applications of the reverse
play

Applications of the Reverse Engineering Language REIL Hackers to - PowerPoint PPT Presentation

Jun 20, 2023 •369 likes •762 views

Applications of the Reverse Engineering Language REIL Hackers to Hackers Conference 2009, So Paulo Sebastian Porst zynamics GmbH (sebastian.porst@zynamics.com) Talk Overview Necessity of new RE methods Solutions we developed

  1. Applications of the Reverse Engineering Language REIL Hackers to Hackers Conference 2009, São Paulo Sebastian Porst zynamics GmbH (sebastian.porst@zynamics.com)

  2. Talk Overview • Necessity of new RE methods • Solutions we developed • Applications of our solutions

  3. About zynamics • Small German company • Unhappy with the state of Reverse Engineering • Needed: New RE tools and methods – BinDiff, BinNavi, VxClass

  4. About me • Lead Developer of BinNavi • Many years of RE experience • Try to come up with new RE methods • Talk about it at conferences

  5. What we are doing • Build Reverse Engineering tools • Try to automize binary file analysis • Help people find vulnerabilities

  6. Why we are doing this Software Complexity Architectural Diversity Microsoft Security Budget Good old days Now

  7. How we are doing this • Develop new RE methods – Platform-Independent – Easy to use • Integrate them into our tools

  8. REIL • Reverse Engineering Intermediate Language • Platform-Independent • Designed for Reverse Engineering

  9. Design Principles • Very small instruction set • Very regular operand structure • Very simple operand types • No side-effects

  10. Example

  11. REIL Usage Convert native code to REIL Run REIL algorithm Port results back to original code

  12. Advantages • Easy to pick up and comprehend • Reduces analysis complexity • Write once; use everywhere

  13. MonoREIL • Monotone framework for REIL • Simplifies analysis algorithm development • Read the book

  14. Advantages • All algorithms have the same regular structure • Simplifies algorithms – Trade-off: Runtime

  15. Core Concepts • Instruction Graph • Lattice • Monotone Transformations

  16. Instruction Graph 1400: add t0, 15, t1 1401: bisz t1, , t2 1402: jcc t2, , 1405 1403: str 8, , t3 1405: str 16, , t3 1404: jcc t2, , 1406 1406: add t3, t3, t4 1407: jcc 1, , 1420

  17. Lattice T B

  18. Transformations 1400: add t0, 15, t1 1401: bisz t1, , t2 1402: jcc t2, , 1405 1403: str 8, , t3 1405: str 16, , t3 1404: jcc t2, , 1406 1406: add t3, t3, t4 1407: jcc 1, , 1420

  19. Applications Register Tracking : Helps Reverse Engineers follow data flow through code (Never officially presented) Index Underflow Detection : Automatically find negative array accesses (CanSecWest 2009, Vancouver) Automated Deobfuscation : Make obfuscated code more readable (SOURCE Barcelona 2009, Barcelona) ROP Gadget Generator : Automatically generates return-oriented shellcode (Work in progress; scheduled for Q1/2010)

  20. Register Tracking • Follows interesting register values • Keeps track of dependent values • Transitive closure of the effects of a register on the program state

  21. Lattice All eax eax ebx ecx ebx ecx ecx OF eax ebx ecx OF Ø

  22. General Idea • Start with the tracked register • Follow the control flow • Instruction uses register → Add modified registers to the tracked set • Instruction clears register → Remove cleared register from the set

  23. Example {t0} add t0, 4, t1 {t0, t1} bisz t2, , CF {t0, t1} bisz t0, , ZF {t0, t1, ZF} add t2, 4, t1 {t0, ZF}

  24. Result

  25. Use • Fully integrated into BinNavi • Makes it very simple to follow values • Helps the reverse engineer to concentrate on what is important

  26. Range Tracking • Tracks potential ranges for register values • Useful to detect buffer underflows like MS08-67 • Intervals are used to cut down on complexity

  27. Lattice • Complicated to show in a picture • Keep track of register values and pointer dereferences as a list of ranges • eax [0 .. 4] [0 .. 10] – Add a value between 0 and 10 to [eax], [eax + 1], [eax + 2], [eax + 3], or [eax + 4]

  28. General Idea • Track register values relative to their first use • Follow the control flow • Calculate maximum range of effects each instruction has on a register • If the range gets negative for memory accesses, mark the location

  29. Use • Helps bug hunters to find potential vulnerabilities • Automated and effective • Not yet fully proven to work

  30. Deobfuscation • Convert obfuscated code into something more readable • Multi-process step with many lattices – Constant propagation – Dead code elimination – ...

