Give me back my data structures! Reverse engineering data structures from stripped binaries

Date: Thursday, April 14, 2011
Speaker: Herbert Bos
Venue: IST Austria
Room: Mondi 2

Even the most advanced reverse engineering techniques and products are weak in recovering data structures in stripped binaries – binaries without symbol tables. Unfortunately, forensics and reverse engineering without data structures is exceedingly hard. In this talk, I will present a new solution, known as Howard, to extract data structures from C binaries without any need for symbol tables. Our results are significantly more accurate than those of previous methods – sufficiently so to allow us to generate our own (partial) symbol tables without access to source code. Thus, debugging such binaries becomes feasible and reverse engineering becomes simpler. Also, we show that we can protect existing binaries from popular memory corruption attacks, without access to source code. Unlike most existing tools, our system uses dynamic analysis (on a QEMU-based emulator) and detects data structures by tracking how a program uses memory.
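The core idea the abstract describes, inferring data structures from how a program touches memory rather than from symbols, can be sketched with a toy trace analyzer. The following is an added illustration written for this page, not Howard's code: it assumes a hypothetical trace of (base pointer, constant offset, access width) triples, turns each distinct offset/width pair seen from one base pointer into a struct field, and collapses runs of same-width accesses at a constant stride into an array. The trace, the `MIN_ARRAY_RUN` threshold and the `obj_<base>` naming are constructed for the example; real systems of this kind use loop analysis and pointer-propagation on an emulator to decide what is an array, which this heuristic only approximates.

```python
"""Toy access-pattern based layout recovery (illustration, not Howard's code).

Input: a constructed trace of memory accesses the instrumented program made,
each expressed as (base pointer value, constant displacement, width in bytes).
Output: per base pointer, an inferred list of fields, renderable as a C struct
that could seed a partial symbol table for a debugger or forensic tool.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Access:
    base: int    # value of the base pointer (register) the instruction used
    offset: int  # constant displacement added to that base
    size: int    # bytes read or written


@dataclass(frozen=True)
class Field:
    offset: int
    size: int    # element width in bytes
    count: int   # 1 for a scalar, >1 for an inferred array


# Constructed trace (hypothetical): object A at 0x1000 is used like
#   struct { uint32_t id; char name[16]; /* 4 bytes padding */ uint64_t count; }
# and object B at 0x2000 is used like uint32_t table[10].
SAMPLE_TRACE: List[Access] = (
    [Access(0x1000, 0, 4)]
    + [Access(0x1000, 4 + i, 1) for i in range(16)]
    + [Access(0x1000, 24, 8)]
    + [Access(0x2000, 4 * i, 4) for i in range(10)]
    + [Access(0x1000, 0, 4)]  # repeated access: must not produce a second field
)

# Assumption: fewer than this many adjacent equal-width accesses stay scalars.
MIN_ARRAY_RUN = 3


def recover_layout(trace: List[Access]) -> Dict[int, List[Field]]:
    """Group accesses by base pointer; each distinct (offset, size) becomes a
    candidate field, and a run of >= MIN_ARRAY_RUN same-size cells at
    stride == size is merged into one array field."""
    per_base: Dict[int, Set[Tuple[int, int]]] = defaultdict(set)
    for a in trace:
        per_base[a.base].add((a.offset, a.size))

    layouts: Dict[int, List[Field]] = {}
    for base, cell_set in per_base.items():
        cells = sorted(cell_set)
        fields: List[Field] = []
        i = 0
        while i < len(cells):
            off, sz = cells[i]
            j = i + 1
            # extend the run while the next cell has the same width and is adjacent
            while j < len(cells) and cells[j][1] == sz and cells[j][0] == cells[j - 1][0] + sz:
                j += 1
            run = j - i
            if run >= MIN_ARRAY_RUN:
                fields.append(Field(off, sz, run))
                i = j
            else:
                fields.append(Field(off, sz, 1))
                i += 1
        layouts[base] = fields
    return layouts


C_TYPES = {1: "uint8_t", 2: "uint16_t", 4: "uint32_t", 8: "uint64_t"}


def to_c_decl(base: int, fields: List[Field]) -> str:
    """Render an inferred layout as a C struct. Gaps between fields become
    explicit padding members; type names are guessed from access width only."""
    lines = [f"struct obj_{base:x} {{"]
    cursor = 0
    for f in fields:
        if f.offset > cursor:
            lines.append(f"    uint8_t pad_{cursor}[{f.offset - cursor}];")
        if f.size in C_TYPES:
            decl = f"{C_TYPES[f.size]} f_{f.offset}"
            if f.count > 1:
                decl += f"[{f.count}]"
        else:  # unusual width: fall back to a byte array covering the whole extent
            decl = f"uint8_t f_{f.offset}[{f.size * f.count}]"
        lines.append(f"    {decl};")
        cursor = f.offset + f.size * f.count
    lines.append("};")
    return "\n".join(lines)


if __name__ == "__main__":
    for base, fields in sorted(recover_layout(SAMPLE_TRACE).items()):
        print(to_c_decl(base, fields))
```

Running the block prints a struct for `0x1000` with a 4-byte scalar, a 16-element byte array, a 4-byte padding member and an 8-byte scalar, and a single `uint32_t[10]` for `0x2000`. The unresolved ambiguity, three consecutive 8-byte fields versus a three-element array, is exactly why the talk's approach tracks how the program uses memory over time rather than just which addresses it touches.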

