cs 166 information security reverse engineering digital
play

CS 166: Information Security Reverse Engineering & Digital - PowerPoint PPT Presentation

Aug 04, 2023 •236 likes •1.04k views

CS 166: Information Security Reverse Engineering & Digital Rights Management Prof. Tom Austin San Jos State University SRE Software Reverse Engineering Also known as Reverse Code Engineering (RCE) Or simply reversing

  1. CS 166: Information Security Reverse Engineering & Digital Rights Management Prof. Tom Austin San José State University

  2. SRE • Software Reverse Engineering – Also known as Reverse Code Engineering (RCE) – Or simply “reversing” • Can be used for good ... – Understand malware – Understand legacy code • …or not-so-good – Remove usage restrictions from software – Find and exploit flaws in software – Cheat at games, etc.

  3. SRE • We assume… – Reverse engineer is an attacker – Attacker only has exe (no source code) – Not bytecode (i.e., no Java, .Net) • Attacker might want to – Understand the software – Modify (“patch”) the software

  4. SRE Tools • Disassembler – Converts exe to assembly (as best it can) – Cannot always disassemble 100% correctly – In general, it is not possible to re-assemble disassembly into working exe • Debugger – Must step thru code to completely understand it – Labor intensive ¾ lack of useful tools • Hex Editor – To patch (modify) exe file • Process Monitor, VMware, etc.

  5. SRE Tools • IDA Pro ¾ the top-rated disassembler – Cost is a few hundred dollars – Converts binary to assembly (as best it can) • OllyDbg ¾ high-quality shareware debugger – Includes a good disassembler • Hex editor ¾ to view/modify bits of exe – UltraEdit is good ¾ freeware – HIEW ¾ useful for patching exe • Process Monitor ¾ freeware

  6. Why is Debugger Needed? • Disassembler gives static results – Good overview of program logic – User must “mentally execute” program – Difficult to jump to specific place in the code • Debugger is dynamic – Can set break points – Can treat complex code as “black box” – And code not always disassembled correctly • Disassembler and debugger both required for any serious SRE task

  7. SRE Necessary Skills • Working knowledge of target assembly code • Experience with the tools – IDA Pro ¾ sophisticated and complex – OllyDbg ¾ best choice for this class • Knowledge of Windows Portable Executable (PE) file format • Boundless patience and optimism • SRE is a tedious, labor-intensive process!

  8. SRE Example • We consider a simple example • This example only requires disassembler (IDA Pro) and hex editor – Trudy disassembles to understand code – Trudy also wants to patch the code • For most real-world code, would also need a debugger (OllyDbg)

  9. SRE Example • Program requires serial number • But Trudy doesn’t know the serial number… q Can Trudy get serial number from exe?

  10. SRE Example • IDA Pro disassembly q Looks like serial number is S123N456

  11. SRE Example • Try the serial number S123N456 q It works! q Can Trudy do “better”?

  12. SRE Example • Again, IDA Pro disassembly q And hex view…

  13. SRE Example q “test eax,eax” is AND of eax with itself o Flag bit set to 0 only if eax is 0 o If test yields 0, then jz is true q Trudy wants jz to always be true q Can Trudy patch exe so jz always holds?

  14. SRE Example q Can Trudy patch exe so that jz always true? xor xor ¬ jz jz always true!!! Assembly Hex test eax,eax 85 C0 … xor eax,eax 33 C0 …

  15. SRE Example • Edit serial.exe with hex editor serial.exe serialPatch.exe q Save as serialPatch.exe

  16. SRE Example • Any “serial number” now works! • Very convenient for Trudy!

  17. SRE Example • Back to IDA Pro disassembly… serial.exe serialPatch.exe

  18. Problem 12.2 a) Give at least two other ways that Trudy could patch the code so that any serial number works. b) Changing the jz instruction that appears at 0x401032 to jnz is not correct for part a. Why not?

