Abstract
The analysis of computer files poses a difficult problem for security researchers seeking to detect and analyze malicious content, for software developers stress-testing the file formats their products consume, and for other researchers seeking to understand the behavior and structure of undocumented file formats. Traditional tools, including hex editors, disassemblers and debuggers, while powerful, constrain analysis to primarily text-based approaches. In this paper, we present design principles for file analysis that support meaningful investigation when there is little or no knowledge of the underlying file format, yet are flexible enough to allow the integration of additional semantic information when it is available. We also present results from the implementation of a visual reverse engineering system based on our analysis. We validate the efficacy of both our analysis and our system with case studies depicting analysis use cases where a hex editor would be of limited value. Our results indicate that visual approaches help analysts rapidly identify files, analyze unfamiliar file structures, and gain insights that inform and complement the suite of tools currently in use.
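To make concrete what a format-agnostic first look at a file can reveal, here is an added example (written for this page, not the system the paper describes): it renders a byte-class map and a windowed Shannon-entropy profile over an input with no knowledge of its format, then segments the file into regions (constant, structured/text, high-entropy) purely from those statistics. The input is a constructed blob with a printable header, zero padding and a pseudo-random payload; the byte classes, window sizes and entropy thresholds are assumptions chosen for illustration.

```python
"""Format-agnostic first look at an unknown file: byte-class map plus
windowed entropy profile. Added illustration, not the paper's system."""
import hashlib
import math
from collections import Counter


def build_sample() -> bytes:
    """Constructed input (not a real file): 256 bytes of printable header,
    256 bytes of zero padding, then 512 bytes of pseudo-random payload
    derived from a SHA-256 chain so the data is deterministic offline."""
    header = ("MAGIC=BLOB1 VERSION=2 CREATED=2008-09-15 AUTHOR=analyst " * 5)[:256]
    padding = b"\x00" * 256
    payload, state = b"", b"seed"
    while len(payload) < 512:
        state = hashlib.sha256(state).digest()
        payload += state
    return header.encode("ascii") + padding + payload[:512]


# Assumed byte classes; any scheme that separates nulls, text and
# high bytes lets structure stand out without knowing the format.
CLASS_LEGEND = {"0": "0x00", "F": "0xFF", "a": "printable ASCII",
                "l": "control (<0x20, 0x7F)", "h": "high (0x80-0xFE)"}


def byte_class(b: int) -> str:
    if b == 0x00:
        return "0"
    if b == 0xFF:
        return "F"
    if 0x20 <= b <= 0x7E:
        return "a"
    if b < 0x20 or b == 0x7F:
        return "l"
    return "h"


def byteplot_rows(data: bytes, width: int = 64) -> list:
    """One text row of class characters per `width` bytes of input."""
    return ["".join(byte_class(b) for b in data[i:i + width])
            for i in range(0, len(data), width)]


def shannon_entropy(chunk: bytes) -> float:
    """Entropy in bits per byte (0.0 for constant data, 8.0 for uniform)."""
    if not chunk:
        return 0.0
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in Counter(chunk).values())


def entropy_segments(data: bytes, window: int = 256,
                     constant_max: float = 0.5, structured_max: float = 6.0) -> list:
    """Label each window by entropy band and merge adjacent windows with the
    same label into (start, end, label) regions. Thresholds are assumptions:
    near 0 means constant fill, mid-range means text or structured data,
    and values approaching 8 suggest compression or encryption."""
    regions = []
    for start in range(0, len(data), window):
        end = min(start + window, len(data))
        e = shannon_entropy(data[start:end])
        label = ("constant" if e < constant_max
                 else "structured" if e < structured_max
                 else "high-entropy")
        if regions and regions[-1][2] == label:
            regions[-1] = (regions[-1][0], end, label)
        else:
            regions.append((start, end, label))
    return regions


def render(data: bytes, width: int = 64) -> str:
    """Text rendering of the byte-class map with per-row entropy."""
    lines = []
    for i, row in enumerate(byteplot_rows(data, width)):
        e = shannon_entropy(data[i * width:(i + 1) * width])
        lines.append(f"{i * width:06x}  {row}  H={e:4.2f}")
    return "\n".join(lines)


if __name__ == "__main__":
    sample = build_sample()
    print(render(sample))
    for start, end, label in entropy_segments(sample):
        print(f"{start:#08x}-{end:#08x}  {label}")
```

Run on the constructed blob, the map shows four rows of printable text, four rows of nulls and eight rows of high bytes, and the entropy profile separates the same three regions without any format knowledge; on a real file the same view lets an analyst spot headers, padding, embedded text and packed or encrypted sections before reaching for a hex editor.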
© 2008 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Conti, G., Dean, E., Sinda, M., Sangster, B. (2008). Visual Reverse Engineering of Binary and Data Files. In: Goodall, J.R., Conti, G., Ma, KL. (eds) Visualization for Computer Security. VizSec 2008. Lecture Notes in Computer Science, vol 5210. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-85933-8_1
DOI: https://doi.org/10.1007/978-3-540-85933-8_1
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-85931-4
Online ISBN: 978-3-540-85933-8