SlideShare ist ein Scribd-Unternehmen logo

Be Social. Use CrowdRE.

CrowdStrike
CrowdStrike

CrowdRE is an IDA Pro plugin that enables collaborative reverse engineering by allowing analysts to share and synchronize analysis results for malware samples. It uses a version control-like system to manage annotations on functions and types, and features fuzzy matching to import relevant annotations from other analysts who have worked on similar code. The tool aims to improve efficiency of malware analysis by facilitating distributed and collaborative work between reverse engineers.

Technologie
1 von 19
Downloaden Sie, um offline zu lesen
Be Social. Use CrowdRE. An IDA Plugin for Collaborative Reversing Tillmann Werner, Jason Geffner RECON, Montreal, Canada Friday, June 15, 2012
CrowdStrike ■ Stealth mode startup ■ Handpicked ‘A’ team of technical talent ■ 26 Million Series A funding ■ “You don’t have a malware problem, you have an adversary problem”™ ■ We are hiring!
Special Thanks Georg Wicherski Aaron Putnam TJ Little and Harley Jeff Stambolsky Sr. Research Scientist Sr. Research Engineer Sr. UI Engineers Resident Nerd
Why ? ■ Developers work in teams to build the software we are reversing ■ Stuxnet, Flame, Duqu ■ RATs like PoisonIvy ■ Bots like Zeus ■ calc.exe ■ Code reuse is prevalent in malware variants ■ Working together, we can reverse more quickly and efficiently ■ Take a page from developer world and model RE after source control methodologies
Collaborative Reversing ■ Approach 1: Just-in-time propagation of results ■ All changes are synchronized to all users instantly ■ Well-suited for teaching reverse-engineering, demonstrations, etc. ■ Approach 2: Working on different parts, sharing results on demand ■ Distributed tasks ■ Multiple people can work on different parts simultaneously ■ Analysis results can be combined at any time
Related Work – Tools of the Trade ■ IDA Sync, 2005 ■ Real-time synchronization of names, stack variables, comments ■ Hooks into IDA hot keys ■ CollabREate, 2008 ■ Successor of IDA Sync: IDA Pro “remote-control” ■ Snapshot report: replay all updates up until a certain point ■ BinCrowd, 2010 ■ Commit-based model ■ Supports matching similar functions
The Platform ■ Community platform to support professional, distributed RE ■ Design similar to version control systems ■ Commits: annotations per function ■ Free Cloud service for the reverse engineering community ■ People can share their results ■ Reverse engineering projects can benefit from community input ■ IDA Pro plugin ■ Utilizes the power of the Hex-Rays Decompiler plugin ■ Integrates smoothly into IDA’s Qt GUI
Rewoltke  CrowdRE + = rewoltke ...
BinNavi Integration ■ Google is adding integration for CrowdRE to BinNavi ■ Analysts will be able to use BinNavi to share their analysis results with the CrowdRE community ■ Our best wishes go to Thomas Dullien for a speedy recovery
Annotations ■ Function prototype ■ Name ■ Calling convention ■ Return type ■ Parameter types and names ■ Stack variables ■ Register variables (Hex-Rays) ■ Structs, enums ■ Comments – IDA and Hex-Rays
Type Information ■ Types ■ Structs ■ Enums ■ User-defined types ■ Function annotations depend on types ■ Dependencies are recursively included ■ Checkouts contain dependencies, too ■ Name duplicates require conflict resolution ■ User is prompted for solution (update, retain, keep) ■ Future plan: resolving cyclic dependencies
Importing Annotations ■ Batch import ■ The first thing to do when starting to work on a new binary ■ Always the most recent commit ■ Individual imports ■ More control over what to import ■ User can choose between different versions
Finding Functions ■ Exact matching ■ Binary’s hash + function offset ■ Fuzzy matching ■ SHA1 hash over sequence of mnemonics ■ Position-independent representation ■ Want to cover immediates, too ■ Jump and call operands are zeroed out ■ Same for immediates that generate cross-references
Dealing with Multiple Matches FNV Hashes • Fast to compute ■ Multiple matches – which is the best? • Good Avalanche behavior ■ Quality of the annotation • For different word sizes ■ Code similarity ■ Compute similarity value for pairs of inputs hash := FNV_BASIS ■ Rank by this value, let the user choose for byte in input: hash ^= byte hash *= FNV_PRIME ■ Similarity hashing ■ Assign consecutive basic blocks to chunks ■ Fixed number of chunks ensures constant sized output ■ For each chunk: compute FNV hash ■ Combine FNV hashes to final hash ■ s(a, b) = 100 – normalized_levenshtein(simhash(a), simhash(b))
Similarity Hashing – Details ■ Basic block reordering poses challenges ■ Define an order on the set of basic blocks ■ Come up with a reordering resilient scheme BB1 BB2 BB3 BB4 ■ Fuzzy hash serves as pre-filter ■ Matches are usually 100% equal ■ Make fuzzy hash more fuzzy fnv1 fnv2 ■ Position-independent representation quite strict ■ Need to take instruction reordering into account ■ Improved algorithms in future versions
Demo Time!
Future Plans ■ Integration with other RE tools? ■ Cloud service ■ Social ratings of commits ■ Access control lists ■ Client ■ Real time notifications on updated annotations ■ New and improved matching algorithms ■ Ability to deal with cyclic type dependencies ■ Tracking of function/file mappings ■ Mass importing of common library code
Where to get it: http://crowd.re
Be Social. Use CrowdRE.

