SLIDE 1
REbus: Make your security tools cooperate
Raphaël Rigo, with slides by Xavier Mehrenberger
July 5th / RMLL Sec 2016
SLIDE 3
REbus
Example malware CFG analysis workflow
Pipeline: Bin → CFG → graph→img → Image viewer
- Lib. dep.
Further tools added to the workflow, one build at a time: Visual analytics, Unpacker, Unpacker 2, Zip, Unzip, Mail, Parse mail
July 5th / RMLL Sec 2016 2
SLIDE 11
REbus
REbus interfaces
Diagram: an Agent talks to its Tool through the Tool interface and to the Bus master through the Bus interface; Storage is reached through the Storage interface.
July 5th / RMLL Sec 2016 3
SLIDE 12
REbus
REbus architecture
Framework, with a decentralised workflow
Decentralized workflow
Tool 1 Tool 2
July 5th / RMLL Sec 2016 4
SLIDE 13
REbus
REbus architecture
Framework, with a decentralised workflow
Adding a new agent
Tool 1 Tool 2 Tool 3
July 5th / RMLL Sec 2016 5
SLIDE 14
REbus
Data exchange across the bus
Goal: compute md5sum of each file contained in provided ✳t❣③ archive
inject apt1.tgz master / storage unarchive hasher return /md5_hash
July 5th / RMLL Sec 2016 6
SLIDE 15
REbus
Data exchange across the bus
Goal: compute md5sum of each file contained in provided ✳t❣③ archive
inject apt1.tgz master / storage apt1.tgz unarchive hasher return /md5_hash
July 5th / RMLL Sec 2016 6
SLIDE 16
REbus
Data exchange across the bus
Goal: compute md5sum of each file contained in provided ✳t❣③ archive
master / storage apt1.tgz unarchive hasher return /md5_hash /compressed/gzip/%1234abcdef
July 5th / RMLL Sec 2016 6
SLIDE 17
REbus
Data exchange across the bus
Goal: compute md5sum of each file contained in provided ✳t❣③ archive
master / storage apt1.tgz unarchive apt1.tgz hasher return /md5_hash
July 5th / RMLL Sec 2016 6
SLIDE 18
REbus
Data exchange across the bus
Goal: compute md5sum of each file contained in provided ✳t❣③ archive
master / storage apt1.tgz AURIGA_sample_6B3 unarchive hasher return /md5_hash
July 5th / RMLL Sec 2016 6
SLIDE 19
REbus
Data exchange across the bus
Goal: compute md5sum of each file contained in provided ✳t❣③ archive
master / storage apt1.tgz AURIGA_sample_6B3 unarchive hasher return /md5_hash /binary/pe/%abcd1234
July 5th / RMLL Sec 2016 6
SLIDE 20
REbus
Data exchange across the bus
Goal: compute md5sum of each file contained in provided ✳t❣③ archive
master / storage apt1.tgz AURIGA_sample_6B3 unarchive hasher AURIGA_sample_6B3 return /md5_hash
July 5th / RMLL Sec 2016 6
SLIDE 21
REbus
Data exchange across the bus
Goal: compute md5sum of each file contained in provided ✳t❣③ archive
master / storage apt1.tgz AURIGA_sample_6B3
md5sum(AURIGA)
unarchive hasher return /md5_hash
July 5th / RMLL Sec 2016 6
SLIDE 22
REbus
Data exchange across the bus
Goal: compute md5sum of each file contained in provided ✳t❣③ archive
master / storage apt1.tgz AURIGA_sample_6B3
md5sum(AURIGA)
unarchive hasher return /md5_hash /md5_hash/%6e1d51696
July 5th / RMLL Sec 2016 6
SLIDE 23
REbus
Data exchange across the bus
Goal: compute md5sum of each file contained in provided ✳t❣③ archive
master / storage apt1.tgz AURIGA_sample_6B3
md5sum(AURIGA)
unarchive hasher return /md5_hash
md5sum(AURIGA)
July 5th / RMLL Sec 2016 6
SLIDE 24
REbus
Example agent combination
$ rebus_agent -m rebus_demo.agents hasher unarchive \
    inject ~/apt1.tgz -- \
    return --short md5_hash
apt1.tgz: AURIGA_6B31344B40E2AF9C9EE3BA707558C14E = 6b31344b40e2af9c9ee3ba707558c14e
apt1.tgz: AURIGA_CDCD3A09EE99CFF9A58EFEA5CCBE2BED = cdcd3a09ee99cff9a58efea5ccbe2bed
apt1.tgz: BANGAT_468FF2C12CFFC7E5B2FE0EE6BB3B239E = 468ff2c12cffc7e5b2fe0ee6bb3b239e
[...]
July 5th / RMLL Sec 2016 7
SLIDE 25
from rebus.agent import Agent
from rebus_demo.tools import hash_tools

@Agent.register
class Hasher(Agent):
    _name_ = "hasher"
    _desc_ = "Return md5 of a binary"

    def selector_filter(self, selector):
        # Indicate that this agent is only interested in descriptors whose
        # selector starts with "/binary"
        return selector.startswith("/binary/")

    def process(self, desc, sender_id):
        # Call the very complex tool on the received value
        md5_hash = hash_tools.md5hasher(desc.value)
        # Create a new child descriptor
        new_desc = desc.spawn_descriptor("/md5_hash", unicode(md5_hash), self.name)
        # Push the new descriptor to the bus
        self.push(new_desc)
Listing 1: REbus agent to compute md5sum of binary files
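The bus sequence from the "Data exchange across the bus" slides and the agent of Listing 1, modelled end to end as an added example (not REbus's own code): agents declare the selector prefix they care about, the bus master stores each descriptor under a content-addressed selector and notifies only agents whose selector_filter matches, and each agent spawns a child descriptor under a new prefix. The Bus, spawn, Unarchive, Hasher, Return and build_tgz names, the truncated sha256 in selectors and the skipping of already-stored selectors are assumptions of this model, not REbus's API.

```python
import hashlib, io, tarfile, collections

Descriptor = collections.namedtuple("Descriptor", "selector label value")  # selector = type path + '%' + hash

class Bus:  # bus master + storage model: keeps every descriptor and notifies matching agents
    def __init__(self):
        self.storage, self.agents = {}, []   # storage: selector -> Descriptor
    def push(self, desc):
        if desc.selector in self.storage:    # assumption: already-known content is not re-run
            return
        self.storage[desc.selector] = desc
        for agent in self.agents:            # only agents whose filter accepts the selector
            if agent.selector_filter(desc.selector):
                agent.process(desc, self)

def spawn(prefix, label, value):  # child descriptor; a truncated sha256 in the selector is our choice
    raw = value if isinstance(value, bytes) else value.encode()
    return Descriptor(prefix + "/%" + hashlib.sha256(raw).hexdigest()[:10], label, value)

class Unarchive:  # /compressed/gzip/... -> /binary/...
    def selector_filter(self, sel): return sel.startswith("/compressed/gzip/")
    def process(self, desc, bus):
        with tarfile.open(fileobj=io.BytesIO(desc.value), mode="r:gz") as tar:
            for m in tar.getmembers():
                if m.isfile():
                    data = tar.extractfile(m).read()   # cheap PE sniff decides the sub-type
                    bus.push(spawn("/binary/pe" if data.startswith(b"MZ") else "/binary/unknown", m.name, data))

class Hasher:  # /binary/... -> /md5_hash/...
    def selector_filter(self, sel): return sel.startswith("/binary/")
    def process(self, desc, bus):
        bus.push(spawn("/md5_hash", desc.label, hashlib.md5(desc.value).hexdigest()))

class Return:  # collects what 'return --short md5_hash' would print
    def __init__(self): self.results = {}
    def selector_filter(self, sel): return sel.startswith("/md5_hash/")
    def process(self, desc, bus): self.results[desc.label] = desc.value

def build_tgz(files):  # constructed sample input: {name: bytes} -> gzip-compressed tar bytes
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name); info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def run_workflow(archive_bytes, name="apt1.tgz"):  # the 'inject' step; returns {file: md5}
    bus, ret = Bus(), Return()
    bus.agents.extend([Unarchive(), Hasher(), ret])
    bus.push(spawn("/compressed/gzip", name, archive_bytes))
    return ret.results
```

Two files with identical content share a selector, so the second one is never re-hashed; that is the content-addressing the slides' %hash suffix stands for.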
SLIDE 26