An Observational Investigation of Reverse Engineers' Process and Mental Models

Votipka, Daniel; Rabin, Seth M.; Micinski, Kristopher; Foster, Jeffrey S.; Mazurek, Michelle L.

doi:10.1145/3290607.3313040

Cited by 26 publications

(31 citation statements)

References 69 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…This paper presented a coarse-grained, general workflow model of vulnerability research practices. The structure and content of our model aligns and expands upon with the model presented in Votipka et al (2019), suggesting that these findings will be replicable in further studies with larger participant pools, and will provide an empirical grounding for related research in VR. We would like to call particular attention to the need for further research and studies in the following areas.…”

Section: Practitioner Takeawayssupporting

confidence: 64%

“…This finding spurred additional research to integrate CRSs with human vulnerability researchers in a collaborative environment (Fraze, 2017;Shoshitaishvili et al, 2017). However, there is a very limited information in the literature that empirically examines VR work habits, behaviors, and practices, excepting the work of Votipka, Rabin, Micinski, Foster, & Mazurek (2019), limiting designers' and engineers' ability to effectively integrate CRSs into a collaborative humanmachine system.…”

Section: Research Motivations and Objectivesmentioning

confidence: 99%

See 1 more Smart Citation

Challenges and Opportunities in Collaborative Vulnerability Research Workflows

Mullins

Kelliher

Nargi

et al. 2020

Proceedings of the Human Factors and Ergonomics Society Annual

View full text Add to dashboard Cite

Recently, cyber reasoning systems demonstrated near-human performance characteristics when they autonomously identified, proved, and mitigated vulnerabilities in software during a competitive event. New research seeks to augment human vulnerability research teams with cyber reasoning system teammates in collaborative work environments. However, the literature lacks a concrete understanding of vulnerability research workflows and practices, limiting designers’, engineers’, and researchers’ ability to successfully integrate these artificially intelligent entities into teams. This paper contributes a general workflow model of the vulnerability research process, and identifies specific collaboration challenges and opportunities anchored in this model. Contributions were derived from a qualitative field study of work habits, behaviors, and practices of human vulnerability research teams. These contributions will inform future work in the vulnerability research domain by establishing an empirically-driven workflow model that can be adapted to specific organizational and functional constraints placed on individual and teams.

show abstract

Section: Practitioner Takeawayssupporting

confidence: 64%

Section: Research Motivations and Objectivesmentioning

confidence: 99%

Challenges and Opportunities in Collaborative Vulnerability Research Workflows

Mullins

Kelliher

Nargi

et al. 2020

Proceedings of the Human Factors and Ergonomics Society Annual

View full text Add to dashboard Cite

show abstract

“…Human studies in this domain have used a range of techniques to gain process insights, including post-hoc analysis or surveys as in [9] (potentially missing automatic decisions), think-aloud protocols or semi-structured interviews as in [45] (potentially changing analysts' approaches), or in situ data collection (potentially losing information about the relevance of actions). Other studies, like ours, take the general approach used in cognitive science research: developing a task that explores the cognitive processes of interest but is controlled enough to support understanding the data.…”

Section: Related Workmentioning

confidence: 99%

Effects of Precise and Imprecise Value-Set Analysis (VSA) Information on Manual Code Analysis

Matzen¹,

Leger²,

Reedy³

2021

Proceedings 2021 Workshop on Binary Analysis Research

View full text Add to dashboard Cite

Binary reverse engineers combine automated and manual techniques to answer questions about software. However, when evaluating automated analysis results, they rarely have additional information to help them contextualize these results in the binary. We expect that humans could more readily understand the binary program and these analysis results if they had access to information usually kept internal to the analysis, like value-set analysis (VSA) information. However, these automated analyses often give up precision for scalability, and imprecise information might hinder human decision making.To assess how precision of VSA information affects human analysts, we designed a human study in which reverse engineers answered short information flow problems, determining whether code snippets would print sensitive information. We hypothesized that precise VSA information would help our participants analyze code faster and more accurately, and that imprecise VSA information would lead to slower, less accurate performance than no VSA information. We presented hand-crafted code snippets with precise, imprecise, or no VSA information in a blocked design, recording participants' eye movements, response times, and accuracy while they analyzed the snippets. Our data showed that precise VSA information changed participants' problemsolving strategies and supported faster, more accurate analyses. However, surprisingly, imprecise VSA information also led to increased accuracy relative to no VSA information, likely due to the extra time participants spent working through the code.