Empfohlen

Hacking Exposed Live: Mobile Targeted Threats
Hacking Exposed Live: Mobile Targeted ThreatsHacking Exposed Live: Mobile Targeted Threats
Hacking Exposed Live: Mobile Targeted Threats
CrowdStrike
 
VMware HCI solutions - 2020-01-16
VMware HCI solutions - 2020-01-16VMware HCI solutions - 2020-01-16
VMware HCI solutions - 2020-01-16
David Pasek
 
What is Object storage ?
What is Object storage ?What is Object storage ?
What is Object storage ?
Nabil Kassi
 
VMware VSAN Technical Deep Dive - March 2014
VMware VSAN Technical Deep Dive - March 2014VMware VSAN Technical Deep Dive - March 2014
VMware VSAN Technical Deep Dive - March 2014
David Davis
 
High Performance Object Storage in 30 Minutes with Supermicro and MinIO
High Performance Object Storage in 30 Minutes with Supermicro and MinIOHigh Performance Object Storage in 30 Minutes with Supermicro and MinIO
High Performance Object Storage in 30 Minutes with Supermicro and MinIO
Rebekah Rodriguez
 
vSAN architecture components
vSAN architecture componentsvSAN architecture components
vSAN architecture components
David Pasek
 
High availability virtualization with proxmox
High availability virtualization with proxmoxHigh availability virtualization with proxmox
High availability virtualization with proxmox
Oriol Izquierdo Vibalda
 
Finding Your Way in Container Security
Finding Your Way in Container SecurityFinding Your Way in Container Security
Finding Your Way in Container Security
Ksenia Peguero
 

Empfohlen

Hacking Exposed Live: Mobile Targeted Threats
Hacking Exposed Live: Mobile Targeted ThreatsHacking Exposed Live: Mobile Targeted Threats
Hacking Exposed Live: Mobile Targeted Threats
CrowdStrike
 
VMware HCI solutions - 2020-01-16
VMware HCI solutions - 2020-01-16VMware HCI solutions - 2020-01-16
VMware HCI solutions - 2020-01-16
David Pasek
 
What is Object storage ?
What is Object storage ?What is Object storage ?
What is Object storage ?
Nabil Kassi
 
VMware VSAN Technical Deep Dive - March 2014
VMware VSAN Technical Deep Dive - March 2014VMware VSAN Technical Deep Dive - March 2014
VMware VSAN Technical Deep Dive - March 2014
David Davis
 
High Performance Object Storage in 30 Minutes with Supermicro and MinIO
High Performance Object Storage in 30 Minutes with Supermicro and MinIOHigh Performance Object Storage in 30 Minutes with Supermicro and MinIO
High Performance Object Storage in 30 Minutes with Supermicro and MinIO
Rebekah Rodriguez
 
vSAN architecture components
vSAN architecture componentsvSAN architecture components
vSAN architecture components
David Pasek
 
High availability virtualization with proxmox
High availability virtualization with proxmoxHigh availability virtualization with proxmox
High availability virtualization with proxmox
Oriol Izquierdo Vibalda
 
Finding Your Way in Container Security
Finding Your Way in Container SecurityFinding Your Way in Container Security
Finding Your Way in Container Security
Ksenia Peguero
 
Cloud, sdn and nfv 기술동향 atto-research-박문기-20171016
Cloud, sdn and nfv 기술동향 atto-research-박문기-20171016Cloud, sdn and nfv 기술동향 atto-research-박문기-20171016
Cloud, sdn and nfv 기술동향 atto-research-박문기-20171016
문기 박
 
Why does my choice of storage matter with cassandra?
Why does my choice of storage matter with cassandra?Why does my choice of storage matter with cassandra?
Why does my choice of storage matter with cassandra?
Johnny Miller
 
Lenovo HPC Strategy Update
Lenovo HPC Strategy UpdateLenovo HPC Strategy Update
Lenovo HPC Strategy Update
inside-BigData.com
 
virtualization and hypervisors
virtualization and hypervisorsvirtualization and hypervisors
virtualization and hypervisors
Gaurav Suri
 
Ceph Object Storage Performance Secrets and Ceph Data Lake Solution
Ceph Object Storage Performance Secrets and Ceph Data Lake SolutionCeph Object Storage Performance Secrets and Ceph Data Lake Solution
Ceph Object Storage Performance Secrets and Ceph Data Lake Solution
Karan Singh
 
Chicago Data Summit: Apache HBase: An Introduction
Chicago Data Summit: Apache HBase: An IntroductionChicago Data Summit: Apache HBase: An Introduction
Chicago Data Summit: Apache HBase: An Introduction
Cloudera, Inc.
 
