Vartan Padaryan

Russian Academy of Sciences | RAS · Institute for System Programming of the Russian Academy of Sciences

The mathematical foundations of abstract interpretation provide a unified method of formalization and research of program analysis algorithms for a broad spectrum of practical problems. However, its practical usage for binary code analysis faces several challenges, of both scientific and engineering nature. In this paper we address some of those ch...

Many binary code analysis tools rely on intermediate representation (IR) derived from a binary code, instead of working directly with machine instructions. In this paper, we first consider binary code analysis problems that benefit from IR and compile a list of requirements that the IR suitable for solving these problems should meet. Generally spea...

A representation of algorithms extracted from binary code by reverse engineering is discussed. Both intermediate representations designed for automatic analysis and final representations passed to the end user are considered. The two main tasks of reverse engineering—automatic detection of exploitable vulnerabilities and discovery of undocumented f...

A lot of binary code analysis tools do not work directly with machine instructions, instead relying on an intermediate representation from the binary code. In this paper, we first analyze problems in binary code analysis that benefit from such an IR and construct a list of requirements that an IR suitable for solving these problems must meet. Gener...

The paper discusses the problem of representation of algorithms extracted from binary code in course of reverse engineering: both representations for automatic analysis and final representations for the user. Two key subproblems of reverse engineering are focused on: automatic search for exploitable defects and discovery of undeclared capabilities....

Tracking and verification of data flows includes set of techniques that can be applied to make applications more secure, to perform software analysis for debugging or reverse engineering, and so on. Taint analysis is one of the techniques used to control data flows. This paper presents an approach for system-wide lightweight platform-aware taint an...

This paper proposes a new object model of data for the in-depth analysis of network traffic. In contrast to the model used by most modern network analyzers (for example, Wireshark and Snort), the proposed model supports data stream reassembling with subsequent parsing. The model also provides a convenient universal mechanism for binding parsers, th...

A technology of the deterministic replay of an execution process in virtual machines can be used for debugging, improving reliability and robustness, software development and incident investigation (including reverse engineering of malware). The paper describes an implementation of deterministic replay for guest machines based on IA-32 in the emula...

This paper introduces a refined method for automated exploitability evaluation of found program bugs. During security development lifecycle a significant number of crashes is detected in programs. Because of limited resources, bug fixing is time consuming and needs prioritization. It should be the matter of highest priority to fix exploitable bugs....

The article proposes different methods of presenting network traffic analysis results, the need for which arises primarily in the area of network security. One of the most important tasks is to identify malicious traffic. For this purpose both the complete graph of network interactions and time-based packet diagram are presented. These components a...

In recent years mobile devices have become an integral part of daily routine, most of them based on Android OS. This leads to rapid growth of malicious applications for the Android platform, as well as specialized analysis tools. In this article we discuss current Android security issues and propose a classification of these issues by categories. A...

In this paper memory violation detection method is considered. This method applied to program binaries, without requiring debug information. It allows to find such memory violations as out-of-bound read or writing in some buffer. The technique is based on dynamic analysis and symbolic execution. We present a tool implemented the method. We used thi...

The deterministic replay technique can be used for debugging, improving reliability and robustness, software development and incident investigation (including reverse engineering of malware). The paper describes the implementation of deterministic replay of IA-32 based boards in QEMU. Another implementation of this technique in QEMU had been previo...

The article suggests a new object model of data for in-depth analysis of network traffic. In contrast to the model used by most existing network analyzers, such as Wireshark or Snort, the core of our model supports data streams reassembling and next processing. The model also provides a convenient universal mechanism for binding parsers. So one can...

In this paper search method for format string vulnerabilities is presented. The method is based on dynamic analysis and symbolic execution. It is applied to program binaries, without requiring debug information. We present a tool implementing this method. We have used this tool to detect known vulnerabilities in Linux programs.

Methods and tools for binary code analysis developed in the Institute of System Programming, Russian Academy of Sciences, and their applications in algorithm and data format recovery are considered. The executable code of various general-purpose CPU architectures is analyzed. The analysis is performed given no source codes, debugging information, a...

An automated method for exploit generation is presented. This method allows one to construct exploits for stack buffer overflow vulnerabilities and to prioritize software bugs. The method is based on the dynamic analysis and symbolic execution of programs. It could be applied to program binaries and does not require debug information. The proposed...

The article presents the experience of using software emulators as a tool for dynamic analysis of binary code: as a machine instruction tracer, and as a smart interactive debugger. We provide a description of deterministic replay implemented in the QEMU emulator to supply the stated functionalities.

This paper proposes a decomposition of generic software security problems, mapping them to smaller problems of static and dynamic binary code analysis.

Obfuscation algorithms are now widely used to prevent software reverse engineering. Binary code virtualization is one of the most powerful obfuscations technics. Another obfuscation method known as “dispatching” can be used to transform application control flow similarly to virtual machine insertion. Our research was aimed at reconstruction of cont...

In the paper we evaluate two approaches to full-system deterministic replay. Both of them allow replaying guest OS and applications without modifications. Deterministic replay is intended for debugging and dynamic analysis of system core, multithreaded and non-deterministic applications, cross-platform applications, and devices’ drivers.Presented a...

We propose a model describing the operational semantics of machine instructions for a wide class of target architectures. A special feature of the model is that it is designed for the inverse (compared to the classical compiler problem) tract of transformations, but, at the same time, the model makes it possible to perform different optimizing tran...

The paper considers the model of a parallel program, which can be effectively interpreted using an instrumental computer, allowing for fairly exact prediction of the actual runtime of a parallel program on a specific parallel computing system. The model has been developed for parallel Java-programs with explicit exchange of messages by means of the...

A model of parallel program that can be effectively interpreted on the development computer guaranteeing the possibility of a sufficiently precise prediction of real run time for a simulated parallel program at the prescribed computer system is studied. The model is worked out for parallel programs with explicit message passing written in the Java...

This paper considers a model of a parallel program that can efficiently be interpreted on an instrumental computer, providing a means for a sufficiently accurate prediction of the actual time needed for execution of the parallel program on a given parallel computational system. The model is designed for parallel programs with explicit message passi...

This chapter discusses checkpointing improvement in ParJava environment. ParJava supports development and maintenance of data parallel programs. ParJava environment provides developers of a data parallel program a wide set of tools allowing analysis of its properties. These tools allow getting precise estimates of program execution time as a functi...

In the present paper the ParJava integrated environment supporting the devel-opment and maintenance of data parallel Java-programs is discussed. When a parallel program is developed it is necessary to assure not only its correctness, but also its efficiency and scalability. For this purpose it is useful to know some dynamic properties of the progra...

In the present paper a new facility of Par Java integrated environment - rollback recovery tool, -is discussed Existing coordinated checkpointing algorithms are improved, in order to apply them to high performance computations. We offer to study data parallel program, and select program intervals with minimal JVM's heap usage, as most suitable for...

ParJava integrated environment supporting the development and maintenance of data parallel Java-programs is discussed. When a parallel program is developed it is necessary to assure not only its correctness, but also its efficiency and scalability. For this purpose it is useful to know some dynamic properties of the program (profiles, traces, slice...

ParJava integrated environment supporting development and maintenance of data parallel Java-programs is discussed. When a parallel program is developed it is necessary to assure not only its correctness, but also its efficiency and scalability. For this purpose it is useful to know some dynamic properties of the program. This information may help t...