Uninformed: Informative Information for the Uninformed

Vol 5» 2006.Sep

Process and Kernel Stalking

One of the more difficult questions to answer when testing software for vulnerabilities is: ``when is the testing considered finished?'' How do we, as vulnerability bug hunters, know when we have completed our testing cycle by exhausting all code paths and discovering all possible bugs? Because fuzz testing can easily be random, so unpredictable, the question of when to conclude testing is often left incomplete.

Pedram Amini, who recently released ``Paimei'', coined the term "Process Stalking" as a set of runtime binary analysis tools intended to enhance the visual effect of runtime analysis. His tool includes an IDA Pro plug-in paired with GML graph files for easy viewing. His strategy amalgamates the processes of runtime profiling through tracing and state mapping, which is a graphic model composed of behavior states of a binary. Pedram Amini's "Process Stalker" tool suite can be found on his personal website (http://pedram.redhive.com) and the reverse engineering website OpenRCE (http://www.openrce.org). - might just use references or something. The fact that process stalker is used to reverse MS Update patches is irrelevant to the paper.