GPU Virtualization in Embedded Automotive Solutions
GPU Virtualization in Embedded Automotive SolutionsGPU Virtualization in Embedded Automotive Solutions
GPU Virtualization in Embedded Automotive Solutions
GlobalLogic Ukraine
 
VMware vSphere vsan EN.pptx
VMware vSphere vsan EN.pptxVMware vSphere vsan EN.pptx
VMware vSphere vsan EN.pptx
CH431
 
IBM Power9 Features and Specifications
IBM Power9 Features and SpecificationsIBM Power9 Features and Specifications
IBM Power9 Features and Specifications
inside-BigData.com
 
Emea nutanix overview presentation emea
Emea nutanix overview presentation emeaEmea nutanix overview presentation emea
Emea nutanix overview presentation emea
Lan & Wan Solutions
 
Using ClickHouse for Experimentation
Using ClickHouse for ExperimentationUsing ClickHouse for Experimentation
Using ClickHouse for Experimentation
Gleb Kanterov
 
VIOS in action with IBM i
VIOS in action with IBM i VIOS in action with IBM i
VIOS in action with IBM i
COMMON Europe
 
Apache HBase Performance Tuning
Apache HBase Performance TuningApache HBase Performance Tuning
Apache HBase Performance Tuning
Lars Hofhansl
 
Advanced performance troubleshooting using esxtop
Advanced performance troubleshooting using esxtopAdvanced performance troubleshooting using esxtop
Advanced performance troubleshooting using esxtop
Alan Renouf
 
Achieving a 50% Reduction in Cross-AZ Network Costs from Kafka (Uday Sagar Si...
Achieving a 50% Reduction in Cross-AZ Network Costs from Kafka (Uday Sagar Si...Achieving a 50% Reduction in Cross-AZ Network Costs from Kafka (Uday Sagar Si...
Achieving a 50% Reduction in Cross-AZ Network Costs from Kafka (Uday Sagar Si...
confluent
 
Cassandra Introduction & Features
Cassandra Introduction & FeaturesCassandra Introduction & Features
Cassandra Introduction & Features
DataStax Academy
 
Introduction to Redis
Introduction to RedisIntroduction to Redis
Introduction to Redis
Dvir Volk
 
Five common customer use cases for Virtual SAN - VMworld US / 2015
Five common customer use cases for Virtual SAN - VMworld US / 2015Five common customer use cases for Virtual SAN - VMworld US / 2015
Five common customer use cases for Virtual SAN - VMworld US / 2015
Duncan Epping
 
Nutanix Technology Bootcamp
Nutanix Technology BootcampNutanix Technology Bootcamp
Nutanix Technology Bootcamp
ICT-Partners
 
VMware Virtual SAN Presentation
VMware Virtual SAN PresentationVMware Virtual SAN Presentation
VMware Virtual SAN Presentation
virtualsouthwest
 
CrowdCasts Monthly: Mitigating Pass the Hash
CrowdCasts Monthly: Mitigating Pass the HashCrowdCasts Monthly: Mitigating Pass the Hash
CrowdCasts Monthly: Mitigating Pass the Hash
CrowdStrike
 
CrowdCasts Monthly: When Pandas Attack
CrowdCasts Monthly: When Pandas AttackCrowdCasts Monthly: When Pandas Attack
CrowdCasts Monthly: When Pandas Attack
CrowdStrike
 

Weitere ähnliche Inhalte

Was ist angesagt?

virtualization and hypervisors
virtualization and hypervisorsvirtualization and hypervisors
virtualization and hypervisors
Gaurav Suri
 
GPU Virtualization in Embedded Automotive Solutions
GPU Virtualization in Embedded Automotive SolutionsGPU Virtualization in Embedded Automotive Solutions
GPU Virtualization in Embedded Automotive Solutions
GlobalLogic Ukraine
 
Emea nutanix overview presentation emea
Emea nutanix overview presentation emeaEmea nutanix overview presentation emea
Emea nutanix overview presentation emea
Lan & Wan Solutions
 
Achieving a 50% Reduction in Cross-AZ Network Costs from Kafka (Uday Sagar Si...
Achieving a 50% Reduction in Cross-AZ Network Costs from Kafka (Uday Sagar Si...Achieving a 50% Reduction in Cross-AZ Network Costs from Kafka (Uday Sagar Si...
Achieving a 50% Reduction in Cross-AZ Network Costs from Kafka (Uday Sagar Si...
confluent
 
Introduction to Redis
Introduction to RedisIntroduction to Redis
Introduction to Redis
Dvir Volk
 

Was ist angesagt? (20)

Cloud, sdn and nfv 기술동향 atto-research-박문기-20171016
Cloud, sdn and nfv 기술동향 atto-research-박문기-20171016Cloud, sdn and nfv 기술동향 atto-research-박문기-20171016
Cloud, sdn and nfv 기술동향 atto-research-박문기-20171016
 
Why does my choice of storage matter with cassandra?
Why does my choice of storage matter with cassandra?Why does my choice of storage matter with cassandra?
Why does my choice of storage matter with cassandra?
 
