computer and information security
play

Computer and Information Security Fall 2019 Reverse Engineering - PowerPoint PPT Presentation

Apr 30, 2023 •277 likes •629 views

ECE590 Computer and Information Security Fall 2019 Reverse Engineering Tyler Bletsch Duke University With additional content by Jiaming Li, NC State University, 2015 What is software reverse engineering? Determine and possibly change

  1. ECE590 Computer and Information Security Fall 2019 Reverse Engineering Tyler Bletsch Duke University With additional content by Jiaming Li, NC State University, 2015

  2. What is software reverse engineering? • Determine and possibly change program logic  “Logic” ≠ Just observed behavior • Ethics  Useful for good: • Analyze malware • Understand undocumented legacy code • Watch/read/play the stuff you paid for  Useful for evil • “Crack” software (remove restrictions) • Find exploits • Cheat at games 2

  3. Types of tools • Disassembler  Turn compiled program into assembly  Not perfect Also, decompiler : •  Static tool Attempts to turn assembly back into source code. • Usually awful at machine code, but managed code (e.g. Java, • Debugger Python) can produce decent results.  Step through running program  Dynamic tool • Hex editor  Make changes to binaries • Monitoring tools  Watch system calls, library calls, etc. 3

  4. Examples of tools • Linux:  Disassember: objdump (free), IDA Pro (free and paid versions)  Debugger: gdb and its front-ends  Hex editor: okteta , bless, lots more…  Monitoring: strace , ltrace IDA Pro eats basically anything • Windows:  Disassembler: IDA Pro (free and paid versions)  Debugger: WinDBG (basic), OllyDbg (shareware), SoftICE ($1000+)  Hex editor: XVI32, Notepad++ with plugin, etc.  Monitoring tools: Process Monitor, Explorer, and more. • X86 in general: A hypervisor (VMware, KVM, etc.) 4

  5. Debug or disassemble? Both. • Disassembler gives static results  Good overview of program logic  But need to “mentally execute” program  Difficult to jump to specific place in the code • Debugger is dynamic  Can set break points  Can treat complex code as “black box”  Not all code disassembles correctly • Disassembler and debugger both required for any serious reverse engineering task 5 From "Computer Science 654 Lecture 5: Software Reverse Engineering" by Wayne Patterson, Howard Univ. 2009.

  6. Example 1: HW2 auto-grader • Python decompiles very easily 6

  7. Example 2: Minecraft • Minecraft is a Java program, no mod support • All mods use something like the Mod Coder Pack (MCP): “ Use MCP to decompile the Minecraft client and server jar files. Use the decompiled source code to create mods for Minecraft. Recompile modified versions of Minecraft. Reobfuscate the classes of your mod for Minecraft. ” • Entire mod community is built on reverse engineering! 7

  8. Examining multi-component systems • Weaknesses often at the seams – where parts of system come together  Most visible, often exploitable  Example: SQL injection • If not the seams, at least focus on the least protected part Aim here if possible Thing A Thing B 8

  9. Example 3: Auto-grader for a homework question you didn’t get • Was used last year, but cut because it involves implementing SHA-3, which is commonly supported in most libraries by now. • We’ll focus on the auto -grader and its anti-tamper mechanisms. • Two files: (1) Binary hw3sign , (2) shell script sha-test.sh • Normal usage: 9

  10. Example 3: Auto-grader for a homework question you didn’t get • Naïve attack: Just change the script 10

  11. Example 3: Lost HW autograder • Naïve attack: Just change the script  Failed: hw3sign must be checking it somehow! 11

