applications of the reverse
play

Applications of the Reverse Engineering Language REIL Hackers to - PowerPoint PPT Presentation

Jun 20, 2023 •369 likes •762 views

Applications of the Reverse Engineering Language REIL Hackers to Hackers Conference 2009, So Paulo Sebastian Porst zynamics GmbH (sebastian.porst@zynamics.com) Talk Overview Necessity of new RE methods Solutions we developed

  1. Applications of the Reverse Engineering Language REIL Hackers to Hackers Conference 2009, São Paulo Sebastian Porst zynamics GmbH (sebastian.porst@zynamics.com)

  2. Talk Overview • Necessity of new RE methods • Solutions we developed • Applications of our solutions

  3. About zynamics • Small German company • Unhappy with the state of Reverse Engineering • Needed: New RE tools and methods – BinDiff, BinNavi, VxClass

  4. About me • Lead Developer of BinNavi • Many years of RE experience • Try to come up with new RE methods • Talk about it at conferences

  5. What we are doing • Build Reverse Engineering tools • Try to automize binary file analysis • Help people find vulnerabilities

  6. Why we are doing this Software Complexity Architectural Diversity Microsoft Security Budget Good old days Now

  7. How we are doing this • Develop new RE methods – Platform-Independent – Easy to use • Integrate them into our tools

  8. REIL • Reverse Engineering Intermediate Language • Platform-Independent • Designed for Reverse Engineering

  9. Design Principles • Very small instruction set • Very regular operand structure • Very simple operand types • No side-effects

  10. Example

  11. REIL Usage Convert native code to REIL Run REIL algorithm Port results back to original code

  12. Advantages • Easy to pick up and comprehend • Reduces analysis complexity • Write once; use everywhere

  13. MonoREIL • Monotone framework for REIL • Simplifies analysis algorithm development • Read the book

  14. Advantages • All algorithms have the same regular structure • Simplifies algorithms – Trade-off: Runtime

  15. Core Concepts • Instruction Graph • Lattice • Monotone Transformations

  16. Instruction Graph 1400: add t0, 15, t1 1401: bisz t1, , t2 1402: jcc t2, , 1405 1403: str 8, , t3 1405: str 16, , t3 1404: jcc t2, , 1406 1406: add t3, t3, t4 1407: jcc 1, , 1420

  17. Lattice T B

  18. Transformations 1400: add t0, 15, t1 1401: bisz t1, , t2 1402: jcc t2, , 1405 1403: str 8, , t3 1405: str 16, , t3 1404: jcc t2, , 1406 1406: add t3, t3, t4 1407: jcc 1, , 1420

  19. Applications Register Tracking : Helps Reverse Engineers follow data flow through code (Never officially presented) Index Underflow Detection : Automatically find negative array accesses (CanSecWest 2009, Vancouver) Automated Deobfuscation : Make obfuscated code more readable (SOURCE Barcelona 2009, Barcelona) ROP Gadget Generator : Automatically generates return-oriented shellcode (Work in progress; scheduled for Q1/2010)

  20. Register Tracking • Follows interesting register values • Keeps track of dependent values • Transitive closure of the effects of a register on the program state

  21. Lattice All eax eax ebx ecx ebx ecx ecx OF eax ebx ecx OF Ø

  22. General Idea • Start with the tracked register • Follow the control flow • Instruction uses register → Add modified registers to the tracked set • Instruction clears register → Remove cleared register from the set

  23. Example {t0} add t0, 4, t1 {t0, t1} bisz t2, , CF {t0, t1} bisz t0, , ZF {t0, t1, ZF} add t2, 4, t1 {t0, ZF}

  24. Result

  25. Use • Fully integrated into BinNavi • Makes it very simple to follow values • Helps the reverse engineer to concentrate on what is important

  26. Range Tracking • Tracks potential ranges for register values • Useful to detect buffer underflows like MS08-67 • Intervals are used to cut down on complexity

  27. Lattice • Complicated to show in a picture • Keep track of register values and pointer dereferences as a list of ranges • eax [0 .. 4] [0 .. 10] – Add a value between 0 and 10 to [eax], [eax + 1], [eax + 2], [eax + 3], or [eax + 4]

  28. General Idea • Track register values relative to their first use • Follow the control flow • Calculate maximum range of effects each instruction has on a register • If the range gets negative for memory accesses, mark the location

  29. Use • Helps bug hunters to find potential vulnerabilities • Automated and effective • Not yet fully proven to work

  30. Deobfuscation • Convert obfuscated code into something more readable • Multi-process step with many lattices – Constant propagation – Dead code elimination – ...

