Visual Reverse Engineering
Willy Vasquez
Background
Willy Vasquez, Rising Senior at MIT
› Studying Computer Science and Engineering
› Research with Shafi Goldwasser
› Intern at Symantec Mobility Management Group
Source
Work of Christopher Domas of the Battelle Memorial Institute
Brief overview of his talk at REcon
› The Future of RE: Dynamic Binary Visualization
Reverse Engineering
The goal is to answer “what is this and what does it do?”
From Art to Science
Lots of time to identify patterns
Finding the patterns is an art.
Visual RE
Taking a computationally difficult task and translating it to a problem our brains naturally do
Traversing thousands of lines of hex and making sense of it in 20 seconds
Why improve?
› Steganography
› Obfuscation
› Embedded Devices
› Unknown formats
Why improve?
Our current best RE tools are completely dependent on known structure
Gates’ Law
› Software is getting slower more rapidly than hardware becomes faster
› The amount of information we need to analyze is growing exponentially
Background Ideas
Greg Conti › US Military Academy › Blackhat
Aldo Cortesi › Nullcube › corte.si
Conti’s Idea
Even in unstructured data there are relationships, especially among local hex bytes
Digraphs
Conti’s Idea
Ascii, Audio, Image
Cortesi’s Work
Mapping data to Hilbert curves
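As an added example (not code from the talk or from Cortesi's tools), the following maps a constructed byte sequence onto a Hilbert curve, the layout Cortesi uses, and checks the locality property that makes the layout useful: consecutive file offsets always land in adjacent cells, so a contiguous region of the file shows up as one compact blob rather than the row-wrapped stripes a plain hex dump gives. The byte-class glyphs and the sample bytes are this example's own assumptions.

```python
# Added example (not from the talk or Cortesi's tools). Standard Hilbert d2xy;
# byte-class glyphs and sample bytes are this example's own constructed choices.
def hilbert_d2xy(side, d):
    """Index d along the curve filling a side x side grid (side a power of 2) -> (x, y)."""
    x = y = 0
    t, s = d, 1
    while s < side:
        rx = 1 & (t // 2)
        ry = 1 & (t ^ rx)
        if ry == 0:                      # flip/rotate the sub-square so quadrants join up
            if rx == 1:
                x, y = s - 1 - x, s - 1 - y
            x, y = y, x
        x, y = x + s * rx, y + s * ry
        t, s = t // 4, s * 2
    return x, y

def curve_locality_ok(side):
    """Every step lands on a 4-adjacent cell and every cell is visited exactly once."""
    pts = [hilbert_d2xy(side, d) for d in range(side * side)]
    steps_ok = all(abs(ax - bx) + abs(ay - by) == 1 for (ax, ay), (bx, by) in zip(pts, pts[1:]))
    return steps_ok and len(set(pts)) == side * side

def byte_class(b):
    """One glyph per coarse byte class: zero, printable ASCII, everything else."""
    if b == 0x00:
        return "."
    return "a" if 0x20 <= b < 0x7F else "+"

def hilbert_render(data, side):
    """Lay data along the curve; returns one string per grid row (row index is y)."""
    grid = [[" "] * side for _ in range(side)]
    for d, b in enumerate(data[: side * side]):
        x, y = hilbert_d2xy(side, d)
        grid[y][x] = byte_class(b)
    return ["".join(row) for row in grid]

# Constructed sample (256 bytes): a text run, a zero-filled gap, then high bytes.
SAMPLE = (b"The quick brown fox jumps over the lazy dog. " * 2
          + b"\x00" * 64
          + bytes((i * 97 + 13) % 256 | 0x80 for i in range(102)))

if __name__ == "__main__":
    # Neighbouring offsets stay neighbours, so each region shows as a compact blob
    # rather than the row-wrapped stripes a plain hex dump would give.
    print("\n".join(hilbert_render(SAMPLE, 16)))
```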
Building on Concepts
Goal: Understanding data independent of format
..cantor.dust..
Named after Georg Cantor
Works by emphasizing the relationships between pieces of binary information
3D Digraphs
Entropy Explorer
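As an added example (not code from the talk or from ..cantor.dust..), the following computes two of the views described above on constructed bytes: Conti's digraph (counts of adjacent byte pairs, which text confines to the printable square of the 256x256 plane while compressed or encrypted data spreads across all of it) and a sliding-window Shannon entropy profile of the kind an Entropy Explorer plots against file offset. The label thresholds are this example's own assumptions, not the tool's.

```python
# Added example (not code from the talk or from ..cantor.dust..): a digraph view
# counts each (byte[i], byte[i+1]) pair for a 256x256 histogram; an entropy view
# plots Shannon entropy per window against offset. Thresholds and sample bytes
# below are this example's own constructed choices.
from collections import Counter
from math import log2

def digraph_counts(data):
    """Histogram of adjacent byte pairs keyed (first, second): the digraph image."""
    return Counter(zip(data, data[1:]))

def digraph_printable_fraction(data):
    """Share of pairs with both bytes printable ASCII; text piles up in that square."""
    pairs = list(zip(data, data[1:]))
    if not pairs:
        return 0.0
    return sum(0x20 <= a < 0x7F and 0x20 <= b < 0x7F for a, b in pairs) / len(pairs)

def shannon_entropy(chunk):
    """Bits per byte: 0.0 for a constant run, 8.0 when all 256 values are equally common."""
    n = len(chunk)
    if n == 0:
        return 0.0
    return -sum(c / n * log2(c / n) for c in Counter(chunk).values())

def entropy_profile(data, window=256, step=256):
    """(offset, entropy) per window; 256-byte windows can reach the full 8 bits."""
    return [(off, shannon_entropy(data[off:off + window]))
            for off in range(0, len(data) - window + 1, step)]

# Upper bound of each entropy band and its triage label (assumed thresholds).
LABELS = ((1.0, "padding/zeros"), (5.5, "text-like"), (7.0, "mixed/code"),
          (9.0, "compressed-or-encrypted?"))

def label_regions(data, window=256, step=256):
    """Coarse triage label per window, like the overlay an entropy explorer shows."""
    return [(off, round(h, 2), next(name for lim, name in LABELS if h < lim))
            for off, h in entropy_profile(data, window, step)]

# Constructed sample: 512 bytes of text, 256 zeros, then two 256-byte permutations
# (every value exactly once per window, so those windows hit the 8-bit maximum).
TEXT = (b"visual reverse engineering turns hex into pictures. " * 10)[:512]
ZEROS = b"\x00" * 256
SHUFFLED = (bytes((i * 97 + 13) % 256 for i in range(256))
            + bytes((i * 131 + 7) % 256 for i in range(256)))
SAMPLE = TEXT + ZEROS + SHUFFLED

if __name__ == "__main__":
    for off, h, kind in label_regions(SAMPLE):
        print(f"offset {off:5d}  entropy {h:4.2f}  {kind}")
```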
..cantor.dust.. classification
Bayesian method to classify certain types of formats
..cantor.dust.. parsing
Current binary parsing
› Recursive descent: IDA style, follows the patterns and calls in the code
› Linear sweep: objdump style, goes through the binary in linear fashion
Both rely on a structured grammar
..cantor.dust.. uses probabilistic parsing, which does not rely on a grammar
..cantor.dust.. summary
A new way to look at binary information
The demo can be found with the Black Hat presentation materials: https://media.blackhat.com/bh-us-12/Arsenal/Domas/_cantor.dust_.7z.zip
No updates since last summer
Sources
The full talk and slides are located on the recon.cx website:
› http://recon.cx/2013/schedule/events/20.html