Jared Chandler (Tufts University)

Reverse engineering message formats from static network traces is a difficult and time-consuming security task, critical for a variety of purposes: bug-finding via fuzz testing, automatic exploit generation, understanding the communications of hostile systems, and recovering specifications that are proprietary or have been lost. In this talk we describe our experiences evaluating BinaryInferno, a tool for automatically reverse engineering binary message formats from network traces. We discuss considerations for selecting protocols to evaluate, determining message format ground truth, and assembling representative datasets. Two issues we examine are the availability of real-world captures for malware protocols, and the need to validate that individual protocol messages actually conform to their ground truth specifications. We detail the engineering aspects of comparing BinaryInferno against related tools, the issues which arose, and how we address them. We examine different evaluation metrics and their tradeoffs as related to uncovering unknown message formats. We discuss how we handled the different representations of message format produced by each related tool. Finally, we conclude with a set of recommendations for future experiments involving protocol reverse engineering.

Speaker’s Biography

Jared Chandler is a PhD candidate studying Computer Science at Tufts University. His research focuses on computer security with an emphasis on automatic methods to reverse engineer unknown binary protocols, human-computer interaction, and cyber deception.
