Scheme: Industry Fellowship
Organisation: University of Kent at Canterbury
Dates: Oct 2008-Sep 2012
Summary: My host organisation is routinely faced with the problem of reverse engineering binaries in order to audit them for security vulnerabilities. This amounts to taking an executable and studying it first, to understand its overall behaviour, and then second, to check whether it is prone to certain kinds of attack.
Understanding the behaviour of a source program developed by a third party is challenging enough, but understanding a binary is even more difficult. Furthermore, some clients, notably those from the government sector, require the audit to be performed by UK nationals. This presents problems in itself, as there are few British engineers who are skilled in reverse engineering. Retaining such highly skilled staff also presents problems for the whole work-chain: without a security engineer in post it is impossible to fulfil contractual obligations, even though reverse engineering might only be required for one aspect of the audit.
These socio-economic problems motivate the scientific question of how to automate reverse engineering. The aim of my work over the last year has therefore been to extract information from a binary so as to support a security engineer in the security audit; the idea is to derive as much information from a binary as possible, using purely mechanical techniques, and then present this information to the security engineer so that they do not need to derive it themselves. The information may not be sufficient to reason completely about the program, but the intention is that it is suitably detailed to aid the auditing task.