  31. General Idea • Take a piece of code • Apply the deobfuscation algorithms • Repeat until no further deobfuscation is possible • Result: Deobfuscated Code

  32. Result Before After

  33. Problems • Turns out that deobfuscation is tricky for many reasons • Further requirements: – Function that determines the readability of code – Backend that produces executable code from REIL

  34. ROP Gadget Generator • Return-oriented shellcode generator • REIL-based but not MonoREIL-based • Originally for Windows Mobile but platform-independent • To be presented in 2010

  35. General Idea • Automated analysis of instruction sequences • Automated extraction of useful instruction sequences • Combines gadgets to shellcode • Helps the development of return- oriented shellcode

  36. Result

  37. Future Development • BinAudit – Collection of algorithms for vulnerability research • Type Reconstruction – Figuring out what higher level data types are stored in registers

  38. Related Work • ERESI Project • BitBlaze • Silvio Cesare

  39. http://www.flickr.com/photos/marcobellucci/3534516458/

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Reverse Cycle Walking and its Applications Sarah Miracle and Scott Yilek University of St. Thomas

Reverse Cycle Walking and its Applications Sarah Miracle and Scott Yilek University of St. Thomas

Reverse Cycle Walking and its Applications Sarah Miracle and Scott Yilek University of St. Thomas Format Preserving Encryption Example: Existing database with millions of US social security numbers 9 digit numbers First 3 digits

881 views • 73 slides
Reverse Osmosis Reverse Osmosis Background to Market and to Market and Background Technology

Reverse Osmosis Reverse Osmosis Background to Market and to Market and Background Technology

Reverse Osmosis Reverse Osmosis Background to Market and to Market and Background Technology Technology 1 Technology and Applications Technology and Applications Reverse osmosis has been commercial for Reverse osmosis has been

948 views • 60 slides
Remanufacturing of Products Remanufacturing of Products and Reverse Logistics and Reverse

Remanufacturing of Products Remanufacturing of Products and Reverse Logistics and Reverse

Remanufacturing of Products Remanufacturing of Products and Reverse Logistics and Reverse Logistics Xochitl Aquiahuatl March 2007 Outline Outline Closed-loop Supply Chain Reverse Logistics Recovery Options Product

388 views • 22 slides
Reverse Engineering Paul deGrandis Applications Software Maintenance Source Code and

Reverse Engineering Paul deGrandis Applications Software Maintenance Source Code and

Reverse Engineering Paul deGrandis Applications Software Maintenance Source Code and Documentation Engineering Virus Analysis Malware Virus Needs a vector for propagation Worm No vector needed Can spread by

320 views • 21 slides
Reverse Engineering CS 166 Armen Boursalian 30 Apr 2018 Reverse Engineering Take a

Reverse Engineering CS 166 Armen Boursalian 30 Apr 2018 Reverse Engineering Take a

Reverse Engineering CS 166 Armen Boursalian 30 Apr 2018 Reverse Engineering Take a product, understand how it works Usually limited to certain aspects, not full systems Need to know a little bit about a lot of topics to gain

636 views • 11 slides
On S-Box Reverse-Engineering: from Cryptanalysis to the Big APN Problem Lo Perrin DTU, Lyngby

On S-Box Reverse-Engineering: from Cryptanalysis to the Big APN Problem Lo Perrin DTU, Lyngby

On S-Box Reverse-Engineering: from Cryptanalysis to the Big APN Problem Lo Perrin DTU, Lyngby perrin dot leo at gmail 4th of July 2017 Boolean Functions and Their Applications The content of this talk is based on joint works with Biryukov,

1.32k views • 108 slides
Reverse Logistics Woodfield Distribution, LLC v081617 Reverse Logistics About Us Description

Reverse Logistics Woodfield Distribution, LLC v081617 Reverse Logistics About Us Description