  31. General Idea • Take a piece of code • Apply the deobfuscation algorithms • Repeat until no further deobfuscation is possible • Result: Deobfuscated Code

  32. Result Before After

  33. Problems • Turns out that deobfuscation is tricky for many reasons • Further requirements: – Function that determines the readability of code – Backend that produces executable code from REIL

  34. ROP Gadget Generator • Return-oriented shellcode generator • REIL-based but not MonoREIL-based • Originally for Windows Mobile but platform-independent • To be presented in 2010

  35. General Idea • Automated analysis of instruction sequences • Automated extraction of useful instruction sequences • Combines gadgets to shellcode • Helps the development of return- oriented shellcode

  36. Result

  37. Future Development • BinAudit – Collection of algorithms for vulnerability research • Type Reconstruction – Figuring out what higher level data types are stored in registers

  38. Related Work • ERESI Project • BitBlaze • Silvio Cesare

  39. http://www.flickr.com/photos/marcobellucci/3534516458/

Recommend

Reverse Cycle Walking and its Applications Sarah Miracle and Scott Yilek University of St. Thomas

Reverse Cycle Walking and its Applications Sarah Miracle and Scott Yilek University of St. Thomas

Reverse Cycle Walking and its Applications Sarah Miracle and Scott Yilek University of St. Thomas Format Preserving Encryption Example: Existing database with millions of US social security numbers 9 digit numbers First 3 digits

881 views • 73 slides
Reverse Osmosis Reverse Osmosis Background to Market and to Market and Background Technology

Reverse Osmosis Reverse Osmosis Background to Market and to Market and Background Technology

Reverse Osmosis Reverse Osmosis Background to Market and to Market and Background Technology Technology 1 Technology and Applications Technology and Applications Reverse osmosis has been commercial for Reverse osmosis has been

948 views • 60 slides
Remanufacturing of Products Remanufacturing of Products and Reverse Logistics and Reverse

Remanufacturing of Products Remanufacturing of Products and Reverse Logistics and Reverse

Remanufacturing of Products Remanufacturing of Products and Reverse Logistics and Reverse Logistics Xochitl Aquiahuatl March 2007 Outline Outline Closed-loop Supply Chain Reverse Logistics Recovery Options Product

388 views • 22 slides
Reverse Engineering Paul deGrandis Applications Software Maintenance Source Code and

Reverse Engineering Paul deGrandis Applications Software Maintenance Source Code and

Reverse Engineering Paul deGrandis Applications Software Maintenance Source Code and Documentation Engineering Virus Analysis Malware Virus Needs a vector for propagation Worm No vector needed Can spread by

320 views • 21 slides
Reverse Engineering CS 166 Armen Boursalian 30 Apr 2018 Reverse Engineering Take a

Reverse Engineering CS 166 Armen Boursalian 30 Apr 2018 Reverse Engineering Take a

Reverse Engineering CS 166 Armen Boursalian 30 Apr 2018 Reverse Engineering Take a product, understand how it works Usually limited to certain aspects, not full systems Need to know a little bit about a lot of topics to gain

636 views • 11 slides
On S-Box Reverse-Engineering: from Cryptanalysis to the Big APN Problem Lo Perrin DTU, Lyngby

On S-Box Reverse-Engineering: from Cryptanalysis to the Big APN Problem Lo Perrin DTU, Lyngby

On S-Box Reverse-Engineering: from Cryptanalysis to the Big APN Problem Lo Perrin DTU, Lyngby perrin dot leo at gmail 4th of July 2017 Boolean Functions and Their Applications The content of this talk is based on joint works with Biryukov,

1.32k views • 108 slides
Reverse Logistics Woodfield Distribution, LLC v081617 Reverse Logistics About Us Description