Lenovo HPC Strategy Update
Lenovo HPC Strategy UpdateLenovo HPC Strategy Update
Lenovo HPC Strategy Update
 
virtualization and hypervisors
virtualization and hypervisorsvirtualization and hypervisors
virtualization and hypervisors
 
Ceph Object Storage Performance Secrets and Ceph Data Lake Solution
Ceph Object Storage Performance Secrets and Ceph Data Lake SolutionCeph Object Storage Performance Secrets and Ceph Data Lake Solution
Ceph Object Storage Performance Secrets and Ceph Data Lake Solution
 
Chicago Data Summit: Apache HBase: An Introduction
Chicago Data Summit: Apache HBase: An IntroductionChicago Data Summit: Apache HBase: An Introduction
Chicago Data Summit: Apache HBase: An Introduction
 
GPU Virtualization in Embedded Automotive Solutions
GPU Virtualization in Embedded Automotive SolutionsGPU Virtualization in Embedded Automotive Solutions
GPU Virtualization in Embedded Automotive Solutions
 
VMware vSphere vsan EN.pptx
VMware vSphere vsan EN.pptxVMware vSphere vsan EN.pptx
VMware vSphere vsan EN.pptx
 
IBM Power9 Features and Specifications
IBM Power9 Features and SpecificationsIBM Power9 Features and Specifications
IBM Power9 Features and Specifications
 
Emea nutanix overview presentation emea
Emea nutanix overview presentation emeaEmea nutanix overview presentation emea
Emea nutanix overview presentation emea
 
Using ClickHouse for Experimentation
Using ClickHouse for ExperimentationUsing ClickHouse for Experimentation
Using ClickHouse for Experimentation
 
VIOS in action with IBM i
VIOS in action with IBM i VIOS in action with IBM i
VIOS in action with IBM i
 
Apache HBase Performance Tuning
Apache HBase Performance TuningApache HBase Performance Tuning
Apache HBase Performance Tuning
 
Advanced performance troubleshooting using esxtop
Advanced performance troubleshooting using esxtopAdvanced performance troubleshooting using esxtop
Advanced performance troubleshooting using esxtop
 
Achieving a 50% Reduction in Cross-AZ Network Costs from Kafka (Uday Sagar Si...
Achieving a 50% Reduction in Cross-AZ Network Costs from Kafka (Uday Sagar Si...Achieving a 50% Reduction in Cross-AZ Network Costs from Kafka (Uday Sagar Si...
Achieving a 50% Reduction in Cross-AZ Network Costs from Kafka (Uday Sagar Si...
 
Cassandra Introduction & Features
Cassandra Introduction & FeaturesCassandra Introduction & Features
Cassandra Introduction & Features
 
Introduction to Redis
Introduction to RedisIntroduction to Redis
Introduction to Redis
 
Five common customer use cases for Virtual SAN - VMworld US / 2015
Five common customer use cases for Virtual SAN - VMworld US / 2015Five common customer use cases for Virtual SAN - VMworld US / 2015
Five common customer use cases for Virtual SAN - VMworld US / 2015
 
Nutanix Technology Bootcamp
Nutanix Technology BootcampNutanix Technology Bootcamp
Nutanix Technology Bootcamp
 
VMware Virtual SAN Presentation
VMware Virtual SAN PresentationVMware Virtual SAN Presentation
VMware Virtual SAN Presentation
 

Andere mochten auch

End-to-End Analysis of a Domain Generating Algorithm Malware Family
End-to-End Analysis of a Domain Generating Algorithm Malware FamilyEnd-to-End Analysis of a Domain Generating Algorithm Malware Family
End-to-End Analysis of a Domain Generating Algorithm Malware Family
CrowdStrike
 
Bear Hunting: History and Attribution of Russian Intelligence Operations
Bear Hunting: History and Attribution of Russian Intelligence OperationsBear Hunting: History and Attribution of Russian Intelligence Operations
Bear Hunting: History and Attribution of Russian Intelligence Operations
CrowdStrike
 
Battling Unknown Malware with Machine Learning
Battling Unknown Malware with Machine Learning Battling Unknown Malware with Machine Learning
Battling Unknown Malware with Machine Learning
CrowdStrike
 
Cloud-Enabled: The Future of Endpoint Security
Cloud-Enabled: The Future of Endpoint SecurityCloud-Enabled: The Future of Endpoint Security
Cloud-Enabled: The Future of Endpoint Security
CrowdStrike
 
How to Replace Your Legacy Antivirus Solution with CrowdStrike
How to Replace Your Legacy Antivirus Solution with CrowdStrikeHow to Replace Your Legacy Antivirus Solution with CrowdStrike
How to Replace Your Legacy Antivirus Solution with CrowdStrike
CrowdStrike
 
I/O, You Own: Regaining Control of Your Disk in the Presence of Bootkits
I/O, You Own: Regaining Control of Your Disk in the Presence of BootkitsI/O, You Own: Regaining Control of Your Disk in the Presence of Bootkits
I/O, You Own: Regaining Control of Your Disk in the Presence of Bootkits
CrowdStrike
 
You Can't Stop The Breach Without Prevention And Detection
You Can't Stop The Breach Without Prevention And DetectionYou Can't Stop The Breach Without Prevention And Detection
You Can't Stop The Breach Without Prevention And Detection
CrowdStrike
 
TOR... ALL THE THINGS
TOR... ALL THE THINGSTOR... ALL THE THINGS
TOR... ALL THE THINGS
CrowdStrike
 
CrowdCast Monthly: Operationalizing Intelligence
CrowdCast Monthly: Operationalizing IntelligenceCrowdCast Monthly: Operationalizing Intelligence
CrowdCast Monthly: Operationalizing Intelligence
CrowdStrike
 
CrowdCasts Monthly: You Have an Adversary Problem
CrowdCasts Monthly: You Have an Adversary ProblemCrowdCasts Monthly: You Have an Adversary Problem
CrowdCasts Monthly: You Have an Adversary Problem
CrowdStrike
 