Presentation of Capabilities Reverse Logistics Woodfield Distribution, LLC v081617 Reverse Logistics About Us Description of Services Reverse Distribution Channels DSCSA/Sustainability About Us WDSrx Woodfield Distribution, LLC Is A

454 views • 13 slides
Next-Generation Debuggers For Reverse Engineering For Reverse Engineering The ERESI team

Next-Generation Debuggers For Reverse Engineering For Reverse Engineering The ERESI team

Next-Generation Debuggers For Reverse Engineering For Reverse Engineering The ERESI team eresi@asgardlabs.org This presentation is about .. The Embedded ERESI debugger : e2dbg The Embedded ERESI tracer : etrace The ERESI reverse

849 views • 47 slides
Reverse Engineering TCP/ IP Reverse Engineering TCP/ IP Steven Low EAS, Caltech Joint work

Reverse Engineering TCP/ IP Reverse Engineering TCP/ IP Steven Low EAS, Caltech Joint work

Reverse Engineering TCP/ IP Reverse Engineering TCP/ IP Steven Low EAS, Caltech Joint work with: Li J W Li, J. Wang, Pongsajapan, Tan, Tang, M. Wang P j T T M W Outline Background Layering as optimization decomposition L

932 views • 47 slides
Most-Effective Actions to Reverse Global Warning Most-Effective Actions to Reverse Global Warning

Most-Effective Actions to Reverse Global Warning Most-Effective Actions to Reverse Global Warning

Our Goal: A Coordinated Philanthropic Effort Most-Effective Actions to Reverse Global Warning Most-Effective Actions to Reverse Global Warning CO2 Reduction (gigatons) Refrigerant management 89.7 1. Wind turbines (onshore) 84.6 2. Reduced

308 views • 12 slides
WEBee Reverse Convolution Coding Reverse Convolution Coding Convolutional encoding uses a

WEBee Reverse Convolution Coding Reverse Convolution Coding Convolutional encoding uses a

WEBee Reverse Convolution Coding Reverse Convolution Coding Convolutional encoding uses a 288-by-216 matrix M M is not full row-rank (row:288 > column:216), the matrix equation is an overdetermined system ZigBee signals occupy

164 views • 15 slides
AutoDiff: Reverse Mode v 0 v 5 v 2 v 3 ln x 1 v 0 v 5 v 2 v 1 + x 2 v 4 y v 6 +

AutoDiff: Reverse Mode v 0 v 5 v 2 v 3 ln x 1 v 0 v 5 v 2 v 1 + x 2 v 4 y v 6 +

x 1 AutoDiff: Reverse Mode v 0 v 5 v 2 v 3 ln x 1 v 0 v 5 v 2 v 1 + x 2 v 4 y v 6 + v 3 v 1 Traverse the original graph in the reverse topological v 4 x 2 y v 6 sin order and for each node in the original

980 views • 64 slides
What You Should Know about Reverse Mortgages Welcome and Why We Are Here Idriys Abdullah

What You Should Know about Reverse Mortgages Welcome and Why We Are Here Idriys Abdullah

What You Should Know about Reverse Mortgages Welcome and Why We Are Here Idriys Abdullah Consumer Protection Advocate DISB Reverse Mortgages Presentation 2 Mission Statement DISBs Mission is Two-Fold Protect consumers by providing

495 views • 34 slides
CS 166: Information Security Reverse Engineering & Digital Rights Management Prof. Tom

CS 166: Information Security Reverse Engineering & Digital Rights Management Prof. Tom

CS 166: Information Security Reverse Engineering & Digital Rights Management Prof. Tom Austin San Jos State University SRE Software Reverse Engineering Also known as Reverse Code Engineering (RCE) Or simply reversing

1.04k views • 80 slides
Reverse, Flatten, and Zip More List Processing in Ocaml Theory of Programming Languages Computer

Reverse, Flatten, and Zip More List Processing in Ocaml Theory of Programming Languages Computer

No More Fluff Flatten Reverse Zip Unzip Mapcons Subsets Decimal Reverse, Flatten, and Zip More List Processing in Ocaml Theory of Programming Languages Computer Science Department Wellesley College No More Fluff Flatten Reverse Zip

440 views • 6 slides
BEST PRACTICE PRESENTATION Basque Government Directorate of Biodiversity and Environmental

BEST PRACTICE PRESENTATION Basque Government Directorate of Biodiversity and Environmental

