Techniques for Dynamic Analysis for Understanding the Operation of Executables - Coursework Example

Review Techniques for Dynamic Analysis for Understanding the Operation of Executables Understanding the operation of executables is abridged when a blend of techniques for dynamic analysis is employed. Effective dynamic analysis necessitates that the execution traces be produced by executing states that are representative of the typical usage of the system. This paper provides a review of the techniques used to perform malware analysis on executables. This evaluation can be employed to assist maintainers to locate features that require altering by extracting views of a software system at various levels. Introduction Reports from literature indicate that up to ninety percent of the software development expenditure is spent on evolution and maintenance tasks. While undertaking a maintenance task, it is essential to make out and to trace the portion of code that requires altering depending on the perception that is acquired by executing the software and consultation with its use-cases. It is relatively easy to locate a portion of code that requires changing if the system is well documented and high level documents can be traced to the source code. However, this is rarely the case since the only information available regarding the system is the source code itself. Such instances call for maintainers to read and scrutinize the source code, which may be time consuming and tiresome since implementing a feature may entail multiple modules and classes. In an attempt to decrease such a labor-intensive endeavor, various techniques have been developed to automatically identify the softwares features and to trace these features to the source code that executes them. Static analysis techniques are inadequate for understanding of executables in a large software system and to establish its features, therefore, static analysis techniques ought to be accompanied by complementary dynamic analysis techniques. In most cases, this is completed by instrumenting the softwares code, executing its pertinent features via a prowler, and then analyzing the execution traces to establish the portions of the code that were executed by the features. Using necessary tool support, this approach permits developers to situate the code of interest promptly and easily. It can also disclose run-time relationships between modules and between classes, including thread contacts for multi-threaded systems, which static analysis alone cannot detect. Dynamic Analysis Techniques Dynamic analysis is a method used to study the performance of software systems by running it and observing its actions. Despite the existence of techniques based exclusively on static information, hybrid techniques combining static and dynamic information offer a more precise or a quicker solution. The methods used to gather runtime data include source code instrumentation, debugging of prowling, and instrumentation of compiled code. Such system accomplishes runtime event generation by instrumenting the program source code or creating models of object-oriented programs that appear as state diagrams. Some of the dynamic analysis techniques based on these approaches include: a) Process Monitor This is a SysInternal instrument which enables users to monitor all registry, file and process activity on a system. The tool works by installation of a device driver that records information regarding processes taking place inside the kernel of the system under analysis. Although the data is recorded by means of a device driver, the recorded information is conveyed to the user and accessible with a simple and trouble-free graphical user interface. This powerful technique is mainly used to monitor system activity on Windows systems. While the Process Monitor records every activity, each registry, file or process operation generates a line of output in the application window. While running Process Monitor, the system creates many events even when idle. Effective use of this technique requires that accurate filters are set up to record the information of interest without leaving out significant details. The filtering capacity of this application is a huge improvement from its progenitors Regmon and Filemon in which capture filters are set up based on uncomplicated string expressions. Process Monitor records all details and creates display filters that contain accurate compound expressions. The expressions focus on events that lead to a permanent change in the system like the generation of a new registry value or data written to a file. Once the filter expression is designed, it can be saved for use in the future. b) Wireshark This is an open-source network protocol analyzer which records, analyzes, and filters network traffic across many protocols. Wireshark is a helpful technique, but exhibits some challenges in dynamic analysis. Most importantly, the tool fails to identify what process produces every packet of recorded network data, making it hard to establish whether a packet was generated by the program under analysis. An almost similar program, Port Explorer, checks network traffic at the connection stage and in contrast to Wireshark it captures details of the process that generates every connection. Example This example describes the understanding of executables in an open-source multi-platform web browser. The web browser incorporates other internet tools such as newsgroup reader, e-mail client, HTML editor and Internet Relay Chart. This C++ based browser has millions of lines o code, multiple binary modules, various installation programs and several executable objects. The features considered in this example majorly focus the web browser and to some extent on e-mail aspects. The multiple relationships and classes add to the intricacy of the program maintenance and understanding. The set of browser use-cases that characterize its functionality are identified and dynamic analysis is used to obtain statistics. The overall run-time record of use-cases is summarized into