Franck de Goër - Reverse Engineering binary code in one execution - A lightweight function based dynamic execution

08:15
Friday
20
Oct
2017
Organized by: 
Franck de Goër
Speaker: 
Franck de Goër, LIG/VASCO et VERIMAG/PACSS
Teams: 

Jury :

  • Roland Groz, professeur, Grenoble INP, directeur de thèse
  • Laurent Mounier, maître de conférences, Université Grenoble Alpes, codirecteur de thèse
  • Kavé Salamatian, professeur des universités, Université de Savoie, examinateur
  • Valérie Viet Triem Tong, professeur associé, Centrale Supelec, rapporteur
  • Jacques Klein, Senior Research scientist, Université du Luxembourg , rapporteur
  • Andy King, professeur, University of Kent, examinateur
  • Sarah Zennou, ingénieur de recherche, Airbus Group, examinateur
  • Marion Videau, maître de conférences, LORIA, examinateur
     

In this thesis we propose a new approach for dynamic analysis of binary codes. This work takes place in the context of reverse engineering of binary codes, with some security-oriented objectives ins mind. like malware analysis or vulnerability detection.
In particular we aim to retrieve high-level information from a binary program through a single code execution. Typical information we are interested in are function prototypes, function ``coupling'' (input-output data-flow relations between functions) and retrieving dynamic
memory allocators. The approach we proposed is based on heuristics in order to efficiently analyze large programs. Experiments  show that the results obtained  remain accurate enough, with respect to more expensive analysis techniques.

Our approach is guided by the following principles: 1) universality -  assumptions on the target programs are weak (no need to re-compile the code, can be applied on stripped binaries), 2) scalability - the analysis is light enough to deal with large programs,
3) accuracy favouring correctness - we try to minimize as much as possible the number of false positives (e.g., detecting spurious parameters on a given function).