The analysis of computer files poses a difficult problem for security researchers seeking to detect and analyze malicious content, for software developers stress-testing the file formats their products consume, and for other researchers seeking to understand the behavior and structure of undocumented file formats. Traditional tools, including hex editors, disassemblers and debuggers, are powerful but constrain analysis to primarily text-based approaches. In this paper, we present design principles for file analysis that support meaningful investigation when there is little or no knowledge of the underlying file format, yet are flexible enough to allow integration of additional semantic information when it is available. We also present results from the implementation of a visual reverse engineering system based on this analysis. We validate the efficacy of both the analysis and the system with case studies depicting use cases where a hex editor would be of limited value. Our results indicate that visual approaches help analysts rapidly identify files, analyze unfamiliar file structures, and gain insights that inform and complement the tools currently in use.
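To make the format-agnostic idea concrete, here is an added example (not code from the paper or its system) that profiles an unknown file by byte class and per-block Shannon entropy, the kind of signal a byte-view visualization colours, and prints one glyph per block; the sample file, the block size of 32 and the class thresholds are all constructed assumptions.

```python
import hashlib
import math
from collections import Counter

# Constructed stand-in for an undocumented file: a text-like header, a run of
# zero padding, then a payload that looks compressed or encrypted (SHA-256
# digests serve only as deterministic, random-looking filler).
def build_sample() -> bytes:
    header = b"SAMPLEv1;width=640;height=480;" + b"#" * 34                 # 64 bytes
    padding = b"\x00" * 128
    payload = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(8))  # 256 bytes
    return header + padding + payload

def block_entropy(block: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for an empty or single-valued block."""
    if not block:
        return 0.0
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())

def classify(block: bytes) -> str:
    """Coarse byte-class label, the kind of colouring a byte-view display uses.
    Thresholds are illustrative heuristics, not values from the paper."""
    if not block or not any(block):
        return "zero"
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in block) / len(block)
    if printable > 0.9:
        return "text"
    # A block of n bytes cannot exceed log2(min(256, n)) bits of entropy, so
    # compare against that ceiling rather than the usual 8 bits per byte.
    ceiling = math.log2(min(256, len(block))) or 1.0
    if block_entropy(block) / ceiling > 0.85:
        return "high-entropy"
    return "binary"

def profile(data: bytes, block_size: int = 32) -> list:
    """One (offset, class, entropy) triple per block across the whole file."""
    offsets = range(0, len(data), block_size)
    return [(off, classify(data[off:off + block_size]),
             round(block_entropy(data[off:off + block_size]), 2)) for off in offsets]

def segments(data: bytes, block_size: int = 32) -> list:
    """Merge adjacent same-class blocks into (offset, length, class) regions."""
    out = []
    for off, cls, _ in profile(data, block_size):
        length = min(block_size, len(data) - off)
        if out and out[-1][2] == cls:
            out[-1] = (out[-1][0], out[-1][1] + length, cls)
        else:
            out.append((off, length, cls))
    return out

if __name__ == "__main__":
    data = build_sample()
    glyph = {"zero": ".", "text": "t", "high-entropy": "#", "binary": "b"}
    print("".join(glyph[c] for _, c, _ in profile(data)))  # one glyph per 32-byte block
    for off, length, cls in segments(data):
        print(f"0x{off:04x} +{length:4d}  {cls}")
```

The three regions recovered here (text header, zero padding, high-entropy payload) are exactly the structure an analyst would want surfaced before any parser for the format exists.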