  19. SRE Attack Mitigation • Impossible to prevent SRE on open system • But can make such attacks more difficult • Anti-disassembly techniques – To confuse static view of code • Anti-debugging techniques – To confuse dynamic view of code • Tamper-resistance – Code checks itself to detect tampering • Code obfuscation – Make code more difficult to understand

  20. Anti-disassembly • Anti-disassembly methods include – Encrypted or “packed” object code – False disassembly – Self-modifying code – Many other techniques • Encryption prevents disassembly – But still need plaintext code to decrypt code! – Same problem as with polymorphic viruses

  21. Anti-disassembly Example • Suppose actual code instructions are … inst 1 jmp junk inst 3 inst 4 q What a “dumb” disassembler sees … inst 2 in inst t 3 in inst t 4 in inst t 5 in inst t 6 inst 1 q This is example of “false disassembly” q But, clever attacker will figure it out

  22. Anti-debugging • IsDebuggerPresent() • Can also monitor for – Use of debug registers – Inserted breakpoints • Debuggers don’t handle threads well – Interacting threads may confuse debugger – And therefore, confuse attacker • Many other debugger-unfriendly tricks – See next slide for one example

  23. Anti-debugger Example … inst 2 inst 3 inst 4 inst 5 inst 6 inst 1 • Suppose when program gets inst 1, it pre-fetches inst 2, inst 3 and inst 4 – This is done to increase efficiency • Suppose when debugger executes inst 1, it does not pre-fetch instructions • Can we use this difference to confuse the debugger?

  24. Anti-debugger Example … inst 2 inst 3 inst 4 ju junk inst 5 inst 6 inst 1 • Suppose inst 1 overwrites inst 4 in memory • Then program (without debugger) will be OK since it fetched inst 4 at same time as inst 1 • Debugger will be confused when it reaches ju junk where inst 4 is supposed to be • Problem if this segment of code executed more than once! – Also, code is very platform-dependent • Again, clever attacker can figure this out

  25. Tamper-resistance • Goal is to make patching more difficult • Code can hash parts of itself • If tampering occurs, hash check fails • Research has shown, can get good coverage of code with small performance penalty • But don’t want all checks to look similar – Or else easy for attacker to remove checks • This approach sometimes called “guards”

  26. Code Obfuscation • Goal is to make code hard to understand – Opposite of good software engineering! – Simple example: spaghetti code • Much research into more robust obfuscation – Example: opaque predicate int x,y : if((x - y) * (x - y) > (x * x - 2 * x * y+y * y)){…} – The if() conditional is always false • Attacker wastes time analyzing dead code

  27. Code Obfuscation • Code obfuscation sometimes promoted as a powerful security technique • Diffie and Hellman’s original ideas for public key crypto were based on obfuscation – But it didn’t work • Recently it has been shown that obfuscation probably cannot provide “strong” security – On the (im)possibility of obfuscating programs • Obfuscation might still have practical uses! – Even if it can never be as strong as crypto

  28. Authentication Example • Software used to determine authentication • Ultimately, authentication is 1-bit decision – Regardless of method used (pwd, biometric, …) – Somewhere in authentication software, a single bit determines success/failure • If Trudy can find this bit, she can force authentication to always succeed • Obfuscation makes it more difficult for attacker to find this all-important bit

  29. Obfuscation • Obfuscation forces attacker to analyze larger amounts of code • Method could be combined with – Anti-disassembly techniques – Anti-debugging techniques – Code tamper-checking • All of these increase work (and pain) for attacker • But a persistent attacker can ultimately win

  30. Software Cloning • Suppose we write a piece of software • We then distribute an identical copy (or clone) to each customers • If an attack is found on one copy, the same attack works on all copies • This approach has no resistance to “break once, break everywhere” (BOBE) • This is the usual situation in software development

