FoRREST
A Framework of Robust Reverse Engineering Software Tools
Cole Loewer, Logan Rickert, David Sutherin, and Dr. Adam Bryant

Introduction

Background
Reverse engineering is the process of examining a binary executable file in order to gain an understanding of the function that it performs. This can be done for many reasons, including:
• Malware Analysis
• Vulnerability Discovery
• Legacy Code Modification
• Security Assurance

Problem
Reverse engineering is an incredibly complex task, requiring many different tools and a significant amount of background knowledge.

Goals
• Provide access to as much information from a binary file as possible in a cohesive interface.
• Implement high-level reverse engineering tools.
• Make the framework extensible so that it can be used alongside other techniques and tools.
• Decrease the learning curve for novice reverse engineers by providing an intuitive interface and functions.

Implementation

Data Representations
Information retrieved from a file can exist in many states, which we have classified into different levels (Fig. 1).

Fig. 1: The data representation hierarchy defining the structure of FoRREST

Level 0: Raw
The Raw plugin allows users to access the most basic information about a file, performing little to no analysis: filename, extension, file size, and checksums, as well as the original bytes.

Level 1: Extract
The Extract plugin supplies access to information such as the file's mime type, version number, intended architecture, the compiler used, and the sections that the original bytes are divided into.

Level 2: Interpret
The Interpret plugin translates the original bytes into more meaningful representations, such as opcodes and strings. It also provides a list of imported and exported libraries.

Level 3: Transform
The Transform plugin leverages Radare2 to provide the disassembly, mnemonics, functions, data references and jump targets within the file.

Level 4: Infer
The Infer plugin is the heavy-hitter, allowing analysts to perform high-level analyses by working as a wrapper for Radare2, angr, and boomerang. It gives users access to the control flow graph (Fig. 4), intermediate representation, and decompilation of a file, and performs deobfuscation.

Fig. 4: An example control flow graph output from FoRREST

Basic Structure
FoRREST is a Linux-based framework of reverse engineering tools, implemented as a set of Python classes, each corresponding to a specific level of the data representation hierarchy (Fig. 1).

Database
Information extracted from an executable is stored in a database. This is especially useful for examining malware: a preliminary analysis can be performed in a sandbox environment and then continued on any machine by accessing the database.

Usage
Fig. 2: Command Line Interface
Fig. 3: Import into Python Interpreter

Features

Access to Information
FoRREST gives users access to most of the information that an analyst would require when performing static analysis.

High-Level Tools
FoRREST integrates several high-level tools such as Radare2, boomerang, and angr, which can be used for in-depth analysis.

Extensibility
FoRREST can be easily imported into the Python interpreter, allowing users to integrate it with the other tools they use.

Intuitive Interface
FoRREST's features are invoked by function names which clearly represent the information that they acquire.

Evaluation

Going Forward
We have implemented some high-level reverse engineering techniques, but will need to integrate more in order to make FoRREST as useful as possible for reverse engineers. Once the high-level functions have been completed, we will design and perform a controlled user test to judge the project's success. Finally, we will submit a complete report to the International Conference on Cyber Warfare and Security, with the hope of seeing our results published in a technical journal in 2017.

Conclusion

Results
To simplify the process of reverse engineering software, we have created an extensible framework that provides access to much low-level and some high-level information about binary executables. FoRREST was developed to make its use as intuitive as possible once the basics of reverse engineering are understood.
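The Raw and Extract levels and the database hand-off described above, as an added illustration written for this page and not FoRREST's own code: a Level 0 pass (filename, size, SHA-256), a Level 1 pass that reads mime type, word size and architecture from an ELF header, and SQLite persistence keyed by content hash so a later session on another machine can pick the record back up. The function names, table schema and the constructed 64-byte sample header are assumptions, not taken from the project.

```python
import hashlib
import sqlite3
import struct

# Constructed 64-byte ELF64 header (not a real binary): ELFCLASS64,
# little-endian, e_type=ET_EXEC, e_machine=0x3E (x86-64), e_version=1.
SAMPLE_ELF = (b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
              + struct.pack("<HHI", 2, 0x3E, 1) + b"\x00" * 40)
E_MACHINE = {0x03: "x86", 0x28: "ARM", 0x3E: "x86-64", 0xB7: "AArch64"}

def raw(filename, data):
    """Level 0 (Raw): facts that require no analysis of the bytes."""
    return {"filename": filename, "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest()}

def extract(data):
    """Level 1 (Extract): mime type, word size and architecture from the ELF header."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        return {"mime": "application/octet-stream", "word_size": None, "arch": None}
    word = {1: 32, 2: 64}.get(data[4])               # EI_CLASS
    order = {1: "<", 2: ">"}.get(data[5], "<")      # EI_DATA: LSB or MSB first
    _e_type, e_machine = struct.unpack(order + "HH", data[16:20])
    return {"mime": "application/x-executable", "word_size": word,
            "arch": E_MACHINE.get(e_machine, hex(e_machine))}

def open_db(path=":memory:"):
    """Results live in a database so analysis can resume on another machine."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE IF NOT EXISTS analysis (sha256 TEXT PRIMARY KEY, "
                 "filename TEXT, size INTEGER, mime TEXT, arch TEXT)")
    return conn

def analyse(conn, filename, data):
    """Run levels 0 and 1 and persist the result keyed by content hash."""
    r, e = raw(filename, data), extract(data)
    conn.execute("INSERT OR REPLACE INTO analysis VALUES (?, ?, ?, ?, ?)",
                 (r["sha256"], r["filename"], r["size"], e["mime"], e["arch"]))
    conn.commit()
    return r["sha256"]

def lookup(conn, sha256):
    """Fetch stored facts by hash; None if the sample was never analysed."""
    row = conn.execute("SELECT filename, size, mime, arch FROM analysis "
                       "WHERE sha256 = ?", (sha256,)).fetchone()
    return None if row is None else dict(zip(("filename", "size", "mime", "arch"), row))

def demo():
    conn = open_db()
    return lookup(conn, analyse(conn, "sample.elf", SAMPLE_ELF))
```

Pointing `open_db` at a file path instead of `:memory:` gives the sandbox-to-workstation hand-off the Database section describes; the record is retrieved by hash rather than filename, so a renamed sample still matches.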
References
Adam Bryant. Personal communication, June 2016.
Adam Bryant, Robert Mills, Michael Grimaila, and Gilbert Peterson. Top-level goals in reverse engineering executable software. In Proceedings of the 8th International Conference on Information Warfare and Security (ICIW 2013), page 16. Academic Conferences Limited, 2013.
emmerik, gerard_, quantumg, and thenihilist. boomerang, 2016.
Willy Jimenez, Amel Mammar, and Ana Cavalli. Software vulnerabilities, prevention and detection methods: A review. Security in Model-Driven Architecture, page 6, 2009.
pancake. Radare2, 2016.
Rensselaer Polytechnic Institute. CSCI 4968: Modern Binary Exploitation, 2015.
Yan Shoshitaishvili et al. SOK: (State of) The Art of War: Offensive Techniques in Binary Analysis. 2016.
Wolfgang Wögerer. A survey of static program analysis techniques. Technical report, Citeseer, 2005.
