program (ROP) which applies code reusing and exploiting techniques without the need for code injection. Malicious attackers chain a short sequence as a gadget and execute this gadget as an arbitrary (Turing-complete) behavior in the target program. Lots of ROP defense tools have been developed with satisfactory performance and low costs overhead, but malicious attackers can evade ROP tools. Therefore, it needs security researchers to continually improve existing ROP defense tools, because the defense ability of target devices, such as smartphones is weak, and such devices are being increasingly targeted. Our contribution in this paper is to propose an ROP defense method that has provided a better performance of defense against ROP attacks than existing ROP defense tools.

Ping Chen,Hai Xiao,Xiaobin Shen,Xinchun Yin,Bing Mao,Li Xie

DOI: https://doi.org/10.1007/978-3-642-10772-6_13

2009-01-01

Abstract:Return-Oriented Programming (ROP) is a new technique that helps the attacker construct malicious code mounted on x86/SPARC executables without any function call at all. Such technique makes the ROP malicious code contain no instruction, which is different from existing attacks. Moreover, it hides the malicious code in benign code. Thus, it circumvents the approaches that prevent control flow diversion outside legitimate regions (such as W *** X ) and most malicious code scanning techniques (such as anti-virus scanners). However, ROP has its own intrinsic feature which is different from normal program design: (1) uses short instruction sequence ending in "ret", which is called gadget, and (2) executes the gadgets contiguously in specific memory space, such as standard GNU libc. Based on the features of the ROP malicious code, in this paper, we present a tool DROP, which is focused on dynamically detecting ROP malicious code. Preliminary experimental results show that DROP can efficiently detect ROP malicious code, and have no false positives and negatives.

Elliot Varoy,John Burrows,Jing Sun,Sathiamoorthy Manoharan

DOI: https://doi.org/10.1109/iceccs.2016.030

2016-01-01

Abstract:Understanding existing pieces of software is a challenge faced by many software developers regardless of their experience. This project researches into existing reverse engineering tools used for code comprehension and identifies the limitations of the current approaches. Furthermore, a prototype implementation was developed to extract design models from available source code in order to achieve better program comprehension. The design and implementation of the model extraction tool were defined, with a focus on Java systems and an agile methodology. This tool was realised by extending the existing open source diagrammatic software, UMLet, with a set of features to aid in code comprehension. Finally, the prototype implementation was evaluated against the related tools in the field as well as by a group of professional experts.

Kangjie Lu,Dabi Zou,Weiping Wen,Debin Gao

DOI: https://doi.org/10.1145/2076732.2076784

2011-01-01

Abstract:Over the last few years, malware analysis has been one of the hottest areas in security research. Many techniques and tools have been developed to assist in automatic analysis of malware. This ranges from basic tools like disassemblers and decompilers, to static and dynamic tools that analyze malware behaviors, to automatic malware clustering and classification techniques, to virtualization technologies to assist malware analysis, to signature- and anomaly-based malware detection, and many others. However, most of these techniques and tools would not work on new attacking techniques, e.g., attacks that use return-oriented programming (ROP). In this paper, we look into the possibility of enabling existing defense technologies designed for normal malware to cope with malware using return-oriented programming. We discuss difficulties in removing ROP from malware, and design and implement an automatic converter, called deRop, that converts an ROP exploit into shellcode that is semantically equivalent with the original ROP exploit but does not use ROP, which could then be analyzed by existing malware defense technologies. We apply deRop on four real ROP malwares and demonstrate success in using deRop for the automatic conversion. We further discuss applicability and limitations of deRop.

Xin Peng,Wenyun Zhao,Yijian Wu,Yunjiao Xue

DOI: https://doi.org/10.5220/0002513703990402

2005-01-01

Abstract:Reengineering presents a practical and feasible approach to transform legacy systems into evolvable systems. Component-based systems are evolvable and can be easily reengineered. Object-oriented software reengineering should base on component library and focus on seamlessly cooperating with component library and assembly tool to construct the whole reengineering system. So the reengineering discussed here concentrates on extracting components from legacy systems via comprehension and analysis. In this paper, we present our java-based tool prototype FDReengineer and introduce the component extraction algorithm. The method and the advantage is demonstrated through a case study.

Baisu Huang,Bo Qian,Wanghong Yuan,Hong Mei,Fuqing Yang

1999-01-01

Abstract:Research on reverse engineering is a focal point in the software engineering field, and it is the basis for software understanding and reengineering, but explorations of object-oriented reverse engineering are still at a starting phase. In this paper, an automatic approach to engineering the C++ programs in reverse is presented through introducing JBOORET, JBOORET is an object-oriented reverse engineering tool for C++. This approach is based on program analysis, extracting program information from source code and recovering the OOD diagram of the objective system. JBOORET may be used to recapture the system design, aid the system documentation and understanding, restructure the system, and so on. In addition, the design idea and some key techniques employed in the design and implementation of JBOORET are described, including information extracting, incremental parsing, ambiguity handling in parser, automatic layout, etc.