  31. Metamorphic Software • Metamorphism is used in malware • Can metamorphism also be used for good? • Suppose we write a piece of software • Each copy we distribute is different – This is an example of metamorphic software • Two levels of metamorphism are possible – All instances are functionally distinct (only possible in certain applications) – All instances are functionally identical but differ internally (always possible) • We consider the latter case

  32. Metamorphic Software • If we distribute N copies of cloned software – One successful attack breaks all N • If we distribute N metamorphic copies, where each of N instances is functionally identical, but they differ internally… – An attack on one instance does not necessarily work against other instances – In the best case, N times as much work is required to break all N instances

  33. Metamorphic Software • We cannot prevent SRE attacks • The best we can hope for is BOBE resistance • Metamorphism can improve BOBE resistance • Consider the analogy to genetic diversity – If all plants in a field are genetically identical, one disease can kill all of the plants – If the plants in a field are genetically diverse, one disease can only kill some of the plants

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Computer and Information Security Fall 2019 Reverse Engineering Tyler Bletsch Duke University

Computer and Information Security Fall 2019 Reverse Engineering Tyler Bletsch Duke University

ECE590 Computer and Information Security Fall 2019 Reverse Engineering Tyler Bletsch Duke University With additional content by Jiaming Li, NC State University, 2015 What is software reverse engineering? Determine and possibly change

629 views • 35 slides
ECE590 Computer and Information Security Fall 2018 Reverse Engineering Tyler Bletsch Duke

ECE590 Computer and Information Security Fall 2018 Reverse Engineering Tyler Bletsch Duke

ECE590 Computer and Information Security Fall 2018 Reverse Engineering Tyler Bletsch Duke University With additional content by Jiaming Li, NC State University, 2015 What is software reverse engineering? Determine and possibly change

643 views • 35 slides
Reverse Engineering MAC: A Non-Cooperative Game Model Jianwei Huang Information Engineering The

Reverse Engineering MAC: A Non-Cooperative Game Model Jianwei Huang Information Engineering The

Reverse Engineering MAC: A Non-Cooperative Game Model Jianwei Huang Information Engineering The Chinese University of Hong Kong Joint work with J.-W. Lee, A. Tang, M. Chiang and A. R. Canderbank J. Huang (CUHK) Reverse Engineering MAC Nov.

605 views • 38 slides
Reverse Engineering CS 166 Armen Boursalian 30 Apr 2018 Reverse Engineering Take a

Reverse Engineering CS 166 Armen Boursalian 30 Apr 2018 Reverse Engineering Take a

Reverse Engineering CS 166 Armen Boursalian 30 Apr 2018 Reverse Engineering Take a product, understand how it works Usually limited to certain aspects, not full systems Need to know a little bit about a lot of topics to gain

636 views • 11 slides
Detecting Reverse Engineering with Canaries Collin Mulliner Security Engineer @ Cruise

Detecting Reverse Engineering with Canaries Collin Mulliner Security Engineer @ Cruise

Detecting Reverse Engineering with Canaries Collin Mulliner Security Engineer @ Cruise Automation Twitter: @ collinrm CanSecWest March 2018 About Me Security since ~1994 (hard to tell) BS, MS, PhD in computer science (all focused on

1.29k views • 80 slides
Reverse engineering: obfuscation Srdjan Matic < srdjan@security.di.unimi.it > Aristide

Reverse engineering: obfuscation Srdjan Matic < srdjan@security.di.unimi.it > Aristide

Universit` a degli Studi di Milano Facolt` a di Scienze e Tecnologie Dipartimento di Informatica Reverse engineering: obfuscation Srdjan Matic < srdjan@security.di.unimi.it > Aristide Fattori < joystick@security.di.unimi.it > A.A.

