Yonghwi Kwon - Purdue University

Sep 09, 2015


"P2C: Understanding Output Data Files via On-the-Fly Transformation from Producer to Consumer Executions"


In cyber-attack analysis, it is often highly desirable to understand the meaning of an unknown file or network message in the absence of its consumer (i.e. the program that parses and understands the file/message). For example, malware may stealthily collect information from a victim machine, store it as a file and later send it to a remote server. P2C is a novel technique that can parse and understand unknown files and network messages. Given a file/message that was generated in the past without the presence of any monitoring techniques, and a set of potential producers of the file/message, P2C systematically explores the execution paths in the producers without requiring any inputs. In the meantime, it tries to transform a producer execution into a consumer execution that closely resembles the ideal consumer execution that can parse the given unknown file/message. In particular, when a write operation is encountered in the original execution, P2C performs the opposite read operation on the unknown file/message and patches the original execution with the loaded value. In order to handle correlations between data fields in the file/message, P2C follows a trial-and-error approach to look for the correct transformation until the file/message can be parsed and the meaning of its fields can be disclosed. Our experiments on a set of real-world applications demonstrate that P2C is highly effective.
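A toy model of the write-to-read transformation described in the abstract, added here as an illustration; it is not P2C's implementation, and the `producer` function, its count/length/host layout and the `ProducerIO`/`ConsumerIO` classes are hypothetical. It covers only a single path, where the patched values drive the correlated loop bound and field lengths, and leaves out path exploration and the trial-and-error search.

```python
import io
import struct

class ProducerIO:
    """Normal producer run: values are written to the output file."""
    def __init__(self):
        self.buf = io.BytesIO()
    def u32(self, name, value):
        self.buf.write(struct.pack("<I", value))
        return value
    def blob(self, name, data):
        self.buf.write(data)
        return data

class ConsumerIO:
    """Transformed run: each write becomes the opposite read on the unknown file."""
    def __init__(self, unknown):
        self.buf = io.BytesIO(unknown)
        self.fields = []              # (field name, recovered value)
    def _take(self, n):
        data = self.buf.read(n)
        if len(data) != n:
            raise ValueError("unknown file is shorter than this path expects")
        return data
    def u32(self, name, value):
        loaded = struct.unpack("<I", self._take(4))[0]
        self.fields.append((name, loaded))
        return loaded                 # patched back into the producer's variable
    def blob(self, name, data):
        loaded = self._take(len(data))
        self.fields.append((name, loaded))
        return loaded

def producer(out, hosts=()):
    """Hypothetical producer: a count followed by length-prefixed host names."""
    count = out.u32("count", len(hosts))
    for i in range(count):            # loop bound follows the (patched) count
        name = hosts[i] if i < len(hosts) else b""
        n = out.u32(f"len[{i}]", len(name))
        out.blob(f"host[{i}]", name.ljust(n, b"\0")[:n])

def parse_unknown(unknown):
    """Run the producer with no input; the unknown file supplies every value."""
    cio = ConsumerIO(unknown)
    producer(cio)
    if cio.buf.read(1):
        raise ValueError("trailing bytes: this transformation did not fit the file")
    return cio.fields
```

A `ValueError` from `parse_unknown` marks a candidate producer or path that does not fit the file, which is the signal a search over alternatives would use to move on.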

About the Speaker

Yonghwi Kwon is a PhD student in the Department of Computer Science at Purdue University.
His research interests include, but are not limited to, dynamic/static binary analysis, reverse-engineering, and system security, focusing on solving security and debugging problems using dynamic binary analysis and translation techniques. He is a recipient of the SIGSOFT Distinguished Paper Award and Best Paper Award from ASE 2013.

Unless otherwise noted, the security seminar is held on Wednesdays at 4:30 P.M. in STEW G52 (Suite 050B), West Lafayette Campus.