Medusa: A disassembler and something more... (Angelin Njakasoa BOOZ, PowerPoint presentation)



Slide 1

Medusa

A disassembler and something more... Angelin Njakasoa BOOZ

LSE Summer Week 2016

Quarkslab

Angelin Njakasoa BOOZ (LSE Summer Week 2016) Medusa LSE Week 2016 1 / 20

Slide 2

Presentation

Whoami? Where do I work? What do I do?


Slide 3

Reverse Engineering

What is Reverse Engineering?

Reverse engineering, also called back engineering, is the process of extracting knowledge or design information from anything man-made and reproducing it, or reproducing anything based on the extracted information. The process often involves disassembling something and analyzing its components and workings in detail.


Slide 4

Why use reverse engineering?

- Analyze goodware for security reinforcement.
- Analyze malware to identify it more easily and to develop counter-measures.


Slide 5

Financial impact of malware

At this rate, ransomware is on pace to be a $1 billion a year crime this year. The recent cyber attack on Bangladesh's central bank, which let hackers steal over $80 million from the institution's Federal Reserve bank account, was reportedly caused by malware installed on the bank's computer systems. Although the malware type has not been identified, the malicious software likely included spying programs that let the group learn how money was processed, sent and received.


Slide 6

What is Medusa?

Medusa

A disassembler with semantics, emulation and symbolic execution. It was made to give a more detailed analysis of binaries. Medusa is composed of:

- Loaders
- Architectures
- Passes
- Databases
- Analyzers
- Disassembler
- Emulator
- Symbolic Execution Engine


Slide 7

Design

Core executable: Opening; Mapping; Configuration and disassembling; Loading and saving; Symbolic execution; Analyzing.

[Architecture diagram; the remaining labels recovered from it:] PE, ELF; X86, ARM, ...; Text, SOCI (WIP), "Your contribution here"; Interpreter, LLVM; Emulation; Disassembler, Symbolic disassembler, ...; Symbolic execution: Simplifier, Constant folder, ...


Slide 8

Emulator

CPU: Medusa relies on YAML files to describe each instruction; most of them also contain a specific field named semantic.

Memory: create a memory context to execute a program.

OS: we emulate the behavior of functions in Python.


Slide 9

Why emulation?

- Control what the target can access by managing memory, APIs, etc.
- Modify the execution on the fly.
- Monitor the context of the program.


Slide 10

Semantic

Architectures (size of the instruction description and the Python semantic file):

Architecture   .yaml (loc)   .py (loc)
arm            11485         681
x86            14121         794
z80            4151          187
st62           589           348


Slide 11

Semantic

In the YAML file:

    opcode: 0x00
    mnemonic: add
    operand: Eb, Gb
    update_flags: cf, pf, af, zf, sf, of
    semantic: add

The generator is written in Python because it is easier to parse.
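As an added example (not Medusa's own generator, whose real YAML layout is not shown on the slide), the entry above is read from a constructed YAML-style string and turned into a Python callback that computes the 8-bit add and only the flags listed in update_flags; the SEMANTICS table and the field-to-width rule are assumptions for the sake of the example.

```python
from typing import Callable, Dict, Tuple

# Constructed entry mirroring the slide's 'add Eb, Gb' description; the
# exact layout of Medusa's real YAML files is not shown on the slide.
INSTR_YAML = """\
opcode: 0x00
mnemonic: add
operand: Eb, Gb
update_flags: cf, pf, af, zf, sf, of
semantic: add
"""

def parse_entry(text: str) -> Dict[str, object]:
    """Minimal 'key: value' reader; comma-separated values become lists."""
    entry: Dict[str, object] = {}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        value = value.strip()
        entry[key.strip()] = [v.strip() for v in value.split(",")] if "," in value else value
    return entry

def add_semantic(dst: int, src: int, bits: int) -> Tuple[int, Dict[str, int]]:
    """x86-style ADD: result truncated to `bits`, plus the six arithmetic flags."""
    mask, sign = (1 << bits) - 1, 1 << (bits - 1)
    full = dst + src
    res = full & mask
    flags = {
        "cf": int(full > mask),                              # unsigned carry out
        "pf": int(bin(res & 0xFF).count("1") % 2 == 0),      # even parity of low byte
        "af": int((dst & 0xF) + (src & 0xF) > 0xF),          # carry out of bit 3
        "zf": int(res == 0),
        "sf": int(bool(res & sign)),
        "of": int(bool(~(dst ^ src) & (dst ^ res) & sign)),  # signed overflow
    }
    return res, flags

SEMANTICS = {"add": add_semantic}   # hypothetical table: semantic name -> Python
def generate(entry: Dict[str, object]) -> Callable[[int, int], Tuple[int, Dict[str, int]]]:
    """Build the emulator callback for one entry: operand width from the
    'b' (byte) suffix, flag output restricted to the update_flags list."""
    bits = 8 if str(entry["operand"][0]).endswith("b") else 32
    sem = SEMANTICS[str(entry["semantic"])]
    wanted = set(entry["update_flags"])
    def execute(dst: int, src: int) -> Tuple[int, Dict[str, int]]:
        res, flags = sem(dst, src, bits)
        return res, {name: flags[name] for name in flags if name in wanted}
    return execute

add_eb_gb = generate(parse_entry(INSTR_YAML))
```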


Slide 12

How does it work?

Demo


Slide 13

Obfuscation

Obfuscation

Obfuscation is the obscuring of intended meaning in communication, making the message confusing, willfully ambiguous, or harder to understand.


Slide 14

Symbolic Execution

Definition

Symbolic execution (also symbolic evaluation) is a means of analyzing a program to determine what inputs cause each part of a program to execute.


Slide 15

Obfuscation

Some methods of obfuscation:

- Constant unfolding
- Obfuscated patterns
- Data flattening
- Code flattening


Slide 16

Symbolic execution on Constant unfolding

x = 0xf9cbe47a + 0x6341b86
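As an added example (not Medusa's code), a minimal symbolic expression tree with the constant folder and simplifier passes named on the design slide, applied to this expression. The two 32-bit constants sum to exactly 2^32, so once folded modulo 2^32 the unfolded constant turns out to be plain 0; the tree types and pass names are assumptions for the example.

```python
from dataclasses import dataclass
from typing import Union

MASK32 = 0xFFFFFFFF   # arithmetic wraps like a 32-bit register

@dataclass(frozen=True)
class Const:
    value: int

@dataclass(frozen=True)
class Sym:
    name: str         # an unknown, e.g. an input register

@dataclass(frozen=True)
class Add:
    lhs: "Expr"
    rhs: "Expr"

Expr = Union[Const, Sym, Add]

def fold(e: Expr) -> Expr:
    """Constant folder pass: evaluate every Add whose children are both constants."""
    if not isinstance(e, Add):
        return e
    lhs, rhs = fold(e.lhs), fold(e.rhs)
    if isinstance(lhs, Const) and isinstance(rhs, Const):
        return Const((lhs.value + rhs.value) & MASK32)
    # Re-associate (x + c1) + c2 into x + (c1 + c2) so the constants meet
    if isinstance(lhs, Add) and isinstance(lhs.rhs, Const) and isinstance(rhs, Const):
        return fold(Add(lhs.lhs, Add(lhs.rhs, rhs)))
    return Add(lhs, rhs)

def simplify(e: Expr) -> Expr:
    """Simplifier pass: fold constants, then drop the identity x + 0."""
    e = fold(e)
    if isinstance(e, Add) and isinstance(e.rhs, Const) and e.rhs.value == 0:
        return simplify(e.lhs)
    return e

# The slide's unfolded constant: x = 0xf9cbe47a + 0x6341b86
SLIDE_X = Add(Const(0xF9CBE47A), Const(0x6341B86))

def recover_slide_constant() -> int:
    """Return the value the obfuscated expression actually loads into x."""
    folded = simplify(SLIDE_X)
    assert isinstance(folded, Const)
    return folded.value
```

The same passes also strip the pattern when it is wrapped around an unknown: eax + 0xf9cbe47a + 0x6341b86 simplifies back to eax.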


Slide 17

Symbolic execution on an obfuscation pattern

Demo


Slide 18

Conclusion

Questions


Slide 19

Github

https://github.com/wisk/medusa


Slide 20

Big Thanks!

Thanks to Wisk, Quarkslab and the LSE!