413 views • 9 slides
Reverse engineering basics @KirilsSolovjovs on twitter Mg.sc.comp. Kirils Solovjovs

Reverse engineering basics @KirilsSolovjovs on twitter Mg.sc.comp. Kirils Solovjovs

Reverse engineering basics @KirilsSolovjovs on twitter Mg.sc.comp. Kirils Solovjovs http://kirils.org for more Possible Security Reverse engineering? www.indiamart.com Contents Hardware architecture Processors and machine language

536 views • 25 slides
Reverse engineering Reverse engineer Did anyone analyze f1 something similar A binary file f2

Reverse engineering Reverse engineer Did anyone analyze f1 something similar A binary file f2

Asm2Vec : Boosting Static Representation Robustness for Binary Clone Search against Code Obfuscation and Compiler Optimization Steven H. H. Ding Benjamin C. M. Fung Philippe Charland Data Mining and Security Lab Mission Critical Cyber Security

625 views • 23 slides
LoRa Reverse Engineering and AES EM Side-Channel Attacks using SDR Pieter Robyns About me

LoRa Reverse Engineering and AES EM Side-Channel Attacks using SDR Pieter Robyns About me

LoRa Reverse Engineering and AES EM Side-Channel Attacks using SDR Pieter Robyns About me PhD student at Hasselt University since 2014 Since 2016 on FWO SBO research grant Researching wireless security Protocol security,

803 views • 57 slides
CS-527 Software Security Reverse Engineering Asst. Prof. Mathias Payer Department of Computer

CS-527 Software Security Reverse Engineering Asst. Prof. Mathias Payer Department of Computer

CS-527 Software Security Reverse Engineering Asst. Prof. Mathias Payer Department of Computer Science Purdue University TA: Kyriakos Ispoglou https://nebelwelt.net/teaching/17-527-SoftSec/ Spring 2017 Assembly code and binary formats (ELF)

630 views • 23 slides
Reverse Engineering TCP/ IP Reverse Engineering TCP/ IP Steven Low EAS, Caltech Joint work

Reverse Engineering TCP/ IP Reverse Engineering TCP/ IP Steven Low EAS, Caltech Joint work

Reverse Engineering TCP/ IP Reverse Engineering TCP/ IP Steven Low EAS, Caltech Joint work with: Li J W Li, J. Wang, Pongsajapan, Tan, Tang, M. Wang P j T T M W Outline Background Layering as optimization decomposition L

932 views • 47 slides
Security Testing fuzzing protocol fuzzing m odel-based testing autom ated reverse engineering

Security Testing fuzzing protocol fuzzing m odel-based testing autom ated reverse engineering

Security Testing fuzzing protocol fuzzing m odel-based testing autom ated reverse engineering autom ated reverse engineering Erik Poll Erik Poll Radboud University Nijmegen Testing Ingredients T ti I di t Two things are needed to test

865 views • 53 slides
Next-Generation Debuggers For Reverse Engineering For Reverse Engineering The ERESI team

Next-Generation Debuggers For Reverse Engineering For Reverse Engineering The ERESI team

Next-Generation Debuggers For Reverse Engineering For Reverse Engineering The ERESI team eresi@asgardlabs.org This presentation is about .. The Embedded ERESI debugger : e2dbg The Embedded ERESI tracer : etrace The ERESI reverse

849 views • 47 slides
CMOS Reverse Engineering Advanced Digital IC Design (ETI135) Vt1 2012 Steffen Malkowsky,

CMOS Reverse Engineering Advanced Digital IC Design (ETI135) Vt1 2012 Steffen Malkowsky,

Introduction IC Layout Recovery Functional Recovery Case Studies Conclusion CMOS Reverse Engineering Advanced Digital IC Design (ETI135) Vt1 2012 Steffen Malkowsky, Christoph M uller Lund University February 10, 2012 Steffen Malkowsky,

670 views • 50 slides
Tools for effortless reverse engineering of MikroTik routers

Tools for effortless reverse engineering of MikroTik routers

Tools for effortless reverse engineering of MikroTik routers https://github.com/0ki/mikrotik-tools v3 http ://kirils.org/ Legal disclaimer Goal of this presentation is to allow the members of the research community to assess security and

