DSIbin: Identifying dynamic data structures in C/C++ binaries

Thomas Rupprecht; Xi Chen; David H. White; Jan H. Boockmann; Gerald Luttgen; Herbert Bos

doi:10.1109/ASE.2017.8115646

DSIbin: Identifying dynamic data structures in C/C++ binaries

Thomas Rupprecht
, Xi Chen
, David H. White
, Jan H. Boockmann
, Gerald Luttgen
, Herbert Bos

Research output: Chapter in Book / Report / Conference proceeding › Conference contribution › Academic › peer-review

98 Downloads (Pure)

Abstract

Reverse engineering binary code is notoriously difficult and, especially, understanding a binary's dynamic data structures. Existing data structure analyzers are limited wrt. program comprehension: they do not detect complex structures such as skip lists, or lists running through nodes of different types such as in the Linux kernel's cyclic doubly-linked list. They also do not reveal complex parent-child relationships between structures. The tool DSI remedies these shortcomings but requires source code, where type information on heap nodes is available. We present DSIbin, a combination of DSI and the type excavator Howard for the inspection of C/C++ binaries. While a naive combination already improves upon related work, its precision is limited because Howard's inferred types are often too coarse. To address this we auto-generate candidates of refined types based on speculative nested-struct detection and type merging; the plausibility of these hypotheses is then validated by DSI. We demonstrate via benchmarking that DSIbin detects data structures with high precision.

Original language	English
Title of host publication	2017 32nd IEEE/ACM International Conference on Automated Software Engineering (ASE)
Subtitle of host publication	[Proceedings]
Publisher	Institute of Electrical and Electronics Engineers Inc.
Pages	331-341
Number of pages	11
ISBN (Electronic)	9781538626849
ISBN (Print)	9781538639764
DOIs	https://doi.org/10.1109/ASE.2017.8115646
Publication status	Published - 2017
Event	32nd IEEE/ACM International Conference on Automated Software Engineering, ASE 2017 - Urbana-Champaign, United States Duration: 30 Oct 2017 → 3 Nov 2017

Conference

Conference	32nd IEEE/ACM International Conference on Automated Software Engineering, ASE 2017
Country/Territory	United States
City	Urbana-Champaign
Period	30/10/17 → 3/11/17

Funding

This work was supported by the German Research Foundation through DFG grant LU 1748/4-1, the Netherlands Organisation for Scientific Research through the grant NWO 639.023.309 VICI Dowsing, and the Cisco Grant Program (CG #595086). We also thank the anonymous reviewers for their valuable comments and suggestions

Funders	Funder number
California Department of Fish and Game
Deutsche Forschungsgemeinschaft	LU 1748/4-1
Nederlandse Organisatie voor Wetenschappelijk Onderzoek	CG #595086, NWO 639.023.309 VICI Dowsing

Keywords

Data structure identification
dynamic data structures
pointer programs
reverse engineering
type recovery

Access to Document

10.1109/ASE.2017.8115646

DSIbinFinal published version, 365 KBLicence: Article 25fa Dutch Copyright Act

Persistent URL (handle)

Persistent link

Cite this

Rupprecht, T., Chen, X., White, D. H., Boockmann, J. H., Luttgen, G., & Bos, H. (2017). DSIbin: Identifying dynamic data structures in C/C++ binaries. In 2017 32nd IEEE/ACM International Conference on Automated Software Engineering (ASE): [Proceedings] (pp. 331-341). Article 8115646 Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.1109/ASE.2017.8115646

@inproceedings{ed7d22ea2c854a89ba665bde4441091d,

title = "DSIbin: Identifying dynamic data structures in C/C++ binaries",

abstract = "Reverse engineering binary code is notoriously difficult and, especially, understanding a binary's dynamic data structures. Existing data structure analyzers are limited wrt. program comprehension: they do not detect complex structures such as skip lists, or lists running through nodes of different types such as in the Linux kernel's cyclic doubly-linked list. They also do not reveal complex parent-child relationships between structures. The tool DSI remedies these shortcomings but requires source code, where type information on heap nodes is available. We present DSIbin, a combination of DSI and the type excavator Howard for the inspection of C/C++ binaries. While a naive combination already improves upon related work, its precision is limited because Howard's inferred types are often too coarse. To address this we auto-generate candidates of refined types based on speculative nested-struct detection and type merging; the plausibility of these hypotheses is then validated by DSI. We demonstrate via benchmarking that DSIbin detects data structures with high precision.",

keywords = "Data structure identification, dynamic data structures, pointer programs, reverse engineering, type recovery",

author = "Thomas Rupprecht and Xi Chen and White, \{David H.\} and Boockmann, \{Jan H.\} and Gerald Luttgen and Herbert Bos",

year = "2017",

doi = "10.1109/ASE.2017.8115646",

language = "English",

isbn = "9781538639764",

pages = "331--341",

booktitle = "2017 32nd IEEE/ACM International Conference on Automated Software Engineering (ASE)",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

address = "United States",

note = "32nd IEEE/ACM International Conference on Automated Software Engineering, ASE 2017 ; Conference date: 30-10-2017 Through 03-11-2017",