End-to-End Analysis of a Domain Generating Algorithm Malware Family Whitepaper
End-to-End Analysis of a Domain Generating Algorithm Malware Family WhitepaperEnd-to-End Analysis of a Domain Generating Algorithm Malware Family Whitepaper
End-to-End Analysis of a Domain Generating Algorithm Malware Family Whitepaper
CrowdStrike
 
BSides 2016 Presentation
BSides 2016 PresentationBSides 2016 Presentation
BSides 2016 Presentation
Angelo Rago
 
The Enemy Within: Stopping Advanced Attacks Against Local Users
The Enemy Within: Stopping Advanced Attacks Against Local UsersThe Enemy Within: Stopping Advanced Attacks Against Local Users
The Enemy Within: Stopping Advanced Attacks Against Local Users
Tal Be'ery
 

Andere mochten auch (20)

CrowdCasts Monthly: Mitigating Pass the Hash
CrowdCasts Monthly: Mitigating Pass the HashCrowdCasts Monthly: Mitigating Pass the Hash
CrowdCasts Monthly: Mitigating Pass the Hash
 
CrowdCasts Monthly: When Pandas Attack
CrowdCasts Monthly: When Pandas AttackCrowdCasts Monthly: When Pandas Attack
CrowdCasts Monthly: When Pandas Attack
 
End-to-End Analysis of a Domain Generating Algorithm Malware Family
End-to-End Analysis of a Domain Generating Algorithm Malware FamilyEnd-to-End Analysis of a Domain Generating Algorithm Malware Family
End-to-End Analysis of a Domain Generating Algorithm Malware Family
 
Bear Hunting: History and Attribution of Russian Intelligence Operations
Bear Hunting: History and Attribution of Russian Intelligence OperationsBear Hunting: History and Attribution of Russian Intelligence Operations
Bear Hunting: History and Attribution of Russian Intelligence Operations
 
Battling Unknown Malware with Machine Learning
Battling Unknown Malware with Machine Learning Battling Unknown Malware with Machine Learning
Battling Unknown Malware with Machine Learning
 
Cloud-Enabled: The Future of Endpoint Security
Cloud-Enabled: The Future of Endpoint SecurityCloud-Enabled: The Future of Endpoint Security
Cloud-Enabled: The Future of Endpoint Security
 
How to Replace Your Legacy Antivirus Solution with CrowdStrike
How to Replace Your Legacy Antivirus Solution with CrowdStrikeHow to Replace Your Legacy Antivirus Solution with CrowdStrike
How to Replace Your Legacy Antivirus Solution with CrowdStrike
 
I/O, You Own: Regaining Control of Your Disk in the Presence of Bootkits
I/O, You Own: Regaining Control of Your Disk in the Presence of BootkitsI/O, You Own: Regaining Control of Your Disk in the Presence of Bootkits
I/O, You Own: Regaining Control of Your Disk in the Presence of Bootkits
 
You Can't Stop The Breach Without Prevention And Detection
You Can't Stop The Breach Without Prevention And DetectionYou Can't Stop The Breach Without Prevention And Detection
You Can't Stop The Breach Without Prevention And Detection
 
Java Journal & Pyresso: A Python-Based Framework for Debugging Java
Java Journal & Pyresso: A Python-Based Framework for Debugging JavaJava Journal & Pyresso: A Python-Based Framework for Debugging Java
Java Journal & Pyresso: A Python-Based Framework for Debugging Java
 
Venom
Venom Venom
Venom
 
TOR... ALL THE THINGS
TOR... ALL THE THINGSTOR... ALL THE THINGS
TOR... ALL THE THINGS
 
CrowdCast Monthly: Operationalizing Intelligence
CrowdCast Monthly: Operationalizing IntelligenceCrowdCast Monthly: Operationalizing Intelligence
CrowdCast Monthly: Operationalizing Intelligence
 
CrowdCasts Monthly: Going Beyond the Indicator
CrowdCasts Monthly: Going Beyond the IndicatorCrowdCasts Monthly: Going Beyond the Indicator
CrowdCasts Monthly: Going Beyond the Indicator
 
CrowdCasts Monthly: You Have an Adversary Problem
CrowdCasts Monthly: You Have an Adversary ProblemCrowdCasts Monthly: You Have an Adversary Problem
CrowdCasts Monthly: You Have an Adversary Problem
 
End-to-End Analysis of a Domain Generating Algorithm Malware Family Whitepaper
End-to-End Analysis of a Domain Generating Algorithm Malware Family WhitepaperEnd-to-End Analysis of a Domain Generating Algorithm Malware Family Whitepaper
End-to-End Analysis of a Domain Generating Algorithm Malware Family Whitepaper
 
BSides 2016 Presentation
BSides 2016 PresentationBSides 2016 Presentation
BSides 2016 Presentation
 
Hunting gh0st rat using memory forensics
Hunting gh0st rat using memory forensics Hunting gh0st rat using memory forensics
Hunting gh0st rat using memory forensics
 
The Enemy Within: Stopping Advanced Attacks Against Local Users
The Enemy Within: Stopping Advanced Attacks Against Local UsersThe Enemy Within: Stopping Advanced Attacks Against Local Users
The Enemy Within: Stopping Advanced Attacks Against Local Users
 