  12. Example 3: Lost HW autograder Topology hw3sign sha-test.sh 12

  13. Example 3: Lost HW autograder • Could look at behavior with strace : $ strace -f -o trace.txt ./sha-test.sh myenc ... $ cat trace.txt 4127 execve("./sha-test.sh", ["./sha-test.sh", "myenc"], [/* 46 vars */]) = 0 4127 brk(0) = 0x1700000 4127 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f55d5a17000 4127 access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory) 4127 open("/etc/ld.so.cache", O_RDONLY) = 3 4127 fstat(3, {st_mode=S_IFREG|0644, st_size=210058, ...}) = 0 4127 mmap(NULL, 210058, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f55d59e3000 4127 close(3) = 0 ... • But hw3sign never appears to open sha-test.sh : $ grep open trace.txt | grep sha-test.sh 4127 open("./sha-test.sh", O_RDONLY) = 3  This one line is from when sha-test.sh itself is started  There’s more mystery here that I’ll leave to you… 13

  14. Example 3: Lost HW autograder Best place to attack? hw3sign sha-test.sh 14

  15. Example 3: Lost HW autograder • Two past successful student attacks • Black box attack:  hw3sign signs the binary, then the certificate itself  What if we ask it to “test” a doctored certificate as a binary – it will sign it for us! No understanding needed! • Chameleon attack:  Add cheating to sha-test.sh; also add code to copy a legit sha-test.sh over itself before doing signings  Malicious behavior occurs then hides before check occurs  Example of a TOCTOU attack (Time-Of-Check/Time-Of-Use)! 15

  16. Example 4: NSA Codebreaker challenge, 2015 • Scenario:  Terrorists using a cryptography program to decrypt/authenticate messages from leadership  What we have: • The program: codebreaker3.exe • A member’s key: tier1_key.pem • A text file with a hidden message: tier1_msg.txt  At first glance, the program appears to simply check stock information, but that’s a ruse.  Need to reverse engineer it: Challenge has 4 tasks, we’ll do 2. 16 Adapted from content by Jiaming Li, NC State University, 2015

  17. Codebreaker Task 1: Decrypt • Need to decode message we have. • The program: 17 Adapted from content by Jiaming Li, NC State University, 2015

  18. Codebreaker Task 1: Decrypt • Do static analysis with IDA Pro  Load binary  Confirm binary format options  Process: • Code is disassembled • Call graph of assembly code built • All memory references are cross-referenced, especially string literals 18 Adapted from content by Jiaming Li, NC State University, 2015

  19. Codebreaker Task 1: Decrypt • Do static analysis with IDA Pro, check the all string information 19 Adapted from content by Jiaming Li, NC State University, 2015

  20. Codebreaker Task 1: Decrypt • Press x, this leads us to the location where this string appears: 20 Adapted from content by Jiaming Li, NC State University, 2015

  21. Codebreaker Task 1: Decrypt • OK, let’s try “decoder” parameter: 21 Adapted from content by Jiaming Li, NC State University, 2015

  22. Codebreaker Task 1: Decrypt • We need to find where “Failed binary name check” appears: • and this comes from: 22 Adapted from content by Jiaming Li, NC State University, 2015

  23. Codebreaker Task 1: Decrypt • Then we change our program name to “secret - messenger.exe” and try again: 23 Adapted from content by Jiaming Li, NC State University, 2015

  24. Codebreaker Task 1: Decrypt • Ideas? • Let’s jam the stuff into symbol and action fields 24 Adapted from content by Jiaming Li, NC State University, 2015

  25. Codebreaker Task 2: Bypass access limitation • We’ve collected a new message file - this one to a different field operative whose key we also have . • Each operative has their own decrypt tool, each tool will only decrypt content “addressed” to its owner. • Need to defeat this access limitation to decrypt the message. 25 Adapted from content by Jiaming Li, NC State University, 2015

  26. Codebreaker Task 2: Bypass access limitation • Let’s go back to IDA to find where this error appears: 26 Adapted from content by Jiaming Li, NC State University, 2015 26

  27. Codebreaker Task 2: Bypass access limitation • Note down the address of “ cmp ax,4756h”, press SPACE: • How to test if this is the check? • How to bypass the check? 27 Adapted from content by Jiaming Li, NC State University, 2015

