281,578 research outputs found

    Analytic Provenance for Software Reverse Engineers

    Reverse engineering is a time-consuming process essential to software-security tasks such as malware analysis and vulnerability discovery. During the process, an engineer will follow multiple leads to determine how the software functions. The combination of time and possible explanations makes it difficult for the engineers to maintain a context of their findings within the overall task. Analytic provenance tools have demonstrated value in similarly complex fields that require open-ended exploration and hypothesis vetting. However, they have not been explored in the reverse engineering domain. This dissertation presents SensorRE, the first analytic provenance tool designed to support software reverse engineers. A semi-structured interview with experts led to the design and implementation of the system. We describe the visual interfaces and their integration within an existing software analysis tool. SensorRE automatically captures user's sense-making actions and provides a graph and storyboard view to support further analysis. User study results with both experts and graduate students demonstrate that SensorRE is easy to use and that it improved the participants' exploration process

    IRE: A Framework For Inductive Reverse Engineering

    Reverse engineering is critical to reasoning about how a system behaves. While complete access to a system inherently allows for perfect analysis, partial access is inherently uncertain. This is the case for an individual agent in a distributed system. Inductive Reverse Engineering (IRE) enables analysis under such circumstances. IRE does this by producing program spaces consistent with individual input-output examples for a given domain-specific language. Then, IRE intersects those program spaces to produce a generalized program consistent with all examples. IRE, an easy-to-use framework, allows this domain-specific language to be specified in the form of Theorists, which produce Theories, a succinct way of representing the program space. Programs are often much more complex than simple string transformations. One of the ways in which they are more complex is in the way that they follow a conversation-like behavior, potentially following some underlying protocol. As a result, IRE represents program interactions as Conversations in order to more correctly model a distributed system. This, for instance, enables IRE to model dynamically captured inputs received from other agents in the distributed system. While domain-specific knowledge provided by a user is extremely valuable, such information is not always possible. IRE mitigates this by automatically inferring program grammars, allowing it to still perform efficient searches of the program space. It does this by intersecting conversations prior to synthesis in order to understand what portions of conversations are constant. IRE exists to be a tool that can aid in automatic reverse engineering across numerous domains. Further, IRE aspires to be a centralized location and interface for implementing program synthesis and automatic black box analysis techniques. Dissertation/Thesis. Masters Thesis, Computer Science 201

    The theory of interface slicing

    Interface slicing is a new tool which was developed to facilitate reuse-based software engineering, by addressing the following problems, needs, and issues: (1) size of systems incorporating reused modules; (2) knowledge requirements for program modification; (3) program understanding for reverse engineering; (4) module granularity and domain management; and (5) time and space complexity of conventional slicing. The definition of a form of static program analysis called interface slicing is addressed

    Economic Espionage Act--Reverse Engineering and the Intellectual Property Public Policy, The

    The publicity surrounding[...] incidents of industrial espionage resulted in a push for federal protections. In response to this pressure from U.S. industries, Congress passed the Economic Espionage Act of 1996 (EEA). The EEA protects trade secrets through the use of federal criminal sanctions. The EEA's provisions are introduced in Part I. Trade secrets are a form of intellectual property. Therefore, a basic understanding of intellectual property law is important to an analysis of the EEA. Part II of this Article provides an overview of the various forms of intellectual property. To be effective, the EEA must complement existing intellectual property jurisprudence. Yet, on its face the EEA prohibits practices that are otherwise lawful as part of a reverse engineering program. Part II of this Article also describes reverse engineering and examines its acceptance in each area of intellectual property law. Understanding the EEA in terms of the other forms of intellectual property protection and the practice of reverse engineering raises some concerns over the prudence of vigorous EEA enforcement. A strict reading of the EEA may prohibit reverse engineering. Since reverse engineering plays a significant role in the exploitation of knowledge committed to the public domain through the grant of patents and copyrights, prohibiting reverse engineering may stifle the drive to study and improve upon the existing knowledge base. Part III of this Article examines these concerns. The increasing importance of intellectual property in the world economy has created a trend toward criminalization of infringement. In addition to the acts covered by the EEA, some international agreements require criminal sanctions for infringement of various rights, certain acts of copyright infringement carry criminal penalties, and Congress is currently considering the Collections of Information Antipiracy Act.
While these laws are designed to protect intellectual property, the inclusion of criminal sanctions means that they must be analyzed in light of criminal law theories such as notice, vagueness, and leniency. As this trend continues, and prosecutions under these new laws become more frequent, it will be important for criminal practitioners to have a firm grasp of intellectual property concepts and for intellectual property attorneys to understand the importance of criminal law. Finally, it is important for Congress to consider such criminal law issues when enacting new intellectual property legislation. A discussion of these issues with respect to the EEA provides a framework for developing this discussion with respect to other intellectual property laws. To assist in determining the legitimacy of these concerns, Part I also examines the legislative history of the EEA to ascertain congressional intent with respect to the identified problems. Based upon the issues raised in Part III, Part IV proposes a solution to address these concerns while maintaining the effectiveness of the EEA in fulfilling its intended purpose. Specifically, the Article proposes amending the EEA to explicitly allow reverse engineering and to limit its application to espionage activities similar to those Congress had in mind when drafting the Act