First Interregional First Interregional Seminar Seminar REVERSE REVERSE First First Interregional Interregional Seminar Seminar REVERSE REVERSE Agriculture and Agriculture and Agriculture and Biodiversity Agriculture

567 views • 15 slides
1-Bucket-Theta: Map 1-Bucket-Theta: Reduce Col T 1 6 Row Input: tuple x S T,

1-Bucket-Theta: Map 1-Bucket-Theta: Reduce Col T 1 6 Row Input: tuple x S T,

10/20/2011 1-Bucket-Theta: Map 1-Bucket-Theta: Reduce Col T 1 6 Row Input: tuple x S T, Input: ( ID, [(x 1 , origin 1 ),..., (x k , origin k )] ) 1 S1.A=5 S2.A=7 matrix-to-reducer mapping lookup table 1 2 S3.A=7 S4.A=8

396 views • 6 slides
Continuous-time Markov Chains Gonzalo Mateos Dept. of ECE and Goergen Institute for Data Science

Continuous-time Markov Chains Gonzalo Mateos Dept. of ECE and Goergen Institute for Data Science

Continuous-time Markov Chains Gonzalo Mateos Dept. of ECE and Goergen Institute for Data Science University of Rochester gmateosb@ece.rochester.edu http://www.ece.rochester.edu/~gmateosb/ October 14, 2020 Introduction to Random Processes

834 views • 40 slides
How efficient are binary search trees? Balanced search trees Balancing a tree means to keep the

How efficient are binary search trees? Balanced search trees Balancing a tree means to keep the

CS206 CS206 How efficient are binary search trees? Balanced search trees Balancing a tree means to keep the left and right subtree of Binary search tree operations take time O ( h ) , where h is the every node of roughly equal size.

200 views • 3 slides
Critique #4 Due next Tuesday (4/14) Y. Zhang, C. Lu, C. Gill, P. Lardieri and G. Thaker,

Critique #4 Due next Tuesday (4/14) Y. Zhang, C. Lu, C. Gill, P. Lardieri and G. Thaker,

Critique #4 Due next Tuesday (4/14) Y. Zhang, C. Lu, C. Gill, P. Lardieri and G. Thaker, Middleware Support for Aperiodic Tasks in Distributed Real-Time Systems, IEEE Real-Time and Embedded Technology and Applications Symposium (RTAS), April

664 views • 32 slides
Near-linear Time Gaussian Process Optimization with Adaptive Batching and Resparsification D.

Near-linear Time Gaussian Process Optimization with Adaptive Batching and Resparsification D.

Near-linear Time Gaussian Process Optimization with Adaptive Batching and Resparsification D. Calandriello* 1 , L. Carratino * 2 , A. Lazaric 3 , M. Valko 1 , L. Rosasco 2,4 * equal contribution. 1 DeepMind, 2 MaLGa - UniGe, 3 Facebook, 4 MIT - IIT

705 views • 45 slides
On Moment Problems in Robust Control, Spectral Estimation, Image Processing and System

On Moment Problems in Robust Control, Spectral Estimation, Image Processing and System

On Moment Problems in Robust Control, Spectral Estimation, Image Processing and System Identification Anders Lindquist Shanghai Jiao Tong University, China, and the Royal Institute of Technology, Stockholm, Sweden University of Maryland May,

937 views • 38 slides
harmonic functions and the chromatic polynomial R. Kenyon (Brown) based on joint work with A.

harmonic functions and the chromatic polynomial R. Kenyon (Brown) based on joint work with A.

harmonic functions and the chromatic polynomial R. Kenyon (Brown) based on joint work with A. Abrams, W. Lam The chromatic polynomial G ( n ) of a graph G is the number of proper colorings with n colors. (adjacent vertices have di ff erent

456 views • 26 slides
Formal Methods for the Verification of Distributed Algorithms Paul Gastin Laboratoire

Formal Methods for the Verification of Distributed Algorithms Paul Gastin Laboratoire

Formal Methods for the Verification of Distributed Algorithms Paul Gastin Laboratoire Spcification et Vrification ENS Paris Saclay & CNRS with C. Aiswarya (CMI) & Benedikt Bollig (LSV) Motivations Distributed algorithms are

1.23k views • 90 slides

More recommend