  28. Codebreaker Task 2: Bypass access limitation • In order to bypass this check as easily as possible, we can just modify the assembly code or change the specific flag during execution. Load the program with ollydbg: 28 Adapted from content by Jiaming Li, NC State University, 2015

  29. Codebreaker Task 2: Bypass access limitation • Press CTRL+g go to the address 00401bf2, press F2 set breakpoint: 29 Adapted from content by Jiaming Li, NC State University, 2015

  30. Codebreaker Task 2: Bypass access limitation • Let’s run the program and it will stop at this breakpoint, press F8 to run one more step and we modify the conditional JUMP instruction manually: 30 Adapted from content by Jiaming Li, NC State University, 2015

  31. Codebreaker Task 2: Bypass access limitation • Then, right click → copy to executable→ all modification, so we just saved our new program, let’s try to run it: 31 Adapted from content by Jiaming Li, NC State University, 2015

  32. Codebreaker Tasks 3 and 4 • Task 3: Analyze decryption logic and develop a compatible encryption tool • Task 4: Spoof messages so they appear to come from group leadership. Tell all recipients: “ Leadership has arranged a meeting with the local authorities…Meet at the city police station at 18:00. Be discreet, and come unarmed as to not draw attention. ” (LOL) 32 Adapted from content by Jiaming Li, NC State University, 2015

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

System Security I: Introduction TDDD17 Information Security, Second Course Ulf Kargn

System Security I: Introduction TDDD17 Information Security, Second Course Ulf Kargn

System Security I: Introduction TDDD17 Information Security, Second Course Ulf Kargn Department of Computer and Information Science Linkping University System Security 2 Security in computer systems Hardware (System)

838 views • 56 slides
Basic Ciphers Computer Security: Ensure security of data kept on the computer Ahmet Burak

Basic Ciphers Computer Security: Ensure security of data kept on the computer Ahmet Burak

8.10.2019 Information Security Basic Ciphers Computer Security: Ensure security of data kept on the computer Ahmet Burak Can Network Security: Hacettepe University Ensure security of communication over insecure medium

267 views • 10 slides
Introduction to Computer Security Rev. Sept 2015 What is Computer Security? 2 Computer

Introduction to Computer Security Rev. Sept 2015 What is Computer Security? 2 Computer

Introduction to Computer Security Rev. Sept 2015 What is Computer Security? 2 Computer Security is the protection of computing systems and the data that they store or access 3 Why is Computer Security Important? Computer Security allows

690 views • 19 slides
Security 101 Definition of Information Security Information security is the protection of

Security 101 Definition of Information Security Information security is the protection of

Computing Services Information Security Office Security 101 Definition of Information Security Information security is the protection of information and systems from unauthorized access, disclosure, modification, destruction or disruption. The

469 views • 22 slides
Information Security in a Wireless World Dennis D. Steinauer Computer Security Division

Information Security in a Wireless World Dennis D. Steinauer Computer Security Division

Information Security in a Wireless World Dennis D. Steinauer Computer Security Division Information Technology Laboratory National Institute of Standards and Technology Gaithersburg, MD Information Security in a Wireless World Basic

554 views • 30 slides
Computer and Information Security Fall 2019 Endpoint security Tyler Bletsch Duke University

Computer and Information Security Fall 2019 Endpoint security Tyler Bletsch Duke University

ECE590 Computer and Information Security Fall 2019 Endpoint security Tyler Bletsch Duke University Overview How do you configure endpoints for better security? 1. Updates 2. Correct settings 3. Reduce attack surface 4. Limit privilege 5.

