keystone the last missing framework for reverse
play

KEYSTONE: the last missing framework for Reverse Engineering - PowerPoint PPT Presentation

Nov 09, 2022 •236 likes •731 views

KEYSTONE: the last missing framework for Reverse Engineering www.keystone-engine.org NGUYEN Anh Quynh <aquynh -at- gmail.com> RECON - June 19th, 2016 1 / 48 NGUYEN Anh Quynh KEYSTONE: the last missing framework for Reverse Engineering

  1. KEYSTONE: the last missing framework for Reverse Engineering www.keystone-engine.org NGUYEN Anh Quynh <aquynh -at- gmail.com> RECON - June 19th, 2016 1 / 48 NGUYEN Anh Quynh KEYSTONE: the last missing framework for Reverse Engineering

  2. Bio Nguyen Anh Quynh (aquynh -at- gmail.com) ◮ Nanyang Technological University, Singapore ◮ Researcher with a PhD in Computer Science ◮ Operating System, Virtual Machine, Binary analysis, etc ◮ Capstone disassembler: http://capstone-engine.org ◮ Unicorn emulator: http://unicorn-engine.org ◮ Keystone assembler: http://keystone-engine.org 2 / 48 NGUYEN Anh Quynh KEYSTONE: the last missing framework for Reverse Engineering

  3. Fundamental frameworks for Reverse Engineering 3 / 48 NGUYEN Anh Quynh KEYSTONE: the last missing framework for Reverse Engineering

  4. Fundamental frameworks for Reverse Engineering 4 / 48 NGUYEN Anh Quynh KEYSTONE: the last missing framework for Reverse Engineering

  5. Assembler framework Definition Compile assembly instructions & returns encoding as sequence of bytes ◮ Ex: inc EAX → 40 May support high-level concepts such as macro, function, etc Framework to build apps on top of it Applications Dynamic machine code generation ◮ Binary rewrite ◮ Binary searching 5 / 48 NGUYEN Anh Quynh KEYSTONE: the last missing framework for Reverse Engineering

  6. Internals of assembler engine Given assembly input code Parse assembly instructions into separate statements Parse each statement into different types ◮ Label, macro, directive, etc ◮ Instruction: menemonic + operands ⋆ Emit machine code accordingly ⋆ Instruction-Set-Architecture manual referenced is needed 6 / 48 NGUYEN Anh Quynh KEYSTONE: the last missing framework for Reverse Engineering

  7. Challenges of building assembler Huge amount of works! Good understanding of CPU encoding Good understanding of instruction set Keep up with frequently updated instruction extensions. 7 / 48 NGUYEN Anh Quynh KEYSTONE: the last missing framework for Reverse Engineering

  8. Good assembler framework? True framework ◮ Embedded into tool without resorting to external process Multi-arch ◮ X86, Arm, Arm64, Mips, PowerPC, Sparc, etc Multi-platform ◮ *nix, Windows, Android, iOS, etc Updated ◮ Keep up with latest CPU extensions Bindings ◮ Python, Ruby, Go, NodeJS, etc 8 / 48 NGUYEN Anh Quynh KEYSTONE: the last missing framework for Reverse Engineering

  9. Existing assembler frameworks Nothing is up to our standard, even in 2016! ◮ Yasm: X86 only, no longer updated ◮ Intel XED: X86 only, miss many instructions & closed-source ◮ Other important archs: Arm, Arm64, Mips, PPC, Sparc, etc? 9 / 48 NGUYEN Anh Quynh KEYSTONE: the last missing framework for Reverse Engineering

  10. Life without assembler frameworks? People are very much struggling for years! ◮ Use existing assembler tool to compile assembly from file ◮ Call linker to link generated object file ◮ Use ELF parser to parse resulted file for final encoding Ugly and inefficient Little control on the internal process & output Cross-platform support is very poor 10 / 48 NGUYEN Anh Quynh KEYSTONE: the last missing framework for Reverse Engineering

  11. Dream a good assembler Multi-architectures ◮ Arm, Arm64, Mips, PowerPC, Sparc, X86 (+X86_64) + more Multi-platform: *nix, Windows, Android, iOS, etc Updated: latest extensions of all hardware architectures Independent with multiple bindings ◮ Low-level framework to support all kind of OS and tools ◮ Core in C++, with API in pure C, and support multiple binding languages 11 / 48 NGUYEN Anh Quynh KEYSTONE: the last missing framework for Reverse Engineering