executed, loaded and total that is then compiled into modules, classes, methods and method entry events. The dynamic analysis includes several omitted unique associations between class methods. The distribution of the source code covers the source code of all browser modules and tools and the interactions between classes in several binary modules. Each class implements a unique interface in various binary modules. To show the significance of use-case based dynamic analysis for maintainers, we assume that the maintenance task required is to alter a particular feature of the browser. This feature enables users to send an HTML link or page via e-mail. The maintainer is able to examine the source code and the existing documentation of the system and attempt to establish the parts of the source code associated with this feature use-case. Instead, the maintainer can use the technique to execute the feature use-case and determine the sections of source code. To make the software views generated by the analysis simpler, it is appropriate that the maintainer executes other program features besides to the relevant feature. Other features are executed in order to be able to establish the common classes and modules executed by most features. In this case, a common class refers to an entity used to implement a high percentage of use-cases, when filtered out, such entities lowers the clutter of the views and stresses the uniqueness of every use-case. Large systems like the web browser generate graphs with multiple relationships; some of which are unmanageable. These graphs can then be simplified by clustering the graphs of every view or providing the option of choosing to incorporate or leave out the common classes and modules in the dynamic analysis. The clustering instrument employs optimization to capitalize on cohesion between two nodes in an identical cluster and reduce pairing between nodes in different clusters. Each cluster is labeled to indicate the dominant class within the cluster. Summary Dynamic analysis uses the notion of marked execution traces to identify program features. A feature is defined by the maintainer based on marked-traces. A market trace is determined manually while executing the program by defining the starting point and ending point of the trace via a trace-marker tool of the profiler. For instance, before executing the feature, the maintainer presses a button on the graphic user interface of the profiler to signal the start of the marked trace. Another button of the GUI would be pressed indicating the end of that feature. After the features of the software are exercised, the dynamic analysis tools analyze the traces to generate a number of views, at several stages of detail, to help the maintainer in understanding executables. The views are generated by taking the system through dynamic analysis under different features. The run-time data is used to construct two sets of views: metrics that determine the similarity between features and the intricacy of the software; and graphs that record the sections of the software’s architecture pertaining to the features. The dynamic approach is effective in practice because “change requests” are normally written in natural language with precise allusions to software characteristics. Beginning from the “change request”, a developer can then implement the program in profiling mode, and execute the required features to define the sections of the source code, rather than beginning with the code and seeking to map its features manually. The main challenge of dynamic analysis particularly in large systems is the considerable degradation in presentation and the lack of profilers which are appropriate for understanding executables. For instance, most of the dynamic profilers concentrate on analysis of the performance of windows software; other techniques depend on the notion of statistical profiling, which may lead to infrequent loss of events. In addition, profiling develops into a challenge when multi-language and multi-threaded systems are entailed. Conclusion This paper presented a relatively detailed review of the techniques of dynamic analysis that can be employed to various systems of known functionality. Some of the discussion is based on a hierarchy of graphs that aid the exploration of the software architecture of the system, and metrics, focusing on exposing the intricate nature of the system. The study has revealed the capacity of the techniques to gather dynamic data, analyze it, and make a presentation as a set of views. The techniques reviewed here are barely an introduction to the wide subject of knowledge and tools necessary to fully understand the operation of executables. A wealth of detailed information is available in various internet forums for those wishing to deepen their knowledge on this subject. This automated techniques and the views reviewed in this paper can assist in maintenance tasks that need a deep comprehension of particular sections of large software systems. (Bruegge et al.; Kendall; Salah et al.;Eisenbarth et al; Souder et al.) Works cited B. Bruegge, T. Gottschalk, and B. Luo. A framework for dynamic program analysis. In Conference on Object-Oriented Programming Systems, Languages, and Applications (OOSLA93), Washington, USA, September 1993. Kendall, Kris. "Practical Malware Analysis." Mandiant intelligent information security 0.0 (2007): 1-10. ebookspdf.org. Web. 24 Apr. 2014. M. Salah, S. Mancoridis, G. Antoniol, and M. Di Penta. Towards employing use-cases and dynamic analysis to comprehend mozilla. In International Conference on Software Maintenance, pages 639.642, Budapest, Hungary, Sept 26-29 2005. IEEE Press. T. Eisenbarth, R. Koschke, and D. Simon. Aiding program comprehension by static and dynamic feature analysis. In International Conference on Software Maintenance, Florence, Italy, November 2001. IEEE. T. Souder, S. Mancoridis, and M. Salah. Form: A framework for creating views of program executions. In International Conference on Software Maintenance, Florence, Italy, November 2001. Read More