1.14k views • 47 slides
CS412 Software Security Reverse Engineering Mathias Payer EPFL, Spring 2019 Mathias Payer

CS412 Software Security Reverse Engineering Mathias Payer EPFL, Spring 2019 Mathias Payer

CS412 Software Security Reverse Engineering Mathias Payer EPFL, Spring 2019 Mathias Payer CS412 Software Security Basics: encodings Code is data is code is data Learn to read hex numbers: 0x38 == 0011'1000 Python: hex(int('00111000', 2))

696 views • 54 slides
Lec03: Writing Exploits Taesoo Kim 2 Scoreboard 3 Administrivia Survey: how many hours

Lec03: Writing Exploits Taesoo Kim 2 Scoreboard 3 Administrivia Survey: how many hours

1 Lec03: Writing Exploits Taesoo Kim 2 Scoreboard 3 Administrivia Survey: how many hours did you spend? (<3h, 6h, 10h, 15h, >20h) Please join Piazza An optional recitation at 5-7pm on every Wed (in CoC 052 ) Lab02:

603 views • 14 slides
An Invitation to Homotopy Type Theory Tingxiang Zou Type Theory Formal Systems: Churchs

An Invitation to Homotopy Type Theory Tingxiang Zou Type Theory Formal Systems: Churchs

An Invitation to Homotopy Type Theory Tingxiang Zou Type Theory Formal Systems: Churchs simply typed lambda calculus (1940); Martin L ofs dependent type theory (1971-1984) Origin: Russells theory of types The world is

848 views • 12 slides
An Algorithm better than AO*? Blai Bonet Universidad Sim on Bol var Caracas, Venezuela

An Algorithm better than AO*? Blai Bonet Universidad Sim on Bol var Caracas, Venezuela

An Algorithm better than AO*? Blai Bonet Universidad Sim on Bol var Caracas, Venezuela H ector Geffner ICREA and Universitat Pompeu Fabra Barcelona, Spain 7/2005 An Algorithm Better than AO*? B. Bonet and H. Geffner; 7/05 1

658 views • 14 slides
Energy Efficiency in Data Centers Through Optimized operations Eswar Viswanathan Director

Energy Efficiency in Data Centers Through Optimized operations Eswar Viswanathan Director

Energy Efficiency in Data Centers Through Optimized operations Eswar Viswanathan Director Data Center Lifecycle Services International Secure Power Division Confidential Property of Schneider Electric | Our technologies ensure that

437 views • 19 slides
Adapting to Alzheimers Understanding dementia in individuals with intellectual and

Adapting to Alzheimers Understanding dementia in individuals with intellectual and

Adapting to Alzheimers Understanding dementia in individuals with intellectual and developmental disabilities We have no disclosures Joanne Rolle, MPA Jennifer Dresen, MSW/MPH Learning Objectives Project Background Administration on

381 views • 7 slides
Insurance Distribution Directive Webinar September 2018 04 September 2018 1 Contents

Insurance Distribution Directive Webinar September 2018 04 September 2018 1 Contents

Insurance Distribution Directive Webinar September 2018 04 September 2018 1 Contents Introduction CoB Overview Product Governance and Distribution Selling Knowledge and Competence Next Steps 04 September 2018 2 IDD expectations IDD

661 views • 34 slides
Derek Nord, PhD, FAAIDD Director and Associate Professor Indiana Institute on Disability and

Derek Nord, PhD, FAAIDD Director and Associate Professor Indiana Institute on Disability and

Derek Nord, PhD, FAAIDD Director and Associate Professor Indiana Institute on Disability and Community Indiana University Bloomington, IN Making Employment a Reality: Were All Responsible May 1, 2020 The attached handouts are provided as

520 views • 16 slides
t r Ptr ts

t r Ptr ts

t r Ptr ts s tr s rs rt r rst

1.26k views • 71 slides

More recommend