Title :
Extracting Output Formats from Executables
Author :
Lim, Junghee ; Reps, Thomas ; Liblit, Ben
Author_Institution :
Comput. Sci. Dept., Wisconsin Univ., Madison, WI
Abstract :
We describe the design and implementation of FFE/x86 (File-Format Extractor for x86), an analysis tool that works on stripped executables (i.e., neither source code nor debugging information need be available) and extracts output data formats, such as file formats and network packet formats. We first construct a hierarchical finite state machine (HFSM) that over-approximates the output data format. An HFSM defines a language over the operations used to generate output data. We use value-set analysis (VSA) and aggregate structure identification (ASI) to annotate HFSMs with information that partially characterizes some of the output data values. VSA determines an over-approximation of the set of addresses and integer values that each data object can hold at each program point, and ASI analyzes memory accesses in the program to recover information about the structure of aggregates. A series of filtering operations is performed to over-approximate an HFSM with a finite-state machine, which can result in a final answer that is easier to understand. Our experiments with FFE/x86 uncovered a possible bug in the image-conversion utility png2ico
Keywords :
finite state machines; program debugging; program diagnostics; source coding; FFE/x86; aggregate structure identification; data formats; file-format extractor; filtering operations; hierarchical finite state machine; image-conversion utility; memory accesses; network packet formats; output formats; stripped executables; value-set analysis; Aggregates; Automata; Computer networks; Data mining; Debugging; Filtering; Information analysis; Performance analysis; Reverse engineering; Software tools;
Conference_Titel :
Reverse Engineering, 2006. WCRE '06. 13th Working Conference on
Conference_Location :
Benevento
Print_ISBN :
0-7695-2719-1
DOI :
10.1109/WCRE.2006.29
