Recovery of binary data structures from program traces
In this paper we consider the problem of recovery of binary data formats and describe the format recovery system implemented in ISP RAS. First, we enumerate general approaches to this problem, their advantages and constraints: static, dynamic and network trace analysis. Here we also describe the fundamental dynamic analysis constraint (incomplete code coverage) and several possible methods to partly compensate it in this particular problem. Second, we discuss data sources and features of analysis of such objects as files, network packets of different levels and different kinds of protocols (stateful and stateless), incoming and outgoing messages. We also discuss the problem of protocol analysis and specifically the problem of recovering the protocol state machine. Third, we describe our function specification facility that allows us to define models of functions and their parameters and brings additional accuracy to our format recovery approach through taking into consideration user's knowledge about the features of a specific software environment. In this paper we also present the general scheme of our approach and test results of the implemented system. Finally, we discuss future research directions: encrypted traffic analysis and several possible applications for recovery results.
Main Authors: | A. I. Avetisyan, A. I. Getman |
---|---|
Format: | Article |
Language: | English |
Published: | Ivannikov Institute for System Programming of the Russian Academy of Sciences, 2018-10-01 |
Series: | Труды Института системного программирования РАН |
Subjects: | dynamic analysis; binary traces; format recovery; protocol analysis |
Online Access: | https://ispranproceedings.elpub.ru/jour/article/view/1005 |
Field | Value |
---|---|
author | A. I. Avetisyan; A. I. Getman |
author_facet | A. I. Avetisyan; A. I. Getman |
author_sort | A. I. Avetisyan |
collection | DOAJ |
description | In this paper we consider the problem of recovery of binary data formats and describe the format recovery system implemented in ISP RAS. First, we enumerate general approaches to this problem, their advantages and constraints: static, dynamic and network trace analysis. Here we also describe the fundamental dynamic analysis constraint (incomplete code coverage) and several possible methods to partly compensate it in this particular problem. Second, we discuss data sources and features of analysis of such objects as files, network packets of different levels and different kinds of protocols (stateful and stateless), incoming and outgoing messages. We also discuss the problem of protocol analysis and specifically the problem of recovering the protocol state machine. Third, we describe our function specification facility that allows us to define models of functions and their parameters and brings additional accuracy to our format recovery approach through taking into consideration user's knowledge about the features of a specific software environment. In this paper we also present the general scheme of our approach and test results of the implemented system. Finally, we discuss future research directions: encrypted traffic analysis and several possible applications for recovery results. |
first_indexed | 2024-04-13T00:31:15Z |
format | Article |
id | doaj.art-85065799b1824d829d8bbe6df980e994 |
institution | Directory Open Access Journal |
issn | 2079-8156; 2220-6426 |
language | English |
last_indexed | 2024-04-13T00:31:15Z |
publishDate | 2018-10-01 |
publisher | Ivannikov Institute for System Programming of the Russian Academy of Sciences |
record_format | Article |
series | Труды Института системного программирования РАН |
title | Recovery of binary data structures from program traces |
topic | dynamic analysis; binary traces; format recovery; protocol analysis |
url | https://ispranproceedings.elpub.ru/jour/article/view/1005 |