IDAの脆弱性とBug Bounty by 千田 雅明
IDAの脆弱性とBug Bounty by 千田 雅明IDAの脆弱性とBug Bounty by 千田 雅明
IDAの脆弱性とBug Bounty by 千田 雅明
 

Ähnlich wie Be Social. Use CrowdRE.

haXe - One codebase to rule'em all
haXe - One codebase to rule'em allhaXe - One codebase to rule'em all
haXe - One codebase to rule'em all
Tom Crombez
 
ShaREing Is Caring
ShaREing Is CaringShaREing Is Caring
ShaREing Is Caring
sporst
 
Experiences with Microservices at Tuenti
Experiences with Microservices at TuentiExperiences with Microservices at Tuenti
Experiences with Microservices at Tuenti
Andrés Viedma Peláez
 
"Using the OpenCL C Kernel Language for Embedded Vision Processors," a Presen...
"Using the OpenCL C Kernel Language for Embedded Vision Processors," a Presen..."Using the OpenCL C Kernel Language for Embedded Vision Processors," a Presen...
"Using the OpenCL C Kernel Language for Embedded Vision Processors," a Presen...
Edge AI and Vision Alliance
 
Foundational Design Patterns for Multi-Purpose Applications
Foundational Design Patterns for Multi-Purpose ApplicationsFoundational Design Patterns for Multi-Purpose Applications
Foundational Design Patterns for Multi-Purpose Applications
Ching-Hwa Yu
 
N api - node interactive 2017
N api - node interactive 2017N api - node interactive 2017
N api - node interactive 2017
Michael Dawson
 
Building and deploying LLM applications with Apache Airflow
Building and deploying LLM applications with Apache AirflowBuilding and deploying LLM applications with Apache Airflow
Building and deploying LLM applications with Apache Airflow
Kaxil Naik
 

Ähnlich wie Be Social. Use CrowdRE. (20)

Vert.x keynote for EclipseCon 2013
Vert.x keynote for EclipseCon 2013Vert.x keynote for EclipseCon 2013
Vert.x keynote for EclipseCon 2013
 
haXe - One codebase to rule'em all
haXe - One codebase to rule'em allhaXe - One codebase to rule'em all
haXe - One codebase to rule'em all
 
ShaREing Is Caring
ShaREing Is CaringShaREing Is Caring
ShaREing Is Caring
 
Experiences with Microservices at Tuenti
Experiences with Microservices at TuentiExperiences with Microservices at Tuenti
Experiences with Microservices at Tuenti
 
Continuous delivery in practice (public)
Continuous delivery in practice (public)Continuous delivery in practice (public)
Continuous delivery in practice (public)
 
Deep Learning for Chatbot (3/4)
Deep Learning for Chatbot (3/4)Deep Learning for Chatbot (3/4)
Deep Learning for Chatbot (3/4)
 
hover.in at CUFP 2009
hover.in at CUFP 2009hover.in at CUFP 2009
hover.in at CUFP 2009
 
Web-scale data processing: practical approaches for low-latency and batch
Web-scale data processing: practical approaches for low-latency and batchWeb-scale data processing: practical approaches for low-latency and batch
Web-scale data processing: practical approaches for low-latency and batch
 
Maximum Uptime Cluster Orchestration with Ansible
Maximum Uptime Cluster Orchestration with AnsibleMaximum Uptime Cluster Orchestration with Ansible
Maximum Uptime Cluster Orchestration with Ansible
 
"Using the OpenCL C Kernel Language for Embedded Vision Processors," a Presen...
"Using the OpenCL C Kernel Language for Embedded Vision Processors," a Presen..."Using the OpenCL C Kernel Language for Embedded Vision Processors," a Presen...
"Using the OpenCL C Kernel Language for Embedded Vision Processors," a Presen...
 
Surviving a Plane Crash, a NU.nl case-study
Surviving a Plane Crash, a NU.nl case-studySurviving a Plane Crash, a NU.nl case-study
Surviving a Plane Crash, a NU.nl case-study
 
Azure 機器學習 - 使用Python, R, Spark, CNTK 深度學習
Azure 機器學習 - 使用Python, R, Spark, CNTK 深度學習 Azure 機器學習 - 使用Python, R, Spark, CNTK 深度學習
Azure 機器學習 - 使用Python, R, Spark, CNTK 深度學習
 
"The life beyond Terraform, or the rise of Platform Engineering", Stanislav ...
"The life beyond Terraform, or the rise of Platform Engineering", Stanislav ..."The life beyond Terraform, or the rise of Platform Engineering", Stanislav ...
"The life beyond Terraform, or the rise of Platform Engineering", Stanislav ...
 