477 views • 19 slides
Definitions and Terminology Fall 2014 CS 334 Computer Security 1 Security Goals

Definitions and Terminology Fall 2014 CS 334 Computer Security 1 Security Goals

Definitions and Terminology Fall 2014 CS 334 Computer Security 1 Security Goals Confidentiality : concealment of information or resources. Availability : preserve ability to use information or resource desired. An unavailable

318 views • 19 slides
Physical Information Security Fall 2010 CS461/ECE422 Computer Security I Reading Material

Physical Information Security Fall 2010 CS461/ECE422 Computer Security I Reading Material

Physical Information Security Fall 2010 CS461/ECE422 Computer Security I Reading Material Secrets of Computer Espionage Chapter 5 Soft TEMPEST paper http://www.cl.cam.ac.uk/~mgk25/ih98-tempest.pdf Outline Forensics/Spying

595 views • 46 slides
Physical Information Security Fall 2009 CS461/ECE422 Computer Security I Reading Material

Physical Information Security Fall 2009 CS461/ECE422 Computer Security I Reading Material

Physical Information Security Fall 2009 CS461/ECE422 Computer Security I Reading Material Secrets of Computer Espionage Chapter 5 Soft TEMPEST paper http://www.cl.cam.ac.uk/~mgk25/ih98-tempest.pdf Outline Forensics/Spying

771 views • 47 slides
Computer and Information Security Fall 2019 Computer Security Overview Tyler Bletsch Duke

Computer and Information Security Fall 2019 Computer Security Overview Tyler Bletsch Duke

ECE590 Computer and Information Security Fall 2019 Computer Security Overview Tyler Bletsch Duke University Is this circle secure? PROBLEM: The question is under-defined. What does it mean to for a circle to be secure? LESSON:

400 views • 29 slides
ECE560 Computer and Information Security Fall 2020 Computer Security Overview Tyler Bletsch

ECE560 Computer and Information Security Fall 2020 Computer Security Overview Tyler Bletsch

ECE560 Computer and Information Security Fall 2020 Computer Security Overview Tyler Bletsch Duke University Is this circle secure? PROBLEM: The question is under-defined. What does it mean to for a circle to be secure? LESSON:

573 views • 29 slides
ECE590 Computer and Information Security Fall 2018 Computer Security Overview Tyler Bletsch

ECE590 Computer and Information Security Fall 2018 Computer Security Overview Tyler Bletsch

ECE590 Computer and Information Security Fall 2018 Computer Security Overview Tyler Bletsch Duke University Is this circle secure? PROBLEM: The question is under-defined. What does it mean to for a circle to be secure? LESSON:

763 views • 29 slides
Security Testing TDDC90 Software Security Ulf Kargn Department of Computer and Information

Security Testing TDDC90 Software Security Ulf Kargn Department of Computer and Information

Security Testing TDDC90 Software Security Ulf Kargn Department of Computer and Information Science (IDA) Division for Database and Information Techniques (ADIT) Security testing vs regular testing Regular testing aims to

1.06k views • 54 slides
CS 315: Computer Security Team/Term Project Fengwei Zhang SUSTech CS 315 Computer Security 1

CS 315: Computer Security Team/Term Project Fengwei Zhang SUSTech CS 315 Computer Security 1

CS 315: Computer Security Team/Term Project Fengwei Zhang SUSTech CS 315 Computer Security 1 General Information A research project with 2-5 individuals Building a new system Improving an existing technique Performing a large

647 views • 9 slides
Computer and Information Security Fall 2020 Cryptography Tyler Bletsch Duke University Some

Computer and Information Security Fall 2020 Cryptography Tyler Bletsch Duke University Some

ECE560 Computer and Information Security Fall 2020 Cryptography Tyler Bletsch Duke University Some slides adapted from slideware accompanying Computer Security: Principles and Practice by William Stallings and Lawrie Brown REAL advice

1.12k views • 79 slides
A brief introduction to information security Part II Tyler Moore Computer Science &

A brief introduction to information security Part II Tyler Moore Computer Science &