    Towards Automatic Digitalization of Railway Engineering Schematics

    Relay-based Railways Interlocking Systems (RRIS) carry out critical functions to control stations. Despite being based on old and hard-to-maintain electro-mechanical technology, RRIS are still pervasive. A powerful CAD modeling and analysis approach based on symbolic logic has been recently proposed to support the re-engineering of relay diagrams into more maintainable computer-based technologies. However, the legacy engineering drawings that need to be digitized consist of large, hand-drawn diagrams dating back several decades. Manually transforming such diagrams into the format of the CAD tool is labor-intensive and error-prone, effectively a bottleneck in the reverse-engineering process. In this paper, we tackle the problem of automatic digitalization of RRIS schematics into the corresponding CAD format with an integrative Artificial Intelligence approach. Deep learning-based methods, segment detection, and clustering techniques for the automated digitalization of engineering schematics are used to detect and classify the single elements of the diagram. These elementary elements can then be aggregated into more complex objects leveraging the domain ontology. First results of the method’s capability of automatically reconstructing the engineering schematics are presented

    Towards owl ontologies from relational databases: An HTML-form driven approach

    The use of ontologies and ontology languages like OWL has attracted much attention, mainly in the Semantic Web research field. In this paper we focus on the problem of automating the generation of domain ontologies, at least partially, by applying a reverse engineering technique. We present the complete details of the process of semi-automatically creating an OWL ontology that corresponds to the content of a relational database based on the analysis of its related HTML forms. The main reason for this construction is to make the relational database information that is available on the Web machine-processable and reduce the time-consuming task of ontology creation. Copyright © 2007 by the International Society for Computers and Their Applications (ISCA)

    Improving Memory Forensics Through Emulation and Program Analysis

    Memory forensics is an important tool in the hands of investigators. However, determining if a computer is infected with malicious software is time consuming, even for experts. Tasks that require manual reverse engineering of code or data structures create a significant bottleneck in the investigative workflow. Through the application of emulation software and symbolic execution, these strains have been greatly lessened, allowing for faster and more thorough investigation. Furthermore, these efforts have reduced the barrier for forensic investigation, so that reasonable conclusions can be drawn even by non-expert investigators. While previously Volatility had allowed for the detection of malicious hooks and injected code with an insurmountably high false positive rate, the techniques presented in the work have allowed for a much lower false positive rate automatically, and yield more detailed information when manual analysis is required. The second contribution of this work is to improve the reliability of memory forensic tools. As it currently stands, if some component of the operating system or language runtime has been updated, the task of verifying that these changes do not affect the correctness of investigative tools involves a large reverse engineering effort, and significant domain knowledge, on the part of whoever maintains the tool. Through modifications of the techniques used in the hook analysis, this burden can be lessened or eliminated by comparing the last known functionality to the new functionality. This allows the tool to be updated quickly and effectively, so that investigations can proceed without issue