Foundational Design Patterns for Multi-Purpose Applications
Foundational Design Patterns for Multi-Purpose ApplicationsFoundational Design Patterns for Multi-Purpose Applications
Foundational Design Patterns for Multi-Purpose Applications
 
Schema migration (DB migration) with Phinx
Schema migration (DB migration) with PhinxSchema migration (DB migration) with Phinx
Schema migration (DB migration) with Phinx
 
N api - node interactive 2017
N api - node interactive 2017N api - node interactive 2017
N api - node interactive 2017
 
Building and deploying LLM applications with Apache Airflow
Building and deploying LLM applications with Apache AirflowBuilding and deploying LLM applications with Apache Airflow
Building and deploying LLM applications with Apache Airflow
 
GPCE16 Poster: Automatic Non-functional Testing of Code Generators Families
GPCE16 Poster: Automatic Non-functional Testing of Code Generators Families GPCE16 Poster: Automatic Non-functional Testing of Code Generators Families
GPCE16 Poster: Automatic Non-functional Testing of Code Generators Families
 
New Developments in H2O: April 2017 Edition
New Developments in H2O: April 2017 EditionNew Developments in H2O: April 2017 Edition
New Developments in H2O: April 2017 Edition
 
P1 2017 python
P1 2017 pythonP1 2017 python
P1 2017 python
 

Mehr von CrowdStrike

State of Endpoint Security: The Buyers Mindset
State of Endpoint Security: The Buyers MindsetState of Endpoint Security: The Buyers Mindset
State of Endpoint Security: The Buyers Mindset
CrowdStrike
 
Understanding Fileless (or Non-Malware) Attacks and How to Stop Them
Understanding Fileless (or Non-Malware) Attacks and How to Stop ThemUnderstanding Fileless (or Non-Malware) Attacks and How to Stop Them
Understanding Fileless (or Non-Malware) Attacks and How to Stop Them
CrowdStrike
 
Cyber Security Extortion: Defending Against Digital Shakedowns
Cyber Security Extortion: Defending Against Digital Shakedowns Cyber Security Extortion: Defending Against Digital Shakedowns
Cyber Security Extortion: Defending Against Digital Shakedowns
CrowdStrike
 
An Inside Look At The WannaCry Ransomware Outbreak
An Inside Look At The WannaCry Ransomware OutbreakAn Inside Look At The WannaCry Ransomware Outbreak
An Inside Look At The WannaCry Ransomware Outbreak
CrowdStrike
 
Proactive Threat Hunting: Game-Changing Endpoint Protection Beyond Alerting
Proactive Threat Hunting: Game-Changing Endpoint Protection Beyond AlertingProactive Threat Hunting: Game-Changing Endpoint Protection Beyond Alerting
Proactive Threat Hunting: Game-Changing Endpoint Protection Beyond Alerting
CrowdStrike
 
DEFENDING AGAINST THREATS TARGETING THE MAC PLATFORM
DEFENDING AGAINST THREATS TARGETING THE MAC PLATFORMDEFENDING AGAINST THREATS TARGETING THE MAC PLATFORM
DEFENDING AGAINST THREATS TARGETING THE MAC PLATFORM
CrowdStrike
 
CrowdStrike CrowdCast: Is Ransomware Morphing Beyond The Ability Of Standard ...
CrowdStrike CrowdCast: Is Ransomware Morphing Beyond The Ability Of Standard ...CrowdStrike CrowdCast: Is Ransomware Morphing Beyond The Ability Of Standard ...
CrowdStrike CrowdCast: Is Ransomware Morphing Beyond The Ability Of Standard ...
CrowdStrike
 
TOR... ALL THE THINGS Whitepaper
TOR... ALL THE THINGS WhitepaperTOR... ALL THE THINGS Whitepaper
TOR... ALL THE THINGS Whitepaper
CrowdStrike
 

Mehr von CrowdStrike (8)

State of Endpoint Security: The Buyers Mindset
State of Endpoint Security: The Buyers MindsetState of Endpoint Security: The Buyers Mindset
State of Endpoint Security: The Buyers Mindset
 
Understanding Fileless (or Non-Malware) Attacks and How to Stop Them
Understanding Fileless (or Non-Malware) Attacks and How to Stop ThemUnderstanding Fileless (or Non-Malware) Attacks and How to Stop Them
Understanding Fileless (or Non-Malware) Attacks and How to Stop Them
 
Cyber Security Extortion: Defending Against Digital Shakedowns
Cyber Security Extortion: Defending Against Digital Shakedowns Cyber Security Extortion: Defending Against Digital Shakedowns
Cyber Security Extortion: Defending Against Digital Shakedowns
 
An Inside Look At The WannaCry Ransomware Outbreak
An Inside Look At The WannaCry Ransomware OutbreakAn Inside Look At The WannaCry Ransomware Outbreak
An Inside Look At The WannaCry Ransomware Outbreak
 
Proactive Threat Hunting: Game-Changing Endpoint Protection Beyond Alerting
Proactive Threat Hunting: Game-Changing Endpoint Protection Beyond AlertingProactive Threat Hunting: Game-Changing Endpoint Protection Beyond Alerting
Proactive Threat Hunting: Game-Changing Endpoint Protection Beyond Alerting
 
DEFENDING AGAINST THREATS TARGETING THE MAC PLATFORM
DEFENDING AGAINST THREATS TARGETING THE MAC PLATFORMDEFENDING AGAINST THREATS TARGETING THE MAC PLATFORM
DEFENDING AGAINST THREATS TARGETING THE MAC PLATFORM
 
CrowdStrike CrowdCast: Is Ransomware Morphing Beyond The Ability Of Standard ...
CrowdStrike CrowdCast: Is Ransomware Morphing Beyond The Ability Of Standard ...CrowdStrike CrowdCast: Is Ransomware Morphing Beyond The Ability Of Standard ...
CrowdStrike CrowdCast: Is Ransomware Morphing Beyond The Ability Of Standard ...
 
