[HGI-News-de] Colloquium: "Analyzing x86 Executables with Jakstab" - Johannes Kinder - Thursday, 02 December 2010

Newsletter of the Horst Görtz Institute hgi-news-deutschland at lists.ruhr-uni-bochum.de
Wed Nov 24 14:26:23 CET 2010



Dear Sir or Madam,

As part of the HGI Colloquium, organised by the Chair for Network and
Data Security (NDS), Johannes Kinder of TU Darmstadt will speak on
"Analyzing x86 Executables with Jakstab" next Thursday, 02 December 2010.

The talk starts at 11:00 sharp (s.t.) in room ID 03/445. All students
and anyone else interested are warmly invited to this and all other
talks in the Hackerpraktikum series! No prior registration is required!

Further information is available on the following web page:
https://www.nds.rub.de/chair/lectures/471/

Abstract:
This work is concerned with static analysis of binary executables
in a theoretically well-founded, sound, yet practical way. The
major challenge is the reconstruction of a correct control flow
graph in the presence of indirect jumps, pointer arithmetic, and
untyped variables.

We argue for the integration of disassembly, control flow
reconstruction, and static analysis in a unified process. We
introduce a framework for simultaneous control and data flow
analysis on low-level binary code, which is proven to yield the
most precise control flow graph with respect to the precision of
the data flow domain. A very precise domain that lends itself
well to control flow reconstruction is introduced in Bounded
Address Tracking, a combined pointer and value analysis that
supports pointer arithmetic. It tracks variable valuations up to
a tunable bound on the number of values per variable per program
location. Its path sensitivity generally allows strong updates to
memory, i.e., heap regions are uniquely identified, and equips it
with context sensitivity without assuming a correct layout of
procedures.

These building blocks are combined into an extensible program
analysis architecture, which is implemented in the novel binary
analysis tool Jakstab. Jakstab works directly on binaries and
disassembles instructions on demand while exploring the program's
state space, allowing it to handle low-level features such as
overlapping instructions, which cause difficulties for regular
disassemblers. The architecture is highly configurable to allow
a wide range of analyses, from sound abstract interpretation to
heuristics-supported disassembly. Its practical feasibility and
improvements over existing approaches are shown through case
studies on device driver binaries and system executables found on
a regular desktop PC.
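As an added illustration of the approach sketched in the abstract (this is example code written for this page, not Jakstab's own code or data structures), the following Python script shows the two points that distinguish on-demand, state-driven disassembly from a plain linear sweep: instructions are decoded only at addresses the exploration actually reaches, so overlapping instructions are found, and an indirect `jmp eax` is resolved from a per-register set of at most `BOUND` concrete values per location, a deliberately simplified stand-in for bounded address tracking (no memory, flags or procedure layout are tracked). The tiny decoder, the `BOUND` constant, the constructed sample bytes and all function names are assumptions made for this example; a real tool would use a full decoder and a far richer abstract domain.

```python
# Added illustration (not Jakstab's code): a decoder for a few x86-32 opcodes
# and a worklist analysis that decodes only at addresses it actually reaches,
# tracking per register and location a set of at most BOUND concrete values
# (a much simplified form of the bounded address tracking idea).
BOUND = 4          # values tracked per register per location (assumed bound)
REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
TOP = None         # unknown value set (never constrained, or bound exceeded)

def decode(code, pc):
    """Decode one instruction at pc -> (length, mnemonic, operands).
    Only the opcodes used by the sample are supported (assumption)."""
    op = code[pc]
    if op == 0x90:
        return 1, "nop", ()
    if op == 0xC3:
        return 1, "ret", ()
    if op in (0xEB, 0x74, 0x75):                      # jmp/jz/jnz rel8
        rel = int.from_bytes(code[pc + 1:pc + 2], "little", signed=True)
        return 2, {0xEB: "jmp", 0x74: "jz", 0x75: "jnz"}[op], (pc + 2 + rel,)
    if 0xB8 <= op <= 0xBF:                            # mov r32, imm32
        imm = int.from_bytes(code[pc + 1:pc + 5], "little")
        return 5, "mov", (REGS[op - 0xB8], imm)
    if op == 0x31 and code[pc + 1] >= 0xC0:           # xor r32, r32
        modrm = code[pc + 1]
        return 2, "xor", (REGS[modrm & 7], REGS[(modrm >> 3) & 7])
    if op == 0xFF and 0xE0 <= code[pc + 1] <= 0xE7:   # jmp r32 (indirect)
        return 2, "jmp_ind", (REGS[code[pc + 1] & 7],)
    raise ValueError(f"unsupported opcode {op:#04x} at {pc:#04x}")

def join(a, b):
    """Union of two value sets, widened to TOP once BOUND is exceeded."""
    if a is TOP or b is TOP:
        return TOP
    u = a | b
    return TOP if len(u) > BOUND else u

def transfer(mn, ops, st):
    """Abstract effect of one instruction on the register state."""
    out = dict(st)
    if mn == "mov":
        out[ops[0]] = frozenset({ops[1]})
    elif mn == "xor":                  # only xor r,r is modelled precisely
        out[ops[0]] = frozenset({0}) if ops[0] == ops[1] else TOP
    return out

def reconstruct_cfg(code, entry=0):
    """Worklist exploration; returns (states per reached address, CFG edges,
    addresses of indirect jumps whose target set was unknown)."""
    states, edges, unresolved = {}, set(), set()
    worklist = [(entry, {r: TOP for r in REGS})]
    while worklist:
        pc, st = worklist.pop()
        old = states.get(pc)
        if old is not None:
            st = {r: join(old[r], st[r]) for r in REGS}
            if st == old:              # nothing new at this location: fixpoint
                continue
        states[pc] = st
        length, mn, ops = decode(code, pc)   # decoded on demand, only here
        out = transfer(mn, ops, st)
        if mn == "ret":
            succs = []
        elif mn == "jmp":
            succs = [ops[0]]
        elif mn in ("jz", "jnz"):      # flags not tracked: keep both edges
            succs = [pc + length, ops[0]]
        elif mn == "jmp_ind":
            vals = st[ops[0]]
            succs = [] if vals is TOP else sorted(vals)
            if vals is TOP:
                unresolved.add(pc)    # target unknown: no edge can be built
        else:
            succs = [pc + length]
        for s in succs:
            edges.add((pc, s))
            worklist.append((s, out))
    return states, edges, unresolved

def linear_sweep(code, start=0):
    """Conventional sequential disassembly, for comparison."""
    pc, starts = start, []
    while pc < len(code):
        starts.append(pc)
        pc += decode(code, pc)[0]
    return starts

def overlapping(code, starts):
    """Pairs of instruction starts whose byte ranges intersect."""
    spans = {s: range(s, s + decode(code, s)[0]) for s in starts}
    return sorted((a, b) for a in spans for b in spans if a < b and b in spans[a])

# Constructed sample: the immediate of the mov at 0x04 doubles as four nops
# reached via the jnz; the jmp eax at 0x0E is resolvable only by tracking eax.
SAMPLE = bytes([
    0x31, 0xC0,                     # 00: xor eax, eax
    0x75, 0x01,                     # 02: jnz 0x05
    0xB8, 0x90, 0x90, 0x90, 0x90,   # 04: mov eax, 0x90909090 (05..08 also nops)
    0xB8, 0x11, 0x00, 0x00, 0x00,   # 09: mov eax, 0x11
    0xFF, 0xE0,                     # 0E: jmp eax  -> 0x11
    0xC3,                           # 10: ret (dead byte, never executed)
    0x90,                           # 11: nop
    0xC3,                           # 12: ret
])

if __name__ == "__main__":
    states, edges, unresolved = reconstruct_cfg(SAMPLE)
    print("linear sweep:", [hex(a) for a in linear_sweep(SAMPLE)])
    print("explored:    ", [hex(a) for a in sorted(states)], "unresolved:", unresolved)
```

On the sample, the linear sweep never sees the nops at 0x05..0x08 (it swallows them as the immediate of the mov at 0x04) and decodes the dead byte at 0x10, whereas the exploration reports both the mov and the nops as instruction starts, flags them as overlapping, and builds the edge from 0x0E to 0x11 because eax is known to be exactly 0x11 there. Raising the number of distinct values loaded into eax above `BOUND` widens the set to `TOP` and the jump lands in `unresolved`, which is the precision/bound trade-off the abstract refers to.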


Best regards

Florian Kohlar

-- 
Dipl.-Ing. Florian Kohlar

Chair for Network and Data Security
Ruhr-Universität Bochum
-----------------------------------
Universitätsstr. 150, Geb. ID 2/457
D-44780 Bochum

Phone: +49 (0) 234 / 32-26798
Fax: +49 (0) 234 / 32-14347
http://www.nds.rub.de