Reverse Logistics Woodfield Distribution, LLC v081617 Reverse Logistics About Us Description

Presentation of Capabilities Reverse Logistics Woodfield Distribution, LLC v081617 Reverse Logistics About Us Description of Services Reverse Distribution Channels DSCSA/Sustainability About Us WDSrx Woodfield Distribution, LLC Is A

454 views • 13 slides
Next-Generation Debuggers For Reverse Engineering For Reverse Engineering The ERESI team

Next-Generation Debuggers For Reverse Engineering For Reverse Engineering The ERESI team

Next-Generation Debuggers For Reverse Engineering For Reverse Engineering The ERESI team eresi@asgardlabs.org This presentation is about .. The Embedded ERESI debugger : e2dbg The Embedded ERESI tracer : etrace The ERESI reverse

849 views • 47 slides
Reverse Engineering TCP/ IP Reverse Engineering TCP/ IP Steven Low EAS, Caltech Joint work

Reverse Engineering TCP/ IP Reverse Engineering TCP/ IP Steven Low EAS, Caltech Joint work

Reverse Engineering TCP/ IP Reverse Engineering TCP/ IP Steven Low EAS, Caltech Joint work with: Li J W Li, J. Wang, Pongsajapan, Tan, Tang, M. Wang P j T T M W Outline Background Layering as optimization decomposition L

932 views • 47 slides
Most-Effective Actions to Reverse Global Warning Most-Effective Actions to Reverse Global Warning

Most-Effective Actions to Reverse Global Warning Most-Effective Actions to Reverse Global Warning

Our Goal: A Coordinated Philanthropic Effort Most-Effective Actions to Reverse Global Warning Most-Effective Actions to Reverse Global Warning CO2 Reduction (gigatons) Refrigerant management 89.7 1. Wind turbines (onshore) 84.6 2. Reduced

308 views • 12 slides
WEBee Reverse Convolution Coding Reverse Convolution Coding Convolutional encoding uses a

WEBee Reverse Convolution Coding Reverse Convolution Coding Convolutional encoding uses a

WEBee Reverse Convolution Coding Reverse Convolution Coding Convolutional encoding uses a 288-by-216 matrix M M is not full row-rank (row:288 > column:216), the matrix equation is an overdetermined system ZigBee signals occupy

164 views • 15 slides
AutoDiff: Reverse Mode v 0 v 5 v 2 v 3 ln x 1 v 0 v 5 v 2 v 1 + x 2 v 4 y v 6 +

AutoDiff: Reverse Mode v 0 v 5 v 2 v 3 ln x 1 v 0 v 5 v 2 v 1 + x 2 v 4 y v 6 +

x 1 AutoDiff: Reverse Mode v 0 v 5 v 2 v 3 ln x 1 v 0 v 5 v 2 v 1 + x 2 v 4 y v 6 + v 3 v 1 Traverse the original graph in the reverse topological v 4 x 2 y v 6 sin order and for each node in the original

980 views • 64 slides
What You Should Know about Reverse Mortgages Welcome and Why We Are Here Idriys Abdullah

What You Should Know about Reverse Mortgages Welcome and Why We Are Here Idriys Abdullah

What You Should Know about Reverse Mortgages Welcome and Why We Are Here Idriys Abdullah Consumer Protection Advocate DISB Reverse Mortgages Presentation 2 Mission Statement DISBs Mission is Two-Fold Protect consumers by providing

495 views • 34 slides
CS 166: Information Security Reverse Engineering & Digital Rights Management Prof. Tom

CS 166: Information Security Reverse Engineering & Digital Rights Management Prof. Tom

CS 166: Information Security Reverse Engineering & Digital Rights Management Prof. Tom Austin San Jos State University SRE Software Reverse Engineering Also known as Reverse Code Engineering (RCE) Or simply reversing

1.04k views • 80 slides
Reverse, Flatten, and Zip More List Processing in Ocaml Theory of Programming Languages Computer

Reverse, Flatten, and Zip More List Processing in Ocaml Theory of Programming Languages Computer

No More Fluff Flatten Reverse Zip Unzip Mapcons Subsets Decimal Reverse, Flatten, and Zip More List Processing in Ocaml Theory of Programming Languages Computer Science Department Wellesley College No More Fluff Flatten Reverse Zip

