Automated Mapping of Large Binary Objects Ben Sangster Roy Ragsdale Greg Conti


1 Automated Mapping of Large Binary Objects Ben Sangster Roy Ragsdale Greg Conti

2 The views expressed in this presentation are those of the author and do not reflect the official policy or position of the United States Military Academy, the Department of the Army, the Department of Defense or the U.S. Government.

3 Motivation
FF Screen memory
FFF Basic ROM memory
FFF Alternate: ROM plug-in area
A000-BFFF ROM: Basic
A000-BFFF Alternate: RAM
C000-CFFF RAM memory, including alternate
D000-D02E Video Chip (6566)
D400-D41C Sound Chip (6581 SID)
D800-DBFF Color nybble memory
DC00-DC0F Interface chip 1, IRQ (6526 CIA)
DD00-DD0F Interface chip 2, NMI (6526 CIA)
D000-DFFF Alternate: Character set
E000-FFFF ROM: Operating System
E000-FFFF Alternate: RAM
FF81-FFF Jump Table

4 Goals
Accurately identify regions within arbitrary binary object
Efficient algorithms
Extensible framework
Automated mapping process
Automated process for generating test data
Current State: BINMAP Utility


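6 [Figure: binary object, offsets 0 to ~12MB ("insert ~ 5MB here...")]

7 [Figure: binary object, offsets 0 to ~12MB ("insert ~ 5MB here..."), with regions labeled ASCII Text, Compressed Image 1, Compressed Image N, Unicode URLs, Data Structure]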

8 [Figure: ranges 0..N and 0..N, f(x)]

9 [Figure: ranges 0..N and 0..N]

10 Partial Taxonomy
binary fragment
high entropy; medium entropy; low entropy
encryption; compression; repeating values; machine code; human language; data structures; uncompressed media
RLE LZW...; EN FR RU...; AES DES...; ECB CBC...

11 Goal
FF ASCII Text (English)
FFF Pointer Table
FFF Variable Length Array
A000-BFFF Compressed Data
A000-BFFF Unicode (Basic Latin)
C000-CFFF Unknown Region
D000-D02E Repeating Value (0xFF)
D400-D41C Encrypted Region (AES)
D800-DBFF PNG Image
DC00-DC0F JavaScript
DD00-DD0F Encrypted Region (RSA Key?)
D000-DFFF Unknown Region
E000-FFFF BMP Image
E000-FFFF Unicode (Hyperlinks?)
FF81-FFF Repeating Value (0x00)

12 f(x)
Fragment type 1   a1-a2
Fragment type 2   a3-a4
Fragment type N   a5-a6

13
                  Test 1   Test 2   Test 3   Test N
Fragment type 1   a1-a2    b1-b2    c1-c2    z1-z2
Fragment type 2   a3-a4    b3-b4    c3-c4    z3-z4
Fragment type N   a5-a6    b5-b6    c5-c6    z5-z6

14 Shannon Entropy
Perl Random Number Sequence    a1-a2
AES Encrypted Word Document    a3-a4
ASCII Text Document            a5-a6
BMP (Single Color)             a7-a8

15 Shannon Entropy
Shannon entropy H(X) measures uncertainty and quantifies the information contained in a message.
Other Techniques
- Hamming Weight
- Index of Coincidence
- Mean / Standard Deviation
- Traditional pattern matching
-

16 Window Size (Shannon Entropy of AES sample)




20 Window Size (Shannon Entropy of 4 file types)
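
The Shannon entropy and window size slides, worked as an added example (this is not code from the presentation or from BinMap): each window of a binary object is scored with H(X), bucketed into the taxonomy's high/medium/low entropy classes, and adjacent windows of the same class are merged into regions. The thresholds, the 256-byte default window, the function names and the sample data are all assumptions of this example.

```python
import hashlib
import math
from collections import Counter

def shannon_entropy(window: bytes) -> float:
    """H(X) in bits per byte, from the byte-value frequencies in one window."""
    n = len(window)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(window).values())

def classify(h: float, low: float = 2.0, high: float = 6.5) -> str:
    """Bucket an entropy value; both thresholds are assumptions of this example."""
    return "low" if h < low else "high" if h > high else "medium"

def map_regions(blob: bytes, window: int = 256):
    """Score non-overlapping windows and merge equal neighbours into regions."""
    regions = []  # list of (start, end, label), end exclusive
    for start in range(0, len(blob), window):
        end = min(start + window, len(blob))
        label = classify(shannon_entropy(blob[start:end]))
        if regions and regions[-1][2] == label:
            regions[-1] = (regions[-1][0], end, label)
        else:
            regions.append((start, end, label))
    return regions

def mean_entropy(blob: bytes, window: int) -> float:
    """Average per-window entropy; a window of w bytes can never exceed log2(w)."""
    scores = [shannon_entropy(blob[i:i + window]) for i in range(0, len(blob), window)]
    return sum(scores) / len(scores)

# Constructed sample data (not from the slides): a repeating value, English
# ASCII text, and a SHA-256 counter stream standing in for encrypted bytes.
REPEAT = b"\xff" * 4096
TEXT = (b"The quick brown fox jumps over the lazy dog. " * 100)[:4096]
RANDOM_LIKE = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(128))
SAMPLE = REPEAT + TEXT + RANDOM_LIKE

if __name__ == "__main__":
    for start, end, label in map_regions(SAMPLE):
        print(f"{start:04X}-{end - 1:04X} {label} entropy")
    for w in (32, 256, 4096):
        print(f"window {w:4d}: mean entropy {mean_entropy(RANDOM_LIKE, w):.2f}")
```

The second loop shows why window size matters: the same random-looking bytes score at most 5 bits per byte in 32-byte windows, so thresholds have to be chosen together with the window size.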


22 BinMap Demo

23 Extensibility

24 Example

25 Entropy/Evaluating

26 Future Work
Improve Framework
– Analyze performance
– Develop & improve plug-ins
Improve Datasets
Integrate with visualization, interaction and GUI
Other identification measures
Apply datamining techniques
Increase size of taxonomy
Code repository:

27 0x3F 0x3F 0x3F ? ? ?