Notes A brief introduction to information security Part II Tyler Moore Computer Science & Engineering Department, SMU, Dallas, TX August 28 & 30, 2012 Engineered defenses to achieve protection goals Security threats Countering

369 views • 14 slides
Welcome Joint Public Service Centre Project Welcome Agenda Introductions Project

Welcome Joint Public Service Centre Project Welcome Agenda Introductions Project

Staff Engagement Group 7 th November 2014 Welcome Joint Public Service Centre Project Welcome Agenda Introductions Project Update Key Task Area Project Manager Updates Engagement Assessment Results Implementation

856 views • 38 slides
LGA Conference The Community Safety Revolution: Living in the New Landscape Sharon Moore,

LGA Conference The Community Safety Revolution: Living in the New Landscape Sharon Moore,

LGA Conference The Community Safety Revolution: Living in the New Landscape Sharon Moore, Commissioner for Families, Staffordshire County Council Kirsty Mooney, Project Manager Early Intervention, Office of the Police and Crime Commissioner

450 views • 7 slides
Student Crises Prepare Prevent Intervene W E S L E Y C E D R O S , E D . S . S E N I O

Student Crises Prepare Prevent Intervene W E S L E Y C E D R O S , E D . S . S E N I O

Student Crises Prepare Prevent Intervene W E S L E Y C E D R O S , E D . S . S E N I O R D I R E C T O R O F S T U D E N T S E R V I C E S T A M A L P A I S U N I O N H I G H S C H O O L D I S T R I C T P R E S E N T E D T O

662 views • 16 slides
The RESULTS TS Nation onal al Webin inar ar October ober 20 2020 20 Welcome me! 2 Our

The RESULTS TS Nation onal al Webin inar ar October ober 20 2020 20 Welcome me! 2 Our

The RESULTS TS Nation onal al Webin inar ar October ober 20 2020 20 Welcome me! 2 Our Anti ti-Oppr Oppression ession Val alues es RESULTS is a movement of passionate, committed everyday people. Together we use our voices to

639 views • 41 slides
TLS and DNSSEC wrap-up CS 161: Computer Security Prof. David Wagner April 14, 2013 DNSSEC

TLS and DNSSEC wrap-up CS 161: Computer Security Prof. David Wagner April 14, 2013 DNSSEC

TLS and DNSSEC wrap-up CS 161: Computer Security Prof. David Wagner April 14, 2013 DNSSEC Mallory attacks! www.google.com A? Clients ns1.evil.com www.google.com. A 6.6.6.6 Resolver DNSSEC Mallory attacks! www.google.com A?

510 views • 30 slides
Building Resilient Energy Systems Hosted by The U.S. Department of Housing and Urban Development

Building Resilient Energy Systems Hosted by The U.S. Department of Housing and Urban Development

Building Resilient Energy Systems Hosted by The U.S. Department of Housing and Urban Development July 30, 2015 Lewis Milford President Clean Energy Group Seth Mullendore Project Director Clean Energy Group Who We Are

482 views • 20 slides
Building a Healthy and Safe Workforce during Covid19 Service above Self For Official Use

Building a Healthy and Safe Workforce during Covid19 Service above Self For Official Use

OFFICIAL: Sensitive Building a Healthy and Safe Workforce during Covid19 Service above Self For Official Use Only OFFICIAL: Sensitive OFFICIAL: Sensitive Covid19 and Victoria Police Work Environment State of Emergency

213 views • 5 slides
Badal Joshi Mathematics, Duke University Stochastic Models in Neuroscience, CIRM January 18,

Badal Joshi Mathematics, Duke University Stochastic Models in Neuroscience, CIRM January 18,

A COUPLED POISSON PROCESS MODEL FOR WAKE-SLEEP CYCLING Badal Joshi Mathematics, Duke University Stochastic Models in Neuroscience, CIRM January 18, 2010 Outline Biological motivation Experimental background Description of

623 views • 34 slides

More recommend