  12. Timeline Indiegogo campaign started on March 17th, 2016 (for 3 weeks) ◮ 99 contributors, 4 project sponsors Beta code released to beta testers on April 30th, 2016 ◮ Only Python binding available at this time Version 0.9 released on May 31st, 2016 ◮ More bindings by beta testers: NodeJS, Ruby, Go & Rust Haskell binding merged after v0.9 public 12 / 48 NGUYEN Anh Quynh KEYSTONE: the last missing framework for Reverse Engineering

  13. Keystone == Next Generation Assembler Framework 13 / 48 NGUYEN Anh Quynh KEYSTONE: the last missing framework for Reverse Engineering

  14. Goals of Keystone Multi-architectures ◮ Arm, Arm64, Mips, PowerPC, Sparc, X86 (+X86_64) + more Multi-platform: *nix, Windows, Android, iOS, etc Updated: latest extensions of all hardware architectures Core in C/C++, API in pure C & support multiple binding languages 14 / 48 NGUYEN Anh Quynh KEYSTONE: the last missing framework for Reverse Engineering

  15. Challenges to build Keystone Huge amount of works! Too many hardware architectures Too many instructions Limited resource ◮ Started as a personal project 15 / 48 NGUYEN Anh Quynh KEYSTONE: the last missing framework for Reverse Engineering

  16. Keystone design & implementation 16 / 48 NGUYEN Anh Quynh KEYSTONE: the last missing framework for Reverse Engineering

  17. Ambitions & ideas Have all features in months, not years! Stand on the shoulders of the giants at the initial phase. Open source project to get community involved & contributed. Idea: LLVM! 17 / 48 NGUYEN Anh Quynh KEYSTONE: the last missing framework for Reverse Engineering

  18. Introduction on LLVM LLVM project Open source project on compiler: http://llvm.org Huge community & highly active Backed by many major players: AMD, Apple, Google, Intel, IBM, ARM, Imgtec, Nvidia, Qualcomm, Samsung, etc. Multi-arch ◮ X86, Arm, Arm64, Mips, PowerPC, Sparc, Hexagon, SystemZ, etc Multi-platform ◮ Native compile on Windows, Linux, macOS, BSD, Android, iOS, etc 18 / 48 NGUYEN Anh Quynh KEYSTONE: the last missing framework for Reverse Engineering

  19. LLVM architecture 19 / 48 NGUYEN Anh Quynh KEYSTONE: the last missing framework for Reverse Engineering

  20. LLVM’s Machine Code (MC) layer Core layer of LLVM to integrate compiler with its internal assemblers Used by compiler, assembler, disassembler, debugger & JIT compilers Centralize with a big table of description (TableGen) of machine instructions Auto generate assembler, disassembler, and code emitter from TableGen (*.inc) - with llvm-tablegen tool. 20 / 48 NGUYEN Anh Quynh KEYSTONE: the last missing framework for Reverse Engineering

  21. Why LLVM? Available assembler internally in Machine Code (MC) module - for inline assembly support. ◮ Only useable for LLVM modules, not for external code ◮ Closely designed & implemented for LLVM ◮ Very actively maintained & updated by a huge community Already implemented in C++, so easy to immplement Keystone core on top Pick up only those archs having assemblers: 8 archs for now. 21 / 48 NGUYEN Anh Quynh KEYSTONE: the last missing framework for Reverse Engineering

  22. LLVM advantages High quality code with lots of tested done using test cases Assembler maintained by top experts of each archs ◮ X86: maintained by Intel (arch creator). ◮ Arm+Arm64: maintained by Arm & Apple (arch creator & Arm64’s device maker). ◮ Hexagon: maintained by Qualcomm (arch creator) ◮ Mips: maintained by Imgtec (arch creator) ◮ SystemZ: maintained by IBM (arch creator) ◮ PPC & Sparc: maintained by highly active community New instructions & bugs fixed quite frequently! Bugs can be either reported to us, or reported to LLVM upstream, then ported back. 22 / 48 NGUYEN Anh Quynh KEYSTONE: the last missing framework for Reverse Engineering