TOR... ALL THE THINGS Whitepaper
TOR... ALL THE THINGS WhitepaperTOR... ALL THE THINGS Whitepaper
TOR... ALL THE THINGS Whitepaper
 

Kürzlich hochgeladen

Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
UiPathCommunity
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Angeliki Cooney
 

Kürzlich hochgeladen (20)

"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 

Be Social. Use CrowdRE.

  • 1. Be Social. Use CrowdRE. An IDA Plugin for Collaborative Reversing Tillmann Werner, Jason Geffner RECON, Montreal, Canada Friday, June 15, 2012
  • 2. CrowdStrike ■ Stealth mode startup ■ Handpicked ‘A’ team of technical talent ■ 26 Million Series A funding ■ “You don’t have a malware problem, you have an adversary problem”™ ■ We are hiring!
  • 3. Special Thanks Georg Wicherski Aaron Putnam TJ Little and Harley Jeff Stambolsky Sr. Research Scientist Sr. Research Engineer Sr. UI Engineers Resident Nerd
  • 4. Why ? ■ Developers work in teams to build the software we are reversing ■ Stuxnet, Flame, Duqu ■ RATs like PoisonIvy ■ Bots like Zeus ■ calc.exe ■ Code reuse is prevalent in malware variants ■ Working together, we can reverse more quickly and efficiently ■ Take a page from developer world and model RE after source control methodologies
  • 5. Collaborative Reversing ■ Approach 1: Just-in-time propagation of results ■ All changes are synchronized to all users instantly ■ Well-suited for teaching reverse-engineering, demonstrations, etc. ■ Approach 2: Working on different parts, sharing results on demand ■ Distributed tasks ■ Multiple people can work on different parts simultaneously ■ Analysis results can be combined at any time
  • 6. Related Work – Tools of the Trade ■ IDA Sync, 2005 ■ Real-time synchronization of names, stack variables, comments ■ Hooks into IDA hot keys ■ CollabREate, 2008 ■ Successor of IDA Sync: IDA Pro “remote-control” ■ Snapshot report: replay all updates up until a certain point ■ BinCrowd, 2010 ■ Commit-based model ■ Supports matching similar functions
  • 7. The Platform ■ Community platform to support professional, distributed RE ■ Design similar to version control systems ■ Commits: annotations per function ■ Free Cloud service for the reverse engineering community ■ People can share their results ■ Reverse engineering projects can benefit from community input ■ IDA Pro plugin ■ Utilizes the power of the Hex-Rays Decompiler plugin ■ Integrates smoothly into IDA’s Qt GUI
  • 8. Rewoltke  CrowdRE + = rewoltke ...
  • 9. BinNavi Integration ■ Google is adding integration for CrowdRE to BinNavi ■ Analysts will be able to use BinNavi to share their analysis results with the CrowdRE community ■ Our best wishes go to Thomas Dullien for a speedy recovery
  • 10. Annotations ■ Function prototype ■ Name ■ Calling convention ■ Return type ■ Parameter types and names ■ Stack variables ■ Register variables (Hex-Rays) ■ Structs, enums ■ Comments – IDA and Hex-Rays
  • 11. Type Information ■ Types ■ Structs ■ Enums ■ User-defined types ■ Function annotations depend on types ■ Dependencies are recursively included ■ Checkouts contain dependencies, too ■ Name duplicates require conflict resolution ■ User is prompted for solution (update, retain, keep) ■ Future plan: resolving cyclic dependencies
  • 12. Importing Annotations ■ Batch import ■ The first thing to do when starting to work on a new binary ■ Always the most recent commit ■ Individual imports ■ More control over what to import ■ User can choose between different versions
  • 13. Finding Functions ■ Exact matching ■ Binary’s hash + function offset ■ Fuzzy matching ■ SHA1 hash over sequence of mnemonics ■ Position-independent representation ■ Want to cover immediates, too ■ Jump and call operands are zeroed out ■ Same for immediates that generate cross-references
  • 14. Dealing with Multiple Matches FNV Hashes • Fast to compute ■ Multiple matches – which is the best? • Good Avalanche behavior ■ Quality of the annotation • For different word sizes ■ Code similarity ■ Compute similarity value for pairs of inputs hash := FNV_BASIS ■ Rank by this value, let the user choose for byte in input: hash ^= byte hash *= FNV_PRIME ■ Similarity hashing ■ Assign consecutive basic blocks to chunks ■ Fixed number of chunks ensures constant sized output ■ For each chunk: compute FNV hash ■ Combine FNV hashes to final hash ■ s(a, b) = 100 – normalized_levenshtein(simhash(a), simhash(b))
  • 15. Similarity Hashing – Details ■ Basic block reordering poses challenges ■ Define an order on the set of basic blocks ■ Come up with a reordering resilient scheme BB1 BB2 BB3 BB4 ■ Fuzzy hash serves as pre-filter ■ Matches are usually 100% equal ■ Make fuzzy hash more fuzzy fnv1 fnv2 ■ Position-independent representation quite strict ■ Need to take instruction reordering into account ■ Improved algorithms in future versions
  • 17. Future Plans ■ Integration with other RE tools? ■ Cloud service ■ Social ratings of commits ■ Access control lists ■ Client ■ Real time notifications on updated annotations ■ New and improved matching algorithms ■ Ability to deal with cyclic type dependencies ■ Tracking of function/file mappings ■ Mass importing of common library code
  • 18. Where to get it: http://crowd.re