Visual Reverse Engineering
Transcript of Visual Reverse Engineering
Willy Vasquez
Background
Willy Vasquez, Rising Senior at MIT
› Studying Computer Science and Engineering
› Research with Shafi Goldwasser
› Intern at Symantec Mobility Management Group
Source
Work of Christopher Domas of the Battelle Memorial Institute
Brief overview of his talk at REcon
› The Future of RE: Dynamic Binary Visualization
Reverse Engineering
The goal is to answer “what is this and what does it do?”
From Art to Science
Lots of time is spent identifying patterns. Finding the patterns is an art.
Visual RE
Taking a computationally difficult task and translating it to a problem our brains naturally do
Traversing thousands of lines of hex and making sense of it in 20 seconds
Why improve?
› Steganography
› Obfuscation
› Embedded Devices
› Unknown formats
Why improve?
Our current best RE tools are completely dependent on known structure
Gates’ Law
› Software is getting slower more rapidly than hardware becomes faster
› The amount of information we need to analyze is growing exponentially
Background Ideas
Greg Conti
› US Military Academy
› Blackhat
Aldo Cortesi
› Nullcube
› corte.si
Conti’s Idea
Even in unstructured data there are relationships, especially among local hex bytes
Digraphs
Conti’s Idea
Digraph plots of ASCII, audio, and image data
Cortesi’s Work
Mapping data to Hilbert curves
Building on Concepts
Goal: Understanding data independent of format
..cantor.dust..
Named after Georg Cantor
Works by emphasizing the relationships between pieces of binary information
3D Digraphs
Entropy Explorer
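The digraph and entropy views above, as an added example that is not code from the talk or from ..cantor.dust..: adjacent byte pairs are counted into the 256x256 grid Conti plots, and a sliding window computes Shannon entropy per region. The sample bytes and the classification thresholds are constructed here.

```python
# Added example (not from the talk or from ..cantor.dust..): the two views
# the slides describe, byte digraphs and a windowed entropy profile.
import hashlib
import math
from collections import Counter


def digraph_counts(data: bytes) -> Counter:
    """Count adjacent byte pairs (x = data[i], y = data[i+1]).

    Plotted on a 256x256 grid this is Conti's digraph view: ASCII text
    clusters in the 0x20-0x7E square, padding collapses to one corner,
    and compressed or encrypted data fills the plane evenly.
    """
    return Counter(zip(data, data[1:]))


def shannon_entropy(block: bytes) -> float:
    """Entropy in bits per byte: 0.0 for a constant block, 8.0 for uniform."""
    if not block:
        return 0.0
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())


def entropy_profile(data: bytes, window: int = 128) -> list[float]:
    """Entropy of each fixed-size window, the basis of an entropy explorer."""
    return [shannon_entropy(data[i:i + window])
            for i in range(0, len(data), window)]


def classify_region(entropy: float) -> str:
    """Coarse label per window; thresholds are illustrative (128-byte windows)."""
    if entropy < 1.0:
        return "padding/constant"
    if entropy < 5.5:
        return "text/code"
    return "compressed/encrypted"


# Constructed sample: 128 zero bytes, 128 bytes of ASCII text, then 128 bytes
# of SHA-256 output standing in for compressed or encrypted data.
SAMPLE = (bytes(128)
          + (b"Visual RE turns hex into pictures. " * 4)[:128]
          + b"".join(hashlib.sha256(bytes([i])).digest() for i in range(4)))

if __name__ == "__main__":
    print("most common digraphs:", digraph_counts(SAMPLE).most_common(3))
    for i, e in enumerate(entropy_profile(SAMPLE)):
        print(f"window {i}: {e:.2f} bits/byte -> {classify_region(e)}")
```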
..cantor.dust.. classification
Bayesian method to classify certain types of formats
..cantor.dust.. parsing
Current binary parsing:
› Recursive descent: IDA style, follows patterns and calls in the code
› Linear sweep: objdump style, goes through the binary in linear fashion
Both rely on a structured grammar
..cantor.dust.. uses probabilistic parsing, which does not rely on a grammar
..cantor.dust.. summary
A new way to look at binary information
The demo can be found from the Blackhat presentation: https://media.blackhat.com/bh-us-12/Arsenal/Domas/_cantor.dust_.7z.zip
No updates since last summer
Sources
The full talk and slides are located on the recon.cx website:
› http://recon.cx/2013/schedule/events/20.html