  23. Are we done? 23 / 48 NGUYEN Anh Quynh KEYSTONE: the last missing framework for Reverse Engineering

  24. Challenges to build Keystone (1) LLVM MC is a challenge Not just assembler, but also disassembler, Bitcode, InstPrinter, Linker Optimization, etc LLVM codebase is huge and mixed like spaghetti :-( Keystone job Keep only assembler code & remove everything else unrelated Rewrites some components but keep AsmParser, CodeEmitter & AsmBackend code intact (so easy to sync with LLVM in future) Keep all the code in C++ to ease the job (unlike Capstone) ◮ No need to rewrite complicated parsers ◮ No need to fork llvm-tblgen 24 / 48 NGUYEN Anh Quynh KEYSTONE: the last missing framework for Reverse Engineering

  25. Decide where to make the cut Where to make the cut? ◮ Cut too little result in keeping lots of redundant code ◮ Cut too much would change the code structure, making it hard to sync with upstream. Optimal design for Keystone ◮ Take the assembler core & make minimal changes 25 / 48 NGUYEN Anh Quynh KEYSTONE: the last missing framework for Reverse Engineering

  26. Keystone flow 26 / 48 NGUYEN Anh Quynh KEYSTONE: the last missing framework for Reverse Engineering

  27. Challenges to build Keystone (2) Multiple binaries LLVM compiled into multiple libraries ◮ Supported libs ◮ Parser ◮ TableGen ◮ etc Keystone needs to be a single library Keystone job Modify linking setup to generate a single library ◮ libkeystone.[so, dylib] or keystone.dll ◮ libkeystone.a, or keystone.lib 27 / 48 NGUYEN Anh Quynh KEYSTONE: the last missing framework for Reverse Engineering

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

to Critical Information Infrastructure Haythem EL MIR, CISSP CEO, keystone Group &amp; CISRT.tn

to Critical Information Infrastructure Haythem EL MIR, CISSP CEO, keystone Group &amp; CISRT.tn

Building the Digital Keystone Cyber Threats to Critical Information Infrastructure Haythem EL MIR, CISSP CEO, keystone Group &amp; CISRT.tn www.keystone.tn Building the Digital Keystone State Sponsored Attacks Political Warfare

519 views • 37 slides
AN EU LEGAL FRAMEWORK TO HALT AND REVERSE EU-DRIVEN DEFORESTATION Cristina Mller and

AN EU LEGAL FRAMEWORK TO HALT AND REVERSE EU-DRIVEN DEFORESTATION Cristina Mller and

POLICY DEPARTMENT FOR ECONOMIC, SCIENTIFIC AND QUALITY OF LIFE POLICIES ECON . EMPL . ENVI . ITRE . IMCO AN EU LEGAL FRAMEWORK TO HALT AND REVERSE EU-DRIVEN DEFORESTATION Cristina Mller and Helmut Gaugitsch Environment Agency Austria

779 views • 38 slides
Miasm2 Reverse engineering framework F. Desclaux, C. Mougey Commissariat lnergie

Miasm2 Reverse engineering framework F. Desclaux, C. Mougey Commissariat lnergie

Miasm2 Reverse engineering framework F. Desclaux, C. Mougey Commissariat lnergie atomique et aux nergies alternatives June 17, 2017 Summary 1 Introduction 2 Use case: Shellcode Use case: EquationDrug from EquationGroup 3 Use

1.66k views • 143 slides
Hands-On Ghidra A Tutorial about the Software Reverse Engineering Framework Roman Rohleder

Hands-On Ghidra A Tutorial about the Software Reverse Engineering Framework Roman Rohleder

Hands-On Ghidra A Tutorial about the Software Reverse Engineering Framework Roman Rohleder Thales Group Ghidra? Gee-druh. The G sounds like the G in goto, great, good, graph and GitHub. The emphasis goes on the first syllable.

1.25k views • 40 slides
Bridging Clouds with Keystone to Keystone Federation Vishakha Agarwal Colleen Murphy Who are

Bridging Clouds with Keystone to Keystone Federation Vishakha Agarwal Colleen Murphy Who are

Bridging Clouds with Keystone to Keystone Federation Vishakha Agarwal Colleen Murphy Who are we? Vishakha Agarwal (vishakha) Senior Member Technical Staff at NEC Keystone contributor Colleen Murphy (cmurphy)

568 views • 30 slides
Keystone Policy Series CENSUS 2020 Update for PA Funders Welcome! Keystone Policy Series

Keystone Policy Series CENSUS 2020 Update for PA Funders Welcome! Keystone Policy Series