show abstract

“…While RE tasks are often partially automated (e.g., via decompilation), full automation is often impossible: the extreme semantic expressivity afforded to binaries (including encrypted code, stripped symbol tables, etc..) often necessitates open-ended exploration and case-specific reasoning. Recent literature suggests that many practicioners follow an iterative approach involving several rounds of hypothesis formation and validation/falsification, often assisated via a combination of static and dynamic analysis [1]- [3].…”

Section: Introductionmentioning

confidence: 99%

“…To rapidly interact with a binary, RE practicioners often use reverse engineering tools such as Ghidra [4], IDA Pro [5], or Radare2 [6]. The goal of these tools is to allow an RE 1 to quickly explore the binary and visualize it (typically D 3 RE vision. d3re allows REs to interactively define and calculate queries of arbitrary complexity over large production binaries and then visualize their results using Ghidra.…”

Section: Introductionmentioning

confidence: 99%

Declarative Demand-Driven Reverse Engineering

Sun¹,

Ching²,

Micinski³

2021

Proceedings 2021 Workshop on Binary Analysis Research

Self Cite

View full text Add to dashboard Cite

interactively, via a GUI or CLI) in a variety of ways. For example, a reverse engineer looking for a time bomb may first search for calls to the system's time function, and then walk backwards to understand whether each call is associated with legitimate or malicious behavior. In doing so, the RE may need to reason about, e.g., indirect control flow, or even identify the time function (in a stripped binary). Because REs are expert users, and often skilled programmers, RE tools provide programmatic interfaces that enable REs to systematize reasoning tasks via extensions. A broad range of popular extensions exist for several tools which perform such tasks as loading the results of static analyses [7], [8], interacting with debuggers [9], and identifying common cryptographic-relevant code [10].In this paper, we argue that deductive databases (e.g., Datalog) serve as a natural abstraction boundary between RE tools and logical inference tasks over binaries. We envision a future in which a reverse engineer interactively explores a binary using an RE tool while simultaneously querying arbitrarilycomplex logical properties written in a terse declarative style. We call this Declarative Demand-Driven Reverse Engineering (henceforth D 3 RE). In D 3 RE, an RE interacts with a deductive database by giving inputs (e.g., the currently highlighted address) to a rule-based deductive inference system written in a declarative language such as Datalog. Rules inductively compute relations over facts about the binary. As an example, consider a relation direct call ∈ Addr × Addr which relates callsite addresses (offsets within the binary) to procedure invocation target addresses. In our vision, D 3 RE allows REs to interactively compute with and visualize the results of queries over these deductive rules.We see D 3 RE as a natural extension of several observations about the state of the start. First, many existing RE tools assemble databases to index various properties (e.g., addresses, symbols, etc...) of binaries for quick exploration. Deductive databases further allow REs to write arbitrary logical queries which are computed maximally efficiently via, e.g., compilation to relational algebra kernels as done in Soufflé. Deductive databases have also enabled several recent advances in binary analysis demonstrating both efficiency and robustness over conventional techniques. For example, the Datalogbased disassembler ddisasm achieves both faster and moreprecise disassembly than other state-of-the-art disassemblers, and OOAnalyzer uses Prolog to enable declarative recovery of classes from compiled C++ code.In this short paper we describe our progress in implementing a prototype tool, d3re, which we are building to realize the Abstract-Binary reverse engineering is a challenging task because it often necessitates reasoning using both domain-specific knowledge (e.g., understanding entrypoint idioms common to an ABI) and logical inference (e.g., reconstructing interprocedural control flow). To help perform these tasks, reverse engineers oft...

show abstract

An Observational Investigation of Reverse Engineers' Process and Mental Models

Cited by 26 publications

References 69 publications

Challenges and Opportunities in Collaborative Vulnerability Research Workflows

Challenges and Opportunities in Collaborative Vulnerability Research Workflows

Effects of Precise and Imprecise Value-Set Analysis (VSA) Information on Manual Code Analysis

Declarative Demand-Driven Reverse Engineering

Contact Info

Product

Resources

About