}

Rupprecht, T, Chen, X, White, DH, Boockmann, JH, Luttgen, G & Bos, H 2017, DSIbin: Identifying dynamic data structures in C/C++ binaries. in 2017 32nd IEEE/ACM International Conference on Automated Software Engineering (ASE): [Proceedings]., 8115646, Institute of Electrical and Electronics Engineers Inc., pp. 331-341, 32nd IEEE/ACM International Conference on Automated Software Engineering, ASE 2017, Urbana-Champaign, United States, 30/10/17. https://doi.org/10.1109/ASE.2017.8115646

DSIbin: Identifying dynamic data structures in C/C++ binaries. / Rupprecht, Thomas; Chen, Xi; White, David H. et al.
2017 32nd IEEE/ACM International Conference on Automated Software Engineering (ASE): [Proceedings]. Institute of Electrical and Electronics Engineers Inc., 2017. p. 331-341 8115646.

Research output: Chapter in Book / Report / Conference proceeding › Conference contribution › Academic › peer-review

TY - GEN

T1 - DSIbin: Identifying dynamic data structures in C/C++ binaries

AU - Rupprecht, Thomas

AU - Chen, Xi

AU - White, David H.

AU - Boockmann, Jan H.

AU - Luttgen, Gerald

AU - Bos, Herbert

PY - 2017

Y1 - 2017

N2 - Reverse engineering binary code is notoriously difficult and, especially, understanding a binary's dynamic data structures. Existing data structure analyzers are limited wrt. program comprehension: they do not detect complex structures such as skip lists, or lists running through nodes of different types such as in the Linux kernel's cyclic doubly-linked list. They also do not reveal complex parent-child relationships between structures. The tool DSI remedies these shortcomings but requires source code, where type information on heap nodes is available. We present DSIbin, a combination of DSI and the type excavator Howard for the inspection of C/C++ binaries. While a naive combination already improves upon related work, its precision is limited because Howard's inferred types are often too coarse. To address this we auto-generate candidates of refined types based on speculative nested-struct detection and type merging; the plausibility of these hypotheses is then validated by DSI. We demonstrate via benchmarking that DSIbin detects data structures with high precision.

AB - Reverse engineering binary code is notoriously difficult and, especially, understanding a binary's dynamic data structures. Existing data structure analyzers are limited wrt. program comprehension: they do not detect complex structures such as skip lists, or lists running through nodes of different types such as in the Linux kernel's cyclic doubly-linked list. They also do not reveal complex parent-child relationships between structures. The tool DSI remedies these shortcomings but requires source code, where type information on heap nodes is available. We present DSIbin, a combination of DSI and the type excavator Howard for the inspection of C/C++ binaries. While a naive combination already improves upon related work, its precision is limited because Howard's inferred types are often too coarse. To address this we auto-generate candidates of refined types based on speculative nested-struct detection and type merging; the plausibility of these hypotheses is then validated by DSI. We demonstrate via benchmarking that DSIbin detects data structures with high precision.

KW - Data structure identification

KW - dynamic data structures

KW - pointer programs

KW - reverse engineering

KW - type recovery

UR - https://www.scopus.com/pages/publications/85041447163

UR - https://www.scopus.com/pages/publications/85041447163#tab=citedBy

U2 - 10.1109/ASE.2017.8115646

DO - 10.1109/ASE.2017.8115646

M3 - Conference contribution

AN - SCOPUS:85041447163

SN - 9781538639764

SP - 331

EP - 341

BT - 2017 32nd IEEE/ACM International Conference on Automated Software Engineering (ASE)

PB - Institute of Electrical and Electronics Engineers Inc.

T2 - 32nd IEEE/ACM International Conference on Automated Software Engineering, ASE 2017

Y2 - 30 October 2017 through 3 November 2017

ER -

DSIbin: Identifying dynamic data structures in C/C++ binaries

Abstract

Conference

Funding

Keywords

Access to Document

Persistent URL (handle)

Other files and links

Fingerprint

Cite this