440 views • 6 slides
BEST PRACTICE PRESENTATION Basque Government Directorate of Biodiversity and Environmental

BEST PRACTICE PRESENTATION Basque Government Directorate of Biodiversity and Environmental

First Interregional First Interregional Seminar Seminar REVERSE REVERSE First First Interregional Interregional Seminar Seminar REVERSE REVERSE Agriculture and Agriculture and Agriculture and Biodiversity Agriculture

567 views • 15 slides
Reverse mathematics and Ramsey theorem for pairs Benoit Monin Universit e Paris-Est Cr

Reverse mathematics and Ramsey theorem for pairs Benoit Monin Universit e Paris-Est Cr

Reverse mathematics and Ramsey theorem for pairs Benoit Monin Universit e Paris-Est Cr eteil Reverse mathematics Section 1 Reverse mathematics Reverse mathematics Ramsey theorem for pairs Splitting in two Motivation pougnioule

601 views • 58 slides
GSA Reverse Auctions (Vendor Training) ReverseAuctions.gsa.gov Drand Dixon, Business Development

GSA Reverse Auctions (Vendor Training) ReverseAuctions.gsa.gov Drand Dixon, Business Development

GSA Reverse Auctions (Vendor Training) ReverseAuctions.gsa.gov Drand Dixon, Business Development Specialist Melissa Mould, Business Development Specialist / Senior Contracting Officer GSA Reverse Auctions Division April 26, 2017 Reverse

567 views • 29 slides
Prospects for a reverse analysis of topology Fran cois G. Dorais Dartmouth College BLAST 2013

Prospects for a reverse analysis of topology Fran cois G. Dorais Dartmouth College BLAST 2013

Prospects for a reverse analysis of topology Fran cois G. Dorais Dartmouth College BLAST 2013 Reverse mathematics The program of reverse mathematics aims to figure out which axioms are necessary to prove theorems of everyday mathematics.

329 views • 30 slides
1 Case study 1 Case study 2 Problem Problem Sort a huge randomly-ordered file of small Sort a

1 Case study 1 Case study 2 Problem Problem Sort a huge randomly-ordered file of small Sort a

Sorting applications Sorting algorithms are essential in a broad variety of applications Organize an MP3 library. Display Google PageRank results. Advanced Topics in Sorting List RSS news items in reverse chronological order. Find

507 views • 12 slides
MAIN DRIVERS OF GLOBAL CHANGE - Land use change - Climate change - Pollution - Biodiversity

MAIN DRIVERS OF GLOBAL CHANGE - Land use change - Climate change - Pollution - Biodiversity

First Interregional First Interregional Seminar Seminar REVERSE REVERSE First First Interregional Interregional Seminar Seminar REVERSE REVERSE Agriculture and Agriculture and Biodiversity Agriculture and Agriculture

390 views • 15 slides
On the mathematical and foundational significance of the uncountable Sam Sanders (jww Dag

On the mathematical and foundational significance of the uncountable Sam Sanders (jww Dag

On the mathematical and foundational significance of the uncountable Sam Sanders (jww Dag Normann) Kanazawa, March 2018 Center for Advanced Studies, LMU Munich Reverse Mathematics Reverse Mathematics Reverse Mathematics (RM), as

1.66k views • 137 slides
Reverse Mathematics. Antonio Montalb an. University of Chicago. September 2011 Antonio

Reverse Mathematics. Antonio Montalb an. University of Chicago. September 2011 Antonio

Reverse Mathematics. Antonio Montalb an. University of Chicago. September 2011 Antonio Montalb an. University of Chicago. Reverse Mathematics. Reverse Mathematics Reverse Mathematics refers to the program, whose motivating question is

422 views • 30 slides
Introduction .NET Reverse Engineering Eric DePree Introduction to .NET Programs written for

Introduction .NET Reverse Engineering Eric DePree Introduction to .NET Programs written for

Introduction .NET Reverse Engineering Eric DePree Introduction to .NET Programs written for .NET are easy to reverse engineer. This is not in any way a fault in the design of .NET; it is simply a reality of modern, intermediate-compiled

132 views • 10 slides

More recommend