Presentation-Reverse Engineering of Data Structures from Binary by Zhiqiang Lin

The syntactic and semantic definitions of a program's data structures are valuable to many security and forensics applications, such as memory image mining, software vulnerability discovery, protocol reverse engineering, and virtual machine introspection. 

In this talk, I will present a systematic framework to reverse engineer data structure definitions as well as data structure instances without a program's source code. In the first part of the talk, I will present REWARDS, a main component of the framework that automatically reveals the syntactic and semantic definitions of data structures from a program's binary. I will then demonstrate the unique benefits of REWARDS to binary software vulnerability discovery and botnet investigation. In the second part of the talk, I will present SigGraph, another key component of my framework that automatically generates non-isomorphic, context-free data structure signatures, for reverse engineering data structure instances from memory images. In particular, I instantiate SigGraph for generating signatures of OS kernel objects without requiring global kernel memory mapping information. I will demonstrate the application of SigGraph to kernel memory forensics and kernel rootkit detection. Finally, I will give an overview of my other research efforts and propose my future work.


Zhiqiang Lin is a doctoral candidate in the Department of Computer Science at Purdue University. He is also affiliated with CERIAS, the Center for Education and Research in Information Assurance and Security. His research efforts primarily focus on Systems and Software Security, with an emphasis on the development of program analysis and reverse engineering techniques, and their applications to OS kernel integrity enforcement, software vulnerability discovery, malicious code analysis, and computer forensics.


Monday, February 21st, 3:00 pm at Jacobs Believed in Me Auditorium