The Center for Education and Research in Information Assurance and Security (CERIAS)

Yonghwi Kwon - Purdue University

P2C: Understanding Output Data Files via On-the-Fly Transformation from Producer to Consumer Executions

Sep 09, 2015

Abstract

In cyber-attack analysis, it is often highly desirable to understand the meaning of an unknown file or network message in the absence of its consumer (i.e., the program that parses and understands the file/message). For example, malware may stealthily collect information from a victim machine, store it in a file, and later send it to a remote server. P2C is a novel technique that can parse and understand unknown files and network messages. Given a file/message that was generated in the past without the presence of any monitoring techniques, and a set of potential producers of the file/message, P2C systematically explores the execution paths in the producers without requiring any inputs. In the meantime, it tries to transform a producer execution into a consumer execution that closely resembles the ideal consumer execution that can parse the given unknown file/message. In particular, when a write operation is encountered in the original execution, P2C performs the opposite read operation on the unknown file/message and patches the original execution with the loaded value. In order to handle correlations between data fields in the file/message, P2C follows a trial-and-error approach to look for the correct transformation until the file/message can be parsed and the meaning of its fields can be disclosed. Our experiments on a set of real-world applications demonstrate that P2C is highly effective.
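A simplified illustration of the write-to-read transformation described in the abstract, added here as an example and not P2C's implementation or code from the talk. The two-record format, the `producer` function and the `mem` dictionary standing in for program memory are all constructed, and the path exploration and trial-and-error search are left out.

```python
class Writer:
    """Normal producer run: write operations append to the output file."""
    def __init__(self):
        self.out = bytearray()
    def u8(self, mem, var):
        self.out += mem[var].to_bytes(1, "little")
    def u16(self, mem, var):
        self.out += mem[var].to_bytes(2, "little")
    def raw(self, mem, var, n):
        self.out += mem[var][:n]

class Replayer:
    """Transformed run: every write becomes the opposite read on the unknown
    file, and the loaded value is patched back into the producer's memory."""
    def __init__(self, blob):
        self.blob, self.pos, self.fields = blob, 0, []
    def _load(self, mem, var, n, decode):
        chunk = self.blob[self.pos:self.pos + n]
        if len(chunk) != n:
            raise ValueError(f"file ends inside field {var!r}")
        mem[var] = decode(chunk)                  # patch the execution
        self.fields.append((self.pos, var, mem[var]))
        self.pos += n
    def u8(self, mem, var):
        self._load(mem, var, 1, lambda b: int.from_bytes(b, "little"))
    def u16(self, mem, var):
        self._load(mem, var, 2, lambda b: int.from_bytes(b, "little"))
    def raw(self, mem, var, n):
        self._load(mem, var, n, bytes)

def producer(mem, io):
    """Constructed producer: logs either a captured buffer or a port number."""
    io.u8(mem, "kind")
    if mem["kind"] == 1:                          # branch follows the patched value
        mem["length"] = len(mem["data"])
        io.u16(mem, "length")                     # replay overwrites the computed length
        io.raw(mem, "data", mem["length"])        # field correlated with "length"
    else:
        io.u16(mem, "port")

def understand(blob):
    """Run the producer with no real inputs and recover (offset, name, value)."""
    mem = {"kind": 0, "length": 0, "data": b"", "port": 0}
    io = Replayer(blob)
    producer(mem, io)
    if io.pos != len(blob):
        raise ValueError("trailing bytes: this path does not match the file")
    return io.fields
```

Because the length and the branch condition are patched at the point of the write, the producer's own control flow and data dependencies end up parsing the file, and the variable names it wrote from label each recovered field.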

About the Speaker

Yonghwi Kwon is a PhD student in the Department of Computer Science at Purdue University. His research interests include, but are not limited to, dynamic/static binary analysis, reverse engineering, and system security, focusing on solving security and debugging problems using dynamic binary analysis and translation techniques. He is a recipient of the SIGSOFT Distinguished Paper Award and Best Paper Award from ASE 2013.