Keystone Policy Series CENSUS 2020 Update for PA Funders Welcome! Keystone Policy Series This webinar is being recorded and will available for distribution following todays program. All lines will be muted during this call, please

341 views • 30 slides
Methodological considerations Biosocial research framework Biological data quality issues

Methodological considerations Biosocial research framework Biological data quality issues

Methodological considerations Biosocial research framework Biological data quality issues Missing data in biosocial research Missing biological data Substantial proportions of missing biological data A number of processes that

421 views • 17 slides
Fil illi ling th the gap ap a keystone for r th the Pan European Priv rivate Plac

Fil illi ling th the gap ap a keystone for r th the Pan European Priv rivate Plac

Fil illi ling th the gap ap a keystone for r th the Pan European Priv rivate Plac lacement mark rket Tues esday, 14 14 Apri ril l 20 2015 15 Lo London Filling the gap a keystone for the Pan European Private Placement market

319 views • 29 slides
radare2 Radare2 - a framework for reverse engineering Maxime Morin (@Maijin212), Julien Voisin,

radare2 Radare2 - a framework for reverse engineering Maxime Morin (@Maijin212), Julien Voisin,

radare2 Radare2 - a framework for reverse engineering Maxime Morin (@Maijin212), Julien Voisin, Jeffrey Crowell (@jeffreycrow- ell), Anton Kochkov (@akochkov) October 22, 2015 Hack.lu 10-2015 maxime morin 22 y/o french expat @ Luxembourg

1.99k views • 84 slides
A missing value tour Julie Josse Ecole Polytechnique, INRIA 26 january 2020 Workshop of the

A missing value tour Julie Josse Ecole Polytechnique, INRIA 26 january 2020 Workshop of the

A missing value tour Julie Josse Ecole Polytechnique, INRIA 26 january 2020 Workshop of the Applied Machine Learning Days 2020, Lausanne 1 Overview 1. Introduction 2. Handling missing values (inferential framework) 3. Supervised learning

657 views • 43 slides
Remanufacturing of Products Remanufacturing of Products and Reverse Logistics and Reverse

Remanufacturing of Products Remanufacturing of Products and Reverse Logistics and Reverse

Remanufacturing of Products Remanufacturing of Products and Reverse Logistics and Reverse Logistics Xochitl Aquiahuatl March 2007 Outline Outline Closed-loop Supply Chain Reverse Logistics Recovery Options Product

388 views • 22 slides
Bringing Memory-Safety to Keystone Enclave Mingshen Sun Baidu X-Lab Open-Source Enclaves Workshop

Bringing Memory-Safety to Keystone Enclave Mingshen Sun Baidu X-Lab Open-Source Enclaves Workshop

Bringing Memory-Safety to Keystone Enclave Mingshen Sun Baidu X-Lab Open-Source Enclaves Workshop (OSEW 2019) Berkeley, July 2019 https://mesatee.org Rust and Keystone Enclave Open-Source Enclave (RISC-V Hardware/Keystone Enclave) :

662 views • 32 slides
The Keystone for Primary Care? Benjamin F. Crabtree, PhD Department of Family Medicine &amp;

The Keystone for Primary Care? Benjamin F. Crabtree, PhD Department of Family Medicine &amp;

Patient-Centered Medical Home: The Keystone for Primary Care? Benjamin F. Crabtree, PhD Department of Family Medicine &amp; Community Health April 29, 2017 keystone How well is Australias health care doing? Treating sinusitis?

1.37k views • 55 slides
Reverse Engineering CS 166 Armen Boursalian 30 Apr 2018 Reverse Engineering Take a

Reverse Engineering CS 166 Armen Boursalian 30 Apr 2018 Reverse Engineering Take a

Reverse Engineering CS 166 Armen Boursalian 30 Apr 2018 Reverse Engineering Take a product, understand how it works Usually limited to certain aspects, not full systems Need to know a little bit about a lot of topics to gain

636 views • 11 slides
Missing Data and Imputation NINA ORWITZ OCTOBER 30 TH , 2017 Outline Types of missing data

Missing Data and Imputation NINA ORWITZ OCTOBER 30 TH , 2017 Outline Types of missing data

Missing Data and Imputation NINA ORWITZ OCTOBER 30 TH , 2017 Outline Types of missing data Simple methods for dealing with missing data Single and multiple imputation R example Missing data is a complex problem We must consider:

377 views • 22 slides
Keystone Opportunity Zones School District of Philadelphia School Board Meeting September 20,

Keystone Opportunity Zones School District of Philadelphia School Board Meeting September 20,

Keystone Opportunity Zones School District of Philadelphia School Board Meeting September 20, 2018 The Keystone Opportunity Zone program was started in 1999 as a state-wide real estate incentive. Its KOZ Overview purpose is to be a catalyst

600 views • 38 slides
Cross-domain Modeling and Optimization of High-speed Visual Servo Systems Zhenyu Ye, Eindhoven

Cross-domain Modeling and Optimization of High-speed Visual Servo Systems Zhenyu Ye, Eindhoven

Cross-domain Modeling and Optimization of High-speed Visual Servo Systems Zhenyu Ye, Eindhoven University of Technology and Connecterra BV Henk Corporaal, Eindhoven University of Technology Pieter Jonker, Delft University of Technology Henk

407 views • 25 slides
Cross section and coupling measurements with the ATLAS detector for the 125 GeV Higgs Boson in

Cross section and coupling measurements with the ATLAS detector for the 125 GeV Higgs Boson in

Cross section and coupling measurements with the ATLAS detector for the 125 GeV Higgs Boson in the fermion decay channels Particles and Nuclei International Conference 2017 Beijing, China September 1 st 5 th 2017 Kristian Gregersen

296 views • 25 slides
Jhaumeer-Laulloo Sabina* Department of Chemistry, University of Mauritius * Corresponding

Jhaumeer-Laulloo Sabina* Department of Chemistry, University of Mauritius * Corresponding

Authors: Moosun Bibi Salma Bhowon Gupta Minu Bhewa Shabneez Jhaumeer-Laulloo Sabina* Department of Chemistry, University of Mauritius * Corresponding author: sabina@uom.ac.mu The construction of new C-C bonds is of central importance in

800 views • 22 slides
MATH6380O Mini-Project 1 Image Classification with Extracted Feature ZHANG Jianhui, ZHANG

MATH6380O Mini-Project 1 Image Classification with Extracted Feature ZHANG Jianhui, ZHANG

MATH6380O Mini-Project 1 Image Classification with Extracted Feature ZHANG Jianhui, ZHANG Hongming, ZHU Weizhi, FAN Min Hong Kong University of Science and Technology March 13, 2018 Outline Preprocessing data 1 Feature Extraction 2

555 views • 21 slides
Assembly Programming on Linux Assembly Programming on Linux Necessity OS Kernel Development

Assembly Programming on Linux Assembly Programming on Linux Necessity OS Kernel Development

Assembly Programming on Linux Assembly Programming on Linux Necessity OS Kernel Development 80x86 Sparc Alpha Some device drivers SCSI Controller Video Card Network Card Others that has ROM on board .. Compiler/Interpreter/Cross

282 views • 11 slides
Quiz! Books and papers put away Hats off or brims turned backwards Piece of paper

Quiz! Books and papers put away Hats off or brims turned backwards Piece of paper

Quiz! Books and papers put away Hats off or brims turned backwards Piece of paper out - Name and Student ID on it Your work is your own - Eyes on your own paper - Protect your own paper - Turn your paper over when youre done

154 views • 4 slides
Report on QCDOC All Hands Meeting US Lattice QCD Collaboration Meeting FNAL, May 14-15, 2009

Report on QCDOC All Hands Meeting US Lattice QCD Collaboration Meeting FNAL, May 14-15, 2009

Report on QCDOC All Hands Meeting US Lattice QCD Collaboration Meeting FNAL, May 14-15, 2009 Stratos Efstathiadis BNL OUTLINE Introduction Available Hardware Machine Monitoring and Usage User Environment, File

350 views • 21 slides
HW/SW Codesign w/ FPGAsGeneral Purpose Embedded Cores ECE 495/595 G.P. Embedded Cores (A

HW/SW Codesign w/ FPGAsGeneral Purpose Embedded Cores ECE 495/595 G.P. Embedded Cores (A

HW/SW Codesign w/ FPGAsGeneral Purpose Embedded Cores ECE 495/595 G.P. Embedded Cores (A Practical Intro. to HW/SW Codesign, P. Schaumont) The most successful programmable component on silicon is the microprocessor Fueled by a well-balanced mix of

467 views • 21 slides

More recommend